public void testUniqueGroupConstraints() {
TestResource resource1 = new TestResource("resource1", 100);
Authorization authorization1 = authorizationService.createNewAuthorization(AUTH_TYPE_GRANT);
Authorization authorization2 = authorizationService.createNewAuthorization(AUTH_TYPE_GRANT);
authorization1.setResource(resource1);
authorization1.setResourceId("someId");
authorization1.setGroupId("someGroup");
authorization2.setResource(resource1);
authorization2.setResourceId("someId");
authorization2.setGroupId("someGroup");
// the first one can be saved
authorizationService.saveAuthorization(authorization1);
// the second one cannot
try {
authorizationService.saveAuthorization(authorization2);
fail("exception expected");
} catch (Exception e) {
// expected
}
// but I can add a AUTH_TYPE_REVOKE auth
Authorization authorization3 = authorizationService.createNewAuthorization(AUTH_TYPE_REVOKE);
authorization3.setResource(resource1);
authorization3.setResourceId("someId");
authorization3.setGroupId("someGroup");
authorizationService.saveAuthorization(authorization3);
// but not a second
Authorization authorization4 = authorizationService.createNewAuthorization(AUTH_TYPE_REVOKE);
authorization4.setResource(resource1);
authorization4.setResourceId("someId");
authorization4.setGroupId("someGroup");
try {
authorizationService.saveAuthorization(authorization4);
fail("exception expected");
} catch (Exception e) {
// expected
}
}
public void testInvalidCreateAuthorization() {
TestResource resource1 = new TestResource("resource1", 100);
// case 1: no user id & no group id ////////////
Authorization authorization = authorizationService.createNewAuthorization(AUTH_TYPE_GRANT);
authorization.setResource(resource1);
try {
authorizationService.saveAuthorization(authorization);
fail("exception expected");
} catch (ProcessEngineException e) {
assertTrue(
e.getMessage().contains("Authorization must either have a 'userId' or a 'groupId'."));
}
// case 2: both user id & group id ////////////
authorization = authorizationService.createNewAuthorization(AUTH_TYPE_GRANT);
authorization.setGroupId("someId");
authorization.setUserId("someOtherId");
authorization.setResource(resource1);
try {
authorizationService.saveAuthorization(authorization);
fail("exception expected");
} catch (ProcessEngineException e) {
assertTrue(
e.getMessage()
.contains("Authorization cannot define 'userId' or a 'groupId' at the same time."));
}
// case 3: no resourceType ////////////
authorization = authorizationService.createNewAuthorization(AUTH_TYPE_GRANT);
authorization.setUserId("someId");
try {
authorizationService.saveAuthorization(authorization);
fail("exception expected");
} catch (ProcessEngineException e) {
assertTrue(e.getMessage().contains("Authorization 'resourceType' cannot be null."));
}
// case 4: no permissions /////////////////
authorization = authorizationService.createNewAuthorization(AUTH_TYPE_REVOKE);
authorization.setUserId("someId");
try {
authorizationService.saveAuthorization(authorization);
fail("exception expected");
} catch (ProcessEngineException e) {
assertTrue(e.getMessage().contains("Authorization 'resourceType' cannot be null."));
}
}
public void testGroupOverrideGlobalGrantAuthorizationCheck() {
TestResource resource1 = new TestResource("resource1", 100);
// create global authorization which grants all permissions to all users (on resource1):
Authorization globalGrant = authorizationService.createNewAuthorization(AUTH_TYPE_GLOBAL);
globalGrant.setResource(resource1);
globalGrant.setResourceId(ANY);
globalGrant.addPermission(ALL);
authorizationService.saveAuthorization(globalGrant);
// revoke READ for group "sales"
Authorization groupRevoke = authorizationService.createNewAuthorization(AUTH_TYPE_REVOKE);
groupRevoke.setGroupId("sales");
groupRevoke.setResource(resource1);
groupRevoke.setResourceId(ANY);
groupRevoke.removePermission(READ);
authorizationService.saveAuthorization(groupRevoke);
List<String> jonnysGroups = Arrays.asList(new String[] {"sales", "marketing"});
List<String> someOneElsesGroups = Arrays.asList(new String[] {"marketing"});
// jonny does not have ALL permissions if queried with groups
assertFalse(authorizationService.isUserAuthorized("jonny", jonnysGroups, ALL, resource1));
// if queried without groups he has
assertTrue(authorizationService.isUserAuthorized("jonny", null, ALL, resource1));
// jonny can't read if queried with groups
assertFalse(authorizationService.isUserAuthorized("jonny", jonnysGroups, READ, resource1));
// if queried without groups he has
assertTrue(authorizationService.isUserAuthorized("jonny", null, READ, resource1));
// someone else who is in group "marketing" but but not "sales" can
assertTrue(
authorizationService.isUserAuthorized("someone else", someOneElsesGroups, ALL, resource1));
assertTrue(
authorizationService.isUserAuthorized("someone else", someOneElsesGroups, READ, resource1));
assertTrue(authorizationService.isUserAuthorized("someone else", null, ALL, resource1));
assertTrue(authorizationService.isUserAuthorized("someone else", null, READ, resource1));
// he could'nt if he were in jonny's groups
assertFalse(
authorizationService.isUserAuthorized("someone else", jonnysGroups, ALL, resource1));
assertFalse(
authorizationService.isUserAuthorized("someone else", jonnysGroups, READ, resource1));
// jonny can still delete
assertTrue(authorizationService.isUserAuthorized("jonny", jonnysGroups, DELETE, resource1));
assertTrue(authorizationService.isUserAuthorized("jonny", null, DELETE, resource1));
}
public void testUserOverrideGroupOverrideGlobalAuthorizationCheck() {
TestResource resource1 = new TestResource("resource1", 100);
// create global authorization which grants all permissions to all users (on resource1):
Authorization globalGrant = authorizationService.createNewAuthorization(AUTH_TYPE_GLOBAL);
globalGrant.setResource(resource1);
globalGrant.setResourceId(ANY);
globalGrant.addPermission(ALL);
authorizationService.saveAuthorization(globalGrant);
// revoke READ for group "sales"
Authorization groupRevoke = authorizationService.createNewAuthorization(AUTH_TYPE_REVOKE);
groupRevoke.setGroupId("sales");
groupRevoke.setResource(resource1);
groupRevoke.setResourceId(ANY);
groupRevoke.removePermission(READ);
authorizationService.saveAuthorization(groupRevoke);
// add READ for jonny
Authorization userGrant = authorizationService.createNewAuthorization(AUTH_TYPE_GRANT);
userGrant.setUserId("jonny");
userGrant.setResource(resource1);
userGrant.setResourceId(ANY);
userGrant.addPermission(READ);
authorizationService.saveAuthorization(userGrant);
List<String> jonnysGroups = Arrays.asList(new String[] {"sales", "marketing"});
List<String> someOneElsesGroups = Arrays.asList(new String[] {"marketing"});
// jonny can read
assertTrue(authorizationService.isUserAuthorized("jonny", jonnysGroups, READ, resource1));
assertTrue(authorizationService.isUserAuthorized("jonny", null, READ, resource1));
// someone else in the same groups cannot
assertFalse(
authorizationService.isUserAuthorized("someone else", jonnysGroups, READ, resource1));
// someone else in different groups can
assertTrue(
authorizationService.isUserAuthorized("someone else", someOneElsesGroups, READ, resource1));
}
public void testCreateAuthorizationWithGroupId() {
TestResource resource1 = new TestResource("resource1", 100);
// initially, no authorization exists:
assertEquals(0, authorizationService.createAuthorizationQuery().count());
// simple create / delete with userId
Authorization authorization = authorizationService.createNewAuthorization(AUTH_TYPE_GRANT);
authorization.setGroupId("aGroupId");
authorization.setResource(resource1);
// save the authorization
authorizationService.saveAuthorization(authorization);
// authorization exists
assertEquals(1, authorizationService.createAuthorizationQuery().count());
// delete the authorization
authorizationService.deleteAuthorization(authorization.getId());
// it's gone
assertEquals(0, authorizationService.createAuthorizationQuery().count());
}