diff --git a/src/DfE.CoreLibs.Testing/Authorization/Helpers/EndpointTestDataProvider.cs b/src/DfE.CoreLibs.Testing/Authorization/Helpers/EndpointTestDataProvider.cs
index 1849d2b..41b53da 100644
--- a/src/DfE.CoreLibs.Testing/Authorization/Helpers/EndpointTestDataProvider.cs
+++ b/src/DfE.CoreLibs.Testing/Authorization/Helpers/EndpointTestDataProvider.cs
@@ -47,6 +47,7 @@ public static IEnumerable GetPageSecurityTestData(string jsonContent,
 public static IEnumerable GetPageSecurityTestDataFromFile(string configFilePath, IEnumerable endpoints, bool globalAuthorizationEnabled)
 {
 var jsonContent = File.ReadAllText(configFilePath);
+
 return GetPageSecurityTestData(jsonContent, endpoints, globalAuthorizationEnabled);
 }
diff --git a/src/DfE.CoreLibs.Testing/Authorization/Validators/PageSecurityValidator.cs b/src/DfE.CoreLibs.Testing/Authorization/Validators/PageSecurityValidator.cs
index 3ae29b5..7b66ef0 100644
--- a/src/DfE.CoreLibs.Testing/Authorization/Validators/PageSecurityValidator.cs
+++ b/src/DfE.CoreLibs.Testing/Authorization/Validators/PageSecurityValidator.cs
@@ -4,46 +4,55 @@ using Microsoft.AspNetCore.Routing;
 namespace DfE.CoreLibs.Testing.Authorization.Validators
-{
+{
 public class PageSecurityValidator(RouteEndpoint endpoint, bool globalAuthorizationEnabled = false)
 {
 public ValidationResult ValidateSinglePageSecurity(string route, string expectedSecurity)
 {
 var hasAuthorizeMetadata = endpoint.Metadata.Any(m => m is AuthorizeAttribute);
+ var hasAllowAnonymousMetadata = endpoint.Metadata.Any(m => m is AllowAnonymousAttribute);
 var authorizeAttributes = endpoint.Metadata.OfType().ToList();
- if (globalAuthorizationEnabled)
- {
- if (expectedSecurity == "AllowAnonymous")
- {
- if (hasAuthorizeMetadata)
- {
- return ValidationResult.Failed($"Page {route} should be anonymous but is protected.");
- }
- }
- else
- {
- if (!hasAuthorizeMetadata)
- {
- return ValidationResult.Failed($"Page {route} should be protected globally but has no Authorize attribute.");
- }
- }
+ if (globalAuthorizationEnabled && expectedSecurity != "AllowAnonymous" && !hasAuthorizeMetadata)
+ {
+ return ValidationResult.Failed($"Page {route} should be protected globally but has no Authorize attribute.");
 }
- if (expectedSecurity.StartsWith("Authorize"))
+ return expectedSecurity switch
 {
- var expectedRequirements = ValidatorHelper.ParseExpectedSecurity(expectedSecurity);
- try
- {
- ValidatorHelper.ValidateAuthorizeAttributes(authorizeAttributes, route, expectedRequirements);
- }
- catch (Exception ex)
- {
- return ValidationResult.Failed(ex.Message);
- }
- }
+ "AllowAnonymous" => ValidateAllowAnonymousPage(route, hasAuthorizeMetadata, hasAllowAnonymousMetadata),
+ var security when security.StartsWith("Authorize") => ValidateAuthorizePage(route, authorizeAttributes, expectedSecurity, hasAllowAnonymousMetadata),
+ _ => ValidationResult.Success()
+ };
+ }
+
+ private static ValidationResult ValidateAllowAnonymousPage(string route, bool hasAuthorizeMetadata, bool hasAllowAnonymousMetadata)
+ {
+ // AllowAnonymous page checks
+ if (hasAllowAnonymousMetadata)
+ return ValidationResult.Success();
+
+ return hasAuthorizeMetadata
+ ? ValidationResult.Failed($"Page {route} should be anonymous but is protected.")
+ : ValidationResult.Success();
+ }
- return ValidationResult.Success();
+ private static ValidationResult ValidateAuthorizePage(string route, List authorizeAttributes, string expectedSecurity, bool hasAllowAnonymousMetadata)
+ {
+ if (hasAllowAnonymousMetadata)
+ return ValidationResult.Failed($"Page {route} should be protected but is anonymous.");
+
+ var expectedRequirements = ValidatorHelper.ParseExpectedSecurity(expectedSecurity);
+
+ try
+ {
+ ValidatorHelper.ValidateAuthorizeAttributes(authorizeAttributes, route, expectedRequirements);
+ return ValidationResult.Success();
+ }
+ catch (Exception ex)
+ {
+ return ValidationResult.Failed(ex.Message);
+ }
 }
 }
 }
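Review bot: The `_ => ValidationResult.Success()` arm of the new switch in ValidateSinglePageSecurity lets an unrecognised expectedSecurity value (a misspelt entry in the JSON config) pass without any check being made, which is fail-open for a security test helper, and when globalAuthorizationEnabled is false nothing earlier in the method catches it. Consider `_ => ValidationResult.Failed($"Page {route} has unrecognised expected security '{expectedSecurity}'.")` so a config error surfaces as a failing test rather than a green one. Relatedly, ValidateAllowAnonymousPage returns Success for a page carrying neither attribute regardless of globalAuthorizationEnabled; if global authorization means a fallback policy, such a page is in fact protected while the test reports it anonymous, and the helper would need the flag passed in to fail on `!hasAllowAnonymousMetadata` in that mode — whether that is the intended semantics is not visible from this hunk. The `security.StartsWith("Authorize")` guard should also pass `StringComparison.Ordinal`, since the default overload is culture-sensitive.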