protected internal virtual void setUp() { // we are jonny identityService.AuthenticatedUserId = "jonny"; // make sure we can do stuff: IAuthorization jonnyIsGod = authorizationService.CreateNewAuthorization(AuthorizationFields.AuthTypeGrant); jonnyIsGod.UserId = "jonny"; jonnyIsGod.Resource = Resources.User; jonnyIsGod.ResourceId = AuthorizationFields.Any; jonnyIsGod.AddPermission(Permissions.All); authorizationService.SaveAuthorization(jonnyIsGod); jonnyIsGod = authorizationService.CreateNewAuthorization(AuthorizationFields.AuthTypeGrant); jonnyIsGod.UserId = "jonny"; jonnyIsGod.Resource = Resources.Group; jonnyIsGod.ResourceId = AuthorizationFields.Any; jonnyIsGod.AddPermission(Permissions.All); authorizationService.SaveAuthorization(jonnyIsGod); jonnyIsGod = authorizationService.CreateNewAuthorization(AuthorizationFields.AuthTypeGrant); jonnyIsGod.UserId = "jonny"; jonnyIsGod.Resource = Resources.Authorization; jonnyIsGod.ResourceId = AuthorizationFields.Any; jonnyIsGod.AddPermission(Permissions.All); authorizationService.SaveAuthorization(jonnyIsGod); // enable authorizations processEngineConfiguration.SetAuthorizationEnabled(true); base.InitializeServices(); //base.SetUp(); }
public virtual void testPermissions() { IAuthorization authorization = authorizationService.CreateNewAuthorization(AuthorizationFields.AuthTypeGrant); Assert.AreEqual(1, authorization.GetPermissions(authorization.GetPermissions(new Permissions[] {})).Length); Assert.IsFalse(authorization.IsPermissionGranted(Permissions.Access)); Assert.IsFalse(authorization.IsPermissionGranted(Permissions.Delete)); Assert.IsFalse(authorization.IsPermissionGranted(Permissions.Read)); Assert.IsFalse(authorization.IsPermissionGranted(Permissions.Update)); authorization.AddPermission(Permissions.Access); Assert.True(authorization.IsPermissionGranted(Permissions.Access)); Assert.IsFalse(authorization.IsPermissionGranted(Permissions.Delete)); Assert.IsFalse(authorization.IsPermissionGranted(Permissions.Read)); Assert.IsFalse(authorization.IsPermissionGranted(Permissions.Update)); authorization.AddPermission(Permissions.Delete); Assert.True(authorization.IsPermissionGranted(Permissions.Access)); Assert.True(authorization.IsPermissionGranted(Permissions.Delete)); Assert.IsFalse(authorization.IsPermissionGranted(Permissions.Read)); Assert.IsFalse(authorization.IsPermissionGranted(Permissions.Update)); authorization.AddPermission(Permissions.Read); Assert.True(authorization.IsPermissionGranted(Permissions.Access)); Assert.True(authorization.IsPermissionGranted(Permissions.Delete)); Assert.True(authorization.IsPermissionGranted(Permissions.Read)); Assert.IsFalse(authorization.IsPermissionGranted(Permissions.Update)); authorization.AddPermission(Permissions.Update); Assert.True(authorization.IsPermissionGranted(Permissions.Access)); Assert.True(authorization.IsPermissionGranted(Permissions.Delete)); Assert.True(authorization.IsPermissionGranted(Permissions.Read)); Assert.True(authorization.IsPermissionGranted(Permissions.Update)); authorization.RemovePermission(Permissions.Access); Assert.IsFalse(authorization.IsPermissionGranted(Permissions.Access)); Assert.True(authorization.IsPermissionGranted(Permissions.Delete)); Assert.True(authorization.IsPermissionGranted(Permissions.Read)); Assert.True(authorization.IsPermissionGranted(Permissions.Update)); authorization.RemovePermission(Permissions.Delete); Assert.IsFalse(authorization.IsPermissionGranted(Permissions.Access)); Assert.IsFalse(authorization.IsPermissionGranted(Permissions.Delete)); Assert.True(authorization.IsPermissionGranted(Permissions.Read)); Assert.True(authorization.IsPermissionGranted(Permissions.Update)); authorization.RemovePermission(Permissions.Read); Assert.IsFalse(authorization.IsPermissionGranted(Permissions.Access)); Assert.IsFalse(authorization.IsPermissionGranted(Permissions.Delete)); Assert.IsFalse(authorization.IsPermissionGranted(Permissions.Read)); Assert.True(authorization.IsPermissionGranted(Permissions.Update)); authorization.RemovePermission(Permissions.Update); Assert.IsFalse(authorization.IsPermissionGranted(Permissions.Access)); Assert.IsFalse(authorization.IsPermissionGranted(Permissions.Delete)); Assert.IsFalse(authorization.IsPermissionGranted(Permissions.Read)); Assert.IsFalse(authorization.IsPermissionGranted(Permissions.Update)); }
[Test] public virtual void testUserOverrideGlobalRevokeAuthorizationCheck() { TestResource resource1 = new TestResource("resource1", 100); // create global authorization which revokes all permissions to all users (on resource1): IAuthorization globalGrant = authorizationService.CreateNewAuthorization(AuthorizationFields.AuthTypeGlobal); globalGrant.Resource = (Resources)resource1.resourceType(); globalGrant.ResourceId = AuthorizationFields.Any; globalGrant.RemovePermission(Permissions.All); authorizationService.SaveAuthorization(globalGrant); // add Permissions.Read for jonny IAuthorization localRevoke = authorizationService.CreateNewAuthorization(AuthorizationFields.AuthTypeGrant); localRevoke.UserId = "jonny"; localRevoke.Resource = (Resources)resource1.resourceType(); localRevoke.ResourceId = AuthorizationFields.Any; localRevoke.AddPermission(Permissions.Read); authorizationService.SaveAuthorization(localRevoke); // jonny does not have Permissions.All permissions Assert.IsFalse(authorizationService.IsUserAuthorized("jonny", null, Permissions.All, (Resources)resource1.resourceType())); // jonny can read Assert.True(authorizationService.IsUserAuthorized("jonny", null, Permissions.Read, (Resources)resource1.resourceType())); // jonny can't Delete Assert.IsFalse(authorizationService.IsUserAuthorized("jonny", null, Permissions.Delete, (Resources)resource1.resourceType())); // someone else can't do anything Assert.IsFalse(authorizationService.IsUserAuthorized("someone else", null, Permissions.All, (Resources)resource1.resourceType())); Assert.IsFalse(authorizationService.IsUserAuthorized("someone else", null, Permissions.Read, (Resources)resource1.resourceType())); Assert.IsFalse(authorizationService.IsUserAuthorized("someone else", null, Permissions.Delete, (Resources)resource1.resourceType())); }
public virtual void testQueryWithGroupAuthorizationRevokedReadPermission() { // given // given user gets all permissions on any process definition IAuthorization authorization = createGrantAuthorization(Resources.ProcessDefinition, AuthorizationFields.Any); authorization.GroupId = groupId; authorization.AddPermission(Permissions.All); saveAuthorization(authorization); authorization = createRevokeAuthorization(Resources.ProcessDefinition, ONE_TASK_PROCESS_KEY); authorization.GroupId = groupId; authorization.RemovePermission(Permissions.Read); saveAuthorization(authorization); // when IQueryable <IProcessDefinition> query = repositoryService.CreateProcessDefinitionQuery(); // then //verifyQueryResults(query, 1); IProcessDefinition definition = query.First(); Assert.NotNull(definition); Assert.AreEqual(TWO_TASKS_PROCESS_KEY, definition.Key); }
public virtual void testDeleteAuthorization() { // create global auth IAuthorization basePerms = authorizationService.CreateNewAuthorization(AuthorizationFields.AuthTypeGlobal); basePerms.Resource = Resources.Authorization; basePerms.ResourceId = AuthorizationFields.Any; basePerms.AddPermission(Permissions.All); basePerms.RemovePermission(Permissions.Delete); // revoke Delete authorizationService.SaveAuthorization(basePerms); // turn on authorization processEngineConfiguration.SetAuthorizationEnabled(true); identityService.AuthenticatedUserId = jonny2; try { // try to Delete authorization authorizationService.DeleteAuthorization(basePerms.Id); Assert.Fail("exception expected"); } catch (AuthorizationException e) { Assert.AreEqual(1, e.MissingAuthorizations.Count); MissingAuthorization info = e.MissingAuthorizations[0]; Assert.AreEqual(jonny2, e.UserId); AuthorizationTestUtil.AssertExceptionInfo(Permissions.Delete.ToString(), Resources.Authorization.ToString() /*.ResourceName()*/, basePerms.Id, info); } }
public virtual void testGlobalGrantAuthorizationCheck() { TestResource resource1 = new TestResource("resource1", 100); // create global authorization which grants all permissions to all users (on resource1): IAuthorization globalAuth = authorizationService.CreateNewAuthorization(AuthorizationFields.AuthTypeGlobal); globalAuth.Resource = (Resources)resource1.resourceType(); globalAuth.ResourceId = AuthorizationFields.Any; globalAuth.AddPermission(Permissions.All); authorizationService.SaveAuthorization(globalAuth); IList <string> jonnysGroups = (new string[] { "sales", "marketing" }); IList <string> someOneElsesGroups = (new string[] { "marketing" }); // this authorizes any user to do anything in this resource: Assert.True(authorizationService.IsUserAuthorized("jonny", null, Permissions.All, (Resources)resource1.resourceType())); Assert.True(authorizationService.IsUserAuthorized("jonny", jonnysGroups, Permissions.All, (Resources)resource1.resourceType())); Assert.True(authorizationService.IsUserAuthorized("someone", null, Permissions.Create, (Resources)resource1.resourceType())); Assert.True(authorizationService.IsUserAuthorized("someone", someOneElsesGroups, Permissions.Create, (Resources)resource1.resourceType())); Assert.True(authorizationService.IsUserAuthorized("someone else", null, Permissions.Delete, (Resources)resource1.resourceType())); Assert.True(authorizationService.IsUserAuthorized("jonny", null, Permissions.All, (Resources)resource1.resourceType(), "someId")); Assert.True(authorizationService.IsUserAuthorized("jonny", jonnysGroups, Permissions.All, (Resources)resource1.resourceType(), "someId")); Assert.True(authorizationService.IsUserAuthorized("someone", null, Permissions.Create, (Resources)resource1.resourceType(), "someId")); Assert.True(authorizationService.IsUserAuthorized("someone else", null, Permissions.Delete, (Resources)resource1.resourceType(), "someOtherId")); }
[Test] public virtual void testTenanGroupMembershipDeleteAuthorizations() { IGroup group1 = identityService.NewGroup("group1"); identityService.SaveGroup(group1); ITenant tenant1 = identityService.NewTenant("tenant1"); identityService.SaveTenant(tenant1); // add base permission which allows nobody to Delete memberships IAuthorization basePerms = authorizationService.CreateNewAuthorization(AuthorizationFields.AuthTypeGlobal); basePerms.Resource = Resources.TenantMembership; basePerms.ResourceId = AuthorizationFields.Any; basePerms.AddPermission(Permissions.All); // add all then remove 'Delete' basePerms.RemovePermission(Permissions.Delete); authorizationService.SaveAuthorization(basePerms); processEngineConfiguration.SetAuthorizationEnabled(true); identityService.AuthenticatedUserId = jonny2; try { identityService.DeleteTenantGroupMembership("tenant1", "group1"); Assert.Fail("exception expected"); } catch (AuthorizationException e) { Assert.AreEqual(1, e.MissingAuthorizations.Count); MissingAuthorization info = e.MissingAuthorizations[0]; Assert.AreEqual(jonny2, e.UserId); AuthorizationTestUtil.AssertExceptionInfo(Permissions.Delete.ToString(), Resources.TenantMembership.ToString() /*.ResourceName()*/, "tenant1", info); } }
public virtual void shouldFetchTaskCountWithAuthorization() { // given IUser user = identityService.NewUser(userId); identityService.SaveUser(user); IAuthorization authorization = authorizationService.CreateNewAuthorization(AuthorizationFields.AuthTypeGrant); authorization.AddPermission(Permissions.Read); authorization.Resource = Resources.Task; authorization.ResourceId = AuthorizationFields.Any; authorization.UserId = userId; authorizationService.SaveAuthorization(authorization); processEngineConfiguration.SetAuthorizationEnabled(true); authenticate(); // when IList <ITaskCountByCandidateGroupResult> results = taskService.CreateTaskReport().TaskCountByCandidateGroup(); processEngineConfiguration.SetAuthorizationEnabled(false); authorizationService.DeleteAuthorization(authorization.Id); identityService.DeleteUser(userId); Assert.AreEqual(0, results.Count); }
// authorization /////////////////////////////////////////////////////// protected internal virtual void createGrantAuthorization(Resources resource, string resourceId, Permissions permission, string userId) { IAuthorization authorization = createGrantAuthorization(resource, resourceId); authorization.UserId = userId; authorization.AddPermission(permission); saveAuthorization(authorization); }
public virtual void testUserUpdateAuthorizations() { // create global auth IAuthorization basePerms = authorizationService.CreateNewAuthorization(AuthorizationFields.AuthTypeGlobal); basePerms.Resource = Resources.Authorization; basePerms.ResourceId = AuthorizationFields.Any; basePerms.AddPermission(Permissions.All); basePerms.RemovePermission(Permissions.Update); // revoke update authorizationService.SaveAuthorization(basePerms); // turn on authorization processEngineConfiguration.SetAuthorizationEnabled(true); identityService.AuthenticatedUserId = jonny2; // fetch authhorization basePerms = authorizationService.CreateAuthorizationQuery().First(); // make some change to the perms basePerms.AddPermission(Permissions.All); try { authorizationService.SaveAuthorization(basePerms); Assert.Fail("exception expected"); } catch (AuthorizationException e) { Assert.AreEqual(1, e.MissingAuthorizations.Count); MissingAuthorization info = e.MissingAuthorizations[0]; Assert.AreEqual(jonny2, e.UserId); AuthorizationTestUtil.AssertExceptionInfo(Permissions.Update.ToString(), Resources.Authorization.ToString() /*.ResourceName()*/, basePerms.Id, info); } // but we can create a new auth IAuthorization newAuth = authorizationService.CreateNewAuthorization(AuthorizationFields.AuthTypeGrant); newAuth.UserId = "jonny2"; newAuth.Resource = Resources.Authorization; newAuth.ResourceId = AuthorizationFields.Any; newAuth.AddPermission(Permissions.All); authorizationService.SaveAuthorization(newAuth); }
protected internal virtual void grantAuthorization(string userId, Resources resource, string resourceId, Permissions permission) { IAuthorization authorization = engineRule.IAuthorizationService.CreateNewAuthorization(AuthorizationFields.AuthTypeGrant); authorization.Resource = resource; authorization.ResourceId = resourceId; authorization.AddPermission(permission); authorization.UserId = userId; engineRule.IAuthorizationService.SaveAuthorization(authorization); authorizations.Add(authorization); }
// user //////////////////////////////////////////////////////////////// protected internal virtual IUser createUser(string userId) { IUser user = identityService.NewUser(userId); identityService.SaveUser(user); // give user all permission to manipulate authorizations IAuthorization authorization = createGrantAuthorization(Resources.Authorization, AuthorizationFields.Any); authorization.UserId = userId; authorization.AddPermission(Permissions.All); saveAuthorization(authorization); // give user all permission to manipulate users authorization = createGrantAuthorization(Resources.User, AuthorizationFields.Any); authorization.UserId = userId; authorization.AddPermission(Permissions.All); saveAuthorization(authorization); return(user); }
[Test] public virtual void testGroupOverrideGlobalGrantAuthorizationCheck() { TestResource resource1 = new TestResource("resource1", 100); // create global authorization which grants all permissions to all users (on resource1): IAuthorization globalGrant = authorizationService.CreateNewAuthorization(AuthorizationFields.AuthTypeGlobal); globalGrant.Resource = (Resources)resource1.resourceType(); globalGrant.ResourceId = AuthorizationFields.Any; globalGrant.AddPermission(Permissions.All); authorizationService.SaveAuthorization(globalGrant); // revoke Permissions.Read for group "sales" IAuthorization groupRevoke = authorizationService.CreateNewAuthorization(AuthorizationFields.AuthTypeRevoke); groupRevoke.GroupId = "sales"; groupRevoke.Resource = (Resources)resource1.resourceType(); groupRevoke.ResourceId = AuthorizationFields.Any; groupRevoke.RemovePermission(Permissions.Read); authorizationService.SaveAuthorization(groupRevoke); IList <string> jonnysGroups = new List <string>() { "sales", "marketing" }; IList <string> someOneElsesGroups = new List <string>() { "marketing" }; // jonny does not have Permissions.All permissions if queried with groups Assert.IsFalse(authorizationService.IsUserAuthorized("jonny", jonnysGroups, Permissions.All, (Resources)resource1.resourceType())); // if queried without groups he has Assert.True(authorizationService.IsUserAuthorized("jonny", null, Permissions.All, (Resources)resource1.resourceType())); // jonny can't read if queried with groups Assert.IsFalse(authorizationService.IsUserAuthorized("jonny", jonnysGroups, Permissions.Read, (Resources)resource1.resourceType())); // if queried without groups he has Assert.True(authorizationService.IsUserAuthorized("jonny", null, Permissions.Read, (Resources)resource1.resourceType())); // someone else who is in group "marketing" but but not "sales" can Assert.True(authorizationService.IsUserAuthorized("someone else", someOneElsesGroups, Permissions.All, (Resources)resource1.resourceType())); Assert.True(authorizationService.IsUserAuthorized("someone else", someOneElsesGroups, Permissions.Read, (Resources)resource1.resourceType())); Assert.True(authorizationService.IsUserAuthorized("someone else", null, Permissions.All, (Resources)resource1.resourceType())); Assert.True(authorizationService.IsUserAuthorized("someone else", null, Permissions.Read, (Resources)resource1.resourceType())); // he could'nt if he were in jonny's groups Assert.IsFalse(authorizationService.IsUserAuthorized("someone else", jonnysGroups, Permissions.All, (Resources)resource1.resourceType())); Assert.IsFalse(authorizationService.IsUserAuthorized("someone else", jonnysGroups, Permissions.Read, (Resources)resource1.resourceType())); // jonny can still Delete Assert.True(authorizationService.IsUserAuthorized("jonny", jonnysGroups, Permissions.Delete, (Resources)resource1.resourceType())); Assert.True(authorizationService.IsUserAuthorized("jonny", null, Permissions.Delete, (Resources)resource1.resourceType())); }
public virtual void testUpdateNewAuthorization() { TestResource resource1 = new TestResource("resource1", 100); TestResource resource2 = new TestResource("resource1", 101); IAuthorization authorization = authorizationService.CreateNewAuthorization(AuthorizationFields.AuthTypeGrant); authorization.UserId = "aUserId"; //authorization.Resource = resource1; authorization.ResourceId = "aResourceId"; authorization.AddPermission(Permissions.Access); // save the authorization authorizationService.SaveAuthorization(authorization); // validate authorization IAuthorization savedAuthorization = authorizationService.CreateAuthorizationQuery().First(); Assert.AreEqual("aUserId", savedAuthorization.UserId); //Assert.AreEqual(resource1.resourceType(), savedAuthorization.ResourceType); Assert.AreEqual("aResourceId", savedAuthorization.ResourceId); Assert.True(savedAuthorization.IsPermissionGranted(Permissions.Access)); // update authorization authorization.UserId = "anotherUserId"; //authorization.Resource = resource2; authorization.ResourceId = "anotherResourceId"; authorization.AddPermission(Permissions.Delete); authorizationService.SaveAuthorization(authorization); // validate authorization updated savedAuthorization = authorizationService.CreateAuthorizationQuery().First(); Assert.AreEqual("anotherUserId", savedAuthorization.UserId); //Assert.AreEqual(resource2.resourceType(), savedAuthorization.ResourceType); Assert.AreEqual("anotherResourceId", savedAuthorization.ResourceId); Assert.True(savedAuthorization.IsPermissionGranted(Permissions.Access)); Assert.True(savedAuthorization.IsPermissionGranted(Permissions.Delete)); }
[Test] public virtual void testUserOverrideGroupOverrideGlobalAuthorizationCheck() { TestResource resource1 = new TestResource("resource1", 100); // create global authorization which grants all permissions to all users (on resource1): IAuthorization globalGrant = authorizationService.CreateNewAuthorization(AuthorizationFields.AuthTypeGlobal); globalGrant.Resource = (Resources)resource1.resourceType(); globalGrant.ResourceId = AuthorizationFields.Any; globalGrant.AddPermission(Permissions.All); authorizationService.SaveAuthorization(globalGrant); // revoke Permissions.Read for group "sales" IAuthorization groupRevoke = authorizationService.CreateNewAuthorization(AuthorizationFields.AuthTypeRevoke); groupRevoke.GroupId = "sales"; groupRevoke.Resource = (Resources)resource1.resourceType(); groupRevoke.ResourceId = AuthorizationFields.Any; groupRevoke.RemovePermission(Permissions.Read); authorizationService.SaveAuthorization(groupRevoke); // add Permissions.Read for jonny IAuthorization userGrant = authorizationService.CreateNewAuthorization(AuthorizationFields.AuthTypeGrant); userGrant.UserId = "jonny"; userGrant.Resource = (Resources)resource1.resourceType(); userGrant.ResourceId = AuthorizationFields.Any; userGrant.AddPermission(Permissions.Read); authorizationService.SaveAuthorization(userGrant); IList <string> jonnysGroups = new List <string>() { "sales", "marketing" }; IList <string> someOneElsesGroups = new List <string>() { "marketing" }; // jonny can read Assert.True(authorizationService.IsUserAuthorized("jonny", jonnysGroups, Permissions.Read, (Resources)resource1.resourceType())); Assert.True(authorizationService.IsUserAuthorized("jonny", null, Permissions.Read, (Resources)resource1.resourceType())); // someone else in the same groups cannot Assert.IsFalse(authorizationService.IsUserAuthorized("someone else", jonnysGroups, Permissions.Read, (Resources)resource1.resourceType())); // someone else in different groups can Assert.True(authorizationService.IsUserAuthorized("someone else", someOneElsesGroups, Permissions.Read, (Resources)resource1.resourceType())); }
public virtual void testCreateAuthorization() { // add base permission which allows nobody to create authorizations IAuthorization basePerms = authorizationService.CreateNewAuthorization(AuthorizationFields.AuthTypeGlobal); basePerms.Resource = Resources.Authorization; basePerms.ResourceId = AuthorizationFields.Any; basePerms.AddPermission(Permissions.All); // add all then remove 'create' basePerms.RemovePermission(Permissions.Create); authorizationService.SaveAuthorization(basePerms); // now enable authorizations: processEngineConfiguration.SetAuthorizationEnabled(true); identityService.AuthenticatedUserId = jonny2; try { // we cannot create another authorization authorizationService.CreateNewAuthorization(AuthorizationFields.AuthTypeGlobal); Assert.Fail("exception expected"); } catch (AuthorizationException e) { Assert.AreEqual(1, e.MissingAuthorizations.Count); MissingAuthorization info = e.MissingAuthorizations[0]; Assert.AreEqual(jonny2, e.UserId); AuthorizationTestUtil.AssertExceptionInfo(Permissions.Create.ToString(), Resources.Authorization.ToString() /*.ResourceName()*/, null, info); } // circumvent auth check to get new transient object IAuthorization authorization = new AuthorizationEntity(AuthorizationFields.AuthTypeRevoke); authorization.UserId = "someUserId"; authorization.Resource = Resources.Application; try { authorizationService.SaveAuthorization(authorization); Assert.Fail("exception expected"); } catch (AuthorizationException e) { Assert.AreEqual(1, e.MissingAuthorizations.Count); MissingAuthorization info = e.MissingAuthorizations[0]; Assert.AreEqual(jonny2, e.UserId); AuthorizationTestUtil.AssertExceptionInfo(Permissions.Create.ToString(), Resources.Authorization.ToString() /*.ResourceName()*/, null, info); } }
[Test] public virtual void testUserOverrideGlobalGrantAuthorizationCheck() { TestResource resource1 = new TestResource("resource1", 100); // create global authorization which grants all permissions to all users (on resource1): IAuthorization globalGrant = authorizationService.CreateNewAuthorization(AuthorizationFields.AuthTypeGlobal); globalGrant.Resource = (Resources)resource1.resourceType(); globalGrant.ResourceId = AuthorizationFields.Any; globalGrant.AddPermission(Permissions.All); authorizationService.SaveAuthorization(globalGrant); // revoke Permissions.Read for jonny IAuthorization localRevoke = authorizationService.CreateNewAuthorization(AuthorizationFields.AuthTypeRevoke); localRevoke.UserId = "jonny"; localRevoke.Resource = (Resources)resource1.resourceType(); localRevoke.ResourceId = AuthorizationFields.Any; localRevoke.RemovePermission(Permissions.Read); authorizationService.SaveAuthorization(localRevoke); IList <string> jonnysGroups = new List <string>() { "sales", "marketing" }; IList <string> someOneElsesGroups = new List <string>() { "marketing" }; // jonny does not have Permissions.All permissions Assert.IsFalse(authorizationService.IsUserAuthorized("jonny", null, Permissions.All, (Resources)resource1.resourceType())); Assert.IsFalse(authorizationService.IsUserAuthorized("jonny", jonnysGroups, Permissions.All, (Resources)resource1.resourceType())); // jonny can't read Assert.IsFalse(authorizationService.IsUserAuthorized("jonny", null, Permissions.Read, (Resources)resource1.resourceType())); Assert.IsFalse(authorizationService.IsUserAuthorized("jonny", jonnysGroups, Permissions.Read, (Resources)resource1.resourceType())); // someone else can Assert.True(authorizationService.IsUserAuthorized("someone else", null, Permissions.All, (Resources)resource1.resourceType())); Assert.True(authorizationService.IsUserAuthorized("someone else", someOneElsesGroups, Permissions.Read, (Resources)resource1.resourceType())); Assert.True(authorizationService.IsUserAuthorized("someone else", null, Permissions.All, (Resources)resource1.resourceType())); Assert.True(authorizationService.IsUserAuthorized("someone else", someOneElsesGroups, Permissions.Read, (Resources)resource1.resourceType())); // jonny can still Delete Assert.True(authorizationService.IsUserAuthorized("jonny", null, Permissions.Delete, (Resources)resource1.resourceType())); Assert.True(authorizationService.IsUserAuthorized("jonny", jonnysGroups, Permissions.Delete, (Resources)resource1.resourceType())); }
[Test] public virtual void testTenantCreateAuthorizations() { // add base permission which allows nobody to create tenants: IAuthorization basePerms = authorizationService.CreateNewAuthorization(AuthorizationFields.AuthTypeGlobal); basePerms.Resource = Resources.Tenant; basePerms.ResourceId = AuthorizationFields.Any; basePerms.AddPermission(Permissions.All); // add all then remove 'create' basePerms.RemovePermission(Permissions.Create); authorizationService.SaveAuthorization(basePerms); processEngineConfiguration.SetAuthorizationEnabled(true); identityService.AuthenticatedUserId = jonny2; try { identityService.NewTenant("tenant"); Assert.Fail("exception expected"); } catch (AuthorizationException e) { Assert.AreEqual(1, e.MissingAuthorizations.Count); MissingAuthorization info = e.MissingAuthorizations[0]; Assert.AreEqual(jonny2, e.UserId); AuthorizationTestUtil.AssertExceptionInfo(Permissions.Create.ToString(), Resources.Tenant.ToString() /*.ResourceName()*/, null, info); } // circumvent auth check to get new transient userobject ITenant tenant = new TenantEntity("tenant"); try { identityService.SaveTenant(tenant); Assert.Fail("exception expected"); } catch (AuthorizationException e) { Assert.AreEqual(1, e.MissingAuthorizations.Count); MissingAuthorization info = e.MissingAuthorizations[0]; Assert.AreEqual(jonny2, e.UserId); AuthorizationTestUtil.AssertExceptionInfo(Permissions.Create.ToString(), Resources.Tenant.ToString() /*.ResourceName()*/, null, info); } }
[Test] public virtual void testTenantUpdateAuthorizations() { // create tenant ITenant tenant = new TenantEntity("tenant"); identityService.SaveTenant(tenant); // create global auth IAuthorization basePerms = authorizationService.CreateNewAuthorization(AuthorizationFields.AuthTypeGlobal); basePerms.Resource = Resources.Tenant; basePerms.ResourceId = AuthorizationFields.Any; basePerms.AddPermission(Permissions.All); basePerms.RemovePermission(Permissions.Update); // revoke update authorizationService.SaveAuthorization(basePerms); // turn on authorization processEngineConfiguration.SetAuthorizationEnabled(true); identityService.AuthenticatedUserId = jonny2; // fetch user: tenant = identityService.CreateTenantQuery().First(); tenant.Name = "newName"; try { identityService.SaveTenant(tenant); Assert.Fail("exception expected"); } catch (AuthorizationException e) { Assert.AreEqual(1, e.MissingAuthorizations.Count); MissingAuthorization info = e.MissingAuthorizations[0]; Assert.AreEqual(jonny2, e.UserId); AuthorizationTestUtil.AssertExceptionInfo(Permissions.Update.ToString(), Resources.Tenant.ToString() /*.ResourceName()*/, "tenant", info); } // but I can create a new tenant: ITenant newTenant = identityService.NewTenant("newTenant"); identityService.SaveTenant(newTenant); }
[Test] public virtual void testGroupUpdateAuthorizations() { // crate group while still in god-mode: IGroup group1 = identityService.NewGroup("group1"); identityService.SaveGroup(group1); // create global auth IAuthorization basePerms = authorizationService.CreateNewAuthorization(AuthorizationFields.AuthTypeGlobal); basePerms.Resource = Resources.Group; basePerms.ResourceId = AuthorizationFields.Any; basePerms.AddPermission(Permissions.All); basePerms.RemovePermission(Permissions.Update); // revoke update authorizationService.SaveAuthorization(basePerms); // turn on authorization processEngineConfiguration.SetAuthorizationEnabled(true); identityService.AuthenticatedUserId = jonny2; // fetch user: group1 = identityService.CreateGroupQuery().First(); //group1.ToString() = "IGroup 1"; try { identityService.SaveGroup(group1); Assert.Fail("exception expected"); } catch (AuthorizationException e) { Assert.AreEqual(1, e.MissingAuthorizations.Count); MissingAuthorization info = e.MissingAuthorizations[0]; Assert.AreEqual(jonny2, e.UserId); AuthorizationTestUtil.AssertExceptionInfo(Permissions.Update.ToString(), Resources.Group.ToString() /*.ResourceName()*/, "group1", info); } // but I can create a new group: IGroup group2 = identityService.NewGroup("group2"); identityService.SaveGroup(group2); }
[Test] public virtual void testUserUpdateAuthorizations() { // crate user while still in god-mode: IUser jonny1 = identityService.NewUser("jonny1"); identityService.SaveUser(jonny1); // create global auth IAuthorization basePerms = authorizationService.CreateNewAuthorization(AuthorizationFields.AuthTypeGlobal); basePerms.Resource = Resources.User; basePerms.ResourceId = AuthorizationFields.Any; basePerms.AddPermission(Permissions.All); basePerms.RemovePermission(Permissions.Update); // revoke update authorizationService.SaveAuthorization(basePerms); // turn on authorization processEngineConfiguration.SetAuthorizationEnabled(true); identityService.AuthenticatedUserId = jonny2; // fetch user: jonny1 = identityService.CreateUserQuery().First(); jonny1.FirstName = "Jonny"; try { identityService.SaveUser(jonny1); Assert.Fail("exception expected"); } catch (AuthorizationException e) { Assert.AreEqual(1, e.MissingAuthorizations.Count); MissingAuthorization info = e.MissingAuthorizations[0]; Assert.AreEqual(jonny2, e.UserId); AuthorizationTestUtil.AssertExceptionInfo(Permissions.Update.ToString(), Resources.User.ToString() /*.ResourceName()*/, "jonny1", info); } // but I can create a new user: IUser jonny3 = identityService.NewUser("jonny3"); identityService.SaveUser(jonny3); }
[Test] public virtual void testUserQueryAuthorizationsMultipleGroups() { // we are jonny2 string authUserId = "jonny2"; identityService.AuthenticatedUserId = authUserId; IUser demo = identityService.NewUser("demo"); identityService.SaveUser(demo); IUser mary = identityService.NewUser("mary"); identityService.SaveUser(mary); IUser peter = identityService.NewUser("peter"); identityService.SaveUser(peter); IUser john = identityService.NewUser("john"); identityService.SaveUser(john); IGroup sales = identityService.NewGroup("sales"); identityService.SaveGroup(sales); IGroup accounting = identityService.NewGroup("accounting"); identityService.SaveGroup(accounting); IGroup management = identityService.NewGroup("management"); identityService.SaveGroup(management); identityService.CreateMembership("demo", "sales"); identityService.CreateMembership("demo", "accounting"); identityService.CreateMembership("demo", "management"); identityService.CreateMembership("john", "sales"); identityService.CreateMembership("mary", "accounting"); identityService.CreateMembership("peter", "management"); IAuthorization demoAuth = authorizationService.CreateNewAuthorization(AuthorizationFields.AuthTypeGrant); demoAuth.UserId = "demo"; demoAuth.Resource = Resources.User; demoAuth.ResourceId = "demo"; demoAuth.AddPermission(Permissions.All); authorizationService.SaveAuthorization(demoAuth); IAuthorization johnAuth = authorizationService.CreateNewAuthorization(AuthorizationFields.AuthTypeGrant); johnAuth.UserId = "john"; johnAuth.Resource = Resources.User; johnAuth.ResourceId = "john"; johnAuth.AddPermission(Permissions.All); authorizationService.SaveAuthorization(johnAuth); IAuthorization maryAuth = authorizationService.CreateNewAuthorization(AuthorizationFields.AuthTypeGrant); maryAuth.UserId = "mary"; maryAuth.Resource = Resources.User; maryAuth.ResourceId = "mary"; maryAuth.AddPermission(Permissions.All); authorizationService.SaveAuthorization(maryAuth); IAuthorization peterAuth = authorizationService.CreateNewAuthorization(AuthorizationFields.AuthTypeGrant); peterAuth.UserId = "peter"; peterAuth.Resource = Resources.User; peterAuth.ResourceId = "peter"; peterAuth.AddPermission(Permissions.All); authorizationService.SaveAuthorization(peterAuth); IAuthorization accAuth = authorizationService.CreateNewAuthorization(AuthorizationFields.AuthTypeGrant); accAuth.GroupId = "accounting"; accAuth.Resource = Resources.Group; accAuth.ResourceId = "accounting"; accAuth.AddPermission(Permissions.Read); authorizationService.SaveAuthorization(accAuth); IAuthorization salesAuth = authorizationService.CreateNewAuthorization(AuthorizationFields.AuthTypeGrant); salesAuth.GroupId = "sales"; salesAuth.Resource = Resources.Group; salesAuth.ResourceId = "sales"; salesAuth.AddPermission(Permissions.Read); authorizationService.SaveAuthorization(salesAuth); IAuthorization manAuth = authorizationService.CreateNewAuthorization(AuthorizationFields.AuthTypeGrant); manAuth.GroupId = "management"; manAuth.Resource = Resources.Group; manAuth.ResourceId = "management"; manAuth.AddPermission(Permissions.Read); authorizationService.SaveAuthorization(manAuth); IAuthorization salesDemoAuth = authorizationService.CreateNewAuthorization(AuthorizationFields.AuthTypeGrant); salesDemoAuth.GroupId = "sales"; salesDemoAuth.Resource = Resources.User; salesDemoAuth.ResourceId = "demo"; salesDemoAuth.AddPermission(Permissions.Read); authorizationService.SaveAuthorization(salesDemoAuth); IAuthorization salesJohnAuth = authorizationService.CreateNewAuthorization(AuthorizationFields.AuthTypeGrant); salesJohnAuth.GroupId = "sales"; salesJohnAuth.Resource = Resources.User; salesJohnAuth.ResourceId = "john"; salesJohnAuth.AddPermission(Permissions.Read); authorizationService.SaveAuthorization(salesJohnAuth); IAuthorization manDemoAuth = authorizationService.CreateNewAuthorization(AuthorizationFields.AuthTypeGrant); manDemoAuth.GroupId = "management"; manDemoAuth.Resource = Resources.User; manDemoAuth.ResourceId = "demo"; manDemoAuth.AddPermission(Permissions.Read); authorizationService.SaveAuthorization(manDemoAuth); IAuthorization manPeterAuth = authorizationService.CreateNewAuthorization(AuthorizationFields.AuthTypeGrant); manPeterAuth.GroupId = "management"; manPeterAuth.Resource = Resources.User; manPeterAuth.ResourceId = "peter"; manPeterAuth.AddPermission(Permissions.Read); authorizationService.SaveAuthorization(manPeterAuth); IAuthorization accDemoAuth = authorizationService.CreateNewAuthorization(AuthorizationFields.AuthTypeGrant); accDemoAuth.GroupId = "accounting"; accDemoAuth.Resource = Resources.User; accDemoAuth.ResourceId = "demo"; accDemoAuth.AddPermission(Permissions.Read); authorizationService.SaveAuthorization(accDemoAuth); IAuthorization accMaryAuth = authorizationService.CreateNewAuthorization(AuthorizationFields.AuthTypeGrant); accMaryAuth.GroupId = "accounting"; accMaryAuth.Resource = Resources.User; accMaryAuth.ResourceId = "mary"; accMaryAuth.AddPermission(Permissions.Read); authorizationService.SaveAuthorization(accMaryAuth); IList <string> groups = new List <string>(); groups.Add("management"); groups.Add("accounting"); groups.Add("sales"); identityService.SetAuthentication("demo", groups); processEngineConfiguration.SetAuthorizationEnabled(true); IList <IUser> salesUser = identityService.CreateUserQuery() //.MemberOfGroup("sales") .ToList(); Assert.AreEqual(2, salesUser.Count); foreach (IUser user in salesUser) { if (!user.Id.Equals("demo") && !user.Id.Equals("john")) { Assert.Fail("Unexpected user for group sales: " + user.Id); } } IList <IUser> accountingUser = identityService.CreateUserQuery() //.MemberOfGroup("accounting") .ToList(); Assert.AreEqual(2, accountingUser.Count); foreach (IUser user in accountingUser) { if (!user.Id.Equals("demo") && !user.Id.Equals("mary")) { Assert.Fail("Unexpected user for group accounting: " + user.Id); } } IList <IUser> managementUser = identityService.CreateUserQuery() //.MemberOfGroup("management") .ToList(); Assert.AreEqual(2, managementUser.Count); foreach (IUser user in managementUser) { if (!user.Id.Equals("demo") && !user.Id.Equals("peter")) { Assert.Fail("Unexpected user for group managment: " + user.Id); } } }
[Test] public virtual void testTenantQueryAuthorizations() { // we are jonny2 string authUserId = "jonny2"; identityService.AuthenticatedUserId = authUserId; // create new user jonny1 IUser jonny1 = identityService.NewUser("jonny1"); identityService.SaveUser(jonny1); // create new tenant ITenant tenant = identityService.NewTenant("tenant"); identityService.SaveTenant(tenant); // set base permission for all users (no-one has any permissions on tenants) IAuthorization basePerms = authorizationService.CreateNewAuthorization(AuthorizationFields.AuthTypeGlobal); basePerms.Resource = Resources.Tenant; basePerms.ResourceId = AuthorizationFields.Any; authorizationService.SaveAuthorization(basePerms); // now enable checks processEngineConfiguration.SetAuthorizationEnabled(true); // we cannot fetch the tenants Assert.AreEqual(0, identityService.CreateTenantQuery().Count()); // now we add permission for jonny2 to read the tenants: processEngineConfiguration.SetAuthorizationEnabled(false); IAuthorization ourPerms = authorizationService.CreateNewAuthorization(AuthorizationFields.AuthTypeGrant); ourPerms.UserId = authUserId; ourPerms.Resource = Resources.Tenant; ourPerms.ResourceId = AuthorizationFields.Any; ourPerms.AddPermission(Permissions.Read); authorizationService.SaveAuthorization(ourPerms); processEngineConfiguration.SetAuthorizationEnabled(true); // now we can fetch the tenants Assert.AreEqual(1, identityService.CreateTenantQuery().Count()); // change the base permission: processEngineConfiguration.SetAuthorizationEnabled(false); basePerms = authorizationService.CreateAuthorizationQuery(c => c.ResourceType == Resources.Tenant && c.UserId == "*").First(); basePerms.AddPermission(Permissions.Read); authorizationService.SaveAuthorization(basePerms); processEngineConfiguration.SetAuthorizationEnabled(true); // we can still fetch the tenants Assert.AreEqual(1, identityService.CreateTenantQuery().Count()); // revoke permission for jonny2: processEngineConfiguration.SetAuthorizationEnabled(false); ourPerms = authorizationService.CreateAuthorizationQuery(c => c.ResourceType == Resources.Tenant && c.UserId == authUserId).First(); ourPerms.RemovePermission(Permissions.Read); authorizationService.SaveAuthorization(ourPerms); IAuthorization revoke = authorizationService.CreateNewAuthorization(AuthorizationFields.AuthTypeRevoke); revoke.UserId = authUserId; revoke.Resource = Resources.Tenant; revoke.ResourceId = AuthorizationFields.Any; revoke.RemovePermission(Permissions.Read); authorizationService.SaveAuthorization(revoke); processEngineConfiguration.SetAuthorizationEnabled(true); // now we cannot fetch the tenants Assert.AreEqual(0, identityService.CreateTenantQuery().Count()); // Delete our permissions processEngineConfiguration.SetAuthorizationEnabled(false); authorizationService.DeleteAuthorization(ourPerms.Id); authorizationService.DeleteAuthorization(revoke.Id); processEngineConfiguration.SetAuthorizationEnabled(true); // now the base permission applies and grants us read access Assert.AreEqual(1, identityService.CreateTenantQuery().Count()); }