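/// <summary>
/// Verifies that removing a user as a subject of an access control revokes the
/// permissions which that access control's role granted on a secured object.
/// The subject is first checked to actually hold the permission, so the final
/// negative assertion cannot pass merely because access was never granted.
/// </summary>
public void GivenAnAccessListWhenRemovingUserFromACLThenUserHasNoAccessToThePermissionsInTheRole()
{
    var permission = this.FindPermission(M.Organisation.Name, Operations.Read);
    var role = new RoleBuilder(this.Session).WithName("Role").WithPermission(permission).Build();
    var person = new PersonBuilder(this.Session).WithFirstName("John").WithLastName("Doe").Build();
    var person2 = new PersonBuilder(this.Session).WithFirstName("Jane").WithLastName("Doe").Build();
    new AccessControlBuilder(this.Session).WithSubject(person).WithRole(role).Build();

    this.Session.Derive();
    this.Session.Commit();

    var sessions = new ISession[] { this.Session };
    foreach (var session in sessions)
    {
        session.Commit();

        var organisation = new OrganisationBuilder(session).WithName("Organisation").Build();
        var token = new SecurityTokenBuilder(session).Build();
        organisation.AddSecurityToken(token);

        var accessControl = (AccessControl)session.Instantiate(role.AccessControlsWhereRole.First);
        token.AddAccessControl(accessControl);

        // Derive on the session that owns the objects created in this iteration rather than
        // on the fixture session; they coincide today, but the loop is written for several.
        session.Derive();

        // Precondition: the subject holds the permission before removal. Without this check a
        // broken grant would make the revocation assertion below pass vacuously.
        var acl = new AccessControlLists(person)[organisation];
        Assert.True(acl.CanRead(M.Organisation.Name));

        accessControl.RemoveSubject(person);
        accessControl.AddSubject(person2);
        session.Derive();

        // Access lists are rebuilt, not refreshed, so a fresh one is needed after the change.
        acl = new AccessControlLists(person)[organisation];
        Assert.False(acl.CanRead(M.Organisation.Name));

        session.Rollback();
    }
}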
/// <summary>
/// An access control that names a subject group but no role must fail derivation
/// with exactly one "required" error, and that error must point at the Role relation.
/// </summary>
public void GivenNoAccessControlWhenCreatingAnAccessControlWithoutARoleThenAccessControlIsInvalid()
{
    var group = new UserGroupBuilder(this.Session).WithName("UserGroup").Build();
    var token = new SecurityTokenBuilder(this.Session).Build();

    // Deliberately built without WithRole(...) so the Role relation is left unset.
    var accessControlWithoutRole = new AccessControlBuilder(this.Session)
        .WithSubjectGroup(group)
        .Build();
    token.AddAccessControl(accessControlWithoutRole);

    // Derive without throwing so the validation result can be inspected.
    var result = this.Session.Derive(false);

    Assert.True(result.HasErrors);
    Assert.Equal(1, result.Errors.Length);

    var error = result.Errors[0];
    Assert.Equal(typeof(DerivationErrorRequired), error.GetType());
    Assert.Equal(1, error.Relations.Length);
    Assert.Equal(M.AccessControl.Role, error.Relations[0].RoleType);
}
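/// <summary>
/// A permission denied on the secured object itself overrides the same permission
/// granted through a role: the access list answers true before the denial is added
/// to the organisation and false afterwards.
/// </summary>
public void DeniedPermissions()
{
    var readOrganisationName = this.FindPermission(M.Organisation.Name, Operations.Read);
    var databaseRole = new RoleBuilder(this.Session).WithName("Role").WithPermission(readOrganisationName).Build();
    var person = new PersonBuilder(this.Session).WithFirstName("John").WithLastName("Doe").Build();
    new AccessControlBuilder(this.Session).WithRole(databaseRole).WithSubject(person).Build();

    this.Session.Derive(true);
    this.Session.Commit();

    var sessions = new ISession[] { this.Session };
    foreach (var session in sessions)
    {
        session.Commit();

        var organisation = new OrganisationBuilder(session).WithName("Organisation").Build();
        var token = new SecurityTokenBuilder(session).Build();
        organisation.AddSecurityToken(token);

        // Look the role up and derive in the session under test, not the fixture session;
        // they coincide today, but the loop is written for several sessions.
        var role = (Role)session.Instantiate(new Roles(session).FindBy(M.Role.Name, "Role"));
        var accessControl = (AccessControl)session.Instantiate(role.AccessControlsWhereRole.First);
        token.AddAccessControl(accessControl);

        Assert.IsFalse(session.Derive().HasErrors);

        // Granted through the role: readable.
        var accessList = new AccessControlList(organisation, person);
        Assert.IsTrue(accessList.CanRead(M.Organisation.Name));

        // Denied on the object: the denial wins over the role grant.
        organisation.AddDeniedPermission(readOrganisationName);
        accessList = new AccessControlList(organisation, person);
        Assert.IsFalse(accessList.CanRead(M.Organisation.Name));

        session.Rollback();
    }
}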
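/// <summary>
/// A user who is a member of one group must not inherit permissions from an access
/// control whose subject group is a different group, even when that access control
/// is attached to the secured object's security token.
/// </summary>
public void GivenAnotherUserGroupAndAnAccessControlledObjectWhenGettingTheAccessListThenUserHasAccessToThePermissionsInTheRole()
{
    var readOrganisationName = this.FindPermission(M.Organisation.Name, Operations.Read);
    var databaseRole = new RoleBuilder(this.Session).WithName("Role").WithPermission(readOrganisationName).Build();
    var person = new PersonBuilder(this.Session).WithFirstName("John").WithLastName("Doe").Build();

    // The person belongs to "Group"; the access control below targets "AnotherGroup".
    new UserGroupBuilder(this.Session).WithName("Group").WithMember(person).Build();
    var anotherUserGroup = new UserGroupBuilder(this.Session).WithName("AnotherGroup").Build();

    this.Session.Derive(true);
    this.Session.Commit();

    new AccessControlBuilder(this.Session).WithSubjectGroup(anotherUserGroup).WithRole(databaseRole).Build();
    this.Session.Commit();

    var sessions = new ISession[] { this.Session };
    foreach (var session in sessions)
    {
        session.Commit();

        var organisation = new OrganisationBuilder(session).WithName("Organisation").Build();
        var token = new SecurityTokenBuilder(session).Build();
        organisation.AddSecurityToken(token);

        // Look the role up and derive in the session under test, not the fixture session;
        // they coincide today, but the loop is written for several sessions.
        var role = (Role)session.Instantiate(new Roles(session).FindBy(M.Role.Name, "Role"));
        var accessControl = (AccessControl)session.Instantiate(role.AccessControlsWhereRole.First);
        token.AddAccessControl(accessControl);

        Assert.IsFalse(session.Derive().HasErrors);

        // Membership of an unrelated group grants nothing.
        var accessList = new AccessControlList(organisation, person);
        Assert.IsFalse(accessList.CanRead(M.Organisation.Name));

        session.Rollback();
    }
}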
/// <summary>
/// An access control that names a role but neither a subject nor a subject group must
/// fail derivation with exactly one "at least one" error whose offending relations are
/// Subjects and SubjectGroups.
/// </summary>
public void GivenNoAccessControlWhenCreatingAAccessControlWithoutAUserOrUserGroupThenAccessControlIsInvalid()
{
    var token = new SecurityTokenBuilder(this.Session).Build();
    var roleOnly = new RoleBuilder(this.Session).WithName("Role").Build();

    // Neither WithSubject(...) nor WithSubjectGroup(...) is called on purpose.
    var accessControlWithoutSubjects = new AccessControlBuilder(this.Session)
        .WithRole(roleOnly)
        .Build();
    token.AddAccessControl(accessControlWithoutSubjects);

    // Derive without throwing so the validation result can be inspected.
    var result = this.Session.Derive(false);
    Assert.True(result.HasErrors);
    Assert.Equal(1, result.Errors.Length);

    var error = result.Errors[0];
    Assert.Equal(typeof(DerivationErrorAtLeastOne), error.GetType());
    Assert.Equal(2, error.Relations.Length);

    // Materialise the offending role types once and probe both expected relations.
    var offendingRoleTypes = new ArrayList(error.RoleTypes);
    Assert.True(offendingRoleTypes.Contains((RoleType)M.AccessControl.Subjects));
    Assert.True(offendingRoleTypes.Contains((RoleType)M.AccessControl.SubjectGroups));
}