public void testGlobalGrantAuthorizationCheck() {
    TestResource resource1 = new TestResource("resource1", 100);

    // create global authorization which grants all permissions to all users (on resource1):
    Authorization globalAuth = authorizationService.createNewAuthorization(AUTH_TYPE_GLOBAL);
    globalAuth.setResource(resource1);
    globalAuth.setResourceId(ANY);
    globalAuth.addPermission(ALL);
    authorizationService.saveAuthorization(globalAuth);

    List<String> jonnysGroups = Arrays.asList(new String[] {"sales", "marketing"});
    List<String> someOneElsesGroups = Arrays.asList(new String[] {"marketing"});

    // this authorizes any user to do anything in this resource:
    assertTrue(authorizationService.isUserAuthorized("jonny", null, ALL, resource1));
    assertTrue(authorizationService.isUserAuthorized("jonny", jonnysGroups, ALL, resource1));
    assertTrue(authorizationService.isUserAuthorized("someone", null, CREATE, resource1));
    assertTrue(
        authorizationService.isUserAuthorized("someone", someOneElsesGroups, CREATE, resource1));
    assertTrue(authorizationService.isUserAuthorized("someone else", null, DELETE, resource1));
    assertTrue(authorizationService.isUserAuthorized("jonny", null, ALL, resource1, "someId"));
    assertTrue(
        authorizationService.isUserAuthorized("jonny", jonnysGroups, ALL, resource1, "someId"));
    assertTrue(authorizationService.isUserAuthorized("someone", null, CREATE, resource1, "someId"));
    assertTrue(
        authorizationService.isUserAuthorized(
            "someone else", null, DELETE, resource1, "someOtherId"));
  }
 protected void cleanupAfterTest() {
   for (User user : identityService.createUserQuery().list()) {
     identityService.deleteUser(user.getId());
   }
   for (Authorization authorization : authorizationService.createAuthorizationQuery().list()) {
     authorizationService.deleteAuthorization(authorization.getId());
   }
 }
 protected void tearDown() throws Exception {
   List<Authorization> jonnysAuths =
       authorizationService.createAuthorizationQuery().userIdIn("jonny").list();
   for (Authorization authorization : jonnysAuths) {
     authorizationService.deleteAuthorization(authorization.getId());
   }
   processEngineConfiguration.setAuthorizationEnabled(false);
   super.tearDown();
 }
  public void testUserOverrideGlobalRevokeAuthorizationCheck() {
    TestResource resource1 = new TestResource("resource1", 100);

    // create global authorization which revokes all permissions to all users  (on resource1):
    Authorization globalGrant = authorizationService.createNewAuthorization(AUTH_TYPE_GLOBAL);
    globalGrant.setResource(resource1);
    globalGrant.setResourceId(ANY);
    globalGrant.removePermission(ALL);
    authorizationService.saveAuthorization(globalGrant);

    // add READ for jonny
    Authorization localRevoke = authorizationService.createNewAuthorization(AUTH_TYPE_GRANT);
    localRevoke.setUserId("jonny");
    localRevoke.setResource(resource1);
    localRevoke.setResourceId(ANY);
    localRevoke.addPermission(READ);
    authorizationService.saveAuthorization(localRevoke);

    // jonny does not have ALL permissions
    assertFalse(authorizationService.isUserAuthorized("jonny", null, ALL, resource1));
    // jonny can read
    assertTrue(authorizationService.isUserAuthorized("jonny", null, READ, resource1));
    // jonny can't delete
    assertFalse(authorizationService.isUserAuthorized("jonny", null, DELETE, resource1));

    // someone else can't do anything
    assertFalse(authorizationService.isUserAuthorized("someone else", null, ALL, resource1));
    assertFalse(authorizationService.isUserAuthorized("someone else", null, READ, resource1));
    assertFalse(authorizationService.isUserAuthorized("someone else", null, DELETE, resource1));
  }
  public void testGroupOverrideGlobalGrantAuthorizationCheck() {
    TestResource resource1 = new TestResource("resource1", 100);

    // create global authorization which grants all permissions to all users  (on resource1):
    Authorization globalGrant = authorizationService.createNewAuthorization(AUTH_TYPE_GLOBAL);
    globalGrant.setResource(resource1);
    globalGrant.setResourceId(ANY);
    globalGrant.addPermission(ALL);
    authorizationService.saveAuthorization(globalGrant);

    // revoke READ for group "sales"
    Authorization groupRevoke = authorizationService.createNewAuthorization(AUTH_TYPE_REVOKE);
    groupRevoke.setGroupId("sales");
    groupRevoke.setResource(resource1);
    groupRevoke.setResourceId(ANY);
    groupRevoke.removePermission(READ);
    authorizationService.saveAuthorization(groupRevoke);

    List<String> jonnysGroups = Arrays.asList(new String[] {"sales", "marketing"});
    List<String> someOneElsesGroups = Arrays.asList(new String[] {"marketing"});

    // jonny does not have ALL permissions if queried with groups
    assertFalse(authorizationService.isUserAuthorized("jonny", jonnysGroups, ALL, resource1));
    // if queried without groups he has
    assertTrue(authorizationService.isUserAuthorized("jonny", null, ALL, resource1));

    // jonny can't read if queried with groups
    assertFalse(authorizationService.isUserAuthorized("jonny", jonnysGroups, READ, resource1));
    // if queried without groups he has
    assertTrue(authorizationService.isUserAuthorized("jonny", null, READ, resource1));

    // someone else who is in group "marketing" but but not "sales" can
    assertTrue(
        authorizationService.isUserAuthorized("someone else", someOneElsesGroups, ALL, resource1));
    assertTrue(
        authorizationService.isUserAuthorized("someone else", someOneElsesGroups, READ, resource1));
    assertTrue(authorizationService.isUserAuthorized("someone else", null, ALL, resource1));
    assertTrue(authorizationService.isUserAuthorized("someone else", null, READ, resource1));
    // he could'nt if he were in jonny's groups
    assertFalse(
        authorizationService.isUserAuthorized("someone else", jonnysGroups, ALL, resource1));
    assertFalse(
        authorizationService.isUserAuthorized("someone else", jonnysGroups, READ, resource1));

    // jonny can still delete
    assertTrue(authorizationService.isUserAuthorized("jonny", jonnysGroups, DELETE, resource1));
    assertTrue(authorizationService.isUserAuthorized("jonny", null, DELETE, resource1));
  }
  public void testInvalidCreateAuthorization() {

    TestResource resource1 = new TestResource("resource1", 100);

    // case 1: no user id & no group id ////////////

    Authorization authorization = authorizationService.createNewAuthorization(AUTH_TYPE_GRANT);
    authorization.setResource(resource1);

    try {
      authorizationService.saveAuthorization(authorization);
      fail("exception expected");
    } catch (ProcessEngineException e) {
      assertTrue(
          e.getMessage().contains("Authorization must either have a 'userId' or a 'groupId'."));
    }

    // case 2: both user id & group id ////////////

    authorization = authorizationService.createNewAuthorization(AUTH_TYPE_GRANT);
    authorization.setGroupId("someId");
    authorization.setUserId("someOtherId");
    authorization.setResource(resource1);

    try {
      authorizationService.saveAuthorization(authorization);
      fail("exception expected");
    } catch (ProcessEngineException e) {
      assertTrue(
          e.getMessage()
              .contains("Authorization cannot define 'userId' or a 'groupId' at the same time."));
    }

    // case 3: no resourceType ////////////

    authorization = authorizationService.createNewAuthorization(AUTH_TYPE_GRANT);
    authorization.setUserId("someId");

    try {
      authorizationService.saveAuthorization(authorization);
      fail("exception expected");
    } catch (ProcessEngineException e) {
      assertTrue(e.getMessage().contains("Authorization 'resourceType' cannot be null."));
    }

    // case 4: no permissions /////////////////

    authorization = authorizationService.createNewAuthorization(AUTH_TYPE_REVOKE);
    authorization.setUserId("someId");

    try {
      authorizationService.saveAuthorization(authorization);
      fail("exception expected");
    } catch (ProcessEngineException e) {
      assertTrue(e.getMessage().contains("Authorization 'resourceType' cannot be null."));
    }
  }
  public void testCreateAuthorizationWithGroupId() {

    TestResource resource1 = new TestResource("resource1", 100);

    // initially, no authorization exists:
    assertEquals(0, authorizationService.createAuthorizationQuery().count());

    // simple create / delete with userId
    Authorization authorization = authorizationService.createNewAuthorization(AUTH_TYPE_GRANT);
    authorization.setGroupId("aGroupId");
    authorization.setResource(resource1);

    // save the authorization
    authorizationService.saveAuthorization(authorization);
    // authorization exists
    assertEquals(1, authorizationService.createAuthorizationQuery().count());
    // delete the authorization
    authorizationService.deleteAuthorization(authorization.getId());
    // it's gone
    assertEquals(0, authorizationService.createAuthorizationQuery().count());
  }
  public void testCreateGroup() {
    // initially there are no authorizations for group "sales":
    assertEquals(0, authorizationService.createAuthorizationQuery().groupIdIn("sales").count());

    // create new group
    identityService.saveGroup(identityService.newGroup("sales"));

    // now there is an authorization for sales which grants all members READ permissions
    Authorization authorization =
        authorizationService.createAuthorizationQuery().groupIdIn("sales").singleResult();
    assertNotNull(authorization);
    assertEquals(AUTH_TYPE_GRANT, authorization.getAuthorizationType());
    assertEquals(GROUP.resourceType(), authorization.getResourceType());
    assertEquals("sales", authorization.getResourceId());
    assertTrue(authorization.isPermissionGranted(READ));

    // delete the group
    identityService.deleteGroup("sales");

    // the authorization is deleted as well:
    assertEquals(0, authorizationService.createAuthorizationQuery().groupIdIn("sales").count());
  }
  public void testCreateUser() {
    // initially there are no authorizations for jonny2:
    assertEquals(0, authorizationService.createAuthorizationQuery().userIdIn("jonny2").count());

    // create new user
    identityService.saveUser(identityService.newUser("jonny2"));

    // now there is an authorization for jonny2 which grants him ALL permissions on himself
    Authorization authorization =
        authorizationService.createAuthorizationQuery().userIdIn("jonny2").singleResult();
    assertNotNull(authorization);
    assertEquals(AUTH_TYPE_GRANT, authorization.getAuthorizationType());
    assertEquals(USER.resourceType(), authorization.getResourceType());
    assertEquals("jonny2", authorization.getResourceId());
    assertTrue(authorization.isPermissionGranted(ALL));

    // delete the user
    identityService.deleteUser("jonny2");

    // the authorization is deleted as well:
    assertEquals(0, authorizationService.createAuthorizationQuery().userIdIn("jonny2").count());
  }
  public void testUserOverrideGlobalGrantAuthorizationCheck() {
    TestResource resource1 = new TestResource("resource1", 100);

    // create global authorization which grants all permissions to all users  (on resource1):
    Authorization globalGrant = authorizationService.createNewAuthorization(AUTH_TYPE_GLOBAL);
    globalGrant.setResource(resource1);
    globalGrant.setResourceId(ANY);
    globalGrant.addPermission(ALL);
    authorizationService.saveAuthorization(globalGrant);

    // revoke READ for jonny
    Authorization localRevoke = authorizationService.createNewAuthorization(AUTH_TYPE_REVOKE);
    localRevoke.setUserId("jonny");
    localRevoke.setResource(resource1);
    localRevoke.setResourceId(ANY);
    localRevoke.removePermission(READ);
    authorizationService.saveAuthorization(localRevoke);

    List<String> jonnysGroups = Arrays.asList(new String[] {"sales", "marketing"});
    List<String> someOneElsesGroups = Arrays.asList(new String[] {"marketing"});

    // jonny does not have ALL permissions
    assertFalse(authorizationService.isUserAuthorized("jonny", null, ALL, resource1));
    assertFalse(authorizationService.isUserAuthorized("jonny", jonnysGroups, ALL, resource1));
    // jonny can't read
    assertFalse(authorizationService.isUserAuthorized("jonny", null, READ, resource1));
    assertFalse(authorizationService.isUserAuthorized("jonny", jonnysGroups, READ, resource1));
    // someone else can
    assertTrue(authorizationService.isUserAuthorized("someone else", null, ALL, resource1));
    assertTrue(
        authorizationService.isUserAuthorized("someone else", someOneElsesGroups, READ, resource1));
    assertTrue(authorizationService.isUserAuthorized("someone else", null, ALL, resource1));
    assertTrue(
        authorizationService.isUserAuthorized("someone else", someOneElsesGroups, READ, resource1));
    // jonny can still delete
    assertTrue(authorizationService.isUserAuthorized("jonny", null, DELETE, resource1));
    assertTrue(authorizationService.isUserAuthorized("jonny", jonnysGroups, DELETE, resource1));
  }
  public void testGlobalUniqueConstraints() {

    TestResource resource1 = new TestResource("resource1", 100);

    Authorization authorization1 = authorizationService.createNewAuthorization(AUTH_TYPE_GLOBAL);
    Authorization authorization2 = authorizationService.createNewAuthorization(AUTH_TYPE_GLOBAL);

    authorization1.setResource(resource1);
    authorization1.setResourceId("someId");

    authorization2.setResource(resource1);
    authorization2.setResourceId("someId");

    // the first one can be saved
    authorizationService.saveAuthorization(authorization1);

    // the second one cannot
    try {
      authorizationService.saveAuthorization(authorization2);
      fail("exception expected");
    } catch (Exception e) {
      // expected
    }
  }
  public void testUserOverrideGroupOverrideGlobalAuthorizationCheck() {
    TestResource resource1 = new TestResource("resource1", 100);

    // create global authorization which grants all permissions to all users  (on resource1):
    Authorization globalGrant = authorizationService.createNewAuthorization(AUTH_TYPE_GLOBAL);
    globalGrant.setResource(resource1);
    globalGrant.setResourceId(ANY);
    globalGrant.addPermission(ALL);
    authorizationService.saveAuthorization(globalGrant);

    // revoke READ for group "sales"
    Authorization groupRevoke = authorizationService.createNewAuthorization(AUTH_TYPE_REVOKE);
    groupRevoke.setGroupId("sales");
    groupRevoke.setResource(resource1);
    groupRevoke.setResourceId(ANY);
    groupRevoke.removePermission(READ);
    authorizationService.saveAuthorization(groupRevoke);

    // add READ for jonny
    Authorization userGrant = authorizationService.createNewAuthorization(AUTH_TYPE_GRANT);
    userGrant.setUserId("jonny");
    userGrant.setResource(resource1);
    userGrant.setResourceId(ANY);
    userGrant.addPermission(READ);
    authorizationService.saveAuthorization(userGrant);

    List<String> jonnysGroups = Arrays.asList(new String[] {"sales", "marketing"});
    List<String> someOneElsesGroups = Arrays.asList(new String[] {"marketing"});

    // jonny can read
    assertTrue(authorizationService.isUserAuthorized("jonny", jonnysGroups, READ, resource1));
    assertTrue(authorizationService.isUserAuthorized("jonny", null, READ, resource1));

    // someone else in the same groups cannot
    assertFalse(
        authorizationService.isUserAuthorized("someone else", jonnysGroups, READ, resource1));

    // someone else in different groups can
    assertTrue(
        authorizationService.isUserAuthorized("someone else", someOneElsesGroups, READ, resource1));
  }
  public void testPermissions() {

    Authorization authorization = authorizationService.createNewAuthorization(AUTH_TYPE_GRANT);

    assertEquals(0, authorization.getPermissions());

    assertFalse(authorization.hasPermission(ACCESS));
    assertFalse(authorization.hasPermission(DELETE));
    assertFalse(authorization.hasPermission(READ));
    assertFalse(authorization.hasPermission(UPDATE));

    authorization.addPermission(ACCESS);
    assertTrue(authorization.hasPermission(ACCESS));
    assertFalse(authorization.hasPermission(DELETE));
    assertFalse(authorization.hasPermission(READ));
    assertFalse(authorization.hasPermission(UPDATE));

    authorization.addPermission(DELETE);
    assertTrue(authorization.hasPermission(ACCESS));
    assertTrue(authorization.hasPermission(DELETE));
    assertFalse(authorization.hasPermission(READ));
    assertFalse(authorization.hasPermission(UPDATE));

    authorization.addPermission(READ);
    assertTrue(authorization.hasPermission(ACCESS));
    assertTrue(authorization.hasPermission(DELETE));
    assertTrue(authorization.hasPermission(READ));
    assertFalse(authorization.hasPermission(UPDATE));

    authorization.addPermission(UPDATE);
    assertTrue(authorization.hasPermission(ACCESS));
    assertTrue(authorization.hasPermission(DELETE));
    assertTrue(authorization.hasPermission(READ));
    assertTrue(authorization.hasPermission(UPDATE));

    authorization.removePermission(ACCESS);
    assertFalse(authorization.hasPermission(ACCESS));
    assertTrue(authorization.hasPermission(DELETE));
    assertTrue(authorization.hasPermission(READ));
    assertTrue(authorization.hasPermission(UPDATE));

    authorization.removePermission(DELETE);
    assertFalse(authorization.hasPermission(ACCESS));
    assertFalse(authorization.hasPermission(DELETE));
    assertTrue(authorization.hasPermission(READ));
    assertTrue(authorization.hasPermission(UPDATE));

    authorization.removePermission(READ);
    assertFalse(authorization.hasPermission(ACCESS));
    assertFalse(authorization.hasPermission(DELETE));
    assertFalse(authorization.hasPermission(READ));
    assertTrue(authorization.hasPermission(UPDATE));

    authorization.removePermission(UPDATE);
    assertFalse(authorization.hasPermission(ACCESS));
    assertFalse(authorization.hasPermission(DELETE));
    assertFalse(authorization.hasPermission(READ));
    assertFalse(authorization.hasPermission(UPDATE));
  }
  public void testUpdatePersistentAuthorization() {

    TestResource resource1 = new TestResource("resource1", 100);
    TestResource resource2 = new TestResource("resource1", 101);

    Authorization authorization = authorizationService.createNewAuthorization(AUTH_TYPE_GRANT);
    authorization.setUserId("aUserId");
    authorization.setResource(resource1);
    authorization.setResourceId("aResourceId");
    authorization.addPermission(ACCESS);

    // save the authorization
    authorizationService.saveAuthorization(authorization);

    // validate authorization
    Authorization savedAuthorization =
        authorizationService.createAuthorizationQuery().singleResult();
    assertEquals("aUserId", savedAuthorization.getUserId());
    assertEquals(resource1.resourceType(), savedAuthorization.getResourceType());
    assertEquals("aResourceId", savedAuthorization.getResourceId());
    assertTrue(savedAuthorization.hasPermission(ACCESS));

    // update authorization
    savedAuthorization.setUserId("anotherUserId");
    savedAuthorization.setResource(resource2);
    savedAuthorization.setResourceId("anotherResourceId");
    savedAuthorization.addPermission(DELETE);
    authorizationService.saveAuthorization(savedAuthorization);

    // validate authorization updated
    savedAuthorization = authorizationService.createAuthorizationQuery().singleResult();
    assertEquals("anotherUserId", savedAuthorization.getUserId());
    assertEquals(resource2.resourceType(), savedAuthorization.getResourceType());
    assertEquals("anotherResourceId", savedAuthorization.getResourceId());
    assertTrue(savedAuthorization.hasPermission(ACCESS));
    assertTrue(savedAuthorization.hasPermission(DELETE));
  }
  public void testUniqueGroupConstraints() {

    TestResource resource1 = new TestResource("resource1", 100);

    Authorization authorization1 = authorizationService.createNewAuthorization(AUTH_TYPE_GRANT);
    Authorization authorization2 = authorizationService.createNewAuthorization(AUTH_TYPE_GRANT);

    authorization1.setResource(resource1);
    authorization1.setResourceId("someId");
    authorization1.setGroupId("someGroup");

    authorization2.setResource(resource1);
    authorization2.setResourceId("someId");
    authorization2.setGroupId("someGroup");

    // the first one can be saved
    authorizationService.saveAuthorization(authorization1);

    // the second one cannot
    try {
      authorizationService.saveAuthorization(authorization2);
      fail("exception expected");
    } catch (Exception e) {
      // expected
    }

    // but I can add a AUTH_TYPE_REVOKE auth

    Authorization authorization3 = authorizationService.createNewAuthorization(AUTH_TYPE_REVOKE);

    authorization3.setResource(resource1);
    authorization3.setResourceId("someId");
    authorization3.setGroupId("someGroup");

    authorizationService.saveAuthorization(authorization3);

    // but not a second

    Authorization authorization4 = authorizationService.createNewAuthorization(AUTH_TYPE_REVOKE);

    authorization4.setResource(resource1);
    authorization4.setResourceId("someId");
    authorization4.setGroupId("someGroup");

    try {
      authorizationService.saveAuthorization(authorization4);
      fail("exception expected");
    } catch (Exception e) {
      // expected
    }
  }
  protected void setUp() throws Exception {
    // we are jonny
    identityService.setAuthenticatedUserId("jonny");
    // make sure we can do stuff:
    Authorization jonnyIsGod = authorizationService.createNewAuthorization(AUTH_TYPE_GRANT);
    jonnyIsGod.setUserId("jonny");
    jonnyIsGod.setResource(USER);
    jonnyIsGod.setResourceId(ANY);
    jonnyIsGod.addPermission(ALL);
    authorizationService.saveAuthorization(jonnyIsGod);

    jonnyIsGod = authorizationService.createNewAuthorization(AUTH_TYPE_GRANT);
    jonnyIsGod.setUserId("jonny");
    jonnyIsGod.setResource(GROUP);
    jonnyIsGod.setResourceId(ANY);
    jonnyIsGod.addPermission(ALL);
    authorizationService.saveAuthorization(jonnyIsGod);

    jonnyIsGod = authorizationService.createNewAuthorization(AUTH_TYPE_GRANT);
    jonnyIsGod.setUserId("jonny");
    jonnyIsGod.setResource(AUTHORIZATION);
    jonnyIsGod.setResourceId(ANY);
    jonnyIsGod.addPermission(ALL);
    authorizationService.saveAuthorization(jonnyIsGod);

    // enable authorizations
    processEngineConfiguration.setAuthorizationEnabled(true);
    super.setUp();
  }