feat(api): RequirePermissionAttribute + PermissionAuthorizationHandler [UDT-006]

src/api/SIGCM2.Api/Authorization/PermissionAuthorizationHandler.cs

@@ -0,0 +1,71 @@
+using Microsoft.AspNetCore.Authorization;
+using Microsoft.AspNetCore.Http;
+using SIGCM2.Application.Abstractions.Persistence;
+
+namespace SIGCM2.Api.Authorization;
+
+/// <summary>
+/// Authorization handler for <see cref="RequirePermissionAttribute"/>.
+/// Reads the "rol" claim from the authenticated user, queries <see cref="IRolPermisoRepository"/>
+/// for the role's assigned permissions, and succeeds if at least one matches (OR semantics).
+/// No caching — UDT-006 design decision D1: always authoritative from DB.
+/// </summary>
+public sealed class PermissionAuthorizationHandler
+    : AuthorizationHandler<RequirePermissionAttribute>
+{
+    private readonly IRolPermisoRepository _rolPermisoRepo;
+    private readonly ILogger<PermissionAuthorizationHandler> _logger;
+
+    public PermissionAuthorizationHandler(
+        IRolPermisoRepository rolPermisoRepo,
+        ILogger<PermissionAuthorizationHandler> logger)
+    {
+        _rolPermisoRepo = rolPermisoRepo;
+        _logger = logger;
+    }
+
+    protected override async Task HandleRequirementAsync(
+        AuthorizationHandlerContext context,
+        RequirePermissionAttribute requirement)
+    {
+        // 1. Must be authenticated — defense-in-depth (AuthorizeAttribute already requires it)
+        if (context.User?.Identity?.IsAuthenticated != true)
+        {
+            return; // implicit Fail — nothing Succeeded
+        }
+
+        // 2. Extract "rol" claim — JwtBearer is configured with RoleClaimType="rol"
+        var rolCodigo = context.User.FindFirst("rol")?.Value;
+        if (string.IsNullOrWhiteSpace(rolCodigo))
+        {
+            _logger.LogWarning(
+                "Authorization failed — token missing 'rol' claim for user {User}",
+                context.User.Identity?.Name);
+            context.Fail(new AuthorizationFailureReason(this, "missing_rol_claim"));
+            return;
+        }
+
+        // 3. Load permissions assigned to this role — no cache (UDT-006 D1)
+        var permisos = await _rolPermisoRepo.GetByRolCodigoAsync(rolCodigo);
+        var permisoCodes = permisos.Select(p => p.Codigo).ToHashSet(StringComparer.Ordinal);
+
+        // 4. OR semantics — any single match is enough
+        var matched = requirement.PermissionCodes
+            .FirstOrDefault(code => permisoCodes.Contains(code));
+
+        if (matched is not null)
+        {
+            context.Succeed(requirement);
+            return;
+        }
+
+        // 5. Stash required permission for ForbiddenProblemDetailsHandler (Batch 3)
+        if (context.Resource is HttpContext httpContext)
+        {
+            httpContext.Items["RequiredPermission"] = requirement.PermissionCodes[0];
+        }
+
+        context.Fail(new AuthorizationFailureReason(this,
+            $"missing_permission:{string.Join('|', requirement.PermissionCodes)}"));
+    }
+}

src/api/SIGCM2.Api/Authorization/RequirePermissionAttribute.cs

@@ -0,0 +1,35 @@
+using Microsoft.AspNetCore.Authorization;
+
+namespace SIGCM2.Api.Authorization;
+
+/// <summary>
+/// Authorization attribute that requires the authenticated user to have at least ONE
+/// of the declared permission codes assigned to their role (OR semantics).
+/// Implements IAuthorizationRequirementData (.NET 8+) so ASP.NET Core builds the policy
+/// on-the-fly from GetRequirements() — no AddPolicy() registration needed.
+/// </summary>
+/// <example>
+/// // Single permission
+/// [RequirePermission("administracion:usuarios:gestionar")]
+///
+/// // Multiple — OR semantics: any single match grants access
+/// [RequirePermission("ventas:contado:crear", "ventas:ctacte:crear")]
+/// </example>
+[AttributeUsage(AttributeTargets.Class | AttributeTargets.Method, AllowMultiple = false)]
+public sealed class RequirePermissionAttribute
+    : AuthorizeAttribute, IAuthorizationRequirement, IAuthorizationRequirementData
+{
+    /// <summary>Permission codes required (OR semantics — at least one must match).</summary>
+    public string[] PermissionCodes { get; }
+
+    public RequirePermissionAttribute(params string[] permissionCodes)
+    {
+        if (permissionCodes is null || permissionCodes.Length == 0)
+            throw new ArgumentException("At least one permission code is required.", nameof(permissionCodes));
+
+        PermissionCodes = permissionCodes;
+    }
+
+    /// <inheritdoc/>
+    public IEnumerable<IAuthorizationRequirement> GetRequirements() => new[] { this };
+}

src/api/SIGCM2.Api/Program.cs

@@ -1,5 +1,7 @@
+using Microsoft.AspNetCore.Authorization;
 using Serilog;
 using Scalar.AspNetCore;
+using SIGCM2.Api.Authorization;
 using SIGCM2.Application;
 using SIGCM2.Infrastructure;
 using SIGCM2.Api.Filters;
@@ -21,6 +23,10 @@ builder.Host.UseSerilog((ctx, lc) => lc
 builder.Services.AddApplication();
 builder.Services.AddInfrastructure(builder.Configuration);
 
+// Authorization — handler lives in Api layer; DO NOT move to Infrastructure DI
+builder.Services.AddAuthorization();
+builder.Services.AddScoped<IAuthorizationHandler, PermissionAuthorizationHandler>();
+
 // Controllers with exception filter
 builder.Services.AddControllers(opts =>
 {