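/**
 * Verifies the uniqueness constraint on group-scoped authorizations: two
 * authorizations of the same type for the same (resource, resourceId, groupId)
 * are rejected, while a GRANT and a REVOKE for the same key may coexist.
 *
 * <p>The duplicate-save attempts catch {@link ProcessEngineException} (as the
 * validation test in this class does) instead of {@code Exception}, so an
 * unrelated failure such as a NullPointerException in the fixture surfaces as a
 * test error rather than silently satisfying the "exception expected" branch.
 */
public void testUniqueGroupConstraints() {
  TestResource resource1 = new TestResource("resource1", 100);

  // the first GRANT for (resource1, "someId", "someGroup") can be saved
  Authorization grant = newSomeGroupAuthorization(AUTH_TYPE_GRANT, resource1);
  authorizationService.saveAuthorization(grant);

  // an identical second GRANT must be rejected
  assertSaveRejectedByEngine(newSomeGroupAuthorization(AUTH_TYPE_GRANT, resource1));

  // a REVOKE for the same key is a distinct authorization and is accepted
  Authorization revoke = newSomeGroupAuthorization(AUTH_TYPE_REVOKE, resource1);
  authorizationService.saveAuthorization(revoke);

  // but a second identical REVOKE is rejected as well
  assertSaveRejectedByEngine(newSomeGroupAuthorization(AUTH_TYPE_REVOKE, resource1));
}

/**
 * Builds an unsaved authorization of the given type scoped to
 * {@code resource} / resourceId "someId" / groupId "someGroup".
 */
private Authorization newSomeGroupAuthorization(int type, TestResource resource) {
  Authorization authorization = authorizationService.createNewAuthorization(type);
  authorization.setResource(resource);
  authorization.setResourceId("someId");
  authorization.setGroupId("someGroup");
  return authorization;
}

/** Asserts that the engine refuses to persist the given authorization. */
private void assertSaveRejectedByEngine(Authorization authorization) {
  try {
    authorizationService.saveAuthorization(authorization);
    fail("exception expected");
  } catch (ProcessEngineException e) {
    // expected: presumably the uniqueness constraint on
    // (type, resource, resourceId, groupId) — the message is not asserted here
  }
}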
/**
 * Checks the validation done by {@code saveAuthorization}: an authorization must
 * carry exactly one of userId/groupId and a non-null resource type, and each
 * violation is reported as a {@link ProcessEngineException} whose message names
 * the offending field.
 */
public void testInvalidCreateAuthorization() {
  TestResource resource1 = new TestResource("resource1", 100);

  // case 1: neither userId nor groupId set
  Authorization noPrincipal = authorizationService.createNewAuthorization(AUTH_TYPE_GRANT);
  noPrincipal.setResource(resource1);
  assertSaveFailsWithMessage(
      noPrincipal, "Authorization must either have a 'userId' or a 'groupId'.");

  // case 2: both userId and groupId set
  Authorization bothPrincipals = authorizationService.createNewAuthorization(AUTH_TYPE_GRANT);
  bothPrincipals.setGroupId("someId");
  bothPrincipals.setUserId("someOtherId");
  bothPrincipals.setResource(resource1);
  assertSaveFailsWithMessage(
      bothPrincipals, "Authorization cannot define 'userId' or a 'groupId' at the same time.");

  // case 3: GRANT with a userId but no resource type
  Authorization grantWithoutResource =
      authorizationService.createNewAuthorization(AUTH_TYPE_GRANT);
  grantWithoutResource.setUserId("someId");
  assertSaveFailsWithMessage(
      grantWithoutResource, "Authorization 'resourceType' cannot be null.");

  // case 4: REVOKE with a userId but no resource type. The original labelled this
  // "no permissions", but the only thing exercised is the missing resourceType on a
  // REVOKE. NOTE(review): no case here asserts how an authorization that defines no
  // permissions is handled.
  Authorization revokeWithoutResource =
      authorizationService.createNewAuthorization(AUTH_TYPE_REVOKE);
  revokeWithoutResource.setUserId("someId");
  assertSaveFailsWithMessage(
      revokeWithoutResource, "Authorization 'resourceType' cannot be null.");
}

/**
 * Asserts that saving {@code authorization} throws a {@link ProcessEngineException}
 * whose message contains {@code expectedFragment}.
 */
private void assertSaveFailsWithMessage(Authorization authorization, String expectedFragment) {
  try {
    authorizationService.saveAuthorization(authorization);
    fail("exception expected");
  } catch (ProcessEngineException e) {
    assertTrue(e.getMessage().contains(expectedFragment));
  }
}
/**
 * A group-level REVOKE overrides a global GRANT, but only when the check is run
 * with the principal's groups. The same user passes the check when
 * {@code groupIds} is {@code null}: the group revoke is then not consulted at all.
 * Callers of {@code isUserAuthorized} therefore have to pass the principal's real
 * group membership, otherwise group revokes are bypassed.
 */
public void testGroupOverrideGlobalGrantAuthorizationCheck() {
  TestResource resource1 = new TestResource("resource1", 100);

  // global authorization: every user gets ALL permissions on any resource1 instance
  Authorization everyoneAll = authorizationService.createNewAuthorization(AUTH_TYPE_GLOBAL);
  everyoneAll.setResource(resource1);
  everyoneAll.setResourceId(ANY);
  everyoneAll.addPermission(ALL);
  authorizationService.saveAuthorization(everyoneAll);

  // members of "sales" lose READ again
  Authorization salesNoRead = authorizationService.createNewAuthorization(AUTH_TYPE_REVOKE);
  salesNoRead.setGroupId("sales");
  salesNoRead.setResource(resource1);
  salesNoRead.setResourceId(ANY);
  salesNoRead.removePermission(READ);
  authorizationService.saveAuthorization(salesNoRead);

  List<String> salesAndMarketing = Arrays.asList("sales", "marketing");
  List<String> marketingOnly = Arrays.asList("marketing");

  // jonny, checked with his groups: the sales revoke removes READ, so ALL is gone too
  assertFalse(authorizationService.isUserAuthorized("jonny", salesAndMarketing, ALL, resource1));
  assertFalse(authorizationService.isUserAuthorized("jonny", salesAndMarketing, READ, resource1));
  // ... but DELETE was never revoked
  assertTrue(authorizationService.isUserAuthorized("jonny", salesAndMarketing, DELETE, resource1));

  // jonny, checked without groups: only the global grant applies
  assertTrue(authorizationService.isUserAuthorized("jonny", null, ALL, resource1));
  assertTrue(authorizationService.isUserAuthorized("jonny", null, READ, resource1));
  assertTrue(authorizationService.isUserAuthorized("jonny", null, DELETE, resource1));

  // a user in "marketing" but not in "sales" is unaffected by the revoke
  assertTrue(
      authorizationService.isUserAuthorized("someone else", marketingOnly, ALL, resource1));
  assertTrue(
      authorizationService.isUserAuthorized("someone else", marketingOnly, READ, resource1));
  assertTrue(authorizationService.isUserAuthorized("someone else", null, ALL, resource1));
  assertTrue(authorizationService.isUserAuthorized("someone else", null, READ, resource1));

  // the revoke follows the group, not the user: in jonny's groups the other user loses READ too
  assertFalse(
      authorizationService.isUserAuthorized("someone else", salesAndMarketing, ALL, resource1));
  assertFalse(
      authorizationService.isUserAuthorized("someone else", salesAndMarketing, READ, resource1));
}
/**
 * Precedence of the three authorization levels: a user GRANT wins over a group
 * REVOKE, which in turn wins over a global GRANT. jonny keeps READ through his
 * user grant even though his group "sales" has READ revoked; another member of
 * the same groups without such a grant does not.
 */
public void testUserOverrideGroupOverrideGlobalAuthorizationCheck() {
  TestResource resource1 = new TestResource("resource1", 100);

  // global: ALL permissions for everyone on any resource1 instance
  Authorization everyoneAll = authorizationService.createNewAuthorization(AUTH_TYPE_GLOBAL);
  everyoneAll.setResource(resource1);
  everyoneAll.setResourceId(ANY);
  everyoneAll.addPermission(ALL);
  authorizationService.saveAuthorization(everyoneAll);

  // group: "sales" has READ revoked
  Authorization salesNoRead = authorizationService.createNewAuthorization(AUTH_TYPE_REVOKE);
  salesNoRead.setGroupId("sales");
  salesNoRead.setResource(resource1);
  salesNoRead.setResourceId(ANY);
  salesNoRead.removePermission(READ);
  authorizationService.saveAuthorization(salesNoRead);

  // user: jonny is explicitly granted READ back
  Authorization jonnyRead = authorizationService.createNewAuthorization(AUTH_TYPE_GRANT);
  jonnyRead.setUserId("jonny");
  jonnyRead.setResource(resource1);
  jonnyRead.setResourceId(ANY);
  jonnyRead.addPermission(READ);
  authorizationService.saveAuthorization(jonnyRead);

  List<String> salesAndMarketing = Arrays.asList("sales", "marketing");
  List<String> marketingOnly = Arrays.asList("marketing");

  // jonny can read, with or without his groups being consulted
  assertTrue(authorizationService.isUserAuthorized("jonny", salesAndMarketing, READ, resource1));
  assertTrue(authorizationService.isUserAuthorized("jonny", null, READ, resource1));

  // another member of "sales" has no user grant and is hit by the group revoke ...
  assertFalse(
      authorizationService.isUserAuthorized("someone else", salesAndMarketing, READ, resource1));
  // ... whereas outside "sales" the global grant still applies
  assertTrue(
      authorizationService.isUserAuthorized("someone else", marketingOnly, READ, resource1));
}
/**
 * Round-trips a group-scoped GRANT (no userId) through save and delete, checking
 * the authorization count before, in between and afterwards.
 */
public void testCreateAuthorizationWithGroupId() {
  TestResource resource1 = new TestResource("resource1", 100);

  // nothing is stored yet
  assertEquals(0, authorizationService.createAuthorizationQuery().count());

  // a GRANT scoped to a group rather than a user
  Authorization groupGrant = authorizationService.createNewAuthorization(AUTH_TYPE_GRANT);
  groupGrant.setGroupId("aGroupId");
  groupGrant.setResource(resource1);
  authorizationService.saveAuthorization(groupGrant);

  // exactly that one authorization is now visible
  assertEquals(1, authorizationService.createAuthorizationQuery().count());

  // deleting it by id empties the store again
  authorizationService.deleteAuthorization(groupGrant.getId());
  assertEquals(0, authorizationService.createAuthorizationQuery().count());
}