feat(api): PermissionAuthorizationHandler resuelve overrides desde DB por request [UDT-009]

src/api/SIGCM2.Api/Authorization/PermissionAuthorizationHandler.cs

@@ -1,26 +1,32 @@
+using System.IdentityModel.Tokens.Jwt;
 using Microsoft.AspNetCore.Authorization;
 using Microsoft.AspNetCore.Http;
 using SIGCM2.Application.Abstractions.Persistence;
+using SIGCM2.Application.Common;
 
 namespace SIGCM2.Api.Authorization;
 
 /// <summary>
 /// Authorization handler for <see cref="RequirePermissionAttribute"/>.
-/// Reads the "rol" claim from the authenticated user, queries <see cref="IRolPermisoRepository"/>
-/// for the role's assigned permissions, and succeeds if at least one matches (OR semantics).
-/// No caching — UDT-006 design decision D1: always authoritative from DB.
+/// UDT-009: Reads "rol" + "sub" claims, queries both IRolPermisoRepository
+/// and IUsuarioRepository, resolves effective permissions via PermisoResolver,
+/// and succeeds if at least one required permission matches (OR semantics).
+/// No caching — always authoritative from DB (UDT-006 D1, UDT-009 D3).
 /// </summary>
 public sealed class PermissionAuthorizationHandler
     : AuthorizationHandler<RequirePermissionAttribute>
 {
     private readonly IRolPermisoRepository _rolPermisoRepo;
+    private readonly IUsuarioRepository _usuarioRepo;
     private readonly ILogger<PermissionAuthorizationHandler> _logger;
 
     public PermissionAuthorizationHandler(
         IRolPermisoRepository rolPermisoRepo,
+        IUsuarioRepository usuarioRepo,
         ILogger<PermissionAuthorizationHandler> logger)
     {
         _rolPermisoRepo = rolPermisoRepo;
+        _usuarioRepo = usuarioRepo;
         _logger = logger;
     }
 
@@ -28,13 +34,11 @@ public sealed class PermissionAuthorizationHandler
         AuthorizationHandlerContext context,
         RequirePermissionAttribute requirement)
     {
-        // 1. Must be authenticated — defense-in-depth (AuthorizeAttribute already requires it)
+        // 1. Must be authenticated — defense-in-depth
         if (context.User?.Identity?.IsAuthenticated != true)
-        {
-            return; // implicit Fail — nothing Succeeded
-        }
+            return; // implicit Fail
 
-        // 2. Extract "rol" claim — JwtBearer is configured with RoleClaimType="rol"
+        // 2. Extract "rol" claim
         var rolCodigo = context.User.FindFirst("rol")?.Value;
         if (string.IsNullOrWhiteSpace(rolCodigo))
         {
@@ -45,13 +49,32 @@ public sealed class PermissionAuthorizationHandler
             return;
         }
 
-        // 3. Load permissions assigned to this role — no cache (UDT-006 D1)
-        var permisos = await _rolPermisoRepo.GetByRolCodigoAsync(rolCodigo);
-        var permisoCodes = permisos.Select(p => p.Codigo).ToHashSet(StringComparer.Ordinal);
+        // 3. Extract "sub" claim — MapInboundClaims=false so it stays as "sub" (NOT NameIdentifier)
+        var subClaim = context.User.FindFirst(JwtRegisteredClaimNames.Sub)?.Value
+                    ?? context.User.FindFirst("sub")?.Value;
 
-        // 4. OR semantics — any single match is enough
-        var matched = requirement.PermissionCodes
-            .FirstOrDefault(code => permisoCodes.Contains(code));
+        if (string.IsNullOrWhiteSpace(subClaim) || !int.TryParse(subClaim, out var userId))
+        {
+            _logger.LogWarning(
+                "Authorization failed — token missing or non-numeric 'sub' claim for user {User}",
+                context.User.Identity?.Name);
+            context.Fail(new AuthorizationFailureReason(this, "missing_sub_claim"));
+            return;
+        }
+
+        // 4. Load role permissions — no cache (UDT-006 D1)
+        var rolPermisoEntities = await _rolPermisoRepo.GetByRolCodigoAsync(rolCodigo);
+        var rolPermisos = rolPermisoEntities.Select(p => p.Codigo);
+
+        // 5. Load user overrides — no cache (UDT-009 D3); null usuario → no overrides
+        var usuario = await _usuarioRepo.GetByIdAsync(userId);
+        var overrides = PermisosOverride.FromJson(usuario?.PermisosJson);
+
+        // 6. Resolve effective permissions
+        var effective = PermisoResolver.Resolve(rolPermisos, overrides);
+
+        // 7. OR semantics — any single match is enough
+        var matched = requirement.PermissionCodes.FirstOrDefault(effective.Contains);
 
         if (matched is not null)
         {
@@ -59,11 +82,9 @@ public sealed class PermissionAuthorizationHandler
             return;
         }
 
-        // 5. Stash required permission for ForbiddenProblemDetailsHandler (Batch 3)
+        // 8. Stash required permission for ForbiddenProblemDetailsHandler
         if (context.Resource is HttpContext httpContext)
-        {
             httpContext.Items["RequiredPermission"] = requirement.PermissionCodes[0];
-        }
 
         context.Fail(new AuthorizationFailureReason(this,
             $"missing_permission:{string.Join('|', requirement.PermissionCodes)}"));