public virtual void testGlobalAuthPermissions()
{
AuthorizationEntity authorization = new AuthorizationEntity(AuthorizationFields.AuthTypeGrant);
Assert.IsFalse(authorization.IsPermissionGranted(Permissions.All));
Assert.True(authorization.IsPermissionGranted(Permissions.None));
IList <Permissions> perms = (authorization.GetPermissions(new Permissions[] { }));
Assert.True(perms.Contains(Permissions.None));
Assert.AreEqual(1, perms.Count);
authorization.AddPermission(Permissions.Read);
perms = (authorization.GetPermissions(new Permissions[] { }));
Assert.True(perms.Contains(Permissions.None));
Assert.True(perms.Contains(Permissions.Read));
Assert.AreEqual(2, perms.Count);
Assert.True(authorization.IsPermissionGranted(Permissions.Read));
Assert.True(authorization.IsPermissionGranted(Permissions.None)); // (none is always granted => you are always authorized to do nothing)
try
{
authorization.IsPermissionRevoked(Permissions.Read);
Assert.Fail("Exception expected");
}
catch (System.InvalidOperationException e)
{
AssertTextPresent("ENGINE-03026 Method 'isPermissionRevoked' cannot be used for authorization with type 'GRANT'.", e.Message);
}
}
public async Task <TAuthorizationToken> GetAsync <TAuthorizationToken>(DeploymentScope deploymentScope)
where TAuthorizationToken : AuthorizationToken, new()
{
if (deploymentScope is null)
{
throw new ArgumentNullException(nameof(deploymentScope));
}
var client = await tableClient.ConfigureAwait(false);
var rowKey = AuthorizationEntity.GetEntityId(deploymentScope);
var partitionKey = string.Join(",", typeof(TAuthorizationToken).AssemblyQualifiedName.Split(',').Take(2));
try
{
var response = await client
.GetEntityAsync <TAuthorizationToken>(partitionKey, rowKey)
.ConfigureAwait(false);
return(response.Value);
}
catch (RequestFailedException ex) when(ex.Status == 404)
{
// doesn't exist
return(null);
}
}
public virtual void testRevokeAuthPermissions()
{
AuthorizationEntity authorization = new AuthorizationEntity(AuthorizationFields.AuthTypeRevoke);
Assert.IsFalse(authorization.IsPermissionRevoked(Permissions.All));
IList <Permissions> perms = (authorization.GetPermissions(new Permissions[] { }));
Assert.AreEqual(0, perms.Count);
authorization.RemovePermission(Permissions.Read);
perms = (authorization.GetPermissions(new Permissions[] { }));
Assert.True(perms.Contains(Permissions.Read));
Assert.True(perms.Contains(Permissions.All));
Assert.AreEqual(2, perms.Count);
try
{
authorization.IsPermissionGranted(Permissions.Read);
Assert.Fail("Exception expected");
}
catch (System.InvalidOperationException e)
{
AssertTextPresent("ENGINE-03026 Method 'isPermissionGranted' cannot be used for authorization with type 'REVOKE'.", e.Message);
}
}
public virtual void testRevokeAuthPermissions()
{
AuthorizationEntity authorization = new AuthorizationEntity(AUTH_TYPE_REVOKE);
authorization.setResource(Resources.DEPLOYMENT);
assertFalse(authorization.isPermissionRevoked(ALL));
IList <Permission> perms = Arrays.asList(authorization.getPermissions(Permissions.values()));
assertEquals(0, perms.Count);
authorization.removePermission(READ);
perms = Arrays.asList(authorization.getPermissions(Permissions.values()));
assertTrue(perms.Contains(READ));
assertTrue(perms.Contains(ALL));
assertEquals(2, perms.Count);
try
{
authorization.isPermissionGranted(READ);
fail("Exception expected");
}
catch (System.InvalidOperationException e)
{
assertTextPresent("ENGINE-03026 Method 'isPermissionGranted' cannot be used for authorization with type 'REVOKE'.", e.Message);
}
}
public virtual void testGlobalAuthPermissions()
{
AuthorizationEntity authorization = new AuthorizationEntity(AUTH_TYPE_GRANT);
authorization.setResource(Resources.DEPLOYMENT);
assertFalse(authorization.isPermissionGranted(ALL));
assertTrue(authorization.isPermissionGranted(NONE));
IList <Permission> perms = Arrays.asList(authorization.getPermissions(Permissions.values()));
assertTrue(perms.Contains(NONE));
assertEquals(1, perms.Count);
authorization.addPermission(READ);
perms = Arrays.asList(authorization.getPermissions(Permissions.values()));
assertTrue(perms.Contains(NONE));
assertTrue(perms.Contains(READ));
assertEquals(2, perms.Count);
assertTrue(authorization.isPermissionGranted(READ));
assertTrue(authorization.isPermissionGranted(NONE)); // (none is always granted => you are always authorized to do nothing)
try
{
authorization.isPermissionRevoked(READ);
fail("Exception expected");
}
catch (System.InvalidOperationException e)
{
assertTextPresent("ENGINE-03026 Method 'isPermissionRevoked' cannot be used for authorization with type 'GRANT'.", e.Message);
}
}
protected internal virtual AuthorizationEntity createGrantAuthorization(string userId, string groupId, Resource resource, string resourceId, params Permission[] permissions)
{
// assuming that there are no default authorizations for *
if (!string.ReferenceEquals(userId, null))
{
ensureValidIndividualResourceId("Cannot create authorization for user " + userId, userId);
}
if (!string.ReferenceEquals(groupId, null))
{
ensureValidIndividualResourceId("Cannot create authorization for group " + groupId, groupId);
}
AuthorizationEntity authorization = new AuthorizationEntity(AUTH_TYPE_GRANT);
authorization.UserId = userId;
authorization.GroupId = groupId;
authorization.setResource(resource);
authorization.ResourceId = resourceId;
if (permissions != null)
{
foreach (Permission permission in permissions)
{
authorization.addPermission(permission);
}
}
return(authorization);
}
public virtual AuthorizationEntity[] newTaskAssignee(Task task, string oldAssignee, string newAssignee)
{
if (!string.ReferenceEquals(newAssignee, null))
{
ensureValidIndividualResourceId("Cannot create default authorization for assignee " + newAssignee, newAssignee);
// create (or update) an authorization for the new assignee.
string taskId = task.Id;
// fetch existing authorization
AuthorizationEntity authorization = getGrantAuthorizationByUserId(newAssignee, TASK, taskId);
// update authorization:
// (1) fetched authorization == null -> create a new authorization (with READ, (UPDATE/TASK_WORK) permission, and READ_VARIABLE if enabled)
// (2) fetched authorization != null -> add READ, (UPDATE/TASK_WORK) permission, and READ_VARIABLE if enabled
// Update or TASK_WORK permission is configurable in camunda.cfg.xml and by default, UPDATE permission is provided
authorization = updateAuthorization(authorization, newAssignee, null, TASK, taskId, READ, DefaultUserPermissionForTask, SpecificReadVariablePermission);
// return always created or updated authorization
return(new AuthorizationEntity[] { authorization });
}
return(null);
}
protected String processList(String url, AuthorizationEntity authorization)
{
WebRequestUtil wrUtil = new WebRequestUtil(authorization);
Dictionary <string, string> post_data = new Dictionary <string, string>();
String response = wrUtil.getRequest(url, post_data);
return(response);
}
public static LoginModel ToLoginModel(this AuthorizationEntity authorisationEntity)
{
return(new LoginModel()
{
Email = authorisationEntity.Email,
Password = authorisationEntity.Password
});
}
public virtual AuthorizationEntity[] newUser(User user)
{
// create an authorization which gives the user all permissions on himself:
string userId = user.Id;
ensureValidIndividualResourceId("Cannot create default authorization for user " + userId, userId);
AuthorizationEntity resourceOwnerAuthorization = createGrantAuthorization(userId, null, USER, userId, ALL);
return(new AuthorizationEntity[] { resourceOwnerAuthorization });
}
protected internal virtual bool hasEntitySameAuthorizationRights(AuthorizationEntity authEntity, string userId, string groupId, Resource resource, string resourceId)
{
bool sameUserId = areIdsEqual(authEntity.UserId, userId);
bool sameGroupId = areIdsEqual(authEntity.GroupId, groupId);
bool sameResourceId = areIdsEqual(authEntity.ResourceId, (resourceId));
bool sameResourceType = authEntity.ResourceType == resource.resourceType();
bool sameAuthorizationType = authEntity.AuthorizationType == AUTH_TYPE_GRANT;
return(sameUserId && sameGroupId && sameResourceType && sameResourceId && sameAuthorizationType);
}
public bool CheckForm(AuthorizationEntity authorization)
{
var auth = unitOfWork.AuthorizationRepository.Get(x => x.Email == authorization.Email);
if (auth != null && auth.Password == authorization.Password && auth.Confirm == true)
{
return(true);
}
return(false);
}
public static Authorization ToAuthorization(this AuthorizationEntity authorisationEntity)
{
return(new Authorization()
{
Id = authorisationEntity.Id,
Email = authorisationEntity.Email,
Password = authorisationEntity.Password,
UserId = authorisationEntity.UserId,
Confirm = authorisationEntity.Confirm
});
}
public bool InsertAuthorization(AuthorizationEntity auth)
{
try
{
var table = _tableClient.GetTableReference(Tables.Authorizaiton);
var insertOperation = TableOperation.Insert(auth);
table.Execute(insertOperation);
return(true);
}
catch (Exception e)
{
return(false);
}
}
public void UpdateAuthorization(AuthorizationEntity teamAuth)
{
try
{
var table = _tableClient.GetTableReference(Tables.Authorizaiton);
var replaceOperation = TableOperation.Replace(teamAuth);
table.Execute(replaceOperation);
}
catch (Exception e)
{
Console.WriteLine(e);
throw;
}
}
public virtual void testCreateAuthorization()
{
// add base permission which allows nobody to create authorizations
IAuthorization basePerms = authorizationService.CreateNewAuthorization(AuthorizationFields.AuthTypeGlobal);
basePerms.Resource = Resources.Authorization;
basePerms.ResourceId = AuthorizationFields.Any;
basePerms.AddPermission(Permissions.All); // add all then remove 'create'
basePerms.RemovePermission(Permissions.Create);
authorizationService.SaveAuthorization(basePerms);
// now enable authorizations:
processEngineConfiguration.SetAuthorizationEnabled(true);
identityService.AuthenticatedUserId = jonny2;
try
{
// we cannot create another authorization
authorizationService.CreateNewAuthorization(AuthorizationFields.AuthTypeGlobal);
Assert.Fail("exception expected");
}
catch (AuthorizationException e)
{
Assert.AreEqual(1, e.MissingAuthorizations.Count);
MissingAuthorization info = e.MissingAuthorizations[0];
Assert.AreEqual(jonny2, e.UserId);
AuthorizationTestUtil.AssertExceptionInfo(Permissions.Create.ToString(), Resources.Authorization.ToString() /*.ResourceName()*/, null, info);
}
// circumvent auth check to get new transient object
IAuthorization authorization = new AuthorizationEntity(AuthorizationFields.AuthTypeRevoke);
authorization.UserId = "someUserId";
authorization.Resource = Resources.Application;
try
{
authorizationService.SaveAuthorization(authorization);
Assert.Fail("exception expected");
}
catch (AuthorizationException e)
{
Assert.AreEqual(1, e.MissingAuthorizations.Count);
MissingAuthorization info = e.MissingAuthorizations[0];
Assert.AreEqual(jonny2, e.UserId);
AuthorizationTestUtil.AssertExceptionInfo(Permissions.Create.ToString(), Resources.Authorization.ToString() /*.ResourceName()*/, null, info);
}
}
public static int Update(AuthorizationEntity entity, DbConnection connection, DbTransaction transaction)
{
var command = KandaTableDataGateway._factory.CreateCommand(connection, transaction);
command.CommandText = @"usp_UpdateAuthorizations";
KandaDbDataMapper.MapToParameters(command, entity);
var result = KandaTableDataGateway._factory.CreateParameter(@"Result", DbType.Int32, sizeof(int), ParameterDirection.ReturnValue, DBNull.Value);
command.Parameters.Add(result);
command.ExecuteNonQuery();
return((int)result.Value);
}
// Deployment ///////////////////////////////////////////////
public virtual AuthorizationEntity[] newDeployment(Deployment deployment)
{
ProcessEngineConfigurationImpl processEngineConfiguration = Context.ProcessEngineConfiguration;
IdentityService identityService = processEngineConfiguration.IdentityService;
Authentication currentAuthentication = identityService.CurrentAuthentication;
if (currentAuthentication != null && !string.ReferenceEquals(currentAuthentication.UserId, null))
{
string userId = currentAuthentication.UserId;
string deploymentId = deployment.Id;
AuthorizationEntity authorization = createGrantAuthorization(userId, null, DEPLOYMENT, deploymentId, READ, DELETE);
return(new AuthorizationEntity[] { authorization });
}
return(null);
}
public virtual AuthorizationEntity[] newGroup(Group group)
{
IList <AuthorizationEntity> authorizations = new List <AuthorizationEntity>();
// whenever a new group is created, all users part of the
// group are granted READ permissions on the group
string groupId = group.Id;
ensureValidIndividualResourceId("Cannot create default authorization for group " + groupId, groupId);
AuthorizationEntity groupMemberAuthorization = createGrantAuthorization(null, groupId, GROUP, groupId, READ);
authorizations.Add(groupMemberAuthorization);
return(authorizations.ToArray());
}
private void DeserializeSerializeCompare(string jsonRep)
{
// convert the JSON to objects. Convert the objects to JSON.
AuthorizationEntity hydrated = JsonConvert.DeserializeObject <AuthorizationEntity>(jsonRep);
Assert.NotNull(hydrated);
string serialized = JsonConvert.SerializeObject(hydrated, Formatting.Indented);
output.WriteLine(serialized);
// compare original JSON with results of deserialize / serialize
var nodeSet1 = JsonConvert.DeserializeObject <JObject>(jsonRep);
var nodeSet2 = JsonConvert.DeserializeObject <JObject>(serialized);
Assert.True(JToken.DeepEquals(nodeSet1, nodeSet2),
"Original JSON and results of deserialize,serialize are different token graphs");
}
/// <summary>
/// Searches through the cache, if there is already an authorization with same rights. If that's the case
/// update the given authorization with the permissions and remove the old one from the cache.
/// </summary>
protected internal virtual void updateAuthorizationBasedOnCacheEntries(AuthorizationEntity authorization, string userId, string groupId, Resource resource, string resourceId)
{
DbEntityManager dbManager = Context.CommandContext.DbEntityManager;
IList <AuthorizationEntity> list = dbManager.getCachedEntitiesByType(typeof(AuthorizationEntity));
foreach (AuthorizationEntity authEntity in list)
{
bool hasSameAuthRights = hasEntitySameAuthorizationRights(authEntity, userId, groupId, resource, resourceId);
if (hasSameAuthRights)
{
int previousPermissions = authEntity.getPermissions();
authorization.setPermissions(previousPermissions);
dbManager.DbEntityCache.remove(authEntity);
return;
}
}
}
public virtual AuthorizationEntity[] newFilter(Filter filter)
{
string owner = filter.Owner;
if (!string.ReferenceEquals(owner, null))
{
// create an authorization which gives the owner of the filter all permissions on the filter
string filterId = filter.Id;
ensureValidIndividualResourceId("Cannot create default authorization for filter owner " + owner, owner);
AuthorizationEntity filterOwnerAuthorization = createGrantAuthorization(owner, null, FILTER, filterId, ALL);
return(new AuthorizationEntity[] { filterOwnerAuthorization });
}
else
{
return(null);
}
}
public virtual AuthorizationEntity[] newTaskGroupIdentityLink(Task task, string groupId, string type)
{
ensureValidIndividualResourceId("Cannot grant default authorization for identity link to group " + groupId, groupId);
// create (or update) an authorization for the given group
// whenever a new user identity link will be added
string taskId = task.Id;
// fetch existing authorization
AuthorizationEntity authorization = getGrantAuthorizationByGroupId(groupId, TASK, taskId);
// update authorization:
// (1) fetched authorization == null -> create a new authorization (with READ, (UPDATE/TASK_WORK) permission, and READ_VARIABLE if enabled)
// (2) fetched authorization != null -> add READ, (UPDATE/TASK_WORK) permission, and READ_VARIABLE if enabled
// Update or TASK_WORK permission is configurable in camunda.cfg.xml and by default, UPDATE permission is provided
authorization = updateAuthorization(authorization, null, groupId, TASK, taskId, READ, DefaultUserPermissionForTask, SpecificReadVariablePermission);
// return always created or updated authorization
return(new AuthorizationEntity[] { authorization });
}
protected internal virtual AuthorizationEntity updateAuthorization(AuthorizationEntity authorization, string userId, string groupId, Resource resource, string resourceId, params Permission[] permissions)
{
if (authorization == null)
{
authorization = createGrantAuthorization(userId, groupId, resource, resourceId);
updateAuthorizationBasedOnCacheEntries(authorization, userId, groupId, resource, resourceId);
}
if (permissions != null)
{
foreach (Permission permission in permissions)
{
if (permission != null)
{
authorization.addPermission(permission);
}
}
}
return(authorization);
}
/// <summary>
/// Create a new authorization.
/// </summary>
/// <param name="identifier">The identifier to be authorized.</param>
/// <returns>The authorization created.</returns>
/// <exception cref="InvalidOperationException">If the account key is missing.</exception>
public async Task <AcmeResult <AuthorizationEntity> > NewAuthorization(AuthorizationIdentifier identifier)
{
if (this.key == null)
{
throw new InvalidOperationException();
}
var auth = new AuthorizationEntity
{
Identifier = identifier,
Resource = ResourceTypes.NewAuthorization
};
var uri = await handler.GetResourceUri(ResourceTypes.NewAuthorization);
var result = await handler.Post(uri, auth, key);
ThrowIfError(result);
if (result.HttpStatus == HttpStatusCode.SeeOther) // An authentication with the same identifier exists.
{
result = await handler.Get <AuthorizationEntity>(result.Location);
ThrowIfError(result);
}
return(new AcmeResult <AuthorizationEntity>
{
Data = result.Data,
Json = result.Json,
Raw = result.Raw,
Links = result.Links,
Location = result.Location,
ContentType = result.ContentType
});
}
public SaveAuthorizationCmd(IAuthorization authorization)
{
this.Authorization = (AuthorizationEntity)authorization;
Validate();
}
/// <summary>
///
/// </summary>
/// <param name="entity"></param>
/// <param name="connection"></param>
/// <param name="transaction"></param>
/// <returns></returns>
public bool Update(AuthorizationEntity entity, DbConnection connection, DbTransaction transaction)
{
var updated = AuthorizationsGateway.Update(entity, connection, transaction);
return(updated == 1);
}
/// <summary>
///
/// </summary>
/// <param name="entity"></param>
/// <param name="connection"></param>
/// <param name="transaction"></param>
/// <returns></returns>
public bool Create(AuthorizationEntity entity, DbConnection connection, DbTransaction transaction)
{
var created = AuthorizationsGateway.Insert(entity, connection, transaction);
return(created == 1);
}
public AuthorizationAttribute(ClaimScope claimScope, AuthorizationAction action, AuthorizationEntity entity)
{
ClaimScope = claimScope;
Name = AuthorizationName.Generate(action, entity);
}
public virtual AuthorizationEntity[] tenantMembershipCreated(Tenant tenant, Group group)
{
AuthorizationEntity userAuthorization = createGrantAuthorization(null, group.Id, TENANT, tenant.Id, READ);
return(new AuthorizationEntity[] { userAuthorization });
}
