public void ComputeOnUpdatePrincipal() { using (var container = new MockWindowsSecurityRhetosContainer("u1-r1 u1-r12 u2-r12 u2-r2", commitChanges: false)) { container.Resolve <ISqlExecuter>() .ExecuteSql("DELETE FROM Common.Principal; DELETE FROM Common.Role"); // Insert test data: var u1 = new Common.Principal { ID = Guid.NewGuid(), Name = _domainPrefix + "u1" }; var u2 = new Common.Principal { ID = Guid.NewGuid(), Name = _domainPrefix + "u2" }; var u3 = new Common.Principal { ID = Guid.NewGuid(), Name = _domainPrefix + "u3" }; var u5 = new Common.Principal { ID = Guid.NewGuid(), Name = "u5" }; var r1 = new Common.Role { ID = Guid.NewGuid(), Name = _domainPrefix + "r1" }; var r2 = new Common.Role { ID = Guid.NewGuid(), Name = _domainPrefix + "r2" }; var r25 = new Common.Role { ID = Guid.NewGuid(), Name = "r25" }; var repository = container.Resolve <Common.DomRepository>(); var roles = container.Resolve <GenericRepository <Common.Role> >(); var principals = container.Resolve <GenericRepository <Common.Principal> >(); var membership = container.Resolve <GenericRepository <Common.PrincipalHasRole> >(); roles.Insert(r1, r2, r25); principals.Insert(u1, u2, u3, u5); membership.Insert(new[] { // Non-domain users and roles. new Common.PrincipalHasRole { PrincipalID = u2.ID, RoleID = r25.ID }, new Common.PrincipalHasRole { PrincipalID = u5.ID, RoleID = r25.ID } }); // Recompute membership on update principal (domain users only): u2.Name = "u2x"; principals.Update(u2); Assert.AreEqual(@"\u1-\r1, u2x-\r2, u2x-r25, u5-r25", ReportMembership(container), "auto-membership on update ignore non-domain users"); u2.Name = _domainPrefix + "u2x"; principals.Update(u2); Assert.AreEqual(@"\u1-\r1, \u2x-r25, u5-r25", ReportMembership(container), "auto-membership on update domain users"); u2.Name = _domainPrefix + "u2"; principals.Update(u2); Assert.AreEqual(@"\u1-\r1, \u2-\r2, \u2-r25, u5-r25", ReportMembership(container), "auto-membership on update domain users 2"); } }
public void RoleInheritance() { using (var container = new MockWindowsSecurityRhetosContainer("u1-r1 u1-r12 u2-r12 u2-r2", commitChanges: false)) { container.Resolve <ISqlExecuter>() .ExecuteSql("DELETE FROM Common.Principal; DELETE FROM Common.Role"); // Insert test data: var u1 = new Common.Principal { ID = Guid.NewGuid(), Name = _domainPrefix + "u1" }; var u2 = new Common.Principal { ID = Guid.NewGuid(), Name = _domainPrefix + "u2" }; var u3 = new Common.Principal { ID = Guid.NewGuid(), Name = _domainPrefix + "u3" }; var u5 = new Common.Principal { ID = Guid.NewGuid(), Name = "u5" }; var r1 = new Common.Role { ID = Guid.NewGuid(), Name = _domainPrefix + "r1" }; var r2 = new Common.Role { ID = Guid.NewGuid(), Name = _domainPrefix + "r2" }; var r25 = new Common.Role { ID = Guid.NewGuid(), Name = "r25" }; var repository = container.Resolve <Common.DomRepository>(); var roles = container.Resolve <GenericRepository <Common.Role> >(); var principals = container.Resolve <GenericRepository <Common.Principal> >(); var membership = container.Resolve <GenericRepository <Common.PrincipalHasRole> >(); roles.Insert(r1, r2, r25); principals.Insert(u1, u2, u3, u5); membership.Insert(new[] { // Non-domain users and roles. new Common.PrincipalHasRole { PrincipalID = u2.ID, RoleID = r25.ID }, new Common.PrincipalHasRole { PrincipalID = u5.ID, RoleID = r25.ID } }); // Modify role inheritance: repository.Common.RoleInheritsRole.Insert(new[] { new Common.RoleInheritsRole { UsersFromID = r1.ID, PermissionsFromID = r25.ID } }); TestUtility.ShouldFail(() => repository.Common.RoleInheritsRole.Insert(new[] { new Common.RoleInheritsRole { UsersFromID = r25.ID, PermissionsFromID = r2.ID } }), "UserException", "It is not allowed to add users or user groups here because this role is synchronized with an Active Directory group.", "Please change the user membership on Active Directory instead."); } }
public void ComputeOnInsertPrincipal() { using (var container = new MockWindowsSecurityRhetosContainer("u1-r1 u1-r12 u2-r12 u2-r2", commitChanges: false)) { container.Resolve <ISqlExecuter>() .ExecuteSql("DELETE FROM Common.Principal; DELETE FROM Common.Role"); // Insert test data: var u1 = new Common.Principal { ID = Guid.NewGuid(), Name = _domainPrefix + "u1" }; var u2 = new Common.Principal { ID = Guid.NewGuid(), Name = _domainPrefix + "u2" }; var u3 = new Common.Principal { ID = Guid.NewGuid(), Name = _domainPrefix + "u3" }; var u5 = new Common.Principal { ID = Guid.NewGuid(), Name = "u5" }; var r1 = new Common.Role { ID = Guid.NewGuid(), Name = _domainPrefix + "r1" }; var r2 = new Common.Role { ID = Guid.NewGuid(), Name = _domainPrefix + "r2" }; var r25 = new Common.Role { ID = Guid.NewGuid(), Name = "r25" }; var repository = container.Resolve <Common.DomRepository>(); var roles = container.Resolve <GenericRepository <Common.Role> >(); var principals = container.Resolve <GenericRepository <Common.Principal> >(); var membership = container.Resolve <GenericRepository <Common.PrincipalHasRole> >(); roles.Insert(r1, r2, r25); Assert.AreEqual(@"\r1, \r2, r25", ReportRoles(roles.Load()), "roles created"); principals.Insert(u1, u2, u3, u5); Assert.AreEqual(@"\u1, \u2, \u3, u5", ReportPrincipals(principals.Load()), "principals created"); // Recompute membership on insert domain users: Assert.AreEqual(@"\u1-\r1, \u2-\r2", ReportMembership(container), "auto-membership on insert"); // Inserting non-domain users and roles: membership.Insert(new[] { new Common.PrincipalHasRole { PrincipalID = u2.ID, RoleID = r25.ID }, new Common.PrincipalHasRole { PrincipalID = u5.ID, RoleID = r25.ID } }, checkUserPermissions: true); Assert.AreEqual(@"\u1-\r1, \u2-\r2, \u2-r25, u5-r25", ReportMembership(container), "non-domain users and roles"); } }
public void RecomputeMembership() { using (var container = new MockWindowsSecurityRhetosContainer("u1-r1 u1-r12 u2-r12 u2-r2", commitChanges: false)) { container.Resolve <ISqlExecuter>() .ExecuteSql("DELETE FROM Common.Principal; DELETE FROM Common.Role"); // Insert test data: var u1 = new Common.Principal { ID = Guid.NewGuid(), Name = _domainPrefix + "u1" }; var u2 = new Common.Principal { ID = Guid.NewGuid(), Name = _domainPrefix + "u2" }; var u3 = new Common.Principal { ID = Guid.NewGuid(), Name = _domainPrefix + "u3" }; var u5 = new Common.Principal { ID = Guid.NewGuid(), Name = "u5" }; var r1 = new Common.Role { ID = Guid.NewGuid(), Name = _domainPrefix + "r1" }; var r2 = new Common.Role { ID = Guid.NewGuid(), Name = _domainPrefix + "r2" }; var r25 = new Common.Role { ID = Guid.NewGuid(), Name = "r25" }; var repository = container.Resolve <Common.DomRepository>(); var roles = container.Resolve <GenericRepository <Common.Role> >(); var principals = container.Resolve <GenericRepository <Common.Principal> >(); var membership = repository.Common.PrincipalHasRole; roles.Insert(r1, r2, r25); principals.Insert(u1, u2, u3, u5); membership.Insert(new[] { // Non-domain users and roles. new Common.PrincipalHasRole { PrincipalID = u2.ID, RoleID = r25.ID }, new Common.PrincipalHasRole { PrincipalID = u5.ID, RoleID = r25.ID } }); // Recompute membership relations: var u1r1 = membership.Query(m => m.Principal.Name.Contains(@"\u1")).Single(); membership.Delete(new[] { u1r1 }, checkUserPermissions: false); Assert.AreEqual(@"\u2-\r2, \u2-r25, u5-r25", ReportMembership(container), "modified membership"); repository.Common.PrincipalHasRole.RecomputeFromActiveDirectoryPrincipalHasRole(); Assert.AreEqual(@"\u1-\r1, \u2-\r2, \u2-r25, u5-r25", ReportMembership(container), "recomputed membership"); } }
/// <summary>Shortens and sorts the names.</summary> private string ReportMembership(MockWindowsSecurityRhetosContainer container, object filter = null) { var context = container.Resolve <Common.ExecutionContext>(); var membership = context.Repository.Common.PrincipalHasRole; var query = filter == null?membership.Query() : membership.Query(membership.Load(filter).Select(item => item.ID)); var reportData = query.Select(phr => new { PrincipalName = phr.Principal.Name, RoleName = phr.Role.Name }).ToList(); string report = TestUtility.DumpSorted(reportData, phr => Shorten(phr.PrincipalName) + "-" + Shorten(phr.RoleName)); Console.WriteLine("[ReportMembership] " + report); return(report); }
public void TestMock() { using (var container = new MockWindowsSecurityRhetosContainer("u1-r1 u1-r12 u2-r12 u2-r2", commitChanges: false)) { var u1 = new Common.Principal { ID = Guid.NewGuid(), Name = _domainPrefix + "u1" }; var ws = container.Resolve <Rhetos.Security.IWindowsSecurity>(); Assert.AreEqual("r1, r12", TestUtility.DumpSorted(ws.GetIdentityMembership(u1.Name)), "u1 active directory groups"); } }
public void UserShouldNotUpdateDomainMembership() { using (var container = new MockWindowsSecurityRhetosContainer("u1-r1 u1-r12 u2-r12 u2-r2", commitChanges: false)) { container.Resolve <ISqlExecuter>() .ExecuteSql("DELETE FROM Common.Principal; DELETE FROM Common.Role"); // Insert test data: var u1 = new Common.Principal { ID = Guid.NewGuid(), Name = _domainPrefix + "u1" }; var u2 = new Common.Principal { ID = Guid.NewGuid(), Name = _domainPrefix + "u2" }; var r1 = new Common.Role { ID = Guid.NewGuid(), Name = _domainPrefix + "r1" }; var r2 = new Common.Role { ID = Guid.NewGuid(), Name = _domainPrefix + "r2" }; var repository = container.Resolve <Common.DomRepository>(); var roles = container.Resolve <GenericRepository <Common.Role> >(); var principals = container.Resolve <GenericRepository <Common.Principal> >(); var membership = repository.Common.PrincipalHasRole; roles.Insert(r1, r2); principals.Insert(u1, u2); // The user should not update domain users/groups membership: Assert.AreEqual(@"\u1-\r1, \u2-\r2", ReportMembership(container)); var u2r2 = membership.Query(m => m.Principal.Name.Contains(@"\u2")).Single(); membership.Delete(new[] { u2r2 }, checkUserPermissions: false); Assert.AreEqual(@"\u1-\r1", ReportMembership(container)); var u1r1 = membership.Query(m => m.Principal.Name.Contains(@"\u1")).Single(); TestUtility.ShouldFail( () => membership.Delete(new[] { u1r1 }, checkUserPermissions: true), "It is not allowed to remove the user membership here, because role " + _domainPrefix + "r1 is synchronized with an Active Directory group"); } }
public void ComputeOnAuthorization() { using (var container = new MockWindowsSecurityRhetosContainer("u1-r1 u1-r12 u2-r12 u2-r2", commitChanges: false)) { container.Resolve <ISqlExecuter>() .ExecuteSql("DELETE FROM Common.Principal; DELETE FROM Common.Role"); // Insert test data: var u1 = new Common.Principal { ID = Guid.NewGuid(), Name = _domainPrefix + "u1" }; var u2 = new Common.Principal { ID = Guid.NewGuid(), Name = _domainPrefix + "u2" }; var u3 = new Common.Principal { ID = Guid.NewGuid(), Name = _domainPrefix + "u3" }; var u5 = new Common.Principal { ID = Guid.NewGuid(), Name = "u5" }; var r1 = new Common.Role { ID = Guid.NewGuid(), Name = _domainPrefix + "r1" }; var r2 = new Common.Role { ID = Guid.NewGuid(), Name = _domainPrefix + "r2" }; var r25 = new Common.Role { ID = Guid.NewGuid(), Name = "r25" }; var repository = container.Resolve <Common.DomRepository>(); var roles = container.Resolve <GenericRepository <Common.Role> >(); var principals = container.Resolve <GenericRepository <Common.Principal> >(); var membership = container.Resolve <GenericRepository <Common.PrincipalHasRole> >(); roles.Insert(r1, r2, r25); principals.Insert(u1, u2, u3, u5); membership.Delete(membership.Load()); membership.Insert(new[] { // Non-domain users and roles. new Common.PrincipalHasRole { PrincipalID = u2.ID, RoleID = r25.ID }, new Common.PrincipalHasRole { PrincipalID = u5.ID, RoleID = r25.ID } }); // Recompute membership on authorization: var authorizationProvider = container.Resolve <CommonAuthorizationProvider>(); Assert.AreEqual(@"\u2-r25, u5-r25", ReportMembership(container)); { var userRoles = authorizationProvider.GetUsersRoles(u1); Assert.AreEqual(@"\r1", ReportRoles(userRoles, container)); Assert.AreEqual(@"\u1-\r1, \u2-r25, u5-r25", ReportMembership(container), "membership recomputed on authorization u1"); } { var userRoles = authorizationProvider.GetUsersRoles(u2); Assert.AreEqual(@"\r2, r25", ReportRoles(userRoles, container), "mixed membership"); Assert.AreEqual(@"\u1-\r1, \u2-\r2, \u2-r25, u5-r25", ReportMembership(container), "membership recomputed on authorization u2"); } AuthorizationDataCache.ClearCache(); membership.Delete(membership.Load()); Assert.AreEqual(@"", ReportMembership(container), "membership deleted"); { var userRoles = authorizationProvider.GetUsersRoles(u1); Assert.AreEqual(@"\r1", ReportRoles(userRoles, container)); Assert.AreEqual(@"\u1-\r1", ReportMembership(container), "membership recomputed on authorization u1"); } { var userRoles = authorizationProvider.GetUsersRoles(u2); Assert.AreEqual(@"\r2", ReportRoles(userRoles, container)); Assert.AreEqual(@"\u1-\r1, \u2-\r2", ReportMembership(container), "membership recomputed on authorization u2"); } } }
public void ComputeOnUpdateRole() { using (var container = new MockWindowsSecurityRhetosContainer("u1-r1 u1-r12 u2-r12 u2-r2", commitChanges: false)) { container.Resolve <ISqlExecuter>() .ExecuteSql("DELETE FROM Common.Principal; DELETE FROM Common.Role"); // Insert test data: var u1 = new Common.Principal { ID = Guid.NewGuid(), Name = _domainPrefix + "u1" }; var u2 = new Common.Principal { ID = Guid.NewGuid(), Name = _domainPrefix + "u2" }; var u3 = new Common.Principal { ID = Guid.NewGuid(), Name = _domainPrefix + "u3" }; var u5 = new Common.Principal { ID = Guid.NewGuid(), Name = "u5" }; var r1 = new Common.Role { ID = Guid.NewGuid(), Name = _domainPrefix + "r1" }; var r2 = new Common.Role { ID = Guid.NewGuid(), Name = _domainPrefix + "r2" }; var r25 = new Common.Role { ID = Guid.NewGuid(), Name = "r25" }; var repository = container.Resolve <Common.DomRepository>(); var roles = container.Resolve <GenericRepository <Common.Role> >(); var principals = container.Resolve <GenericRepository <Common.Principal> >(); var membership = container.Resolve <GenericRepository <Common.PrincipalHasRole> >(); roles.Insert(r1, r2, r25); principals.Insert(u1, u2, u3, u5); membership.Insert(new[] { // Non-domain users and roles. new Common.PrincipalHasRole { PrincipalID = u2.ID, RoleID = r25.ID }, new Common.PrincipalHasRole { PrincipalID = u5.ID, RoleID = r25.ID } }); // Recompute membership on modified role should remove obsolete memebers: Assert.AreEqual(@"\u1-\r1, \u2-\r2, \u2-r25, u5-r25", ReportMembership(container), "initial membership"); r2.Name = _domainPrefix + "r2x"; roles.Update(r2); Assert.AreEqual(@"\u1-\r1, \u2-r25, u5-r25", ReportMembership(container), "recomputed membership after rename role"); // New role members will not be added automatically, to avoid performance penalty: // (the membership will be added on the principal's authorization check) r2.Name = _domainPrefix + "r2"; roles.Update(r2); // This is not reqested feature, this assert simply describes currently implemented behaviour: Assert.AreEqual(@"\u1-\r1, \u2-r25, u5-r25", ReportMembership(container)); } }
public void CommonFilters() { using (var container = new MockWindowsSecurityRhetosContainer("u1-r1 u1-r12 u2-r12 u2-r2", commitChanges: false)) { container.Resolve <ISqlExecuter>() .ExecuteSql("DELETE FROM Common.Principal; DELETE FROM Common.Role"); // Insert test data: var u1 = new Common.Principal { ID = Guid.NewGuid(), Name = _domainPrefix + "u1" }; var u2 = new Common.Principal { ID = Guid.NewGuid(), Name = _domainPrefix + "u2" }; var u3 = new Common.Principal { ID = Guid.NewGuid(), Name = _domainPrefix + "u3" }; var u5 = new Common.Principal { ID = Guid.NewGuid(), Name = "u5" }; var r1 = new Common.Role { ID = Guid.NewGuid(), Name = _domainPrefix + "r1" }; var r2 = new Common.Role { ID = Guid.NewGuid(), Name = _domainPrefix + "r2" }; var r25 = new Common.Role { ID = Guid.NewGuid(), Name = "r25" }; var repository = container.Resolve <Common.DomRepository>(); var roles = container.Resolve <GenericRepository <Common.Role> >(); var principals = container.Resolve <GenericRepository <Common.Principal> >(); var membership = repository.Common.PrincipalHasRole; roles.Insert(r1, r2, r25); principals.Insert(u1, u2, u3, u5); membership.Insert(new[] { // Non-domain users and roles. new Common.PrincipalHasRole { PrincipalID = u2.ID, RoleID = r25.ID }, new Common.PrincipalHasRole { PrincipalID = u5.ID, RoleID = r25.ID } }); // Common filters: var filter1 = new Common.ActiveDirectoryAllUsersParameter(); Assert.AreEqual(@"\u1-\r1, \u2-\r2", ReportMembership(container, filter1), "filter ActiveDirectoryAllUsersParameter"); var filter2 = new[] { u1.Name, u2.Name }.Select(name => new Common.ActiveDirectoryUserParameter { UserName = name }).ToArray(); Assert.AreEqual(@"\u1-\r1, \u2-\r2", ReportMembership(container, filter2), "filter ActiveDirectoryUserParameter"); } }
private string ReportRoles(IEnumerable <Guid> roles, MockWindowsSecurityRhetosContainer container) { var roleNames = container.Resolve <GenericRepository <Common.Role> >().Load().ToDictionary(r => r.ID, r => r.Name); return(ReportRoles(roles.Select(id => roleNames[id]))); }