data attributes and test fix

Author: MWClayson-NHS

application/CohortManager/src/Functions/DemographicServices/DemographicDurableFunction/DemographicDurableFunction.csproj

@@ -16,7 +16,6 @@
     <PackageReference Include="Microsoft.Azure.Functions.Worker.Extensions.Http.AspNetCore" />
     <PackageReference Include="Contrib.Grpc.Core.M1" />
     <PackageReference Include="Microsoft.Extensions.Diagnostics.HealthChecks" />
-        <PackageReference Include="Contrib.Grpc.Core.M1" />
     <PackageReference Include="Microsoft.Azure.Functions.Worker.Sdk" />
   </ItemGroup>
   <ItemGroup>

application/CohortManager/src/Functions/Shared/Common/Authentication/AuthenticationAttribute.cs

@@ -0,0 +1,20 @@
+namespace Common;
+
+[AttributeUsage(AttributeTargets.Method)]
+public class AuthenticationAttribute : Attribute
+{
+    public Role[]? Roles { get; }
+    public bool RequiresAuthentication => Roles != null && Roles.Length > 0;
+    public AuthenticationAttribute(Role role)
+    {
+        Roles = new[] { role };
+    }
+    public AuthenticationAttribute(Role[] roles)
+    {
+        Roles = roles;
+    }
+    public AuthenticationAttribute()
+    {
+        Roles = null;
+    }
+}

application/CohortManager/src/Functions/Shared/Common/Authentication/CIS2AuthMiddleware.cs

@@ -24,6 +24,12 @@ public Cis2AuthMiddleware(ILogger<Cis2AuthMiddleware> logger, ICreateResponse cr
 
     public async Task Invoke(FunctionContext context, FunctionExecutionDelegate next)
     {
+        if(!context.RequiresAuthentication())
+        {
+            await next(context);
+            return;
+        }
+
         var req = await context.GetHttpRequestDataAsync();
         var accessToken = string.Empty;
         var tokensExist = AuthHelper.TryGetIdTokenFromHeaders(context, out var token);

…ared/Common/Authentication/AuthConfig.cs …mmon/Authentication/Config/AuthConfig.csapplication/CohortManager/src/Functions/Shared/Common/Authentication/AuthConfig.cs renamed to application/CohortManager/src/Functions/Shared/Common/Authentication/Config/AuthConfig.cs application/CohortManager/src/Functions/Shared/Common/Authentication/AuthConfig.cs renamed to application/CohortManager/src/Functions/Shared/Common/Authentication/Config/AuthConfig.cs

@@ -10,6 +10,7 @@ public class AuthConfig
     public required string AuthClientId { get; init; }
     [Required, Url]
     public required string UserInfoUrl { get; init; }
+    public bool RequireAuthentication { get; init; } = true;
 
 }
 

…ared/Common/Authentication/RoleConfig.cs …mmon/Authentication/Config/RoleConfig.csapplication/CohortManager/src/Functions/Shared/Common/Authentication/RoleConfig.cs renamed to application/CohortManager/src/Functions/Shared/Common/Authentication/Config/RoleConfig.cs application/CohortManager/src/Functions/Shared/Common/Authentication/RoleConfig.cs renamed to application/CohortManager/src/Functions/Shared/Common/Authentication/Config/RoleConfig.cs

@@ -0,0 +1,84 @@
+namespace Common;
+
+using System.Collections.Concurrent;
+using System.Reflection;
+using Microsoft.Azure.Functions.Worker;
+
+public static class FunctionContextExtension
+{
+    public static bool RequiresAuthentication(this FunctionContext context)
+    {
+        var authAttribute = context.GetEndpoint()?.Metadata.GetMetadata<AuthenticationAttribute>();
+        return authAttribute != null;
+    }
+
+    public static Role[] GetRequiredRoles(this FunctionContext context)
+    {
+        var authAttribute = context.GetEndpoint()?.Metadata.GetMetadata<AuthenticationAttribute>();
+        return authAttribute?.Roles ?? Array.Empty<Role>();
+    }
+
+    public static FunctionEndpoint? GetEndpoint(this FunctionContext context)
+    {
+        ArgumentNullException.ThrowIfNull(context);
+
+        return FunctionEndpointCache.GetOrAdd(context.FunctionDefinition.EntryPoint, CreateEndpoint);
+    }
+
+    private static readonly ConcurrentDictionary<string, FunctionEndpoint?> FunctionEndpointCache = new();
+
+    private static FunctionEndpoint? CreateEndpoint(string entryPoint)
+    {
+        if (string.IsNullOrWhiteSpace(entryPoint))
+        {
+            return null;
+        }
+
+        var separatorIndex = entryPoint.LastIndexOf('.');
+        if (separatorIndex <= 0 || separatorIndex == entryPoint.Length - 1)
+        {
+            return null;
+        }
+
+        var typeName = entryPoint[..separatorIndex];
+        var methodName = entryPoint[(separatorIndex + 1)..];
+
+        var declaringType = AppDomain.CurrentDomain
+            .GetAssemblies()
+            .Select(assembly => assembly.GetType(typeName, throwOnError: false, ignoreCase: false))
+            .FirstOrDefault(type => type != null);
+
+        var method = declaringType?.GetMethod(
+            methodName,
+            BindingFlags.Public | BindingFlags.NonPublic | BindingFlags.Static | BindingFlags.Instance);
+
+        return method == null
+            ? null
+            : new FunctionEndpoint(method.GetCustomAttributes(inherit: true));
+    }
+}
+
+public sealed class FunctionEndpoint
+{
+    public FunctionEndpoint(IEnumerable<object> metadata)
+    {
+        Metadata = new FunctionEndpointMetadataCollection(metadata);
+    }
+
+    public FunctionEndpointMetadataCollection Metadata { get; }
+}
+
+public sealed class FunctionEndpointMetadataCollection
+{
+    private readonly IReadOnlyList<object> _metadata;
+
+    public FunctionEndpointMetadataCollection(IEnumerable<object> metadata)
+    {
+        _metadata = metadata.ToArray();
+    }
+
+    public T? GetMetadata<T>() where T : class
+    {
+        return _metadata.OfType<T>().FirstOrDefault();
+    }
+}

application/CohortManager/src/Functions/Shared/Common/Authentication/FunctionContextExtension.cs

@@ -0,0 +1,51 @@
+namespace Common;
+
+
+using Microsoft.Azure.Functions.Worker;
+using Microsoft.Azure.Functions.Worker.Http;
+using Microsoft.Azure.Functions.Worker.Middleware;
+using Microsoft.Extensions.Logging;
+
+public class PermissionsMiddleware : IFunctionsWorkerMiddleware
+{
+    private readonly ICreateResponse _createResponse;
+    private readonly IRoleManager _roleManager;
+    private readonly ILogger<PermissionsMiddleware> _logger;
+
+    public PermissionsMiddleware(ICreateResponse createResponse, IRoleManager roleManager, ILogger<PermissionsMiddleware> logger)
+    {
+        _createResponse = createResponse;
+        _roleManager = roleManager;
+        _logger = logger;
+     }
+
+    public async Task Invoke(FunctionContext context, FunctionExecutionDelegate next)
+    {
+        if (!context.RequiresAuthentication())
+        {
+            await next(context);
+            return;
+        }
+
+        var req = await context.GetHttpRequestDataAsync();
+        var user = (Cis2User)context.Items["Cis2User"]!;
+        var requiredRoles = context.GetRequiredRoles();
+
+        if (requiredRoles.Length == 0 || requiredRoles.Any(role => _roleManager.ValidateRole(user, role)))
+        {
+            await next(context);
+            return;
+        }
+
+        await HandleUnauthorizedAsync(context, req, $"User {user.Uid} does not have required roles to access this resource.", "Forbidden: You do not have permission to access this resource.");
+        return;
+    }
+
+    private async Task HandleUnauthorizedAsync(FunctionContext context, HttpRequestData request, string logMessage, string responseMessage)
+    {
+        var logger = context.GetLogger<PermissionsMiddleware>();
+        logger.LogWarning("Authorization Error: {LogMessage}", logMessage);
+        var response = await _createResponse.CreateHttpResponseWithBodyAsync(System.Net.HttpStatusCode.Forbidden, request, responseMessage);
+        context.GetInvocationResult().Value = response;
+    }
+}

application/CohortManager/src/Functions/Shared/Common/Authentication/PermissionsMiddleware.cs

@@ -24,16 +24,14 @@ public class GetValidationExceptions
     private readonly IValidationExceptionData _validationData;
     private readonly IHttpParserHelper _httpParserHelper;
     private readonly IPaginationService<ValidationException> _paginationService;
-    private readonly IRoleManager _roleManager;
 
-    public GetValidationExceptions(ILogger<GetValidationExceptions> logger, ICreateResponse createResponse, IValidationExceptionData validationData, IHttpParserHelper httpParserHelper, IPaginationService<ValidationException> paginationService, IRoleManager roleManager)
+    public GetValidationExceptions(ILogger<GetValidationExceptions> logger, ICreateResponse createResponse, IValidationExceptionData validationData, IHttpParserHelper httpParserHelper, IPaginationService<ValidationException> paginationService)
     {
         _logger = logger;
         _createResponse = createResponse;
         _validationData = validationData;
         _httpParserHelper = httpParserHelper;
         _paginationService = paginationService;
-        _roleManager = roleManager;
     }
 
     /// <summary>
@@ -46,6 +44,7 @@ public GetValidationExceptions(ILogger<GetValidationExceptions> logger, ICreateR
     /// Returns 200 OK with data, 204 No Content if empty, 400 Bad Request for validation errors, or 500 Internal Server Error.
     /// </returns>
     [Function(nameof(GetValidationExceptions))]
+    [Authentication(Role.CohortManagerUser)]
     public async Task<HttpResponseData> Run([HttpTrigger(AuthorizationLevel.Anonymous, "get")] HttpRequestData req)
     {
         var exceptionId = _httpParserHelper.GetQueryParameterAsInt(req, "exceptionId");
@@ -60,11 +59,6 @@ public async Task<HttpResponseData> Run([HttpTrigger(AuthorizationLevel.Anonymou
         var ruleId = _httpParserHelper.GetQueryParameterAsNullableInt(req, "ruleId");
         var dateCreated = _httpParserHelper.GetQueryParameterAsDateTime(req, "dateCreated");
 
-        if (!_roleManager.ValidateRole((Cis2User)req.FunctionContext.Items["Cis2User"]!, Role.CohortManagerUser))
-        {
-            return _createResponse.CreateHttpResponse(HttpStatusCode.Forbidden, req);
-        }
-
         try
         {
             if (exceptionId > 0)