DPS907 WSA500 Assignment 5

A portfolio of apps that share a common security environment.

Read/skim all of this document before you begin work.

 

Due date

Friday, November 30, 2018, at 11:00pm ET

Grade value: 20% of your final course grade

If you wish to submit the assignment before the due date and time, you can do that.

It is VERY IMPORTANT to submit your work before the due date and time. 
This assignment CANNOT be late.
If it is not submitted by the due date and time, your Assignment 5 grade will be zero. 

Grading will begin soon after the submission date and time, and will continue into the next week. 
The demonstration on December 3, 4, 5, or 6 is worth marks, and is part of the grading scheme. 

 

Objective(s)

Create a working portfolio of apps that share a common security environment. Use the professor-provided IA Server app for identity management and the cookie/token-issuing part of authentication.

A simple diagram that shows the intended end result is below.

 

Introduction to the problem to be solved

Assume that you are in an organization that is implementing a portfolio of web apps and web services. All will share a common security environment.

We must create that common security environment, and ensure that it works. There will be three apps. One will be the IA Server app. Another app will be a data-rich app (using the web service project template that includes the Chinook sample database). A third app will implement resource ownership principles, as well as prove that it’s possible to add another app to the common security environment.

 

Specifications overview and work plan

The following specifications apply to all of your assignments:

  • Follows best practices
  • Implements the recommended system design guidance
  • Customized appearance on the landing web page
  • Uses Entity Framework and Code First technology
  • Includes a Fiddler log file that shows complete coverage of tests
  • Delivers hypermedia representations from apps

For this assignment, here is what we’re looking for:

  • A correctly-configured IA Server app, with initial users and app claims
  • Additional added (at run/test time) app claims and user accounts
  • In the new data-rich app, add and configure the security components it needs
  • In addition, add the resource models, manager, and controller code to deliver employee data, using a range of authorization criteria
  • In the simple app, add and configure the security components it needs
  • Edit its Values controller, to deliver simple string data, using a range of authorization criteria

 

During the class/session, your professor will help you get started and make progress on this assignment.

DPS907 students must do one more task: “Configure manager/supervisor” must work only for the new manager/supervisor. 

 

Getting started

Get the IAServer project from the GitHub code example repository. It is in the week 9 folder.

  • Do NOT load and run this IA Server app yet

Next, create a new web service, named A5Music. It will use the “Web service project template v1”.

Coming soon – Another new web service, named A5Owner, will be created.
Do it when the updated specifications are published.

For both the A5Music app and the future A5Owner app, remember to customize the home controller’s index view with your personal information, and the _Layout.cshtml view template with the application name.

 

Doing the work

Let’s start by preparing the infrastructure components.

 

IA Server app configuration, with initial users and app claims

Open the IA Server app in Visual Studio. Do a build/compile (to bring in the packages), but do not load and run the app yet.

  • Do NOT load and run this IA Server app yet!

To facilitate testing and grading, we must change its database’s “Initial Catalog” name. How?

  1. Open its Web.config source code file
  2. Look for the connection string named “DataContext”
  3. In its connectionString attribute value, look for the “Initial Catalog=IAStore;” string

Change the “IAStore” string so that it includes “IA” and part of your Seneca user account name. For example, your professor’s Seneca user account name is “pmcintyr”, so his string value would be changed to, for example, “Initial Catalog=IApmcintyr;“.

Next, configure the IA Server to programmatically create a new user account – for you – when the app loads for the first time. (The app already creates the uam and dev user accounts.) Just copy-paste the existing code block, and change the copied code so that it creates a user account for you.

Then, configure some “app claims” for the “master list” of allowable claims. Use the existing method stub (code block), and fill in the claims that you want your app to have. Recall that we’re working with the music business theme. At a minimum, please create these app claims:

  • Role claims, for Employee, and Customer
  • OU claims, at least three (3), for departments (organizational units) that would typically work with employees and customers
  • OU claims, at least three (3), for city names (locations); you can assume that the music business has offices or facilities in a number of cities worldwide
  • Task claims, at least three (3), for the kinds of tasks that would typically be done for employee, customer, and sales tasks; some of these claims should address typical human resources activities (read/skim the linked article to learn more about that organizational function)

Finally, you should be able to load and run the app. When you do, you will notice that you can login as uam, dev, or your new account. (Use the “Login” link on the web page that loads.) Make sure this works correctly BEFORE continuing.

 

Additional app claims and user accounts

Using the existing functionality in the IA Server (look for a controller that will enable you to do so), add two (2) additional app claims, for the OU and/or Task claim types.

Make sure you capture that activity in Fiddler.

Then, using the existing functionality in the IA Server, create several user accounts, with claims that make sense for the kind of user account. Here’s what we suggest:

Use a common password for all user accounts (maybe Password123!). That way, your testing process will be easier (and the marking process will be easier).

Create about four user accounts for employees of the music business. We recommend that you use the data from the Employees entity collection in the sample database. In other words, select about four of the existing “employees”, and create user accounts for them.

Optionally, you can also add more accounts, with simple names, for example, emp1@example.com, emp2, emp3, and emp4. Or, you could use a name that more closely matches their primary job function (e.g. sales1, clerk3, etc.).

When you are creating user accounts, ensure that you configure claims that make sense. Each user account will have a role claim, and it is likely that each will also have (two or more) custom claims.

Note that this work will be captured by the Fiddler request logging feature, so that your professor will be able to see that this was done correctly.

 

In the A5Music app, add and configure the security components it needs

The A5Music app will need to validate access tokens.

Therefore, as you have recently learned, add the necessary security components to the app.

Additionally, configure the app (and the other participating apps) to use a common encryption/decryption key for the access tokens and cookies.

 

In the A5Music app, add the hypermedia representation formatter

As you have recently done, add the hypermedia representation formatter to this app. Remember to activate it in the pipeline.

 

In the A5Music app, enable it to deliver employee data

This app will fulfill a small number of use cases:

  1. Get all employees
  2. Get one employee
  3. Add new employee
  4. Configure an employee’s manager (supervisor)

You do NOT have to return results from associated/related objects. The goal in this assignment is to participate in a common security environment, and configure controller actions with various “authorize” attributes.

Have you done some of this work before? Yes.

Review and re-use your work from a previous assignment or a posted code example.

 

Get all employees

This will work for users with these claims:

  • Role Employee, and
  • One of the OU or Task claims

 

Get one employee

This will work for users with these claims:

  • Role Employee, and
  • Two of the OU and/or Task claims

The result is that this action will have three (3) “and” conditions for authorization.

 

Add new employee

This will work for users with these claims:

  • Role Employee, and
  • A Task claim that has something to do with the ability to add a new employee
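
For the three employee use cases above, here is one way to express the “and” conditions as stacked authorization attributes in ASP.NET Web API 2. This is an added example, not code from the course or from the professor’s project template. The attribute class, the claim type names (Role, OU, Task), the claim values, the in-memory sample rows (constructed) and the use of attribute routing are all assumptions; substitute the claim types and values your IA Server actually issues (for example, the role claim may be issued as ClaimTypes.Role rather than “Role”).

```csharp
// Added example, not code from the course or the professor's template.
// One authorization filter = one "and" condition; within one instance, ANY of
// the listed claims satisfies it. Claim type names and values are assumptions.
using System;
using System.Collections.Generic;
using System.Linq;
using System.Net;
using System.Net.Http;
using System.Security.Claims;
using System.Web.Http;
using System.Web.Http.Controllers;
using System.Web.Http.Filters;

[AttributeUsage(AttributeTargets.Method | AttributeTargets.Class, AllowMultiple = true)]
public class RequireAnyClaimAttribute : AuthorizationFilterAttribute
{
    private readonly Claim[] _accepted;

    // Each argument is "type:value", e.g. "OU:Toronto" or "Task:AddEmployee"
    public RequireAnyClaimAttribute(params string[] typeValuePairs)
    {
        _accepted = typeValuePairs
            .Select(p => p.Split(new[] { ':' }, 2))
            .Select(parts => new Claim(parts[0], parts[1]))
            .ToArray();
    }

    public override void OnAuthorization(HttpActionContext actionContext)
    {
        var user = actionContext.RequestContext.Principal as ClaimsPrincipal;

        // No valid access token or cookie: 401
        if (user == null || !user.Identity.IsAuthenticated)
        {
            actionContext.Response = actionContext.Request.CreateResponse(HttpStatusCode.Unauthorized);
            return;
        }

        // Authenticated, but holds none of the accepted claims: 403.
        // HasClaim matches the claim type case-insensitively and the value
        // exactly, so attribute values must match what the IA Server issues.
        if (!_accepted.Any(c => user.HasClaim(c.Type, c.Value)))
        {
            actionContext.Response = actionContext.Request.CreateResponse(HttpStatusCode.Forbidden);
        }
    }
}

// Minimal resource model standing in for your own EmployeeBase
public class EmployeeBase
{
    public int EmployeeId { get; set; }
    public string FirstName { get; set; }
    public string LastName { get; set; }
    public string Email { get; set; }
}

[RoutePrefix("api/employees")]
public class EmployeesController : ApiController
{
    // Constructed sample rows standing in for the Chinook Employees collection
    private static readonly List<EmployeeBase> Employees = new List<EmployeeBase>
    {
        new EmployeeBase { EmployeeId = 1, FirstName = "Andrew", LastName = "Adams", Email = "andrew@chinookcorp.com" },
        new EmployeeBase { EmployeeId = 2, FirstName = "Nancy", LastName = "Edwards", Email = "nancy@chinookcorp.com" }
    };

    // Get all: Role Employee AND one of the OU/Task claims (two "and" conditions)
    [Route(""), HttpGet]
    [RequireAnyClaim("Role:Employee")]
    [RequireAnyClaim("OU:HumanResources", "OU:Sales", "Task:ReadEmployee")]
    public IHttpActionResult GetAll()
    {
        return Ok(Employees);
    }

    // Get one: Role Employee AND an OU claim AND a Task claim (three "and" conditions)
    [Route("{id}"), HttpGet]
    [RequireAnyClaim("Role:Employee")]
    [RequireAnyClaim("OU:HumanResources")]
    [RequireAnyClaim("Task:ReadEmployee")]
    public IHttpActionResult GetOne(int id)
    {
        var e = Employees.SingleOrDefault(x => x.EmployeeId == id);
        return (e == null) ? (IHttpActionResult)NotFound() : Ok(e);
    }

    // Add new: Role Employee AND a Task claim that covers adding employees
    [Route(""), HttpPost]
    [RequireAnyClaim("Role:Employee")]
    [RequireAnyClaim("Task:AddEmployee")]
    public IHttpActionResult Post([FromBody] EmployeeBase newItem)
    {
        if (newItem == null || !ModelState.IsValid) return BadRequest(ModelState);
        newItem.EmployeeId = Employees.Max(x => x.EmployeeId) + 1;
        Employees.Add(newItem);
        return Created(Request.RequestUri + "/" + newItem.EmployeeId, newItem);
    }
}
```

Web API runs every authorization filter on an action, and the first one that sets a response short-circuits the rest, so stacking the attributes yields the “and”; the alternatives listed inside one attribute are how “one of the OU or Task claims” is expressed. Unauthenticated callers receive 401 and authenticated callers without the right claims receive 403; a Fiddler capture that shows both outcomes, for each action, is the evidence that the criteria are wired correctly.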

 

WSA500 students ONLY – Configure an employee’s manager (supervisor)

This will work for users with these claims:

  • Role Employee, and
  • A Task claim that has something to do with being a manager/supervisor

 

DPS907 students ONLY – Configure an employee’s manager (supervisor)

This will work for users with these claims:

  • Role Employee, and
  • A Task claim that has something to do with being a manager/supervisor

This work has one extra security feature.

If the two conditions above are met, then the actual work done in the Manager method will succeed ONLY if the user account name in the request’s security principal matches the user account name in the employee that will be the manager/supervisor. In other words, only the employee’s new manager/supervisor can do this task.

When you are testing this use case, make sure that you are authenticated as one of the “employees” that are actually in the database’s Employees entity collection.

How would you do this? Do an extra check in the Manager method – check the security principal. (You learned about this in both your web apps course, and in this course.) Compare the user name (which is enough, in this situation, to uniquely identify a user).

For example, if the current request is from Andrew Adams, and the request is to configure Andrew as Nancy Edwards’ manager/supervisor, you would expect that the request would succeed.

However, if the current request is from someone else (e.g. “clerk3@example.com”), and the request is to configure Andrew as Nancy’s manager/supervisor, you would expect that the request would fail.

As was just mentioned above, in the past, you have learned how to check the security principal:

var user = HttpContext.Current.User as ClaimsPrincipal;

The “user” variable has an “Identity” property, which has the user name value that you need to compare. (And recall that user name is the same as the user’s email address.)
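
Putting that together, here is one way to write the Manager method with the extra check. This is an added example, not code from the course template; the names ds (the template’s Entity Framework data context), Employees (the Chinook Employee entity set, with its Email and ReportsTo columns), mapper (the template’s AutoMapper instance) and EmployeeBase (your resource model) are assumed, and the Manager class is shown as partial only so the snippet can sit beside the existing class.

```csharp
// Added example, not code from the course template. Ownership check for the
// DPS907 "configure manager/supervisor" use case, done inside the Manager.
// Assumed: `ds` (EF data context), `ds.Employees` (Chinook Employee entities),
// `mapper` (AutoMapper IMapper), `EmployeeBase` (your resource model).
using System;
using System.Security.Claims;
using System.Web;

public partial class Manager
{
    // Account name of the caller, or null when there is no authenticated principal.
    // In this security environment the user name IS the user's e-mail address.
    private static string CallerAccountName()
    {
        var user = HttpContext.Current.User as ClaimsPrincipal;
        if (user == null || user.Identity == null || !user.Identity.IsAuthenticated) return null;
        return user.Identity.Name;
    }

    // Makes managerId the manager/supervisor of employeeId. Returns null when
    // either employee is missing, or when the caller is not the new manager.
    public EmployeeBase EmployeeSetManager(int employeeId, int managerId)
    {
        var employee = ds.Employees.Find(employeeId);
        var manager = ds.Employees.Find(managerId);
        if (employee == null || manager == null) return null;

        // Extra check: the caller must BE the employee who becomes the manager.
        // Compare account names case-insensitively (e-mail addresses); nothing
        // else in the request (body, headers) is trusted for this decision.
        var caller = CallerAccountName();
        if (caller == null ||
            !string.Equals(caller, manager.Email, StringComparison.OrdinalIgnoreCase))
        {
            return null;
        }

        employee.ReportsTo = manager.EmployeeId;
        ds.SaveChanges();
        return mapper.Map<EmployeeBase>(employee);
    }
}
```

With Andrew Adams authenticated (andrew@chinookcorp.com in the Chinook data) and a request to make Andrew the manager of Nancy Edwards, the Email comparison succeeds and ReportsTo is updated; with clerk3@example.com authenticated, the same request returns null and the controller reports a failure. Returning null collapses “not found” and “not the caller” into one outcome (typically 404); if you want the ownership failure reported as 403 instead, have the Manager signal it distinctly (for example, by throwing a dedicated exception the controller maps to Forbidden).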

 

Introducing the A5Owner app

This new app will participate in the security domain, and enable you to implement the techniques in the recently-covered “resource ownership” topic.

The app’s data will be the “smartphones” data that we worked with earlier in the course.

Your professor has created a working and tested project that you can use as a base for your work, which will add security-awareness, and the ability to handle the resource ownership constraints.

 

Getting started

Get the A5Owner project (as a zip file) from the course’s code repository. It is in the templates and solutions directory/folder.

As delivered, it is configured to use a database once you have added the necessary pieces (described below). If you wish, you can build/compile and run, to view its home page in a browser.

 

Make the A5Owner app participate in your security domain

Similar to what you did (above) in the A5Music app, configure this A5Owner app with the necessary security components. This task includes the addition of the new RequestUser class to the project.

 

Add the data classes and database pieces

Now, add a “Smartphone” design model class to your project. If you wish, you can use the class that’s in the Assignment 1 example solution that’s posted in the course code example repository, in the templates and solutions folder. If you write your own class, or use your own code from your own Assignment 1 solution, make sure it has at least the same properties that are in the example solution’s class.

An important property MUST exist in the Smartphone class – an “Owner” (string) property (as you learned recently). Make sure it’s there before continuing.

Add a DbSet<TEntity> property to the data context class.

 

Add manager code, resource models, and controller

Add the manager code that declares the AutoMapper create-maps.

Add the appropriate methods to the Manager class, for handling get-all, get-one, and add-new situations. If you copy code from your own solution or from the example solution, then the code is not yet complete – you must add more.

As you recently learned, the “add new” method MUST include code to set/configure the owner’s user account name, using information you get from the security principal attached to the request thread.

For the “get all” and “get one” methods, make sure that they return results ONLY for the user represented in the security principal attached to the request thread.

Add resource models from your own solution, or from the sample solution, or written new from scratch.

Add a controller, and methods that handle get-all, get-one, and add-new use cases. Again, you can use code from your own solution, or from the sample solution, or written new from scratch.

At this point in time, your work should build and compile clean, and should run.

When testing:

  1. Ensure that you use at least three (3) separate user accounts.
  2. For each user account, create at least three (3) smartphone objects.
  3. When running and capturing your Fiddler tests, ensure that they show the results from the three controller use cases. Look for and confirm that attempts to fetch (get-all or get-one) smartphone objects that are NOT owned by the current user are unsuccessful. In other words, the current user must be able to fetch their own smartphone objects only.
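
To illustrate the owner-scoping rules for the three A5Owner use cases, here is one way to write the Manager methods. This is an added example, not code from the A5Owner base project; the names ds (data context with a DbSet<Smartphone> named Smartphones), mapper (the project’s AutoMapper instance), and the resource models SmartphoneBase and SmartphoneAdd are assumed, and Smartphone is assumed to have an int Id and the string Owner property required above.

```csharp
// Added example, not code from the A5Owner base project. Owner-scoped Manager
// methods. Assumed: `ds.Smartphones` (DbSet<Smartphone>), `mapper` (AutoMapper
// IMapper), `SmartphoneBase`/`SmartphoneAdd` resource models, and a Smartphone
// entity with `int Id` and `string Owner`.
using System;
using System.Collections.Generic;
using System.Linq;
using System.Security.Claims;
using System.Web;

public partial class Manager
{
    // Account name from the security principal on the request thread, or null
    private static string CurrentOwner()
    {
        var user = HttpContext.Current.User as ClaimsPrincipal;
        return (user != null && user.Identity.IsAuthenticated) ? user.Identity.Name : null;
    }

    // Get all: the Owner filter is part of the database query, so other users'
    // rows are never materialized, let alone serialized into the response.
    public IEnumerable<SmartphoneBase> SmartphoneGetAll()
    {
        var owner = CurrentOwner();
        if (owner == null) return Enumerable.Empty<SmartphoneBase>();

        var mine = ds.Smartphones.Where(s => s.Owner == owner).OrderBy(s => s.Id).ToList();
        return mapper.Map<IEnumerable<SmartphoneBase>>(mine);
    }

    // Get one: ownership is ANDed with the key lookup, so a smartphone that
    // exists but belongs to someone else yields null (404), exactly like one
    // that does not exist; the response does not reveal which case applied.
    public SmartphoneBase SmartphoneGetOne(int id)
    {
        var owner = CurrentOwner();
        if (owner == null) return null;

        var o = ds.Smartphones.SingleOrDefault(s => s.Id == id && s.Owner == owner);
        return (o == null) ? null : mapper.Map<SmartphoneBase>(o);
    }

    // Add new: Owner is taken from the security principal, never from the
    // request body, so a client cannot create an object owned by someone else.
    public SmartphoneBase SmartphoneAdd(SmartphoneAdd newItem)
    {
        var owner = CurrentOwner();
        if (owner == null || newItem == null) return null;

        var added = ds.Smartphones.Add(mapper.Map<Smartphone>(newItem));
        added.Owner = owner;
        ds.SaveChanges();
        return mapper.Map<SmartphoneBase>(added);
    }
}
```

Keep the Owner property out of the SmartphoneAdd resource model (or, as here, overwrite it after mapping) so that nothing a client sends can influence ownership. In the Fiddler capture, the get-one test against another user’s object should show the same 404 as a request for a non-existent id, and the get-all results for each of the three accounts should contain only that account’s three objects.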

 

Testing your work

Use Fiddler.

Test all scenarios (use cases).

This time, add some requests that you know will cause HTTP response errors (400s and/or 500s), so that we know that your app is responding with the correct status code etc.

Again, remember the tip from the notes:
Create a plain text file in your project root to store entity bodies that can be used in copy/paste.

 

Saving – “exporting” – your tests

On the left side list of requests, you can delete items that you do not want to be included in the export.

When you’re ready to save, choose File > Export Sessions > All Sessions…

The export format will be “HTTPArchive v1.2”. Click the Next button to choose a save location (your project’s root, in the same folder level as the “packages” and “assign1” folder) and specify a filename. Name the file by using the project name (e.g. “whatever.har”).

(You can test whether the export was successful. How? First, close then re-open Fiddler. Choose File > Import Sessions. Select “HTTPArchive” as the import format. Navigate to the folder that holds the “.har” file, and select it. Finally, browse through the request-response sessions.)

 

Reminder about academic honesty

You must comply with the College’s academic honesty policy.

Although you may interact and collaborate with others, you must submit your own work.

 

Submitting your work

This Assignment 5 has a modified submission process (when compared to earlier assignments). 

We need all three projects to be able to grade your work. 

Therefore, here is the modified procedure:

  1. Make copies of all three projects
  2. For each project, remove its packages, bin, and obj folders
  3. Zip all three projects together (in one zip file), and upload to the designated location on My.Seneca/Blackboard before the due date-and-time

 

For example, assume that you are currently viewing a folder named “A5” in File Explorer.

It should have these three sub-folders:

  1. IA
  2. A5Music
  3. A5Owner

Select all three folders, then zip them into one zip file result.

 

 

 

 

 
