public void AllTopicsAllowed()
        {
            Federation federation = WikiTestUtilities.SetupFederation("test://AuthorizationProviderTests",
              TestContentSets.SingleTopicNoImports);
            NamespaceManager manager = WikiTestUtilities.GetNamespaceManagerBypassingSecurity(federation, "NamespaceOne");
            AuthorizationProvider provider = GetSecurityProvider(manager);

            // We should be able to get the list of topics even if we can't read some of them.
            AuthorizationRule rule = new AuthorizationRule(new AuthorizationRuleWho(AuthorizationRuleWhoType.GenericAll),
                AuthorizationRulePolarity.Deny, AuthorizationRuleScope.Topic, SecurableAction.Read, 0);
            manager.WriteTopicAndNewVersion("DeniedTopic", rule.ToString("T"), "test");

            using (new TestSecurityContext("someuser", "somerole"))
            {
                QualifiedTopicNameCollection topics = provider.AllTopics();

                Assert.AreEqual(4, topics.Count, "Checking that the right number of topics were returned.");
            }
        }
        public void WriteNewTopicDenied()
        {
            FederationConfiguration configuration = new FederationConfiguration();
            Federation federation = WikiTestUtilities.SetupFederation("test://AuthorizationProviderTests",
              TestContentSets.SingleEmptyNamespace, configuration);
            NamespaceManager manager = WikiTestUtilities.GetNamespaceManagerBypassingSecurity(federation, "NamespaceOne");
            AuthorizationProvider provider = GetSecurityProvider(manager);

            // Set it up so we have Read
            AuthorizationRule allow = new AuthorizationRule(new AuthorizationRuleWho(AuthorizationRuleWhoType.User, "someuser"),
                AuthorizationRulePolarity.Allow, AuthorizationRuleScope.Namespace, SecurableAction.Read, 0);
            WikiTestUtilities.WriteTopicAndNewVersionBypassingSecurity(manager,
                manager.DefinitionTopicName.LocalName, allow.ToString("T"), "test");

            UnqualifiedTopicRevision revision = new UnqualifiedTopicRevision("NewTopic");
            string content = "New content to be written";
            using (new TestSecurityContext("someuser", "somerole"))
            {
                provider.WriteTopic(revision, content);
            }
        }
        public void UnlockTopicAllowed()
        {
            Federation federation = WikiTestUtilities.SetupFederation("test://AuthorizationProviderTests",
              TestContentSets.SingleTopicNoImports);
            NamespaceManager manager = WikiTestUtilities.GetNamespaceManagerBypassingSecurity(federation, "NamespaceOne");
            AuthorizationProvider provider = GetSecurityProvider(manager);

            // Use the default configuration, where everything is denied
            federation.Configuration.AuthorizationRules.Clear();

            // Grant the ManageNamespace permission, which should be what is needed.
            AuthorizationRule allow = new AuthorizationRule(new AuthorizationRuleWho(AuthorizationRuleWhoType.User, "someuser"),
                AuthorizationRulePolarity.Allow, AuthorizationRuleScope.Namespace, SecurableAction.ManageNamespace, 0);
            WikiTestUtilities.WriteTopicAndNewVersionBypassingSecurity(manager,
                manager.DefinitionTopicName.LocalName, allow.ToString("T"), "test");

            using (new TestSecurityContext("someuser", "somerole"))
            {
                UnqualifiedTopicName topic = new UnqualifiedTopicName("TopicOne");
                provider.LockTopic(topic);
                Assert.IsFalse(provider.HasPermission(topic, TopicPermission.Edit),
                    "Checking that topic is not editable before UnlockTopic.");
                Assert.IsTrue(provider.HasPermission(topic, TopicPermission.Read),
                    "Checking that topic is readable before UnlockTopic.");
                provider.UnlockTopic(topic);
                Assert.IsTrue(provider.HasPermission(topic, TopicPermission.Edit),
                    "Checking that topic is editable after UnlockTopic.");
                Assert.IsTrue(provider.HasPermission(topic, TopicPermission.Read),
                    "Checking that topic is still readable after UnlockTopic.");
            }
        }
        public void UnlockTopicDenied()
        {
            Federation federation = WikiTestUtilities.SetupFederation("test://AuthorizationProviderTests",
              TestContentSets.SingleTopicNoImports);
            NamespaceManager manager = WikiTestUtilities.GetNamespaceManagerBypassingSecurity(federation, "NamespaceOne");
            AuthorizationProvider provider = GetSecurityProvider(manager);

            // Use the default configuration, where everything is denied
            federation.Configuration.AuthorizationRules.Clear();

            // Grant the Edit permission, which should not be enough.
            AuthorizationRule allow = new AuthorizationRule(new AuthorizationRuleWho(AuthorizationRuleWhoType.User, "someuser"),
                AuthorizationRulePolarity.Allow, AuthorizationRuleScope.Namespace, SecurableAction.Edit, 0);
            manager.WriteTopicAndNewVersion(manager.DefinitionTopicName.LocalName, allow.ToString("T"), "test");

            using (new TestSecurityContext("someuser", "somerole"))
            {
                UnqualifiedTopicName topic = new UnqualifiedTopicName("TopicOne");
                provider.UnlockTopic(topic);

                Assert.Fail("A security exception should have been thrown.");
            }
        }
        public void TextReaderForTopicAllowed()
        {
            Federation federation = WikiTestUtilities.SetupFederation("test://AuthorizationProviderTests",
              TestContentSets.SingleTopicNoImports);
            NamespaceManager manager = WikiTestUtilities.GetNamespaceManagerBypassingSecurity(federation, "NamespaceOne");
            AuthorizationProvider provider = GetSecurityProvider(manager);

            // Use the default configuration, where everything is denied
            federation.Configuration.AuthorizationRules.Clear();

            // Grant the Read permission, which should be enough.
            AuthorizationRule deny = new AuthorizationRule(new AuthorizationRuleWho(AuthorizationRuleWhoType.User, "someuser"),
                AuthorizationRulePolarity.Allow, AuthorizationRuleScope.Namespace, SecurableAction.Read, 0);
            WikiTestUtilities.WriteTopicAndNewVersionBypassingSecurity(manager,
                manager.DefinitionTopicName.LocalName, deny.ToString("T"), "test");

            using (new TestSecurityContext("someuser", "somerole"))
            {
                string contents = provider.TextReaderForTopic(new UnqualifiedTopicRevision("TopicOne")).ReadToEnd();
                Assert.AreEqual(7, contents.Length, "Checking that the right contents were returned.");
            }
        }
        public void TopicExistsNonexistentTopic()
        {
            Federation federation = WikiTestUtilities.SetupFederation("test://AuthorizationProviderTests",
              TestContentSets.SingleTopicNoImports);
            NamespaceManager manager = WikiTestUtilities.GetNamespaceManagerBypassingSecurity(federation, "NamespaceOne");
            AuthorizationProvider provider = GetSecurityProvider(manager);

            // Use the default configuration, where everything is denied
            federation.Configuration.AuthorizationRules.Clear();

            // Deny the Read permission. Topic existence shouldn't be affected by security policy.
            AuthorizationRule allow = new AuthorizationRule(new AuthorizationRuleWho(AuthorizationRuleWhoType.User, "someuser"),
                AuthorizationRulePolarity.Deny, AuthorizationRuleScope.Topic, SecurableAction.Read, 0);
            WikiTestUtilities.WriteTopicAndNewVersionBypassingSecurity(manager, "TopicOne", allow.ToString("T"), "test");

            using (new TestSecurityContext("someuser", "somerole"))
            {
                Assert.IsFalse(provider.TopicExists(new UnqualifiedTopicName("NoSuchTopic")),
                    "Checking that TopicExists returns false even when read permission is denied.");
            }
        }
        public void HasPermissionNonexistentTopicDenied()
        {
            FederationConfiguration configuration = new FederationConfiguration();
            Federation federation = WikiTestUtilities.SetupFederation("test://AuthorizationProviderTests",
              TestContentSets.SingleEmptyNamespace, configuration);
            NamespaceManager manager = WikiTestUtilities.GetNamespaceManagerBypassingSecurity(federation, "NamespaceOne");
            AuthorizationProvider provider = GetSecurityProvider(manager);

            // Set it up so we only have Read
            AuthorizationRule allow = new AuthorizationRule(new AuthorizationRuleWho(AuthorizationRuleWhoType.User, "someuser"),
                AuthorizationRulePolarity.Allow, AuthorizationRuleScope.Namespace, SecurableAction.Read, 0);
            WikiTestUtilities.WriteTopicAndNewVersionBypassingSecurity(manager,
                manager.DefinitionTopicName.LocalName, allow.ToString("T"), "test");

            using (new TestSecurityContext("someuser", "somerole"))
            {
                Assert.IsTrue(provider.HasPermission(new UnqualifiedTopicName("NoSuchTopic"),
                    TopicPermission.Read),
                    "Checking that allowing read at the namespace level grants read on nonexistent topics.");
                Assert.IsFalse(provider.HasPermission(new UnqualifiedTopicName("NoSuchTopic"),
                    TopicPermission.Edit),
                    "Checking that allowing read at the namespace level denies edit on nonexistent topics.");
            }
        }
        public void IsReadOnlyContentStoreReadWriteSecurityReadWrite()
        {
            Federation federation = WikiTestUtilities.SetupFederation("test://AuthorizationProviderTests",
              TestContentSets.SingleTopicNoImports);
            NamespaceManager manager = WikiTestUtilities.GetNamespaceManagerBypassingSecurity(federation, "NamespaceOne");
            AuthorizationProvider provider = GetSecurityProvider(manager);

            // Use the default configuration, where everything is denied
            federation.Configuration.AuthorizationRules.Clear();

            // Grant the Read permission, which should be what is needed.
            AuthorizationRule allow = new AuthorizationRule(new AuthorizationRuleWho(AuthorizationRuleWhoType.User, "someuser"),
                AuthorizationRulePolarity.Allow, AuthorizationRuleScope.Namespace, SecurableAction.Edit, 0);
            WikiTestUtilities.WriteTopicAndNewVersionBypassingSecurity(manager,
                manager.DefinitionTopicName.LocalName, allow.ToString("T"), "test");

            using (new TestSecurityContext("someuser", "somerole"))
            {
                Assert.IsFalse(provider.IsReadOnly,
                    "Checking that the store is read-write when store and security policy are read-write.");
            }
        }
        public void HasNamespacePermissionManageAllowed()
        {
            Federation federation = WikiTestUtilities.SetupFederation("test://AuthorizationProviderTests",
              TestContentSets.SingleTopicNoImports);
            NamespaceManager manager = WikiTestUtilities.GetNamespaceManagerBypassingSecurity(federation, "NamespaceOne");
            AuthorizationProvider provider = GetSecurityProvider(manager);

            // Use the default configuration, where everything is denied
            federation.Configuration.AuthorizationRules.Clear();

            // Grant the ManageNamespace permission, which should be what is needed.
            AuthorizationRule allow = new AuthorizationRule(new AuthorizationRuleWho(AuthorizationRuleWhoType.User, "someuser"),
                AuthorizationRulePolarity.Allow, AuthorizationRuleScope.Namespace, SecurableAction.ManageNamespace, 0);
            WikiTestUtilities.WriteTopicAndNewVersionBypassingSecurity(manager,
                manager.DefinitionTopicName.LocalName, allow.ToString("T"), "test");

            using (new TestSecurityContext("someuser", "somerole"))
            {
                Assert.IsTrue(provider.HasNamespacePermission(NamespacePermission.Manage));
            }
        }
        public void HasPermissionDefinitionTopic()
        {
            FederationConfiguration configuration = new FederationConfiguration();
            Federation federation = WikiTestUtilities.SetupFederation("test://AuthorizationProviderTests",
              TestContentSets.SingleEmptyNamespace, configuration);
            NamespaceManager manager = WikiTestUtilities.GetNamespaceManagerBypassingSecurity(federation, "NamespaceOne");
            AuthorizationProvider provider = GetSecurityProvider(manager);

            // Set it up so we have Edit but not ManageNamespace
            AuthorizationRule allowEdit = new AuthorizationRule(new AuthorizationRuleWho(AuthorizationRuleWhoType.User, "someuser"),
                AuthorizationRulePolarity.Allow, AuthorizationRuleScope.Namespace, SecurableAction.Edit, 0);
            WikiTestUtilities.WriteTopicAndNewVersionBypassingSecurity(manager,
                manager.DefinitionTopicName.LocalName, allowEdit.ToString("T"), "test");

            using (new TestSecurityContext("someuser", "somerole"))
            {
                Assert.IsFalse(provider.HasPermission(new UnqualifiedTopicName(manager.DefinitionTopicName.LocalName),
                    TopicPermission.Edit),
                    "Checking that allowing edit is not enough to grant editpermisison on the definition topic.");
            }

            // Now try it where we're granted ManageNamespace
            AuthorizationRule allow = new AuthorizationRule(new AuthorizationRuleWho(AuthorizationRuleWhoType.User, "someuser"),
                AuthorizationRulePolarity.Allow, AuthorizationRuleScope.Namespace, SecurableAction.ManageNamespace, 0);
            WikiTestUtilities.WriteTopicAndNewVersionBypassingSecurity(manager,
                manager.DefinitionTopicName.LocalName, allow.ToString("T"), "test");

            using (new TestSecurityContext("someuser", "somerole"))
            {
                Assert.IsTrue(provider.HasPermission(new UnqualifiedTopicName(manager.DefinitionTopicName.LocalName),
                    TopicPermission.Edit),
                    "Checking that granting ManageNamespace implies ability to edit definition topic.");
            }
        }
        public void GetParsedTopicAllowed()
        {
            Federation federation = WikiTestUtilities.SetupFederation("test://AuthorizationProviderTests",
              TestContentSets.SingleTopicNoImports);
            NamespaceManager manager = WikiTestUtilities.GetNamespaceManagerBypassingSecurity(federation, "NamespaceOne");
            AuthorizationProvider provider = GetSecurityProvider(manager);

            // Use the default configuration, where everything is denied
            federation.Configuration.AuthorizationRules.Clear();

            // Grant the Read permission, which should be what is needed.
            AuthorizationRule allow = new AuthorizationRule(new AuthorizationRuleWho(AuthorizationRuleWhoType.User, "someuser"),
                AuthorizationRulePolarity.Allow, AuthorizationRuleScope.Namespace, SecurableAction.Read, 0);
            WikiTestUtilities.WriteTopicAndNewVersionBypassingSecurity(manager,
                manager.DefinitionTopicName.LocalName, allow.ToString("T"), "test");

            using (new TestSecurityContext("someuser", "somerole"))
            {
                ParsedTopic parsedTopic = provider.GetParsedTopic(new UnqualifiedTopicRevision("TopicOne"));
                Assert.IsNotNull(parsedTopic,
                    "Checking that the parsed topic was returned.");
            }
        }
        public void ExistsAllowedStoreNonexistent()
        {
            Federation federation = WikiTestUtilities.SetupFederation("test://AuthorizationProviderTests",
              TestContentSets.SingleTopicNoImports, MockSetupOptions.StoreDoesNotExist);
            NamespaceManager manager = WikiTestUtilities.GetNamespaceManagerBypassingSecurity(federation, "NamespaceOne");
            AuthorizationProvider provider = GetSecurityProvider(manager);

            // Use the default configuration, where everything is denied
            federation.Configuration.AuthorizationRules.Clear();

            // Grant the Read permission at namespace, which should be what is needed.
            AuthorizationRule allow = new AuthorizationRule(new AuthorizationRuleWho(AuthorizationRuleWhoType.User, "someuser"),
                AuthorizationRulePolarity.Allow, AuthorizationRuleScope.Namespace, SecurableAction.Read, 0);
            WikiTestUtilities.WriteTopicAndNewVersionBypassingSecurity(manager,
                manager.DefinitionTopicName.LocalName, allow.ToString("T"), "test");

            using (new TestSecurityContext("someuser", "somerole"))
            {
                Assert.IsFalse(provider.Exists,
                    "Checking that the security provider returns false when read permission is granted on the namespace and store does not exist.");
            }
        }
        public void DeleteTopicDenied()
        {
            // Use the default configuration, where everything is denied
            FederationConfiguration configuration = new FederationConfiguration();
            Federation federation = WikiTestUtilities.SetupFederation("test://AuthorizationProviderTests",
              TestContentSets.SingleTopicNoImports, configuration);
            NamespaceManager manager = WikiTestUtilities.GetNamespaceManagerBypassingSecurity(federation, "NamespaceOne");
            AuthorizationProvider provider = GetSecurityProvider(manager);

            // Grant the Read permission, which should be insufficient.
            AuthorizationRule allow = new AuthorizationRule(new AuthorizationRuleWho(AuthorizationRuleWhoType.User, "someuser"),
                AuthorizationRulePolarity.Allow, AuthorizationRuleScope.Namespace, SecurableAction.Read, 0);
            WikiTestUtilities.WriteTopicAndNewVersionBypassingSecurity(manager,
                manager.DefinitionTopicName.LocalName, allow.ToString("T"), "test");

            using (new TestSecurityContext("someuser", "somerole"))
            {
                Assert.AreEqual(4, manager.AllTopics(ImportPolicy.DoNotIncludeImports).Count,
                    "Checking that the right number of topics were returned before deletion");
                provider.DeleteTopic(new UnqualifiedTopicName("TopicOne"), false);
                Assert.Fail("A security exception should have been thrown");
            }
        }
        public void DeleteAllTopicsAndHistoryDenied()
        {
            Federation federation = WikiTestUtilities.SetupFederation("test://AuthorizationProviderTests",
              TestContentSets.SingleTopicNoImports);
            NamespaceManager manager = WikiTestUtilities.GetNamespaceManagerBypassingSecurity(federation, "NamespaceOne");
            AuthorizationProvider provider = GetSecurityProvider(manager);

            // Use the default configuration, where everything is denied
            federation.Configuration.AuthorizationRules.Clear();

            // Grant the Edit permission, which shouldn't be enough: ManageNamespace is required.
            AuthorizationRule allowEdit = new AuthorizationRule(new AuthorizationRuleWho(AuthorizationRuleWhoType.User, "someuser"),
                AuthorizationRulePolarity.Allow, AuthorizationRuleScope.Namespace, SecurableAction.Edit, 0);
            manager.WriteTopicAndNewVersion(manager.DefinitionTopicName.LocalName, allowEdit.ToString("T"), "test");

            using (new TestSecurityContext("someuser", "somerole"))
            {
                Assert.AreEqual(4, manager.AllTopics(ImportPolicy.DoNotIncludeImports).Count,
                    "Checking that the right number of topics were returned before deletion");
                provider.DeleteAllTopicsAndHistory();
                Assert.Fail("DeleteAllTopicsAndHistory should have thrown an exception");
            }
        }
        public void DeleteAllTopicsAndHistoryAllowed()
        {
            Federation federation = WikiTestUtilities.SetupFederation("test://AuthorizationProviderTests",
              TestContentSets.SingleTopicNoImports);
            NamespaceManager manager = WikiTestUtilities.GetNamespaceManagerBypassingSecurity(federation, "NamespaceOne");
            AuthorizationProvider provider = GetSecurityProvider(manager);

            // Use the default configuration, where everything is denied
            federation.Configuration.AuthorizationRules.Clear();

            // Grant the ManageNamespace permission, which should be what is needed.
            AuthorizationRule allowManageNamespace = new AuthorizationRule(new AuthorizationRuleWho(AuthorizationRuleWhoType.User, "someuser"),
                AuthorizationRulePolarity.Allow, AuthorizationRuleScope.Namespace, SecurableAction.ManageNamespace, 0);
            WikiTestUtilities.WriteTopicAndNewVersionBypassingSecurity(manager,
                manager.DefinitionTopicName.LocalName, allowManageNamespace.ToString("T"), "test");

            using (new TestSecurityContext("someuser", "somerole"))
            {
                Assert.AreEqual(4, manager.AllTopics(ImportPolicy.DoNotIncludeImports).Count,
                    "Checking that the right number of topics were returned before deletion");
                provider.DeleteAllTopicsAndHistory();
                // Only built-in topics should remain
                Assert.AreEqual(2, manager.AllTopics(ImportPolicy.DoNotIncludeImports).Count,
                    "Checking that the right number of topics were returned after deletion");
            }
        }