[Test] public virtual void testGroupOverrideGlobalGrantAuthorizationCheck() { TestResource resource1 = new TestResource("resource1", 100); // create global authorization which grants all permissions to all users (on resource1): IAuthorization globalGrant = authorizationService.CreateNewAuthorization(AuthorizationFields.AuthTypeGlobal); globalGrant.Resource = (Resources)resource1.resourceType(); globalGrant.ResourceId = AuthorizationFields.Any; globalGrant.AddPermission(Permissions.All); authorizationService.SaveAuthorization(globalGrant); // revoke Permissions.Read for group "sales" IAuthorization groupRevoke = authorizationService.CreateNewAuthorization(AuthorizationFields.AuthTypeRevoke); groupRevoke.GroupId = "sales"; groupRevoke.Resource = (Resources)resource1.resourceType(); groupRevoke.ResourceId = AuthorizationFields.Any; groupRevoke.RemovePermission(Permissions.Read); authorizationService.SaveAuthorization(groupRevoke); IList <string> jonnysGroups = new List <string>() { "sales", "marketing" }; IList <string> someOneElsesGroups = new List <string>() { "marketing" }; // jonny does not have Permissions.All permissions if queried with groups Assert.IsFalse(authorizationService.IsUserAuthorized("jonny", jonnysGroups, Permissions.All, (Resources)resource1.resourceType())); // if queried without groups he has Assert.True(authorizationService.IsUserAuthorized("jonny", null, Permissions.All, (Resources)resource1.resourceType())); // jonny can't read if queried with groups Assert.IsFalse(authorizationService.IsUserAuthorized("jonny", jonnysGroups, Permissions.Read, (Resources)resource1.resourceType())); // if queried without groups he has Assert.True(authorizationService.IsUserAuthorized("jonny", null, Permissions.Read, (Resources)resource1.resourceType())); // someone else who is in group "marketing" but but not "sales" can Assert.True(authorizationService.IsUserAuthorized("someone else", someOneElsesGroups, Permissions.All, (Resources)resource1.resourceType())); Assert.True(authorizationService.IsUserAuthorized("someone else", someOneElsesGroups, Permissions.Read, (Resources)resource1.resourceType())); Assert.True(authorizationService.IsUserAuthorized("someone else", null, Permissions.All, (Resources)resource1.resourceType())); Assert.True(authorizationService.IsUserAuthorized("someone else", null, Permissions.Read, (Resources)resource1.resourceType())); // he could'nt if he were in jonny's groups Assert.IsFalse(authorizationService.IsUserAuthorized("someone else", jonnysGroups, Permissions.All, (Resources)resource1.resourceType())); Assert.IsFalse(authorizationService.IsUserAuthorized("someone else", jonnysGroups, Permissions.Read, (Resources)resource1.resourceType())); // jonny can still Delete Assert.True(authorizationService.IsUserAuthorized("jonny", jonnysGroups, Permissions.Delete, (Resources)resource1.resourceType())); Assert.True(authorizationService.IsUserAuthorized("jonny", null, Permissions.Delete, (Resources)resource1.resourceType())); }
[Test] public virtual void testUserOverrideGroupOverrideGlobalAuthorizationCheck() { TestResource resource1 = new TestResource("resource1", 100); // create global authorization which grants all permissions to all users (on resource1): IAuthorization globalGrant = authorizationService.CreateNewAuthorization(AuthorizationFields.AuthTypeGlobal); globalGrant.Resource = (Resources)resource1.resourceType(); globalGrant.ResourceId = AuthorizationFields.Any; globalGrant.AddPermission(Permissions.All); authorizationService.SaveAuthorization(globalGrant); // revoke Permissions.Read for group "sales" IAuthorization groupRevoke = authorizationService.CreateNewAuthorization(AuthorizationFields.AuthTypeRevoke); groupRevoke.GroupId = "sales"; groupRevoke.Resource = (Resources)resource1.resourceType(); groupRevoke.ResourceId = AuthorizationFields.Any; groupRevoke.RemovePermission(Permissions.Read); authorizationService.SaveAuthorization(groupRevoke); // add Permissions.Read for jonny IAuthorization userGrant = authorizationService.CreateNewAuthorization(AuthorizationFields.AuthTypeGrant); userGrant.UserId = "jonny"; userGrant.Resource = (Resources)resource1.resourceType(); userGrant.ResourceId = AuthorizationFields.Any; userGrant.AddPermission(Permissions.Read); authorizationService.SaveAuthorization(userGrant); IList <string> jonnysGroups = new List <string>() { "sales", "marketing" }; IList <string> someOneElsesGroups = new List <string>() { "marketing" }; // jonny can read Assert.True(authorizationService.IsUserAuthorized("jonny", jonnysGroups, Permissions.Read, (Resources)resource1.resourceType())); Assert.True(authorizationService.IsUserAuthorized("jonny", null, Permissions.Read, (Resources)resource1.resourceType())); // someone else in the same groups cannot Assert.IsFalse(authorizationService.IsUserAuthorized("someone else", jonnysGroups, Permissions.Read, (Resources)resource1.resourceType())); // someone else in different groups can Assert.True(authorizationService.IsUserAuthorized("someone else", someOneElsesGroups, Permissions.Read, (Resources)resource1.resourceType())); }
[Test] public virtual void testUserOverrideGlobalGrantAuthorizationCheck() { TestResource resource1 = new TestResource("resource1", 100); // create global authorization which grants all permissions to all users (on resource1): IAuthorization globalGrant = authorizationService.CreateNewAuthorization(AuthorizationFields.AuthTypeGlobal); globalGrant.Resource = (Resources)resource1.resourceType(); globalGrant.ResourceId = AuthorizationFields.Any; globalGrant.AddPermission(Permissions.All); authorizationService.SaveAuthorization(globalGrant); // revoke Permissions.Read for jonny IAuthorization localRevoke = authorizationService.CreateNewAuthorization(AuthorizationFields.AuthTypeRevoke); localRevoke.UserId = "jonny"; localRevoke.Resource = (Resources)resource1.resourceType(); localRevoke.ResourceId = AuthorizationFields.Any; localRevoke.RemovePermission(Permissions.Read); authorizationService.SaveAuthorization(localRevoke); IList <string> jonnysGroups = new List <string>() { "sales", "marketing" }; IList <string> someOneElsesGroups = new List <string>() { "marketing" }; // jonny does not have Permissions.All permissions Assert.IsFalse(authorizationService.IsUserAuthorized("jonny", null, Permissions.All, (Resources)resource1.resourceType())); Assert.IsFalse(authorizationService.IsUserAuthorized("jonny", jonnysGroups, Permissions.All, (Resources)resource1.resourceType())); // jonny can't read Assert.IsFalse(authorizationService.IsUserAuthorized("jonny", null, Permissions.Read, (Resources)resource1.resourceType())); Assert.IsFalse(authorizationService.IsUserAuthorized("jonny", jonnysGroups, Permissions.Read, (Resources)resource1.resourceType())); // someone else can Assert.True(authorizationService.IsUserAuthorized("someone else", null, Permissions.All, (Resources)resource1.resourceType())); Assert.True(authorizationService.IsUserAuthorized("someone else", someOneElsesGroups, Permissions.Read, (Resources)resource1.resourceType())); Assert.True(authorizationService.IsUserAuthorized("someone else", null, Permissions.All, (Resources)resource1.resourceType())); Assert.True(authorizationService.IsUserAuthorized("someone else", someOneElsesGroups, Permissions.Read, (Resources)resource1.resourceType())); // jonny can still Delete Assert.True(authorizationService.IsUserAuthorized("jonny", null, Permissions.Delete, (Resources)resource1.resourceType())); Assert.True(authorizationService.IsUserAuthorized("jonny", jonnysGroups, Permissions.Delete, (Resources)resource1.resourceType())); }
public virtual void testCreateAuthorizationWithGroupId() { TestResource resource1 = new TestResource("resource1", 100); // initially, no authorization exists: Assert.AreEqual(0, authorizationService.CreateAuthorizationQuery()); // simple create / Delete with userId IAuthorization authorization = authorizationService.CreateNewAuthorization(AuthorizationFields.AuthTypeGrant); authorization.GroupId = "aGroupId"; ////authorization.Resource = resource1; // save the authorization authorizationService.SaveAuthorization(authorization); // authorization exists Assert.AreEqual(1, authorizationService.CreateAuthorizationQuery() /*.Count()*/); // Delete the authorization authorizationService.DeleteAuthorization(authorization.Id); // it's gone Assert.AreEqual(0, authorizationService.CreateAuthorizationQuery() /*.Count()*/); }
[Test] public virtual void testAuthorizationCheckEmptyDb() { TestResource resource1 = new TestResource("resource1", 100); TestResource resource2 = new TestResource("resource2", 101); IList <string> jonnysGroups = new List <string>() { "sales", "marketing" }; IList <string> someOneElsesGroups = new List <string>() { "marketing" }; // Collections.singletonList("marketing"); // if no authorizations are in Db, nothing is authorized Assert.IsFalse(authorizationService.IsUserAuthorized("jonny", jonnysGroups, Permissions.All, (Resources)resource1.resourceType())); Assert.IsFalse(authorizationService.IsUserAuthorized("someone", someOneElsesGroups, Permissions.Create, (Resources)resource2.resourceType())); Assert.IsFalse(authorizationService.IsUserAuthorized("someone else", null, Permissions.Delete, (Resources)resource1.resourceType())); Assert.IsFalse(authorizationService.IsUserAuthorized("jonny", jonnysGroups, Permissions.All, (Resources)resource1.resourceType(), "someId")); Assert.IsFalse(authorizationService.IsUserAuthorized("someone", someOneElsesGroups, Permissions.Create, (Resources)resource1.resourceType(), "someId")); Assert.IsFalse(authorizationService.IsUserAuthorized("someone else", null, Permissions.Delete, (Resources)resource1.resourceType(), "someOtherId")); }
public virtual void testUpdatePersistentAuthorization() { TestResource resource1 = new TestResource("resource1", 100); TestResource resource2 = new TestResource("resource1", 101); IAuthorization authorization = authorizationService.CreateNewAuthorization(AuthorizationFields.AuthTypeGrant); authorization.UserId = "aUserId"; //authorization.Resource = resource1; authorization.ResourceId = "aResourceId"; authorization.AddPermission(Permissions.Access); // save the authorization authorizationService.SaveAuthorization(authorization); // validate authorization IAuthorization savedAuthorization = authorizationService.CreateAuthorizationQuery().First(); Assert.AreEqual("aUserId", savedAuthorization.UserId); Assert.AreEqual(resource1.resourceType(), savedAuthorization.ResourceType); Assert.AreEqual("aResourceId", savedAuthorization.ResourceId); Assert.True(savedAuthorization.IsPermissionGranted(Permissions.Access)); // update authorization savedAuthorization.UserId = "anotherUserId"; //savedAuthorization.Resource = resource2; savedAuthorization.ResourceId = "anotherResourceId"; savedAuthorization.AddPermission(Permissions.Delete); authorizationService.SaveAuthorization(savedAuthorization); // validate authorization updated savedAuthorization = authorizationService.CreateAuthorizationQuery().First(); Assert.AreEqual("anotherUserId", savedAuthorization.UserId); Assert.AreEqual(resource2.resourceType(), savedAuthorization.ResourceType); Assert.AreEqual("anotherResourceId", savedAuthorization.ResourceId); Assert.True(savedAuthorization.IsPermissionGranted(Permissions.Access)); Assert.True(savedAuthorization.IsPermissionGranted(Permissions.Delete)); }
public virtual void testInvalidCreateAuthorization() { TestResource resource1 = new TestResource("resource1", 100); // case 1: no user id & no group id //////////// IAuthorization authorization = authorizationService.CreateNewAuthorization(AuthorizationFields.AuthTypeGrant); //authorization.Resource = resource1; try { authorizationService.SaveAuthorization(authorization); Assert.Fail("exception expected"); } catch (ProcessEngineException e) { Assert.True(e.Message.Contains("IAuthorization must either have a 'userId' or a 'groupId'.")); } // case 2: both user id & group id //////////// authorization = authorizationService.CreateNewAuthorization(AuthorizationFields.AuthTypeGrant); authorization.GroupId = "someId"; authorization.UserId = "someOtherId"; //authorization.Resource = resource1; try { authorizationService.SaveAuthorization(authorization); Assert.Fail("exception expected"); } catch (ProcessEngineException e) { AssertTextPresent("IAuthorization must either have a 'userId' or a 'groupId'.", e.Message); } // case 3: no resourceType //////////// authorization = authorizationService.CreateNewAuthorization(AuthorizationFields.AuthTypeGrant); authorization.UserId = "someId"; try { authorizationService.SaveAuthorization(authorization); Assert.Fail("exception expected"); } catch (ProcessEngineException e) { Assert.True(e.Message.Contains("IAuthorization 'resourceType' cannot be null.")); } // case 4: no permissions ///////////////// authorization = authorizationService.CreateNewAuthorization(AuthorizationFields.AuthTypeRevoke); authorization.UserId = "someId"; try { authorizationService.SaveAuthorization(authorization); Assert.Fail("exception expected"); } catch (ProcessEngineException e) { Assert.True(e.Message.Contains("IAuthorization 'resourceType' cannot be null.")); } }
[Test] public virtual void testNullAuthorizationCheck() { TestResource resource1 = new TestResource("resource1", 100); Assert.IsFalse(authorizationService.IsUserAuthorized(null, null, Permissions.Update, (Resources)resource1.resourceType())); }