/// <summary>
/// Loads the priority model with the "indeterminate" priority policy fixture and checks
/// that the request (alice, data1, read) is denied.
/// </summary>
/// <remarks>
/// NOTE(review): the fixture text is not visible here. Presumably no rule produces a
/// definite allow for this request, so the test pins "deny" as the fallback decision.
/// Confirm against <c>_priorityIndeterminatePolicyText</c>.
/// </remarks>
public void TestPriorityModelIndeterminate()
{
    var model = TestModelFixture.GetNewTestModel(
        _testModelFixture._priorityModelText,
        _testModelFixture._priorityIndeterminatePolicyText);
    var enforcer = new Enforcer(model);
    enforcer.BuildRoleLinks();

    // The only expectation: the request must not be authorized.
    TestEnforce(enforcer, "alice", "data1", "read", false);
}
/// <summary>
/// Loads the RBAC model fixture <c>_rbacWithNotDenyModelText</c> together with the deny
/// policy fixture and checks that the request (alice, data2, write) is denied.
/// </summary>
/// <remarks>
/// NOTE(review): presumably the policy contains an explicit deny rule for this request
/// and the model's effect expression lets that deny win. Confirm against the fixtures,
/// which are not visible here.
/// </remarks>
public void TestRbacModelWithOnlyDeny()
{
    var model = TestModelFixture.GetNewTestModel(
        _testModelFixture._rbacWithNotDenyModelText,
        _testModelFixture._rbacWithDenyPolicyText);
    var enforcer = new Enforcer(model);
    enforcer.BuildRoleLinks();

    TestEnforce(enforcer, "alice", "data2", "write", false);
}
/// <summary>
/// Verifies which domains are reported for each user under the RBAC-with-domains model
/// loaded with the second domains policy fixture.
/// </summary>
/// <remarks>
/// Expected results: alice -> domain1, domain2; bob -> domain2, domain3; user -> domain3.
/// </remarks>
public void TestGetDomainsForUser()
{
    var model = TestModelFixture.GetNewTestModel(
        _testModelFixture._rbacWithDomainsModelText,
        _testModelFixture._rbacWithDomainsPolicy2Text);
    var enforcer = new Enforcer(model);
    enforcer.BuildRoleLinks();

    // One row per user; the rows are checked in the order listed.
    var expectedDomainsByUser = new[]
    {
        (User: "alice", Domains: new[] { "domain1", "domain2" }),
        (User: "bob", Domains: new[] { "domain2", "domain3" }),
        (User: "user", Domains: new[] { "domain3" }),
    };

    foreach (var (user, domains) in expectedDomainsByUser)
    {
        enforcer.TestGetDomainsForUser(user, domains);
    }
}
/// <summary>
/// Builds an enforcer from the basic model alone (no policy text is passed) and checks
/// that every combination of subject, object and action listed below is denied.
/// </summary>
/// <remarks>
/// This pins the default-deny behaviour: with no policy rules loaded, none of the eight
/// requests may be authorized.
/// </remarks>
public void TestBasicModelNoPolicy()
{
    var enforcer = new Enforcer(TestModelFixture.GetNewTestModel(_testModelFixture._basicModelText));

    string[] subjects = { "alice", "bob" };
    string[] resources = { "data1", "data2" };
    string[] actions = { "read", "write" };

    // Nesting order (subject, then object, then action) reproduces the original call order.
    foreach (string subject in subjects)
    {
        foreach (string resource in resources)
        {
            foreach (string action in actions)
            {
                TestEnforce(enforcer, subject, resource, action, false);
            }
        }
    }
}
/// <summary>
/// Starts from the RBAC-with-domains model with no policy, adds permission and grouping
/// rules at runtime, and checks the decisions for eight fixed requests after each change.
/// </summary>
/// <remarks>
/// Three snapshots are checked: after the rules are added, after every rule matching
/// (domain1, data1) is removed, and after the single rule (admin, domain2, data2, read)
/// is removed. The expectations show that revoking rules in domain1 leaves bob's access
/// in domain2 unchanged, and that removing one rule revokes only that action.
/// </remarks>
public async Task TestRbacModelWithDomainsAtRuntimeAsync()
{
    var enforcer = new Enforcer(TestModelFixture.GetNewTestModel(_testModelFixture._rbacWithDomainsModelText));
    enforcer.BuildRoleLinks();

    // Permission rules granted to the "admin" role, per domain.
    var permissionRules = new[]
    {
        (Sub: "admin", Dom: "domain1", Obj: "data1", Act: "read"),
        (Sub: "admin", Dom: "domain1", Obj: "data1", Act: "write"),
        (Sub: "admin", Dom: "domain2", Obj: "data2", Act: "read"),
        (Sub: "admin", Dom: "domain2", Obj: "data2", Act: "write"),
    };

    foreach (var (sub, dom, obj, act) in permissionRules)
    {
        await enforcer.AddPolicyAsync(sub, dom, obj, act);
    }

    // Role assignments: alice is admin in domain1 only, bob is admin in domain2 only.
    await enforcer.AddGroupingPolicyAsync("alice", "admin", "domain1");
    await enforcer.AddGroupingPolicyAsync("bob", "admin", "domain2");

    // The eight requests evaluated after every policy change, always in this order.
    var requests = new[]
    {
        (Who: "alice", Domain: "domain1", Resource: "data1", Action: "read"),
        (Who: "alice", Domain: "domain1", Resource: "data1", Action: "write"),
        (Who: "alice", Domain: "domain1", Resource: "data2", Action: "read"),
        (Who: "alice", Domain: "domain1", Resource: "data2", Action: "write"),
        (Who: "bob", Domain: "domain2", Resource: "data1", Action: "read"),
        (Who: "bob", Domain: "domain2", Resource: "data1", Action: "write"),
        (Who: "bob", Domain: "domain2", Resource: "data2", Action: "read"),
        (Who: "bob", Domain: "domain2", Resource: "data2", Action: "write"),
    };

    // Checks requests[i] against expected[i]; callers always pass eight values.
    void ExpectDecisions(params bool[] expected)
    {
        for (int i = 0; i < requests.Length; i++)
        {
            var (who, domain, resource, action) = requests[i];
            TestDomainEnforce(enforcer, who, domain, resource, action, expected[i]);
        }
    }

    // Initial state: each admin reaches only the resource of their own domain.
    ExpectDecisions(
        true, true, false, false,
        false, false, true, true);

    // Remove all policy rules related to domain1 and data1.
    await enforcer.RemoveFilteredPolicyAsync(1, "domain1", "data1");

    ExpectDecisions(
        false, false, false, false,
        false, false, true, true);

    // Remove the specified policy rule.
    await enforcer.RemovePolicyAsync("admin", "domain2", "data2", "read");

    ExpectDecisions(
        false, false, false, false,
        false, false, false, true);
}
/// <summary>
/// Compares the directly assigned roles with the implicit (inherited) roles of alice in
/// domain1, using the RBAC-with-domains model and the hierarchy-with-domains policy fixture.
/// </summary>
/// <remarks>
/// The direct lookup is expected to return only <c>role:global_admin</c>, while the
/// implicit lookup is expected to add <c>role:reader</c> and <c>role:writer</c>. An access
/// review that uses only the direct lookup would therefore miss the inherited roles.
/// </remarks>
public void TestGetRolesFromUserWithDomains()
{
    var model = TestModelFixture.GetNewTestModel(
        _testModelFixture._rbacWithDomainsModelText,
        _testModelFixture._rbacWithHierarchyWithDomainsPolicyText);
    var enforcer = new Enforcer(model);
    enforcer.BuildRoleLinks();

    // This is only able to retrieve the first level of roles.
    var directRoles = AsList("role:global_admin");
    TestGetRolesInDomain(enforcer, "alice", "domain1", directRoles);

    // Retrieve all inherited roles. It supports domains as well.
    var inheritedRoles = AsList("role:global_admin", "role:reader", "role:writer");
    TestGetImplicitRolesInDomain(enforcer, "alice", "domain1", inheritedRoles);
}
/// <summary>
/// Checks the implicit permissions reported for alice in domain1 under the
/// RBAC-with-domains model and the hierarchy-with-domains policy fixture.
/// </summary>
/// <remarks>
/// The expected list contains one rule whose subject is alice herself and two rules whose
/// subjects are <c>role:reader</c> and <c>role:writer</c>, so the result includes
/// permissions that are not granted to alice by name.
/// </remarks>
public void TestGetImplicitPermissionsForUserWithDomain()
{
    var model = TestModelFixture.GetNewTestModel(
        _testModelFixture._rbacWithDomainsModelText,
        _testModelFixture._rbacWithHierarchyWithDomainsPolicyText);
    var enforcer = new Enforcer(model);
    enforcer.BuildRoleLinks();

    // Each inner list is one rule: subject, domain, object, action.
    var expectedPermissions = AsList(
        AsList("alice", "domain1", "data2", "read"),
        AsList("role:reader", "domain1", "data1", "read"),
        AsList("role:writer", "domain1", "data1", "write"));

    TestGetImplicitPermissions(enforcer, "alice", expectedPermissions, "domain1");
}
/// <summary>
/// Enforces one request against the "multiple eval" RBAC model and policy fixtures and
/// expects it to be allowed.
/// </summary>
/// <remarks>
/// The request consists of the string "domain1", an anonymous object with a <c>Role</c>
/// property, an anonymous object with a <c>Name</c> property, and the action "view".
/// NOTE(review): only the allow path is pinned here. A companion request that is expected
/// to be denied would also catch a matcher that evaluates to true for every input.
/// </remarks>
public void TestEnforceWithMultipleEval()
{
    var model = TestModelFixture.GetNewTestModel(
        _testModelFixture._rbacMultipleEvalModelText,
        _testModelFixture._rbacMultipleEvalPolicyText);
    var enforcer = new Enforcer(model);

    // Attribute-carrying request values; the property names are part of the request.
    var subject = new { Role = "admin" };
    var resource = new { Name = "admin_panel" };

    bool allowed = enforcer.Enforce("domain1", subject, resource, "view");

    Assert.True(allowed);
}
/// <summary>
/// Checks twelve decisions under the basic-with-root model loaded with the basic policy
/// fixture: alice and bob are each allowed exactly one request, root is allowed all four.
/// </summary>
/// <remarks>
/// NOTE(review): the model text is not visible here. Presumably the matcher grants
/// everything to the subject literally named "root". Confirm against
/// <c>_basicWithRootModelText</c>. The table below shows that this superuser grant does
/// not widen what alice or bob may do.
/// </remarks>
public void TestBasicModelWithRoot()
{
    var model = TestModelFixture.GetNewTestModel(
        _testModelFixture._basicWithRootModelText,
        _testModelFixture._basicPolicyText);
    var enforcer = new Enforcer(model);

    // Decision table, evaluated top to bottom.
    var decisionTable = new[]
    {
        (Sub: "alice", Obj: "data1", Act: "read", Allowed: true),
        (Sub: "alice", Obj: "data1", Act: "write", Allowed: false),
        (Sub: "alice", Obj: "data2", Act: "read", Allowed: false),
        (Sub: "alice", Obj: "data2", Act: "write", Allowed: false),
        (Sub: "bob", Obj: "data1", Act: "read", Allowed: false),
        (Sub: "bob", Obj: "data1", Act: "write", Allowed: false),
        (Sub: "bob", Obj: "data2", Act: "read", Allowed: false),
        (Sub: "bob", Obj: "data2", Act: "write", Allowed: true),
        (Sub: "root", Obj: "data1", Act: "read", Allowed: true),
        (Sub: "root", Obj: "data1", Act: "write", Allowed: true),
        (Sub: "root", Obj: "data2", Act: "read", Allowed: true),
        (Sub: "root", Obj: "data2", Act: "write", Allowed: true),
    };

    foreach (var (sub, obj, act, allowed) in decisionTable)
    {
        TestEnforce(enforcer, sub, obj, act, allowed);
    }
}
/// <summary>
/// Checks the direct permissions of alice and bob, then the implicit roles of each, under
/// the RBAC model loaded with the hierarchy policy fixture.
/// </summary>
/// <remarks>
/// alice is expected to hold <c>admin</c>, <c>data1_admin</c> and <c>data2_admin</c>
/// implicitly although her only direct permission is (data1, read). bob is expected to
/// have no implicit roles.
/// </remarks>
public void GetImplicitRolesForUser()
{
    // Arrange
    var model = TestModelFixture.GetNewTestModel(
        _testModelFixture._rbacModelText,
        _testModelFixture._rbacWithHierarchyPolicyText);
    var enforcer = new Enforcer(model);
    enforcer.BuildRoleLinks();

    // Assert: direct permissions, one rule per user.
    var aliceDirect = AsList(
        AsList("alice", "data1", "read"));
    TestGetPermissions(enforcer, "alice", aliceDirect);

    var bobDirect = AsList(
        AsList("bob", "data2", "write"));
    TestGetPermissions(enforcer, "bob", bobDirect);

    // Assert: implicit roles.
    string[] aliceRoles = { "admin", "data1_admin", "data2_admin" };
    string[] bobRoles = new string[0];

    Assert.Equal(aliceRoles, enforcer.GetImplicitRolesForUser("alice"));
    Assert.Equal(bobRoles, enforcer.GetImplicitRolesForUser("bob"));
}
/// <summary>
/// Enforces the same request twice against the "multiple" RBAC model and policy fixtures,
/// changing only the matching function registered on the role manager in between.
/// </summary>
/// <remarks>
/// With an equality matching function the request is expected to be allowed. After a
/// second <c>AddMatchingFunc</c> call with the negated comparison it is expected to be
/// denied. The matching function therefore decides the authorization result directly and
/// deserves the same review as policy text.
/// NOTE(review): the argument 5 passed to <c>DefaultRoleManager</c> is presumably the
/// maximum role hierarchy depth. Confirm against the constructor.
/// </remarks>
public void TestEnforceWithMultipleRoleManager()
{
    var model = TestModelFixture.GetNewTestModel(
        _testModelFixture._rbacMultipleModelText,
        _testModelFixture._rbacMultiplePolicyText);
    var enforcer = new Enforcer(model);

    var roleManager = new DefaultRoleManager(5);

    // First pass: names match when they are equal.
    roleManager.AddMatchingFunc((left, right) => left.Equals(right));
    enforcer.SetRoleManager(roleManager);

    bool allowedWithEquality = enforcer.Enforce("@adm-user", "org::customer1", "cust1", "manage");
    Assert.True(allowedWithEquality);

    // Second pass: same role manager instance, negated comparison registered.
    roleManager.AddMatchingFunc((left, right) => !left.Equals(right));
    enforcer.SetRoleManager(roleManager);

    bool allowedWithNegation = enforcer.Enforce("@adm-user", "org::customer1", "cust1", "manage");
    Assert.False(allowedWithNegation);
}
/// <summary>
/// Compares direct and implicit permissions for alice and bob under the RBAC model loaded
/// with the hierarchy policy fixture.
/// </summary>
/// <remarks>
/// alice has one direct permission but five implicit ones, four of which belong to the
/// subjects <c>data1_admin</c> and <c>data2_admin</c>. bob's implicit permissions equal
/// his single direct permission.
/// </remarks>
public void TestGetImplicitPermissionsForUser()
{
    var model = TestModelFixture.GetNewTestModel(
        _testModelFixture._rbacModelText,
        _testModelFixture._rbacWithHierarchyPolicyText);
    var enforcer = new Enforcer(model);
    enforcer.BuildRoleLinks();

    // Direct permissions: rules whose subject is the user.
    var aliceDirect = AsList(
        AsList("alice", "data1", "read"));
    TestGetPermissions(enforcer, "alice", aliceDirect);

    var bobDirect = AsList(
        AsList("bob", "data2", "write"));
    TestGetPermissions(enforcer, "bob", bobDirect);

    // Implicit permissions: direct rules plus rules of the roles reached through the hierarchy.
    var aliceImplicit = AsList(
        AsList("alice", "data1", "read"),
        AsList("data1_admin", "data1", "read"),
        AsList("data1_admin", "data1", "write"),
        AsList("data2_admin", "data2", "read"),
        AsList("data2_admin", "data2", "write"));
    TestGetImplicitPermissions(enforcer, "alice", aliceImplicit);

    var bobImplicit = AsList(
        AsList("bob", "data2", "write"));
    TestGetImplicitPermissions(enforcer, "bob", bobImplicit);
}
/// <summary>
/// Checks which users implicitly hold a permission, first with the hierarchy policy
/// fixture and then after the policy is cleared and three rules are added by hand.
/// </summary>
/// <remarks>
/// The reverse lookup (permission to users) answers who can reach a resource, including
/// users who reach it only through a role. In the second phase alice has no rule of her
/// own and is expected to appear solely because she is grouped under <c>admin</c>.
/// NOTE(review): assuming <c>Assert.Equal</c> compares sequences element by element, the
/// final assertion also pins the order "bob", "alice".
/// </remarks>
public void TestGetImplicitUsersForPermission()
{
    // Arrange
    var model = TestModelFixture.GetNewTestModel(
        _testModelFixture._rbacModelText,
        _testModelFixture._rbacWithHierarchyPolicyText);
    var enforcer = new Enforcer(model);
    enforcer.BuildRoleLinks();

    // Expected holders per permission with the fixture policy, checked in this order.
    var expectedHolders = new[]
    {
        (Obj: "data1", Act: "read", Users: new[] { "alice" }),
        (Obj: "data1", Act: "write", Users: new[] { "alice" }),
        (Obj: "data2", Act: "read", Users: new[] { "alice" }),
        (Obj: "data2", Act: "write", Users: new[] { "alice", "bob" }),
    };

    foreach (var (obj, act, users) in expectedHolders)
    {
        Assert.Equal(users, enforcer.GetImplicitUsersForPermission(obj, act));
    }

    // Act: drop the loaded policy and rebuild a minimal one.
    enforcer.GetModel().ClearPolicy();
    _ = enforcer.AddPolicy("admin", "data1", "read");
    _ = enforcer.AddPolicy("bob", "data1", "read");
    _ = enforcer.AddGroupingPolicy("alice", "admin");

    // Assert
    string[] holdersAfterRebuild = { "bob", "alice" };
    Assert.Equal(holdersAfterRebuild, enforcer.GetImplicitUsersForPermission("data1", "read"));
}