Add BackOfficeAdmins capability and simplify mock identities to admin and plain user

Author: tjementum

.github/workflows/_deploy-container.yml

@@ -18,6 +18,10 @@ on:
       image_name:
         required: true
         type: string
+      container_app_name:
+        required: false
+        type: string
+        default: ""
       version:
         required: true
         type: string
@@ -69,7 +73,7 @@ jobs:
 
       # For production, import image from staging instead of building
       - name: Import Container Image from Staging to Production
-        if: inputs.azure_environment == 'prod'
+        if: inputs.azure_environment == 'prod' && inputs.container_app_name == ''
         run: |
           STAGING_REGISTRY_ID="/subscriptions/${{ vars.STAGING_SUBSCRIPTION_ID }}/resourceGroups/${{ env.UNIQUE_PREFIX }}-stage-global/providers/Microsoft.ContainerRegistry/registries/${{ env.UNIQUE_PREFIX }}stage"
 
@@ -82,11 +86,11 @@ jobs:
 
       # For staging, build and push the image
       - name: Setup Docker Buildx
-        if: inputs.azure_environment == 'stage'
+        if: inputs.azure_environment == 'stage' && inputs.container_app_name == ''
         uses: docker/setup-buildx-action@v4
 
       - name: Build and Push Container Image
-        if: inputs.azure_environment == 'stage'
+        if: inputs.azure_environment == 'stage' && inputs.container_app_name == ''
         working-directory: ${{ inputs.docker_context }}
         run: |
           docker buildx create --use
@@ -102,14 +106,15 @@ jobs:
         run: |
           CLUSTER_RESOURCE_GROUP_NAME="${{ env.UNIQUE_PREFIX }}-${{ env.ENVIRONMENT }}-${{ env.CLUSTER_LOCATION_ACRONYM }}"
           SUFFIX=$(echo "${{ inputs.version }}" | sed 's/\./-/g')
-          az containerapp update --name ${{ inputs.image_name }} --resource-group "$CLUSTER_RESOURCE_GROUP_NAME" --image "${{ env.UNIQUE_PREFIX }}${{ env.ENVIRONMENT }}.azurecr.io/${{ inputs.image_name }}:${{ inputs.version }}" --revision-suffix $SUFFIX
+          TARGET_APP="${{ inputs.container_app_name != '' && inputs.container_app_name || inputs.image_name }}"
+          az containerapp update --name "$TARGET_APP" --resource-group "$CLUSTER_RESOURCE_GROUP_NAME" --image "${{ env.UNIQUE_PREFIX }}${{ env.ENVIRONMENT }}.azurecr.io/${{ inputs.image_name }}:${{ inputs.version }}" --revision-suffix $SUFFIX
 
           echo "Waiting for the new revision to be active..."
           for i in {1..10}; do
             sleep 15
 
-            RUNNING_STATUS=$(az containerapp revision list --name ${{ inputs.image_name }} --resource-group "$CLUSTER_RESOURCE_GROUP_NAME" --query "[?contains(name, '$SUFFIX')].properties.runningState" --output tsv)
-            HEALTH_STATUS=$(az containerapp revision list --name ${{ inputs.image_name }} --resource-group "$CLUSTER_RESOURCE_GROUP_NAME" --query "[?contains(name, '$SUFFIX')].properties.healthState" --output tsv)
+            RUNNING_STATUS=$(az containerapp revision list --name "$TARGET_APP" --resource-group "$CLUSTER_RESOURCE_GROUP_NAME" --query "[?contains(name, '$SUFFIX')].properties.runningState" --output tsv)
+            HEALTH_STATUS=$(az containerapp revision list --name "$TARGET_APP" --resource-group "$CLUSTER_RESOURCE_GROUP_NAME" --query "[?contains(name, '$SUFFIX')].properties.healthState" --output tsv)
             if [[ "$HEALTH_STATUS" == "Healthy" ]]; then
               echo "New revision is healthy. Running state: $RUNNING_STATUS"
               exit 0

.github/workflows/_deploy-infrastructure.yml

@@ -37,6 +37,10 @@ on:
       back_office_entra_client_id:
         required: true
         type: string
+      back_office_admins_group_id:
+        required: false
+        type: string
+        default: "-"
       postgres_admin_object_id:
         required: true
         type: string
@@ -88,6 +92,7 @@ jobs:
         env:
           POSTGRES_ADMIN_OBJECT_ID: ${{ inputs.postgres_admin_object_id }}
           BACK_OFFICE_ENTRA_CLIENT_ID: ${{ inputs.back_office_entra_client_id }}
+          BACK_OFFICE_ADMINS_GROUP_ID: ${{ inputs.back_office_admins_group_id }}
           GOOGLE_OAUTH_CLIENT_ID: ${{ vars.GOOGLE_OAUTH_CLIENT_ID }}
           GOOGLE_OAUTH_CLIENT_SECRET: ${{ secrets.GOOGLE_OAUTH_CLIENT_SECRET }}
           STRIPE_PUBLISHABLE_KEY: ${{ vars.STRIPE_PUBLISHABLE_KEY }}
@@ -174,6 +179,7 @@ jobs:
         env:
           POSTGRES_ADMIN_OBJECT_ID: ${{ inputs.postgres_admin_object_id }}
           BACK_OFFICE_ENTRA_CLIENT_ID: ${{ inputs.back_office_entra_client_id }}
+          BACK_OFFICE_ADMINS_GROUP_ID: ${{ inputs.back_office_admins_group_id }}
           GOOGLE_OAUTH_CLIENT_ID: ${{ vars.GOOGLE_OAUTH_CLIENT_ID }}
           GOOGLE_OAUTH_CLIENT_SECRET: ${{ secrets.GOOGLE_OAUTH_CLIENT_SECRET }}
           STRIPE_PUBLISHABLE_KEY: ${{ vars.STRIPE_PUBLISHABLE_KEY }}

.github/workflows/account.yml

@@ -279,6 +279,25 @@ jobs:
       docker_context: ./application/account
       docker_file: ./Workers/Dockerfile
 
+  back-office-stage:
+    name: Back Office Staging
+    if: ${{ needs.build-and-test.outputs.deploy_staging == 'true' }}
+    needs: [build-and-test, database-migrations-stage, api-stage]
+    uses: ./.github/workflows/_deploy-container.yml
+    secrets: inherit
+    with:
+      azure_environment: "stage"
+      cluster_location_acronym: ${{ vars.STAGING_CLUSTER_LOCATION_ACRONYM }}
+      service_principal_id: ${{ vars.STAGING_SERVICE_PRINCIPAL_ID }}
+      subscription_id: ${{ vars.STAGING_SUBSCRIPTION_ID }}
+      image_name: account-api
+      container_app_name: back-office
+      version: ${{ needs.build-and-test.outputs.version }}
+      artifacts_name: account-api
+      artifacts_path: application/account/Api/publish
+      docker_context: ./application/account
+      docker_file: ./Api/Dockerfile
+
   database-migrations-prod1:
     name: Database Production
     if: ${{ needs.build-and-test.outputs.deploy_production == 'true' }}
@@ -331,3 +350,22 @@ jobs:
       artifacts_path: application/account/Workers/publish
       docker_context: ./application/account
       docker_file: ./Workers/Dockerfile
+
+  back-office-prod1:
+    name: Back Office Production
+    if: ${{ needs.build-and-test.outputs.deploy_production == 'true' }}
+    needs: [build-and-test, database-migrations-prod1, api-prod1]
+    uses: ./.github/workflows/_deploy-container.yml
+    secrets: inherit
+    with:
+      azure_environment: "prod"
+      cluster_location_acronym: ${{ vars.PRODUCTION_CLUSTER1_LOCATION_ACRONYM }}
+      service_principal_id: ${{ vars.PRODUCTION_SERVICE_PRINCIPAL_ID }}
+      subscription_id: ${{ vars.PRODUCTION_SUBSCRIPTION_ID }}
+      image_name: account-api
+      container_app_name: back-office
+      version: ${{ needs.build-and-test.outputs.version }}
+      artifacts_name: account-api
+      artifacts_path: application/account/Api/publish
+      docker_context: ./application/account
+      docker_file: ./Api/Dockerfile

.github/workflows/cloud-infrastructure.yml

@@ -39,6 +39,7 @@ jobs:
       domain_name: ${{ vars.STAGING_DOMAIN_NAME }}
       back_office_domain_name: ${{ vars.STAGING_BACK_OFFICE_DOMAIN_NAME || '-' }}
       back_office_entra_client_id: ${{ vars.STAGING_BACK_OFFICE_ENTRA_CLIENT_ID }}
+      back_office_admins_group_id: ${{ vars.STAGING_BACK_OFFICE_ADMINS_GROUP_ID || '-' }}
       postgres_admin_object_id: ${{ vars.STAGING_POSTGRES_ADMIN_OBJECT_ID }}
       production_service_principal_object_id: ${{ vars.PRODUCTION_SERVICE_PRINCIPAL_OBJECT_ID }}
 
@@ -59,5 +60,6 @@ jobs:
       domain_name: ${{ vars.PRODUCTION_DOMAIN_NAME }}
       back_office_domain_name: ${{ vars.PRODUCTION_BACK_OFFICE_DOMAIN_NAME || '-' }}
       back_office_entra_client_id: ${{ vars.PRODUCTION_BACK_OFFICE_ENTRA_CLIENT_ID }}
+      back_office_admins_group_id: ${{ vars.PRODUCTION_BACK_OFFICE_ADMINS_GROUP_ID || '-' }}
       postgres_admin_object_id: ${{ vars.PRODUCTION_POSTGRES_ADMIN_OBJECT_ID }}
       tenant_id: ${{ vars.TENANT_ID }}

application/AppHost/Program.cs

@@ -3,6 +3,7 @@
 using AppHost;
 using Azure.Storage.Blobs;
 using Projects;
+using SharedKernel.Authentication.MockEasyAuth;
 using SharedKernel.Configuration;
 
 // Read the port allocation before CreateBuilder so we can set Aspire's dashboard env vars
@@ -91,6 +92,7 @@
     .WithEnvironment("OAUTH_PUBLIC_URL", "https://localhost:" + ports.AppGateway)
     .WithEnvironment("Hostnames__App", appHostname)
     .WithEnvironment("BackOffice__Host", backOfficeHostname)
+    .WithEnvironment("BackOffice__AdminsGroupId", MockEasyAuthIdentities.MockAdminsGroupId)
     .WithReference(accountDatabase)
     .WithReference(azureStorage)
     .WithEnvironment("OAuth__Google__ClientId", googleOAuthClientId)

application/account/BackOfficeWebApp/routes/login.tsx

@@ -11,7 +11,7 @@ import { useState } from "react";
 import logoMarkUrl from "@/shared/images/logo-mark.svg";
 import { HorizontalHeroLayout } from "@/shared/layouts/HorizontalHeroLayout";
 
-const MOCK_IDENTITY_IDS = ["admin", "support", "readonly", "plain"] as const;
+const MOCK_IDENTITY_IDS = ["admin", "user"] as const;
 
 interface MockLoginSearch {
   returnPath: string;
@@ -84,13 +84,9 @@ function MockLoginPage() {
 function getIdentityName(id: string) {
   switch (id) {
     case "admin":
-      return <Trans>Admin User</Trans>;
-    case "support":
-      return <Trans>Support User</Trans>;
-    case "readonly":
-      return <Trans>Read Only</Trans>;
-    case "plain":
-      return <Trans>Plain User</Trans>;
+      return <Trans>Admin</Trans>;
+    case "user":
+      return <Trans>User</Trans>;
     default:
       return id;
   }
@@ -100,11 +96,7 @@ function getIdentityDescription(id: string) {
   switch (id) {
     case "admin":
       return <Trans>Log in with admin rights</Trans>;
-    case "support":
-      return <Trans>Log in with support rights</Trans>;
-    case "readonly":
-      return <Trans>Log in with read-only rights</Trans>;
-    case "plain":
+    case "user":
       return <Trans>Log in without group claims</Trans>;
     default:
       return null;

application/account/BackOfficeWebApp/shared/translations/locale/da-DK.po

@@ -19,8 +19,8 @@ msgstr "Konti"
 msgid "Accounts (coming soon)"
 msgstr "Konti (kommer snart)"
 
-msgid "Admin User"
-msgstr "Administrator"
+msgid "Admin"
+msgstr "Admin"
 
 msgid "An unexpected error occurred while processing your request."
 msgstr "Der opstod en uventet fejl ved behandlingen."
@@ -91,12 +91,6 @@ msgstr "Log ind"
 msgid "Log in with admin rights"
 msgstr "Log ind med administratorrettigheder"
 
-msgid "Log in with read-only rights"
-msgstr "Log ind med skrivebeskyttede rettigheder"
-
-msgid "Log in with support rights"
-msgstr "Log ind med supportrettigheder"
-
 msgid "Log in without group claims"
 msgstr "Log ind uden gruppeclaims"
 
@@ -127,9 +121,6 @@ msgstr "Ingen"
 msgid "Page not found"
 msgstr "Siden blev ikke fundet"
 
-msgid "Plain User"
-msgstr "Almindelig bruger"
-
 msgid "PlatformPlatform logo"
 msgstr "PlatformPlatform logo"
 
@@ -139,9 +130,6 @@ msgstr "Tjek venligst URL'en eller vend tilbage til forsiden."
 msgid "Please try again or return to the home page."
 msgstr "Prøv venligst igen eller vend tilbage til forsiden."
 
-msgid "Read Only"
-msgstr "Skrivebeskyttet"
-
 msgid "Screenshots of the dashboard project with desktop and mobile versions"
 msgstr "Skærmbilleder af dashboard-projektet i desktop- og mobilversioner"
 
@@ -160,9 +148,6 @@ msgstr "Support"
 msgid "Support (coming soon)"
 msgstr "Support (kommer snart)"
 
-msgid "Support User"
-msgstr "Supportbruger"
-
 msgid "System"
 msgstr "System"
 
@@ -175,6 +160,9 @@ msgstr "Tema"
 msgid "Try again"
 msgstr "Prøv igen"
 
+msgid "User"
+msgstr "Bruger"
+
 msgid "User menu"
 msgstr "Brugermenu"
 

application/account/BackOfficeWebApp/shared/translations/locale/en-US.po

@@ -19,8 +19,8 @@ msgstr "Accounts"
 msgid "Accounts (coming soon)"
 msgstr "Accounts (coming soon)"
 
-msgid "Admin User"
-msgstr "Admin User"
+msgid "Admin"
+msgstr "Admin"
 
 msgid "An unexpected error occurred while processing your request."
 msgstr "An unexpected error occurred while processing your request."
@@ -91,12 +91,6 @@ msgstr "Log in"
 msgid "Log in with admin rights"
 msgstr "Log in with admin rights"
 
-msgid "Log in with read-only rights"
-msgstr "Log in with read-only rights"
-
-msgid "Log in with support rights"
-msgstr "Log in with support rights"
-
 msgid "Log in without group claims"
 msgstr "Log in without group claims"
 
@@ -127,9 +121,6 @@ msgstr "None"
 msgid "Page not found"
 msgstr "Page not found"
 
-msgid "Plain User"
-msgstr "Plain User"
-
 msgid "PlatformPlatform logo"
 msgstr "PlatformPlatform logo"
 
@@ -139,9 +130,6 @@ msgstr "Please check the URL or return to the home page."
 msgid "Please try again or return to the home page."
 msgstr "Please try again or return to the home page."
 
-msgid "Read Only"
-msgstr "Read Only"
-
 msgid "Screenshots of the dashboard project with desktop and mobile versions"
 msgstr "Screenshots of the dashboard project with desktop and mobile versions"
 
@@ -160,9 +148,6 @@ msgstr "Support"
 msgid "Support (coming soon)"
 msgstr "Support (coming soon)"
 
-msgid "Support User"
-msgstr "Support User"
-
 msgid "System"
 msgstr "System"
 
@@ -175,6 +160,9 @@ msgstr "Theme"
 msgid "Try again"
 msgstr "Try again"
 
+msgid "User"
+msgstr "User"
+
 msgid "User menu"
 msgstr "User menu"
 

application/account/Tests/BackOffice/BackOfficeAdminRequirementTests.cs

@@ -0,0 +1,63 @@
+using System.Security.Claims;
+using FluentAssertions;
+using Microsoft.AspNetCore.Authorization;
+using Microsoft.Extensions.Options;
+using SharedKernel.Authentication.BackOfficeIdentity;
+using Xunit;
+
+namespace Account.Tests.BackOffice;
+
+// Verifies the optional BackOffice:AdminsGroupId capability gate. When unset, no one is admin.
+// When set, the principal must carry a 'groups' claim matching the configured value.
+public sealed class BackOfficeAdminRequirementTests
+{
+    [Fact]
+    public async Task HandleRequirement_WhenAdminsGroupIdUnset_ShouldFail()
+    {
+        var handler = CreateHandler(null);
+        var requirement = new BackOfficeAdminRequirement();
+        var context = CreateAuthorizationContext(requirement, ["BackOfficeAdmins"]);
+
+        await handler.HandleAsync(context);
+
+        context.HasSucceeded.Should().BeFalse();
+    }
+
+    [Fact]
+    public async Task HandleRequirement_WhenPrincipalCarriesMatchingGroup_ShouldSucceed()
+    {
+        var handler = CreateHandler("BackOfficeAdmins");
+        var requirement = new BackOfficeAdminRequirement();
+        var context = CreateAuthorizationContext(requirement, ["BackOfficeAdmins"]);
+
+        await handler.HandleAsync(context);
+
+        context.HasSucceeded.Should().BeTrue();
+    }
+
+    [Fact]
+    public async Task HandleRequirement_WhenPrincipalLacksMatchingGroup_ShouldFail()
+    {
+        var handler = CreateHandler("BackOfficeAdmins");
+        var requirement = new BackOfficeAdminRequirement();
+        var context = CreateAuthorizationContext(requirement, []);
+
+        await handler.HandleAsync(context);
+
+        context.HasSucceeded.Should().BeFalse();
+    }
+
+    private static BackOfficeAdminAuthorizationHandler CreateHandler(string? adminsGroupId)
+    {
+        var options = Options.Create(new BackOfficeHostOptions { Host = "back-office.test.localhost", AdminsGroupId = adminsGroupId });
+        return new BackOfficeAdminAuthorizationHandler(options);
+    }
+
+    private static AuthorizationHandlerContext CreateAuthorizationContext(IAuthorizationRequirement requirement, string[] groups)
+    {
+        var claims = groups.Select(group => new Claim(BackOfficeIdentityDefaults.GroupsClaimType, group));
+        var identity = new ClaimsIdentity(claims, BackOfficeIdentityDefaults.AuthenticationScheme);
+        var principal = new ClaimsPrincipal(identity);
+        return new AuthorizationHandlerContext([requirement], principal, null);
+    }
+}