refactor(Core.Application.Pipelines.Authorization): improve role matching logic

ahmet-cetinkaya · ahmet-cetinkaya · commit 156054c5d8d0 · 2025-02-02T22:23:03.000+03:00
diff --git a/src/Core.Application/Pipelines/Authorization/AuthorizationBehavior.cs b/src/Core.Application/Pipelines/Authorization/AuthorizationBehavior.cs
@@ -40,19 +40,21 @@ private bool isHasRequiredRole(IEnumerable<string> identityRoles, ReadOnlySpan<c
     {
         bool isMatch = false;
         foreach (var role in identityRoles)
-            for (int i = 0; i < requiredRoleClaims.Length; ++i)
+        {
+            for (int i = 0, j = 0; i < requiredRoleClaims.Length; ++i)
             {
-                if (requiredRoleClaims[i] == ',')
-                    continue;
-
-                if (requiredRoleClaims[i] == role[i])
+                if (requiredRoleClaims[i] == role[j])
+                {
                     isMatch = true;
+                    if (j + 1 < role.Length) ++j;
+                }
                 else
                 {
                     isMatch = false;
-                    break;
+                    j = 0;
                 }
             }
+        }
 
         return isMatch;
     }
diff --git a/src/tests/Core.Application.Tests/Core.Application.Tests/Pipelines/AuthorizationBehaviorTests.cs b/src/tests/Core.Application.Tests/Core.Application.Tests/Pipelines/AuthorizationBehaviorTests.cs
@@ -25,7 +25,7 @@ public async Task Handle_ValidRequest_ReturnsResponse()
 
     public class ValidSecuredRequest : IRequest<int>, ISecuredRequest
     {
-        public IEnumerable<string> IdentityRoles { get; set; }
+        public IEnumerable<string> IdentityRoles { get; set; } = [];
         public ReadOnlySpan<char> RequiredRoleClaims => "".AsSpan();
     }
 
@@ -44,7 +44,7 @@ await Assert.ThrowsAsync<AuthenticationException>(
 
     public class InvalidSecuredRequest : IRequest<int>, ISecuredRequest
     {
-        public IEnumerable<string> IdentityRoles { get; set; }
+        public IEnumerable<string> IdentityRoles { get; set; } = [];
         public ReadOnlySpan<char> RequiredRoleClaims => "".AsSpan();
     }
 
@@ -69,7 +69,7 @@ await Assert.ThrowsAsync<AuthorizationException>(
 
     public class SecuredRequestWithRequiredRoleClaims : IRequest<int>, ISecuredRequest
     {
-        public IEnumerable<string> IdentityRoles { get; set; }
+        public IEnumerable<string> IdentityRoles { get; set; } = [];
         public ReadOnlySpan<char> RequiredRoleClaims => "admin".AsSpan();
     }
 
@@ -94,7 +94,7 @@ public async Task Handle_ValidRequest_WithRequiredRoleClaims_ReturnsResponse()
 
     public class SecuredRequestWithoutRequiredRoleClaims : IRequest<int>, ISecuredRequest
     {
-        public IEnumerable<string> IdentityRoles { get; set; }
-        public ReadOnlySpan<char> RequiredRoleClaims => "admin".AsSpan();
+        public IEnumerable<string> IdentityRoles { get; set; } = [];
+        public ReadOnlySpan<char> RequiredRoleClaims => "editor,admin".AsSpan();
     }
 }

Original file line number	Diff line number	Diff line change
`@@ -40,19 +40,21 @@ private bool isHasRequiredRole(IEnumerable<string> identityRoles, ReadOnlySpan<c`
`40`	`40`	`{`
`41`	`41`	`bool isMatch = false;`
`42`	`42`	`foreach (var role in identityRoles)`
`43`		`- for (int i = 0; i < requiredRoleClaims.Length; ++i)`
	`43`	`+ {`
	`44`	`+ for (int i = 0, j = 0; i < requiredRoleClaims.Length; ++i)`
`44`	`45`	`{`
`45`		`- if (requiredRoleClaims[i] == ',')`
`46`		`- continue;`
`47`		`-`
`48`		`- if (requiredRoleClaims[i] == role[i])`
	`46`	`+ if (requiredRoleClaims[i] == role[j])`
	`47`	`+ {`
`49`	`48`	`isMatch = true;`
	`49`	`+ if (j + 1 < role.Length) ++j;`
	`50`	`+ }`
`50`	`51`	`else`
`51`	`52`	`{`
`52`	`53`	`isMatch = false;`
`53`		`- break;`
	`54`	`+ j = 0;`
`54`	`55`	`}`
`55`	`56`	`}`
	`57`	`+ }`
`56`	`58`
`57`	`59`	`return isMatch;`
`58`	`60`	`}`
Original file line number	Diff line number	Diff line change
`@@ -25,7 +25,7 @@ public async Task Handle_ValidRequest_ReturnsResponse()`
`25`	`25`
`26`	`26`	`public class ValidSecuredRequest : IRequest<int>, ISecuredRequest`
`27`	`27`	`{`
`28`		`- public IEnumerable<string> IdentityRoles { get; set; }`
	`28`	`+ public IEnumerable<string> IdentityRoles { get; set; } = [];`
`29`	`29`	`public ReadOnlySpan<char> RequiredRoleClaims => "".AsSpan();`
`30`	`30`	`}`
`31`	`31`
`@@ -44,7 +44,7 @@ await Assert.ThrowsAsync<AuthenticationException>(`
`44`	`44`
`45`	`45`	`public class InvalidSecuredRequest : IRequest<int>, ISecuredRequest`
`46`	`46`	`{`
`47`		`- public IEnumerable<string> IdentityRoles { get; set; }`
	`47`	`+ public IEnumerable<string> IdentityRoles { get; set; } = [];`
`48`	`48`	`public ReadOnlySpan<char> RequiredRoleClaims => "".AsSpan();`
`49`	`49`	`}`
`50`	`50`
`@@ -69,7 +69,7 @@ await Assert.ThrowsAsync<AuthorizationException>(`
`69`	`69`
`70`	`70`	`public class SecuredRequestWithRequiredRoleClaims : IRequest<int>, ISecuredRequest`
`71`	`71`	`{`
`72`		`- public IEnumerable<string> IdentityRoles { get; set; }`
	`72`	`+ public IEnumerable<string> IdentityRoles { get; set; } = [];`
`73`	`73`	`public ReadOnlySpan<char> RequiredRoleClaims => "admin".AsSpan();`
`74`	`74`	`}`
`75`	`75`
`@@ -94,7 +94,7 @@ public async Task Handle_ValidRequest_WithRequiredRoleClaims_ReturnsResponse()`
`94`	`94`
`95`	`95`	`public class SecuredRequestWithoutRequiredRoleClaims : IRequest<int>, ISecuredRequest`
`96`	`96`	`{`
`97`		`- public IEnumerable<string> IdentityRoles { get; set; }`
`98`		`- public ReadOnlySpan<char> RequiredRoleClaims => "admin".AsSpan();`
	`97`	`+ public IEnumerable<string> IdentityRoles { get; set; } = [];`
	`98`	`+ public ReadOnlySpan<char> RequiredRoleClaims => "editor,admin".AsSpan();`
`99`	`99`	`}`
`100`	`100`	`}`