public void MoveToLaterPosition()
{
var accessType0 = AccessTypeDefinition.NewObject();
var accessType1 = AccessTypeDefinition.NewObject();
var accessType2 = AccessTypeDefinition.NewObject();
var accessType3 = AccessTypeDefinition.NewObject();
var accessType4 = AccessTypeDefinition.NewObject();
var securableClassDefinition = SecurableClassDefinition.NewObject();
securableClassDefinition.AddAccessType(accessType0);
securableClassDefinition.AddAccessType(accessType1);
securableClassDefinition.AddAccessType(accessType2);
securableClassDefinition.AddAccessType(accessType3);
securableClassDefinition.AddAccessType(accessType4);
securableClassDefinition.MoveAccessType(3, accessType1);
Assert.That(securableClassDefinition.AccessTypes, Is.EqualTo(new[] { accessType0, accessType2, accessType3, accessType1, accessType4 }));
var references = new SecurableClassDefinitionWrapper(securableClassDefinition).AccessTypeReferences;
for (int i = 0; i < references.Count; i++)
{
Assert.That(((AccessTypeReference)references[i]).Index, Is.EqualTo(i));
}
}
public void RemovesPermissionsForRemovedAccessType()
{
var accessType0 = AccessTypeDefinition.NewObject();
var accessType1 = AccessTypeDefinition.NewObject();
var accessType2 = AccessTypeDefinition.NewObject();
var securableClassDefinition = SecurableClassDefinition.NewObject();
securableClassDefinition.AddAccessType(accessType0);
securableClassDefinition.AddAccessType(accessType1);
securableClassDefinition.AddAccessType(accessType2);
var testHelper = new AccessControlTestHelper(ClientTransaction.Current);
var acls = new List <AccessControlList>();
acls.Add(testHelper.CreateStatefulAcl(securableClassDefinition));
acls.Add(testHelper.CreateStatelessAcl(securableClassDefinition));
foreach (var acl in acls)
{
acl.CreateAccessControlEntry();
}
securableClassDefinition.RemoveAccessType(accessType1);
foreach (var acl in acls)
{
var permissions = acl.AccessControlEntries[0].GetPermissions();
Assert.That(permissions.Count, Is.EqualTo(2));
Assert.That(permissions[0].AccessType, Is.SameAs(accessType0));
Assert.That(permissions[1].AccessType, Is.SameAs(accessType2));
}
}
public void LeavesPermissionsUntouched()
{
var accessType0 = AccessTypeDefinition.NewObject();
var accessType1 = AccessTypeDefinition.NewObject();
var securableClassDefinition = SecurableClassDefinition.NewObject();
securableClassDefinition.AddAccessType(accessType0);
securableClassDefinition.AddAccessType(accessType1);
var testHelper = new AccessControlTestHelper(ClientTransaction.Current);
var acls = new List <AccessControlList>();
acls.Add(testHelper.CreateStatefulAcl(securableClassDefinition));
acls.Add(testHelper.CreateStatelessAcl(securableClassDefinition));
foreach (var acl in acls)
{
var ace = acl.CreateAccessControlEntry();
ace.DenyAccess(accessType0);
ace.AllowAccess(accessType1);
}
securableClassDefinition.MoveAccessType(0, accessType1);
foreach (var acl in acls)
{
var permissions = acl.AccessControlEntries[0].GetPermissions();
Assert.That(permissions.Count, Is.EqualTo(2));
Assert.That(permissions[0].AccessType, Is.SameAs(accessType1));
Assert.That(permissions[0].Allowed, Is.True);
Assert.That(permissions[1].AccessType, Is.SameAs(accessType0));
Assert.That(permissions[1].Allowed, Is.False);
}
}
public void RemovesAccessType()
{
var accessType0 = AccessTypeDefinition.NewObject();
var accessType1 = AccessTypeDefinition.NewObject();
var accessType2 = AccessTypeDefinition.NewObject();
var accessType3 = AccessTypeDefinition.NewObject();
var accessType4 = AccessTypeDefinition.NewObject();
var securableClassDefinition = SecurableClassDefinition.NewObject();
securableClassDefinition.AddAccessType(accessType0);
securableClassDefinition.AddAccessType(accessType1);
securableClassDefinition.AddAccessType(accessType2);
securableClassDefinition.AddAccessType(accessType3);
securableClassDefinition.AddAccessType(accessType4);
securableClassDefinition.RemoveAccessType(accessType2);
Assert.That(securableClassDefinition.AccessTypes, Is.EqualTo(new[] { accessType0, accessType1, accessType3, accessType4 }));
var references = new SecurableClassDefinitionWrapper(securableClassDefinition).AccessTypeReferences;
Assert.That(((AccessTypeReference)references[0]).Index, Is.EqualTo(0));
Assert.That(((AccessTypeReference)references[1]).Index, Is.EqualTo(1));
Assert.That(((AccessTypeReference)references[2]).Index, Is.EqualTo(2));
Assert.That(((AccessTypeReference)references[3]).Index, Is.EqualTo(3));
}
public void Import_3AccessTypes()
{
string metadataXml =
@"
<securityMetadata xmlns=""http://www.re-motion.org/Security/Metadata/1.0"">
<classes />
<stateProperties />
<accessTypes>
<accessType id=""1d6d25bc-4e85-43ab-a42d-fb5a829c30d5"" name=""Create|Remotion.Security.GeneralAccessTypes, Remotion.Security"" value=""0"" />
<accessType id=""62dfcd92-a480-4d57-95f1-28c0f5996b3a"" name=""Read|Remotion.Security.GeneralAccessTypes, Remotion.Security"" value=""1"" />
<accessType id=""11186122-6de0-4194-b434-9979230c41fd"" name=""Edit|Remotion.Security.GeneralAccessTypes, Remotion.Security"" value=""2"" />
</accessTypes>
<abstractRoles />
</securityMetadata>
";
_importer.Import(GetXmlDocument(metadataXml));
using (_testHelper.Transaction.EnterNonDiscardingScope())
{
Assert.AreEqual(0, _importer.Classes.Count, "Class count");
Assert.AreEqual(0, _importer.StateProperties.Count, "State property count");
Assert.AreEqual(0, _importer.AbstractRoles.Count, "Abstract role count");
Assert.AreEqual(3, _importer.AccessTypes.Count, "Access type count");
AccessTypeDefinition expectedAccessType1 = _testHelper.CreateAccessTypeCreate(0);
MetadataObjectAssert.AreEqual(expectedAccessType1, _importer.AccessTypes[expectedAccessType1.MetadataItemID], "Access Type Create");
AccessTypeDefinition expectedAccessType2 = _testHelper.CreateAccessTypeRead(1);
MetadataObjectAssert.AreEqual(expectedAccessType2, _importer.AccessTypes[expectedAccessType2.MetadataItemID], "Access Type Read");
AccessTypeDefinition expectedAccessType3 = _testHelper.CreateAccessTypeEdit(2);
MetadataObjectAssert.AreEqual(expectedAccessType3, _importer.AccessTypes[expectedAccessType3.MetadataItemID], "Access Type Edit");
}
}
public AccessTypeDefinition CreateJournalizeAccessType()
{
using (_transaction.EnterNonDiscardingScope())
{
return(AccessTypeDefinition.NewObject(Guid.NewGuid(), "Journalize", 42));
}
}
public AccessTypeDefinition CreateAccessType(Guid metadataItemID, string name, int value)
{
using (_transaction.EnterNonDiscardingScope())
{
AccessTypeDefinition accessType = AccessTypeDefinition.NewObject(metadataItemID, name, value);
return(accessType);
}
}
public void RemoveAccess(AccessTypeDefinition accessType)
{
ArgumentUtility.CheckNotNull("accessType", accessType);
var permission = GetPermission(accessType);
permission.Allowed = null;
}
private AccessTypeDefinition CreateAccessType(Guid metadataItemID, string name)
{
AccessTypeDefinition accessType = AccessTypeDefinition.NewObject();
accessType.MetadataItemID = metadataItemID;
accessType.Name = name;
return(accessType);
}
public void GetAccessTypes_WithMultipleMatchingAces()
{
AbstractRoleDefinition role1 = AbstractRoleDefinition.NewObject(Guid.NewGuid(), "QualityManager", 0);
AccessControlEntry ace1 = AccessControlEntry.NewObject();
ace1.SpecificAbstractRole = role1;
AccessTypeDefinition readAccessType = _testHelper.CreateAccessTypeForAce(ace1, true, Guid.NewGuid(), "Read", 0);
AccessTypeDefinition copyAccessType = _testHelper.CreateAccessTypeForAce(ace1, true, Guid.NewGuid(), "Copy", 1);
AccessTypeDefinition indexAccessType = _testHelper.CreateAccessTypeForAce(ace1, true, Guid.NewGuid(), "Index", 2);
AccessTypeDefinition moveAccessType = _testHelper.CreateAccessTypeForAce(ace1, false, Guid.NewGuid(), "Move", 3);
AccessTypeDefinition appendAccessType = _testHelper.CreateAccessTypeForAce(ace1, false, Guid.NewGuid(), "Append", 4);
AccessTypeDefinition renameAccessType = _testHelper.CreateAccessTypeForAce(ace1, false, Guid.NewGuid(), "Rename", 5);
AccessTypeDefinition writeAccessType = _testHelper.CreateAccessTypeForAce(ace1, true, Guid.NewGuid(), "Write", 6);
AccessTypeDefinition deleteAccessType = _testHelper.CreateAccessTypeForAce(ace1, true, Guid.NewGuid(), "Delete", 7);
AccessTypeDefinition findAccessType = _testHelper.CreateAccessTypeForAce(ace1, null, Guid.NewGuid(), "Find", 8);
AbstractRoleDefinition role2 = AbstractRoleDefinition.NewObject(Guid.NewGuid(), "SoftwareDeveloper", 1);
AccessControlEntry ace2 = AccessControlEntry.NewObject();
ace2.SpecificAbstractRole = role2;
_testHelper.AttachAccessType(ace2, readAccessType, true);
_testHelper.AttachAccessType(ace2, copyAccessType, false);
_testHelper.AttachAccessType(ace2, indexAccessType, null);
_testHelper.AttachAccessType(ace2, moveAccessType, true);
_testHelper.AttachAccessType(ace2, appendAccessType, false);
_testHelper.AttachAccessType(ace2, renameAccessType, null);
_testHelper.AttachAccessType(ace2, writeAccessType, true);
_testHelper.AttachAccessType(ace2, deleteAccessType, false);
_testHelper.AttachAccessType(ace2, findAccessType, null);
AccessControlList acl = _testHelper.CreateStatefulAcl(ace1, ace2);
SecurityToken token = _testHelper.CreateTokenWithAbstractRole(role1, role2);
AccessInformation accessInformation = acl.GetAccessTypes(token);
//read y y y
//copy y n n
//index y - y
//move n y n
//append n n n
//rename n - n
//write - y y
//delete - n n
//find - - -
Assert.That(
accessInformation.AllowedAccessTypes,
Is.EquivalentTo(new[] { readAccessType, indexAccessType, writeAccessType }));
Assert.That(
accessInformation.DeniedAccessTypes,
Is.EquivalentTo(new[] { copyAccessType, moveAccessType, appendAccessType, renameAccessType, deleteAccessType }));
}
public AccessTypeDefinition CreateAccessTypeForAce(AccessControlEntry ace, bool?allowAccess, Guid metadataItemID, string name, int value)
{
using (_transaction.EnterNonDiscardingScope())
{
AccessTypeDefinition accessType = AccessTypeDefinition.NewObject(metadataItemID, name, value);
AttachAccessType(ace, accessType, allowAccess);
return(accessType);
}
}
public AccessTypeDefinition CreateDeleteAccessTypeAndAttachToAce(AccessControlEntry ace, bool?allowAccess)
{
using (_transaction.EnterNonDiscardingScope())
{
AccessTypeDefinition accessType = CreateDeleteAccessType();
AttachAccessType(ace, accessType, allowAccess);
return(accessType);
}
}
public AccessTypeDefinition AttachJournalizeAccessType(SecurableClassDefinition classDefinition)
{
using (_transaction.EnterNonDiscardingScope())
{
AccessTypeDefinition accessType = CreateJournalizeAccessType();
classDefinition.AddAccessType(accessType);
return(accessType);
}
}
public AccessTypeDefinition AttachAccessType(SecurableClassDefinition classDefinition, Guid metadataItemID, string name, int value)
{
using (_transaction.EnterNonDiscardingScope())
{
AccessTypeDefinition accessType = AccessTypeDefinition.NewObject(metadataItemID, name, value);
classDefinition.AddAccessType(accessType);
return(accessType);
}
}
private Permission GetPermission(AccessTypeDefinition accessType)
{
var permission = FindPermission(accessType);
if (permission == null)
{
throw new ArgumentException(
string.Format("The access type '{0}' is not assigned to this access control entry.", accessType.Name), "accessType");
}
return(permission);
}
public void FailsForIndexGreaterThanNumberOfItems()
{
var securableClassDefinition = SecurableClassDefinition.NewObject();
securableClassDefinition.Name = "Class";
securableClassDefinition.AddAccessType(AccessTypeDefinition.NewObject());
Assert.That(
() => securableClassDefinition.InsertAccessType(2, AccessTypeDefinition.NewObject()),
Throws.TypeOf <ArgumentOutOfRangeException>()
.And.Message.StartsWith(
"The index must not be less than 0 or greater than the total number of access types for the securable class definition."));
}
public void FailsForNonExistentAccessType()
{
var securableClassDefinition = SecurableClassDefinition.NewObject();
securableClassDefinition.Name = "Class";
securableClassDefinition.AddAccessType(AccessTypeDefinition.NewObject());
securableClassDefinition.AddAccessType(AccessTypeDefinition.NewObject());
Assert.That(
() => securableClassDefinition.RemoveAccessType(AccessTypeDefinition.NewObject(Guid.NewGuid(), "Test", 42)),
Throws.ArgumentException
.And.Message.StartsWith("The access type 'Test' is not associated with the securable class definition."));
}
public AccessTypeDefinition CreateAccessTypeCreate(int index)
{
using (_transaction.EnterNonDiscardingScope())
{
AccessTypeDefinition type = AccessTypeDefinition.NewObject(
new Guid("1d6d25bc-4e85-43ab-a42d-fb5a829c30d5"),
"Create|Remotion.Security.GeneralAccessTypes, Remotion.Security",
0);
type.Index = index;
return(type);
}
}
public void FailsForExistingAccessType()
{
var accessType = AccessTypeDefinition.NewObject(Guid.NewGuid(), "Test", 42);
var securableClassDefinition = SecurableClassDefinition.NewObject();
securableClassDefinition.Name = "Class";
securableClassDefinition.AddAccessType(accessType);
Assert.That(
() => securableClassDefinition.AddAccessType(accessType),
Throws.ArgumentException
.And.Message.StartsWith("The access type 'Test' has already been added to the securable class definition."));
}
private SecurableClassDefinition CreateSecurableClassDefinitionWithAccessTypes(int accessTypes)
{
SecurableClassDefinition classDefinition = CreateOrderSecurableClassDefinition();
for (int i = 0; i < accessTypes; i++)
{
AccessTypeDefinition accessType = CreateAccessType(Guid.NewGuid(), string.Format("Access Type {0}", i));
accessType.Index = i;
classDefinition.AddAccessType(accessType);
}
return(classDefinition);
}
public AccessTypeDefinition CreateAccessTypeEdit(int index)
{
using (_transaction.EnterNonDiscardingScope())
{
AccessTypeDefinition type = AccessTypeDefinition.NewObject(
new Guid("11186122-6de0-4194-b434-9979230c41fd"),
"Edit|Remotion.Security.GeneralAccessTypes, Remotion.Security",
2);
type.Index = index;
return(type);
}
}
public AccessTypeDefinition CreateAccessTypeRead(int index)
{
using (_transaction.EnterNonDiscardingScope())
{
AccessTypeDefinition type = AccessTypeDefinition.NewObject(
new Guid("62dfcd92-a480-4d57-95f1-28c0f5996b3a"),
"Read|Remotion.Security.GeneralAccessTypes, Remotion.Security",
1);
type.Index = index;
return(type);
}
}
public void TouchesSecurableClassDefinition()
{
var securableClassDefinition = SecurableClassDefinition.NewObject();
using (ClientTransaction.Current.CreateSubTransaction().EnterDiscardingScope())
{
securableClassDefinition.EnsureDataAvailable();
Assert.That(securableClassDefinition.State, Is.EqualTo(StateType.Unchanged));
securableClassDefinition.AddAccessType(AccessTypeDefinition.NewObject());
Assert.That(securableClassDefinition.State, Is.EqualTo(StateType.Changed));
}
}
public void FailsForIndexLessThanZero()
{
var accessType = AccessTypeDefinition.NewObject();
var securableClassDefinition = SecurableClassDefinition.NewObject();
securableClassDefinition.Name = "Class";
securableClassDefinition.AddAccessType(AccessTypeDefinition.NewObject());
securableClassDefinition.AddAccessType(accessType);
Assert.That(
() => securableClassDefinition.MoveAccessType(-1, accessType),
Throws.TypeOf <ArgumentOutOfRangeException>()
.And.Message.StartsWith(
"The index must not be less than 0 or greater than the top index of the access types for the securable class definition."));
}
public void RemoveAccessType(AccessTypeDefinition accessType)
{
ArgumentUtility.CheckNotNull("accessType", accessType);
var permission = FindPermission(accessType);
if (permission == null)
{
throw new ArgumentException(
string.Format("The access type '{0}' is not associated with the access control entry.", accessType.Name), "accessType");
}
permission.Delete();
}
public void AddsAccessTypes()
{
var accessType0 = AccessTypeDefinition.NewObject();
var accessType1 = AccessTypeDefinition.NewObject();
var securableClassDefinition = SecurableClassDefinition.NewObject();
securableClassDefinition.AddAccessType(accessType0);
securableClassDefinition.AddAccessType(accessType1);
Assert.That(securableClassDefinition.AccessTypes, Is.EqualTo(new[] { accessType0, accessType1 }));
var references = new SecurableClassDefinitionWrapper(securableClassDefinition).AccessTypeReferences;
Assert.That(((AccessTypeReference)references[0]).Index, Is.EqualTo(0));
Assert.That(((AccessTypeReference)references[1]).Index, Is.EqualTo(1));
}
public void AddAccessType(AccessTypeDefinition accessType)
{
ArgumentUtility.CheckNotNull("accessType", accessType);
if (FindPermission(accessType) != null)
{
throw new ArgumentException(
string.Format("The access type '{0}' has already been added to this access control entry.", accessType.Name), "accessType");
}
var permission = Permission.NewObject();
permission.AccessType = accessType;
permission.Allowed = null;
PermissionsInternal.Add(permission);
}
public void Import_1ClassAnd8AccessTypes()
{
string metadataXml =
@"
<securityMetadata xmlns=""http://www.re-motion.org/Security/Metadata/1.0"">
<classes>
<class id=""00000000-0000-0000-0001-000000000000"" name=""Remotion.Security.UnitTests.TestDomain.File"">
<accessTypes>
<accessTypeRef>62dfcd92-a480-4d57-95f1-28c0f5996b3a</accessTypeRef>
</accessTypes>
</class>
</classes>
<stateProperties />
<accessTypes>
<accessType id=""1d6d25bc-4e85-43ab-a42d-fb5a829c30d5"" name=""Create|Remotion.Security.GeneralAccessTypes, Remotion.Security"" value=""0"" />
<accessType id=""62dfcd92-a480-4d57-95f1-28c0f5996b3a"" name=""Read|Remotion.Security.GeneralAccessTypes, Remotion.Security"" value=""1"" />
<accessType id=""11186122-6de0-4194-b434-9979230c41fd"" name=""Edit|Remotion.Security.GeneralAccessTypes, Remotion.Security"" value=""2"" />
<accessType id=""305fbb40-75c8-423a-84b2-b26ea9e7cae7"" name=""Delete|Remotion.Security.GeneralAccessTypes, Remotion.Security"" value=""3"" />
<accessType id=""67cea479-0be7-4e2f-b2e0-bb1fcc9ea1d6"" name=""Search|Remotion.Security.GeneralAccessTypes, Remotion.Security"" value=""4"" />
<accessType id=""203b7478-96f1-4bf1-b4ea-5bdd1206252c"" name=""Find|Remotion.Security.GeneralAccessTypes, Remotion.Security"" value=""5"" />
<accessType id=""00000002-0001-0000-0000-000000000000"" name=""Journalize|Remotion.Security.UnitTests.TestDomain.DomainAccessTypes, Remotion.Security.UnitTests.TestDomain"" value=""0"" />
<accessType id=""00000002-0002-0000-0000-000000000000"" name=""Archive|Remotion.Security.UnitTests.TestDomain.DomainAccessTypes, Remotion.Security.UnitTests.TestDomain"" value=""1"" />
</accessTypes>
<abstractRoles />
</securityMetadata>";
_importer.Import(GetXmlDocument(metadataXml));
using (_testHelper.Transaction.EnterNonDiscardingScope())
{
Assert.AreEqual(1, _importer.Classes.Count, "Class count");
Assert.AreEqual(0, _importer.StateProperties.Count, "State property count");
Assert.AreEqual(0, _importer.AbstractRoles.Count, "Abstract role count");
Assert.AreEqual(8, _importer.AccessTypes.Count, "Access type count");
SecurableClassDefinition classDefinition = _importer.Classes[new Guid("00000000-0000-0000-0001-000000000000")];
AccessTypeDefinition accessType = _importer.AccessTypes[new Guid("62dfcd92-a480-4d57-95f1-28c0f5996b3a")];
Assert.AreEqual(1, classDefinition.AccessTypes.Count, "Access type count");
Assert.That(classDefinition.AccessTypes[0], Is.SameAs(accessType));
}
}
public void GetAccessTypes_WithMatchingAce()
{
AccessControlEntry ace = AccessControlEntry.NewObject();
AccessTypeDefinition readAccessType = _testHelper.CreateReadAccessTypeAndAttachToAce(ace, true);
_testHelper.CreateWriteAccessTypeAndAttachToAce(ace, null);
AccessTypeDefinition deleteAccessType = _testHelper.CreateDeleteAccessTypeAndAttachToAce(ace, false);
AccessTypeDefinition copyAccessType = _testHelper.CreateAccessTypeForAce(ace, true, Guid.NewGuid(), "Copy", 3);
AccessTypeDefinition moveAccessType = _testHelper.CreateAccessTypeForAce(ace, false, Guid.NewGuid(), "Move", 4);
AccessControlList acl = _testHelper.CreateStatefulAcl(ace);
SecurityToken token = _testHelper.CreateTokenWithoutUser();
AccessInformation accessInformation = acl.GetAccessTypes(token);
Assert.That(accessInformation.AllowedAccessTypes, Is.EquivalentTo(new[] { readAccessType, copyAccessType }));
Assert.That(accessInformation.DeniedAccessTypes, Is.EquivalentTo(new[] { deleteAccessType, moveAccessType }));
}
public void AttachAccessType(AccessControlEntry ace, AccessTypeDefinition accessType, bool?allowAccess)
{
using (_transaction.EnterNonDiscardingScope())
{
ace.AddAccessType(accessType);
if (!allowAccess.HasValue)
{
ace.RemoveAccess(accessType);
}
else if (allowAccess.Value)
{
ace.AllowAccess(accessType);
}
else
{
ace.DenyAccess(accessType);
}
}
}