public void ComputeOnInsertPrincipal()
{
using (var container = new MockWindowsSecurityRhetosContainer("u1-r1 u1-r12 u2-r12 u2-r2", commitChanges: false))
{
container.Resolve <ISqlExecuter>()
.ExecuteSql("DELETE FROM Common.Principal; DELETE FROM Common.Role");
// Insert test data:
var u1 = new Common.Principal {
ID = Guid.NewGuid(), Name = _domainPrefix + "u1"
};
var u2 = new Common.Principal {
ID = Guid.NewGuid(), Name = _domainPrefix + "u2"
};
var u3 = new Common.Principal {
ID = Guid.NewGuid(), Name = _domainPrefix + "u3"
};
var u5 = new Common.Principal {
ID = Guid.NewGuid(), Name = "u5"
};
var r1 = new Common.Role {
ID = Guid.NewGuid(), Name = _domainPrefix + "r1"
};
var r2 = new Common.Role {
ID = Guid.NewGuid(), Name = _domainPrefix + "r2"
};
var r25 = new Common.Role {
ID = Guid.NewGuid(), Name = "r25"
};
var repository = container.Resolve <Common.DomRepository>();
var roles = container.Resolve <GenericRepository <Common.Role> >();
var principals = container.Resolve <GenericRepository <Common.Principal> >();
var membership = container.Resolve <GenericRepository <Common.PrincipalHasRole> >();
roles.Insert(r1, r2, r25);
Assert.AreEqual(@"\r1, \r2, r25", ReportRoles(roles.Load()), "roles created");
principals.Insert(u1, u2, u3, u5);
Assert.AreEqual(@"\u1, \u2, \u3, u5", ReportPrincipals(principals.Load()), "principals created");
// Recompute membership on insert domain users:
Assert.AreEqual(@"\u1-\r1, \u2-\r2", ReportMembership(container), "auto-membership on insert");
// Inserting non-domain users and roles:
membership.Insert(new[] {
new Common.PrincipalHasRole {
PrincipalID = u2.ID, RoleID = r25.ID
},
new Common.PrincipalHasRole {
PrincipalID = u5.ID, RoleID = r25.ID
}
},
checkUserPermissions: true);
Assert.AreEqual(@"\u1-\r1, \u2-\r2, \u2-r25, u5-r25", ReportMembership(container), "non-domain users and roles");
}
}
public void RoleInheritance()
{
using (var container = new MockWindowsSecurityRhetosContainer("u1-r1 u1-r12 u2-r12 u2-r2", commitChanges: false))
{
container.Resolve <ISqlExecuter>()
.ExecuteSql("DELETE FROM Common.Principal; DELETE FROM Common.Role");
// Insert test data:
var u1 = new Common.Principal {
ID = Guid.NewGuid(), Name = _domainPrefix + "u1"
};
var u2 = new Common.Principal {
ID = Guid.NewGuid(), Name = _domainPrefix + "u2"
};
var u3 = new Common.Principal {
ID = Guid.NewGuid(), Name = _domainPrefix + "u3"
};
var u5 = new Common.Principal {
ID = Guid.NewGuid(), Name = "u5"
};
var r1 = new Common.Role {
ID = Guid.NewGuid(), Name = _domainPrefix + "r1"
};
var r2 = new Common.Role {
ID = Guid.NewGuid(), Name = _domainPrefix + "r2"
};
var r25 = new Common.Role {
ID = Guid.NewGuid(), Name = "r25"
};
var repository = container.Resolve <Common.DomRepository>();
var roles = container.Resolve <GenericRepository <Common.Role> >();
var principals = container.Resolve <GenericRepository <Common.Principal> >();
var membership = container.Resolve <GenericRepository <Common.PrincipalHasRole> >();
roles.Insert(r1, r2, r25);
principals.Insert(u1, u2, u3, u5);
membership.Insert(new[] { // Non-domain users and roles.
new Common.PrincipalHasRole {
PrincipalID = u2.ID, RoleID = r25.ID
},
new Common.PrincipalHasRole {
PrincipalID = u5.ID, RoleID = r25.ID
}
});
// Modify role inheritance:
repository.Common.RoleInheritsRole.Insert(new[] { new Common.RoleInheritsRole {
UsersFromID = r1.ID, PermissionsFromID = r25.ID
} });
TestUtility.ShouldFail(() => repository.Common.RoleInheritsRole.Insert(new[] { new Common.RoleInheritsRole {
UsersFromID = r25.ID, PermissionsFromID = r2.ID
} }), "UserException",
"It is not allowed to add users or user groups here because this role is synchronized with an Active Directory group.",
"Please change the user membership on Active Directory instead.");
}
}
public void ComputeOnUpdatePrincipal()
{
using (var container = new MockWindowsSecurityRhetosContainer("u1-r1 u1-r12 u2-r12 u2-r2", commitChanges: false))
{
container.Resolve <ISqlExecuter>()
.ExecuteSql("DELETE FROM Common.Principal; DELETE FROM Common.Role");
// Insert test data:
var u1 = new Common.Principal {
ID = Guid.NewGuid(), Name = _domainPrefix + "u1"
};
var u2 = new Common.Principal {
ID = Guid.NewGuid(), Name = _domainPrefix + "u2"
};
var u3 = new Common.Principal {
ID = Guid.NewGuid(), Name = _domainPrefix + "u3"
};
var u5 = new Common.Principal {
ID = Guid.NewGuid(), Name = "u5"
};
var r1 = new Common.Role {
ID = Guid.NewGuid(), Name = _domainPrefix + "r1"
};
var r2 = new Common.Role {
ID = Guid.NewGuid(), Name = _domainPrefix + "r2"
};
var r25 = new Common.Role {
ID = Guid.NewGuid(), Name = "r25"
};
var repository = container.Resolve <Common.DomRepository>();
var roles = container.Resolve <GenericRepository <Common.Role> >();
var principals = container.Resolve <GenericRepository <Common.Principal> >();
var membership = container.Resolve <GenericRepository <Common.PrincipalHasRole> >();
roles.Insert(r1, r2, r25);
principals.Insert(u1, u2, u3, u5);
membership.Insert(new[] { // Non-domain users and roles.
new Common.PrincipalHasRole {
PrincipalID = u2.ID, RoleID = r25.ID
},
new Common.PrincipalHasRole {
PrincipalID = u5.ID, RoleID = r25.ID
}
});
// Recompute membership on update principal (domain users only):
u2.Name = "u2x";
principals.Update(u2);
Assert.AreEqual(@"\u1-\r1, u2x-\r2, u2x-r25, u5-r25", ReportMembership(container), "auto-membership on update ignore non-domain users");
u2.Name = _domainPrefix + "u2x";
principals.Update(u2);
Assert.AreEqual(@"\u1-\r1, \u2x-r25, u5-r25", ReportMembership(container), "auto-membership on update domain users");
u2.Name = _domainPrefix + "u2";
principals.Update(u2);
Assert.AreEqual(@"\u1-\r1, \u2-\r2, \u2-r25, u5-r25", ReportMembership(container), "auto-membership on update domain users 2");
}
}
public static Common.Role LoadRole(Guid roleGuid)
{
Business.Role roleController = new Business.Role();
Common.Role role = new Common.Role();
roleController.Load(roleGuid, role);
return(role);
}
public void RecomputeMembership()
{
using (var container = new MockWindowsSecurityRhetosContainer("u1-r1 u1-r12 u2-r12 u2-r2", commitChanges: false))
{
container.Resolve <ISqlExecuter>()
.ExecuteSql("DELETE FROM Common.Principal; DELETE FROM Common.Role");
// Insert test data:
var u1 = new Common.Principal {
ID = Guid.NewGuid(), Name = _domainPrefix + "u1"
};
var u2 = new Common.Principal {
ID = Guid.NewGuid(), Name = _domainPrefix + "u2"
};
var u3 = new Common.Principal {
ID = Guid.NewGuid(), Name = _domainPrefix + "u3"
};
var u5 = new Common.Principal {
ID = Guid.NewGuid(), Name = "u5"
};
var r1 = new Common.Role {
ID = Guid.NewGuid(), Name = _domainPrefix + "r1"
};
var r2 = new Common.Role {
ID = Guid.NewGuid(), Name = _domainPrefix + "r2"
};
var r25 = new Common.Role {
ID = Guid.NewGuid(), Name = "r25"
};
var repository = container.Resolve <Common.DomRepository>();
var roles = container.Resolve <GenericRepository <Common.Role> >();
var principals = container.Resolve <GenericRepository <Common.Principal> >();
var membership = repository.Common.PrincipalHasRole;
roles.Insert(r1, r2, r25);
principals.Insert(u1, u2, u3, u5);
membership.Insert(new[] { // Non-domain users and roles.
new Common.PrincipalHasRole {
PrincipalID = u2.ID, RoleID = r25.ID
},
new Common.PrincipalHasRole {
PrincipalID = u5.ID, RoleID = r25.ID
}
});
// Recompute membership relations:
var u1r1 = membership.Query(m => m.Principal.Name.Contains(@"\u1")).Single();
membership.Delete(new[] { u1r1 }, checkUserPermissions: false);
Assert.AreEqual(@"\u2-\r2, \u2-r25, u5-r25", ReportMembership(container), "modified membership");
repository.Common.PrincipalHasRole.RecomputeFromActiveDirectoryPrincipalHasRole();
Assert.AreEqual(@"\u1-\r1, \u2-\r2, \u2-r25, u5-r25", ReportMembership(container), "recomputed membership");
}
}
public bool UpdateRole(Common.Role role)
{
return(ExecuteSPCommand("UpdateRole",
"@Guid", role.RoleGuid,
"@Title", role.Title,
"@Priority", role.Priority,
"@IsDefault", role.IsDefault,
"@IsSalePackage", role.IsSalePackage,
"@Price", role.Price,
"@Description", role.Description));
}
public void InsertUnusedRole()
{
TestPermissionsCachingOnChange(context =>
{
var common = context.Repository.Common;
var role3 = new Common.Role {
Name = RolePrefix + Guid.NewGuid().ToString()
};
common.Role.Insert(role3);
},
new[] { true, true, false },
"Roles");
}
private void InitializePage()
{
btnSave.Text = Language.GetString(btnSave.Text);
btnCancel.Text = Language.GetString(btnCancel.Text);
btnSave.Attributes["onclick"] = "return validateRequiredFields();";
if (ActionType == "edit")
{
Common.Role role = Facade.Role.LoadRole(RoleGuid);
txtTitle.Text = role.Title;
chbDefaultRole.Checked = role.IsDefault;
ChbIsSalePackage.Checked = role.IsSalePackage;
txtPrice.Text = Helper.FormatDecimalForDisplay(role.Price);
txtDescription.Text = role.Description;
}
}
public void UserShouldNotUpdateDomainMembership()
{
using (var container = new MockWindowsSecurityRhetosContainer("u1-r1 u1-r12 u2-r12 u2-r2", commitChanges: false))
{
container.Resolve <ISqlExecuter>()
.ExecuteSql("DELETE FROM Common.Principal; DELETE FROM Common.Role");
// Insert test data:
var u1 = new Common.Principal {
ID = Guid.NewGuid(), Name = _domainPrefix + "u1"
};
var u2 = new Common.Principal {
ID = Guid.NewGuid(), Name = _domainPrefix + "u2"
};
var r1 = new Common.Role {
ID = Guid.NewGuid(), Name = _domainPrefix + "r1"
};
var r2 = new Common.Role {
ID = Guid.NewGuid(), Name = _domainPrefix + "r2"
};
var repository = container.Resolve <Common.DomRepository>();
var roles = container.Resolve <GenericRepository <Common.Role> >();
var principals = container.Resolve <GenericRepository <Common.Principal> >();
var membership = repository.Common.PrincipalHasRole;
roles.Insert(r1, r2);
principals.Insert(u1, u2);
// The user should not update domain users/groups membership:
Assert.AreEqual(@"\u1-\r1, \u2-\r2", ReportMembership(container));
var u2r2 = membership.Query(m => m.Principal.Name.Contains(@"\u2")).Single();
membership.Delete(new[] { u2r2 }, checkUserPermissions: false);
Assert.AreEqual(@"\u1-\r1", ReportMembership(container));
var u1r1 = membership.Query(m => m.Principal.Name.Contains(@"\u1")).Single();
TestUtility.ShouldFail(
() => membership.Delete(new[] { u1r1 }, checkUserPermissions: true),
"It is not allowed to remove the user membership here, because role " + _domainPrefix + "r1 is synchronized with an Active Directory group");
}
}
protected void btnSave_Click(object sender, EventArgs e)
{
try
{
Common.Role role = new Common.Role();
role.RoleGuid = RoleGuid;
role.Title = txtTitle.Text;
role.Price = Helper.GetDecimal(txtPrice.Text);
role.Description = txtDescription.Text;
role.Priority = Helper.GetByte(txtPriority.Text);
role.IsSalePackage = ChbIsSalePackage.Checked;
role.IsDefault = chbDefaultRole.Checked;
role.UserGuid = UserGuid;
role.CreateDate = DateTime.Now;
if (role.HasError)
{
throw new Exception(role.ErrorMessage);
}
switch (ActionType)
{
case "edit":
if (!Facade.Role.UpdateRole(role))
{
throw new Exception(Language.GetString("ErrorRecord"));
}
break;
case "insert":
if (!Facade.Role.InsertRole(role))
{
throw new Exception(Language.GetString("ErrorRecord"));
}
break;
}
Response.Redirect(string.Format("/PageLoader.aspx?c={0}", Helper.Encrypt((int)UserControls.UI_Roles_Role, Session)));
}
catch (Exception ex)
{
ClientSideScript = string.Format("result('error','{0}')", ex.Message);
}
}
public void CommonFilters()
{
using (var container = new MockWindowsSecurityRhetosContainer("u1-r1 u1-r12 u2-r12 u2-r2", commitChanges: false))
{
container.Resolve<Common.ExecutionContext>().NHibernateSession
.CreateSQLQuery("DELETE FROM Common.Principal; DELETE FROM Common.Role")
.ExecuteUpdate();
// Insert test data:
var u1 = new Common.Principal { ID = Guid.NewGuid(), Name = _domainPrefix + "u1" };
var u2 = new Common.Principal { ID = Guid.NewGuid(), Name = _domainPrefix + "u2" };
var u3 = new Common.Principal { ID = Guid.NewGuid(), Name = _domainPrefix + "u3" };
var u5 = new Common.Principal { ID = Guid.NewGuid(), Name = "u5" };
var r1 = new Common.Role { ID = Guid.NewGuid(), Name = _domainPrefix + "r1" };
var r2 = new Common.Role { ID = Guid.NewGuid(), Name = _domainPrefix + "r2" };
var r25 = new Common.Role { ID = Guid.NewGuid(), Name = "r25" };
var repository = container.Resolve<Common.DomRepository>();
var roles = container.Resolve<GenericRepository<Common.Role>>();
var principals = container.Resolve<GenericRepository<Common.Principal>>();
var membership = container.Resolve<GenericRepository<Common.PrincipalHasRole>>();
roles.Insert(r1, r2, r25);
principals.Insert(u1, u2, u3, u5);
membership.Insert(new[] { // Non-domain users and roles.
new Common.PrincipalHasRole { Principal = u2, Role = r25 },
new Common.PrincipalHasRole { Principal = u5, Role = r25 } });
// Common filters:
var filter1 = new Common.ActiveDirectoryAllUsersParameter();
Assert.AreEqual(@"\u1-\r1, \u2-\r2",
ReportMembership(container, filter1),
"filter ActiveDirectoryAllUsersParameter");
var filter2 = new[] { u1.Name, u2.Name }.Select(name => new Common.ActiveDirectoryUserParameter { UserName = name }).ToArray();
Assert.AreEqual(@"\u1-\r1, \u2-\r2",
ReportMembership(container, filter2),
"filter ActiveDirectoryUserParameter");
}
}
public void InsertRoleWithPermissions()
{
TestPermissionsCachingOnChange(context =>
{
var common = context.Repository.Common;
var role3 = new Common.Role {
Name = RolePrefix + Guid.NewGuid().ToString()
};
common.Role.Insert(role3);
var claim1 = common.Claim.Load(c => c.ClaimResource == Claim1.Resource && c.ClaimRight == Claim1.Right).Single();
common.RolePermission.Insert(new Common.RolePermission {
RoleID = role3.ID, ClaimID = claim1.ID, IsAuthorized = false
});
var role1 = common.Role.Load(r => r.Name == Role1Name).Single();
common.RoleInheritsRole.Insert(new Common.RoleInheritsRole {
UsersFromID = role1.ID, PermissionsFromID = role3.ID
});
},
new[] { false, true, false }, // Denied permission on claim1.
"RolePermissions, RolePermissions, RoleRoles, RoleRoles, Roles");
}
public void InsertTestPermissions()
{
DeleteTestPermissions();
using (var container = new RhetosTestContainer(commitChanges: true))
{
var r = container.Resolve <Common.DomRepository>();
var principal1 = new Common.Principal {
Name = User1Name
};
var principal2 = new Common.Principal {
Name = User2Name
};
r.Common.Principal.Insert(principal1, principal2);
var role1 = new Common.Role {
Name = Role1Name
};
var role2 = new Common.Role {
Name = Role2Name
};
r.Common.Role.Insert(role1, role2);
r.Common.PrincipalHasRole.Insert(new Common.PrincipalHasRole {
PrincipalID = principal1.ID, RoleID = role1.ID
});
r.Common.RoleInheritsRole.Insert(new Common.RoleInheritsRole {
UsersFromID = role1.ID, PermissionsFromID = role2.ID
});
var claim1 = r.Common.Claim.Load(c => c.ClaimResource == Claim1.Resource && c.ClaimRight == Claim1.Right).Single();
var claim2 = r.Common.Claim.Load(c => c.ClaimResource == Claim2.Resource && c.ClaimRight == Claim2.Right).Single();
r.Common.PrincipalPermission.Insert(new Common.PrincipalPermission {
PrincipalID = principal1.ID, ClaimID = claim1.ID, IsAuthorized = true
});
r.Common.RolePermission.Insert(new Common.RolePermission {
RoleID = role2.ID, ClaimID = claim2.ID, IsAuthorized = true
});
}
}
public void InsertTestPermissions()
{
DeleteTestPermissions();
using (var scope = TestScope.Create())
{
var context = scope.Resolve <Common.ExecutionContext>();
var r = scope.Resolve <Common.DomRepository>();
var principal1 = context.InsertPrincipalOrReadId(User1Name);
context.InsertPrincipalOrReadId(User2Name);
var role1 = new Common.Role {
Name = Role1Name
};
var role2 = new Common.Role {
Name = Role2Name
};
r.Common.Role.Insert(role1, role2);
r.Common.PrincipalHasRole.Insert(new Common.PrincipalHasRole {
PrincipalID = principal1.ID, RoleID = role1.ID
});
r.Common.RoleInheritsRole.Insert(new Common.RoleInheritsRole {
UsersFromID = role1.ID, PermissionsFromID = role2.ID
});
var claim1 = r.Common.Claim.Load(c => c.ClaimResource == Claim1.Resource && c.ClaimRight == Claim1.Right).Single();
var claim2 = r.Common.Claim.Load(c => c.ClaimResource == Claim2.Resource && c.ClaimRight == Claim2.Right).Single();
r.Common.PrincipalPermission.Insert(new Common.PrincipalPermission {
PrincipalID = principal1.ID, ClaimID = claim1.ID, IsAuthorized = true
});
r.Common.RolePermission.Insert(new Common.RolePermission {
RoleID = role2.ID, ClaimID = claim2.ID, IsAuthorized = true
});
scope.CommitAndClose();
}
}
public void InsertTestPermissions()
{
DeleteTestPermissions();
using (var container = new RhetosTestContainer(commitChanges: true))
{
var r = container.Resolve<Common.DomRepository>();
var principal1 = new Common.Principal { Name = User1Name };
var principal2 = new Common.Principal { Name = User2Name };
r.Common.Principal.Insert(principal1, principal2);
var role1 = new Common.Role { Name = Role1Name };
var role2 = new Common.Role { Name = Role2Name };
r.Common.Role.Insert(role1, role2);
r.Common.PrincipalHasRole.Insert(new Common.PrincipalHasRole { PrincipalID = principal1.ID, RoleID = role1.ID });
r.Common.RoleInheritsRole.Insert(new Common.RoleInheritsRole { UsersFromID = role1.ID, PermissionsFromID = role2.ID });
var claim1 = r.Common.Claim.Load(c => c.ClaimResource == Claim1.Resource && c.ClaimRight == Claim1.Right).Single();
var claim2 = r.Common.Claim.Load(c => c.ClaimResource == Claim2.Resource && c.ClaimRight == Claim2.Right).Single();
r.Common.PrincipalPermission.Insert(new Common.PrincipalPermission { PrincipalID = principal1.ID, ClaimID = claim1.ID, IsAuthorized = true });
r.Common.RolePermission.Insert(new Common.RolePermission { RoleID = role2.ID, ClaimID = claim2.ID, IsAuthorized = true });
}
}
public Guid InsertRole(Common.Role role)
{
Guid guid = Guid.NewGuid();
try
{
ExecuteSPCommand("InsertRole",
"@Guid", guid,
"@Title", role.Title,
"@Priority", role.Priority,
"@CreateDate", role.CreateDate,
"@UserGuid", role.UserGuid,
"@IsDefault", role.IsDefault,
"@IsSalePackage", role.IsSalePackage,
"@Price", role.Price,
"@Description", role.Description);
return(guid);
}
catch
{
guid = Guid.Empty;
return(guid);
}
}
public static bool InsertRole(Common.Role role)
{
Business.Role roleController = new Business.Role();
return(roleController.InsertRole(role) != Guid.Empty ? true : false);
}
public void InsertRoleWithPermissions()
{
TestPermissionsCachingOnChange(context =>
{
var common = context.Repository.Common;
var role3 = new Common.Role { Name = RolePrefix + Guid.NewGuid().ToString() };
common.Role.Insert(role3);
var claim1 = common.Claim.Load(c => c.ClaimResource == Claim1.Resource && c.ClaimRight == Claim1.Right).Single();
common.RolePermission.Insert(new Common.RolePermission { RoleID = role3.ID, ClaimID = claim1.ID, IsAuthorized = false });
var role1 = common.Role.Load(r => r.Name == Role1Name).Single();
common.RoleInheritsRole.Insert(new Common.RoleInheritsRole { UsersFromID = role1.ID, PermissionsFromID = role3.ID });
},
new[] { false, true, false }, // Denied permission on claim1.
"RolePermissions, RolePermissions, RoleRoles, RoleRoles, Roles");
}
public void InsertUnusedRole()
{
TestPermissionsCachingOnChange(context =>
{
var common = context.Repository.Common;
var role3 = new Common.Role { Name = RolePrefix + Guid.NewGuid().ToString() };
common.Role.Insert(role3);
},
new[] { true, true, false },
"Roles");
}
public void ComputeOnAuthorization()
{
using (var container = new MockWindowsSecurityRhetosContainer("u1-r1 u1-r12 u2-r12 u2-r2", commitChanges: false))
{
container.Resolve <ISqlExecuter>()
.ExecuteSql("DELETE FROM Common.Principal; DELETE FROM Common.Role");
// Insert test data:
var u1 = new Common.Principal {
ID = Guid.NewGuid(), Name = _domainPrefix + "u1"
};
var u2 = new Common.Principal {
ID = Guid.NewGuid(), Name = _domainPrefix + "u2"
};
var u3 = new Common.Principal {
ID = Guid.NewGuid(), Name = _domainPrefix + "u3"
};
var u5 = new Common.Principal {
ID = Guid.NewGuid(), Name = "u5"
};
var r1 = new Common.Role {
ID = Guid.NewGuid(), Name = _domainPrefix + "r1"
};
var r2 = new Common.Role {
ID = Guid.NewGuid(), Name = _domainPrefix + "r2"
};
var r25 = new Common.Role {
ID = Guid.NewGuid(), Name = "r25"
};
var repository = container.Resolve <Common.DomRepository>();
var roles = container.Resolve <GenericRepository <Common.Role> >();
var principals = container.Resolve <GenericRepository <Common.Principal> >();
var membership = container.Resolve <GenericRepository <Common.PrincipalHasRole> >();
roles.Insert(r1, r2, r25);
principals.Insert(u1, u2, u3, u5);
membership.Delete(membership.Load());
membership.Insert(new[] { // Non-domain users and roles.
new Common.PrincipalHasRole {
PrincipalID = u2.ID, RoleID = r25.ID
},
new Common.PrincipalHasRole {
PrincipalID = u5.ID, RoleID = r25.ID
}
});
// Recompute membership on authorization:
var authorizationProvider = container.Resolve <CommonAuthorizationProvider>();
Assert.AreEqual(@"\u2-r25, u5-r25", ReportMembership(container));
{
var userRoles = authorizationProvider.GetUsersRoles(u1);
Assert.AreEqual(@"\r1", ReportRoles(userRoles, container));
Assert.AreEqual(@"\u1-\r1, \u2-r25, u5-r25", ReportMembership(container), "membership recomputed on authorization u1");
}
{
var userRoles = authorizationProvider.GetUsersRoles(u2);
Assert.AreEqual(@"\r2, r25", ReportRoles(userRoles, container), "mixed membership");
Assert.AreEqual(@"\u1-\r1, \u2-\r2, \u2-r25, u5-r25", ReportMembership(container), "membership recomputed on authorization u2");
}
AuthorizationDataCache.ClearCache();
membership.Delete(membership.Load());
Assert.AreEqual(@"", ReportMembership(container), "membership deleted");
{
var userRoles = authorizationProvider.GetUsersRoles(u1);
Assert.AreEqual(@"\r1", ReportRoles(userRoles, container));
Assert.AreEqual(@"\u1-\r1", ReportMembership(container), "membership recomputed on authorization u1");
}
{
var userRoles = authorizationProvider.GetUsersRoles(u2);
Assert.AreEqual(@"\r2", ReportRoles(userRoles, container));
Assert.AreEqual(@"\u1-\r1, \u2-\r2", ReportMembership(container), "membership recomputed on authorization u2");
}
}
}
public void RoleInheritance()
{
using (var container = new MockWindowsSecurityRhetosContainer("u1-r1 u1-r12 u2-r12 u2-r2", commitChanges: false))
{
container.Resolve<Common.ExecutionContext>().NHibernateSession
.CreateSQLQuery("DELETE FROM Common.Principal; DELETE FROM Common.Role")
.ExecuteUpdate();
// Insert test data:
var u1 = new Common.Principal { ID = Guid.NewGuid(), Name = _domainPrefix + "u1" };
var u2 = new Common.Principal { ID = Guid.NewGuid(), Name = _domainPrefix + "u2" };
var u3 = new Common.Principal { ID = Guid.NewGuid(), Name = _domainPrefix + "u3" };
var u5 = new Common.Principal { ID = Guid.NewGuid(), Name = "u5" };
var r1 = new Common.Role { ID = Guid.NewGuid(), Name = _domainPrefix + "r1" };
var r2 = new Common.Role { ID = Guid.NewGuid(), Name = _domainPrefix + "r2" };
var r25 = new Common.Role { ID = Guid.NewGuid(), Name = "r25" };
var repository = container.Resolve<Common.DomRepository>();
var roles = container.Resolve<GenericRepository<Common.Role>>();
var principals = container.Resolve<GenericRepository<Common.Principal>>();
var membership = container.Resolve<GenericRepository<Common.PrincipalHasRole>>();
roles.Insert(r1, r2, r25);
principals.Insert(u1, u2, u3, u5);
membership.Insert(new[] { // Non-domain users and roles.
new Common.PrincipalHasRole { Principal = u2, Role = r25 },
new Common.PrincipalHasRole { Principal = u5, Role = r25 } });
// Modify role inheritance:
repository.Common.RoleInheritsRole.Insert(new[] { new Common.RoleInheritsRole {
UsersFrom = r1, PermissionsFrom = r25 } });
TestUtility.ShouldFail(() => repository.Common.RoleInheritsRole.Insert(new[] { new Common.RoleInheritsRole {
UsersFrom = r25, PermissionsFrom = r2 } }), "UserException",
"It is not allowed to add users or user groups here because this role is synchronized with an Active Directory group.",
"Please change the user membership on Active Directory instead.");
}
}
public void ComputeOnUpdateRole()
{
using (var container = new MockWindowsSecurityRhetosContainer("u1-r1 u1-r12 u2-r12 u2-r2", commitChanges: false))
{
container.Resolve <ISqlExecuter>()
.ExecuteSql("DELETE FROM Common.Principal; DELETE FROM Common.Role");
// Insert test data:
var u1 = new Common.Principal {
ID = Guid.NewGuid(), Name = _domainPrefix + "u1"
};
var u2 = new Common.Principal {
ID = Guid.NewGuid(), Name = _domainPrefix + "u2"
};
var u3 = new Common.Principal {
ID = Guid.NewGuid(), Name = _domainPrefix + "u3"
};
var u5 = new Common.Principal {
ID = Guid.NewGuid(), Name = "u5"
};
var r1 = new Common.Role {
ID = Guid.NewGuid(), Name = _domainPrefix + "r1"
};
var r2 = new Common.Role {
ID = Guid.NewGuid(), Name = _domainPrefix + "r2"
};
var r25 = new Common.Role {
ID = Guid.NewGuid(), Name = "r25"
};
var repository = container.Resolve <Common.DomRepository>();
var roles = container.Resolve <GenericRepository <Common.Role> >();
var principals = container.Resolve <GenericRepository <Common.Principal> >();
var membership = container.Resolve <GenericRepository <Common.PrincipalHasRole> >();
roles.Insert(r1, r2, r25);
principals.Insert(u1, u2, u3, u5);
membership.Insert(new[] { // Non-domain users and roles.
new Common.PrincipalHasRole {
PrincipalID = u2.ID, RoleID = r25.ID
},
new Common.PrincipalHasRole {
PrincipalID = u5.ID, RoleID = r25.ID
}
});
// Recompute membership on modified role should remove obsolete memebers:
Assert.AreEqual(@"\u1-\r1, \u2-\r2, \u2-r25, u5-r25", ReportMembership(container), "initial membership");
r2.Name = _domainPrefix + "r2x";
roles.Update(r2);
Assert.AreEqual(@"\u1-\r1, \u2-r25, u5-r25", ReportMembership(container), "recomputed membership after rename role");
// New role members will not be added automatically, to avoid performance penalty:
// (the membership will be added on the principal's authorization check)
r2.Name = _domainPrefix + "r2";
roles.Update(r2);
// This is not reqested feature, this assert simply describes currently implemented behaviour:
Assert.AreEqual(@"\u1-\r1, \u2-r25, u5-r25", ReportMembership(container));
}
}
public void ComputeOnInsertPrincipal()
{
using (var container = new MockWindowsSecurityRhetosContainer("u1-r1 u1-r12 u2-r12 u2-r2", commitChanges: false))
{
container.Resolve<Common.ExecutionContext>().NHibernateSession
.CreateSQLQuery("DELETE FROM Common.Principal; DELETE FROM Common.Role")
.ExecuteUpdate();
// Insert test data:
var u1 = new Common.Principal { ID = Guid.NewGuid(), Name = _domainPrefix + "u1" };
var u2 = new Common.Principal { ID = Guid.NewGuid(), Name = _domainPrefix + "u2" };
var u3 = new Common.Principal { ID = Guid.NewGuid(), Name = _domainPrefix + "u3" };
var u5 = new Common.Principal { ID = Guid.NewGuid(), Name = "u5" };
var r1 = new Common.Role { ID = Guid.NewGuid(), Name = _domainPrefix + "r1" };
var r2 = new Common.Role { ID = Guid.NewGuid(), Name = _domainPrefix + "r2" };
var r25 = new Common.Role { ID = Guid.NewGuid(), Name = "r25" };
var repository = container.Resolve<Common.DomRepository>();
var roles = container.Resolve<GenericRepository<Common.Role>>();
var principals = container.Resolve<GenericRepository<Common.Principal>>();
var membership = container.Resolve<GenericRepository<Common.PrincipalHasRole>>();
roles.Insert(r1, r2, r25);
Assert.AreEqual(@"\r1, \r2, r25", ReportRoles(roles.Read()), "roles created");
principals.Insert(u1, u2, u3, u5);
Assert.AreEqual(@"\u1, \u2, \u3, u5", ReportPrincipals(principals.Read()), "principals created");
// Recompute membership on insert domain users:
Assert.AreEqual(@"\u1-\r1, \u2-\r2", ReportMembership(container), "auto-membership on insert");
// Inserting non-domain users and roles:
membership.Insert(new[] {
new Common.PrincipalHasRole { Principal = u2, Role = r25 },
new Common.PrincipalHasRole { Principal = u5, Role = r25 } },
checkUserPermissions: true);
Assert.AreEqual(@"\u1-\r1, \u2-\r2, \u2-r25, u5-r25", ReportMembership(container), "non-domain users and roles");
}
}
public void ComputeOnUpdatePrincipal()
{
using (var container = new MockWindowsSecurityRhetosContainer("u1-r1 u1-r12 u2-r12 u2-r2", commitChanges: false))
{
container.Resolve<Common.ExecutionContext>().NHibernateSession
.CreateSQLQuery("DELETE FROM Common.Principal; DELETE FROM Common.Role")
.ExecuteUpdate();
// Insert test data:
var u1 = new Common.Principal { ID = Guid.NewGuid(), Name = _domainPrefix + "u1" };
var u2 = new Common.Principal { ID = Guid.NewGuid(), Name = _domainPrefix + "u2" };
var u3 = new Common.Principal { ID = Guid.NewGuid(), Name = _domainPrefix + "u3" };
var u5 = new Common.Principal { ID = Guid.NewGuid(), Name = "u5" };
var r1 = new Common.Role { ID = Guid.NewGuid(), Name = _domainPrefix + "r1" };
var r2 = new Common.Role { ID = Guid.NewGuid(), Name = _domainPrefix + "r2" };
var r25 = new Common.Role { ID = Guid.NewGuid(), Name = "r25" };
var repository = container.Resolve<Common.DomRepository>();
var roles = container.Resolve<GenericRepository<Common.Role>>();
var principals = container.Resolve<GenericRepository<Common.Principal>>();
var membership = container.Resolve<GenericRepository<Common.PrincipalHasRole>>();
roles.Insert(r1, r2, r25);
principals.Insert(u1, u2, u3, u5);
membership.Insert(new[] { // Non-domain users and roles.
new Common.PrincipalHasRole { Principal = u2, Role = r25 },
new Common.PrincipalHasRole { Principal = u5, Role = r25 } });
// Recompute membership on update principal (domain users only):
u2.Name = "u2x";
principals.Update(u2);
Assert.AreEqual(@"\u1-\r1, u2x-\r2, u2x-r25, u5-r25", ReportMembership(container), "auto-membership on update ignore non-domain users");
u2.Name = _domainPrefix + "u2x";
principals.Update(u2);
Assert.AreEqual(@"\u1-\r1, \u2x-r25, u5-r25", ReportMembership(container), "auto-membership on update domain users");
u2.Name = _domainPrefix + "u2";
principals.Update(u2);
Assert.AreEqual(@"\u1-\r1, \u2-\r2, \u2-r25, u5-r25", ReportMembership(container), "auto-membership on update domain users 2");
}
}
public void CommonFilters()
{
using (var container = new MockWindowsSecurityRhetosContainer("u1-r1 u1-r12 u2-r12 u2-r2", commitChanges: false))
{
container.Resolve <ISqlExecuter>()
.ExecuteSql("DELETE FROM Common.Principal; DELETE FROM Common.Role");
// Insert test data:
var u1 = new Common.Principal {
ID = Guid.NewGuid(), Name = _domainPrefix + "u1"
};
var u2 = new Common.Principal {
ID = Guid.NewGuid(), Name = _domainPrefix + "u2"
};
var u3 = new Common.Principal {
ID = Guid.NewGuid(), Name = _domainPrefix + "u3"
};
var u5 = new Common.Principal {
ID = Guid.NewGuid(), Name = "u5"
};
var r1 = new Common.Role {
ID = Guid.NewGuid(), Name = _domainPrefix + "r1"
};
var r2 = new Common.Role {
ID = Guid.NewGuid(), Name = _domainPrefix + "r2"
};
var r25 = new Common.Role {
ID = Guid.NewGuid(), Name = "r25"
};
var repository = container.Resolve <Common.DomRepository>();
var roles = container.Resolve <GenericRepository <Common.Role> >();
var principals = container.Resolve <GenericRepository <Common.Principal> >();
var membership = repository.Common.PrincipalHasRole;
roles.Insert(r1, r2, r25);
principals.Insert(u1, u2, u3, u5);
membership.Insert(new[] { // Non-domain users and roles.
new Common.PrincipalHasRole {
PrincipalID = u2.ID, RoleID = r25.ID
},
new Common.PrincipalHasRole {
PrincipalID = u5.ID, RoleID = r25.ID
}
});
// Common filters:
var filter1 = new Common.ActiveDirectoryAllUsersParameter();
Assert.AreEqual(@"\u1-\r1, \u2-\r2",
ReportMembership(container, filter1),
"filter ActiveDirectoryAllUsersParameter");
var filter2 = new[] { u1.Name, u2.Name }.Select(name => new Common.ActiveDirectoryUserParameter {
UserName = name
}).ToArray();
Assert.AreEqual(@"\u1-\r1, \u2-\r2",
ReportMembership(container, filter2),
"filter ActiveDirectoryUserParameter");
}
}
public void ComputeOnUpdateRole()
{
using (var container = new MockWindowsSecurityRhetosContainer("u1-r1 u1-r12 u2-r12 u2-r2", commitChanges: false))
{
container.Resolve<Common.ExecutionContext>().NHibernateSession
.CreateSQLQuery("DELETE FROM Common.Principal; DELETE FROM Common.Role")
.ExecuteUpdate();
// Insert test data:
var u1 = new Common.Principal { ID = Guid.NewGuid(), Name = _domainPrefix + "u1" };
var u2 = new Common.Principal { ID = Guid.NewGuid(), Name = _domainPrefix + "u2" };
var u3 = new Common.Principal { ID = Guid.NewGuid(), Name = _domainPrefix + "u3" };
var u5 = new Common.Principal { ID = Guid.NewGuid(), Name = "u5" };
var r1 = new Common.Role { ID = Guid.NewGuid(), Name = _domainPrefix + "r1" };
var r2 = new Common.Role { ID = Guid.NewGuid(), Name = _domainPrefix + "r2" };
var r25 = new Common.Role { ID = Guid.NewGuid(), Name = "r25" };
var repository = container.Resolve<Common.DomRepository>();
var roles = container.Resolve<GenericRepository<Common.Role>>();
var principals = container.Resolve<GenericRepository<Common.Principal>>();
var membership = container.Resolve<GenericRepository<Common.PrincipalHasRole>>();
roles.Insert(r1, r2, r25);
principals.Insert(u1, u2, u3, u5);
membership.Insert(new[] { // Non-domain users and roles.
new Common.PrincipalHasRole { Principal = u2, Role = r25 },
new Common.PrincipalHasRole { Principal = u5, Role = r25 } });
// Recompute membership on modified role should remove obsolete memebers:
Assert.AreEqual(@"\u1-\r1, \u2-\r2, \u2-r25, u5-r25", ReportMembership(container), "initial membership");
r2.Name = _domainPrefix + "r2x";
roles.Update(r2);
Assert.AreEqual(@"\u1-\r1, \u2-r25, u5-r25", ReportMembership(container), "recomputed membership after rename role");
// New role members will not be added automatically, to avoid performance penalty:
// (the membership will be added on the principal's authorization check)
r2.Name = _domainPrefix + "r2";
roles.Update(r2);
// This is not reqested feature, this assert simply describes currently implemented behaviour:
Assert.AreEqual(@"\u1-\r1, \u2-r25, u5-r25", ReportMembership(container));
}
}
public void RecomputeMembership()
{
using (var container = new MockWindowsSecurityRhetosContainer("u1-r1 u1-r12 u2-r12 u2-r2", commitChanges: false))
{
container.Resolve<Common.ExecutionContext>().NHibernateSession
.CreateSQLQuery("DELETE FROM Common.Principal; DELETE FROM Common.Role")
.ExecuteUpdate();
// Insert test data:
var u1 = new Common.Principal { ID = Guid.NewGuid(), Name = _domainPrefix + "u1" };
var u2 = new Common.Principal { ID = Guid.NewGuid(), Name = _domainPrefix + "u2" };
var u3 = new Common.Principal { ID = Guid.NewGuid(), Name = _domainPrefix + "u3" };
var u5 = new Common.Principal { ID = Guid.NewGuid(), Name = "u5" };
var r1 = new Common.Role { ID = Guid.NewGuid(), Name = _domainPrefix + "r1" };
var r2 = new Common.Role { ID = Guid.NewGuid(), Name = _domainPrefix + "r2" };
var r25 = new Common.Role { ID = Guid.NewGuid(), Name = "r25" };
var repository = container.Resolve<Common.DomRepository>();
var roles = container.Resolve<GenericRepository<Common.Role>>();
var principals = container.Resolve<GenericRepository<Common.Principal>>();
var membership = container.Resolve<GenericRepository<Common.PrincipalHasRole>>();
roles.Insert(r1, r2, r25);
principals.Insert(u1, u2, u3, u5);
membership.Insert(new[] { // Non-domain users and roles.
new Common.PrincipalHasRole { Principal = u2, Role = r25 },
new Common.PrincipalHasRole { Principal = u5, Role = r25 } });
// Recompute membership relations:
var u1r1 = membership.Read(m => m.Principal.Name.Contains(@"\u1")).Single();
membership.Delete(new[] { u1r1 }, checkUserPermissions: false);
Assert.AreEqual(@"\u2-\r2, \u2-r25, u5-r25", ReportMembership(container), "modified membership");
repository.Common.PrincipalHasRole.RecomputeFromActiveDirectoryPrincipalHasRole();
Assert.AreEqual(@"\u1-\r1, \u2-\r2, \u2-r25, u5-r25", ReportMembership(container), "recomputed membership");
}
}
public static bool UpdateRole(Common.Role role)
{
Business.Role roleController = new Business.Role();
return(roleController.UpdateRole(role));
}
public void SystemRoles()
{
string testUserName = "******" + Guid.NewGuid().ToString();
string allPrincipals = SystemRole.AllPrincipals.ToString();
string anonymous = SystemRole.Anonymous.ToString();
AuthorizationDataCache.ClearCache();
using (var scope = TestScope.Create())
{
var context = scope.Resolve <Common.ExecutionContext>();
var repository = context.Repository;
// Insert test user and roles:
var testPrincipal = context.InsertPrincipalOrReadId(testUserName);
var roles = context.Repository.Common.Role;
if (!roles.Query().Any(r => r.Name == allPrincipals))
{
roles.Insert(new Common.Role {
Name = allPrincipals
});
}
var allPrincipalsRole = roles.Load(r => r.Name == allPrincipals).Single();
if (!roles.Query().Any(r => r.Name == anonymous))
{
roles.Insert(new Common.Role {
Name = anonymous
});
}
var anonymousRole = roles.Load(r => r.Name == anonymous).Single();
// Test automatically assigned system roles:
var authorizationProvider = (CommonAuthorizationProvider)scope.Resolve <IAuthorizationProvider>();
Func <IPrincipal, string[]> getUserRolesNames = principal =>
authorizationProvider.GetUsersRoles(principal).Select(id => repository.Common.Role.Load(new[] { id }).Single().Name).ToArray();
Assert.AreEqual(
TestUtility.DumpSorted(new[] { anonymous, allPrincipals }),
TestUtility.DumpSorted(getUserRolesNames(testPrincipal)));
Assert.AreEqual(
TestUtility.DumpSorted(new[] { anonymous }),
TestUtility.DumpSorted(getUserRolesNames(null)));
// Test system roles inheritance:
var allPrincipalsIndirectRole = new Common.Role {
Name = "allPrincipalsIndirectRole"
};
var anonymousIndirectRole = new Common.Role {
Name = "anonymousIndirectRole"
};
roles.Insert(allPrincipalsIndirectRole, anonymousIndirectRole);
repository.Common.RoleInheritsRole.Insert(
new Common.RoleInheritsRole {
UsersFromID = allPrincipalsRole.ID, PermissionsFromID = allPrincipalsIndirectRole.ID
},
new Common.RoleInheritsRole {
UsersFromID = anonymousRole.ID, PermissionsFromID = anonymousIndirectRole.ID
});
Assert.AreEqual(
TestUtility.DumpSorted(new[] { anonymous, anonymousIndirectRole.Name, allPrincipals, allPrincipalsIndirectRole.Name }),
TestUtility.DumpSorted(getUserRolesNames(testPrincipal)));
Assert.AreEqual(
TestUtility.DumpSorted(new[] { anonymous, anonymousIndirectRole.Name }),
TestUtility.DumpSorted(getUserRolesNames(null)));
// Remove the system roles:
// Considering the naming convention, it should be enough to rename the roles.
allPrincipalsRole.Name += Guid.NewGuid().ToString();
anonymousRole.Name += Guid.NewGuid().ToString();
repository.Common.Role.Update(allPrincipalsRole, anonymousRole);
Assert.AreEqual("", TestUtility.DumpSorted(getUserRolesNames(testPrincipal)));
Assert.AreEqual("", TestUtility.DumpSorted(getUserRolesNames(null)));
}
}
public void ComputeOnAuthorization()
{
using (var container = new MockWindowsSecurityRhetosContainer("u1-r1 u1-r12 u2-r12 u2-r2", commitChanges: false))
{
container.Resolve<Common.ExecutionContext>().NHibernateSession
.CreateSQLQuery("DELETE FROM Common.Principal; DELETE FROM Common.Role")
.ExecuteUpdate();
// Insert test data:
var u1 = new Common.Principal { ID = Guid.NewGuid(), Name = _domainPrefix + "u1" };
var u2 = new Common.Principal { ID = Guid.NewGuid(), Name = _domainPrefix + "u2" };
var u3 = new Common.Principal { ID = Guid.NewGuid(), Name = _domainPrefix + "u3" };
var u5 = new Common.Principal { ID = Guid.NewGuid(), Name = "u5" };
var r1 = new Common.Role { ID = Guid.NewGuid(), Name = _domainPrefix + "r1" };
var r2 = new Common.Role { ID = Guid.NewGuid(), Name = _domainPrefix + "r2" };
var r25 = new Common.Role { ID = Guid.NewGuid(), Name = "r25" };
var repository = container.Resolve<Common.DomRepository>();
var roles = container.Resolve<GenericRepository<Common.Role>>();
var principals = container.Resolve<GenericRepository<Common.Principal>>();
var membership = container.Resolve<GenericRepository<Common.PrincipalHasRole>>();
roles.Insert(r1, r2, r25);
principals.Insert(u1, u2, u3, u5);
membership.Delete(membership.Read());
membership.Insert(new[] { // Non-domain users and roles.
new Common.PrincipalHasRole { Principal = u2, Role = r25 },
new Common.PrincipalHasRole { Principal = u5, Role = r25 } });
// Recompute membership on authorization:
var authorizationProvider = container.Resolve<CommonAuthorizationProvider>();
Assert.AreEqual(@"\u2-r25, u5-r25", ReportMembership(container));
{
var userRoles = authorizationProvider.GetUsersRoles(u1);
Assert.AreEqual(@"\r1", ReportRoles(userRoles, container));
Assert.AreEqual(@"\u1-\r1, \u2-r25, u5-r25", ReportMembership(container), "membership recomputed on authorization u1");
}
{
var userRoles = authorizationProvider.GetUsersRoles(u2);
Assert.AreEqual(@"\r2, r25", ReportRoles(userRoles, container), "mixed membership");
Assert.AreEqual(@"\u1-\r1, \u2-\r2, \u2-r25, u5-r25", ReportMembership(container), "membership recomputed on authorization u2");
}
AuthorizationDataCache.ClearCache();
membership.Delete(membership.Read());
Assert.AreEqual(@"", ReportMembership(container), "membership deleted");
{
var userRoles = authorizationProvider.GetUsersRoles(u1);
Assert.AreEqual(@"\r1", ReportRoles(userRoles, container));
Assert.AreEqual(@"\u1-\r1", ReportMembership(container), "membership recomputed on authorization u1");
}
{
var userRoles = authorizationProvider.GetUsersRoles(u2);
Assert.AreEqual(@"\r2", ReportRoles(userRoles, container));
Assert.AreEqual(@"\u1-\r1, \u2-\r2", ReportMembership(container), "membership recomputed on authorization u2");
}
}
}
public void UserShouldNotUpdateDomainMembership()
{
using (var container = new MockWindowsSecurityRhetosContainer("u1-r1 u1-r12 u2-r12 u2-r2", commitChanges: false))
{
container.Resolve<Common.ExecutionContext>().NHibernateSession
.CreateSQLQuery("DELETE FROM Common.Principal; DELETE FROM Common.Role")
.ExecuteUpdate();
// Insert test data:
var u1 = new Common.Principal { ID = Guid.NewGuid(), Name = _domainPrefix + "u1" };
var u2 = new Common.Principal { ID = Guid.NewGuid(), Name = _domainPrefix + "u2" };
var r1 = new Common.Role { ID = Guid.NewGuid(), Name = _domainPrefix + "r1" };
var r2 = new Common.Role { ID = Guid.NewGuid(), Name = _domainPrefix + "r2" };
var repository = container.Resolve<Common.DomRepository>();
var roles = container.Resolve<GenericRepository<Common.Role>>();
var principals = container.Resolve<GenericRepository<Common.Principal>>();
var membership = container.Resolve<GenericRepository<Common.PrincipalHasRole>>();
roles.Insert(r1, r2);
principals.Insert(u1, u2);
// The user should not update domain users/groups membership:
Assert.AreEqual(@"\u1-\r1, \u2-\r2", ReportMembership(container));
var u2r2 = membership.Read(m => m.Principal.Name.Contains(@"\u2")).Single();
membership.Delete(new[] { u2r2 }, checkUserPermissions: false);
Assert.AreEqual(@"\u1-\r1", ReportMembership(container));
var u1r1 = membership.Read(m => m.Principal.Name.Contains(@"\u1")).Single();
TestUtility.ShouldFail(
() => membership.Delete(new[] { u1r1 }, checkUserPermissions: true),
"It is not allowed to remove the user membership here, because role " + _domainPrefix + "r1 is synchronized with an Active Directory group");
}
}