public virtual void testHistoricTaskInstanceReportWithoutAuthorization()
{
// given
startProcessInstanceByKey(PROCESS_KEY);
string taskId = selectSingleTask().Id;
disableAuthorization();
taskService.complete(taskId);
enableAuthorization();
try
{
// when
historyService.createHistoricTaskInstanceReport().duration(PeriodUnit.MONTH);
fail("Exception expected: It should not be possible to create a historic task instance report");
}
catch (AuthorizationException e)
{
// then
IList <MissingAuthorization> missingAuthorizations = e.MissingAuthorizations;
assertEquals(1, missingAuthorizations.Count);
MissingAuthorization missingAuthorization = missingAuthorizations[0];
assertEquals(READ_HISTORY.ToString(), missingAuthorization.ViolatedPermissionName);
assertEquals(PROCESS_DEFINITION.resourceName(), missingAuthorization.ResourceType);
assertEquals(ANY, missingAuthorization.ResourceId);
}
}
// create historic process instance report
public virtual void testHistoricProcessInstanceReportWithoutAuthorization()
{
// given
StartProcessInstanceByKey(PROCESS_KEY);
string taskId = selectSingleTask().Id;
disableAuthorization();
taskService.Complete(taskId);
enableAuthorization();
try
{
// when
historyService.CreateHistoricProcessInstanceReport().Duration(PeriodUnit.Month);
Assert.Fail("Exception expected: It should not be possible to create a historic process instance report");
}
catch (AuthorizationException e)
{
// then
IList <MissingAuthorization> missingAuthorizations = e.MissingAuthorizations;
Assert.AreEqual(1, missingAuthorizations.Count);
MissingAuthorization missingAuthorization = missingAuthorizations[0];
Assert.AreEqual(Permissions.ReadHistory.ToString(), missingAuthorization.ViolatedPermissionName);
Assert.AreEqual(Resources.ProcessDefinition.ToString() /*.ResourceName()*/, missingAuthorization.ResourceType);
Assert.AreEqual(AuthorizationFields.Any, missingAuthorization.ResourceId);
}
}
public virtual void testDeleteAuthorization()
{
// create global auth
IAuthorization basePerms = authorizationService.CreateNewAuthorization(AuthorizationFields.AuthTypeGlobal);
basePerms.Resource = Resources.Authorization;
basePerms.ResourceId = AuthorizationFields.Any;
basePerms.AddPermission(Permissions.All);
basePerms.RemovePermission(Permissions.Delete); // revoke Delete
authorizationService.SaveAuthorization(basePerms);
// turn on authorization
processEngineConfiguration.SetAuthorizationEnabled(true);
identityService.AuthenticatedUserId = jonny2;
try
{
// try to Delete authorization
authorizationService.DeleteAuthorization(basePerms.Id);
Assert.Fail("exception expected");
}
catch (AuthorizationException e)
{
Assert.AreEqual(1, e.MissingAuthorizations.Count);
MissingAuthorization info = e.MissingAuthorizations[0];
Assert.AreEqual(jonny2, e.UserId);
AuthorizationTestUtil.AssertExceptionInfo(Permissions.Delete.ToString(), Resources.Authorization.ToString() /*.ResourceName()*/, basePerms.Id, info);
}
}
[Test] public virtual void testTenanGroupMembershipDeleteAuthorizations()
{
IGroup group1 = identityService.NewGroup("group1");
identityService.SaveGroup(group1);
ITenant tenant1 = identityService.NewTenant("tenant1");
identityService.SaveTenant(tenant1);
// add base permission which allows nobody to Delete memberships
IAuthorization basePerms = authorizationService.CreateNewAuthorization(AuthorizationFields.AuthTypeGlobal);
basePerms.Resource = Resources.TenantMembership;
basePerms.ResourceId = AuthorizationFields.Any;
basePerms.AddPermission(Permissions.All); // add all then remove 'Delete'
basePerms.RemovePermission(Permissions.Delete);
authorizationService.SaveAuthorization(basePerms);
processEngineConfiguration.SetAuthorizationEnabled(true);
identityService.AuthenticatedUserId = jonny2;
try
{
identityService.DeleteTenantGroupMembership("tenant1", "group1");
Assert.Fail("exception expected");
}
catch (AuthorizationException e)
{
Assert.AreEqual(1, e.MissingAuthorizations.Count);
MissingAuthorization info = e.MissingAuthorizations[0];
Assert.AreEqual(jonny2, e.UserId);
AuthorizationTestUtil.AssertExceptionInfo(Permissions.Delete.ToString(), Resources.TenantMembership.ToString() /*.ResourceName()*/, "tenant1", info);
}
}
public AuthorizationException(string userId, MissingAuthorization exceptionInfo) : base("The user with id '" + userId + "' does not have " + generateMissingAuthorizationMessage(exceptionInfo) + ".")
{
this.userId = userId;
missingAuthorizations = new List <MissingAuthorization>();
missingAuthorizations.Add(exceptionInfo);
this.resourceType = exceptionInfo.ResourceType;
this.permissionName = exceptionInfo.ViolatedPermissionName;
this.resourceId = exceptionInfo.ResourceId;
}
// transformer /////////////////////////////
public static MissingAuthorizationDto fromInfo(MissingAuthorization info)
{
MissingAuthorizationDto dto = new MissingAuthorizationDto();
dto.PermissionName = info.ViolatedPermissionName;
dto.ResourceId = info.ResourceId;
dto.ResourceName = info.ResourceType;
return(dto);
}
public virtual void testCreateAuthorization()
{
// add base permission which allows nobody to create authorizations
IAuthorization basePerms = authorizationService.CreateNewAuthorization(AuthorizationFields.AuthTypeGlobal);
basePerms.Resource = Resources.Authorization;
basePerms.ResourceId = AuthorizationFields.Any;
basePerms.AddPermission(Permissions.All); // add all then remove 'create'
basePerms.RemovePermission(Permissions.Create);
authorizationService.SaveAuthorization(basePerms);
// now enable authorizations:
processEngineConfiguration.SetAuthorizationEnabled(true);
identityService.AuthenticatedUserId = jonny2;
try
{
// we cannot create another authorization
authorizationService.CreateNewAuthorization(AuthorizationFields.AuthTypeGlobal);
Assert.Fail("exception expected");
}
catch (AuthorizationException e)
{
Assert.AreEqual(1, e.MissingAuthorizations.Count);
MissingAuthorization info = e.MissingAuthorizations[0];
Assert.AreEqual(jonny2, e.UserId);
AuthorizationTestUtil.AssertExceptionInfo(Permissions.Create.ToString(), Resources.Authorization.ToString() /*.ResourceName()*/, null, info);
}
// circumvent auth check to get new transient object
IAuthorization authorization = new AuthorizationEntity(AuthorizationFields.AuthTypeRevoke);
authorization.UserId = "someUserId";
authorization.Resource = Resources.Application;
try
{
authorizationService.SaveAuthorization(authorization);
Assert.Fail("exception expected");
}
catch (AuthorizationException e)
{
Assert.AreEqual(1, e.MissingAuthorizations.Count);
MissingAuthorization info = e.MissingAuthorizations[0];
Assert.AreEqual(jonny2, e.UserId);
AuthorizationTestUtil.AssertExceptionInfo(Permissions.Create.ToString(), Resources.Authorization.ToString() /*.ResourceName()*/, null, info);
}
}
/// <summary>
/// Generated exception message for the missing authorization.
/// </summary>
/// <param name="exceptionInfo"> to use </param>
private static string generateMissingAuthorizationMessage(MissingAuthorization exceptionInfo)
{
StringBuilder builder = new StringBuilder();
string permissionName = exceptionInfo.ViolatedPermissionName;
string resourceType = exceptionInfo.ResourceType;
string resourceId = exceptionInfo.ResourceId;
builder.Append("'");
builder.Append(permissionName);
builder.Append("' permission on resource '");
builder.Append((!string.ReferenceEquals(resourceId, null) ? (resourceId + "' of type '") : ""));
builder.Append(resourceType);
builder.Append("'");
return(builder.ToString());
}
[Test] public virtual void testTenantCreateAuthorizations()
{
// add base permission which allows nobody to create tenants:
IAuthorization basePerms = authorizationService.CreateNewAuthorization(AuthorizationFields.AuthTypeGlobal);
basePerms.Resource = Resources.Tenant;
basePerms.ResourceId = AuthorizationFields.Any;
basePerms.AddPermission(Permissions.All); // add all then remove 'create'
basePerms.RemovePermission(Permissions.Create);
authorizationService.SaveAuthorization(basePerms);
processEngineConfiguration.SetAuthorizationEnabled(true);
identityService.AuthenticatedUserId = jonny2;
try
{
identityService.NewTenant("tenant");
Assert.Fail("exception expected");
}
catch (AuthorizationException e)
{
Assert.AreEqual(1, e.MissingAuthorizations.Count);
MissingAuthorization info = e.MissingAuthorizations[0];
Assert.AreEqual(jonny2, e.UserId);
AuthorizationTestUtil.AssertExceptionInfo(Permissions.Create.ToString(), Resources.Tenant.ToString() /*.ResourceName()*/, null, info);
}
// circumvent auth check to get new transient userobject
ITenant tenant = new TenantEntity("tenant");
try
{
identityService.SaveTenant(tenant);
Assert.Fail("exception expected");
}
catch (AuthorizationException e)
{
Assert.AreEqual(1, e.MissingAuthorizations.Count);
MissingAuthorization info = e.MissingAuthorizations[0];
Assert.AreEqual(jonny2, e.UserId);
AuthorizationTestUtil.AssertExceptionInfo(Permissions.Create.ToString(), Resources.Tenant.ToString() /*.ResourceName()*/, null, info);
}
}
[Test] public virtual void testTenantUpdateAuthorizations()
{
// create tenant
ITenant tenant = new TenantEntity("tenant");
identityService.SaveTenant(tenant);
// create global auth
IAuthorization basePerms = authorizationService.CreateNewAuthorization(AuthorizationFields.AuthTypeGlobal);
basePerms.Resource = Resources.Tenant;
basePerms.ResourceId = AuthorizationFields.Any;
basePerms.AddPermission(Permissions.All);
basePerms.RemovePermission(Permissions.Update); // revoke update
authorizationService.SaveAuthorization(basePerms);
// turn on authorization
processEngineConfiguration.SetAuthorizationEnabled(true);
identityService.AuthenticatedUserId = jonny2;
// fetch user:
tenant = identityService.CreateTenantQuery().First();
tenant.Name = "newName";
try
{
identityService.SaveTenant(tenant);
Assert.Fail("exception expected");
}
catch (AuthorizationException e)
{
Assert.AreEqual(1, e.MissingAuthorizations.Count);
MissingAuthorization info = e.MissingAuthorizations[0];
Assert.AreEqual(jonny2, e.UserId);
AuthorizationTestUtil.AssertExceptionInfo(Permissions.Update.ToString(), Resources.Tenant.ToString() /*.ResourceName()*/, "tenant", info);
}
// but I can create a new tenant:
ITenant newTenant = identityService.NewTenant("newTenant");
identityService.SaveTenant(newTenant);
}
public virtual void testUserUpdateAuthorizations()
{
// create global auth
IAuthorization basePerms = authorizationService.CreateNewAuthorization(AuthorizationFields.AuthTypeGlobal);
basePerms.Resource = Resources.Authorization;
basePerms.ResourceId = AuthorizationFields.Any;
basePerms.AddPermission(Permissions.All);
basePerms.RemovePermission(Permissions.Update); // revoke update
authorizationService.SaveAuthorization(basePerms);
// turn on authorization
processEngineConfiguration.SetAuthorizationEnabled(true);
identityService.AuthenticatedUserId = jonny2;
// fetch authhorization
basePerms = authorizationService.CreateAuthorizationQuery().First();
// make some change to the perms
basePerms.AddPermission(Permissions.All);
try
{
authorizationService.SaveAuthorization(basePerms);
Assert.Fail("exception expected");
}
catch (AuthorizationException e)
{
Assert.AreEqual(1, e.MissingAuthorizations.Count);
MissingAuthorization info = e.MissingAuthorizations[0];
Assert.AreEqual(jonny2, e.UserId);
AuthorizationTestUtil.AssertExceptionInfo(Permissions.Update.ToString(), Resources.Authorization.ToString() /*.ResourceName()*/, basePerms.Id, info);
}
// but we can create a new auth
IAuthorization newAuth = authorizationService.CreateNewAuthorization(AuthorizationFields.AuthTypeGrant);
newAuth.UserId = "jonny2";
newAuth.Resource = Resources.Authorization;
newAuth.ResourceId = AuthorizationFields.Any;
newAuth.AddPermission(Permissions.All);
authorizationService.SaveAuthorization(newAuth);
}
[Test] public virtual void testGroupUpdateAuthorizations()
{
// crate group while still in god-mode:
IGroup group1 = identityService.NewGroup("group1");
identityService.SaveGroup(group1);
// create global auth
IAuthorization basePerms = authorizationService.CreateNewAuthorization(AuthorizationFields.AuthTypeGlobal);
basePerms.Resource = Resources.Group;
basePerms.ResourceId = AuthorizationFields.Any;
basePerms.AddPermission(Permissions.All);
basePerms.RemovePermission(Permissions.Update); // revoke update
authorizationService.SaveAuthorization(basePerms);
// turn on authorization
processEngineConfiguration.SetAuthorizationEnabled(true);
identityService.AuthenticatedUserId = jonny2;
// fetch user:
group1 = identityService.CreateGroupQuery().First();
//group1.ToString() = "IGroup 1";
try
{
identityService.SaveGroup(group1);
Assert.Fail("exception expected");
}
catch (AuthorizationException e)
{
Assert.AreEqual(1, e.MissingAuthorizations.Count);
MissingAuthorization info = e.MissingAuthorizations[0];
Assert.AreEqual(jonny2, e.UserId);
AuthorizationTestUtil.AssertExceptionInfo(Permissions.Update.ToString(), Resources.Group.ToString() /*.ResourceName()*/, "group1", info);
}
// but I can create a new group:
IGroup group2 = identityService.NewGroup("group2");
identityService.SaveGroup(group2);
}
[Test] public virtual void testUserUpdateAuthorizations()
{
// crate user while still in god-mode:
IUser jonny1 = identityService.NewUser("jonny1");
identityService.SaveUser(jonny1);
// create global auth
IAuthorization basePerms = authorizationService.CreateNewAuthorization(AuthorizationFields.AuthTypeGlobal);
basePerms.Resource = Resources.User;
basePerms.ResourceId = AuthorizationFields.Any;
basePerms.AddPermission(Permissions.All);
basePerms.RemovePermission(Permissions.Update); // revoke update
authorizationService.SaveAuthorization(basePerms);
// turn on authorization
processEngineConfiguration.SetAuthorizationEnabled(true);
identityService.AuthenticatedUserId = jonny2;
// fetch user:
jonny1 = identityService.CreateUserQuery().First();
jonny1.FirstName = "Jonny";
try
{
identityService.SaveUser(jonny1);
Assert.Fail("exception expected");
}
catch (AuthorizationException e)
{
Assert.AreEqual(1, e.MissingAuthorizations.Count);
MissingAuthorization info = e.MissingAuthorizations[0];
Assert.AreEqual(jonny2, e.UserId);
AuthorizationTestUtil.AssertExceptionInfo(Permissions.Update.ToString(), Resources.User.ToString() /*.ResourceName()*/, "jonny1", info);
}
// but I can create a new user:
IUser jonny3 = identityService.NewUser("jonny3");
identityService.SaveUser(jonny3);
}
/// <summary>
/// Checks if the info has the expected parameters.
/// </summary>
/// <param name="expectedPermissionName"> to use </param>
/// <param name="expectedResourceName"> to use </param>
/// <param name="expectedResourceId"> to use </param>
/// <param name="info"> to check </param>
public static void assertExceptionInfo(string expectedPermissionName, string expectedResourceName, string expectedResourceId, MissingAuthorization info)
{
assertEquals(expectedPermissionName, info.ViolatedPermissionName);
assertEquals(expectedResourceName, info.ResourceType);
assertEquals(expectedResourceId, info.ResourceId);
}
