[Test] public virtual void testGroupOverrideGlobalGrantAuthorizationCheck()
{
TestResource resource1 = new TestResource("resource1", 100);
// create global authorization which grants all permissions to all users (on resource1):
IAuthorization globalGrant = authorizationService.CreateNewAuthorization(AuthorizationFields.AuthTypeGlobal);
globalGrant.Resource = (Resources)resource1.resourceType();
globalGrant.ResourceId = AuthorizationFields.Any;
globalGrant.AddPermission(Permissions.All);
authorizationService.SaveAuthorization(globalGrant);
// revoke Permissions.Read for group "sales"
IAuthorization groupRevoke = authorizationService.CreateNewAuthorization(AuthorizationFields.AuthTypeRevoke);
groupRevoke.GroupId = "sales";
groupRevoke.Resource = (Resources)resource1.resourceType();
groupRevoke.ResourceId = AuthorizationFields.Any;
groupRevoke.RemovePermission(Permissions.Read);
authorizationService.SaveAuthorization(groupRevoke);
IList <string> jonnysGroups = new List <string>()
{
"sales", "marketing"
};
IList <string> someOneElsesGroups = new List <string>()
{
"marketing"
};
// jonny does not have Permissions.All permissions if queried with groups
Assert.IsFalse(authorizationService.IsUserAuthorized("jonny", jonnysGroups, Permissions.All, (Resources)resource1.resourceType()));
// if queried without groups he has
Assert.True(authorizationService.IsUserAuthorized("jonny", null, Permissions.All, (Resources)resource1.resourceType()));
// jonny can't read if queried with groups
Assert.IsFalse(authorizationService.IsUserAuthorized("jonny", jonnysGroups, Permissions.Read, (Resources)resource1.resourceType()));
// if queried without groups he has
Assert.True(authorizationService.IsUserAuthorized("jonny", null, Permissions.Read, (Resources)resource1.resourceType()));
// someone else who is in group "marketing" but but not "sales" can
Assert.True(authorizationService.IsUserAuthorized("someone else", someOneElsesGroups, Permissions.All, (Resources)resource1.resourceType()));
Assert.True(authorizationService.IsUserAuthorized("someone else", someOneElsesGroups, Permissions.Read, (Resources)resource1.resourceType()));
Assert.True(authorizationService.IsUserAuthorized("someone else", null, Permissions.All, (Resources)resource1.resourceType()));
Assert.True(authorizationService.IsUserAuthorized("someone else", null, Permissions.Read, (Resources)resource1.resourceType()));
// he could'nt if he were in jonny's groups
Assert.IsFalse(authorizationService.IsUserAuthorized("someone else", jonnysGroups, Permissions.All, (Resources)resource1.resourceType()));
Assert.IsFalse(authorizationService.IsUserAuthorized("someone else", jonnysGroups, Permissions.Read, (Resources)resource1.resourceType()));
// jonny can still Delete
Assert.True(authorizationService.IsUserAuthorized("jonny", jonnysGroups, Permissions.Delete, (Resources)resource1.resourceType()));
Assert.True(authorizationService.IsUserAuthorized("jonny", null, Permissions.Delete, (Resources)resource1.resourceType()));
}
[Test] public virtual void testUserOverrideGroupOverrideGlobalAuthorizationCheck()
{
TestResource resource1 = new TestResource("resource1", 100);
// create global authorization which grants all permissions to all users (on resource1):
IAuthorization globalGrant = authorizationService.CreateNewAuthorization(AuthorizationFields.AuthTypeGlobal);
globalGrant.Resource = (Resources)resource1.resourceType();
globalGrant.ResourceId = AuthorizationFields.Any;
globalGrant.AddPermission(Permissions.All);
authorizationService.SaveAuthorization(globalGrant);
// revoke Permissions.Read for group "sales"
IAuthorization groupRevoke = authorizationService.CreateNewAuthorization(AuthorizationFields.AuthTypeRevoke);
groupRevoke.GroupId = "sales";
groupRevoke.Resource = (Resources)resource1.resourceType();
groupRevoke.ResourceId = AuthorizationFields.Any;
groupRevoke.RemovePermission(Permissions.Read);
authorizationService.SaveAuthorization(groupRevoke);
// add Permissions.Read for jonny
IAuthorization userGrant = authorizationService.CreateNewAuthorization(AuthorizationFields.AuthTypeGrant);
userGrant.UserId = "jonny";
userGrant.Resource = (Resources)resource1.resourceType();
userGrant.ResourceId = AuthorizationFields.Any;
userGrant.AddPermission(Permissions.Read);
authorizationService.SaveAuthorization(userGrant);
IList <string> jonnysGroups = new List <string>()
{
"sales", "marketing"
};
IList <string> someOneElsesGroups = new List <string>()
{
"marketing"
};
// jonny can read
Assert.True(authorizationService.IsUserAuthorized("jonny", jonnysGroups, Permissions.Read, (Resources)resource1.resourceType()));
Assert.True(authorizationService.IsUserAuthorized("jonny", null, Permissions.Read, (Resources)resource1.resourceType()));
// someone else in the same groups cannot
Assert.IsFalse(authorizationService.IsUserAuthorized("someone else", jonnysGroups, Permissions.Read, (Resources)resource1.resourceType()));
// someone else in different groups can
Assert.True(authorizationService.IsUserAuthorized("someone else", someOneElsesGroups, Permissions.Read, (Resources)resource1.resourceType()));
}
[Test] public virtual void testUserOverrideGlobalGrantAuthorizationCheck()
{
TestResource resource1 = new TestResource("resource1", 100);
// create global authorization which grants all permissions to all users (on resource1):
IAuthorization globalGrant = authorizationService.CreateNewAuthorization(AuthorizationFields.AuthTypeGlobal);
globalGrant.Resource = (Resources)resource1.resourceType();
globalGrant.ResourceId = AuthorizationFields.Any;
globalGrant.AddPermission(Permissions.All);
authorizationService.SaveAuthorization(globalGrant);
// revoke Permissions.Read for jonny
IAuthorization localRevoke = authorizationService.CreateNewAuthorization(AuthorizationFields.AuthTypeRevoke);
localRevoke.UserId = "jonny";
localRevoke.Resource = (Resources)resource1.resourceType();
localRevoke.ResourceId = AuthorizationFields.Any;
localRevoke.RemovePermission(Permissions.Read);
authorizationService.SaveAuthorization(localRevoke);
IList <string> jonnysGroups = new List <string>()
{
"sales", "marketing"
};
IList <string> someOneElsesGroups = new List <string>()
{
"marketing"
};
// jonny does not have Permissions.All permissions
Assert.IsFalse(authorizationService.IsUserAuthorized("jonny", null, Permissions.All, (Resources)resource1.resourceType()));
Assert.IsFalse(authorizationService.IsUserAuthorized("jonny", jonnysGroups, Permissions.All, (Resources)resource1.resourceType()));
// jonny can't read
Assert.IsFalse(authorizationService.IsUserAuthorized("jonny", null, Permissions.Read, (Resources)resource1.resourceType()));
Assert.IsFalse(authorizationService.IsUserAuthorized("jonny", jonnysGroups, Permissions.Read, (Resources)resource1.resourceType()));
// someone else can
Assert.True(authorizationService.IsUserAuthorized("someone else", null, Permissions.All, (Resources)resource1.resourceType()));
Assert.True(authorizationService.IsUserAuthorized("someone else", someOneElsesGroups, Permissions.Read, (Resources)resource1.resourceType()));
Assert.True(authorizationService.IsUserAuthorized("someone else", null, Permissions.All, (Resources)resource1.resourceType()));
Assert.True(authorizationService.IsUserAuthorized("someone else", someOneElsesGroups, Permissions.Read, (Resources)resource1.resourceType()));
// jonny can still Delete
Assert.True(authorizationService.IsUserAuthorized("jonny", null, Permissions.Delete, (Resources)resource1.resourceType()));
Assert.True(authorizationService.IsUserAuthorized("jonny", jonnysGroups, Permissions.Delete, (Resources)resource1.resourceType()));
}
public virtual void testCreateAuthorizationWithGroupId()
{
TestResource resource1 = new TestResource("resource1", 100);
// initially, no authorization exists:
Assert.AreEqual(0, authorizationService.CreateAuthorizationQuery());
// simple create / Delete with userId
IAuthorization authorization = authorizationService.CreateNewAuthorization(AuthorizationFields.AuthTypeGrant);
authorization.GroupId = "aGroupId";
////authorization.Resource = resource1;
// save the authorization
authorizationService.SaveAuthorization(authorization);
// authorization exists
Assert.AreEqual(1, authorizationService.CreateAuthorizationQuery() /*.Count()*/);
// Delete the authorization
authorizationService.DeleteAuthorization(authorization.Id);
// it's gone
Assert.AreEqual(0, authorizationService.CreateAuthorizationQuery() /*.Count()*/);
}
[Test] public virtual void testAuthorizationCheckEmptyDb()
{
TestResource resource1 = new TestResource("resource1", 100);
TestResource resource2 = new TestResource("resource2", 101);
IList <string> jonnysGroups = new List <string>()
{
"sales", "marketing"
};
IList <string> someOneElsesGroups = new List <string>()
{
"marketing"
}; // Collections.singletonList("marketing");
// if no authorizations are in Db, nothing is authorized
Assert.IsFalse(authorizationService.IsUserAuthorized("jonny", jonnysGroups, Permissions.All, (Resources)resource1.resourceType()));
Assert.IsFalse(authorizationService.IsUserAuthorized("someone", someOneElsesGroups, Permissions.Create, (Resources)resource2.resourceType()));
Assert.IsFalse(authorizationService.IsUserAuthorized("someone else", null, Permissions.Delete, (Resources)resource1.resourceType()));
Assert.IsFalse(authorizationService.IsUserAuthorized("jonny", jonnysGroups, Permissions.All, (Resources)resource1.resourceType(), "someId"));
Assert.IsFalse(authorizationService.IsUserAuthorized("someone", someOneElsesGroups, Permissions.Create, (Resources)resource1.resourceType(), "someId"));
Assert.IsFalse(authorizationService.IsUserAuthorized("someone else", null, Permissions.Delete, (Resources)resource1.resourceType(), "someOtherId"));
}
public virtual void testUpdatePersistentAuthorization()
{
TestResource resource1 = new TestResource("resource1", 100);
TestResource resource2 = new TestResource("resource1", 101);
IAuthorization authorization = authorizationService.CreateNewAuthorization(AuthorizationFields.AuthTypeGrant);
authorization.UserId = "aUserId";
//authorization.Resource = resource1;
authorization.ResourceId = "aResourceId";
authorization.AddPermission(Permissions.Access);
// save the authorization
authorizationService.SaveAuthorization(authorization);
// validate authorization
IAuthorization savedAuthorization = authorizationService.CreateAuthorizationQuery().First();
Assert.AreEqual("aUserId", savedAuthorization.UserId);
Assert.AreEqual(resource1.resourceType(), savedAuthorization.ResourceType);
Assert.AreEqual("aResourceId", savedAuthorization.ResourceId);
Assert.True(savedAuthorization.IsPermissionGranted(Permissions.Access));
// update authorization
savedAuthorization.UserId = "anotherUserId";
//savedAuthorization.Resource = resource2;
savedAuthorization.ResourceId = "anotherResourceId";
savedAuthorization.AddPermission(Permissions.Delete);
authorizationService.SaveAuthorization(savedAuthorization);
// validate authorization updated
savedAuthorization = authorizationService.CreateAuthorizationQuery().First();
Assert.AreEqual("anotherUserId", savedAuthorization.UserId);
Assert.AreEqual(resource2.resourceType(), savedAuthorization.ResourceType);
Assert.AreEqual("anotherResourceId", savedAuthorization.ResourceId);
Assert.True(savedAuthorization.IsPermissionGranted(Permissions.Access));
Assert.True(savedAuthorization.IsPermissionGranted(Permissions.Delete));
}
public virtual void testInvalidCreateAuthorization()
{
TestResource resource1 = new TestResource("resource1", 100);
// case 1: no user id & no group id ////////////
IAuthorization authorization = authorizationService.CreateNewAuthorization(AuthorizationFields.AuthTypeGrant);
//authorization.Resource = resource1;
try
{
authorizationService.SaveAuthorization(authorization);
Assert.Fail("exception expected");
}
catch (ProcessEngineException e)
{
Assert.True(e.Message.Contains("IAuthorization must either have a 'userId' or a 'groupId'."));
}
// case 2: both user id & group id ////////////
authorization = authorizationService.CreateNewAuthorization(AuthorizationFields.AuthTypeGrant);
authorization.GroupId = "someId";
authorization.UserId = "someOtherId";
//authorization.Resource = resource1;
try
{
authorizationService.SaveAuthorization(authorization);
Assert.Fail("exception expected");
}
catch (ProcessEngineException e)
{
AssertTextPresent("IAuthorization must either have a 'userId' or a 'groupId'.", e.Message);
}
// case 3: no resourceType ////////////
authorization = authorizationService.CreateNewAuthorization(AuthorizationFields.AuthTypeGrant);
authorization.UserId = "someId";
try
{
authorizationService.SaveAuthorization(authorization);
Assert.Fail("exception expected");
}
catch (ProcessEngineException e)
{
Assert.True(e.Message.Contains("IAuthorization 'resourceType' cannot be null."));
}
// case 4: no permissions /////////////////
authorization = authorizationService.CreateNewAuthorization(AuthorizationFields.AuthTypeRevoke);
authorization.UserId = "someId";
try
{
authorizationService.SaveAuthorization(authorization);
Assert.Fail("exception expected");
}
catch (ProcessEngineException e)
{
Assert.True(e.Message.Contains("IAuthorization 'resourceType' cannot be null."));
}
}
[Test] public virtual void testNullAuthorizationCheck()
{
TestResource resource1 = new TestResource("resource1", 100);
Assert.IsFalse(authorizationService.IsUserAuthorized(null, null, Permissions.Update, (Resources)resource1.resourceType()));
}