Exemplo n.º 1
        /// <summary>
        /// Verifies that the Guest automated agent is refused the <c>JustDoIt</c> method on
        /// every Organisation the session returns.
        /// </summary>
        /// <remarks>
        /// NOTE(review): the denial is asserted only inside the loop over the extent. If the
        /// extent is empty, no assertion runs and the test still passes - confirm the fixture
        /// contains at least one Organisation.
        /// </remarks>
        public void GivenAnAuthenticationPopulatonWhenCreatingAnAccessListForGuestThenPermissionIsDenied()
        {
            this.Session.Derive();
            this.Session.Commit();

            // Single-element array: the loop body runs once, against this.Session.
            ISession[] sessionsUnderTest = { this.Session };

            foreach (var current in sessionsUnderTest)
            {
                current.Commit();

                // One AccessControlLists instance for the Guest, reused for every object below.
                var guestAcls     = new AccessControlLists(new AutomatedAgents(this.Session).Guest);
                var organisations = (IObject[])current.Extent(M.Organisation.ObjectType);

                foreach (Object organisation in organisations)
                {
                    // The Guest must not be allowed to execute the method on this object.
                    Assert.False(guestAcls[organisation].CanExecute(M.Organisation.JustDoIt));
                }

                // Discard anything the test touched.
                current.Rollback();
            }
        }
Exemplo n.º 2
        /// <summary>
        /// Opens a session, resolves the access control list that "jane" has on "john" and
        /// materialises the Person permissions (all, then workspace-only) of its single
        /// access control.
        /// </summary>
        /// <returns>Always 0.</returns>
        /// <remarks>
        /// NOTE(review): nothing computed here is asserted, logged or returned, so despite its
        /// name this method does not verify any security property. The only observable
        /// failures are exceptions, e.g. <c>Single()</c> throwing when the ACL does not hold
        /// exactly one access control.
        /// </remarks>
        private int CheckSecurity()
        {
            using (var session = this.databaseService.Database.CreateSession())
            {
                var people  = new People(session);
                var subject = people.FindBy(M.Person.FirstName, "jane");
                var target  = people.FindBy(M.Person.FirstName, "john");

                // Throws unless the subject's ACL on the target holds exactly one access control.
                var onlyControl = new AccessControlLists(subject)[target].AccessControls.Single();

                // ToArray() forces both filters to be evaluated inside the session scope.
                var personPermissions = onlyControl.EffectivePermissions
                    .Where(p => p.ConcreteClass == M.Person.Class)
                    .ToArray();

                var workspacePersonPermissions = personPermissions
                    .Where(p => p.OperandType.Workspace)
                    .ToArray();
            }

            return 0;
        }
        /// <summary>
        /// Checks that a member of the Administrators group can read and write
        /// <c>AccessClass.Property</c> on a newly built AccessClass.
        /// </summary>
        /// <remarks>
        /// NOTE(review): the four filtered access-control queries below are assigned but never
        /// read or asserted on; if they are lazy LINQ sequences they are not even enumerated.
        /// They look like debugging aids - confirm whether an assertion was intended.
        /// </remarks>
        public void DelegateAccessReturnsTokens()
        {
            var admin      = new PersonBuilder(this.Session).WithUserName("administrator").Build();
            var adminGroup = new UserGroups(this.Session).Administrators;
            adminGroup.AddMember(admin);

            var accessClass = new AccessClassBuilder(this.Session).Build();

            this.Session.Derive();
            this.Session.Commit();

            // Access controls reachable from the default security token ...
            var defaultToken         = new SecurityTokens(this.Session).DefaultSecurityToken;
            var tokenControlsByUser  = defaultToken.AccessControls.Where(ac => ac.EffectiveUsers.Contains(admin));
            var tokenControlsByGroup = defaultToken.AccessControls.Where(ac => ac.SubjectGroups.Contains(adminGroup));

            // ... and the same two filters over every access control in the session.
            var allControlsByUser  = new AccessControls(this.Session).Extent().Where(ac => ac.EffectiveUsers.Contains(admin));
            var allControlsByGroup = new AccessControls(this.Session).Extent().Where(ac => ac.SubjectGroups.Contains(adminGroup));

            var acl = new AccessControlLists(admin)[accessClass];

            // The read/write checks are deliberately run twice on the same ACL instance,
            // exactly as the original sequence of assertions did.
            for (var pass = 0; pass < 2; pass++)
            {
                Assert.True(acl.CanRead(M.AccessClass.Property));
                Assert.True(acl.CanWrite(M.AccessClass.Property));
            }
        }
Exemplo n.º 4
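        /// <summary>
        /// Signs in as the administrator, pulls all Data objects under the result name
        /// "Datas" and checks that the response carries exactly the one created object,
        /// together with its id, version and access-control string.
        /// </summary>
        /// <returns>A task that completes when every assertion has run.</returns>
        /// <remarks>
        /// Returns a Task instead of <c>async void</c>: with <c>async void</c> a runner that
        /// does not install a synchronization context cannot await the method, so a failure
        /// after the first <c>await</c> may go unobserved. For a test that checks what
        /// access-control data is sent to the client, a silent pass is the worst outcome.
        /// The type is fully qualified so no extra using directive is required.
        /// </remarks>
        public async System.Threading.Tasks.Task WithResult()
        {
            await this.SignIn(this.Administrator);

            var data = new DataBuilder(this.Session).WithString("First").Build();

            this.Session.Commit();

            var uri = new Uri(@"allors/pull", UriKind.Relative);

            var extent = new Allors.Data.Extent(M.Data.ObjectType);

            // One pull over the Data extent, exposed to the client as "Datas".
            var pullRequest = new PullRequest
            {
                P = new[]
                {
                    new Pull
                    {
                        Extent  = extent.Save(),
                        Results = new[]
                        {
                            new Result {
                                Name = "Datas"
                            },
                        },
                    },
                },
            };

            var response = await this.PostAsJsonAsync(uri, pullRequest);

            var pullResponse = await this.ReadAsAsync <PullResponse>(response);

            var namedCollection = pullResponse.NamedCollections["Datas"];

            // Exactly one object may be returned: the one created above.
            Assert.Single(namedCollection);

            var namedObject = namedCollection.First();

            Assert.Equal(data.Id.ToString(), namedObject);

            var objects = pullResponse.Objects;

            Assert.Single(objects);

            var @object = objects[0];

            // Server-side ACL of the signed-in user, used as the expected value below.
            var acls = new AccessControlLists(this.Administrator);
            var acl  = acls[data];

            // Three elements: object id, object version, access controls.
            Assert.Equal(3, @object.Length);

            Assert.Equal(data.Strategy.ObjectId.ToString(), @object[0]);
            Assert.Equal(data.Strategy.ObjectVersion.ToString(), @object[1]);

            // The access-control string sent to the client must match what the server
            // computes for this user; PrintAccessControls is defined outside this block.
            Assert.Equal(this.PrintAccessControls(acl), @object[2]);
        }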
Exemplo n.º 5
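        /// <summary>
        /// Signs in as the administrator, denies one Data permission on a new Data object,
        /// pulls all Data objects and checks that the response carries the object with its
        /// id, version, access-control string and denied-permission string.
        /// </summary>
        /// <returns>A task that completes when every assertion has run.</returns>
        /// <remarks>
        /// Returns a Task instead of <c>async void</c>: with <c>async void</c> a runner that
        /// does not install a synchronization context cannot await the method, so a failure
        /// after the first <c>await</c> may go unobserved and a regression in how denied
        /// permissions are reported could pass silently. The type is fully qualified so no
        /// extra using directive is required.
        /// NOTE(review): the request names no result, yet the response is read under "Datas",
        /// and the members <c>p</c>, <c>extent</c> and <c>namedCollections</c> are lower-case
        /// while <c>Objects</c> is not - confirm against the PullRequest/PullResponse
        /// definitions this test is compiled with.
        /// </remarks>
        public async System.Threading.Tasks.Task WithDeniedPermissions()
        {
            await this.SignIn(this.Administrator);

            var data       = new DataBuilder(this.Session).WithString("First").Build();

            // First permission found for the Data class; which operation it covers is not
            // pinned down by this query.
            var permission = new Permissions(this.Session).Extent().First(v => v.ConcreteClass == M.Data.Class);

            data.AddDeniedPermission(permission);

            this.Session.Commit();

            var uri = new Uri("pull", UriKind.Relative);

            var extent = new Allors.Data.Extent(M.Data.ObjectType);

            var pullRequest = new PullRequest
            {
                p = new[]
                {
                    new Pull
                    {
                        extent = extent.Save(),
                    },
                },
            };

            var response = await this.PostAsJsonAsync(uri, pullRequest);

            var pullResponse = await this.ReadAsAsync <PullResponse>(response);

            var namedCollection = pullResponse.namedCollections["Datas"];

            // Exactly one object may be returned: the one created above.
            Assert.Single(namedCollection);

            var namedObject = namedCollection.First();

            Assert.Equal(data.Id.ToString(), namedObject);

            var objects = pullResponse.Objects;

            Assert.Single(objects);

            var @object = objects[0];

            // Server-side ACL of the signed-in user, used as the expected value below.
            var acls = new AccessControlLists(this.Administrator);
            var acl  = acls[data];

            // Four elements: object id, object version, access controls, denied permissions.
            Assert.Equal(4, @object.Length);

            Assert.Equal(data.Strategy.ObjectId.ToString(), @object[0]);
            Assert.Equal(data.Strategy.ObjectVersion.ToString(), @object[1]);

            // Both strings sent to the client must match what the server computes for this
            // user; the two Print helpers are defined outside this block.
            Assert.Equal(this.PrintAccessControls(acl), @object[2]);
            Assert.Equal(this.PrintDeniedPermissions(acl), @object[3]);
        }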
Exemplo n.º 6
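        /// <summary>
        /// Grants a person read access to <c>Organisation.Name</c> through a role, then
        /// replaces that person as subject of the access control and verifies the read
        /// permission is gone.
        /// </summary>
        /// <remarks>
        /// The access list computed before the removal is now asserted to grant the read.
        /// Without that precondition the final <c>Assert.False</c> would also pass if the grant
        /// had never taken effect, so the test could not tell "access was revoked" apart from
        /// "access was never given".
        /// </remarks>
        public void GivenAnAccessListWhenRemovingUserFromACLThenUserHasNoAccessToThePermissionsInTheRole()
        {
            var permission = this.FindPermission(M.Organisation.Name, Operations.Read);
            var role       = new RoleBuilder(this.Session).WithName("Role").WithPermission(permission).Build();
            var person     = new PersonBuilder(this.Session).WithFirstName("John").WithLastName("Doe").Build();
            var person2    = new PersonBuilder(this.Session).WithFirstName("Jane").WithLastName("Doe").Build();

            // Initially only "John Doe" is a subject of the access control.
            new AccessControlBuilder(this.Session).WithSubject(person).WithRole(role).Build();

            this.Session.Derive();
            this.Session.Commit();

            // Single-element array: the loop body runs once, against this.Session.
            var sessions = new ISession[] { this.Session };

            foreach (var session in sessions)
            {
                session.Commit();

                var organisation = new OrganisationBuilder(session).WithName("Organisation").Build();

                // Attach the access control to the organisation through a new security token.
                var token = new SecurityTokenBuilder(session).Build();
                organisation.AddSecurityToken(token);

                var accessControl = (AccessControl)session.Instantiate(role.AccessControlsWhereRole.First);
                token.AddAccessControl(accessControl);

                this.Session.Derive();

                var acl = new AccessControlLists(person)[organisation];

                // Precondition: the grant must be effective before it is revoked.
                Assert.True(acl.CanRead(M.Organisation.Name));

                // Swap the subject: the first person out, the second person in.
                accessControl.RemoveSubject(person);
                accessControl.AddSubject(person2);

                this.Session.Derive();

                // A new AccessControlLists instance is built so the result reflects the change.
                acl = new AccessControlLists(person)[organisation];

                Assert.False(acl.CanRead(M.Organisation.Name));

                session.Rollback();
            }
        }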
Exemplo n.º 7
        /// <summary>
        /// Verifies that a denied permission on an object overrides a grant: a person who can
        /// read <c>Organisation.Name</c> through a role loses that right once the same
        /// permission is added to the organisation's denied permissions.
        /// </summary>
        /// <remarks>
        /// NOTE(review): no derivation is run between <c>AddDeniedPermission</c> and the second
        /// ACL lookup, so the final assertion relies on the denial taking effect immediately.
        /// </remarks>
        public void DeniedPermissions()
        {
            var readName     = this.FindPermission(M.Organisation.Name, Operations.Read);
            var grantingRole = new RoleBuilder(this.Session).WithName("Role").WithPermission(readName).Build();
            var john         = new PersonBuilder(this.Session).WithFirstName("John").WithLastName("Doe").Build();

            new AccessControlBuilder(this.Session).WithRole(grantingRole).WithSubject(john).Build();

            this.Session.Derive();
            this.Session.Commit();

            // Single-element array: the loop body runs once, against this.Session.
            ISession[] sessionsUnderTest = { this.Session };

            foreach (var current in sessionsUnderTest)
            {
                current.Commit();

                var organisation = new OrganisationBuilder(current).WithName("Organisation").Build();

                // Attach the role's access control to the organisation through a new token.
                var token = new SecurityTokenBuilder(current).Build();
                organisation.AddSecurityToken(token);

                var storedRole    = new Roles(this.Session).FindBy(M.Role.Name, "Role");
                var role          = (Role)current.Instantiate(storedRole);
                var accessControl = (AccessControl)current.Instantiate(role.AccessControlsWhereRole.First);
                token.AddAccessControl(accessControl);

                Assert.False(this.Session.Derive(false).HasErrors);

                // Before the denial the grant is effective.
                var before = new AccessControlLists(john)[organisation];
                Assert.True(before.CanRead(M.Organisation.Name));

                organisation.AddDeniedPermission(readName);

                // After the denial a newly built ACL must refuse the read.
                var after = new AccessControlLists(john)[organisation];
                Assert.False(after.CanRead(M.Organisation.Name));

                current.Rollback();
            }
        }
Exemplo n.º 8
        /// <summary>
        /// Verifies that a role granted to one user group does not leak to a person who is a
        /// member of a different group: the access control names "AnotherGroup", the person
        /// belongs to "Group", and the read on <c>Organisation.Name</c> must be refused.
        /// </summary>
        /// <remarks>
        /// NOTE(review): the method name ends in "ThenUserHasAccess..." but the assertion
        /// checks that access is denied. The assertion matches the setup; the name is misleading.
        /// </remarks>
        public void GivenAnotherUserGroupAndAnAccessControlledObjectWhenGettingTheAccessListThenUserHasAccessToThePermissionsInTheRole()
        {
            var readName     = this.FindPermission(M.Organisation.Name, Operations.Read);
            var grantingRole = new RoleBuilder(this.Session).WithName("Role").WithPermission(readName).Build();

            var john = new PersonBuilder(this.Session).WithFirstName("John").WithLastName("Doe").Build();

            // The person is a member of "Group" only; "AnotherGroup" has no members.
            new UserGroupBuilder(this.Session).WithName("Group").WithMember(john).Build();
            var otherGroup = new UserGroupBuilder(this.Session).WithName("AnotherGroup").Build();

            this.Session.Derive();
            this.Session.Commit();

            // The role is granted to the group the person does NOT belong to.
            new AccessControlBuilder(this.Session).WithSubjectGroup(otherGroup).WithRole(grantingRole).Build();

            this.Session.Commit();

            // Single-element array: the loop body runs once, against this.Session.
            ISession[] sessionsUnderTest = { this.Session };

            foreach (var current in sessionsUnderTest)
            {
                current.Commit();

                var organisation = new OrganisationBuilder(current).WithName("Organisation").Build();

                // Attach the role's access control to the organisation through a new token.
                var token = new SecurityTokenBuilder(current).Build();
                organisation.AddSecurityToken(token);

                var storedRole    = new Roles(this.Session).FindBy(M.Role.Name, "Role");
                var role          = (Role)current.Instantiate(storedRole);
                var accessControl = (AccessControl)current.Instantiate(role.AccessControlsWhereRole.First);
                token.AddAccessControl(accessControl);

                Assert.False(this.Session.Derive(false).HasErrors);

                // Membership of an unrelated group must not confer the role's permission.
                Assert.False(new AccessControlLists(john)[organisation].CanRead(M.Organisation.Name));

                current.Rollback();
            }
        }
        /// <summary>
        /// Builds an AccessClass with <c>Block</c> set and checks that a member of the
        /// Administrators group can still read and write <c>AccessClass.Property</c>.
        /// </summary>
        /// <remarks>
        /// NOTE(review): what <c>Block</c> does is not visible here. The original comment says
        /// the default security from the Singleton is used in this case - confirm that falling
        /// back to the default, rather than denying access, is the intended behaviour when no
        /// tokens are delegated.
        /// </remarks>
        public void DelegateAccessReturnsNoTokens()
        {
            var admin = new PersonBuilder(this.Session).WithUserName("administrator").Build();

            new UserGroups(this.Session).Administrators.AddMember(admin);

            // Block is set through the builder and then once more on the built object.
            var accessClass = new AccessClassBuilder(this.Session).WithBlock(true).Build();
            accessClass.Block = true;

            this.Session.Derive();
            this.Session.Commit();

            // Use default security from Singleton
            var acl = new AccessControlLists(admin)[accessClass];

            // The read/write checks are deliberately run twice on the same ACL instance,
            // exactly as the original sequence of assertions did.
            for (var pass = 0; pass < 2; pass++)
            {
                Assert.True(acl.CanRead(M.AccessClass.Property));
                Assert.True(acl.CanWrite(M.AccessClass.Property));
            }
        }