We are controlling access to our application's resources and actions by using ThinkTecture's MVC ClaimsAuthorizeAttribute and would like to be able to include some unit test coverage using Moq.

Ideally, I'd like to write a test which requests a controller action decorated with:

[ClaimsAuthorize("operation_x", "resource_1")]

... so as to enter our AuthorizationManager's CheckAccess override method during execution of the test.

Our CheckAccess override simply gets the action and resource from the incoming AuthorizationContext ("operation_x" and "resource_1") and determines whether the Principal has the resource/action combination as a claim and returns true if a match is found.

The test would pass or fail based on the result of our CheckAccess override.

Most of the examples I've found online are about unit testing custom Authorize attributes or testing whether a controller action has been decorated by an AuthzAttribute. There don't seem to be many examples of testing ThinkTecture's ClaimsAuthorize attribute.

Is it even possible to achieve what I've described? If so, please advise!

Thanks

dev'd

1 Answer

You may be looking to do more work than necessary - you don't need to test ThinkTecture's ClaimsAuthorizeAttribute, because ThinkTecture have already done that. You should write tests which test your own code - namely the outcome of the actions performed inside your override of CheckAccess.

If you want to check whether the ThinkTecture attribute works as it should, you should look into setting up an integration test which causes the controller action in question to be invoked.

Steve Wilkes
    Thanks for responding Steve. Indeed - the results of our calls to my CheckAccess override should be the main concern here. I think what you're saying is that there's no added benefit of invoking CheckAccess by proxy of the test requesting the controller action (and executing the authz pipeline) than there is by calling CheckAccess directly within the test method? – dev'd Jan 09 '14 at 14:16
    So in the latest version ClaimsAuthorizeAttribute appears to have been renamed ResourceActionAuthorizeAttribute, but I haven't yet found good examples for how to use this. The sample code in the project doesn't build anymore because it hasn't been renamed from ClaimsAuthorizeAttribute. Any suggestions on documentation and examples would be a welcome addition. Thx. – Steve L Jun 05 '14 at 03:06
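
Calling a CheckAccess override directly from a test, as the answer and the first comment discuss, shown here as an added example that is not code from the original posts. `AppAuthorizationManager`, the claim layout (claim type = resource, claim value = action) and the helper names are assumptions, since the page does not show the real override; it needs a reference to System.IdentityModel on .NET Framework 4.5 or later.

```csharp
using System;
using System.Linq;
using System.Security.Claims;

// Hypothetical stand-in for the application's manager (the real one is not on the page).
// Assumption: a permission is a claim whose type is the resource and whose value is the action.
public class AppAuthorizationManager : ClaimsAuthorizationManager
{
    public override bool CheckAccess(AuthorizationContext context)
    {
        // Fail closed: no identity or an unauthenticated identity never gets access.
        if (context?.Principal?.Identity == null || !context.Principal.Identity.IsAuthenticated)
            return false;
        var action = context.Action.FirstOrDefault()?.Value;
        var resource = context.Resource.FirstOrDefault()?.Value;
        if (string.IsNullOrEmpty(action) || string.IsNullOrEmpty(resource))
            return false;
        return context.Principal.HasClaim(resource, action);
    }
}

public static class CheckAccessTests
{
    // A null authentication type yields an identity with IsAuthenticated == false.
    static ClaimsPrincipal User(string authType, params Claim[] claims) =>
        new ClaimsPrincipal(new ClaimsIdentity(claims, authType));

    static void Expect(bool expected, ClaimsPrincipal user, string resource, string action)
    {
        // Same resource/action pair the attribute would carry, passed straight to the manager.
        var context = new AuthorizationContext(user, resource, action);
        var actual = new AppAuthorizationManager().CheckAccess(context);
        if (actual != expected)
            throw new Exception($"{action} on {resource}: expected {expected}, got {actual}");
    }

    public static void Main()
    {
        var granted = new Claim("resource_1", "operation_x"); // constructed sample claim
        Expect(true, User("test", granted), "resource_1", "operation_x");
        Expect(false, User("test", granted), "resource_1", "operation_y"); // wrong action
        Expect(false, User("test", granted), "resource_2", "operation_x"); // wrong resource
        Expect(false, User("test"), "resource_1", "operation_x");          // no claims at all
        Expect(false, User(null, granted), "resource_1", "operation_x");   // unauthenticated
        Console.WriteLine("all CheckAccess cases passed");
    }
}
```

The deny cases matter as much as the allow case: a test suite that only asserts the happy path will not catch an override that returns true too broadly.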