public void TestOnDeleteAccessRule()
{
bool success = true;
string subjectName = "Role" + Guid.NewGuid();
string typeName = "Type" + Guid.NewGuid();
string reportName = "Report" + Guid.NewGuid();
var mockAuditLog = new Mock <IAuditLog>(MockBehavior.Strict);
mockAuditLog.Setup(al => al.OnDeleteAccessRule(success, subjectName, typeName, reportName));
var eventTarget = new AuditLogAccessRuleEventTarget(mockAuditLog.Object);
var subject = new Role {
Name = subjectName
};
var type = new EntityType {
Name = typeName
};
var report = new Report {
Name = reportName
};
var accessRule = new AccessRule {
AllowAccessBy = subject.As <Subject>(), ControlAccess = type.As <SecurableEntity>(), AccessRuleReport = report
};
IDictionary <string, object> state = new Dictionary <string, object>();
eventTarget.GatherAuditLogEntityDetailsForDelete(accessRule, state);
eventTarget.WriteDeleteAuditLogEntries(success, accessRule.Id, state);
mockAuditLog.VerifyAll();
}
public void Test_IncludedRoles( )
{
// Note: ExpectedResult is null when we expect no grant
Definition type = null; // needs to be definition, otherwise gets filtered from the report.
Role parentRole = null;
Role childRole = null;
List <IEntity> cleanup = new List <IEntity>( );
try
{
EntityType editableResource = UserResource.UserResource_Type;
// Setup scenario
type = Entity.Create <Definition>( );
type.Name = Guid.NewGuid().ToString( );
type.Inherits.Add(editableResource);
type.Save( );
cleanup.Add(type);
// Set up roles
parentRole = Entity.Create <Role>( );
childRole = Entity.Create <Role>( );
parentRole.IncludesRoles.Add(childRole);
parentRole.Save( );
cleanup.Add(parentRole);
cleanup.Add(childRole);
new AccessRuleFactory( ).AddAllowReadQuery(parentRole.As <Subject>( ), type.As <SecurableEntity>( ), TestQueries.Entities(type).ToReport( ));
new AccessRuleFactory( ).AddAllowModifyQuery(childRole.As <Subject>( ), type.As <SecurableEntity>( ), TestQueries.Entities(type).ToReport( ));
// Tests
ITypeAccessReasonService service = Factory.Current.Resolve <ITypeAccessReasonService>( );
var reasons = service.GetTypeAccessReasons(childRole.Id, TypeAccessReasonSettings.Default);
Assert.That(reasons.Where(reason => reason.SubjectId == WellKnownAliases.CurrentTenant.EveryoneRole).Count(), Is.GreaterThan(0));
// Sanity check for the type we explicitly grant accses
AccessReason childReason = reasons.SingleOrDefault(r => r.SubjectId == childRole.Id);
AccessReason parentReason = reasons.SingleOrDefault(r => r.SubjectId == parentRole.Id);
Assert.That(childReason, Is.Not.Null, "child reason");
Assert.That(parentReason, Is.Not.Null, "parent reason");
Assert.That(childReason.TypeId, Is.EqualTo(type.Id), "child reason type");
Assert.That(parentReason.TypeId, Is.EqualTo(type.Id), "parent reason type");
}
finally
{
Entity.Delete(cleanup.Select(e => new EntityRef(e)));
}
}
public void Test_AddingNewRuleToRole( )
{
EntityType entityType1;
EntityType entityType2;
UserAccount userAccount;
Role role1;
UserRuleSet userRuleSet1;
IUserRuleSetProvider userRuleSetProvider;
using (var ctx = DatabaseContext.GetContext(true, preventPostSaveActionsPropagating: true))
{
entityType1 = EDC.ReadiNow.Model.Entity.Create <EntityType>();
entityType1.Save();
entityType2 = EDC.ReadiNow.Model.Entity.Create <EntityType>();
entityType2.Save();
role1 = new Role();
role1.Save();
userAccount = new UserAccount();
userAccount.UserHasRole.Add(role1);
userAccount.Save();
new AccessRuleFactory().AddAllowReadQuery(role1.As <Subject>(), entityType1.As <SecurableEntity>(), TestQueries.Entities(entityType1).ToReport());
userRuleSetProvider = Factory.UserRuleSetProvider;
userRuleSet1 = userRuleSetProvider.GetUserRuleSet(userAccount.Id, Permissions.Read);
// Add a new rule
new AccessRuleFactory().AddAllowReadQuery(role1.As <Subject>(), entityType2.As <SecurableEntity>(), TestQueries.Entities(entityType2).ToReport());
ctx.CommitTransaction();
}
UserRuleSet userRuleSet2 = userRuleSetProvider.GetUserRuleSet(userAccount.Id, Permissions.Read);
Assert.That(userRuleSet1, Is.Not.EqualTo(userRuleSet2));
}
public void TestOnChangeAccessRulePermissions()
{
bool success = true;
string subjectName = "Role" + Guid.NewGuid();
string typeName = "Type" + Guid.NewGuid();
string reportName = "Report" + Guid.NewGuid();
var read = Entity.Get <Permission>("read");
var delete = Entity.Get <Permission>("delete");
ISet <string> oldPerm = new SortedSet <string> {
read.Name
};
ISet <string> newPerm = new SortedSet <string> {
read.Name, delete.Name
};
var mockAuditLog = new Mock <IAuditLog>(MockBehavior.Strict);
mockAuditLog.Setup(al => al.OnChangeAccessRulePermissions(success, subjectName, typeName, reportName, It.Is <ISet <string> >(p => oldPerm.SetEquals(p)), It.Is <ISet <string> >(p => newPerm.SetEquals(p))));
var eventTarget = new AuditLogAccessRuleEventTarget(mockAuditLog.Object);
var subject = new Role {
Name = subjectName
};
var type = new EntityType {
Name = typeName
};
var report = new Report {
Name = reportName
};
var accessRule = new AccessRule {
AllowAccessBy = subject.As <Subject>(), ControlAccess = type.As <SecurableEntity>(), AccessRuleReport = report
};
accessRule.PermissionAccess.Add(read);
accessRule.Save();
// Change permissions
accessRule.PermissionAccess.Add(delete);
IDictionary <string, object> state = new Dictionary <string, object>();
eventTarget.GatherAuditLogEntityDetailsForSave(accessRule, state);
eventTarget.WriteSaveAuditLogEntries(success, accessRule.Id, state);
mockAuditLog.VerifyAll();
}
public void Test_Secured_By_Relationship_Chained( )
{
// Note: ExpectedResult is null when we expect no grant
Definition typeExplicitlyGranted = null; // needs to be definition, otherwise gets filtered from the report.
Definition typeMiddle = null;
Definition typeToBeChecked = null;
Relationship rel = null;
Relationship rel2 = null;
Role role = null;
List <IEntity> cleanup = new List <IEntity>( );
try
{
EntityType editableResource = UserResource.UserResource_Type;
// Setup scenario
typeExplicitlyGranted = Entity.Create <Definition>( );
typeExplicitlyGranted.Name = "ExplicitType";
typeExplicitlyGranted.Inherits.Add(editableResource);
typeExplicitlyGranted.Save( );
cleanup.Add(typeExplicitlyGranted);
typeMiddle = Entity.Create <Definition>( );
typeMiddle.Name = "MiddleType";
typeMiddle.Inherits.Add(editableResource);
typeMiddle.Save( );
cleanup.Add(typeMiddle);
typeToBeChecked = Entity.Create <Definition>( );
typeToBeChecked.Name = "CheckedType";
typeToBeChecked.Inherits.Add(editableResource);
typeToBeChecked.Save( );
cleanup.Add(typeToBeChecked);
// Set up relationship
rel = Entity.Create <Relationship>( );
rel.Cardinality_Enum = CardinalityEnum_Enumeration.ManyToMany;
rel.Name = "RelName1";
rel.ToName = "ToName1";
rel.FromName = "FromName1";
rel.FromType = typeExplicitlyGranted.Cast <EntityType>( );
rel.ToType = typeMiddle.Cast <EntityType>( );
rel.SecuresTo = true;
rel.Save( );
cleanup.Add(rel);
rel2 = Entity.Create <Relationship>( );
rel2.Cardinality_Enum = CardinalityEnum_Enumeration.ManyToMany;
rel2.Name = "RelName2";
rel2.ToName = "ToName2";
rel2.FromName = "FromName2";
rel2.ToType = typeMiddle.Cast <EntityType>( );
rel2.FromType = typeToBeChecked.Cast <EntityType>( );
rel2.SecuresFrom = true;
rel2.Save( );
cleanup.Add(rel2);
// Set up role
role = new Role {
Name = "Role1"
};
role.Save( );
cleanup.Add(role);
new AccessRuleFactory( ).AddAllowReadQuery(role.As <Subject>( ), typeExplicitlyGranted.As <SecurableEntity>( ), TestQueries.Entities(typeExplicitlyGranted).ToReport( ));
// Tests
ITypeAccessReasonService service = Factory.Current.Resolve <ITypeAccessReasonService>( );
var reasons = service.GetTypeAccessReasons(role.Id, TypeAccessReasonSettings.Default);
// Sanity check for the type we explicitly grant accses
Assert.That(reasons.Where(r => r.TypeId == typeExplicitlyGranted.Id).Count( ), Is.EqualTo(1), "typeExplicitlyGranted");
AccessReason reason1 = reasons.Single(r => r.TypeId == typeExplicitlyGranted.Id);
AccessReason reason2 = reasons.Single(r => r.TypeId == typeMiddle.Id);
AccessReason reason3 = reasons.Single(r => r.TypeId == typeToBeChecked.Id);
Assert.That(reason1.Description, Is.EqualTo("Access rule: 'Role1' accessing 'ExplicitType'"), "rule1 desc");
Assert.That(reason2.Description, Is.EqualTo("Secured via 'ExplicitType' object: 'ToName1' relationship"), "rule2 desc");
Assert.That(reason3.Description, Is.EqualTo("Secured via 'ExplicitType' object: 'ToName1' -> 'FromName2' relationships"), "rule3 desc");
}
finally
{
Entity.Delete(cleanup.Select(e => new EntityRef(e)));
}
}
public string Test_Secured_By_Relationship(string settings)
{
// Note: ExpectedResult is null when we expect no grant
Definition typeExplicitlyGranted = null; // needs to be definition, otherwise gets filtered from the report.
Definition typeToBeChecked = null;
Definition fromType = null;
Definition toType = null;
Relationship rel = null;
Role role = null;
List <IEntity> cleanup = new List <IEntity>( );
try
{
EntityType editableResource = UserResource.UserResource_Type;
// Setup scenario
typeExplicitlyGranted = Entity.Create <Definition>( );
typeExplicitlyGranted.Name = "ExplicitType";
typeExplicitlyGranted.Inherits.Add(editableResource);
typeExplicitlyGranted.Save( );
cleanup.Add(typeExplicitlyGranted);
typeToBeChecked = Entity.Create <Definition>( );
typeToBeChecked.Name = "CheckedType";
typeToBeChecked.Inherits.Add(editableResource);
typeToBeChecked.Save( );
cleanup.Add(typeToBeChecked);
// Set up relationship
rel = Entity.Create <Relationship>( );
rel.Cardinality_Enum = CardinalityEnum_Enumeration.ManyToMany;
rel.Name = "RelName";
rel.ToName = "ToName";
rel.FromName = "FromName";
cleanup.Add(rel);
if (settings.Contains("fwd"))
{
fromType = typeExplicitlyGranted;
toType = typeToBeChecked;
}
else if (settings.Contains("rev"))
{
fromType = typeToBeChecked;
toType = typeExplicitlyGranted;
}
if (settings.Contains("fromAncestor") || settings.Contains("fromDerived"))
{
var oldFrom = fromType;
fromType = new Definition( );
if (settings.Contains("fromAncestor"))
{
fromType.Name = "FromAncestor";
fromType.Inherits.Add(editableResource);
fromType.DerivedTypes.Add(oldFrom.Cast <EntityType>( ));
}
else
{
fromType.Name = "FromDerived";
fromType.Inherits.Add(oldFrom.Cast <EntityType>( ));
}
fromType.Save( );
cleanup.Add(fromType);
}
if (settings.Contains("toAncestor") || settings.Contains("toDerived"))
{
var oldTo = toType;
toType = new Definition( );
if (settings.Contains("toAncestor"))
{
toType.Name = "ToAncestor";
toType.Inherits.Add(editableResource);
toType.DerivedTypes.Add(oldTo.Cast <EntityType>( ));
}
else
{
toType.Name = "ToDerived";
toType.Inherits.Add(oldTo.Cast <EntityType>( ));
}
toType.Save( );
cleanup.Add(toType);
}
rel.FromType = fromType.Cast <EntityType>( );
rel.ToType = toType.Cast <EntityType>( );
rel.SecuresTo = settings.Contains("securesTo");
rel.SecuresFrom = settings.Contains("securesFrom");
rel.Save( );
// Set up role
role = new Role {
Name = "Role1"
};
role.Save( );
cleanup.Add(role);
new AccessRuleFactory( ).AddAllowReadQuery(role.As <Subject>( ), typeExplicitlyGranted.As <SecurableEntity>( ), TestQueries.Entities(typeExplicitlyGranted).ToReport( ));
// Tests
ITypeAccessReasonService service = Factory.Current.Resolve <ITypeAccessReasonService>( );
var reasons = service.GetTypeAccessReasons(role.Id, TypeAccessReasonSettings.Default);
// Sanity check for the type we explicitly grant accses
Assert.That(reasons.Where(r => r.TypeId == typeExplicitlyGranted.Id).Count( ), Is.EqualTo(1), "typeExplicitlyGranted");
AccessReason reason1 = reasons.Single(r => r.TypeId == typeExplicitlyGranted.Id);
Assert.That(reason1.AccessRuleScope, Is.EqualTo(AccessRuleScope.AllInstances), "rule1 scope");
Assert.That(reason1.PermissionsText, Is.EqualTo("Read"), "rule1 perms");
Assert.That(reason1.SubjectId, Is.EqualTo(role.Id), "rule1 subject");
Assert.That(reason1.Description, Is.EqualTo("Access rule: 'Role1' accessing 'ExplicitType'"), "rule1 desc");
AccessReason reason2 = reasons.FirstOrDefault(r => r.TypeId == typeToBeChecked.Id);
if (reason2 != null)
{
Assert.That(reason2.AccessRuleScope, Is.EqualTo(AccessRuleScope.SecuredRelationship), "rule2 scope");
Assert.That(reason2.PermissionsText, Is.EqualTo("Read"), "rule2 perms");
Assert.That(reason2.SubjectId, Is.EqualTo(role.Id), "rule2 subject");
}
return(reason2?.Description); // actual string being tested
}
finally
{
Entity.Delete(cleanup.Select(e => new EntityRef(e)));
}
}
