Add BackOfficeAdmins capability and simplify mock identities to admin and plain user

Author: tjementum

.github/workflows/_deploy-infrastructure.yml

@@ -37,6 +37,10 @@ on:
       back_office_entra_client_id:
         required: true
         type: string
+      back_office_admins_group_id:
+        required: false
+        type: string
+        default: "-"
       postgres_admin_object_id:
         required: true
         type: string
@@ -88,6 +92,7 @@ jobs:
         env:
           POSTGRES_ADMIN_OBJECT_ID: ${{ inputs.postgres_admin_object_id }}
           BACK_OFFICE_ENTRA_CLIENT_ID: ${{ inputs.back_office_entra_client_id }}
+          BACK_OFFICE_ADMINS_GROUP_ID: ${{ inputs.back_office_admins_group_id }}
           GOOGLE_OAUTH_CLIENT_ID: ${{ vars.GOOGLE_OAUTH_CLIENT_ID }}
           GOOGLE_OAUTH_CLIENT_SECRET: ${{ secrets.GOOGLE_OAUTH_CLIENT_SECRET }}
           STRIPE_PUBLISHABLE_KEY: ${{ vars.STRIPE_PUBLISHABLE_KEY }}
@@ -169,6 +174,7 @@ jobs:
         env:
           POSTGRES_ADMIN_OBJECT_ID: ${{ inputs.postgres_admin_object_id }}
           BACK_OFFICE_ENTRA_CLIENT_ID: ${{ inputs.back_office_entra_client_id }}
+          BACK_OFFICE_ADMINS_GROUP_ID: ${{ inputs.back_office_admins_group_id }}
           GOOGLE_OAUTH_CLIENT_ID: ${{ vars.GOOGLE_OAUTH_CLIENT_ID }}
           GOOGLE_OAUTH_CLIENT_SECRET: ${{ secrets.GOOGLE_OAUTH_CLIENT_SECRET }}
           STRIPE_PUBLISHABLE_KEY: ${{ vars.STRIPE_PUBLISHABLE_KEY }}

.github/workflows/cloud-infrastructure.yml

@@ -39,6 +39,7 @@ jobs:
       domain_name: ${{ vars.STAGING_DOMAIN_NAME }}
       back_office_domain_name: ${{ vars.STAGING_BACK_OFFICE_DOMAIN_NAME || '-' }}
       back_office_entra_client_id: ${{ vars.STAGING_BACK_OFFICE_ENTRA_CLIENT_ID }}
+      back_office_admins_group_id: ${{ vars.STAGING_BACK_OFFICE_ADMINS_GROUP_ID || '-' }}
       postgres_admin_object_id: ${{ vars.STAGING_POSTGRES_ADMIN_OBJECT_ID }}
       production_service_principal_object_id: ${{ vars.PRODUCTION_SERVICE_PRINCIPAL_OBJECT_ID }}
 
@@ -59,5 +60,6 @@ jobs:
       domain_name: ${{ vars.PRODUCTION_DOMAIN_NAME }}
       back_office_domain_name: ${{ vars.PRODUCTION_BACK_OFFICE_DOMAIN_NAME || '-' }}
       back_office_entra_client_id: ${{ vars.PRODUCTION_BACK_OFFICE_ENTRA_CLIENT_ID }}
+      back_office_admins_group_id: ${{ vars.PRODUCTION_BACK_OFFICE_ADMINS_GROUP_ID || '-' }}
       postgres_admin_object_id: ${{ vars.PRODUCTION_POSTGRES_ADMIN_OBJECT_ID }}
       tenant_id: ${{ vars.TENANT_ID }}

application/AppHost/Program.cs

@@ -3,6 +3,7 @@
 using AppHost;
 using Azure.Storage.Blobs;
 using Projects;
+using SharedKernel.Authentication.MockEasyAuth;
 using SharedKernel.Configuration;
 
 // Read the port allocation before CreateBuilder so we can set Aspire's dashboard env vars
@@ -91,6 +92,7 @@
     .WithEnvironment("OAUTH_PUBLIC_URL", "https://localhost:" + ports.AppGateway)
     .WithEnvironment("Hostnames__App", appHostname)
     .WithEnvironment("BackOffice__Host", backOfficeHostname)
+    .WithEnvironment("BackOffice__AdminsGroupId", MockEasyAuthIdentities.MockAdminsGroupId)
     .WithReference(accountDatabase)
     .WithReference(azureStorage)
     .WithEnvironment("OAuth__Google__ClientId", googleOAuthClientId)

application/account/BackOfficeWebApp/routes/login.tsx

@@ -11,7 +11,7 @@ import { useState } from "react";
 import logoMarkUrl from "@/shared/images/logo-mark.svg";
 import { HorizontalHeroLayout } from "@/shared/layouts/HorizontalHeroLayout";
 
-const MOCK_IDENTITY_IDS = ["admin", "support", "readonly", "plain"] as const;
+const MOCK_IDENTITY_IDS = ["admin", "user"] as const;
 
 interface MockLoginSearch {
   returnPath: string;
@@ -84,13 +84,9 @@ function MockLoginPage() {
 function getIdentityName(id: string) {
   switch (id) {
     case "admin":
-      return <Trans>Admin User</Trans>;
-    case "support":
-      return <Trans>Support User</Trans>;
-    case "readonly":
-      return <Trans>Read Only</Trans>;
-    case "plain":
-      return <Trans>Plain User</Trans>;
+      return <Trans>Admin</Trans>;
+    case "user":
+      return <Trans>User</Trans>;
     default:
       return id;
   }
@@ -100,11 +96,7 @@ function getIdentityDescription(id: string) {
   switch (id) {
     case "admin":
       return <Trans>Log in with admin rights</Trans>;
-    case "support":
-      return <Trans>Log in with support rights</Trans>;
-    case "readonly":
-      return <Trans>Log in with read-only rights</Trans>;
-    case "plain":
+    case "user":
       return <Trans>Log in without group claims</Trans>;
     default:
       return null;

application/account/BackOfficeWebApp/shared/translations/locale/da-DK.po

@@ -19,8 +19,8 @@ msgstr "Konti"
 msgid "Accounts (coming soon)"
 msgstr "Konti (kommer snart)"
 
-msgid "Admin User"
-msgstr "Administrator"
+msgid "Admin"
+msgstr "Admin"
 
 msgid "An unexpected error occurred while processing your request."
 msgstr "Der opstod en uventet fejl ved behandlingen."
@@ -91,12 +91,6 @@ msgstr "Log ind"
 msgid "Log in with admin rights"
 msgstr "Log ind med administratorrettigheder"
 
-msgid "Log in with read-only rights"
-msgstr "Log ind med skrivebeskyttede rettigheder"
-
-msgid "Log in with support rights"
-msgstr "Log ind med supportrettigheder"
-
 msgid "Log in without group claims"
 msgstr "Log ind uden gruppeclaims"
 
@@ -127,9 +121,6 @@ msgstr "Ingen"
 msgid "Page not found"
 msgstr "Siden blev ikke fundet"
 
-msgid "Plain User"
-msgstr "Almindelig bruger"
-
 msgid "PlatformPlatform logo"
 msgstr "PlatformPlatform logo"
 
@@ -139,9 +130,6 @@ msgstr "Tjek venligst URL'en eller vend tilbage til forsiden."
 msgid "Please try again or return to the home page."
 msgstr "Prøv venligst igen eller vend tilbage til forsiden."
 
-msgid "Read Only"
-msgstr "Skrivebeskyttet"
-
 msgid "Screenshots of the dashboard project with desktop and mobile versions"
 msgstr "Skærmbilleder af dashboard-projektet i desktop- og mobilversioner"
 
@@ -160,9 +148,6 @@ msgstr "Support"
 msgid "Support (coming soon)"
 msgstr "Support (kommer snart)"
 
-msgid "Support User"
-msgstr "Supportbruger"
-
 msgid "System"
 msgstr "System"
 
@@ -175,6 +160,9 @@ msgstr "Tema"
 msgid "Try again"
 msgstr "Prøv igen"
 
+msgid "User"
+msgstr "Bruger"
+
 msgid "User menu"
 msgstr "Brugermenu"
 

application/account/BackOfficeWebApp/shared/translations/locale/en-US.po

@@ -19,8 +19,8 @@ msgstr "Accounts"
 msgid "Accounts (coming soon)"
 msgstr "Accounts (coming soon)"
 
-msgid "Admin User"
-msgstr "Admin User"
+msgid "Admin"
+msgstr "Admin"
 
 msgid "An unexpected error occurred while processing your request."
 msgstr "An unexpected error occurred while processing your request."
@@ -91,12 +91,6 @@ msgstr "Log in"
 msgid "Log in with admin rights"
 msgstr "Log in with admin rights"
 
-msgid "Log in with read-only rights"
-msgstr "Log in with read-only rights"
-
-msgid "Log in with support rights"
-msgstr "Log in with support rights"
-
 msgid "Log in without group claims"
 msgstr "Log in without group claims"
 
@@ -127,9 +121,6 @@ msgstr "None"
 msgid "Page not found"
 msgstr "Page not found"
 
-msgid "Plain User"
-msgstr "Plain User"
-
 msgid "PlatformPlatform logo"
 msgstr "PlatformPlatform logo"
 
@@ -139,9 +130,6 @@ msgstr "Please check the URL or return to the home page."
 msgid "Please try again or return to the home page."
 msgstr "Please try again or return to the home page."
 
-msgid "Read Only"
-msgstr "Read Only"
-
 msgid "Screenshots of the dashboard project with desktop and mobile versions"
 msgstr "Screenshots of the dashboard project with desktop and mobile versions"
 
@@ -160,9 +148,6 @@ msgstr "Support"
 msgid "Support (coming soon)"
 msgstr "Support (coming soon)"
 
-msgid "Support User"
-msgstr "Support User"
-
 msgid "System"
 msgstr "System"
 
@@ -175,6 +160,9 @@ msgstr "Theme"
 msgid "Try again"
 msgstr "Try again"
 
+msgid "User"
+msgstr "User"
+
 msgid "User menu"
 msgstr "User menu"
 

application/account/Tests/BackOffice/BackOfficeAdminRequirementTests.cs

@@ -0,0 +1,63 @@
+using System.Security.Claims;
+using FluentAssertions;
+using Microsoft.AspNetCore.Authorization;
+using Microsoft.Extensions.Options;
+using SharedKernel.Authentication.BackOfficeIdentity;
+using Xunit;
+
+namespace Account.Tests.BackOffice;
+
+// Verifies the optional BackOffice:AdminsGroupId capability gate. When unset, no one is admin.
+// When set, the principal must carry a 'groups' claim matching the configured value.
+public sealed class BackOfficeAdminRequirementTests
+{
+    [Fact]
+    public async Task HandleRequirement_WhenAdminsGroupIdUnset_ShouldFail()
+    {
+        var handler = CreateHandler(null);
+        var requirement = new BackOfficeAdminRequirement();
+        var context = CreateAuthorizationContext(requirement, ["BackOfficeAdmins"]);
+
+        await handler.HandleAsync(context);
+
+        context.HasSucceeded.Should().BeFalse();
+    }
+
+    [Fact]
+    public async Task HandleRequirement_WhenPrincipalCarriesMatchingGroup_ShouldSucceed()
+    {
+        var handler = CreateHandler("BackOfficeAdmins");
+        var requirement = new BackOfficeAdminRequirement();
+        var context = CreateAuthorizationContext(requirement, ["BackOfficeAdmins"]);
+
+        await handler.HandleAsync(context);
+
+        context.HasSucceeded.Should().BeTrue();
+    }
+
+    [Fact]
+    public async Task HandleRequirement_WhenPrincipalLacksMatchingGroup_ShouldFail()
+    {
+        var handler = CreateHandler("BackOfficeAdmins");
+        var requirement = new BackOfficeAdminRequirement();
+        var context = CreateAuthorizationContext(requirement, []);
+
+        await handler.HandleAsync(context);
+
+        context.HasSucceeded.Should().BeFalse();
+    }
+
+    private static BackOfficeAdminAuthorizationHandler CreateHandler(string? adminsGroupId)
+    {
+        var options = Options.Create(new BackOfficeHostOptions { Host = "back-office.test.localhost", AdminsGroupId = adminsGroupId });
+        return new BackOfficeAdminAuthorizationHandler(options);
+    }
+
+    private static AuthorizationHandlerContext CreateAuthorizationContext(IAuthorizationRequirement requirement, string[] groups)
+    {
+        var claims = groups.Select(group => new Claim(BackOfficeIdentityDefaults.GroupsClaimType, group));
+        var identity = new ClaimsIdentity(claims, BackOfficeIdentityDefaults.AuthenticationScheme);
+        var principal = new ClaimsPrincipal(identity);
+        return new AuthorizationHandlerContext([requirement], principal, null);
+    }
+}

application/account/WebApp/tests/e2e/back-office-flows.spec.ts

@@ -41,12 +41,12 @@ test.describe("@smoke", () => {
 
         await expect(page).toHaveURL(`${BACK_OFFICE_BASE_URL}/login?returnPath=%2Fapi%2Fback-office%2Fme`);
         await expect(page.getByRole("heading", { name: "BackOffice - Localhost" })).toBeVisible();
-        await expect(page.getByRole("radio", { name: "Admin User Log in with admin rights" })).toBeVisible();
+        await expect(page.getByRole("radio", { name: "Admin Log in with admin rights" })).toBeVisible();
       }
     )();
 
     await step("Pick the Admin identity & verify callback redirects back to the protected endpoint")(async () => {
-      await page.getByRole("radio", { name: "Admin User Log in with admin rights" }).click();
+      await page.getByRole("radio", { name: "Admin Log in with admin rights" }).click();
       await page.getByRole("button", { name: "Log in" }).click();
 
       await expect(page).toHaveURL(`${BACK_OFFICE_BASE_URL}/api/back-office/me`);
@@ -59,7 +59,7 @@ test.describe("@smoke", () => {
 
       expect(response.status()).toBe(200);
       const payload = await response.json();
-      expect(payload.displayName).toBe("Admin User");
+      expect(payload.displayName).toBe("Admin");
       expect(payload.groups).toContain("BackOfficeAdmins");
     })();
 

application/shared-kernel/SharedKernel/Authentication/BackOfficeIdentity/BackOfficeAdminRequirement.cs

@@ -0,0 +1,29 @@
+using Microsoft.AspNetCore.Authorization;
+using Microsoft.Extensions.Options;
+
+namespace SharedKernel.Authentication.BackOfficeIdentity;
+
+public sealed class BackOfficeAdminRequirement : IAuthorizationRequirement;
+
+// Authorization handler enforcing the optional back-office admin capability. Easy Auth gates the
+// container app to authenticated tenant users; this requirement adds an opt-in admin gate on top.
+// When BackOffice:AdminsGroupId is unset, no one passes (admin features are off). When set, the
+// principal must carry a 'groups' claim matching the configured value.
+public sealed class BackOfficeAdminAuthorizationHandler(IOptions<BackOfficeHostOptions> options)
+    : AuthorizationHandler<BackOfficeAdminRequirement>
+{
+    private readonly BackOfficeHostOptions _options = options.Value;
+
+    protected override Task HandleRequirementAsync(AuthorizationHandlerContext context, BackOfficeAdminRequirement requirement)
+    {
+        if (string.IsNullOrWhiteSpace(_options.AdminsGroupId)) return Task.CompletedTask;
+
+        var hasGroup = context.User.Claims.Any(claim =>
+            claim.Type == BackOfficeIdentityDefaults.GroupsClaimType &&
+            string.Equals(claim.Value, _options.AdminsGroupId, StringComparison.Ordinal)
+        );
+
+        if (hasGroup) context.Succeed(requirement);
+        return Task.CompletedTask;
+    }
+}

application/shared-kernel/SharedKernel/Authentication/BackOfficeIdentity/BackOfficeHostOptions.cs

@@ -8,4 +8,6 @@ public sealed class BackOfficeHostOptions
 
     [Required(AllowEmptyStrings = false)]
     public string Host { get; init; } = string.Empty;
+
+    public string? AdminsGroupId { get; init; }
 }