Core.Thalos.BuildingBlocks/Core.Cerberos.Adapters/Attributes/PermissionAttribute.cs
Sergio Matias Urquin d5925a6476 Add project files.
2025-04-29 18:57:20 -06:00


using Microsoft.AspNetCore.Authorization;
using Microsoft.AspNetCore.Mvc;
using Microsoft.AspNetCore.Mvc.Filters;
namespace Core.Cerberos.Adapters.Attributes
{
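/// <summary>
/// Authorization filter attribute that admits a request when the current user holds at least one
/// of the required permissions.
/// </summary>
/// <remarks>
/// Permissions are written as <c>Name.AccessLevel</c>, split at the first dot. A user claim of type
/// <c>permissions</c> satisfies a requirement when the names are equal and the claim's access level
/// is either <c>All</c> or equal to the required level. Comparisons are ordinal and case-sensitive.
/// Every failure path denies the request.
/// </remarks>
// NOTE(review): this class makes access decisions but is excluded from code-coverage metrics;
// confirm the grant/deny paths are exercised by tests elsewhere.
[System.Diagnostics.CodeAnalysis.ExcludeFromCodeCoverage]
public class PermissionAttribute : AuthorizeAttribute, IAuthorizationFilter
{
    private const string PermissionClaimType = "permissions";
    private const string WildcardAccessLevel = "All";

    private readonly string _requiredPermissions;

    /// <summary>
    /// Initializes a new instance of the <see cref="PermissionAttribute"/> class.
    /// </summary>
    /// <param name="requiredPermissions">
    /// Comma-separated list of permissions, each in <c>Name.AccessLevel</c> form; holding any one of
    /// them is sufficient. Spaces are ignored.
    /// </param>
    public PermissionAttribute(string requiredPermissions)
    {
        _requiredPermissions = requiredPermissions;
    }

    /// <summary>
    /// Called during the authorization process; short-circuits the request with a 401 result unless
    /// the user holds at least one of the required permissions.
    /// </summary>
    /// <param name="context">The context in which the authorization filter operates.</param>
    public void OnAuthorization(AuthorizationFilterContext context)
    {
        // NOTE(review): an authenticated user who merely lacks the permission also gets 401 here.
        // 403 (ForbidResult) is the conventional answer for that case, but switching would change
        // the status code existing clients observe, so the original result type is kept.
        try
        {
            if (!IsAuthorized(context))
            {
                context.Result = new UnauthorizedResult();
            }
        }
        catch (Exception)
        {
            // Fail closed: any unexpected error while evaluating permissions denies the request.
            // Nothing is logged here, so such denials look the same as ordinary ones to operators.
            context.Result = new UnauthorizedResult();
        }
    }

    /// <summary>
    /// Evaluates the required permissions, in declaration order, against the user's permission claims.
    /// </summary>
    private bool IsAuthorized(AuthorizationFilterContext context)
    {
        if (string.IsNullOrWhiteSpace(_requiredPermissions))
        {
            // A missing or blank requirement is a misconfiguration; deny rather than allow.
            return false;
        }

        // Parse the claims once. A claim that is not in Name.AccessLevel form grants nothing and is
        // skipped, so one malformed claim no longer invalidates the user's well-formed claims.
        var granted = context.HttpContext.User.Claims
            .Where(claim => claim.Type == PermissionClaimType)
            .Select(claim => Parse(claim.Value))
            .Where(parsed => parsed.HasValue)
            .Select(parsed => parsed.GetValueOrDefault())
            .ToArray();

        foreach (var entry in _requiredPermissions.Replace(" ", "").Split(','))
        {
            var required = Parse(entry);
            if (!required.HasValue)
            {
                // A malformed requirement is a configuration error on the endpoint; deny as soon as
                // it is reached instead of guessing what was meant.
                return false;
            }

            var (name, accessLevel) = required.GetValueOrDefault();
            var satisfied = granted.Any(g =>
                g.Name == name
                && (g.AccessLevel == WildcardAccessLevel || g.AccessLevel == accessLevel));

            if (satisfied)
            {
                return true;
            }
        }

        return false;
    }

    /// <summary>
    /// Splits <paramref name="value"/> at its first dot into a name and an access level.
    /// </summary>
    /// <returns>The parsed pair, or <c>null</c> when the value is null or contains no dot.</returns>
    private static (string Name, string AccessLevel)? Parse(string value)
    {
        if (value is null)
        {
            return null;
        }

        var dot = value.IndexOf('.');
        if (dot < 0)
        {
            return null;
        }

        return (value.Substring(0, dot), value.Substring(dot + 1));
    }
}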
}