dmolinari/SIG-CM2.0
1
0
Fork 0
Code Issues 2 Pull Requests Actions Packages Projects Releases Wiki Activity
Files
7c0646be0dca070272bf9eb802fb0bd1234e0301
SIG-CM2.0/src/api/SIGCM2.Api/Authorization/PermissionAuthorizationHandler.cs
dmolinari b619c05762 feat(audit): security events en Auth + authorization handlers (UDT-010 B9) 
Instruments auth pipeline with ISecurityEventLogger per #REQ-AUTH-SEC:

LoginCommandHandler:
- login success → action=login result=success actorUserId=user.Id
- login failure disaggregated internally (client still sees 401 unified):
  user_not_found / user_inactive / invalid_password
  — attempts captured with attemptedUsername + FailureReason

LogoutCommandHandler:
- action=logout result=success actorUserId=cmd.UsuarioId

RefreshCommandHandler:
- refresh.issue success on successful rotation
- refresh.reuse_detected failure when revoked token is presented (chain
  revoke already happens; we add the security event with metadata.familyId)
- refresh.issue failure for: token_expired / sub_mismatch / user_not_found /
  user_inactive

PermissionAuthorizationHandler:
- permission.denied failure on require-permission rejection, with metadata
  { permissionRequired, endpoint, method }. ActorUserId from JWT sub.

DI: ISecurityEventLogger was already registered by B6 (AddInfrastructure).

Test updates: 4 test classes now inject ISecurityEventLogger mock:
- LoginCommandHandlerTests, LogoutCommandHandlerTests, RefreshCommandHandlerTests
- PermissionAuthorizationHandlerTests (Api.Tests)

Suite: 378/378 Application.Tests + 141/141 Api.Tests = 519/519 passing.

Refs: sdd/udt-010-auditoria-trazabilidad/{spec#REQ-SEC-2/3/4/5 #REQ-AUTH-SEC,
design, tasks#B9}
2026-04-16 13:59:27 -03:00

107 lines
4.5 KiB
C#
Raw Blame History

using System.IdentityModel.Tokens.Jwt;
using Microsoft.AspNetCore.Authorization;
using Microsoft.AspNetCore.Http;
using SIGCM2.Application.Abstractions.Persistence;
using SIGCM2.Application.Audit;
using SIGCM2.Application.Common;
namespace SIGCM2.Api.Authorization;
/// <summary>
/// Authorization handler for <see cref="RequirePermissionAttribute"/>.
/// UDT-009: Reads "rol" + "sub" claims, queries both IRolPermisoRepository
/// and IUsuarioRepository, resolves effective permissions via PermisoResolver,
/// and succeeds if at least one required permission matches (OR semantics).
/// No caching — always authoritative from DB (UDT-006 D1, UDT-009 D3).
/// UDT-010: emits SecurityEvent 'permission.denied' on rejection.
/// </summary>
public sealed class PermissionAuthorizationHandler
: AuthorizationHandler<RequirePermissionAttribute>
{
private readonly IRolPermisoRepository _rolPermisoRepo;
private readonly IUsuarioRepository _usuarioRepo;
private readonly ISecurityEventLogger _security;
private readonly ILogger<PermissionAuthorizationHandler> _logger;
public PermissionAuthorizationHandler(
IRolPermisoRepository rolPermisoRepo,
IUsuarioRepository usuarioRepo,
ISecurityEventLogger security,
ILogger<PermissionAuthorizationHandler> logger)
{
_rolPermisoRepo = rolPermisoRepo;
_usuarioRepo = usuarioRepo;
_security = security;
_logger = logger;
}
protected override async Task HandleRequirementAsync(
AuthorizationHandlerContext context,
RequirePermissionAttribute requirement)
{
// 1. Must be authenticated — defense-in-depth
if (context.User?.Identity?.IsAuthenticated != true)
return; // implicit Fail
// 2. Extract "rol" claim
var rolCodigo = context.User.FindFirst("rol")?.Value;
if (string.IsNullOrWhiteSpace(rolCodigo))
{
_logger.LogWarning(
"Authorization failed — token missing 'rol' claim for user {User}",
context.User.Identity?.Name);
context.Fail(new AuthorizationFailureReason(this, "missing_rol_claim"));
return;
}
// 3. Extract "sub" claim — MapInboundClaims=false so it stays as "sub" (NOT NameIdentifier)
var subClaim = context.User.FindFirst(JwtRegisteredClaimNames.Sub)?.Value
?? context.User.FindFirst("sub")?.Value;
if (string.IsNullOrWhiteSpace(subClaim) || !int.TryParse(subClaim, out var userId))
{
_logger.LogWarning(
"Authorization failed — token missing or non-numeric 'sub' claim for user {User}",
context.User.Identity?.Name);
context.Fail(new AuthorizationFailureReason(this, "missing_sub_claim"));
return;
}
// 4. Load role permissions — no cache (UDT-006 D1)
var rolPermisoEntities = await _rolPermisoRepo.GetByRolCodigoAsync(rolCodigo);
var rolPermisos = rolPermisoEntities.Select(p => p.Codigo);
// 5. Load user overrides — no cache (UDT-009 D3); null usuario → no overrides
var usuario = await _usuarioRepo.GetByIdAsync(userId);
var overrides = PermisosOverride.FromJson(usuario?.PermisosJson);
// 6. Resolve effective permissions
var effective = PermisoResolver.Resolve(rolPermisos, overrides);
// 7. OR semantics — any single match is enough
var matched = requirement.PermissionCodes.FirstOrDefault(effective.Contains);
if (matched is not null)
{
context.Succeed(requirement);
return;
}
// 8. Stash required permission for ForbiddenProblemDetailsHandler
var requiredPermission = requirement.PermissionCodes[0];
if (context.Resource is HttpContext httpContext)
httpContext.Items["RequiredPermission"] = requiredPermission;
// 9. Emit SecurityEvent for the denial
var endpoint = (context.Resource as HttpContext)?.Request?.Path.Value;
var method = (context.Resource as HttpContext)?.Request?.Method;
await _security.LogAsync("permission.denied", "failure",
actorUserId: userId,
failureReason: $"missing_permission:{requiredPermission}",
metadata: new { permissionRequired = requiredPermission, endpoint, method });
context.Fail(new AuthorizationFailureReason(this,
$"missing_permission:{string.Join('|', requirement.PermissionCodes)}"));
}
}
Reference in New Issue View Git Blame Copy Permalink