First Checkin related to Roles

src/Microsoft.Health.ControlPlane.Core/Features/Exceptions/RoleNotFoundException.cs

@@ -0,0 +1,18 @@
+// -------------------------------------------------------------------------------------------------
+// Copyright (c) Microsoft Corporation. All rights reserved.
+// Licensed under the MIT License (MIT). See LICENSE in the repo root for license information.
+// -------------------------------------------------------------------------------------------------
+
+using System.Diagnostics;
+
+namespace Microsoft.Health.ControlPlane.Core.Features.Exceptions
+{
+    public class RoleNotFoundException : ControlPlaneException
+    {
+        public RoleNotFoundException(string name)
+           : base(string.Format(Resources.RoleNotFound, name))
+        {
+            Debug.Assert(!string.IsNullOrEmpty(name), "Role identifier should not be empty");
+        }
+    }
+}

src/Microsoft.Health.ControlPlane.Core/Features/Persistence/IControlPlaneDataStore.cs

@@ -6,6 +6,7 @@
 using System.Threading;
 using System.Threading.Tasks;
 using Microsoft.Health.ControlPlane.Core.Features.Rbac;
+using Microsoft.Health.ControlPlane.Core.Features.Rbac.Roles;
 
 namespace Microsoft.Health.ControlPlane.Core.Features.Persistence
 {
@@ -14,5 +15,9 @@ public interface IControlPlaneDataStore
         Task<IdentityProvider> GetIdentityProviderAsync(string name, CancellationToken cancellationToken);
 
         Task<IdentityProvider> UpsertIdentityProviderAsync(IdentityProvider identityProvider, CancellationToken cancellationToken);
+
+        Task<Role> GetRoleAsync(string name, CancellationToken cancellationToken);
+
+        Task<Role> UpsertRoleAsync(Role role, CancellationToken cancellationToken);
     }
 }

src/Microsoft.Health.ControlPlane.Core/Features/Rbac/IRbacService.cs

@@ -5,6 +5,7 @@
 
 using System.Threading;
 using System.Threading.Tasks;
+using Microsoft.Health.ControlPlane.Core.Features.Rbac.Roles;
 
 namespace Microsoft.Health.ControlPlane.Core.Features.Rbac
 {
@@ -13,5 +14,9 @@ public interface IRbacService
         Task<IdentityProvider> GetIdentityProviderAsync(string name, CancellationToken cancellationToken);
 
         Task<IdentityProvider> UpsertIdentityProviderAsync(IdentityProvider identityProvider, CancellationToken cancellationToken);
+
+        Task<Role> GetRoleAsync(string name, CancellationToken cancellationToken);
+
+        Task<Role> UpsertRoleAsync(Role role, CancellationToken cancellationToken);
     }
 }

src/Microsoft.Health.ControlPlane.Core/Features/Rbac/RbacService.cs

@@ -7,6 +7,7 @@
 using System.Threading.Tasks;
 using EnsureThat;
 using Microsoft.Health.ControlPlane.Core.Features.Persistence;
+using Microsoft.Health.ControlPlane.Core.Features.Rbac.Roles;
 
 namespace Microsoft.Health.ControlPlane.Core.Features.Rbac
 {
@@ -30,5 +31,15 @@ public async Task<IdentityProvider> UpsertIdentityProviderAsync(IdentityProvider
         {
             return await _controlPlaneDataStore.UpsertIdentityProviderAsync(identityProvider, cancellationToken);
         }
+
+        public async Task<Role> GetRoleAsync(string name, CancellationToken cancellationToken)
+        {
+            return await _controlPlaneDataStore.GetRoleAsync(name, cancellationToken);
+        }
+
+        public async Task<Role> UpsertRoleAsync(Role role, CancellationToken cancellationToken)
+        {
+            return await _controlPlaneDataStore.UpsertRoleAsync(role, cancellationToken);
+        }
     }
 }

src/Microsoft.Health.ControlPlane.Core/Features/Rbac/Roles/ResourceAction.cs

@@ -0,0 +1,33 @@
+// -------------------------------------------------------------------------------------------------
+// Copyright (c) Microsoft Corporation. All rights reserved.
+// Licensed under the MIT License (MIT). See LICENSE in the repo root for license information.
+// -------------------------------------------------------------------------------------------------
+
+using System.Runtime.Serialization;
+using Newtonsoft.Json;
+using Newtonsoft.Json.Converters;
+
+namespace Microsoft.Health.ControlPlane.Core.Features.Rbac.Roles
+{
+    [JsonConverter(typeof(StringEnumConverter))]
+    public enum ResourceAction
+    {
+        /// <summary>
+        /// Read
+        /// </summary>
+        [EnumMember(Value = "read")]
+        Read,
+
+        /// <summary>
+        /// Write
+        /// </summary>
+        [EnumMember(Value = "write")]
+        Write,
+
+        /// <summary>
+        /// HardDelete
+        /// </summary>
+        [EnumMember(Value = "hardDelete")]
+        HardDelete,
+    }
+}

src/Microsoft.Health.ControlPlane.Core/Features/Rbac/Roles/ResourcePermission.cs

@@ -0,0 +1,24 @@
+// -------------------------------------------------------------------------------------------------
+// Copyright (c) Microsoft Corporation. All rights reserved.
+// Licensed under the MIT License (MIT). See LICENSE in the repo root for license information.
+// -------------------------------------------------------------------------------------------------
+
+using System.Collections.Generic;
+
+namespace Microsoft.Health.ControlPlane.Core.Features.Rbac.Roles
+{
+    public class ResourcePermission
+    {
+        public ResourcePermission()
+        {
+            Actions = new List<ResourceAction>();
+        }
+
+        public ResourcePermission(IList<ResourceAction> resourceActions)
+        {
+            Actions = resourceActions;
+        }
+
+        public IList<ResourceAction> Actions { get; }
+    }
+}

src/Microsoft.Health.ControlPlane.Core/Features/Rbac/Roles/Role.cs

@@ -0,0 +1,31 @@
+// -------------------------------------------------------------------------------------------------
+// Copyright (c) Microsoft Corporation. All rights reserved.
+// Licensed under the MIT License (MIT). See LICENSE in the repo root for license information.
+// -------------------------------------------------------------------------------------------------
+
+using System.Collections.Generic;
+using Newtonsoft.Json;
+
+namespace Microsoft.Health.ControlPlane.Core.Features.Rbac.Roles
+{
+    public class Role
+    {
+        [JsonConstructor]
+        protected Role()
+        {
+        }
+
+        public Role(string name, IList<ResourcePermission> resourcePermissions,  string version)
+        {
+            Name = name;
+            ResourcePermissions = resourcePermissions;
+            Version = version;
+        }
+
+        public string Name { get; set; }
+
+        public virtual string Version { get; set; }
+
+        public IList<ResourcePermission> ResourcePermissions { get; internal set; } = new List<ResourcePermission>();
+    }
+}

src/Microsoft.Health.ControlPlane.CosmosDb/Features/Storage/ControlPlaneDataStore.cs

@@ -15,6 +15,7 @@
 using Microsoft.Health.ControlPlane.Core.Features.Exceptions;
 using Microsoft.Health.ControlPlane.Core.Features.Persistence;
 using Microsoft.Health.ControlPlane.Core.Features.Rbac;
+using Microsoft.Health.ControlPlane.Core.Features.Rbac.Roles;
 using Microsoft.Health.ControlPlane.CosmosDb.Features.Storage.Rbac;
 using Microsoft.Health.CosmosDb.Configs;
 using Microsoft.Health.CosmosDb.Features.Storage;
@@ -59,6 +60,28 @@ public async Task<IdentityProvider> GetIdentityProviderAsync(string name, Cancel
             return identityProvider.ToIdentityProvider();
         }
 
+        public async Task<Role> GetRoleAsync(string name, CancellationToken cancellationToken)
+        {
+            EnsureArg.IsNotNull(name, nameof(name));
+
+            var role = await GetSystemDocumentByIdAsync<CosmosRole>(name, CosmosRole.RolePartition, cancellationToken);
+            if (role == null)
+            {
+                throw new RoleNotFoundException(name);
+            }
+
+            return role.ToRole();
+        }
+
+        public async Task<Role> UpsertRoleAsync(Role role, CancellationToken cancellationToken)
+        {
+            EnsureArg.IsNotNull(role, nameof(role));
+
+            var cosmosRole = new CosmosRole(role);
+            var resultRole = await UpsertSystemObjectAsync(cosmosRole, CosmosRole.RolePartition, cancellationToken);
+            return resultRole.ToRole();
+        }
+
         public async Task<IdentityProvider> UpsertIdentityProviderAsync(IdentityProvider identityProvider, CancellationToken cancellationToken)
         {
             EnsureArg.IsNotNull(identityProvider, nameof(identityProvider));

src/Microsoft.Health.ControlPlane.CosmosDb/Features/Storage/Rbac/CosmosRole.cs

@@ -0,0 +1,41 @@
+// -------------------------------------------------------------------------------------------------
+// Copyright (c) Microsoft Corporation. All rights reserved.
+// Licensed under the MIT License (MIT). See LICENSE in the repo root for license information.
+// -------------------------------------------------------------------------------------------------
+
+using Microsoft.Health.ControlPlane.Core.Features.Rbac.Roles;
+using Microsoft.Health.CosmosDb.Features.Storage;
+using Newtonsoft.Json;
+
+namespace Microsoft.Health.ControlPlane.CosmosDb.Features.Storage.Rbac
+{
+    public class CosmosRole : Role
+    {
+        internal const string RolePartition = "Role_";
+
+        public CosmosRole(Role role)
+              : base(role.Name, role.ResourcePermissions,  role.Version)
+        {
+            ETag = $"\"{role.Version}\"";
+        }
+
+        [JsonConstructor]
+        protected CosmosRole()
+        {
+        }
+
+        [JsonProperty("id")]
+        public string Id => Name;
+
+        [JsonProperty("partitionKey")]
+        public string PartitionKey { get; } = RolePartition;
+
+        [JsonProperty("_etag")]
+        public string ETag { get; protected set; }
+
+        [JsonProperty(KnownDocumentProperties.IsSystem)]
+        public bool IsSystem { get; } = true;
+
+        public override string Version => ETag;
+    }
+}

src/Microsoft.Health.ControlPlane.CosmosDb/Features/Storage/Rbac/CosmosRoleExtensions.cs

@@ -0,0 +1,20 @@
+// -------------------------------------------------------------------------------------------------
+// Copyright (c) Microsoft Corporation. All rights reserved.
+// Licensed under the MIT License (MIT). See LICENSE in the repo root for license information.
+// -------------------------------------------------------------------------------------------------
+
+using Microsoft.Health.ControlPlane.Core.Features.Rbac.Roles;
+
+namespace Microsoft.Health.ControlPlane.CosmosDb.Features.Storage.Rbac
+{
+    public static class CosmosRoleExtensions
+    {
+        public static Role ToRole(this CosmosRole cosmosRole)
+        {
+            return new Role(
+                cosmosRole.Name,
+                cosmosRole.ResourcePermissions,
+                cosmosRole.ETag.Trim('"'));
+        }
+    }
+}

src/Microsoft.Health.Fhir.Api/Controllers/ControlPlaneController.cs

@@ -9,11 +9,10 @@
 using Microsoft.AspNetCore.Authorization;
 using Microsoft.AspNetCore.Mvc;
 using Microsoft.Health.ControlPlane.Core.Features.Rbac;
+using Microsoft.Health.ControlPlane.Core.Features.Rbac.Roles;
 
 namespace Microsoft.Health.Fhir.Api.Controllers
 {
-    // TODO: Remove before PR
-    [Route("Admin/IdentityProvider/")]
     public class ControlPlaneController : Controller
     {
         private readonly IRbacService _rbacService;
@@ -26,12 +25,40 @@ public ControlPlaneController(IRbacService rbacService)
         }
 
         [HttpGet]
-        [Route("{IdentityProviderName}")]
+        [Route("Admin/IdentityProvider/{IdentityProviderName}")]
         [AllowAnonymous]
         public async Task<IActionResult> Index(string identityProviderName, CancellationToken cancellationToken)
         {
             var response = await _rbacService.GetIdentityProviderAsync(identityProviderName, cancellationToken);
             return Ok(response);
         }
+
+        [HttpGet]
+        [Route("Admin/Roles/{RoleName}")]
+        [AllowAnonymous]
+        public async Task<IActionResult> GetRole(string roleName, CancellationToken cancellationToken)
+        {
+            var response = await _rbacService.GetRoleAsync(roleName, cancellationToken);
+            return Ok(response);
+        }
+
+        [HttpPut]
+        [Route("Admin/Roles")]
+        [AllowAnonymous]
+        public async Task<IActionResult> UpdateRole([FromBody] Role role, CancellationToken cancellationToken)
+        {
+            var response = await _rbacService.UpsertRoleAsync(role, cancellationToken);
+            return Ok(response);
+        }
+
+
+        [HttpPost]
+        [Route("Admin/Roles")]
+        [AllowAnonymous]
+        public async Task<IActionResult> CreateRole([FromBody] Role role, CancellationToken cancellationToken)
+        {
+            var response = await _rbacService.UpsertRoleAsync(role, cancellationToken);
+            return Ok(response);
+        }
     }
 }

src/Microsoft.Health.Fhir.CosmosDb/Microsoft.Health.Fhir.CosmosDb.csproj

@@ -4,6 +4,7 @@
     <TargetFramework>netcoreapp2.1</TargetFramework>
     <CodeAnalysisRuleSet>..\..\CustomAnalysisRules.ruleset</CodeAnalysisRuleSet>
     <GeneratorProjectPath>..\..\tools\Microsoft.Health.Extensions.BuildTimeCodeGenerator\Microsoft.Health.Extensions.BuildTimeCodeGenerator.csproj</GeneratorProjectPath>
+    <LangVersion>7.3</LangVersion>
   </PropertyGroup>
 
   <ItemGroup>

src/Microsoft.Health.Fhir.Web/appsettings.json

@@ -4,7 +4,7 @@
             "UseStrictConformance": true
         },
         "Security": {
-            "Enabled": true,
+            "Enabled": false,
             "Authentication": {
                 "Audience": null,
                 "Authority": "https://localhost:44348"