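        public void GivenAnAccessListWhenRemovingUserFromACLThenUserHasNoAccessToThePermissionsInTheRole()
        {
            // Removing a subject from an access control must revoke the permissions that the
            // access control's role granted on the secured object (revocation takes effect).
            var permission = this.FindPermission(M.Organisation.Name, Operations.Read);
            var role       = new RoleBuilder(this.Session).WithName("Role").WithPermission(permission).Build();
            var person     = new PersonBuilder(this.Session).WithFirstName("John").WithLastName("Doe").Build();
            var person2    = new PersonBuilder(this.Session).WithFirstName("Jane").WithLastName("Doe").Build();

            new AccessControlBuilder(this.Session).WithSubject(person).WithRole(role).Build();

            this.Session.Derive();
            this.Session.Commit();

            var sessions = new ISession[] { this.Session };

            foreach (var session in sessions)
            {
                session.Commit();

                var organisation = new OrganisationBuilder(session).WithName("Organisation").Build();

                var token = new SecurityTokenBuilder(session).Build();
                organisation.AddSecurityToken(token);

                var accessControl = (AccessControl)session.Instantiate(role.AccessControlsWhereRole.First);
                token.AddAccessControl(accessControl);

                // Derive on the session under test, not on this.Session: they are the same
                // object today, but the loop is written to run once per session.
                session.Derive();

                // Establish that the role really grants read access before revoking it.
                // Without this positive check the final negative assertion would also pass
                // if access had never been granted at all, and a broken grant path would
                // go unnoticed.
                var acl = new AccessControlLists(person)[organisation];
                Assert.True(acl.CanRead(M.Organisation.Name));

                accessControl.RemoveSubject(person);
                accessControl.AddSubject(person2);

                session.Derive();

                acl = new AccessControlLists(person)[organisation];

                Assert.False(acl.CanRead(M.Organisation.Name));

                session.Rollback();
            }
        }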
        public void GivenNoAccessControlWhenCreatingAnAccessControlWithoutARoleThenAccessControlIsInvalid()
        {
            // An access control without a role must not derive cleanly: exactly one
            // "required" error pointing at AccessControl.Role is expected.
            var group = new UserGroupBuilder(this.Session).WithName("UserGroup").Build();
            var token = new SecurityTokenBuilder(this.Session).Build();

            var accessControl = new AccessControlBuilder(this.Session)
                .WithSubjectGroup(group)
                .Build();
            token.AddAccessControl(accessControl);

            // Derive without throwing so the validation result can be inspected.
            var result = this.Session.Derive(false);

            Assert.True(result.HasErrors);
            Assert.Equal(1, result.Errors.Length);

            var error = result.Errors[0];

            Assert.Equal(1, error.Relations.Length);
            Assert.Equal(typeof(DerivationErrorRequired), error.GetType());
            Assert.Equal(M.AccessControl.Role, error.Relations[0].RoleType);
        }
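        public void DeniedPermissions()
        {
            // A permission denied on the object itself must override the grant that the
            // role provides through the security token (deny wins over allow).
            var readOrganisationName = this.FindPermission(M.Organisation.Name, Operations.Read);
            var databaseRole         = new RoleBuilder(this.Session).WithName("Role").WithPermission(readOrganisationName).Build();
            var person = new PersonBuilder(this.Session).WithFirstName("John").WithLastName("Doe").Build();

            new AccessControlBuilder(this.Session).WithRole(databaseRole).WithSubject(person).Build();

            this.Session.Derive(true);
            this.Session.Commit();

            var sessions = new ISession[] { this.Session };

            foreach (var session in sessions)
            {
                session.Commit();

                var organisation = new OrganisationBuilder(session).WithName("Organisation").Build();

                var token = new SecurityTokenBuilder(session).Build();
                organisation.AddSecurityToken(token);

                // Look up and derive on the session under test. The loop previously mixed
                // `session` and `this.Session`, which only works while both are the same object.
                var role          = (Role)session.Instantiate(new Roles(session).FindBy(M.Role.Name, "Role"));
                var accessControl = (AccessControl)session.Instantiate(role.AccessControlsWhereRole.First);
                token.AddAccessControl(accessControl);

                Assert.IsFalse(session.Derive().HasErrors);

                // Baseline: the role grants read access before any denial is applied.
                var accessList = new AccessControlList(organisation, person);

                Assert.IsTrue(accessList.CanRead(M.Organisation.Name));

                organisation.AddDeniedPermission(readOrganisationName);

                // The list is rebuilt because it is a snapshot taken at construction time.
                accessList = new AccessControlList(organisation, person);

                Assert.IsFalse(accessList.CanRead(M.Organisation.Name));

                session.Rollback();
            }
        }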
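        public void GivenAnotherUserGroupAndAnAccessControlledObjectWhenGettingTheAccessListThenUserHasAccessToThePermissionsInTheRole()
        {
            // The person is a member of "Group", but the access control is bound to
            // "AnotherGroup". Membership in an unrelated group must not grant access.
            var readOrganisationName = this.FindPermission(M.Organisation.Name, Operations.Read);
            var databaseRole         = new RoleBuilder(this.Session).WithName("Role").WithPermission(readOrganisationName).Build();

            var person = new PersonBuilder(this.Session).WithFirstName("John").WithLastName("Doe").Build();

            new UserGroupBuilder(this.Session).WithName("Group").WithMember(person).Build();
            var anotherUserGroup = new UserGroupBuilder(this.Session).WithName("AnotherGroup").Build();

            this.Session.Derive(true);
            this.Session.Commit();

            new AccessControlBuilder(this.Session).WithSubjectGroup(anotherUserGroup).WithRole(databaseRole).Build();

            this.Session.Commit();

            var sessions = new ISession[] { this.Session };

            foreach (var session in sessions)
            {
                session.Commit();

                var organisation = new OrganisationBuilder(session).WithName("Organisation").Build();

                var token = new SecurityTokenBuilder(session).Build();
                organisation.AddSecurityToken(token);

                // Look up and derive on the session under test. The loop previously mixed
                // `session` and `this.Session`, which only works while both are the same object.
                var role          = (Role)session.Instantiate(new Roles(session).FindBy(M.Role.Name, "Role"));
                var accessControl = (AccessControl)session.Instantiate(role.AccessControlsWhereRole.First);
                token.AddAccessControl(accessControl);

                Assert.IsFalse(session.Derive().HasErrors);

                var accessList = new AccessControlList(organisation, person);

                // Negative case by design: the grant goes to a group the person is not in.
                Assert.IsFalse(accessList.CanRead(M.Organisation.Name));

                session.Rollback();
            }
        }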
        public void GivenNoAccessControlWhenCreatingAAccessControlWithoutAUserOrUserGroupThenAccessControlIsInvalid()
        {
            // An access control with a role but neither subjects nor subject groups must fail
            // derivation with a single "at least one" error that names both relations.
            var token = new SecurityTokenBuilder(this.Session).Build();
            var role  = new RoleBuilder(this.Session).WithName("Role").Build();

            var accessControl = new AccessControlBuilder(this.Session)
                .WithRole(role)
                .Build();
            token.AddAccessControl(accessControl);

            // Derive without throwing so the validation result can be inspected.
            var result = this.Session.Derive(false);

            Assert.True(result.HasErrors);
            Assert.Equal(1, result.Errors.Length);

            var error = result.Errors[0];

            Assert.Equal(2, error.Relations.Length);
            Assert.Equal(typeof(DerivationErrorAtLeastOne), error.GetType());

            // Both the Subjects and SubjectGroups relations must be reported by the error.
            var reportedRoleTypes = new ArrayList(error.RoleTypes);
            Assert.True(reportedRoleTypes.Contains((RoleType)M.AccessControl.Subjects));
            Assert.True(reportedRoleTypes.Contains((RoleType)M.AccessControl.SubjectGroups));
        }