Provicevko/create tech admin net6 (#764)

* Create SuperAdmin.sql

Added sql file

* Added MustChangePassword field to User model

* Changed results

* Added UserManagerAdditionalService

* Added ChangePasswordLogin

* Added using password regex from constants

* Added tests

* Added localizer messages

* Updated NUnit version

* Added MustChangePassword migration

* namespace fix

* Renamed admin role to techadmin role

* AddedTechAdminWithMustChangePassword migration

* fix migration issue

* Updated SuperAdmin.sql

* Net6 null check

Author: strivitech

Config/SuperAdmin.sql

@@ -0,0 +1,63 @@
+USE OutOfSchoolDb;
+
+INSERT INTO AspNetUsers
+(Id,
+CreatingTime,
+LastLogin,
+LastName,
+MiddleName,
+FirstName,
+Role,
+UserName,
+NormalizedUserName,
+Email,
+NormalizedEmail,
+EmailConfirmed,
+PasswordHash,
+SecurityStamp,
+ConcurrencyStamp,
+PhoneNumber,
+PhoneNumberConfirmed,
+TwoFactorEnabled,
+LockoutEnd,
+LockoutEnabled,
+AccessFailedCount,
+IsRegistered,
+MustChangePassword)
+VALUES
+('fe78ed30-7df9-412b-8f1c-a21f3175334f', #Id
+NOW(), #CreatingTime
+'0001-01-01 00:00:00.0000000', #LastLogin
+'ТехАдмін', #Last name
+'ТехАдмін', #Middle name
+'ТехАдмін', #First name
+'techadmin', #Role
+'[email protected]', #UserName
+'[email protected]', #NormalizedUserName
+'[email protected]', #Email
+'[email protected]', #NormalizedEmail
+0, #EmailConfirmed
+'AQAAAAEAACcQAAAAEB+AG8yyfG66fAkFIJ1mMdDx5ChM/wxoUHIwBuJt4cuO+jDCrPMw7D9BLYRtkvbrpg==', #PasswordHash from password ->   Kf%ms3nAp7%aH
+'CALDXWOCPDFBODKYAKGNLA4LH36H7HAC', #SecurityStamp
+'9a8f388b-c168-4ea1-ad5a-ae3245d7bd4f', #ConcurrencyStamp
+'123456789', #PhoneNumber without +380
+0, #PhoneNumberConfirmed
+0, #TwoFactorEnabled
+NULL, #LockoutEnd
+1, #LockoutEnabled
+0, #AccessFailedCount
+1, #IsRegistered
+1) #MustChangePassword
+ON DUPLICATE KEY UPDATE # to reset sensitive data   
+Email='[email protected]', #Email
+PasswordHash = 'AQAAAAEAACcQAAAAEB+AG8yyfG66fAkFIJ1mMdDx5ChM/wxoUHIwBuJt4cuO+jDCrPMw7D9BLYRtkvbrpg==', #PasswordHash from password ->   Kf%ms3nAp7%aH
+SecurityStamp = 'G4GRJFN7ET7EVVDQ4NEQQOY6SETRULJB', #SecurityStamp
+ConcurrencyStamp = 'ed689760-8ab0-45fa-8b13-ec431c093627', #ConcurrencyStamp
+MustChangePassword = 1; #MustChangePassword
+
+INSERT INTO AspNetUserRoles
+(UserId, RoleId)
+VALUES
+((SELECT Id FROM AspNetUsers WHERE Role = 'techadmin' LIMIT 1) #UserId (tech admin)
+,(SELECT Id FROM AspNetRoles WHERE Name = 'techadmin' LIMIT 1)) #RoleId (tech admin)
+

OutOfSchool/OutOfSchool.Common/Constants.cs

@@ -29,4 +29,6 @@ public static class Constants
     public const string AddressSeparator = ", ";
 
     public const string EnumErrorMessage = "{0} should be in enum range";
+
+    public const string AdminKeyword = "Admin";
 }

OutOfSchool/OutOfSchool.Common/PermissionModule/PermissionManagement/PermissionsSeeder.cs

@@ -71,7 +71,7 @@ public static string SeedPermissions(string role)
     {
         switch (role.ToLower())
         {
-            case "admin":
+            case "techadmin":
                 return SeedAdminPermissions.PackPermissionsIntoString();
 
             case "provider":

OutOfSchool/OutOfSchool.DataAccess/Enums/Role.cs

@@ -4,6 +4,6 @@ public enum Role
 {
     Provider,
     Parent,
-    Admin,
+    TechAdmin,
     MinistryAdmin,
 }

OutOfSchool/OutOfSchool.DataAccess/Extensions/ModelBuilderExtension.cs

@@ -1,4 +1,5 @@
 using Microsoft.EntityFrameworkCore;
+using OutOfSchool.Common;
 using OutOfSchool.Common.PermissionsModule;
 using OutOfSchool.Services.Enums;
 using OutOfSchool.Services.Models;
@@ -67,9 +68,9 @@ public static void Seed(this ModelBuilder builder)
             new PermissionsForRole
             {
                 Id = 1,
-                RoleName = Role.Admin.ToString(),
-                PackedPermissions = PermissionsSeeder.SeedPermissions(Role.Admin.ToString()),
-                Description = "admin permissions",
+                RoleName = Role.TechAdmin.ToString(),
+                PackedPermissions = PermissionsSeeder.SeedPermissions(Role.TechAdmin.ToString()),
+                Description = "techadmin permissions",
             },
             new PermissionsForRole
             {
@@ -88,8 +89,8 @@ public static void Seed(this ModelBuilder builder)
             new PermissionsForRole
             {
                 Id = 4,
-                RoleName = nameof(Role.Provider) + nameof(Role.Admin),
-                PackedPermissions = PermissionsSeeder.SeedPermissions(nameof(Role.Provider) + nameof(Role.Admin)),
+                RoleName = nameof(Role.Provider) + Constants.AdminKeyword,
+                PackedPermissions = PermissionsSeeder.SeedPermissions(nameof(Role.Provider) + Constants.AdminKeyword),
                 Description = "provider admin permissions",
             },
             new PermissionsForRole

OutOfSchool/OutOfSchool.DataAccess/Models/User.cs

@@ -36,5 +36,8 @@ public class User : IdentityUser, IKeyedEntity<string>
     // for permissions managing at login and check if user is original provider or its admin
     public bool IsDerived { get; set; } = false;
 
+    // If it's true then user must change his password before the logging into the system
+    public bool MustChangePassword { get; set; }
+
     public Gender Gender { get; set; }
 }

OutOfSchool/OutOfSchool.IdentityServer.Tests/Controllers/AuthControllerTests.cs

@@ -24,13 +24,16 @@
 using Microsoft.Extensions.Localization;
 using Microsoft.Extensions.Options;
 using OutOfSchool.IdentityServer.Config;
+using OutOfSchool.IdentityServer.Services.Interfaces;
+using OutOfSchool.Tests.Common.TestDataGenerators;
 
 namespace OutOfSchool.IdentityServer.Tests.Controllers;
 
 [TestFixture]
 public class AuthControllerTests
 {
     private readonly Mock<FakeUserManager> fakeUserManager;
+    private readonly Mock<IUserManagerAdditionalService> fakeUserManagerAdditionalService;
     private readonly Mock<FakeSignInManager> fakeSignInManager;
     private readonly Mock<IIdentityServerInteractionService> fakeInteractionService;
     private readonly Mock<ILogger<AuthController>> fakeLogger;
@@ -42,6 +45,7 @@ public class AuthControllerTests
     public AuthControllerTests()
     {
         fakeUserManager = new Mock<FakeUserManager>();
+        fakeUserManagerAdditionalService = new Mock<IUserManagerAdditionalService>();
         fakeInteractionService = new Mock<IIdentityServerInteractionService>();
         fakeSignInManager = new Mock<FakeSignInManager>();
         fakeLogger = new Mock<ILogger<AuthController>>();
@@ -67,6 +71,7 @@ public void Setup()
             .Returns(new LocalizedString("mock", "error"));
         authController = new AuthController(
             fakeUserManager.Object,
+            fakeUserManagerAdditionalService.Object,
             fakeSignInManager.Object,
             fakeInteractionService.Object, 
             fakeLogger.Object,
@@ -168,6 +173,183 @@ public async Task Login_WithLoginVMWithoutModelError_ReturnsActionResult(
         Assert.IsInstanceOf(type, result);
     }
 
+    [Test]
+    public async Task Login_WhenUserMustChangePasswordAndEmailWithPasswordAreCorrect_ReturnsRedirectActionToChangePasswordLogin()
+    {
+        // Arrange
+        var user = UserGenerator.Generate();
+        var loginViewModel = CreateLoginViewModelFromData();
+        user.MustChangePassword = true;
+        SetupDefaultUserManagerFindByEmailAsync(user);
+        SetupDefaultSignInManagerCheckPasswordSignInAsync(SignInResult.Success);
+
+        // Act
+        var result = await authController.Login(loginViewModel);
+
+        // Assert
+        Assert.IsInstanceOf(typeof(RedirectToActionResult), result);
+        Assert.AreEqual(0, authController.ModelState.Count);
+        Assert.AreEqual(nameof(AuthController.ChangePasswordLogin), (result as RedirectToActionResult)?.ActionName);
+    }
+
+    [Test]
+    public async Task Login_WhenUserMustChangePasswordAndEmailWithPasswordAreNotCorrect_ReturnsViewWithError()
+    {
+        // Arrange
+        var user = UserGenerator.Generate();
+        var loginViewModel = CreateLoginViewModelFromData();
+        user.MustChangePassword = true;
+        SetupDefaultUserManagerFindByEmailAsync(user);
+        SetupDefaultSignInManagerCheckPasswordSignInAsync(SignInResult.Failed);
+
+        // Act
+        var result = await authController.Login(loginViewModel);
+
+        // Assert
+        Assert.IsInstanceOf(typeof(ViewResult), result);
+        Assert.AreEqual(1, authController.ModelState.Count);
+    }
+
+    [Test]
+    public async Task Login_WhenUserMustNotChangePasswordAndEmailWithPasswordAreCorrectAndReturnUrlIsNotEmpty_ReturnsRedirectToReturnUrl()
+    {
+        // Arrange
+        var user = UserGenerator.Generate();
+        var loginViewModel = CreateLoginViewModelFromData(user.UserName);
+        user.MustChangePassword = false;
+        SetupDefaultUserManagerFindByEmailAsync(user);
+        SetupDefaultUserManagerUpdateAsync(IdentityResult.Success);
+        SetupDefaultSignInManagerPasswordSignInAsync(SignInResult.Success);
+
+        // Act
+        var result = await authController.Login(loginViewModel);
+
+        // Assert
+        Assert.IsInstanceOf(typeof(RedirectResult), result);
+        Assert.AreEqual(0, authController.ModelState.Count);
+        Assert.AreEqual(loginViewModel.ReturnUrl, (result as RedirectResult)?.Url);
+    }
+
+    [Test]
+    public async Task Login_WhenUserMustNotChangePasswordAndEmailWithPasswordAreCorrectAndReturnUrlIsEmpty_ReturnsRedirectToLogin()
+    {
+        // Arrange
+        var user = UserGenerator.Generate();
+        var loginViewModel = CreateLoginViewModelFromData(user.UserName, returnUrl: string.Empty);
+        user.MustChangePassword = false;
+        SetupDefaultUserManagerFindByEmailAsync(user);
+        SetupDefaultUserManagerUpdateAsync(IdentityResult.Success);
+        SetupDefaultSignInManagerPasswordSignInAsync(SignInResult.Success);
+
+        // Act
+        var result = await authController.Login(loginViewModel);
+
+        // Assert
+        Assert.IsInstanceOf(typeof(RedirectResult), result);
+        Assert.AreEqual(0, authController.ModelState.Count);
+        Assert.AreEqual(nameof(AuthController.Login), (result as RedirectResult)?.Url);
+    }
+
+    [Test]
+    public async Task ChangePasswordLogin_WhenUserMustChangePasswordAndEmailWithPasswordsAreCorrectAndReturnUrlIsNotEmpty_ReturnsRedirectToReturnUrl()
+    {
+        // Arrange
+        var user = UserGenerator.Generate();
+        user.MustChangePassword = true;
+        var changePasswordLoginViewModel = CreateChangePasswordLoginViewModelFromData();
+        SetupDefaultUserManagerFindByEmailAsync(user);
+        fakeUserManagerAdditionalService.Setup(s =>
+            s.ChangePasswordWithRequiredMustChangePasswordAsync(user, It.IsAny<string>(), It.IsAny<string>()))
+            .ReturnsAsync(() => { user.MustChangePassword = false; return IdentityResult.Success;});
+        SetupDefaultSignInManagerCheckPasswordSignInAsync(SignInResult.Success);
+        fakeSignInManager.Setup(s => s.GetExternalAuthenticationSchemesAsync())
+            .ReturnsAsync(new List<AuthenticationScheme>());
+        SetupDefaultUserManagerUpdateAsync(IdentityResult.Success);
+        SetupDefaultSignInManagerPasswordSignInAsync(SignInResult.Success);
+
+        // Act
+        var result = await authController.ChangePasswordLogin(changePasswordLoginViewModel);
+
+        // Assert
+        Assert.IsInstanceOf(typeof(RedirectResult), result);
+        Assert.AreEqual(0, authController.ModelState.Count);
+        Assert.AreEqual(changePasswordLoginViewModel.ReturnUrl, (result as RedirectResult)?.Url);
+    }
+
+    [Test]
+    public async Task ChangePasswordLogin_WhenUserMustChangePasswordAndEmailWithPasswordsAreCorrectAndReturnUrlIsEmpty_ReturnsRedirectToLogin()
+    {
+        // Arrange
+        var user = UserGenerator.Generate();
+        user.MustChangePassword = true;
+        var changePasswordLoginViewModel = CreateChangePasswordLoginViewModelFromData(returnUrl: string.Empty);
+        SetupDefaultUserManagerFindByEmailAsync(user);
+        fakeUserManagerAdditionalService.Setup(s =>
+                s.ChangePasswordWithRequiredMustChangePasswordAsync(user, It.IsAny<string>(), It.IsAny<string>()))
+            .ReturnsAsync(() => { user.MustChangePassword = false; return IdentityResult.Success;});
+        SetupDefaultSignInManagerCheckPasswordSignInAsync(SignInResult.Success);
+        fakeSignInManager.Setup(s => s.GetExternalAuthenticationSchemesAsync())
+            .ReturnsAsync(new List<AuthenticationScheme>());
+        SetupDefaultUserManagerUpdateAsync(IdentityResult.Success);
+        SetupDefaultSignInManagerPasswordSignInAsync(SignInResult.Success);
+
+        // Act
+        var result = await authController.ChangePasswordLogin(changePasswordLoginViewModel);
+
+        // Assert
+        Assert.IsInstanceOf(typeof(RedirectResult), result);
+        Assert.AreEqual(0, authController.ModelState.Count);
+        Assert.AreEqual(nameof(AuthController.Login), (result as RedirectResult)?.Url);
+    }
+
+    [Test]
+    public async Task ChangePasswordLogin_WhenUserMustNotChangePassword_ReturnsViewWithModelError()
+    {
+        // Arrange
+        var user = UserGenerator.Generate();
+        user.MustChangePassword = false;
+        var changePasswordLoginViewModel = CreateChangePasswordLoginViewModelFromData(returnUrl: string.Empty);
+        SetupDefaultUserManagerFindByEmailAsync(user);
+
+        // Act
+        var result = await authController.ChangePasswordLogin(changePasswordLoginViewModel);
+
+        // Assert
+        Assert.IsInstanceOf(typeof(ViewResult), result);
+        Assert.AreEqual(1, authController.ModelState.Count);
+    }
+
+    [Test] public async Task ChangePasswordLogin_WhenUserMustChangePasswordAndEmailWithPasswordAreNotCorrect_ReturnsViewWithModelError()
+    {
+        // Arrange
+        var user = UserGenerator.Generate();
+        user.MustChangePassword = true;
+        var changePasswordLoginViewModel = CreateChangePasswordLoginViewModelFromData();
+        SetupDefaultUserManagerFindByEmailAsync(user);
+        SetupDefaultSignInManagerCheckPasswordSignInAsync(SignInResult.Failed);
+
+        // Act
+        var result = await authController.ChangePasswordLogin(changePasswordLoginViewModel);
+
+        // Assert
+        Assert.IsInstanceOf(typeof(ViewResult), result);
+        Assert.AreEqual(1, authController.ModelState.Count);
+    }
+
+    [Test] public async Task ChangePasswordLogin_WhenUserNotFound_ReturnsViewWithModelError()
+    {
+        // Arrange
+        var changePasswordLoginViewModel = CreateChangePasswordLoginViewModelFromData();
+        SetupDefaultUserManagerFindByEmailAsync(null);
+
+        // Act
+        var result = await authController.ChangePasswordLogin(changePasswordLoginViewModel);
+
+        // Assert
+        Assert.IsInstanceOf(typeof(ViewResult), result);
+        Assert.AreEqual(1, authController.ModelState.Count);
+    }
+    
     [Test]
     public void Register_WithoutReturnUrl_ReturnsViewResult()
     {
@@ -339,4 +521,51 @@ public static IEnumerable<AuthenticationScheme> EmptySchemes
     {
         get => new List<AuthenticationScheme>();
     }
+    
+    private void SetupDefaultUserManagerFindByEmailAsync(User user)
+        => fakeUserManager.Setup(s => s.FindByEmailAsync(It.IsAny<string>())).ReturnsAsync(user);
+
+    private void SetupDefaultSignInManagerCheckPasswordSignInAsync(SignInResult signInResult)
+        => fakeSignInManager.Setup(s => s
+                .CheckPasswordSignInAsync(It.IsAny<User>(), It.IsAny<string>(), false))
+                .ReturnsAsync(signInResult);
+
+    private void SetupDefaultUserManagerUpdateAsync(IdentityResult identityResult)
+        => fakeUserManager.Setup(s => s
+            .UpdateAsync(It.IsAny<User>())).ReturnsAsync(identityResult);
+
+    private void SetupDefaultSignInManagerPasswordSignInAsync(SignInResult signInResult)
+        => fakeSignInManager.Setup(s => s.PasswordSignInAsync(It.IsAny<string>(), It.IsAny<string>(), false, false))
+            .ReturnsAsync(signInResult);
+    private static LoginViewModel CreateLoginViewModelFromData(
+        string email = "[email protected]",
+        string password = "RandomPassword3%",
+        string returnUrl = "RandomReturnUrl",
+        IEnumerable<AuthenticationScheme> authenticationSchemes = default)
+    {
+        return new LoginViewModel
+        {
+            Username = email,
+            Password = password,
+            ReturnUrl = returnUrl,
+            ExternalProviders = authenticationSchemes
+        };
+    }
+
+    private static ChangePasswordLoginViewModel CreateChangePasswordLoginViewModelFromData(
+        string email = "[email protected]",
+        string password = "RandomPassword5%",
+        string newPassword = "RandomPassword3%",
+        string confirmNewPassword = "RandomPassword3%",
+        string returnUrl = "RandomReturnUrl")
+    {
+        return new ChangePasswordLoginViewModel
+        {
+            Email = email,
+            CurrentPassword = password,
+            NewPassword = newPassword,
+            ConfirmNewPassword = confirmNewPassword,
+            ReturnUrl = returnUrl
+        };
+    }
 }