public void ExecuteWhenCurrentUserCreatedPoll()
{
var generator = new RandomObjectGenerator();
var userId = generator.Generate<int>();
var poll = new Mock<IPoll>(MockBehavior.Strict);
poll.Setup(_ => _.UserID).Returns(userId);
var identity = new Mock<IUserIdentity>(MockBehavior.Strict);
identity.Setup(_ => _.UserID).Returns(userId);
identity.Setup(_ => _.IsInRole(UserRoles.Admin)).Returns(false);
var principal = new Mock<IPrincipal>(MockBehavior.Strict);
principal.Setup(_ => _.Identity).Returns(identity.Object);
using (principal.Object.Bind(() => ApplicationContext.User))
{
var rule = new CanDeletePollRule();
var context = new AuthorizationContext(rule, poll.Object, typeof(IPoll));
(rule as IAuthorizationRule).Execute(context);
Assert.IsTrue(context.HasPermission, context.GetPropertyName(_ => _.HasPermission));
}
principal.VerifyAll();
identity.VerifyAll();
poll.VerifyAll();
}
// TODO: Uncomment this property if rule result is not static.
/// <summary>
/// Notify RuelEngine that the result of this AuthzRule can not be cached.
/// Default is true so AuthzRules will only run once.
/// </summary>
//public override bool CacheResult
//{
// get { return false; }
//}
protected override void Execute(AuthorizationContext context)
{
// TODO: Add actual rule code here.
//if (!access_condition)
//{
// context.HasPermission = false;
//}
}
protected override void Execute(AuthorizationContext context)
{
var pollUserId = (context.Target as IPoll).UserID;
var currentUser = ApplicationContext.User.Identity as IUserIdentity;
context.HasPermission = currentUser != null && (
currentUser.IsInRole(UserRoles.Admin) || currentUser.UserID == pollUserId);
}
protected override void Execute(AuthorizationContext context)
{
if (context.Target != null)
{
var val1 = (string)ReadProperty(context.Target, _prop1);
var val2 = (string)ReadProperty(context.Target, _prop2);
// add my own if tests here
}
}
protected override void Execute(AuthorizationContext context)
{
// chect the base rule
base.Execute(context);
if (!context.HasPermission) return;
if (context.Target != null)
{
var val1 = (string) ReadProperty(context.Target, _prop1);
var val2 = (string) ReadProperty(context.Target, _prop2);
// add my own if tests here
}
}
public void ExecuteWhenApplicationContextUserIsNotIUserIdentity()
{
var principal = new Mock<IPrincipal>(MockBehavior.Strict);
principal.Setup(_ => _.Identity).Returns(Mock.Of<IIdentity>());
using (principal.Object.Bind(() => ApplicationContext.User))
{
var rule = new CanDeletePollRule();
var context = new AuthorizationContext(rule, Mock.Of<IPoll>(), typeof(IPoll));
(rule as IAuthorizationRule).Execute(context);
Assert.IsFalse(context.HasPermission, context.GetPropertyName(_ => _.HasPermission));
}
principal.VerifyAll();
}
public void WhenAccountIsNotReadOnly_UserCanEditObject()
{
var rule = new HasAccessToProcess(AuthorizationActions.EditObject, new HasAccessToProcess.ProcessSecurityConfiguration[] {});
var identity = new Mock<IMQ1Identity>();
identity.Setup(x => x.IsAuthenticated).Returns(true);
identity.Setup(x => x.IsAdmin).Returns(false);
identity.Setup(x => x.LicenseType).Returns(LicenseTypes.Concurrent);
Csla.ApplicationContext.User = new GenericPrincipal(identity.Object, new string[] { });
var item = new Mock<IEditableRoot>();
var context = new AuthorizationContext(rule, item.Object, item.Object.GetType());
((IAuthorizationRule)rule).Execute(context);
Assert.IsTrue(context.HasPermission);
}
public void DifferentBadgeTypeAllowedForUnauthorizedUser()
{
var mockPrincipal = new Mock<ICslaPrincipal>();
mockPrincipal.Setup(i => i.IsInRole(Common.Enums.PermissionType.Administrator.ToString())).Returns(false);
Csla.ApplicationContext.User = mockPrincipal.Object;
var mockTypeProperty = new Mock<IPropertyInfo>();
mockTypeProperty.Setup(mp => mp.Type).Returns(typeof(Common.Enums.BadgeType));
mockTypeProperty.Setup(mp => mp.Name).Returns("Type");
var newRule = new Rules.CanSetBadgeType(AuthorizationActions.WriteProperty, mockTypeProperty.Object, Common.Enums.BadgeType.Corporate, Common.Enums.PermissionType.Administrator.ToString());
var targetObject = new Mock<IBadgeEdit>();
targetObject.Setup(to => to.Type).Returns(Common.Enums.BadgeType.Community);
var ruleContext = new AuthorizationContext(newRule, targetObject.Object, typeof(IBadgeEdit));
var ruleRunner = (IAuthorizationRule)newRule;
ruleRunner.Execute(ruleContext);
Assert.IsTrue(ruleContext.HasPermission);
}
protected override void Execute(AuthorizationContext context)
{
var country = (string)MethodCaller.CallPropertyGetter(context.Target, CountryField.Name);
context.HasPermission = country.Equals(CountryNVL.UnitedStates);
}
/// <summary>
/// The execute.
/// </summary>
/// <param name="context">
/// The context.
/// </param>
protected override void Execute(AuthorizationContext context)
{
var value = (string) ReadProperty(context.Target, CountryProperty);
context.HasPermission = value == "US";
}
/// <summary>
/// Initializes the test.
/// </summary>
/// <param name="rule">The rule.</param>
/// <param name="target">The target.</param>
/// <param name="type">The type.</param>
public void InitializeTest(IAuthorizationRule rule, object target, Type type)
{
AuthorizationContext = new AuthorizationContext(rule, target, type);
}
/// <summary>
/// Gets the permission.
/// </summary>
/// <param name="context">The context.</param>
/// <param name="config">The configuration.</param>
/// <param name="isAccountReadOnly">if set to <c>true</c> [is account read only].</param>
/// <returns><c>true</c> if permission is granted, <c>false</c> otherwise.</returns>
/// <exception cref="Cebos.Veyron.SharedTypes.VeyronException">Unknown Authorization Action</exception>
private static bool GetPermission(AuthorizationContext context, ProcessSecurityConfiguration config,
bool isAccountReadOnly)
{
switch (context.Rule.Action)
{
case AuthorizationActions.CreateObject:
return config.CanCreate & !isAccountReadOnly;
case AuthorizationActions.DeleteObject:
return config.CanDelete & !isAccountReadOnly;
case AuthorizationActions.EditObject:
return !isAccountReadOnly;
default:
throw new VeyronException("Unknown Authorization Action");
}
}
/// <summary>
/// Sets the permission.
/// </summary>
/// <param name="context">The context.</param>
/// <param name="configs">The configs.</param>
/// <param name="isAccountReadOnly">if set to <c>true</c> then account is read only.</param>
private static void SetPermission(AuthorizationContext context, IEnumerable<ProcessSecurityConfiguration> configs, bool isAccountReadOnly)
{
foreach (var config in configs)
{
context.HasPermission = context.HasPermission || GetPermission(context, config, isAccountReadOnly);
}
}
private static bool HasPermission(AuthorizationActions action, object obj, Type objType, string ruleSet)
{
if (action == AuthorizationActions.ReadProperty ||
action == AuthorizationActions.WriteProperty ||
action == AuthorizationActions.ExecuteMethod)
throw new ArgumentOutOfRangeException("action");
bool result = true;
var rule =
AuthorizationRuleManager.GetRulesForType(objType, ruleSet).Rules.FirstOrDefault(c => c.Element == null && c.Action == action);
if (rule != null)
{
var context = new AuthorizationContext { Rule = rule, Target = obj, TargetType = objType };
rule.Execute(context);
result = context.HasPermission;
}
return result;
}
/// <summary> /// Authorization rule implementation. /// </summary> /// <param name="context">Rule context object.</param> protected abstract void Execute(AuthorizationContext context);
protected override void Execute(AuthorizationContext context)
{
context.HasPermission = Provider.Get().HasOperationForProgram(_programId, EDefaultOperation.WriteData);
}
protected override void Execute(AuthorizationContext context)
{
context.HasPermission = Provider.Get()
.HasOperationForProgram(_programId, EDefaultOperation.ReadDataAndAccessModule);
}
/// <summary>
/// Checks per-property authorization rules.
/// </summary>
/// <param name="action">Authorization action.</param>
/// <param name="element">Property or method to check.</param>
public bool HasPermission(AuthorizationActions action, Csla.Core.IMemberInfo element)
{
if (_suppressRuleChecking)
return true;
if (action == AuthorizationActions.CreateObject ||
action == AuthorizationActions.DeleteObject ||
action == AuthorizationActions.GetObject ||
action == AuthorizationActions.EditObject)
throw new ArgumentOutOfRangeException("action");
bool result = true;
var rule =
TypeAuthRules.Rules.FirstOrDefault(c => c.Element != null && c.Element.Name == element.Name && c.Action == action);
if (rule != null)
{
var context = new AuthorizationContext { Rule = rule, Target = this.Target, TargetType = this.Target.GetType() };
rule.Execute(context);
result = context.HasPermission;
}
return result;
}
void IAuthorizationRule.Execute(AuthorizationContext context)
{
if (!_locked)
_locked = true;
Execute(context);
}
/// <summary>
/// Sets the permission.
/// </summary>
/// <param name="context">The context.</param>
/// <param name="config">The configuration.</param>
/// <param name="isAccountReadOnly">if set to <c>true</c> then account is read only.</param>
/// <exception cref="VeyronException"></exception>
private static void SetPermission(AuthorizationContext context, ProcessSecurityConfiguration config, bool isAccountReadOnly)
{
context.HasPermission = GetPermission(context, config, isAccountReadOnly);
}
/// <summary> /// Authorization rule implementation. /// </summary> /// <param name="context">Rule context object.</param> protected abstract void Execute(AuthorizationContext context);
/// <summary>
/// Authorization rule implementation.
/// </summary>
/// <param name="context">Rule context object.</param>
protected override void Execute(AuthorizationContext context)
{
if (context == null)
return;
if (BypassPropertyCheckContext.Current != null)
{
context.HasPermission = true;
return;
}
if (ThreadLocalBypassPropertyCheckContext.Current != null)
{
context.HasPermission = true;
return;
}
// check if object is irremovable and deny delete
if (Action == AuthorizationActions.DeleteObject)
{
var editableRoot = context.Target as IHasUnremovableCapability;
if (editableRoot != null && editableRoot.IsUnremovable)
{
context.HasPermission = false;
return;
}
}
context.HasPermission = false;
var user = Csla.ApplicationContext.User;
if (!user.Identity.IsAuthenticated)
{
return;
}
var identity = user.Identity as IMQ1Identity;
if (identity == null)
{
return;
}
if (identity.IsAdmin)
{
context.HasPermission = true;
return;
}
if (Action == AuthorizationActions.EditObject)
{
context.HasPermission = identity.LicenseType != LicenseTypes.Viewonly;
return;
}
// find exact match
var configs = SecurityConfigurations.Where(c => c.BusinessUnitId == identity.BusinessUnitId && identity.RolesId.Contains(c.RoleId)).ToList();
if (configs.Any())
{
SetPermission(context, configs, identity.LicenseType == LicenseTypes.Viewonly);
return;
}
// find partial matches
configs = SecurityConfigurations.Where(c =>
(c.BusinessUnitId == identity.BusinessUnitId && c.RoleId < 0)
|| (c.BusinessUnitId < 0 && identity.RolesId.Contains(c.RoleId))).ToList();
if (configs.Any())
{
SetPermission(context, configs, identity.LicenseType == LicenseTypes.Viewonly);
return;
}
// find any matches
configs = SecurityConfigurations.Where(c => c.BusinessUnitId < 0 && c.RoleId < 0).ToList();
if (configs.Any())
{
SetPermission(context, configs, identity.LicenseType == LicenseTypes.Viewonly);
}
// no permission
}
void IAuthorizationRule.Execute(AuthorizationContext context)
{
Execute(context);
}