protected internal virtual void setUp()
{
// we are jonny
identityService.AuthenticatedUserId = "jonny";
// make sure we can do stuff:
IAuthorization jonnyIsGod = authorizationService.CreateNewAuthorization(AuthorizationFields.AuthTypeGrant);
jonnyIsGod.UserId = "jonny";
jonnyIsGod.Resource = Resources.User;
jonnyIsGod.ResourceId = AuthorizationFields.Any;
jonnyIsGod.AddPermission(Permissions.All);
authorizationService.SaveAuthorization(jonnyIsGod);
jonnyIsGod = authorizationService.CreateNewAuthorization(AuthorizationFields.AuthTypeGrant);
jonnyIsGod.UserId = "jonny";
jonnyIsGod.Resource = Resources.Group;
jonnyIsGod.ResourceId = AuthorizationFields.Any;
jonnyIsGod.AddPermission(Permissions.All);
authorizationService.SaveAuthorization(jonnyIsGod);
jonnyIsGod = authorizationService.CreateNewAuthorization(AuthorizationFields.AuthTypeGrant);
jonnyIsGod.UserId = "jonny";
jonnyIsGod.Resource = Resources.Authorization;
jonnyIsGod.ResourceId = AuthorizationFields.Any;
jonnyIsGod.AddPermission(Permissions.All);
authorizationService.SaveAuthorization(jonnyIsGod);
// enable authorizations
processEngineConfiguration.SetAuthorizationEnabled(true);
base.InitializeServices();
//base.SetUp();
}
public virtual void testPermissions()
{
IAuthorization authorization = authorizationService.CreateNewAuthorization(AuthorizationFields.AuthTypeGrant);
Assert.AreEqual(1, authorization.GetPermissions(authorization.GetPermissions(new Permissions[] {})).Length);
Assert.IsFalse(authorization.IsPermissionGranted(Permissions.Access));
Assert.IsFalse(authorization.IsPermissionGranted(Permissions.Delete));
Assert.IsFalse(authorization.IsPermissionGranted(Permissions.Read));
Assert.IsFalse(authorization.IsPermissionGranted(Permissions.Update));
authorization.AddPermission(Permissions.Access);
Assert.True(authorization.IsPermissionGranted(Permissions.Access));
Assert.IsFalse(authorization.IsPermissionGranted(Permissions.Delete));
Assert.IsFalse(authorization.IsPermissionGranted(Permissions.Read));
Assert.IsFalse(authorization.IsPermissionGranted(Permissions.Update));
authorization.AddPermission(Permissions.Delete);
Assert.True(authorization.IsPermissionGranted(Permissions.Access));
Assert.True(authorization.IsPermissionGranted(Permissions.Delete));
Assert.IsFalse(authorization.IsPermissionGranted(Permissions.Read));
Assert.IsFalse(authorization.IsPermissionGranted(Permissions.Update));
authorization.AddPermission(Permissions.Read);
Assert.True(authorization.IsPermissionGranted(Permissions.Access));
Assert.True(authorization.IsPermissionGranted(Permissions.Delete));
Assert.True(authorization.IsPermissionGranted(Permissions.Read));
Assert.IsFalse(authorization.IsPermissionGranted(Permissions.Update));
authorization.AddPermission(Permissions.Update);
Assert.True(authorization.IsPermissionGranted(Permissions.Access));
Assert.True(authorization.IsPermissionGranted(Permissions.Delete));
Assert.True(authorization.IsPermissionGranted(Permissions.Read));
Assert.True(authorization.IsPermissionGranted(Permissions.Update));
authorization.RemovePermission(Permissions.Access);
Assert.IsFalse(authorization.IsPermissionGranted(Permissions.Access));
Assert.True(authorization.IsPermissionGranted(Permissions.Delete));
Assert.True(authorization.IsPermissionGranted(Permissions.Read));
Assert.True(authorization.IsPermissionGranted(Permissions.Update));
authorization.RemovePermission(Permissions.Delete);
Assert.IsFalse(authorization.IsPermissionGranted(Permissions.Access));
Assert.IsFalse(authorization.IsPermissionGranted(Permissions.Delete));
Assert.True(authorization.IsPermissionGranted(Permissions.Read));
Assert.True(authorization.IsPermissionGranted(Permissions.Update));
authorization.RemovePermission(Permissions.Read);
Assert.IsFalse(authorization.IsPermissionGranted(Permissions.Access));
Assert.IsFalse(authorization.IsPermissionGranted(Permissions.Delete));
Assert.IsFalse(authorization.IsPermissionGranted(Permissions.Read));
Assert.True(authorization.IsPermissionGranted(Permissions.Update));
authorization.RemovePermission(Permissions.Update);
Assert.IsFalse(authorization.IsPermissionGranted(Permissions.Access));
Assert.IsFalse(authorization.IsPermissionGranted(Permissions.Delete));
Assert.IsFalse(authorization.IsPermissionGranted(Permissions.Read));
Assert.IsFalse(authorization.IsPermissionGranted(Permissions.Update));
}
[Test] public virtual void testUserOverrideGlobalRevokeAuthorizationCheck()
{
TestResource resource1 = new TestResource("resource1", 100);
// create global authorization which revokes all permissions to all users (on resource1):
IAuthorization globalGrant = authorizationService.CreateNewAuthorization(AuthorizationFields.AuthTypeGlobal);
globalGrant.Resource = (Resources)resource1.resourceType();
globalGrant.ResourceId = AuthorizationFields.Any;
globalGrant.RemovePermission(Permissions.All);
authorizationService.SaveAuthorization(globalGrant);
// add Permissions.Read for jonny
IAuthorization localRevoke = authorizationService.CreateNewAuthorization(AuthorizationFields.AuthTypeGrant);
localRevoke.UserId = "jonny";
localRevoke.Resource = (Resources)resource1.resourceType();
localRevoke.ResourceId = AuthorizationFields.Any;
localRevoke.AddPermission(Permissions.Read);
authorizationService.SaveAuthorization(localRevoke);
// jonny does not have Permissions.All permissions
Assert.IsFalse(authorizationService.IsUserAuthorized("jonny", null, Permissions.All, (Resources)resource1.resourceType()));
// jonny can read
Assert.True(authorizationService.IsUserAuthorized("jonny", null, Permissions.Read, (Resources)resource1.resourceType()));
// jonny can't Delete
Assert.IsFalse(authorizationService.IsUserAuthorized("jonny", null, Permissions.Delete, (Resources)resource1.resourceType()));
// someone else can't do anything
Assert.IsFalse(authorizationService.IsUserAuthorized("someone else", null, Permissions.All, (Resources)resource1.resourceType()));
Assert.IsFalse(authorizationService.IsUserAuthorized("someone else", null, Permissions.Read, (Resources)resource1.resourceType()));
Assert.IsFalse(authorizationService.IsUserAuthorized("someone else", null, Permissions.Delete, (Resources)resource1.resourceType()));
}
public virtual void testQueryWithGroupAuthorizationRevokedReadPermission()
{
// given
// given user gets all permissions on any process definition
IAuthorization authorization = createGrantAuthorization(Resources.ProcessDefinition, AuthorizationFields.Any);
authorization.GroupId = groupId;
authorization.AddPermission(Permissions.All);
saveAuthorization(authorization);
authorization = createRevokeAuthorization(Resources.ProcessDefinition, ONE_TASK_PROCESS_KEY);
authorization.GroupId = groupId;
authorization.RemovePermission(Permissions.Read);
saveAuthorization(authorization);
// when
IQueryable <IProcessDefinition> query = repositoryService.CreateProcessDefinitionQuery();
// then
//verifyQueryResults(query, 1);
IProcessDefinition definition = query.First();
Assert.NotNull(definition);
Assert.AreEqual(TWO_TASKS_PROCESS_KEY, definition.Key);
}
public virtual void testDeleteAuthorization()
{
// create global auth
IAuthorization basePerms = authorizationService.CreateNewAuthorization(AuthorizationFields.AuthTypeGlobal);
basePerms.Resource = Resources.Authorization;
basePerms.ResourceId = AuthorizationFields.Any;
basePerms.AddPermission(Permissions.All);
basePerms.RemovePermission(Permissions.Delete); // revoke Delete
authorizationService.SaveAuthorization(basePerms);
// turn on authorization
processEngineConfiguration.SetAuthorizationEnabled(true);
identityService.AuthenticatedUserId = jonny2;
try
{
// try to Delete authorization
authorizationService.DeleteAuthorization(basePerms.Id);
Assert.Fail("exception expected");
}
catch (AuthorizationException e)
{
Assert.AreEqual(1, e.MissingAuthorizations.Count);
MissingAuthorization info = e.MissingAuthorizations[0];
Assert.AreEqual(jonny2, e.UserId);
AuthorizationTestUtil.AssertExceptionInfo(Permissions.Delete.ToString(), Resources.Authorization.ToString() /*.ResourceName()*/, basePerms.Id, info);
}
}
public virtual void testGlobalGrantAuthorizationCheck()
{
TestResource resource1 = new TestResource("resource1", 100);
// create global authorization which grants all permissions to all users (on resource1):
IAuthorization globalAuth = authorizationService.CreateNewAuthorization(AuthorizationFields.AuthTypeGlobal);
globalAuth.Resource = (Resources)resource1.resourceType();
globalAuth.ResourceId = AuthorizationFields.Any;
globalAuth.AddPermission(Permissions.All);
authorizationService.SaveAuthorization(globalAuth);
IList <string> jonnysGroups = (new string[] { "sales", "marketing" });
IList <string> someOneElsesGroups = (new string[] { "marketing" });
// this authorizes any user to do anything in this resource:
Assert.True(authorizationService.IsUserAuthorized("jonny", null, Permissions.All, (Resources)resource1.resourceType()));
Assert.True(authorizationService.IsUserAuthorized("jonny", jonnysGroups, Permissions.All, (Resources)resource1.resourceType()));
Assert.True(authorizationService.IsUserAuthorized("someone", null, Permissions.Create, (Resources)resource1.resourceType()));
Assert.True(authorizationService.IsUserAuthorized("someone", someOneElsesGroups, Permissions.Create, (Resources)resource1.resourceType()));
Assert.True(authorizationService.IsUserAuthorized("someone else", null, Permissions.Delete, (Resources)resource1.resourceType()));
Assert.True(authorizationService.IsUserAuthorized("jonny", null, Permissions.All, (Resources)resource1.resourceType(), "someId"));
Assert.True(authorizationService.IsUserAuthorized("jonny", jonnysGroups, Permissions.All, (Resources)resource1.resourceType(), "someId"));
Assert.True(authorizationService.IsUserAuthorized("someone", null, Permissions.Create, (Resources)resource1.resourceType(), "someId"));
Assert.True(authorizationService.IsUserAuthorized("someone else", null, Permissions.Delete, (Resources)resource1.resourceType(), "someOtherId"));
}
[Test] public virtual void testTenanGroupMembershipDeleteAuthorizations()
{
IGroup group1 = identityService.NewGroup("group1");
identityService.SaveGroup(group1);
ITenant tenant1 = identityService.NewTenant("tenant1");
identityService.SaveTenant(tenant1);
// add base permission which allows nobody to Delete memberships
IAuthorization basePerms = authorizationService.CreateNewAuthorization(AuthorizationFields.AuthTypeGlobal);
basePerms.Resource = Resources.TenantMembership;
basePerms.ResourceId = AuthorizationFields.Any;
basePerms.AddPermission(Permissions.All); // add all then remove 'Delete'
basePerms.RemovePermission(Permissions.Delete);
authorizationService.SaveAuthorization(basePerms);
processEngineConfiguration.SetAuthorizationEnabled(true);
identityService.AuthenticatedUserId = jonny2;
try
{
identityService.DeleteTenantGroupMembership("tenant1", "group1");
Assert.Fail("exception expected");
}
catch (AuthorizationException e)
{
Assert.AreEqual(1, e.MissingAuthorizations.Count);
MissingAuthorization info = e.MissingAuthorizations[0];
Assert.AreEqual(jonny2, e.UserId);
AuthorizationTestUtil.AssertExceptionInfo(Permissions.Delete.ToString(), Resources.TenantMembership.ToString() /*.ResourceName()*/, "tenant1", info);
}
}
public virtual void shouldFetchTaskCountWithAuthorization()
{
// given
IUser user = identityService.NewUser(userId);
identityService.SaveUser(user);
IAuthorization authorization = authorizationService.CreateNewAuthorization(AuthorizationFields.AuthTypeGrant);
authorization.AddPermission(Permissions.Read);
authorization.Resource = Resources.Task;
authorization.ResourceId = AuthorizationFields.Any;
authorization.UserId = userId;
authorizationService.SaveAuthorization(authorization);
processEngineConfiguration.SetAuthorizationEnabled(true);
authenticate();
// when
IList <ITaskCountByCandidateGroupResult> results = taskService.CreateTaskReport().TaskCountByCandidateGroup();
processEngineConfiguration.SetAuthorizationEnabled(false);
authorizationService.DeleteAuthorization(authorization.Id);
identityService.DeleteUser(userId);
Assert.AreEqual(0, results.Count);
}
// authorization ///////////////////////////////////////////////////////
protected internal virtual void createGrantAuthorization(Resources resource, string resourceId, Permissions permission, string userId)
{
IAuthorization authorization = createGrantAuthorization(resource, resourceId);
authorization.UserId = userId;
authorization.AddPermission(permission);
saveAuthorization(authorization);
}
public virtual void testUserUpdateAuthorizations()
{
// create global auth
IAuthorization basePerms = authorizationService.CreateNewAuthorization(AuthorizationFields.AuthTypeGlobal);
basePerms.Resource = Resources.Authorization;
basePerms.ResourceId = AuthorizationFields.Any;
basePerms.AddPermission(Permissions.All);
basePerms.RemovePermission(Permissions.Update); // revoke update
authorizationService.SaveAuthorization(basePerms);
// turn on authorization
processEngineConfiguration.SetAuthorizationEnabled(true);
identityService.AuthenticatedUserId = jonny2;
// fetch authhorization
basePerms = authorizationService.CreateAuthorizationQuery().First();
// make some change to the perms
basePerms.AddPermission(Permissions.All);
try
{
authorizationService.SaveAuthorization(basePerms);
Assert.Fail("exception expected");
}
catch (AuthorizationException e)
{
Assert.AreEqual(1, e.MissingAuthorizations.Count);
MissingAuthorization info = e.MissingAuthorizations[0];
Assert.AreEqual(jonny2, e.UserId);
AuthorizationTestUtil.AssertExceptionInfo(Permissions.Update.ToString(), Resources.Authorization.ToString() /*.ResourceName()*/, basePerms.Id, info);
}
// but we can create a new auth
IAuthorization newAuth = authorizationService.CreateNewAuthorization(AuthorizationFields.AuthTypeGrant);
newAuth.UserId = "jonny2";
newAuth.Resource = Resources.Authorization;
newAuth.ResourceId = AuthorizationFields.Any;
newAuth.AddPermission(Permissions.All);
authorizationService.SaveAuthorization(newAuth);
}
protected internal virtual void grantAuthorization(string userId, Resources resource, string resourceId, Permissions permission)
{
IAuthorization authorization = engineRule.IAuthorizationService.CreateNewAuthorization(AuthorizationFields.AuthTypeGrant);
authorization.Resource = resource;
authorization.ResourceId = resourceId;
authorization.AddPermission(permission);
authorization.UserId = userId;
engineRule.IAuthorizationService.SaveAuthorization(authorization);
authorizations.Add(authorization);
}
// user ////////////////////////////////////////////////////////////////
protected internal virtual IUser createUser(string userId)
{
IUser user = identityService.NewUser(userId);
identityService.SaveUser(user);
// give user all permission to manipulate authorizations
IAuthorization authorization = createGrantAuthorization(Resources.Authorization, AuthorizationFields.Any);
authorization.UserId = userId;
authorization.AddPermission(Permissions.All);
saveAuthorization(authorization);
// give user all permission to manipulate users
authorization = createGrantAuthorization(Resources.User, AuthorizationFields.Any);
authorization.UserId = userId;
authorization.AddPermission(Permissions.All);
saveAuthorization(authorization);
return(user);
}
[Test] public virtual void testGroupOverrideGlobalGrantAuthorizationCheck()
{
TestResource resource1 = new TestResource("resource1", 100);
// create global authorization which grants all permissions to all users (on resource1):
IAuthorization globalGrant = authorizationService.CreateNewAuthorization(AuthorizationFields.AuthTypeGlobal);
globalGrant.Resource = (Resources)resource1.resourceType();
globalGrant.ResourceId = AuthorizationFields.Any;
globalGrant.AddPermission(Permissions.All);
authorizationService.SaveAuthorization(globalGrant);
// revoke Permissions.Read for group "sales"
IAuthorization groupRevoke = authorizationService.CreateNewAuthorization(AuthorizationFields.AuthTypeRevoke);
groupRevoke.GroupId = "sales";
groupRevoke.Resource = (Resources)resource1.resourceType();
groupRevoke.ResourceId = AuthorizationFields.Any;
groupRevoke.RemovePermission(Permissions.Read);
authorizationService.SaveAuthorization(groupRevoke);
IList <string> jonnysGroups = new List <string>()
{
"sales", "marketing"
};
IList <string> someOneElsesGroups = new List <string>()
{
"marketing"
};
// jonny does not have Permissions.All permissions if queried with groups
Assert.IsFalse(authorizationService.IsUserAuthorized("jonny", jonnysGroups, Permissions.All, (Resources)resource1.resourceType()));
// if queried without groups he has
Assert.True(authorizationService.IsUserAuthorized("jonny", null, Permissions.All, (Resources)resource1.resourceType()));
// jonny can't read if queried with groups
Assert.IsFalse(authorizationService.IsUserAuthorized("jonny", jonnysGroups, Permissions.Read, (Resources)resource1.resourceType()));
// if queried without groups he has
Assert.True(authorizationService.IsUserAuthorized("jonny", null, Permissions.Read, (Resources)resource1.resourceType()));
// someone else who is in group "marketing" but but not "sales" can
Assert.True(authorizationService.IsUserAuthorized("someone else", someOneElsesGroups, Permissions.All, (Resources)resource1.resourceType()));
Assert.True(authorizationService.IsUserAuthorized("someone else", someOneElsesGroups, Permissions.Read, (Resources)resource1.resourceType()));
Assert.True(authorizationService.IsUserAuthorized("someone else", null, Permissions.All, (Resources)resource1.resourceType()));
Assert.True(authorizationService.IsUserAuthorized("someone else", null, Permissions.Read, (Resources)resource1.resourceType()));
// he could'nt if he were in jonny's groups
Assert.IsFalse(authorizationService.IsUserAuthorized("someone else", jonnysGroups, Permissions.All, (Resources)resource1.resourceType()));
Assert.IsFalse(authorizationService.IsUserAuthorized("someone else", jonnysGroups, Permissions.Read, (Resources)resource1.resourceType()));
// jonny can still Delete
Assert.True(authorizationService.IsUserAuthorized("jonny", jonnysGroups, Permissions.Delete, (Resources)resource1.resourceType()));
Assert.True(authorizationService.IsUserAuthorized("jonny", null, Permissions.Delete, (Resources)resource1.resourceType()));
}
public virtual void testUpdateNewAuthorization()
{
TestResource resource1 = new TestResource("resource1", 100);
TestResource resource2 = new TestResource("resource1", 101);
IAuthorization authorization = authorizationService.CreateNewAuthorization(AuthorizationFields.AuthTypeGrant);
authorization.UserId = "aUserId";
//authorization.Resource = resource1;
authorization.ResourceId = "aResourceId";
authorization.AddPermission(Permissions.Access);
// save the authorization
authorizationService.SaveAuthorization(authorization);
// validate authorization
IAuthorization savedAuthorization = authorizationService.CreateAuthorizationQuery().First();
Assert.AreEqual("aUserId", savedAuthorization.UserId);
//Assert.AreEqual(resource1.resourceType(), savedAuthorization.ResourceType);
Assert.AreEqual("aResourceId", savedAuthorization.ResourceId);
Assert.True(savedAuthorization.IsPermissionGranted(Permissions.Access));
// update authorization
authorization.UserId = "anotherUserId";
//authorization.Resource = resource2;
authorization.ResourceId = "anotherResourceId";
authorization.AddPermission(Permissions.Delete);
authorizationService.SaveAuthorization(authorization);
// validate authorization updated
savedAuthorization = authorizationService.CreateAuthorizationQuery().First();
Assert.AreEqual("anotherUserId", savedAuthorization.UserId);
//Assert.AreEqual(resource2.resourceType(), savedAuthorization.ResourceType);
Assert.AreEqual("anotherResourceId", savedAuthorization.ResourceId);
Assert.True(savedAuthorization.IsPermissionGranted(Permissions.Access));
Assert.True(savedAuthorization.IsPermissionGranted(Permissions.Delete));
}
[Test] public virtual void testUserOverrideGroupOverrideGlobalAuthorizationCheck()
{
TestResource resource1 = new TestResource("resource1", 100);
// create global authorization which grants all permissions to all users (on resource1):
IAuthorization globalGrant = authorizationService.CreateNewAuthorization(AuthorizationFields.AuthTypeGlobal);
globalGrant.Resource = (Resources)resource1.resourceType();
globalGrant.ResourceId = AuthorizationFields.Any;
globalGrant.AddPermission(Permissions.All);
authorizationService.SaveAuthorization(globalGrant);
// revoke Permissions.Read for group "sales"
IAuthorization groupRevoke = authorizationService.CreateNewAuthorization(AuthorizationFields.AuthTypeRevoke);
groupRevoke.GroupId = "sales";
groupRevoke.Resource = (Resources)resource1.resourceType();
groupRevoke.ResourceId = AuthorizationFields.Any;
groupRevoke.RemovePermission(Permissions.Read);
authorizationService.SaveAuthorization(groupRevoke);
// add Permissions.Read for jonny
IAuthorization userGrant = authorizationService.CreateNewAuthorization(AuthorizationFields.AuthTypeGrant);
userGrant.UserId = "jonny";
userGrant.Resource = (Resources)resource1.resourceType();
userGrant.ResourceId = AuthorizationFields.Any;
userGrant.AddPermission(Permissions.Read);
authorizationService.SaveAuthorization(userGrant);
IList <string> jonnysGroups = new List <string>()
{
"sales", "marketing"
};
IList <string> someOneElsesGroups = new List <string>()
{
"marketing"
};
// jonny can read
Assert.True(authorizationService.IsUserAuthorized("jonny", jonnysGroups, Permissions.Read, (Resources)resource1.resourceType()));
Assert.True(authorizationService.IsUserAuthorized("jonny", null, Permissions.Read, (Resources)resource1.resourceType()));
// someone else in the same groups cannot
Assert.IsFalse(authorizationService.IsUserAuthorized("someone else", jonnysGroups, Permissions.Read, (Resources)resource1.resourceType()));
// someone else in different groups can
Assert.True(authorizationService.IsUserAuthorized("someone else", someOneElsesGroups, Permissions.Read, (Resources)resource1.resourceType()));
}
public virtual void testCreateAuthorization()
{
// add base permission which allows nobody to create authorizations
IAuthorization basePerms = authorizationService.CreateNewAuthorization(AuthorizationFields.AuthTypeGlobal);
basePerms.Resource = Resources.Authorization;
basePerms.ResourceId = AuthorizationFields.Any;
basePerms.AddPermission(Permissions.All); // add all then remove 'create'
basePerms.RemovePermission(Permissions.Create);
authorizationService.SaveAuthorization(basePerms);
// now enable authorizations:
processEngineConfiguration.SetAuthorizationEnabled(true);
identityService.AuthenticatedUserId = jonny2;
try
{
// we cannot create another authorization
authorizationService.CreateNewAuthorization(AuthorizationFields.AuthTypeGlobal);
Assert.Fail("exception expected");
}
catch (AuthorizationException e)
{
Assert.AreEqual(1, e.MissingAuthorizations.Count);
MissingAuthorization info = e.MissingAuthorizations[0];
Assert.AreEqual(jonny2, e.UserId);
AuthorizationTestUtil.AssertExceptionInfo(Permissions.Create.ToString(), Resources.Authorization.ToString() /*.ResourceName()*/, null, info);
}
// circumvent auth check to get new transient object
IAuthorization authorization = new AuthorizationEntity(AuthorizationFields.AuthTypeRevoke);
authorization.UserId = "someUserId";
authorization.Resource = Resources.Application;
try
{
authorizationService.SaveAuthorization(authorization);
Assert.Fail("exception expected");
}
catch (AuthorizationException e)
{
Assert.AreEqual(1, e.MissingAuthorizations.Count);
MissingAuthorization info = e.MissingAuthorizations[0];
Assert.AreEqual(jonny2, e.UserId);
AuthorizationTestUtil.AssertExceptionInfo(Permissions.Create.ToString(), Resources.Authorization.ToString() /*.ResourceName()*/, null, info);
}
}
[Test] public virtual void testUserOverrideGlobalGrantAuthorizationCheck()
{
TestResource resource1 = new TestResource("resource1", 100);
// create global authorization which grants all permissions to all users (on resource1):
IAuthorization globalGrant = authorizationService.CreateNewAuthorization(AuthorizationFields.AuthTypeGlobal);
globalGrant.Resource = (Resources)resource1.resourceType();
globalGrant.ResourceId = AuthorizationFields.Any;
globalGrant.AddPermission(Permissions.All);
authorizationService.SaveAuthorization(globalGrant);
// revoke Permissions.Read for jonny
IAuthorization localRevoke = authorizationService.CreateNewAuthorization(AuthorizationFields.AuthTypeRevoke);
localRevoke.UserId = "jonny";
localRevoke.Resource = (Resources)resource1.resourceType();
localRevoke.ResourceId = AuthorizationFields.Any;
localRevoke.RemovePermission(Permissions.Read);
authorizationService.SaveAuthorization(localRevoke);
IList <string> jonnysGroups = new List <string>()
{
"sales", "marketing"
};
IList <string> someOneElsesGroups = new List <string>()
{
"marketing"
};
// jonny does not have Permissions.All permissions
Assert.IsFalse(authorizationService.IsUserAuthorized("jonny", null, Permissions.All, (Resources)resource1.resourceType()));
Assert.IsFalse(authorizationService.IsUserAuthorized("jonny", jonnysGroups, Permissions.All, (Resources)resource1.resourceType()));
// jonny can't read
Assert.IsFalse(authorizationService.IsUserAuthorized("jonny", null, Permissions.Read, (Resources)resource1.resourceType()));
Assert.IsFalse(authorizationService.IsUserAuthorized("jonny", jonnysGroups, Permissions.Read, (Resources)resource1.resourceType()));
// someone else can
Assert.True(authorizationService.IsUserAuthorized("someone else", null, Permissions.All, (Resources)resource1.resourceType()));
Assert.True(authorizationService.IsUserAuthorized("someone else", someOneElsesGroups, Permissions.Read, (Resources)resource1.resourceType()));
Assert.True(authorizationService.IsUserAuthorized("someone else", null, Permissions.All, (Resources)resource1.resourceType()));
Assert.True(authorizationService.IsUserAuthorized("someone else", someOneElsesGroups, Permissions.Read, (Resources)resource1.resourceType()));
// jonny can still Delete
Assert.True(authorizationService.IsUserAuthorized("jonny", null, Permissions.Delete, (Resources)resource1.resourceType()));
Assert.True(authorizationService.IsUserAuthorized("jonny", jonnysGroups, Permissions.Delete, (Resources)resource1.resourceType()));
}
[Test] public virtual void testTenantCreateAuthorizations()
{
// add base permission which allows nobody to create tenants:
IAuthorization basePerms = authorizationService.CreateNewAuthorization(AuthorizationFields.AuthTypeGlobal);
basePerms.Resource = Resources.Tenant;
basePerms.ResourceId = AuthorizationFields.Any;
basePerms.AddPermission(Permissions.All); // add all then remove 'create'
basePerms.RemovePermission(Permissions.Create);
authorizationService.SaveAuthorization(basePerms);
processEngineConfiguration.SetAuthorizationEnabled(true);
identityService.AuthenticatedUserId = jonny2;
try
{
identityService.NewTenant("tenant");
Assert.Fail("exception expected");
}
catch (AuthorizationException e)
{
Assert.AreEqual(1, e.MissingAuthorizations.Count);
MissingAuthorization info = e.MissingAuthorizations[0];
Assert.AreEqual(jonny2, e.UserId);
AuthorizationTestUtil.AssertExceptionInfo(Permissions.Create.ToString(), Resources.Tenant.ToString() /*.ResourceName()*/, null, info);
}
// circumvent auth check to get new transient userobject
ITenant tenant = new TenantEntity("tenant");
try
{
identityService.SaveTenant(tenant);
Assert.Fail("exception expected");
}
catch (AuthorizationException e)
{
Assert.AreEqual(1, e.MissingAuthorizations.Count);
MissingAuthorization info = e.MissingAuthorizations[0];
Assert.AreEqual(jonny2, e.UserId);
AuthorizationTestUtil.AssertExceptionInfo(Permissions.Create.ToString(), Resources.Tenant.ToString() /*.ResourceName()*/, null, info);
}
}
[Test] public virtual void testTenantUpdateAuthorizations()
{
// create tenant
ITenant tenant = new TenantEntity("tenant");
identityService.SaveTenant(tenant);
// create global auth
IAuthorization basePerms = authorizationService.CreateNewAuthorization(AuthorizationFields.AuthTypeGlobal);
basePerms.Resource = Resources.Tenant;
basePerms.ResourceId = AuthorizationFields.Any;
basePerms.AddPermission(Permissions.All);
basePerms.RemovePermission(Permissions.Update); // revoke update
authorizationService.SaveAuthorization(basePerms);
// turn on authorization
processEngineConfiguration.SetAuthorizationEnabled(true);
identityService.AuthenticatedUserId = jonny2;
// fetch user:
tenant = identityService.CreateTenantQuery().First();
tenant.Name = "newName";
try
{
identityService.SaveTenant(tenant);
Assert.Fail("exception expected");
}
catch (AuthorizationException e)
{
Assert.AreEqual(1, e.MissingAuthorizations.Count);
MissingAuthorization info = e.MissingAuthorizations[0];
Assert.AreEqual(jonny2, e.UserId);
AuthorizationTestUtil.AssertExceptionInfo(Permissions.Update.ToString(), Resources.Tenant.ToString() /*.ResourceName()*/, "tenant", info);
}
// but I can create a new tenant:
ITenant newTenant = identityService.NewTenant("newTenant");
identityService.SaveTenant(newTenant);
}
[Test] public virtual void testGroupUpdateAuthorizations()
{
// crate group while still in god-mode:
IGroup group1 = identityService.NewGroup("group1");
identityService.SaveGroup(group1);
// create global auth
IAuthorization basePerms = authorizationService.CreateNewAuthorization(AuthorizationFields.AuthTypeGlobal);
basePerms.Resource = Resources.Group;
basePerms.ResourceId = AuthorizationFields.Any;
basePerms.AddPermission(Permissions.All);
basePerms.RemovePermission(Permissions.Update); // revoke update
authorizationService.SaveAuthorization(basePerms);
// turn on authorization
processEngineConfiguration.SetAuthorizationEnabled(true);
identityService.AuthenticatedUserId = jonny2;
// fetch user:
group1 = identityService.CreateGroupQuery().First();
//group1.ToString() = "IGroup 1";
try
{
identityService.SaveGroup(group1);
Assert.Fail("exception expected");
}
catch (AuthorizationException e)
{
Assert.AreEqual(1, e.MissingAuthorizations.Count);
MissingAuthorization info = e.MissingAuthorizations[0];
Assert.AreEqual(jonny2, e.UserId);
AuthorizationTestUtil.AssertExceptionInfo(Permissions.Update.ToString(), Resources.Group.ToString() /*.ResourceName()*/, "group1", info);
}
// but I can create a new group:
IGroup group2 = identityService.NewGroup("group2");
identityService.SaveGroup(group2);
}
[Test] public virtual void testUserUpdateAuthorizations()
{
// crate user while still in god-mode:
IUser jonny1 = identityService.NewUser("jonny1");
identityService.SaveUser(jonny1);
// create global auth
IAuthorization basePerms = authorizationService.CreateNewAuthorization(AuthorizationFields.AuthTypeGlobal);
basePerms.Resource = Resources.User;
basePerms.ResourceId = AuthorizationFields.Any;
basePerms.AddPermission(Permissions.All);
basePerms.RemovePermission(Permissions.Update); // revoke update
authorizationService.SaveAuthorization(basePerms);
// turn on authorization
processEngineConfiguration.SetAuthorizationEnabled(true);
identityService.AuthenticatedUserId = jonny2;
// fetch user:
jonny1 = identityService.CreateUserQuery().First();
jonny1.FirstName = "Jonny";
try
{
identityService.SaveUser(jonny1);
Assert.Fail("exception expected");
}
catch (AuthorizationException e)
{
Assert.AreEqual(1, e.MissingAuthorizations.Count);
MissingAuthorization info = e.MissingAuthorizations[0];
Assert.AreEqual(jonny2, e.UserId);
AuthorizationTestUtil.AssertExceptionInfo(Permissions.Update.ToString(), Resources.User.ToString() /*.ResourceName()*/, "jonny1", info);
}
// but I can create a new user:
IUser jonny3 = identityService.NewUser("jonny3");
identityService.SaveUser(jonny3);
}
[Test] public virtual void testUserQueryAuthorizationsMultipleGroups()
{
// we are jonny2
string authUserId = "jonny2";
identityService.AuthenticatedUserId = authUserId;
IUser demo = identityService.NewUser("demo");
identityService.SaveUser(demo);
IUser mary = identityService.NewUser("mary");
identityService.SaveUser(mary);
IUser peter = identityService.NewUser("peter");
identityService.SaveUser(peter);
IUser john = identityService.NewUser("john");
identityService.SaveUser(john);
IGroup sales = identityService.NewGroup("sales");
identityService.SaveGroup(sales);
IGroup accounting = identityService.NewGroup("accounting");
identityService.SaveGroup(accounting);
IGroup management = identityService.NewGroup("management");
identityService.SaveGroup(management);
identityService.CreateMembership("demo", "sales");
identityService.CreateMembership("demo", "accounting");
identityService.CreateMembership("demo", "management");
identityService.CreateMembership("john", "sales");
identityService.CreateMembership("mary", "accounting");
identityService.CreateMembership("peter", "management");
IAuthorization demoAuth = authorizationService.CreateNewAuthorization(AuthorizationFields.AuthTypeGrant);
demoAuth.UserId = "demo";
demoAuth.Resource = Resources.User;
demoAuth.ResourceId = "demo";
demoAuth.AddPermission(Permissions.All);
authorizationService.SaveAuthorization(demoAuth);
IAuthorization johnAuth = authorizationService.CreateNewAuthorization(AuthorizationFields.AuthTypeGrant);
johnAuth.UserId = "john";
johnAuth.Resource = Resources.User;
johnAuth.ResourceId = "john";
johnAuth.AddPermission(Permissions.All);
authorizationService.SaveAuthorization(johnAuth);
IAuthorization maryAuth = authorizationService.CreateNewAuthorization(AuthorizationFields.AuthTypeGrant);
maryAuth.UserId = "mary";
maryAuth.Resource = Resources.User;
maryAuth.ResourceId = "mary";
maryAuth.AddPermission(Permissions.All);
authorizationService.SaveAuthorization(maryAuth);
IAuthorization peterAuth = authorizationService.CreateNewAuthorization(AuthorizationFields.AuthTypeGrant);
peterAuth.UserId = "peter";
peterAuth.Resource = Resources.User;
peterAuth.ResourceId = "peter";
peterAuth.AddPermission(Permissions.All);
authorizationService.SaveAuthorization(peterAuth);
IAuthorization accAuth = authorizationService.CreateNewAuthorization(AuthorizationFields.AuthTypeGrant);
accAuth.GroupId = "accounting";
accAuth.Resource = Resources.Group;
accAuth.ResourceId = "accounting";
accAuth.AddPermission(Permissions.Read);
authorizationService.SaveAuthorization(accAuth);
IAuthorization salesAuth = authorizationService.CreateNewAuthorization(AuthorizationFields.AuthTypeGrant);
salesAuth.GroupId = "sales";
salesAuth.Resource = Resources.Group;
salesAuth.ResourceId = "sales";
salesAuth.AddPermission(Permissions.Read);
authorizationService.SaveAuthorization(salesAuth);
IAuthorization manAuth = authorizationService.CreateNewAuthorization(AuthorizationFields.AuthTypeGrant);
manAuth.GroupId = "management";
manAuth.Resource = Resources.Group;
manAuth.ResourceId = "management";
manAuth.AddPermission(Permissions.Read);
authorizationService.SaveAuthorization(manAuth);
IAuthorization salesDemoAuth = authorizationService.CreateNewAuthorization(AuthorizationFields.AuthTypeGrant);
salesDemoAuth.GroupId = "sales";
salesDemoAuth.Resource = Resources.User;
salesDemoAuth.ResourceId = "demo";
salesDemoAuth.AddPermission(Permissions.Read);
authorizationService.SaveAuthorization(salesDemoAuth);
IAuthorization salesJohnAuth = authorizationService.CreateNewAuthorization(AuthorizationFields.AuthTypeGrant);
salesJohnAuth.GroupId = "sales";
salesJohnAuth.Resource = Resources.User;
salesJohnAuth.ResourceId = "john";
salesJohnAuth.AddPermission(Permissions.Read);
authorizationService.SaveAuthorization(salesJohnAuth);
IAuthorization manDemoAuth = authorizationService.CreateNewAuthorization(AuthorizationFields.AuthTypeGrant);
manDemoAuth.GroupId = "management";
manDemoAuth.Resource = Resources.User;
manDemoAuth.ResourceId = "demo";
manDemoAuth.AddPermission(Permissions.Read);
authorizationService.SaveAuthorization(manDemoAuth);
IAuthorization manPeterAuth = authorizationService.CreateNewAuthorization(AuthorizationFields.AuthTypeGrant);
manPeterAuth.GroupId = "management";
manPeterAuth.Resource = Resources.User;
manPeterAuth.ResourceId = "peter";
manPeterAuth.AddPermission(Permissions.Read);
authorizationService.SaveAuthorization(manPeterAuth);
IAuthorization accDemoAuth = authorizationService.CreateNewAuthorization(AuthorizationFields.AuthTypeGrant);
accDemoAuth.GroupId = "accounting";
accDemoAuth.Resource = Resources.User;
accDemoAuth.ResourceId = "demo";
accDemoAuth.AddPermission(Permissions.Read);
authorizationService.SaveAuthorization(accDemoAuth);
IAuthorization accMaryAuth = authorizationService.CreateNewAuthorization(AuthorizationFields.AuthTypeGrant);
accMaryAuth.GroupId = "accounting";
accMaryAuth.Resource = Resources.User;
accMaryAuth.ResourceId = "mary";
accMaryAuth.AddPermission(Permissions.Read);
authorizationService.SaveAuthorization(accMaryAuth);
IList <string> groups = new List <string>();
groups.Add("management");
groups.Add("accounting");
groups.Add("sales");
identityService.SetAuthentication("demo", groups);
processEngineConfiguration.SetAuthorizationEnabled(true);
IList <IUser> salesUser = identityService.CreateUserQuery()
//.MemberOfGroup("sales")
.ToList();
Assert.AreEqual(2, salesUser.Count);
foreach (IUser user in salesUser)
{
if (!user.Id.Equals("demo") && !user.Id.Equals("john"))
{
Assert.Fail("Unexpected user for group sales: " + user.Id);
}
}
IList <IUser> accountingUser = identityService.CreateUserQuery() //.MemberOfGroup("accounting")
.ToList();
Assert.AreEqual(2, accountingUser.Count);
foreach (IUser user in accountingUser)
{
if (!user.Id.Equals("demo") && !user.Id.Equals("mary"))
{
Assert.Fail("Unexpected user for group accounting: " + user.Id);
}
}
IList <IUser> managementUser = identityService.CreateUserQuery() //.MemberOfGroup("management")
.ToList();
Assert.AreEqual(2, managementUser.Count);
foreach (IUser user in managementUser)
{
if (!user.Id.Equals("demo") && !user.Id.Equals("peter"))
{
Assert.Fail("Unexpected user for group managment: " + user.Id);
}
}
}
[Test] public virtual void testTenantQueryAuthorizations()
{
// we are jonny2
string authUserId = "jonny2";
identityService.AuthenticatedUserId = authUserId;
// create new user jonny1
IUser jonny1 = identityService.NewUser("jonny1");
identityService.SaveUser(jonny1);
// create new tenant
ITenant tenant = identityService.NewTenant("tenant");
identityService.SaveTenant(tenant);
// set base permission for all users (no-one has any permissions on tenants)
IAuthorization basePerms = authorizationService.CreateNewAuthorization(AuthorizationFields.AuthTypeGlobal);
basePerms.Resource = Resources.Tenant;
basePerms.ResourceId = AuthorizationFields.Any;
authorizationService.SaveAuthorization(basePerms);
// now enable checks
processEngineConfiguration.SetAuthorizationEnabled(true);
// we cannot fetch the tenants
Assert.AreEqual(0, identityService.CreateTenantQuery().Count());
// now we add permission for jonny2 to read the tenants:
processEngineConfiguration.SetAuthorizationEnabled(false);
IAuthorization ourPerms = authorizationService.CreateNewAuthorization(AuthorizationFields.AuthTypeGrant);
ourPerms.UserId = authUserId;
ourPerms.Resource = Resources.Tenant;
ourPerms.ResourceId = AuthorizationFields.Any;
ourPerms.AddPermission(Permissions.Read);
authorizationService.SaveAuthorization(ourPerms);
processEngineConfiguration.SetAuthorizationEnabled(true);
// now we can fetch the tenants
Assert.AreEqual(1, identityService.CreateTenantQuery().Count());
// change the base permission:
processEngineConfiguration.SetAuthorizationEnabled(false);
basePerms = authorizationService.CreateAuthorizationQuery(c => c.ResourceType == Resources.Tenant && c.UserId == "*").First();
basePerms.AddPermission(Permissions.Read);
authorizationService.SaveAuthorization(basePerms);
processEngineConfiguration.SetAuthorizationEnabled(true);
// we can still fetch the tenants
Assert.AreEqual(1, identityService.CreateTenantQuery().Count());
// revoke permission for jonny2:
processEngineConfiguration.SetAuthorizationEnabled(false);
ourPerms = authorizationService.CreateAuthorizationQuery(c => c.ResourceType == Resources.Tenant && c.UserId == authUserId).First();
ourPerms.RemovePermission(Permissions.Read);
authorizationService.SaveAuthorization(ourPerms);
IAuthorization revoke = authorizationService.CreateNewAuthorization(AuthorizationFields.AuthTypeRevoke);
revoke.UserId = authUserId;
revoke.Resource = Resources.Tenant;
revoke.ResourceId = AuthorizationFields.Any;
revoke.RemovePermission(Permissions.Read);
authorizationService.SaveAuthorization(revoke);
processEngineConfiguration.SetAuthorizationEnabled(true);
// now we cannot fetch the tenants
Assert.AreEqual(0, identityService.CreateTenantQuery().Count());
// Delete our permissions
processEngineConfiguration.SetAuthorizationEnabled(false);
authorizationService.DeleteAuthorization(ourPerms.Id);
authorizationService.DeleteAuthorization(revoke.Id);
processEngineConfiguration.SetAuthorizationEnabled(true);
// now the base permission applies and grants us read access
Assert.AreEqual(1, identityService.CreateTenantQuery().Count());
}