public void AllTopicsAllowed()
{
Federation federation = WikiTestUtilities.SetupFederation("test://AuthorizationProviderTests",
TestContentSets.SingleTopicNoImports);
NamespaceManager manager = WikiTestUtilities.GetNamespaceManagerBypassingSecurity(federation, "NamespaceOne");
AuthorizationProvider provider = GetSecurityProvider(manager);
// We should be able to get the list of topics even if we can't read some of them.
AuthorizationRule rule = new AuthorizationRule(new AuthorizationRuleWho(AuthorizationRuleWhoType.GenericAll),
AuthorizationRulePolarity.Deny, AuthorizationRuleScope.Topic, SecurableAction.Read, 0);
manager.WriteTopicAndNewVersion("DeniedTopic", rule.ToString("T"), "test");
using (new TestSecurityContext("someuser", "somerole"))
{
QualifiedTopicNameCollection topics = provider.AllTopics();
Assert.AreEqual(4, topics.Count, "Checking that the right number of topics were returned.");
}
}
public void WriteNewTopicDenied()
{
FederationConfiguration configuration = new FederationConfiguration();
Federation federation = WikiTestUtilities.SetupFederation("test://AuthorizationProviderTests",
TestContentSets.SingleEmptyNamespace, configuration);
NamespaceManager manager = WikiTestUtilities.GetNamespaceManagerBypassingSecurity(federation, "NamespaceOne");
AuthorizationProvider provider = GetSecurityProvider(manager);
// Set it up so we have Read
AuthorizationRule allow = new AuthorizationRule(new AuthorizationRuleWho(AuthorizationRuleWhoType.User, "someuser"),
AuthorizationRulePolarity.Allow, AuthorizationRuleScope.Namespace, SecurableAction.Read, 0);
WikiTestUtilities.WriteTopicAndNewVersionBypassingSecurity(manager,
manager.DefinitionTopicName.LocalName, allow.ToString("T"), "test");
UnqualifiedTopicRevision revision = new UnqualifiedTopicRevision("NewTopic");
string content = "New content to be written";
using (new TestSecurityContext("someuser", "somerole"))
{
provider.WriteTopic(revision, content);
}
}
public void UnlockTopicAllowed()
{
Federation federation = WikiTestUtilities.SetupFederation("test://AuthorizationProviderTests",
TestContentSets.SingleTopicNoImports);
NamespaceManager manager = WikiTestUtilities.GetNamespaceManagerBypassingSecurity(federation, "NamespaceOne");
AuthorizationProvider provider = GetSecurityProvider(manager);
// Use the default configuration, where everything is denied
federation.Configuration.AuthorizationRules.Clear();
// Grant the ManageNamespace permission, which should be what is needed.
AuthorizationRule allow = new AuthorizationRule(new AuthorizationRuleWho(AuthorizationRuleWhoType.User, "someuser"),
AuthorizationRulePolarity.Allow, AuthorizationRuleScope.Namespace, SecurableAction.ManageNamespace, 0);
WikiTestUtilities.WriteTopicAndNewVersionBypassingSecurity(manager,
manager.DefinitionTopicName.LocalName, allow.ToString("T"), "test");
using (new TestSecurityContext("someuser", "somerole"))
{
UnqualifiedTopicName topic = new UnqualifiedTopicName("TopicOne");
provider.LockTopic(topic);
Assert.IsFalse(provider.HasPermission(topic, TopicPermission.Edit),
"Checking that topic is not editable before UnlockTopic.");
Assert.IsTrue(provider.HasPermission(topic, TopicPermission.Read),
"Checking that topic is readable before UnlockTopic.");
provider.UnlockTopic(topic);
Assert.IsTrue(provider.HasPermission(topic, TopicPermission.Edit),
"Checking that topic is editable after UnlockTopic.");
Assert.IsTrue(provider.HasPermission(topic, TopicPermission.Read),
"Checking that topic is still readable after UnlockTopic.");
}
}
public void UnlockTopicDenied()
{
Federation federation = WikiTestUtilities.SetupFederation("test://AuthorizationProviderTests",
TestContentSets.SingleTopicNoImports);
NamespaceManager manager = WikiTestUtilities.GetNamespaceManagerBypassingSecurity(federation, "NamespaceOne");
AuthorizationProvider provider = GetSecurityProvider(manager);
// Use the default configuration, where everything is denied
federation.Configuration.AuthorizationRules.Clear();
// Grant the Edit permission, which should not be enough.
AuthorizationRule allow = new AuthorizationRule(new AuthorizationRuleWho(AuthorizationRuleWhoType.User, "someuser"),
AuthorizationRulePolarity.Allow, AuthorizationRuleScope.Namespace, SecurableAction.Edit, 0);
manager.WriteTopicAndNewVersion(manager.DefinitionTopicName.LocalName, allow.ToString("T"), "test");
using (new TestSecurityContext("someuser", "somerole"))
{
UnqualifiedTopicName topic = new UnqualifiedTopicName("TopicOne");
provider.UnlockTopic(topic);
Assert.Fail("A security exception should have been thrown.");
}
}
public void TextReaderForTopicAllowed()
{
Federation federation = WikiTestUtilities.SetupFederation("test://AuthorizationProviderTests",
TestContentSets.SingleTopicNoImports);
NamespaceManager manager = WikiTestUtilities.GetNamespaceManagerBypassingSecurity(federation, "NamespaceOne");
AuthorizationProvider provider = GetSecurityProvider(manager);
// Use the default configuration, where everything is denied
federation.Configuration.AuthorizationRules.Clear();
// Grant the Read permission, which should be enough.
AuthorizationRule deny = new AuthorizationRule(new AuthorizationRuleWho(AuthorizationRuleWhoType.User, "someuser"),
AuthorizationRulePolarity.Allow, AuthorizationRuleScope.Namespace, SecurableAction.Read, 0);
WikiTestUtilities.WriteTopicAndNewVersionBypassingSecurity(manager,
manager.DefinitionTopicName.LocalName, deny.ToString("T"), "test");
using (new TestSecurityContext("someuser", "somerole"))
{
string contents = provider.TextReaderForTopic(new UnqualifiedTopicRevision("TopicOne")).ReadToEnd();
Assert.AreEqual(7, contents.Length, "Checking that the right contents were returned.");
}
}
public void TopicExistsNonexistentTopic()
{
Federation federation = WikiTestUtilities.SetupFederation("test://AuthorizationProviderTests",
TestContentSets.SingleTopicNoImports);
NamespaceManager manager = WikiTestUtilities.GetNamespaceManagerBypassingSecurity(federation, "NamespaceOne");
AuthorizationProvider provider = GetSecurityProvider(manager);
// Use the default configuration, where everything is denied
federation.Configuration.AuthorizationRules.Clear();
// Deny the Read permission. Topic existence shouldn't be affected by security policy.
AuthorizationRule allow = new AuthorizationRule(new AuthorizationRuleWho(AuthorizationRuleWhoType.User, "someuser"),
AuthorizationRulePolarity.Deny, AuthorizationRuleScope.Topic, SecurableAction.Read, 0);
WikiTestUtilities.WriteTopicAndNewVersionBypassingSecurity(manager, "TopicOne", allow.ToString("T"), "test");
using (new TestSecurityContext("someuser", "somerole"))
{
Assert.IsFalse(provider.TopicExists(new UnqualifiedTopicName("NoSuchTopic")),
"Checking that TopicExists returns false even when read permission is denied.");
}
}
public void HasPermissionNonexistentTopicDenied()
{
FederationConfiguration configuration = new FederationConfiguration();
Federation federation = WikiTestUtilities.SetupFederation("test://AuthorizationProviderTests",
TestContentSets.SingleEmptyNamespace, configuration);
NamespaceManager manager = WikiTestUtilities.GetNamespaceManagerBypassingSecurity(federation, "NamespaceOne");
AuthorizationProvider provider = GetSecurityProvider(manager);
// Set it up so we only have Read
AuthorizationRule allow = new AuthorizationRule(new AuthorizationRuleWho(AuthorizationRuleWhoType.User, "someuser"),
AuthorizationRulePolarity.Allow, AuthorizationRuleScope.Namespace, SecurableAction.Read, 0);
WikiTestUtilities.WriteTopicAndNewVersionBypassingSecurity(manager,
manager.DefinitionTopicName.LocalName, allow.ToString("T"), "test");
using (new TestSecurityContext("someuser", "somerole"))
{
Assert.IsTrue(provider.HasPermission(new UnqualifiedTopicName("NoSuchTopic"),
TopicPermission.Read),
"Checking that allowing read at the namespace level grants read on nonexistent topics.");
Assert.IsFalse(provider.HasPermission(new UnqualifiedTopicName("NoSuchTopic"),
TopicPermission.Edit),
"Checking that allowing read at the namespace level denies edit on nonexistent topics.");
}
}
public void IsReadOnlyContentStoreReadWriteSecurityReadWrite()
{
Federation federation = WikiTestUtilities.SetupFederation("test://AuthorizationProviderTests",
TestContentSets.SingleTopicNoImports);
NamespaceManager manager = WikiTestUtilities.GetNamespaceManagerBypassingSecurity(federation, "NamespaceOne");
AuthorizationProvider provider = GetSecurityProvider(manager);
// Use the default configuration, where everything is denied
federation.Configuration.AuthorizationRules.Clear();
// Grant the Read permission, which should be what is needed.
AuthorizationRule allow = new AuthorizationRule(new AuthorizationRuleWho(AuthorizationRuleWhoType.User, "someuser"),
AuthorizationRulePolarity.Allow, AuthorizationRuleScope.Namespace, SecurableAction.Edit, 0);
WikiTestUtilities.WriteTopicAndNewVersionBypassingSecurity(manager,
manager.DefinitionTopicName.LocalName, allow.ToString("T"), "test");
using (new TestSecurityContext("someuser", "somerole"))
{
Assert.IsFalse(provider.IsReadOnly,
"Checking that the store is read-write when store and security policy are read-write.");
}
}
public void HasNamespacePermissionManageAllowed()
{
Federation federation = WikiTestUtilities.SetupFederation("test://AuthorizationProviderTests",
TestContentSets.SingleTopicNoImports);
NamespaceManager manager = WikiTestUtilities.GetNamespaceManagerBypassingSecurity(federation, "NamespaceOne");
AuthorizationProvider provider = GetSecurityProvider(manager);
// Use the default configuration, where everything is denied
federation.Configuration.AuthorizationRules.Clear();
// Grant the ManageNamespace permission, which should be what is needed.
AuthorizationRule allow = new AuthorizationRule(new AuthorizationRuleWho(AuthorizationRuleWhoType.User, "someuser"),
AuthorizationRulePolarity.Allow, AuthorizationRuleScope.Namespace, SecurableAction.ManageNamespace, 0);
WikiTestUtilities.WriteTopicAndNewVersionBypassingSecurity(manager,
manager.DefinitionTopicName.LocalName, allow.ToString("T"), "test");
using (new TestSecurityContext("someuser", "somerole"))
{
Assert.IsTrue(provider.HasNamespacePermission(NamespacePermission.Manage));
}
}
public void HasPermissionDefinitionTopic()
{
FederationConfiguration configuration = new FederationConfiguration();
Federation federation = WikiTestUtilities.SetupFederation("test://AuthorizationProviderTests",
TestContentSets.SingleEmptyNamespace, configuration);
NamespaceManager manager = WikiTestUtilities.GetNamespaceManagerBypassingSecurity(federation, "NamespaceOne");
AuthorizationProvider provider = GetSecurityProvider(manager);
// Set it up so we have Edit but not ManageNamespace
AuthorizationRule allowEdit = new AuthorizationRule(new AuthorizationRuleWho(AuthorizationRuleWhoType.User, "someuser"),
AuthorizationRulePolarity.Allow, AuthorizationRuleScope.Namespace, SecurableAction.Edit, 0);
WikiTestUtilities.WriteTopicAndNewVersionBypassingSecurity(manager,
manager.DefinitionTopicName.LocalName, allowEdit.ToString("T"), "test");
using (new TestSecurityContext("someuser", "somerole"))
{
Assert.IsFalse(provider.HasPermission(new UnqualifiedTopicName(manager.DefinitionTopicName.LocalName),
TopicPermission.Edit),
"Checking that allowing edit is not enough to grant editpermisison on the definition topic.");
}
// Now try it where we're granted ManageNamespace
AuthorizationRule allow = new AuthorizationRule(new AuthorizationRuleWho(AuthorizationRuleWhoType.User, "someuser"),
AuthorizationRulePolarity.Allow, AuthorizationRuleScope.Namespace, SecurableAction.ManageNamespace, 0);
WikiTestUtilities.WriteTopicAndNewVersionBypassingSecurity(manager,
manager.DefinitionTopicName.LocalName, allow.ToString("T"), "test");
using (new TestSecurityContext("someuser", "somerole"))
{
Assert.IsTrue(provider.HasPermission(new UnqualifiedTopicName(manager.DefinitionTopicName.LocalName),
TopicPermission.Edit),
"Checking that granting ManageNamespace implies ability to edit definition topic.");
}
}
public void GetParsedTopicAllowed()
{
Federation federation = WikiTestUtilities.SetupFederation("test://AuthorizationProviderTests",
TestContentSets.SingleTopicNoImports);
NamespaceManager manager = WikiTestUtilities.GetNamespaceManagerBypassingSecurity(federation, "NamespaceOne");
AuthorizationProvider provider = GetSecurityProvider(manager);
// Use the default configuration, where everything is denied
federation.Configuration.AuthorizationRules.Clear();
// Grant the Read permission, which should be what is needed.
AuthorizationRule allow = new AuthorizationRule(new AuthorizationRuleWho(AuthorizationRuleWhoType.User, "someuser"),
AuthorizationRulePolarity.Allow, AuthorizationRuleScope.Namespace, SecurableAction.Read, 0);
WikiTestUtilities.WriteTopicAndNewVersionBypassingSecurity(manager,
manager.DefinitionTopicName.LocalName, allow.ToString("T"), "test");
using (new TestSecurityContext("someuser", "somerole"))
{
ParsedTopic parsedTopic = provider.GetParsedTopic(new UnqualifiedTopicRevision("TopicOne"));
Assert.IsNotNull(parsedTopic,
"Checking that the parsed topic was returned.");
}
}
public void ExistsAllowedStoreNonexistent()
{
Federation federation = WikiTestUtilities.SetupFederation("test://AuthorizationProviderTests",
TestContentSets.SingleTopicNoImports, MockSetupOptions.StoreDoesNotExist);
NamespaceManager manager = WikiTestUtilities.GetNamespaceManagerBypassingSecurity(federation, "NamespaceOne");
AuthorizationProvider provider = GetSecurityProvider(manager);
// Use the default configuration, where everything is denied
federation.Configuration.AuthorizationRules.Clear();
// Grant the Read permission at namespace, which should be what is needed.
AuthorizationRule allow = new AuthorizationRule(new AuthorizationRuleWho(AuthorizationRuleWhoType.User, "someuser"),
AuthorizationRulePolarity.Allow, AuthorizationRuleScope.Namespace, SecurableAction.Read, 0);
WikiTestUtilities.WriteTopicAndNewVersionBypassingSecurity(manager,
manager.DefinitionTopicName.LocalName, allow.ToString("T"), "test");
using (new TestSecurityContext("someuser", "somerole"))
{
Assert.IsFalse(provider.Exists,
"Checking that the security provider returns false when read permission is granted on the namespace and store does not exist.");
}
}
public void DeleteTopicDenied()
{
// Use the default configuration, where everything is denied
FederationConfiguration configuration = new FederationConfiguration();
Federation federation = WikiTestUtilities.SetupFederation("test://AuthorizationProviderTests",
TestContentSets.SingleTopicNoImports, configuration);
NamespaceManager manager = WikiTestUtilities.GetNamespaceManagerBypassingSecurity(federation, "NamespaceOne");
AuthorizationProvider provider = GetSecurityProvider(manager);
// Grant the Read permission, which should be insufficient.
AuthorizationRule allow = new AuthorizationRule(new AuthorizationRuleWho(AuthorizationRuleWhoType.User, "someuser"),
AuthorizationRulePolarity.Allow, AuthorizationRuleScope.Namespace, SecurableAction.Read, 0);
WikiTestUtilities.WriteTopicAndNewVersionBypassingSecurity(manager,
manager.DefinitionTopicName.LocalName, allow.ToString("T"), "test");
using (new TestSecurityContext("someuser", "somerole"))
{
Assert.AreEqual(4, manager.AllTopics(ImportPolicy.DoNotIncludeImports).Count,
"Checking that the right number of topics were returned before deletion");
provider.DeleteTopic(new UnqualifiedTopicName("TopicOne"), false);
Assert.Fail("A security exception should have been thrown");
}
}
public void DeleteAllTopicsAndHistoryDenied()
{
Federation federation = WikiTestUtilities.SetupFederation("test://AuthorizationProviderTests",
TestContentSets.SingleTopicNoImports);
NamespaceManager manager = WikiTestUtilities.GetNamespaceManagerBypassingSecurity(federation, "NamespaceOne");
AuthorizationProvider provider = GetSecurityProvider(manager);
// Use the default configuration, where everything is denied
federation.Configuration.AuthorizationRules.Clear();
// Grant the Edit permission, which shouldn't be enough: ManageNamespace is required.
AuthorizationRule allowEdit = new AuthorizationRule(new AuthorizationRuleWho(AuthorizationRuleWhoType.User, "someuser"),
AuthorizationRulePolarity.Allow, AuthorizationRuleScope.Namespace, SecurableAction.Edit, 0);
manager.WriteTopicAndNewVersion(manager.DefinitionTopicName.LocalName, allowEdit.ToString("T"), "test");
using (new TestSecurityContext("someuser", "somerole"))
{
Assert.AreEqual(4, manager.AllTopics(ImportPolicy.DoNotIncludeImports).Count,
"Checking that the right number of topics were returned before deletion");
provider.DeleteAllTopicsAndHistory();
Assert.Fail("DeleteAllTopicsAndHistory should have thrown an exception");
}
}
public void DeleteAllTopicsAndHistoryAllowed()
{
Federation federation = WikiTestUtilities.SetupFederation("test://AuthorizationProviderTests",
TestContentSets.SingleTopicNoImports);
NamespaceManager manager = WikiTestUtilities.GetNamespaceManagerBypassingSecurity(federation, "NamespaceOne");
AuthorizationProvider provider = GetSecurityProvider(manager);
// Use the default configuration, where everything is denied
federation.Configuration.AuthorizationRules.Clear();
// Grant the ManageNamespace permission, which should be what is needed.
AuthorizationRule allowManageNamespace = new AuthorizationRule(new AuthorizationRuleWho(AuthorizationRuleWhoType.User, "someuser"),
AuthorizationRulePolarity.Allow, AuthorizationRuleScope.Namespace, SecurableAction.ManageNamespace, 0);
WikiTestUtilities.WriteTopicAndNewVersionBypassingSecurity(manager,
manager.DefinitionTopicName.LocalName, allowManageNamespace.ToString("T"), "test");
using (new TestSecurityContext("someuser", "somerole"))
{
Assert.AreEqual(4, manager.AllTopics(ImportPolicy.DoNotIncludeImports).Count,
"Checking that the right number of topics were returned before deletion");
provider.DeleteAllTopicsAndHistory();
// Only built-in topics should remain
Assert.AreEqual(2, manager.AllTopics(ImportPolicy.DoNotIncludeImports).Count,
"Checking that the right number of topics were returned after deletion");
}
}
