public void SelfServeReportGrant( )
{
IAccessRuleFactory accessRuleFactory;
IAccessRuleReportFactory accessRuleReportFactory;
Subject selfServeRole;
Solution coreDataSolution;
accessRuleReportFactory = new AccessRuleDisplayReportFactory( );
accessRuleFactory = new AccessRuleFactory( );
using (DatabaseContext databaseContext = DatabaseContext.GetContext(true))
using (new SecurityBypassContext( ))
{
selfServeRole = Entity.Get <Subject>("core:selfServeRole", true);
coreDataSolution = CodeNameResolver.GetInstance("ReadiNow Core Data", "Application").As <Solution>( );
// Allow the test to be rerun by re-enabling the allow all Administrators access rule
//EnableAdministratorAccessAllRule( );
// Create access rules
//DeleteAccessRules( ReportTypeNames, SelfServeCreateAccessRuleNameTemplate );
CreateAccessRules(
accessRuleFactory,
accessRuleReportFactory,
selfServeRole,
SelfServeTypeNames,
new [] { Permissions.Create },
"core:createSelfServeComponentsAccessRule",
coreDataSolution);
// Disable the "allow all" administrator access rule
//DisableAdministratorAccessAllRule( );
databaseContext.CommitTransaction( );
}
}
public void Test_EnableCreateRule()
{
UserAccount userAccount;
EntityType entityType1;
AccessRule accessRule;
IEntityAccessControlService entityAccessControlService;
using (var ctx = DatabaseContext.GetContext(true, preventPostSaveActionsPropagating: true))
using (new SecurityBypassContext())
{
userAccount = new UserAccount();
userAccount.Name = Guid.NewGuid().ToString();
userAccount.Save();
entityType1 = new EntityType();
entityType1.Inherits.Add(UserResource.UserResource_Type);
entityType1.Save();
entityAccessControlService = Factory.EntityAccessControlService;
ctx.CommitTransaction();
}
using (new SetUser(userAccount))
{
Assert.That(entityAccessControlService.CanCreate(entityType1), Is.False,
"User can somehow initially create entities (!?)");
}
using (var ctx = DatabaseContext.GetContext(true, preventPostSaveActionsPropagating: true))
using (new SecurityBypassContext())
{
accessRule = new AccessRuleFactory().AddAllowCreate(
userAccount.As <Subject>(),
entityType1.As <SecurableEntity>());
ctx.CommitTransaction();
}
using (new SetUser(userAccount))
{
Assert.That(entityAccessControlService.CanCreate(entityType1), Is.True,
"User cannot initially create entities");
}
using (var ctx = DatabaseContext.GetContext(true, preventPostSaveActionsPropagating: true))
{
accessRule.AccessRuleEnabled = false;
accessRule.Save();
ctx.CommitTransaction();
}
using (new SetUser(userAccount))
{
Assert.That(entityAccessControlService.CanCreate(entityType1), Is.False,
"User can create entities afterwards (!?)");
}
}
public void HobbleAdministratorsRole()
{
IAccessRuleFactory accessRuleFactory;
IAccessRuleReportFactory accessRuleReportFactory;
Subject administratorsRole;
accessRuleReportFactory = new AccessRuleDisplayReportFactory();
accessRuleFactory = new AccessRuleFactory();
using (DatabaseContext databaseContext = DatabaseContext.GetContext(true))
using (new SecurityBypassContext())
{
administratorsRole = Entity.Get <Subject>("core:administratorRole", true);
// Allow the test to be rerun by re-enabling the allow all Administrators access rule
EnableAdministratorAccessAllRule();
// Create full control access rules
DeleteAccessRules(FullControlTypeNames, AdministratorsFullControlAccessRuleNameTemplate);
CreateAccessRules(
accessRuleFactory,
accessRuleReportFactory,
administratorsRole,
FullControlTypeNames,
new[] { Permissions.Create, Permissions.Read, Permissions.Modify, Permissions.Delete },
AdministratorsFullControlAccessRuleNameTemplate);
// Create read modify access rules
DeleteAccessRules(ReadModifyTypeNames, AdministratorsReadModifyAccessRuleNameTemplate);
CreateAccessRules(
accessRuleFactory,
accessRuleReportFactory,
administratorsRole,
ReadModifyTypeNames,
new[] { Permissions.Read, Permissions.Modify },
AdministratorsReadModifyAccessRuleNameTemplate);
// Create read only access rules
DeleteAccessRules(ReadOnlyTypeNames, AdministratorsReadOnlyAccessRuleNameTemplate);
CreateAccessRules(
accessRuleFactory,
accessRuleReportFactory,
administratorsRole,
ReadOnlyTypeNames,
new[] { Permissions.Read },
AdministratorsReadOnlyAccessRuleNameTemplate);
// Disable the "allow all" administrator access rule
DisableAdministratorAccessAllRule();
databaseContext.CommitTransaction();
}
}
public void AddMissingAccessRules()
{
IAccessRuleFactory accessRuleFactory;
IAccessRuleReportFactory accessRuleReportFactory;
Subject administratorsRole;
Subject everyoneRole;
Solution coreDataSolution;
accessRuleReportFactory = new AccessRuleDisplayReportFactory();
accessRuleFactory = new AccessRuleFactory();
using (DatabaseContext databaseContext = DatabaseContext.GetContext(true))
using (new SecurityBypassContext())
{
administratorsRole = Entity.Get <Subject>("core:administratorRole", true);
everyoneRole = Entity.Get <Subject>("core:everyoneRole", true);
coreDataSolution = CodeNameResolver.GetInstance("ReadiNow Core Data", "Application").As <Solution>();
Console.WriteLine("Create access rule in solution {0}", coreDataSolution.Id);
CreateAccessRules(
accessRuleFactory,
accessRuleReportFactory,
administratorsRole,
new [] { "core:importConfig" },
new [] { Permissions.Create, Permissions.Read, Permissions.Modify, Permissions.Delete },
AdministratorsFullControlAccessRuleNameTemplate,
coreDataSolution);
CreateAccessRules(
accessRuleFactory,
accessRuleReportFactory,
administratorsRole,
new [] { "core:importRun" },
new [] { Permissions.Read, Permissions.Modify },
AdministratorsReadModifyAccessRuleNameTemplate,
coreDataSolution);
//var types = new[] { "core:board", "core:boardDimension" };
//DeleteAccessRules(types, EveryoneReadModifyControlAccessRuleNameTemplate);
//CreateAccessRules(
// accessRuleFactory,
// accessRuleReportFactory,
// everyoneRole,
// types,
// new[] { Permissions.Create, Permissions.Read, Permissions.Modify },
// EveryoneReadModifyControlAccessRuleNameTemplate,
// coreDataSolution);
databaseContext.CommitTransaction();
}
}
public void CreateSuperAdminAccount()
{
UserAccount superAdministratorUserAccount;
IAccessRuleFactory accessRuleFactory;
superAdministratorUserAccount = new UserAccount
{
Name = SpecialStrings.SystemAdministratorUser,
AccountStatus_Enum = UserAccountStatusEnum_Enumeration.Disabled
};
superAdministratorUserAccount.Save();
accessRuleFactory = new AccessRuleFactory();
accessRuleFactory.AddAllowByQuery(
superAdministratorUserAccount.As <Subject>(),
Entity.Get <SecurableEntity>("core:resource"),
new[] { Permissions.Create, Permissions.Read, Permissions.Modify, Permissions.Delete },
TestQueries.Entities().ToReport()
);
}
public void SetupEntities()
{
using (DatabaseContext context = DatabaseContext.GetContext(true))
{
using (new SecurityBypassContext())
{
Role administratorRole;
EntityType resourceType;
AccessRuleFactory accessControlHelper;
administratorRole = Entity.Get <Role>(new EntityRef("core", "administratorRole"), true);
resourceType = Entity.Get <EntityType>(new EntityRef("core", "resource"));
// resourceType = Entity.Get<EntityType>(new EntityRef("core", "securableEntity"));
accessControlHelper = new AccessRuleFactory();
accessControlHelper.AddAllowCreate(administratorRole.As <Subject>(), resourceType.As <SecurableEntity>());
accessControlHelper.AddAllowByQuery(administratorRole.As <Subject>(), resourceType.As <SecurableEntity>(),
new[] { Permissions.Read, Permissions.Modify, Permissions.Delete }, TestQueries.Entities().ToReport());
context.CommitTransaction();
}
}
}
public void Setup( )
{
// Getting Forbidden? Or ConnectorConfigException?
// Maybe there's duplicate copies of these objects in the DB.
// Define key and user
using (new TenantAdministratorContext(TenantName))
{
// Define schema
type = new EntityType( );
type.Inherits.Add(UserResource.UserResource_Type);
type.Name = "Test type " + Guid.NewGuid( );
type.Save( );
type2 = new EntityType();
type2.Inherits.Add(UserResource.UserResource_Type);
type2.Name = "Test type2 " + Guid.NewGuid();
type2.Save();
stringField = new StringField( );
stringField.Name = "Field 1";
stringField.FieldIsOnType = type;
stringField.Save( );
lookup = new Relationship();
lookup.Cardinality_Enum = CardinalityEnum_Enumeration.OneToOne;
lookup.FromType = type;
lookup.ToType = type2;
// Define API
mapping = new ApiResourceMapping( );
mapping.Name = "Test mapping " + Guid.NewGuid( );;
mapping.MappedType = type;
mapping.Save( );
lookupMapping = new ApiRelationshipMapping();
lookupMapping.Name = "lookup1";
lookupMapping.MappedRelationship = lookup;
lookupMapping.MemberForResourceMapping = mapping;
lookupMapping.Save();
fieldMapping = new ApiFieldMapping( );
fieldMapping.Name = "field1";
fieldMapping.MappedField = stringField.As <Field>( );
fieldMapping.MemberForResourceMapping = mapping;
fieldMapping.Save( );
endpoint = new ApiResourceEndpoint( );
endpoint.Name = "Test endpoint " + Guid.NewGuid( );
endpoint.ApiEndpointAddress = EndpointAddress;
endpoint.EndpointResourceMapping = mapping;
endpoint.ApiEndpointEnabled = true;
endpoint.EndpointCanCreate = true;
endpoint.EndpointCanDelete = true;
endpoint.EndpointCanUpdate = true;
endpoint.Save( );
api = new Api( );
api.Name = "Test API " + Guid.NewGuid( );;
api.ApiAddress = ApiAddress;
api.ApiEnabled = true;
api.ApiEndpoints.Add(endpoint.As <ApiEndpoint>( ));
api.Save( );
// Define access
userAccount = new UserAccount( );
userAccount.Name = "Test user " + Guid.NewGuid( );
userAccount.AccountStatus_Enum = UserAccountStatusEnum_Enumeration.Active;
userAccount.Password = "******";
userAccount.Save( );
key = new ApiKey( );
key.Name = ApiKey;
key.ApiKeyUserAccount = userAccount;
key.ApiKeyEnabled = true;
key.KeyForApis.Add(api);
key.Save( );
updateInstance = Entity.Create(type).AsWritable <Resource>( );
updateInstance.Name = updateInstanceName = "ResourceToUpdate" + Guid.NewGuid( );
updateInstance.Description = updateInstanceDesc = "ResourceToUpdate" + Guid.NewGuid( );
updateInstance.Save( );
updateInstanceGuid = updateInstance.UpgradeId;
IAccessRuleFactory accessControlHelper = new AccessRuleFactory( );
accessRule = accessControlHelper.AddAllowCreate(userAccount.As <Subject>( ), type.As <SecurableEntity>( ));
accessRule = accessControlHelper.AddAllowByQuery(userAccount.As <Subject>( ), type.As <SecurableEntity>( ), new[] { Permissions.Read, Permissions.Modify, Permissions.Delete }, TestQueries.Entities(type).ToReport( ));
}
cleanup = new List <IEntity> {
userAccount, key, api, type, mapping, endpoint, fieldMapping, stringField, accessRule, updateInstance
};
}
public void Test_ChangeAccessRuleForPermissions()
{
UserAccount userAccount;
EntityType entityType;
IEntity entity;
EntityRef entityRef;
AccessRule accessRule;
IEntityAccessControlService entityAccessControlService;
Permission readPermission;
Permission modifyPermission;
using (var ctx = DatabaseContext.GetContext(true, preventPostSaveActionsPropagating: true))
using (new SecurityBypassContext())
{
userAccount = new UserAccount();
userAccount.Name = Guid.NewGuid().ToString();
userAccount.Save();
entityType = new EntityType();
entityType.Inherits.Add(UserResource.UserResource_Type);
entityType.Save();
entity = Entity.Create(entityType);
entity.Save();
entityRef = new EntityRef(entity);
entityAccessControlService = Factory.EntityAccessControlService;
ctx.CommitTransaction();
}
using (new SetUser(userAccount))
{
Assert.That(entityAccessControlService.Check(entityRef, new[] { Permissions.Read }), Is.False,
"User can somehow initially read entities (!?)");
Assert.That(entityAccessControlService.Check(entityRef, new[] { Permissions.Modify }), Is.False,
"User can somehow initially write entities (!?)");
}
using (var ctx = DatabaseContext.GetContext(true, preventPostSaveActionsPropagating: true))
using (new SecurityBypassContext())
{
accessRule = new AccessRuleFactory().AddAllowByQuery(
userAccount.As <Subject>(),
entityType.As <SecurableEntity>(),
new[] { Permissions.Read, Permissions.Modify },
TestQueries.Entities(entityType).ToReport());
ctx.CommitTransaction();
}
readPermission = Entity.Get <Permission>(Permissions.Read, true);
modifyPermission = Entity.Get <Permission>(Permissions.Modify, true);
using (new SetUser(userAccount))
{
Assert.That(entityAccessControlService.Check(entityRef, new[] { Permissions.Read }), Is.True,
"User cannot read entity after access rule creation");
Assert.That(entityAccessControlService.Check(entityRef, new[] { Permissions.Modify }), Is.True,
"User cannot modify entity after access rule creation");
}
using (var ctx = DatabaseContext.GetContext(true, preventPostSaveActionsPropagating: true))
{
modifyPermission.PermissionAccessBy.Remove(accessRule);
modifyPermission.Save();
ctx.CommitTransaction();
}
using (new SetUser(userAccount))
{
Assert.That(entityAccessControlService.Check(entityRef, new[] { Permissions.Read }), Is.True,
"User cannot read entity after removing modify access");
Assert.That(entityAccessControlService.Check(entityRef, new[] { Permissions.Modify }), Is.False,
"User can modify entity after removing modify access");
}
using (var ctx = DatabaseContext.GetContext(true, preventPostSaveActionsPropagating: true))
{
readPermission.PermissionAccessBy.Remove(accessRule);
readPermission.Save();
ctx.CommitTransaction();
}
using (new SetUser(userAccount))
{
Assert.That(entityAccessControlService.Check(entityRef, new[] { Permissions.Read }), Is.False,
"User can read entity after removing read access");
Assert.That(entityAccessControlService.Check(entityRef, new[] { Permissions.Modify }), Is.False,
"User can modify entity after removing read access");
}
using (var ctx = DatabaseContext.GetContext(true, preventPostSaveActionsPropagating: true))
{
readPermission.PermissionAccessBy.Add(accessRule);
readPermission.Save();
ctx.CommitTransaction();
}
using (new SetUser(userAccount))
{
Assert.That(entityAccessControlService.Check(entityRef, new[] { Permissions.Read }), Is.True,
"User cannot read entity after re-adding read access");
Assert.That(entityAccessControlService.Check(entityRef, new[] { Permissions.Modify }), Is.False,
"User can modify entity after re-adding read access");
}
}
public HttpResponseMessage <long> Post([FromBody] NewAccessRuleInfo accessRuleInfo)
{
if (accessRuleInfo == null)
{
throw new WebArgumentNullException("accessRuleInfo");
}
SecurableEntity securableEntity;
Subject subject;
ReadiNow.Model.Report accessRuleReport;
AccessRule accessRule;
ISet <long> allowedTypes;
Solution solution = null;
securableEntity = ReadiNow.Model.Entity.Get <SecurableEntity>(accessRuleInfo.SecurableEntityId);
if (securableEntity == null)
{
throw new WebArgumentException(@"SecurableEntityId is not a type", "accessRuleInfo");
}
// Restrict to the types visible in the UI. If modifying this, also change the code in accessControlRepository.
allowedTypes = new[] { "console:customEditForm", "core:workflow", "core:reportTemplate", "core:fileType", "core:documentType", "core:imageFileType", "core:photoFileType" }
.Select(ReadiNow.Model.Entity.GetId)
.ToSet();
if (!(securableEntity.Is <ManagedType>() ||
allowedTypes.Contains(securableEntity.Id)))
{
throw new WebArgumentException(@"SecurableEntityId is not a supported type", "accessRuleInfo");
}
subject = ReadiNow.Model.Entity.Get <Subject>(accessRuleInfo.SubjectId, true);
if (subject == null)
{
throw new WebArgumentException(@"SubjectId is not a user or role", "accessRuleInfo");
}
if (accessRuleInfo.SolutionId > 0)
{
solution = ReadiNow.Model.Entity.Get <Solution>(accessRuleInfo.SolutionId);
}
accessRuleReport = ReportFactory.GetDisplayReportForSecurableEntity(securableEntity);
if (accessRuleReport == null)
{
throw new InvalidOperationException("No report found for target securable entity");
}
accessRule = new AccessRuleFactory().AddAllowByQuery(
subject,
securableEntity.As <SecurableEntity>( ),
new[]
{
Permissions.Read
},
accessRuleReport,
false, // Disabled by default
solution
);
return(new HttpResponseMessage <long>(accessRule.Id));
}
public void Setup( )
{
// Getting Forbidden? Or ConnectorConfigException?
// Maybe there's duplicate copies of these objects in the DB.
UserAccount userAccount;
AccessRule accessRule;
Api api;
// Define key and user
using (new TenantAdministratorContext(TenantName))
{
// Create Type
type = new EntityType
{
Fields =
{
new StringField {
Name = "Incident Description"
}.As <Field>( )
}
};
type.Inherits.Add(UserResource.UserResource_Type);
type.Save( );
// Define access
userAccount = new UserAccount
{
Name = "Test user " + Guid.NewGuid( ),
AccountStatus_Enum = UserAccountStatusEnum_Enumeration.Active,
Password = "******"
};
userAccount.Save( );
var field = type.Fields [0];
// Create import config
importConfig = new ImportConfig
{
Name = "Test import config " + Guid.NewGuid( ),
ImportFileType_Enum = ImportFileTypeEnum_Enumeration.ImportFileTypeExcel,
ImportConfigMapping = new ApiResourceMapping
{
MappingSourceReference = "Incident",
ImportHeadingRow = 4,
ImportDataRow = 5,
MappedType = type,
ResourceMemberMappings =
{
new ApiFieldMapping {
Name = "A", MappedField = Resource.Name_Field.As <Field>( ),
}.As <ApiMemberMapping>( ),
new ApiFieldMapping {
Name = "B", MappedField = field
}.As <ApiMemberMapping>( )
}
}
};
// Create API
api = new Api
{
Name = "Test API " + Guid.NewGuid( ),
ApiAddress = ApiAddress,
ApiEnabled = true,
ApiEndpoints =
{
new ApiSpreadsheetEndpoint
{
Name = "Test spreadsheet endpoint " + Guid.NewGuid( ),
ApiEndpointAddress = EndpointAddress,
ApiEndpointEnabled = true,
EndpointImportConfig = importConfig
}.As <ApiEndpoint>( )
},
ApiKeys =
{
new ApiKey
{
Name = ApiKey,
ApiKeyUserAccount = userAccount,
ApiKeyEnabled = true
}
}
};
api.Save( );
IAccessRuleFactory accessControlHelper = new AccessRuleFactory( );
accessRule = accessControlHelper.AddAllowCreate(userAccount.As <Subject>( ), type.As <SecurableEntity>( ));
//accessRule2 = accessControlHelper.AddAllowByQuery( userAccount.As<Subject>( ), type.As<SecurableEntity>( ), new [ ] { Permissions.Read, Permissions.Modify }, TestQueries.Entities( type ).ToReport( ) );
IEntity apiKey = api.ApiKeys? [0];
cleanup = new List <IEntity> {
userAccount, api, type, accessRule, importConfig, apiKey
};
}
}
private void CreateScenarioImpl(string testInstanceName, Func <EntityRef[]> permissionsCallback)
{
// Define key and user
using (new TenantAdministratorContext(TenantName))
{
// Define schema
type = new EntityType( );
type.Inherits.Add(UserResource.UserResource_Type);
type.Name = "Test type " + Guid.NewGuid( );
type.Save( );
type2 = new EntityType( );
type2.Inherits.Add(UserResource.UserResource_Type);
type2.Name = "Test type2 " + Guid.NewGuid( );
type2.Save( );
stringField = new StringField( );
stringField.Name = "Field 1";
stringField.FieldIsOnType = type;
stringField.MaxLength = 50;
stringField.Save( );
lookup = new Relationship( );
lookup.Cardinality_Enum = CardinalityEnum_Enumeration.OneToOne;
lookup.FromType = type;
lookup.ToType = type2;
relationship = new Relationship( );
relationship.Cardinality_Enum = CardinalityEnum_Enumeration.ManyToMany;
relationship.FromType = type;
relationship.ToType = type2;
// Define API
mapping = new ApiResourceMapping( );
mapping.Name = "Test mapping " + Guid.NewGuid( );;
mapping.MappedType = type;
mapping.Save( );
fieldMapping = new ApiFieldMapping( );
fieldMapping.Name = "field1";
fieldMapping.MappedField = stringField.As <Field>( );
fieldMapping.MemberForResourceMapping = mapping;
fieldMapping.Save( );
lookupMapping = new ApiRelationshipMapping( );
lookupMapping.Name = "lookup1";
lookupMapping.MappedRelationship = lookup;
lookupMapping.MemberForResourceMapping = mapping;
lookupMapping.Save( );
relationshipMapping = new ApiRelationshipMapping( );
relationshipMapping.Name = "rel1";
relationshipMapping.MappedRelationship = relationship;
relationshipMapping.MemberForResourceMapping = mapping;
relationshipMapping.Save( );
endpoint = new ApiResourceEndpoint( );
endpoint.Name = "Test endpoint " + Guid.NewGuid( );;
endpoint.ApiEndpointAddress = EndpointAddress;
endpoint.EndpointResourceMapping = mapping;
endpoint.ApiEndpointEnabled = true;
endpoint.EndpointCanCreate = true;
endpoint.EndpointCanUpdate = true;
endpoint.EndpointCanDelete = true;
endpoint.Save( );
api = new Api( );
api.Name = "Test API " + Guid.NewGuid( );;
api.ApiAddress = ApiAddress;
api.ApiEnabled = true;
api.ApiEndpoints.Add(endpoint.As <ApiEndpoint>( ));
api.Save( );
// Define access
userAccount = new UserAccount( );
userAccount.Name = "Test user " + Guid.NewGuid( );
userAccount.AccountStatus_Enum = UserAccountStatusEnum_Enumeration.Active;
userAccount.Password = "******";
userAccount.Save( );
key = new ApiKey( );
key.Name = ApiKey;
key.ApiKeyUserAccount = userAccount;
key.ApiKeyEnabled = true;
key.KeyForApis.Add(api);
key.Save( );
if (testInstanceName != null)
{
scenarioInstance = Entity.Create(type);
scenarioInstance.SetField("core:name", testInstanceName);
scenarioInstance.Save( );
}
foreignName = "Foreign" + Guid.NewGuid( ).ToString( );
foreignInstance = Entity.Create(type2);
foreignInstance.SetField("core:name", foreignName);
foreignInstance.Save( );
// Grant create
var permissions = permissionsCallback( );
IAccessRuleFactory accessControlHelper = new AccessRuleFactory( );
if (permissions [0] == Permissions.Create)
{
accessControlHelper.AddAllowCreate(userAccount.As <Subject>( ), type.As <SecurableEntity>( ));
}
else if (permissions.Length > 0)
{
accessControlHelper.AddAllowByQuery(userAccount.As <Subject>( ), type.As <SecurableEntity>( ), permissions, TestQueries.Entities(type).ToReport( ));
}
accessControlHelper.AddAllowByQuery(userAccount.As <Subject>( ), type2.As <SecurableEntity>( ), new [] { Permissions.Read, Permissions.Modify }, TestQueries.Entities(type2).ToReport( ));
}
}
