public virtual void testDeleteAuthorization()
{
// create global auth
Authorization basePerms = authorizationService.createNewAuthorization(AUTH_TYPE_GLOBAL);
basePerms.Resource = AUTHORIZATION;
basePerms.ResourceId = ANY;
basePerms.addPermission(ALL);
basePerms.removePermission(DELETE); // revoke delete
authorizationService.saveAuthorization(basePerms);
// turn on authorization
processEngineConfiguration.AuthorizationEnabled = true;
identityService.AuthenticatedUserId = jonny2;
try
{
// try to delete authorization
authorizationService.deleteAuthorization(basePerms.Id);
fail("exception expected");
}
catch (AuthorizationException e)
{
assertEquals(1, e.MissingAuthorizations.Count);
MissingAuthorization info = e.MissingAuthorizations[0];
assertEquals(jonny2, e.UserId);
assertExceptionInfo(DELETE.Name, AUTHORIZATION.resourceName(), basePerms.Id, info);
}
}
//JAVA TO C# CONVERTER WARNING: Method 'throws' clauses are not available in .NET:
//ORIGINAL LINE: public void testSaveAuthorizationSetPermissionsWithValidResource() throws Exception
public virtual void testSaveAuthorizationSetPermissionsWithValidResource()
{
// given
Authorization authorization = authorizationService.createNewAuthorization(AUTH_TYPE_GRANT);
authorization.UserId = "userId";
authorization.addPermission(Permissions.ACCESS);
// 'ACCESS' is not allowed for Batches
// however, it will be reset by next line, so saveAuthorization will be successful
authorization.Permissions = new BatchPermissions[] { BatchPermissions.CREATE_BATCH_MIGRATE_PROCESS_INSTANCES, BatchPermissions.CREATE_BATCH_DELETE_DECISION_INSTANCES };
authorization.Resource = Resources.BATCH;
authorization.ResourceId = ANY;
processEngineConfiguration.AuthorizationEnabled = true;
// when
authorizationService.saveAuthorization(authorization);
// then
Authorization authorizationResult = authorizationService.createAuthorizationQuery().resourceType(Resources.BATCH).singleResult();
assertNotNull(authorizationResult);
assertTrue(authorizationResult.isPermissionGranted(BatchPermissions.CREATE_BATCH_MIGRATE_PROCESS_INSTANCES));
assertTrue(authorizationResult.isPermissionGranted(BatchPermissions.CREATE_BATCH_DELETE_DECISION_INSTANCES));
}
public virtual void testIsUserAuthorizedWithInvalidResourceMultiplePermissions()
{
// given
Authorization authorization = authorizationService.createNewAuthorization(AUTH_TYPE_GRANT);
string userId = "userId";
authorization.UserId = userId;
authorization.addPermission(ProcessInstancePermissions.READ);
authorization.addPermission(ProcessInstancePermissions.RETRY_JOB);
authorization.Resource = Resources.PROCESS_INSTANCE;
authorization.ResourceId = ANY;
authorizationService.saveAuthorization(authorization);
processEngineConfiguration.AuthorizationEnabled = true;
// then
assertEquals(true, authorizationService.isUserAuthorized(userId, null, Permissions.READ, Resources.PROCESS_INSTANCE));
assertEquals(true, authorizationService.isUserAuthorized(userId, null, ProcessInstancePermissions.RETRY_JOB, Resources.PROCESS_INSTANCE));
assertEquals(false, authorizationService.isUserAuthorized(userId, null, BatchPermissions.CREATE_BATCH_MIGRATE_PROCESS_INSTANCES, Resources.BATCH));
assertEquals(false, authorizationService.isUserAuthorized(userId, null, ProcessDefinitionPermissions.RETRY_JOB, Resources.PROCESS_DEFINITION));
assertEquals(false, authorizationService.isUserAuthorized(userId, null, Permissions.ACCESS, Resources.APPLICATION));
try
{
authorizationService.isUserAuthorized(userId, null, ProcessDefinitionPermissions.RETRY_JOB, Resources.PROCESS_INSTANCE);
fail("expected exception");
}
catch (BadUserRequestException e)
{
assertTrue(e.Message.contains("The resource type 'ProcessInstance' is not valid"));
assertTrue(e.Message.contains(ProcessDefinitionPermissions.RETRY_JOB.Name));
}
}
// authorization ///////////////////////////////////////////////////////
protected internal virtual void createGrantAuthorization(Resource resource, string resourceId, Permission permission, string userId)
{
Authorization authorization = createGrantAuthorization(resource, resourceId);
authorization.UserId = userId;
authorization.addPermission(permission);
saveAuthorization(authorization);
}
// transformers ///////////////////////////////////////
public static void update(AuthorizationCreateDto dto, Authorization dbAuthorization, ProcessEngineConfiguration engineConfiguration)
{
dbAuthorization.GroupId = dto.GroupId;
dbAuthorization.UserId = dto.UserId;
dbAuthorization.ResourceType = dto.ResourceType.Value;
dbAuthorization.ResourceId = dto.ResourceId;
dbAuthorization.Permissions = PermissionConverter.getPermissionsForNames(dto.Permissions, dto.ResourceType.Value, engineConfiguration);
}
public virtual void updateAuthorization(AuthorizationDto dto)
{
// get db auth
Authorization dbAuthorization = DbAuthorization;
// copy values from dto
AuthorizationDto.update(dto, dbAuthorization, processEngine.ProcessEngineConfiguration);
// save
authorizationService.saveAuthorization(dbAuthorization);
}
protected internal static Authorization createAuthorization(AuthorizationService authorizationService, Permission permission, Resources resource, string userId)
{
Authorization auth = authorizationService.createNewAuthorization(AUTH_TYPE_GRANT);
auth.addPermission(permission);
auth.Resource = resource;
auth.ResourceId = org.camunda.bpm.engine.authorization.Authorization_Fields.ANY;
auth.UserId = userId;
return(auth);
}
protected internal virtual void createGrantAuthorization(Resource resource, string resourceId, string userId, params Permission[] permissions)
{
Authorization authorization = createAuthorization(AUTH_TYPE_GRANT, resource, resourceId);
authorization.UserId = userId;
foreach (Permission permission in permissions)
{
authorization.addPermission(permission);
}
authorizationService.saveAuthorization(authorization);
}
protected internal virtual Authorization createAuthorization(int type, Resource resource, string resourceId)
{
Authorization authorization = authorizationService.createNewAuthorization(type);
authorization.Resource = resource;
if (!string.ReferenceEquals(resourceId, null))
{
authorization.ResourceId = resourceId;
}
return(authorization);
}
protected internal virtual void grouptGrant(string groupId, Resource resource, params Permission[] perms)
{
AuthorizationService authorizationService = engine.AuthorizationService;
Authorization groupGrant = authorizationService.createNewAuthorization(AUTH_TYPE_GRANT);
groupGrant.Resource = resource;
groupGrant.ResourceId = ANY;
foreach (Permission permission in perms)
{
groupGrant.addPermission(permission);
}
groupGrant.GroupId = groupId;
authorizationService.saveAuthorization(groupGrant);
}
public virtual void testCreateAuthorization()
{
// add base permission which allows nobody to create authorizations
Authorization basePerms = authorizationService.createNewAuthorization(AUTH_TYPE_GLOBAL);
basePerms.Resource = AUTHORIZATION;
basePerms.ResourceId = ANY;
basePerms.addPermission(ALL); // add all then remove 'create'
basePerms.removePermission(CREATE);
authorizationService.saveAuthorization(basePerms);
// now enable authorizations:
processEngineConfiguration.AuthorizationEnabled = true;
identityService.AuthenticatedUserId = jonny2;
try
{
// we cannot create another authorization
authorizationService.createNewAuthorization(AUTH_TYPE_GLOBAL);
fail("exception expected");
}
catch (AuthorizationException e)
{
assertEquals(1, e.MissingAuthorizations.Count);
MissingAuthorization info = e.MissingAuthorizations[0];
assertEquals(jonny2, e.UserId);
assertExceptionInfo(CREATE.Name, AUTHORIZATION.resourceName(), null, info);
}
// circumvent auth check to get new transient object
Authorization authorization = new AuthorizationEntity(AUTH_TYPE_REVOKE);
authorization.UserId = "someUserId";
authorization.Resource = Resources.APPLICATION;
try
{
authorizationService.saveAuthorization(authorization);
fail("exception expected");
}
catch (AuthorizationException e)
{
assertEquals(1, e.MissingAuthorizations.Count);
MissingAuthorization info = e.MissingAuthorizations[0];
assertEquals(jonny2, e.UserId);
assertExceptionInfo(CREATE.Name, AUTHORIZATION.resourceName(), null, info);
}
}
public virtual void testIsUserAuthorizedWithValidResourceImpl()
{
// given
ResourceImpl resource = new ResourceImpl(this, "application", 0);
Authorization authorization = authorizationService.createNewAuthorization(AUTH_TYPE_GRANT);
string userId = "userId";
authorization.UserId = userId;
authorization.addPermission(Permissions.ACCESS);
authorization.Resource = Resources.APPLICATION;
authorization.ResourceId = ANY;
authorizationService.saveAuthorization(authorization);
processEngineConfiguration.AuthorizationEnabled = true;
// then
assertEquals(true, authorizationService.isUserAuthorized(userId, null, Permissions.ACCESS, resource));
}
public virtual void testUserUpdateAuthorizations()
{
// create global auth
Authorization basePerms = authorizationService.createNewAuthorization(AUTH_TYPE_GLOBAL);
basePerms.Resource = AUTHORIZATION;
basePerms.ResourceId = ANY;
basePerms.addPermission(ALL);
basePerms.removePermission(UPDATE); // revoke update
authorizationService.saveAuthorization(basePerms);
// turn on authorization
processEngineConfiguration.AuthorizationEnabled = true;
identityService.AuthenticatedUserId = jonny2;
// fetch authhorization
basePerms = authorizationService.createAuthorizationQuery().singleResult();
// make some change to the perms
basePerms.addPermission(ALL);
try
{
authorizationService.saveAuthorization(basePerms);
fail("exception expected");
}
catch (AuthorizationException e)
{
assertEquals(1, e.MissingAuthorizations.Count);
MissingAuthorization info = e.MissingAuthorizations[0];
assertEquals(jonny2, e.UserId);
assertExceptionInfo(UPDATE.Name, AUTHORIZATION.resourceName(), basePerms.Id, info);
}
// but we can create a new auth
Authorization newAuth = authorizationService.createNewAuthorization(AUTH_TYPE_GRANT);
newAuth.UserId = "jonny2";
newAuth.Resource = AUTHORIZATION;
newAuth.ResourceId = ANY;
newAuth.addPermission(ALL);
authorizationService.saveAuthorization(newAuth);
}
//JAVA TO C# CONVERTER WARNING: Method 'throws' clauses are not available in .NET:
//ORIGINAL LINE: public void testSaveAuthorizationSetPermissionsWithInvalidResource() throws Exception
public virtual void testSaveAuthorizationSetPermissionsWithInvalidResource()
{
// given
Authorization authorization = authorizationService.createNewAuthorization(AUTH_TYPE_GRANT);
authorization.UserId = "userId";
authorization.Permissions = new BatchPermissions[] { BatchPermissions.CREATE_BATCH_MIGRATE_PROCESS_INSTANCES };
authorization.Resource = Resources.PROCESS_INSTANCE;
authorization.ResourceId = ANY;
processEngineConfiguration.AuthorizationEnabled = true;
try
{
// when
authorizationService.saveAuthorization(authorization);
fail("expected exception");
}
catch (BadUserRequestException e)
{
// then
assertTrue(e.Message.contains("The resource type with id:'8' is not valid for 'CREATE_BATCH_MIGRATE_PROCESS_INSTANCES' permission."));
}
// given
authorization = authorizationService.createNewAuthorization(AUTH_TYPE_GRANT);
authorization.UserId = "userId";
authorization.Permissions = new Permissions[] { Permissions.CREATE, Permissions.ACCESS };
authorization.Resource = Resources.PROCESS_INSTANCE;
try
{
// when
authorizationService.saveAuthorization(authorization);
fail("expected exception");
}
catch (BadUserRequestException e)
{
// then
assertTrue(e.Message.contains("The resource type with id:'8' is not valid for 'ACCESS' permission."));
}
}
//JAVA TO C# CONVERTER TODO TASK: Most Java annotations will not have direct .NET equivalent attributes:
//ORIGINAL LINE: @Test public void testWithoutAdminUser()
public virtual void testWithoutAdminUser()
{
processEngineConfiguration.AuthorizationEnabled = false;
identityService.setAuthentication("adminUser", null, null);
Authorization userAuth = authorizationService.createNewAuthorization(AUTH_TYPE_GRANT);
userAuth.UserId = "adminUser";
userAuth.Resource = USER;
userAuth.ResourceId = ANY;
userAuth.addPermission(READ);
authorizationService.saveAuthorization(userAuth);
processEngineConfiguration.AuthorizationEnabled = true;
// then
thrown.expect(typeof(AuthorizationException));
thrown.expectMessage("Required admin authenticated group or user.");
// when
managementService.Properties;
}
//JAVA TO C# CONVERTER TODO TASK: Most Java annotations will not have direct .NET equivalent attributes:
//ORIGINAL LINE: @Test public void testWithAdminUser()
public virtual void testWithAdminUser()
{
processEngineConfiguration.AdminUsers.Add("adminUser");
processEngineConfiguration.AuthorizationEnabled = false;
identityService.setAuthentication("adminUser", null, null);
Authorization userAuth = authorizationService.createNewAuthorization(AUTH_TYPE_GRANT);
userAuth.UserId = "adminUser";
userAuth.Resource = USER;
userAuth.ResourceId = ANY;
userAuth.addPermission(READ);
authorizationService.saveAuthorization(userAuth);
processEngineConfiguration.AuthorizationEnabled = true;
// when
managementService.Properties;
// then no exception
}
// user ////////////////////////////////////////////////////////////////
protected internal virtual User createUser(string userId)
{
User user = identityService.newUser(userId);
identityService.saveUser(user);
// give user all permission to manipulate authorizations
Authorization authorization = createGrantAuthorization(AUTHORIZATION, ANY);
authorization.UserId = userId;
authorization.addPermission(ALL);
saveAuthorization(authorization);
// give user all permission to manipulate users
authorization = createGrantAuthorization(USER, ANY);
authorization.UserId = userId;
authorization.addPermission(Permissions.ALL);
saveAuthorization(authorization);
return(user);
}
//JAVA TO C# CONVERTER TODO TASK: Most Java annotations will not have direct .NET equivalent attributes:
//ORIGINAL LINE: @Test public void testWithAdminGroup()
public virtual void testWithAdminGroup()
{
processEngineConfiguration.AdminGroups.Add("adminGroup");
processEngineConfiguration.AuthorizationEnabled = false;
identityService.setAuthentication("admin", Collections.singletonList("adminGroup"), null);
Authorization userAuth = authorizationService.createNewAuthorization(AUTH_TYPE_GRANT);
userAuth.UserId = "admin";
userAuth.Resource = USER;
userAuth.ResourceId = ANY;
userAuth.addPermission(READ);
authorizationService.saveAuthorization(userAuth);
processEngineConfiguration.AuthorizationEnabled = true;
// when
identityService.unlockUser("jonny1");
// then no exception
}
public void execute(ProcessEngine engine, string scenarioName)
{
IdentityService identityService = engine.IdentityService;
string userId = USER_ID + scenarioName;
string groupid = GROUP_ID + scenarioName;
// create an user
User user = identityService.newUser(userId);
identityService.saveUser(user);
// create group
Group group = identityService.newGroup(groupid);
identityService.saveGroup(group);
// create membership
identityService.createMembership(userId, groupid);
//create full authorization
AuthorizationService authorizationService = engine.AuthorizationService;
//authorization for process definition
Authorization authProcDef = createAuthorization(authorizationService, Permissions.ALL, Resources.PROCESS_DEFINITION, userId);
engine.AuthorizationService.saveAuthorization(authProcDef);
//authorization for deployment
Authorization authDeployment = createAuthorization(authorizationService, Permissions.ALL, Resources.DEPLOYMENT, userId);
engine.AuthorizationService.saveAuthorization(authDeployment);
//authorization for process instance create
Authorization authProcessInstance = createAuthorization(authorizationService, Permissions.CREATE, Resources.PROCESS_INSTANCE, userId);
engine.AuthorizationService.saveAuthorization(authProcessInstance);
// start a process instance
engine.RuntimeService.startProcessInstanceByKey(PROCESS_DEF_KEY, scenarioName);
}
public virtual void testAuthorizationQueryAuthorizations()
{
// we are jonny2
string authUserId = "jonny2";
identityService.AuthenticatedUserId = authUserId;
// create new auth wich revokes read access on auth
Authorization basePerms = authorizationService.createNewAuthorization(AUTH_TYPE_GLOBAL);
basePerms.Resource = AUTHORIZATION;
basePerms.ResourceId = ANY;
authorizationService.saveAuthorization(basePerms);
// I can see it
assertEquals(1, authorizationService.createAuthorizationQuery().count());
// now enable checks
processEngineConfiguration.AuthorizationEnabled = true;
// I can't see it
assertEquals(0, authorizationService.createAuthorizationQuery().count());
}
//JAVA TO C# CONVERTER WARNING: Method 'throws' clauses are not available in .NET:
//ORIGINAL LINE: public void testSaveAuthorizationMultipleResourcesIncludingInvalidResource() throws Exception
public virtual void testSaveAuthorizationMultipleResourcesIncludingInvalidResource()
{
// given
Authorization authorization = authorizationService.createNewAuthorization(AUTH_TYPE_GRANT);
authorization.UserId = "userId";
authorization.addPermission(Permissions.READ_HISTORY);
authorization.addPermission(BatchPermissions.CREATE_BATCH_MIGRATE_PROCESS_INSTANCES);
authorization.Resource = Resources.PROCESS_DEFINITION;
processEngineConfiguration.AuthorizationEnabled = true;
try
{
// when
authorizationService.saveAuthorization(authorization);
fail("expected exception");
}
catch (BadUserRequestException e)
{
// then
assertTrue(e.Message.contains("The resource type with id:'6' is not valid for 'CREATE_BATCH_MIGRATE_PROCESS_INSTANCES' permission."));
}
}
protected internal virtual void saveAuthorization(Authorization authorization)
{
authorizationService.saveAuthorization(authorization);
}
protected internal virtual Authorization createGrantAuthorization(Resource resource, string resourceId)
{
Authorization authorization = createAuthorization(AUTH_TYPE_GRANT, resource, resourceId);
return(authorization);
}
public virtual void deleteAuthorization()
{
Authorization dbAuthorization = DbAuthorization;
authorizationService.deleteAuthorization(dbAuthorization.Id);
}
public virtual AuthorizationDto getAuthorization(UriInfo context)
{
Authorization dbAuthorization = DbAuthorization;
return(AuthorizationDto.fromAuthorization(dbAuthorization, processEngine.ProcessEngineConfiguration));
}
