public void ComputeOnUpdatePrincipal()
{
using (var container = new MockWindowsSecurityRhetosContainer("u1-r1 u1-r12 u2-r12 u2-r2", commitChanges: false))
{
container.Resolve <ISqlExecuter>()
.ExecuteSql("DELETE FROM Common.Principal; DELETE FROM Common.Role");
// Insert test data:
var u1 = new Common.Principal {
ID = Guid.NewGuid(), Name = _domainPrefix + "u1"
};
var u2 = new Common.Principal {
ID = Guid.NewGuid(), Name = _domainPrefix + "u2"
};
var u3 = new Common.Principal {
ID = Guid.NewGuid(), Name = _domainPrefix + "u3"
};
var u5 = new Common.Principal {
ID = Guid.NewGuid(), Name = "u5"
};
var r1 = new Common.Role {
ID = Guid.NewGuid(), Name = _domainPrefix + "r1"
};
var r2 = new Common.Role {
ID = Guid.NewGuid(), Name = _domainPrefix + "r2"
};
var r25 = new Common.Role {
ID = Guid.NewGuid(), Name = "r25"
};
var repository = container.Resolve <Common.DomRepository>();
var roles = container.Resolve <GenericRepository <Common.Role> >();
var principals = container.Resolve <GenericRepository <Common.Principal> >();
var membership = container.Resolve <GenericRepository <Common.PrincipalHasRole> >();
roles.Insert(r1, r2, r25);
principals.Insert(u1, u2, u3, u5);
membership.Insert(new[] { // Non-domain users and roles.
new Common.PrincipalHasRole {
PrincipalID = u2.ID, RoleID = r25.ID
},
new Common.PrincipalHasRole {
PrincipalID = u5.ID, RoleID = r25.ID
}
});
// Recompute membership on update principal (domain users only):
u2.Name = "u2x";
principals.Update(u2);
Assert.AreEqual(@"\u1-\r1, u2x-\r2, u2x-r25, u5-r25", ReportMembership(container), "auto-membership on update ignore non-domain users");
u2.Name = _domainPrefix + "u2x";
principals.Update(u2);
Assert.AreEqual(@"\u1-\r1, \u2x-r25, u5-r25", ReportMembership(container), "auto-membership on update domain users");
u2.Name = _domainPrefix + "u2";
principals.Update(u2);
Assert.AreEqual(@"\u1-\r1, \u2-\r2, \u2-r25, u5-r25", ReportMembership(container), "auto-membership on update domain users 2");
}
}
public void RoleInheritance()
{
using (var container = new MockWindowsSecurityRhetosContainer("u1-r1 u1-r12 u2-r12 u2-r2", commitChanges: false))
{
container.Resolve <ISqlExecuter>()
.ExecuteSql("DELETE FROM Common.Principal; DELETE FROM Common.Role");
// Insert test data:
var u1 = new Common.Principal {
ID = Guid.NewGuid(), Name = _domainPrefix + "u1"
};
var u2 = new Common.Principal {
ID = Guid.NewGuid(), Name = _domainPrefix + "u2"
};
var u3 = new Common.Principal {
ID = Guid.NewGuid(), Name = _domainPrefix + "u3"
};
var u5 = new Common.Principal {
ID = Guid.NewGuid(), Name = "u5"
};
var r1 = new Common.Role {
ID = Guid.NewGuid(), Name = _domainPrefix + "r1"
};
var r2 = new Common.Role {
ID = Guid.NewGuid(), Name = _domainPrefix + "r2"
};
var r25 = new Common.Role {
ID = Guid.NewGuid(), Name = "r25"
};
var repository = container.Resolve <Common.DomRepository>();
var roles = container.Resolve <GenericRepository <Common.Role> >();
var principals = container.Resolve <GenericRepository <Common.Principal> >();
var membership = container.Resolve <GenericRepository <Common.PrincipalHasRole> >();
roles.Insert(r1, r2, r25);
principals.Insert(u1, u2, u3, u5);
membership.Insert(new[] { // Non-domain users and roles.
new Common.PrincipalHasRole {
PrincipalID = u2.ID, RoleID = r25.ID
},
new Common.PrincipalHasRole {
PrincipalID = u5.ID, RoleID = r25.ID
}
});
// Modify role inheritance:
repository.Common.RoleInheritsRole.Insert(new[] { new Common.RoleInheritsRole {
UsersFromID = r1.ID, PermissionsFromID = r25.ID
} });
TestUtility.ShouldFail(() => repository.Common.RoleInheritsRole.Insert(new[] { new Common.RoleInheritsRole {
UsersFromID = r25.ID, PermissionsFromID = r2.ID
} }), "UserException",
"It is not allowed to add users or user groups here because this role is synchronized with an Active Directory group.",
"Please change the user membership on Active Directory instead.");
}
}
public void ComputeOnInsertPrincipal()
{
using (var container = new MockWindowsSecurityRhetosContainer("u1-r1 u1-r12 u2-r12 u2-r2", commitChanges: false))
{
container.Resolve <ISqlExecuter>()
.ExecuteSql("DELETE FROM Common.Principal; DELETE FROM Common.Role");
// Insert test data:
var u1 = new Common.Principal {
ID = Guid.NewGuid(), Name = _domainPrefix + "u1"
};
var u2 = new Common.Principal {
ID = Guid.NewGuid(), Name = _domainPrefix + "u2"
};
var u3 = new Common.Principal {
ID = Guid.NewGuid(), Name = _domainPrefix + "u3"
};
var u5 = new Common.Principal {
ID = Guid.NewGuid(), Name = "u5"
};
var r1 = new Common.Role {
ID = Guid.NewGuid(), Name = _domainPrefix + "r1"
};
var r2 = new Common.Role {
ID = Guid.NewGuid(), Name = _domainPrefix + "r2"
};
var r25 = new Common.Role {
ID = Guid.NewGuid(), Name = "r25"
};
var repository = container.Resolve <Common.DomRepository>();
var roles = container.Resolve <GenericRepository <Common.Role> >();
var principals = container.Resolve <GenericRepository <Common.Principal> >();
var membership = container.Resolve <GenericRepository <Common.PrincipalHasRole> >();
roles.Insert(r1, r2, r25);
Assert.AreEqual(@"\r1, \r2, r25", ReportRoles(roles.Load()), "roles created");
principals.Insert(u1, u2, u3, u5);
Assert.AreEqual(@"\u1, \u2, \u3, u5", ReportPrincipals(principals.Load()), "principals created");
// Recompute membership on insert domain users:
Assert.AreEqual(@"\u1-\r1, \u2-\r2", ReportMembership(container), "auto-membership on insert");
// Inserting non-domain users and roles:
membership.Insert(new[] {
new Common.PrincipalHasRole {
PrincipalID = u2.ID, RoleID = r25.ID
},
new Common.PrincipalHasRole {
PrincipalID = u5.ID, RoleID = r25.ID
}
},
checkUserPermissions: true);
Assert.AreEqual(@"\u1-\r1, \u2-\r2, \u2-r25, u5-r25", ReportMembership(container), "non-domain users and roles");
}
}
public void RecomputeMembership()
{
using (var container = new MockWindowsSecurityRhetosContainer("u1-r1 u1-r12 u2-r12 u2-r2", commitChanges: false))
{
container.Resolve <ISqlExecuter>()
.ExecuteSql("DELETE FROM Common.Principal; DELETE FROM Common.Role");
// Insert test data:
var u1 = new Common.Principal {
ID = Guid.NewGuid(), Name = _domainPrefix + "u1"
};
var u2 = new Common.Principal {
ID = Guid.NewGuid(), Name = _domainPrefix + "u2"
};
var u3 = new Common.Principal {
ID = Guid.NewGuid(), Name = _domainPrefix + "u3"
};
var u5 = new Common.Principal {
ID = Guid.NewGuid(), Name = "u5"
};
var r1 = new Common.Role {
ID = Guid.NewGuid(), Name = _domainPrefix + "r1"
};
var r2 = new Common.Role {
ID = Guid.NewGuid(), Name = _domainPrefix + "r2"
};
var r25 = new Common.Role {
ID = Guid.NewGuid(), Name = "r25"
};
var repository = container.Resolve <Common.DomRepository>();
var roles = container.Resolve <GenericRepository <Common.Role> >();
var principals = container.Resolve <GenericRepository <Common.Principal> >();
var membership = repository.Common.PrincipalHasRole;
roles.Insert(r1, r2, r25);
principals.Insert(u1, u2, u3, u5);
membership.Insert(new[] { // Non-domain users and roles.
new Common.PrincipalHasRole {
PrincipalID = u2.ID, RoleID = r25.ID
},
new Common.PrincipalHasRole {
PrincipalID = u5.ID, RoleID = r25.ID
}
});
// Recompute membership relations:
var u1r1 = membership.Query(m => m.Principal.Name.Contains(@"\u1")).Single();
membership.Delete(new[] { u1r1 }, checkUserPermissions: false);
Assert.AreEqual(@"\u2-\r2, \u2-r25, u5-r25", ReportMembership(container), "modified membership");
repository.Common.PrincipalHasRole.RecomputeFromActiveDirectoryPrincipalHasRole();
Assert.AreEqual(@"\u1-\r1, \u2-\r2, \u2-r25, u5-r25", ReportMembership(container), "recomputed membership");
}
}
/// <summary>Shortens and sorts the names.</summary>
private string ReportMembership(MockWindowsSecurityRhetosContainer container, object filter = null)
{
var context = container.Resolve <Common.ExecutionContext>();
var membership = context.Repository.Common.PrincipalHasRole;
var query = filter == null?membership.Query() : membership.Query(membership.Load(filter).Select(item => item.ID));
var reportData = query.Select(phr => new { PrincipalName = phr.Principal.Name, RoleName = phr.Role.Name }).ToList();
string report = TestUtility.DumpSorted(reportData, phr => Shorten(phr.PrincipalName) + "-" + Shorten(phr.RoleName));
Console.WriteLine("[ReportMembership] " + report);
return(report);
}
public void TestMock()
{
using (var container = new MockWindowsSecurityRhetosContainer("u1-r1 u1-r12 u2-r12 u2-r2", commitChanges: false))
{
var u1 = new Common.Principal {
ID = Guid.NewGuid(), Name = _domainPrefix + "u1"
};
var ws = container.Resolve <Rhetos.Security.IWindowsSecurity>();
Assert.AreEqual("r1, r12", TestUtility.DumpSorted(ws.GetIdentityMembership(u1.Name)), "u1 active directory groups");
}
}
public void UserShouldNotUpdateDomainMembership()
{
using (var container = new MockWindowsSecurityRhetosContainer("u1-r1 u1-r12 u2-r12 u2-r2", commitChanges: false))
{
container.Resolve <ISqlExecuter>()
.ExecuteSql("DELETE FROM Common.Principal; DELETE FROM Common.Role");
// Insert test data:
var u1 = new Common.Principal {
ID = Guid.NewGuid(), Name = _domainPrefix + "u1"
};
var u2 = new Common.Principal {
ID = Guid.NewGuid(), Name = _domainPrefix + "u2"
};
var r1 = new Common.Role {
ID = Guid.NewGuid(), Name = _domainPrefix + "r1"
};
var r2 = new Common.Role {
ID = Guid.NewGuid(), Name = _domainPrefix + "r2"
};
var repository = container.Resolve <Common.DomRepository>();
var roles = container.Resolve <GenericRepository <Common.Role> >();
var principals = container.Resolve <GenericRepository <Common.Principal> >();
var membership = repository.Common.PrincipalHasRole;
roles.Insert(r1, r2);
principals.Insert(u1, u2);
// The user should not update domain users/groups membership:
Assert.AreEqual(@"\u1-\r1, \u2-\r2", ReportMembership(container));
var u2r2 = membership.Query(m => m.Principal.Name.Contains(@"\u2")).Single();
membership.Delete(new[] { u2r2 }, checkUserPermissions: false);
Assert.AreEqual(@"\u1-\r1", ReportMembership(container));
var u1r1 = membership.Query(m => m.Principal.Name.Contains(@"\u1")).Single();
TestUtility.ShouldFail(
() => membership.Delete(new[] { u1r1 }, checkUserPermissions: true),
"It is not allowed to remove the user membership here, because role " + _domainPrefix + "r1 is synchronized with an Active Directory group");
}
}
public void ComputeOnAuthorization()
{
using (var container = new MockWindowsSecurityRhetosContainer("u1-r1 u1-r12 u2-r12 u2-r2", commitChanges: false))
{
container.Resolve <ISqlExecuter>()
.ExecuteSql("DELETE FROM Common.Principal; DELETE FROM Common.Role");
// Insert test data:
var u1 = new Common.Principal {
ID = Guid.NewGuid(), Name = _domainPrefix + "u1"
};
var u2 = new Common.Principal {
ID = Guid.NewGuid(), Name = _domainPrefix + "u2"
};
var u3 = new Common.Principal {
ID = Guid.NewGuid(), Name = _domainPrefix + "u3"
};
var u5 = new Common.Principal {
ID = Guid.NewGuid(), Name = "u5"
};
var r1 = new Common.Role {
ID = Guid.NewGuid(), Name = _domainPrefix + "r1"
};
var r2 = new Common.Role {
ID = Guid.NewGuid(), Name = _domainPrefix + "r2"
};
var r25 = new Common.Role {
ID = Guid.NewGuid(), Name = "r25"
};
var repository = container.Resolve <Common.DomRepository>();
var roles = container.Resolve <GenericRepository <Common.Role> >();
var principals = container.Resolve <GenericRepository <Common.Principal> >();
var membership = container.Resolve <GenericRepository <Common.PrincipalHasRole> >();
roles.Insert(r1, r2, r25);
principals.Insert(u1, u2, u3, u5);
membership.Delete(membership.Load());
membership.Insert(new[] { // Non-domain users and roles.
new Common.PrincipalHasRole {
PrincipalID = u2.ID, RoleID = r25.ID
},
new Common.PrincipalHasRole {
PrincipalID = u5.ID, RoleID = r25.ID
}
});
// Recompute membership on authorization:
var authorizationProvider = container.Resolve <CommonAuthorizationProvider>();
Assert.AreEqual(@"\u2-r25, u5-r25", ReportMembership(container));
{
var userRoles = authorizationProvider.GetUsersRoles(u1);
Assert.AreEqual(@"\r1", ReportRoles(userRoles, container));
Assert.AreEqual(@"\u1-\r1, \u2-r25, u5-r25", ReportMembership(container), "membership recomputed on authorization u1");
}
{
var userRoles = authorizationProvider.GetUsersRoles(u2);
Assert.AreEqual(@"\r2, r25", ReportRoles(userRoles, container), "mixed membership");
Assert.AreEqual(@"\u1-\r1, \u2-\r2, \u2-r25, u5-r25", ReportMembership(container), "membership recomputed on authorization u2");
}
AuthorizationDataCache.ClearCache();
membership.Delete(membership.Load());
Assert.AreEqual(@"", ReportMembership(container), "membership deleted");
{
var userRoles = authorizationProvider.GetUsersRoles(u1);
Assert.AreEqual(@"\r1", ReportRoles(userRoles, container));
Assert.AreEqual(@"\u1-\r1", ReportMembership(container), "membership recomputed on authorization u1");
}
{
var userRoles = authorizationProvider.GetUsersRoles(u2);
Assert.AreEqual(@"\r2", ReportRoles(userRoles, container));
Assert.AreEqual(@"\u1-\r1, \u2-\r2", ReportMembership(container), "membership recomputed on authorization u2");
}
}
}
public void ComputeOnUpdateRole()
{
using (var container = new MockWindowsSecurityRhetosContainer("u1-r1 u1-r12 u2-r12 u2-r2", commitChanges: false))
{
container.Resolve <ISqlExecuter>()
.ExecuteSql("DELETE FROM Common.Principal; DELETE FROM Common.Role");
// Insert test data:
var u1 = new Common.Principal {
ID = Guid.NewGuid(), Name = _domainPrefix + "u1"
};
var u2 = new Common.Principal {
ID = Guid.NewGuid(), Name = _domainPrefix + "u2"
};
var u3 = new Common.Principal {
ID = Guid.NewGuid(), Name = _domainPrefix + "u3"
};
var u5 = new Common.Principal {
ID = Guid.NewGuid(), Name = "u5"
};
var r1 = new Common.Role {
ID = Guid.NewGuid(), Name = _domainPrefix + "r1"
};
var r2 = new Common.Role {
ID = Guid.NewGuid(), Name = _domainPrefix + "r2"
};
var r25 = new Common.Role {
ID = Guid.NewGuid(), Name = "r25"
};
var repository = container.Resolve <Common.DomRepository>();
var roles = container.Resolve <GenericRepository <Common.Role> >();
var principals = container.Resolve <GenericRepository <Common.Principal> >();
var membership = container.Resolve <GenericRepository <Common.PrincipalHasRole> >();
roles.Insert(r1, r2, r25);
principals.Insert(u1, u2, u3, u5);
membership.Insert(new[] { // Non-domain users and roles.
new Common.PrincipalHasRole {
PrincipalID = u2.ID, RoleID = r25.ID
},
new Common.PrincipalHasRole {
PrincipalID = u5.ID, RoleID = r25.ID
}
});
// Recompute membership on modified role should remove obsolete memebers:
Assert.AreEqual(@"\u1-\r1, \u2-\r2, \u2-r25, u5-r25", ReportMembership(container), "initial membership");
r2.Name = _domainPrefix + "r2x";
roles.Update(r2);
Assert.AreEqual(@"\u1-\r1, \u2-r25, u5-r25", ReportMembership(container), "recomputed membership after rename role");
// New role members will not be added automatically, to avoid performance penalty:
// (the membership will be added on the principal's authorization check)
r2.Name = _domainPrefix + "r2";
roles.Update(r2);
// This is not reqested feature, this assert simply describes currently implemented behaviour:
Assert.AreEqual(@"\u1-\r1, \u2-r25, u5-r25", ReportMembership(container));
}
}
public void CommonFilters()
{
using (var container = new MockWindowsSecurityRhetosContainer("u1-r1 u1-r12 u2-r12 u2-r2", commitChanges: false))
{
container.Resolve <ISqlExecuter>()
.ExecuteSql("DELETE FROM Common.Principal; DELETE FROM Common.Role");
// Insert test data:
var u1 = new Common.Principal {
ID = Guid.NewGuid(), Name = _domainPrefix + "u1"
};
var u2 = new Common.Principal {
ID = Guid.NewGuid(), Name = _domainPrefix + "u2"
};
var u3 = new Common.Principal {
ID = Guid.NewGuid(), Name = _domainPrefix + "u3"
};
var u5 = new Common.Principal {
ID = Guid.NewGuid(), Name = "u5"
};
var r1 = new Common.Role {
ID = Guid.NewGuid(), Name = _domainPrefix + "r1"
};
var r2 = new Common.Role {
ID = Guid.NewGuid(), Name = _domainPrefix + "r2"
};
var r25 = new Common.Role {
ID = Guid.NewGuid(), Name = "r25"
};
var repository = container.Resolve <Common.DomRepository>();
var roles = container.Resolve <GenericRepository <Common.Role> >();
var principals = container.Resolve <GenericRepository <Common.Principal> >();
var membership = repository.Common.PrincipalHasRole;
roles.Insert(r1, r2, r25);
principals.Insert(u1, u2, u3, u5);
membership.Insert(new[] { // Non-domain users and roles.
new Common.PrincipalHasRole {
PrincipalID = u2.ID, RoleID = r25.ID
},
new Common.PrincipalHasRole {
PrincipalID = u5.ID, RoleID = r25.ID
}
});
// Common filters:
var filter1 = new Common.ActiveDirectoryAllUsersParameter();
Assert.AreEqual(@"\u1-\r1, \u2-\r2",
ReportMembership(container, filter1),
"filter ActiveDirectoryAllUsersParameter");
var filter2 = new[] { u1.Name, u2.Name }.Select(name => new Common.ActiveDirectoryUserParameter {
UserName = name
}).ToArray();
Assert.AreEqual(@"\u1-\r1, \u2-\r2",
ReportMembership(container, filter2),
"filter ActiveDirectoryUserParameter");
}
}
private string ReportRoles(IEnumerable <Guid> roles, MockWindowsSecurityRhetosContainer container)
{
var roleNames = container.Resolve <GenericRepository <Common.Role> >().Load().ToDictionary(r => r.ID, r => r.Name);
return(ReportRoles(roles.Select(id => roleNames[id])));
}
