예제 #1
0
 /// <summary>Shortens and sorts the names.</summary>
 private string ReportMembership(MockWindowsSecurityRhetosContainer container, object filter = null)
 {
     var context = container.Resolve<Common.ExecutionContext>();
     var membership = context.Repository.Common.PrincipalHasRole;
     var query = filter == null ? membership.Query() : membership.Query(membership.Load(filter).Select(item => item.ID));
     var reportData = query.Select(phr => new { PrincipalName = phr.Principal.Name, RoleName = phr.Role.Name }).ToList();
     string report = TestUtility.DumpSorted(reportData, phr => Shorten(phr.PrincipalName) + "-" + Shorten(phr.RoleName));
     Console.WriteLine("[ReportMembership] " + report);
     return report;
 }
예제 #2
0
        public void TestMock()
        {
            using (var container = new MockWindowsSecurityRhetosContainer("u1-r1 u1-r12 u2-r12 u2-r2", commitChanges: false))
            {
                var u1 = new Common.Principal { ID = Guid.NewGuid(), Name = _domainPrefix + "u1" };

                var ws = container.Resolve<Rhetos.Security.IWindowsSecurity>();
                Assert.AreEqual("r1, r12", TestUtility.DumpSorted(ws.GetIdentityMembership(u1.Name)), "u1 active directory groups");
            }
        }
예제 #3
0
        public void CommonFilters()
        {
            using (var container = new MockWindowsSecurityRhetosContainer("u1-r1 u1-r12 u2-r12 u2-r2", commitChanges: false))
            {
                container.Resolve<Common.ExecutionContext>().NHibernateSession
                    .CreateSQLQuery("DELETE FROM Common.Principal; DELETE FROM Common.Role")
                    .ExecuteUpdate();

                // Insert test data:

                var u1 = new Common.Principal { ID = Guid.NewGuid(), Name = _domainPrefix + "u1" };
                var u2 = new Common.Principal { ID = Guid.NewGuid(), Name = _domainPrefix + "u2" };
                var u3 = new Common.Principal { ID = Guid.NewGuid(), Name = _domainPrefix + "u3" };
                var u5 = new Common.Principal { ID = Guid.NewGuid(), Name = "u5" };
                var r1 = new Common.Role { ID = Guid.NewGuid(), Name = _domainPrefix + "r1" };
                var r2 = new Common.Role { ID = Guid.NewGuid(), Name = _domainPrefix + "r2" };
                var r25 = new Common.Role { ID = Guid.NewGuid(), Name = "r25" };

                var repository = container.Resolve<Common.DomRepository>();
                var roles = container.Resolve<GenericRepository<Common.Role>>();
                var principals = container.Resolve<GenericRepository<Common.Principal>>();
                var membership = container.Resolve<GenericRepository<Common.PrincipalHasRole>>();

                roles.Insert(r1, r2, r25);
                principals.Insert(u1, u2, u3, u5);
                membership.Insert(new[] { // Non-domain users and roles.
                    new Common.PrincipalHasRole { Principal = u2, Role = r25 },
                    new Common.PrincipalHasRole { Principal = u5, Role = r25 } });

                // Common filters:

                var filter1 = new Common.ActiveDirectoryAllUsersParameter();
                Assert.AreEqual(@"\u1-\r1, \u2-\r2",
                    ReportMembership(container, filter1),
                    "filter ActiveDirectoryAllUsersParameter");

                var filter2 = new[] { u1.Name, u2.Name }.Select(name => new Common.ActiveDirectoryUserParameter { UserName = name }).ToArray();
                Assert.AreEqual(@"\u1-\r1, \u2-\r2",
                    ReportMembership(container, filter2),
                    "filter ActiveDirectoryUserParameter");
            }
        }
예제 #4
0
        public void ComputeOnAuthorization()
        {
            using (var container = new MockWindowsSecurityRhetosContainer("u1-r1 u1-r12 u2-r12 u2-r2", commitChanges: false))
            {
                container.Resolve<Common.ExecutionContext>().NHibernateSession
                    .CreateSQLQuery("DELETE FROM Common.Principal; DELETE FROM Common.Role")
                    .ExecuteUpdate();

                // Insert test data:

                var u1 = new Common.Principal { ID = Guid.NewGuid(), Name = _domainPrefix + "u1" };
                var u2 = new Common.Principal { ID = Guid.NewGuid(), Name = _domainPrefix + "u2" };
                var u3 = new Common.Principal { ID = Guid.NewGuid(), Name = _domainPrefix + "u3" };
                var u5 = new Common.Principal { ID = Guid.NewGuid(), Name = "u5" };
                var r1 = new Common.Role { ID = Guid.NewGuid(), Name = _domainPrefix + "r1" };
                var r2 = new Common.Role { ID = Guid.NewGuid(), Name = _domainPrefix + "r2" };
                var r25 = new Common.Role { ID = Guid.NewGuid(), Name = "r25" };

                var repository = container.Resolve<Common.DomRepository>();
                var roles = container.Resolve<GenericRepository<Common.Role>>();
                var principals = container.Resolve<GenericRepository<Common.Principal>>();
                var membership = container.Resolve<GenericRepository<Common.PrincipalHasRole>>();

                roles.Insert(r1, r2, r25);
                principals.Insert(u1, u2, u3, u5);
                membership.Delete(membership.Read());
                membership.Insert(new[] { // Non-domain users and roles.
                    new Common.PrincipalHasRole { Principal = u2, Role = r25 },
                    new Common.PrincipalHasRole { Principal = u5, Role = r25 } });

                // Recompute membership on authorization:

                var authorizationProvider = container.Resolve<CommonAuthorizationProvider>();

                Assert.AreEqual(@"\u2-r25, u5-r25", ReportMembership(container));

                {
                    var userRoles = authorizationProvider.GetUsersRoles(u1);
                    Assert.AreEqual(@"\r1", ReportRoles(userRoles, container));
                    Assert.AreEqual(@"\u1-\r1, \u2-r25, u5-r25", ReportMembership(container), "membership recomputed on authorization u1");
                }

                {
                    var userRoles = authorizationProvider.GetUsersRoles(u2);
                    Assert.AreEqual(@"\r2, r25", ReportRoles(userRoles, container), "mixed membership");
                    Assert.AreEqual(@"\u1-\r1, \u2-\r2, \u2-r25, u5-r25", ReportMembership(container), "membership recomputed on authorization u2");
                }

                AuthorizationDataCache.ClearCache();
                membership.Delete(membership.Read());
                Assert.AreEqual(@"", ReportMembership(container), "membership deleted");

                {
                    var userRoles = authorizationProvider.GetUsersRoles(u1);
                    Assert.AreEqual(@"\r1", ReportRoles(userRoles, container));
                    Assert.AreEqual(@"\u1-\r1", ReportMembership(container), "membership recomputed on authorization u1");
                }

                {
                    var userRoles = authorizationProvider.GetUsersRoles(u2);
                    Assert.AreEqual(@"\r2", ReportRoles(userRoles, container));
                    Assert.AreEqual(@"\u1-\r1, \u2-\r2", ReportMembership(container), "membership recomputed on authorization u2");
                }
            }
        }
예제 #5
0
 private string ReportRoles(IEnumerable<Guid> roles, MockWindowsSecurityRhetosContainer container)
 {
     var roleNames = container.Resolve<GenericRepository<Common.Role>>().Read().ToDictionary(r => r.ID, r => r.Name);
     return ReportRoles(roles.Select(id => roleNames[id]));
 }
예제 #6
0
 /// <summary>Shortens and sorts the names.</summary>
 private string ReportMembership(MockWindowsSecurityRhetosContainer container, object filter = null)
 {
     var membership = container.Resolve<GenericRepository<Common.PrincipalHasRole>>();
     var query = filter == null ? membership.Read() : membership.Read(filter);
     string report = TestUtility.DumpSorted(query, phr => Shorten(phr.Principal.Name) + "-" + Shorten(phr.Role.Name));
     Console.WriteLine("[ReportMembership] " + report);
     return report;
 }
예제 #7
0
        public void UserShouldNotUpdateDomainMembership()
        {
            using (var container = new MockWindowsSecurityRhetosContainer("u1-r1 u1-r12 u2-r12 u2-r2", commitChanges: false))
            {
                container.Resolve<Common.ExecutionContext>().NHibernateSession
                    .CreateSQLQuery("DELETE FROM Common.Principal; DELETE FROM Common.Role")
                    .ExecuteUpdate();

                // Insert test data:

                var u1 = new Common.Principal { ID = Guid.NewGuid(), Name = _domainPrefix + "u1" };
                var u2 = new Common.Principal { ID = Guid.NewGuid(), Name = _domainPrefix + "u2" };
                var r1 = new Common.Role { ID = Guid.NewGuid(), Name = _domainPrefix + "r1" };
                var r2 = new Common.Role { ID = Guid.NewGuid(), Name = _domainPrefix + "r2" };

                var repository = container.Resolve<Common.DomRepository>();
                var roles = container.Resolve<GenericRepository<Common.Role>>();
                var principals = container.Resolve<GenericRepository<Common.Principal>>();
                var membership = container.Resolve<GenericRepository<Common.PrincipalHasRole>>();

                roles.Insert(r1, r2);
                principals.Insert(u1, u2);

                // The user should not update domain users/groups membership:

                Assert.AreEqual(@"\u1-\r1, \u2-\r2", ReportMembership(container));

                var u2r2 = membership.Read(m => m.Principal.Name.Contains(@"\u2")).Single();
                membership.Delete(new[] { u2r2 }, checkUserPermissions: false);
                Assert.AreEqual(@"\u1-\r1", ReportMembership(container));

                var u1r1 = membership.Read(m => m.Principal.Name.Contains(@"\u1")).Single();
                TestUtility.ShouldFail(
                    () => membership.Delete(new[] { u1r1 }, checkUserPermissions: true),
                    "It is not allowed to remove the user membership here, because role " + _domainPrefix + "r1 is synchronized with an Active Directory group");
            }
        }
예제 #8
0
        public void RoleInheritance()
        {
            using (var container = new MockWindowsSecurityRhetosContainer("u1-r1 u1-r12 u2-r12 u2-r2", commitChanges: false))
            {
                container.Resolve<Common.ExecutionContext>().NHibernateSession
                    .CreateSQLQuery("DELETE FROM Common.Principal; DELETE FROM Common.Role")
                    .ExecuteUpdate();

                // Insert test data:

                var u1 = new Common.Principal { ID = Guid.NewGuid(), Name = _domainPrefix + "u1" };
                var u2 = new Common.Principal { ID = Guid.NewGuid(), Name = _domainPrefix + "u2" };
                var u3 = new Common.Principal { ID = Guid.NewGuid(), Name = _domainPrefix + "u3" };
                var u5 = new Common.Principal { ID = Guid.NewGuid(), Name = "u5" };
                var r1 = new Common.Role { ID = Guid.NewGuid(), Name = _domainPrefix + "r1" };
                var r2 = new Common.Role { ID = Guid.NewGuid(), Name = _domainPrefix + "r2" };
                var r25 = new Common.Role { ID = Guid.NewGuid(), Name = "r25" };

                var repository = container.Resolve<Common.DomRepository>();
                var roles = container.Resolve<GenericRepository<Common.Role>>();
                var principals = container.Resolve<GenericRepository<Common.Principal>>();
                var membership = container.Resolve<GenericRepository<Common.PrincipalHasRole>>();

                roles.Insert(r1, r2, r25);
                principals.Insert(u1, u2, u3, u5);
                membership.Insert(new[] { // Non-domain users and roles.
                    new Common.PrincipalHasRole { Principal = u2, Role = r25 },
                    new Common.PrincipalHasRole { Principal = u5, Role = r25 } });

                // Modify role inheritance:

                repository.Common.RoleInheritsRole.Insert(new[] { new Common.RoleInheritsRole {
                    UsersFrom = r1, PermissionsFrom = r25 } });

                TestUtility.ShouldFail(() => repository.Common.RoleInheritsRole.Insert(new[] { new Common.RoleInheritsRole {
                    UsersFrom = r25, PermissionsFrom = r2 } }), "UserException",
                    "It is not allowed to add users or user groups here because this role is synchronized with an Active Directory group.",
                    "Please change the user membership on Active Directory instead.");
            }
        }
예제 #9
0
        public void RecomputeMembership()
        {
            using (var container = new MockWindowsSecurityRhetosContainer("u1-r1 u1-r12 u2-r12 u2-r2", commitChanges: false))
            {
                container.Resolve<Common.ExecutionContext>().NHibernateSession
                    .CreateSQLQuery("DELETE FROM Common.Principal; DELETE FROM Common.Role")
                    .ExecuteUpdate();

                // Insert test data:

                var u1 = new Common.Principal { ID = Guid.NewGuid(), Name = _domainPrefix + "u1" };
                var u2 = new Common.Principal { ID = Guid.NewGuid(), Name = _domainPrefix + "u2" };
                var u3 = new Common.Principal { ID = Guid.NewGuid(), Name = _domainPrefix + "u3" };
                var u5 = new Common.Principal { ID = Guid.NewGuid(), Name = "u5" };
                var r1 = new Common.Role { ID = Guid.NewGuid(), Name = _domainPrefix + "r1" };
                var r2 = new Common.Role { ID = Guid.NewGuid(), Name = _domainPrefix + "r2" };
                var r25 = new Common.Role { ID = Guid.NewGuid(), Name = "r25" };

                var repository = container.Resolve<Common.DomRepository>();
                var roles = container.Resolve<GenericRepository<Common.Role>>();
                var principals = container.Resolve<GenericRepository<Common.Principal>>();
                var membership = container.Resolve<GenericRepository<Common.PrincipalHasRole>>();

                roles.Insert(r1, r2, r25);
                principals.Insert(u1, u2, u3, u5);
                membership.Insert(new[] { // Non-domain users and roles.
                    new Common.PrincipalHasRole { Principal = u2, Role = r25 },
                    new Common.PrincipalHasRole { Principal = u5, Role = r25 } });

                // Recompute membership relations:

                var u1r1 = membership.Read(m => m.Principal.Name.Contains(@"\u1")).Single();
                membership.Delete(new[] { u1r1 }, checkUserPermissions: false);
                Assert.AreEqual(@"\u2-\r2, \u2-r25, u5-r25", ReportMembership(container), "modified membership");

                repository.Common.PrincipalHasRole.RecomputeFromActiveDirectoryPrincipalHasRole();
                Assert.AreEqual(@"\u1-\r1, \u2-\r2, \u2-r25, u5-r25", ReportMembership(container), "recomputed membership");
            }
        }
예제 #10
0
        public void ComputeOnUpdateRole()
        {
            using (var container = new MockWindowsSecurityRhetosContainer("u1-r1 u1-r12 u2-r12 u2-r2", commitChanges: false))
            {
                container.Resolve<Common.ExecutionContext>().NHibernateSession
                    .CreateSQLQuery("DELETE FROM Common.Principal; DELETE FROM Common.Role")
                    .ExecuteUpdate();

                // Insert test data:

                var u1 = new Common.Principal { ID = Guid.NewGuid(), Name = _domainPrefix + "u1" };
                var u2 = new Common.Principal { ID = Guid.NewGuid(), Name = _domainPrefix + "u2" };
                var u3 = new Common.Principal { ID = Guid.NewGuid(), Name = _domainPrefix + "u3" };
                var u5 = new Common.Principal { ID = Guid.NewGuid(), Name = "u5" };
                var r1 = new Common.Role { ID = Guid.NewGuid(), Name = _domainPrefix + "r1" };
                var r2 = new Common.Role { ID = Guid.NewGuid(), Name = _domainPrefix + "r2" };
                var r25 = new Common.Role { ID = Guid.NewGuid(), Name = "r25" };

                var repository = container.Resolve<Common.DomRepository>();
                var roles = container.Resolve<GenericRepository<Common.Role>>();
                var principals = container.Resolve<GenericRepository<Common.Principal>>();
                var membership = container.Resolve<GenericRepository<Common.PrincipalHasRole>>();

                roles.Insert(r1, r2, r25);
                principals.Insert(u1, u2, u3, u5);
                membership.Insert(new[] { // Non-domain users and roles.
                    new Common.PrincipalHasRole { Principal = u2, Role = r25 },
                    new Common.PrincipalHasRole { Principal = u5, Role = r25 } });

                // Recompute membership on modified role should remove obsolete memebers:

                Assert.AreEqual(@"\u1-\r1, \u2-\r2, \u2-r25, u5-r25", ReportMembership(container), "initial membership");

                r2.Name = _domainPrefix + "r2x";
                roles.Update(r2);
                Assert.AreEqual(@"\u1-\r1, \u2-r25, u5-r25", ReportMembership(container), "recomputed membership after rename role");

                // New role members will not be added automatically, to avoid performance penalty:
                // (the membership will be added on the principal's authorization check)

                r2.Name = _domainPrefix + "r2";
                roles.Update(r2);
                // This is not reqested feature, this assert simply describes currently implemented behaviour:
                Assert.AreEqual(@"\u1-\r1, \u2-r25, u5-r25", ReportMembership(container));
            }
        }
예제 #11
0
        public void ComputeOnUpdatePrincipal()
        {
            using (var container = new MockWindowsSecurityRhetosContainer("u1-r1 u1-r12 u2-r12 u2-r2", commitChanges: false))
            {
                container.Resolve<Common.ExecutionContext>().NHibernateSession
                    .CreateSQLQuery("DELETE FROM Common.Principal; DELETE FROM Common.Role")
                    .ExecuteUpdate();

                // Insert test data:

                var u1 = new Common.Principal { ID = Guid.NewGuid(), Name = _domainPrefix + "u1" };
                var u2 = new Common.Principal { ID = Guid.NewGuid(), Name = _domainPrefix + "u2" };
                var u3 = new Common.Principal { ID = Guid.NewGuid(), Name = _domainPrefix + "u3" };
                var u5 = new Common.Principal { ID = Guid.NewGuid(), Name = "u5" };
                var r1 = new Common.Role { ID = Guid.NewGuid(), Name = _domainPrefix + "r1" };
                var r2 = new Common.Role { ID = Guid.NewGuid(), Name = _domainPrefix + "r2" };
                var r25 = new Common.Role { ID = Guid.NewGuid(), Name = "r25" };

                var repository = container.Resolve<Common.DomRepository>();
                var roles = container.Resolve<GenericRepository<Common.Role>>();
                var principals = container.Resolve<GenericRepository<Common.Principal>>();
                var membership = container.Resolve<GenericRepository<Common.PrincipalHasRole>>();

                roles.Insert(r1, r2, r25);
                principals.Insert(u1, u2, u3, u5);
                membership.Insert(new[] { // Non-domain users and roles.
                    new Common.PrincipalHasRole { Principal = u2, Role = r25 },
                    new Common.PrincipalHasRole { Principal = u5, Role = r25 } });

                // Recompute membership on update principal (domain users only):

                u2.Name = "u2x";
                principals.Update(u2);
                Assert.AreEqual(@"\u1-\r1, u2x-\r2, u2x-r25, u5-r25", ReportMembership(container), "auto-membership on update ignore non-domain users");
                u2.Name = _domainPrefix + "u2x";
                principals.Update(u2);
                Assert.AreEqual(@"\u1-\r1, \u2x-r25, u5-r25", ReportMembership(container), "auto-membership on update domain users");
                u2.Name = _domainPrefix + "u2";
                principals.Update(u2);
                Assert.AreEqual(@"\u1-\r1, \u2-\r2, \u2-r25, u5-r25", ReportMembership(container), "auto-membership on update domain users 2");
            }
        }
예제 #12
0
        public void ComputeOnInsertPrincipal()
        {
            using (var container = new MockWindowsSecurityRhetosContainer("u1-r1 u1-r12 u2-r12 u2-r2", commitChanges: false))
            {
                container.Resolve<Common.ExecutionContext>().NHibernateSession
                    .CreateSQLQuery("DELETE FROM Common.Principal; DELETE FROM Common.Role")
                    .ExecuteUpdate();

                // Insert test data:

                var u1 = new Common.Principal { ID = Guid.NewGuid(), Name = _domainPrefix + "u1" };
                var u2 = new Common.Principal { ID = Guid.NewGuid(), Name = _domainPrefix + "u2" };
                var u3 = new Common.Principal { ID = Guid.NewGuid(), Name = _domainPrefix + "u3" };
                var u5 = new Common.Principal { ID = Guid.NewGuid(), Name = "u5" };
                var r1 = new Common.Role { ID = Guid.NewGuid(), Name = _domainPrefix + "r1" };
                var r2 = new Common.Role { ID = Guid.NewGuid(), Name = _domainPrefix + "r2" };
                var r25 = new Common.Role { ID = Guid.NewGuid(), Name = "r25" };

                var repository = container.Resolve<Common.DomRepository>();
                var roles = container.Resolve<GenericRepository<Common.Role>>();
                var principals = container.Resolve<GenericRepository<Common.Principal>>();
                var membership = container.Resolve<GenericRepository<Common.PrincipalHasRole>>();

                roles.Insert(r1, r2, r25);
                Assert.AreEqual(@"\r1, \r2, r25", ReportRoles(roles.Read()), "roles created");

                principals.Insert(u1, u2, u3, u5);
                Assert.AreEqual(@"\u1, \u2, \u3, u5", ReportPrincipals(principals.Read()), "principals created");

                // Recompute membership on insert domain users:

                Assert.AreEqual(@"\u1-\r1, \u2-\r2", ReportMembership(container), "auto-membership on insert");

                // Inserting non-domain users and roles:

                membership.Insert(new[] {
                    new Common.PrincipalHasRole { Principal = u2, Role = r25 },
                    new Common.PrincipalHasRole { Principal = u5, Role = r25 } },
                    checkUserPermissions: true);
                Assert.AreEqual(@"\u1-\r1, \u2-\r2, \u2-r25, u5-r25", ReportMembership(container), "non-domain users and roles");
            }
        }