public virtual void testHistoricTaskInstanceReportWithoutAuthorization() { // given startProcessInstanceByKey(PROCESS_KEY); string taskId = selectSingleTask().Id; disableAuthorization(); taskService.complete(taskId); enableAuthorization(); try { // when historyService.createHistoricTaskInstanceReport().duration(PeriodUnit.MONTH); fail("Exception expected: It should not be possible to create a historic task instance report"); } catch (AuthorizationException e) { // then IList <MissingAuthorization> missingAuthorizations = e.MissingAuthorizations; assertEquals(1, missingAuthorizations.Count); MissingAuthorization missingAuthorization = missingAuthorizations[0]; assertEquals(READ_HISTORY.ToString(), missingAuthorization.ViolatedPermissionName); assertEquals(PROCESS_DEFINITION.resourceName(), missingAuthorization.ResourceType); assertEquals(ANY, missingAuthorization.ResourceId); } }
// create historic process instance report public virtual void testHistoricProcessInstanceReportWithoutAuthorization() { // given StartProcessInstanceByKey(PROCESS_KEY); string taskId = selectSingleTask().Id; disableAuthorization(); taskService.Complete(taskId); enableAuthorization(); try { // when historyService.CreateHistoricProcessInstanceReport().Duration(PeriodUnit.Month); Assert.Fail("Exception expected: It should not be possible to create a historic process instance report"); } catch (AuthorizationException e) { // then IList <MissingAuthorization> missingAuthorizations = e.MissingAuthorizations; Assert.AreEqual(1, missingAuthorizations.Count); MissingAuthorization missingAuthorization = missingAuthorizations[0]; Assert.AreEqual(Permissions.ReadHistory.ToString(), missingAuthorization.ViolatedPermissionName); Assert.AreEqual(Resources.ProcessDefinition.ToString() /*.ResourceName()*/, missingAuthorization.ResourceType); Assert.AreEqual(AuthorizationFields.Any, missingAuthorization.ResourceId); } }
public virtual void testDeleteAuthorization() { // create global auth IAuthorization basePerms = authorizationService.CreateNewAuthorization(AuthorizationFields.AuthTypeGlobal); basePerms.Resource = Resources.Authorization; basePerms.ResourceId = AuthorizationFields.Any; basePerms.AddPermission(Permissions.All); basePerms.RemovePermission(Permissions.Delete); // revoke Delete authorizationService.SaveAuthorization(basePerms); // turn on authorization processEngineConfiguration.SetAuthorizationEnabled(true); identityService.AuthenticatedUserId = jonny2; try { // try to Delete authorization authorizationService.DeleteAuthorization(basePerms.Id); Assert.Fail("exception expected"); } catch (AuthorizationException e) { Assert.AreEqual(1, e.MissingAuthorizations.Count); MissingAuthorization info = e.MissingAuthorizations[0]; Assert.AreEqual(jonny2, e.UserId); AuthorizationTestUtil.AssertExceptionInfo(Permissions.Delete.ToString(), Resources.Authorization.ToString() /*.ResourceName()*/, basePerms.Id, info); } }
[Test] public virtual void testTenanGroupMembershipDeleteAuthorizations() { IGroup group1 = identityService.NewGroup("group1"); identityService.SaveGroup(group1); ITenant tenant1 = identityService.NewTenant("tenant1"); identityService.SaveTenant(tenant1); // add base permission which allows nobody to Delete memberships IAuthorization basePerms = authorizationService.CreateNewAuthorization(AuthorizationFields.AuthTypeGlobal); basePerms.Resource = Resources.TenantMembership; basePerms.ResourceId = AuthorizationFields.Any; basePerms.AddPermission(Permissions.All); // add all then remove 'Delete' basePerms.RemovePermission(Permissions.Delete); authorizationService.SaveAuthorization(basePerms); processEngineConfiguration.SetAuthorizationEnabled(true); identityService.AuthenticatedUserId = jonny2; try { identityService.DeleteTenantGroupMembership("tenant1", "group1"); Assert.Fail("exception expected"); } catch (AuthorizationException e) { Assert.AreEqual(1, e.MissingAuthorizations.Count); MissingAuthorization info = e.MissingAuthorizations[0]; Assert.AreEqual(jonny2, e.UserId); AuthorizationTestUtil.AssertExceptionInfo(Permissions.Delete.ToString(), Resources.TenantMembership.ToString() /*.ResourceName()*/, "tenant1", info); } }
public AuthorizationException(string userId, MissingAuthorization exceptionInfo) : base("The user with id '" + userId + "' does not have " + generateMissingAuthorizationMessage(exceptionInfo) + ".") { this.userId = userId; missingAuthorizations = new List <MissingAuthorization>(); missingAuthorizations.Add(exceptionInfo); this.resourceType = exceptionInfo.ResourceType; this.permissionName = exceptionInfo.ViolatedPermissionName; this.resourceId = exceptionInfo.ResourceId; }
// transformer ///////////////////////////// public static MissingAuthorizationDto fromInfo(MissingAuthorization info) { MissingAuthorizationDto dto = new MissingAuthorizationDto(); dto.PermissionName = info.ViolatedPermissionName; dto.ResourceId = info.ResourceId; dto.ResourceName = info.ResourceType; return(dto); }
public virtual void testCreateAuthorization() { // add base permission which allows nobody to create authorizations IAuthorization basePerms = authorizationService.CreateNewAuthorization(AuthorizationFields.AuthTypeGlobal); basePerms.Resource = Resources.Authorization; basePerms.ResourceId = AuthorizationFields.Any; basePerms.AddPermission(Permissions.All); // add all then remove 'create' basePerms.RemovePermission(Permissions.Create); authorizationService.SaveAuthorization(basePerms); // now enable authorizations: processEngineConfiguration.SetAuthorizationEnabled(true); identityService.AuthenticatedUserId = jonny2; try { // we cannot create another authorization authorizationService.CreateNewAuthorization(AuthorizationFields.AuthTypeGlobal); Assert.Fail("exception expected"); } catch (AuthorizationException e) { Assert.AreEqual(1, e.MissingAuthorizations.Count); MissingAuthorization info = e.MissingAuthorizations[0]; Assert.AreEqual(jonny2, e.UserId); AuthorizationTestUtil.AssertExceptionInfo(Permissions.Create.ToString(), Resources.Authorization.ToString() /*.ResourceName()*/, null, info); } // circumvent auth check to get new transient object IAuthorization authorization = new AuthorizationEntity(AuthorizationFields.AuthTypeRevoke); authorization.UserId = "someUserId"; authorization.Resource = Resources.Application; try { authorizationService.SaveAuthorization(authorization); Assert.Fail("exception expected"); } catch (AuthorizationException e) { Assert.AreEqual(1, e.MissingAuthorizations.Count); MissingAuthorization info = e.MissingAuthorizations[0]; Assert.AreEqual(jonny2, e.UserId); AuthorizationTestUtil.AssertExceptionInfo(Permissions.Create.ToString(), Resources.Authorization.ToString() /*.ResourceName()*/, null, info); } }
/// <summary> /// Generated exception message for the missing authorization. /// </summary> /// <param name="exceptionInfo"> to use </param> private static string generateMissingAuthorizationMessage(MissingAuthorization exceptionInfo) { StringBuilder builder = new StringBuilder(); string permissionName = exceptionInfo.ViolatedPermissionName; string resourceType = exceptionInfo.ResourceType; string resourceId = exceptionInfo.ResourceId; builder.Append("'"); builder.Append(permissionName); builder.Append("' permission on resource '"); builder.Append((!string.ReferenceEquals(resourceId, null) ? (resourceId + "' of type '") : "")); builder.Append(resourceType); builder.Append("'"); return(builder.ToString()); }
[Test] public virtual void testTenantCreateAuthorizations() { // add base permission which allows nobody to create tenants: IAuthorization basePerms = authorizationService.CreateNewAuthorization(AuthorizationFields.AuthTypeGlobal); basePerms.Resource = Resources.Tenant; basePerms.ResourceId = AuthorizationFields.Any; basePerms.AddPermission(Permissions.All); // add all then remove 'create' basePerms.RemovePermission(Permissions.Create); authorizationService.SaveAuthorization(basePerms); processEngineConfiguration.SetAuthorizationEnabled(true); identityService.AuthenticatedUserId = jonny2; try { identityService.NewTenant("tenant"); Assert.Fail("exception expected"); } catch (AuthorizationException e) { Assert.AreEqual(1, e.MissingAuthorizations.Count); MissingAuthorization info = e.MissingAuthorizations[0]; Assert.AreEqual(jonny2, e.UserId); AuthorizationTestUtil.AssertExceptionInfo(Permissions.Create.ToString(), Resources.Tenant.ToString() /*.ResourceName()*/, null, info); } // circumvent auth check to get new transient userobject ITenant tenant = new TenantEntity("tenant"); try { identityService.SaveTenant(tenant); Assert.Fail("exception expected"); } catch (AuthorizationException e) { Assert.AreEqual(1, e.MissingAuthorizations.Count); MissingAuthorization info = e.MissingAuthorizations[0]; Assert.AreEqual(jonny2, e.UserId); AuthorizationTestUtil.AssertExceptionInfo(Permissions.Create.ToString(), Resources.Tenant.ToString() /*.ResourceName()*/, null, info); } }
[Test] public virtual void testTenantUpdateAuthorizations() { // create tenant ITenant tenant = new TenantEntity("tenant"); identityService.SaveTenant(tenant); // create global auth IAuthorization basePerms = authorizationService.CreateNewAuthorization(AuthorizationFields.AuthTypeGlobal); basePerms.Resource = Resources.Tenant; basePerms.ResourceId = AuthorizationFields.Any; basePerms.AddPermission(Permissions.All); basePerms.RemovePermission(Permissions.Update); // revoke update authorizationService.SaveAuthorization(basePerms); // turn on authorization processEngineConfiguration.SetAuthorizationEnabled(true); identityService.AuthenticatedUserId = jonny2; // fetch user: tenant = identityService.CreateTenantQuery().First(); tenant.Name = "newName"; try { identityService.SaveTenant(tenant); Assert.Fail("exception expected"); } catch (AuthorizationException e) { Assert.AreEqual(1, e.MissingAuthorizations.Count); MissingAuthorization info = e.MissingAuthorizations[0]; Assert.AreEqual(jonny2, e.UserId); AuthorizationTestUtil.AssertExceptionInfo(Permissions.Update.ToString(), Resources.Tenant.ToString() /*.ResourceName()*/, "tenant", info); } // but I can create a new tenant: ITenant newTenant = identityService.NewTenant("newTenant"); identityService.SaveTenant(newTenant); }
public virtual void testUserUpdateAuthorizations() { // create global auth IAuthorization basePerms = authorizationService.CreateNewAuthorization(AuthorizationFields.AuthTypeGlobal); basePerms.Resource = Resources.Authorization; basePerms.ResourceId = AuthorizationFields.Any; basePerms.AddPermission(Permissions.All); basePerms.RemovePermission(Permissions.Update); // revoke update authorizationService.SaveAuthorization(basePerms); // turn on authorization processEngineConfiguration.SetAuthorizationEnabled(true); identityService.AuthenticatedUserId = jonny2; // fetch authhorization basePerms = authorizationService.CreateAuthorizationQuery().First(); // make some change to the perms basePerms.AddPermission(Permissions.All); try { authorizationService.SaveAuthorization(basePerms); Assert.Fail("exception expected"); } catch (AuthorizationException e) { Assert.AreEqual(1, e.MissingAuthorizations.Count); MissingAuthorization info = e.MissingAuthorizations[0]; Assert.AreEqual(jonny2, e.UserId); AuthorizationTestUtil.AssertExceptionInfo(Permissions.Update.ToString(), Resources.Authorization.ToString() /*.ResourceName()*/, basePerms.Id, info); } // but we can create a new auth IAuthorization newAuth = authorizationService.CreateNewAuthorization(AuthorizationFields.AuthTypeGrant); newAuth.UserId = "jonny2"; newAuth.Resource = Resources.Authorization; newAuth.ResourceId = AuthorizationFields.Any; newAuth.AddPermission(Permissions.All); authorizationService.SaveAuthorization(newAuth); }
[Test] public virtual void testGroupUpdateAuthorizations() { // crate group while still in god-mode: IGroup group1 = identityService.NewGroup("group1"); identityService.SaveGroup(group1); // create global auth IAuthorization basePerms = authorizationService.CreateNewAuthorization(AuthorizationFields.AuthTypeGlobal); basePerms.Resource = Resources.Group; basePerms.ResourceId = AuthorizationFields.Any; basePerms.AddPermission(Permissions.All); basePerms.RemovePermission(Permissions.Update); // revoke update authorizationService.SaveAuthorization(basePerms); // turn on authorization processEngineConfiguration.SetAuthorizationEnabled(true); identityService.AuthenticatedUserId = jonny2; // fetch user: group1 = identityService.CreateGroupQuery().First(); //group1.ToString() = "IGroup 1"; try { identityService.SaveGroup(group1); Assert.Fail("exception expected"); } catch (AuthorizationException e) { Assert.AreEqual(1, e.MissingAuthorizations.Count); MissingAuthorization info = e.MissingAuthorizations[0]; Assert.AreEqual(jonny2, e.UserId); AuthorizationTestUtil.AssertExceptionInfo(Permissions.Update.ToString(), Resources.Group.ToString() /*.ResourceName()*/, "group1", info); } // but I can create a new group: IGroup group2 = identityService.NewGroup("group2"); identityService.SaveGroup(group2); }
[Test] public virtual void testUserUpdateAuthorizations() { // crate user while still in god-mode: IUser jonny1 = identityService.NewUser("jonny1"); identityService.SaveUser(jonny1); // create global auth IAuthorization basePerms = authorizationService.CreateNewAuthorization(AuthorizationFields.AuthTypeGlobal); basePerms.Resource = Resources.User; basePerms.ResourceId = AuthorizationFields.Any; basePerms.AddPermission(Permissions.All); basePerms.RemovePermission(Permissions.Update); // revoke update authorizationService.SaveAuthorization(basePerms); // turn on authorization processEngineConfiguration.SetAuthorizationEnabled(true); identityService.AuthenticatedUserId = jonny2; // fetch user: jonny1 = identityService.CreateUserQuery().First(); jonny1.FirstName = "Jonny"; try { identityService.SaveUser(jonny1); Assert.Fail("exception expected"); } catch (AuthorizationException e) { Assert.AreEqual(1, e.MissingAuthorizations.Count); MissingAuthorization info = e.MissingAuthorizations[0]; Assert.AreEqual(jonny2, e.UserId); AuthorizationTestUtil.AssertExceptionInfo(Permissions.Update.ToString(), Resources.User.ToString() /*.ResourceName()*/, "jonny1", info); } // but I can create a new user: IUser jonny3 = identityService.NewUser("jonny3"); identityService.SaveUser(jonny3); }
/// <summary> /// Checks if the info has the expected parameters. /// </summary> /// <param name="expectedPermissionName"> to use </param> /// <param name="expectedResourceName"> to use </param> /// <param name="expectedResourceId"> to use </param> /// <param name="info"> to check </param> public static void assertExceptionInfo(string expectedPermissionName, string expectedResourceName, string expectedResourceId, MissingAuthorization info) { assertEquals(expectedPermissionName, info.ViolatedPermissionName); assertEquals(expectedResourceName, info.ResourceType); assertEquals(expectedResourceId, info.ResourceId); }