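/**
 * Runs as user "jonny" and bootstraps a test-only superuser before authorization checks
 * are switched on.
 *
 * <p>jonny is granted ALL permissions on every instance ({@code ANY}) of the USER, GROUP and
 * AUTHORIZATION resource types; the test methods rely on this to create, query and delete
 * authorizations once {@code setAuthorizationEnabled(true)} is in effect.
 *
 * @throws Exception propagated from {@code super.setUp()}
 */
protected void setUp() throws Exception {
  // Every engine call in this test class is authorized against this identity.
  identityService.setAuthenticatedUserId("jonny");

  // One GRANT per resource type; the shared part is factored into saveJonnyAllGrant.
  Authorization userGrant = authorizationService.createNewAuthorization(AUTH_TYPE_GRANT);
  userGrant.setResource(USER);
  saveJonnyAllGrant(userGrant);

  Authorization groupGrant = authorizationService.createNewAuthorization(AUTH_TYPE_GRANT);
  groupGrant.setResource(GROUP);
  saveJonnyAllGrant(groupGrant);

  Authorization authorizationGrant = authorizationService.createNewAuthorization(AUTH_TYPE_GRANT);
  authorizationGrant.setResource(AUTHORIZATION);
  saveJonnyAllGrant(authorizationGrant);

  // Authorization checks are enabled only after the grants exist, so the fixture itself is
  // never subject to them.
  processEngineConfiguration.setAuthorizationEnabled(true);

  super.setUp();
}

/**
 * Completes and persists a GRANT that gives user "jonny" ALL permissions on every instance
 * ({@code ANY}) of the resource type already set on {@code grant}.
 *
 * @param grant a freshly created GRANT authorization whose resource has been set
 */
private void saveJonnyAllGrant(Authorization grant) {
  grant.setUserId("jonny");
  grant.setResourceId(ANY);
  grant.addPermission(ALL);
  authorizationService.saveAuthorization(grant);
}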
/**
 * Saving an incomplete authorization must be rejected with a {@link ProcessEngineException}
 * whose message names the violated invariant.
 */
public void testInvalidCreateAuthorization() {
  TestResource resource1 = new TestResource("resource1", 100);

  // case 1: neither userId nor groupId
  Authorization noPrincipal = authorizationService.createNewAuthorization(AUTH_TYPE_GRANT);
  noPrincipal.setResource(resource1);
  assertSaveRejected(noPrincipal, "Authorization must either have a 'userId' or a 'groupId'.");

  // case 2: userId and groupId at the same time
  Authorization twoPrincipals = authorizationService.createNewAuthorization(AUTH_TYPE_GRANT);
  twoPrincipals.setGroupId("someId");
  twoPrincipals.setUserId("someOtherId");
  twoPrincipals.setResource(resource1);
  assertSaveRejected(
      twoPrincipals, "Authorization cannot define 'userId' or a 'groupId' at the same time.");

  // case 3: no resource type
  Authorization noResource = authorizationService.createNewAuthorization(AUTH_TYPE_GRANT);
  noResource.setUserId("someId");
  assertSaveRejected(noResource, "Authorization 'resourceType' cannot be null.");

  // case 4: REVOKE without permissions
  // NOTE(review): no resource is set here either, so this case trips the same 'resourceType'
  // check as case 3 rather than a missing-permissions check — confirm this is intended.
  Authorization noPermissions = authorizationService.createNewAuthorization(AUTH_TYPE_REVOKE);
  noPermissions.setUserId("someId");
  assertSaveRejected(noPermissions, "Authorization 'resourceType' cannot be null.");
}

/**
 * Asserts that saving {@code authorization} throws a {@link ProcessEngineException} whose
 * message contains {@code expectedMessagePart}.
 *
 * @param authorization the authorization expected to be rejected
 * @param expectedMessagePart fragment the exception message must contain
 */
private void assertSaveRejected(Authorization authorization, String expectedMessagePart) {
  try {
    authorizationService.saveAuthorization(authorization);
  } catch (ProcessEngineException e) {
    assertTrue(e.getMessage().contains(expectedMessagePart));
    return;
  }
  fail("exception expected");
}
/**
 * For a given (resource, resourceId, userId) only one GRANT and one REVOKE may exist;
 * a second authorization of the same type is rejected.
 */
public void testUniqueUserConstraints() {
  TestResource resource1 = new TestResource("resource1", 100);

  // Two identical GRANTs for "someUser" on the same resource instance.
  Authorization firstGrant = authorizationService.createNewAuthorization(AUTH_TYPE_GRANT);
  firstGrant.setResource(resource1);
  firstGrant.setResourceId("someId");
  firstGrant.setUserId("someUser");

  Authorization duplicateGrant = authorizationService.createNewAuthorization(AUTH_TYPE_GRANT);
  duplicateGrant.setResource(resource1);
  duplicateGrant.setResourceId("someId");
  duplicateGrant.setUserId("someUser");

  // the first one is accepted, the duplicate is not
  authorizationService.saveAuthorization(firstGrant);
  assertDuplicateRejected(duplicateGrant);

  // a REVOKE for the same key is a different type and therefore still allowed ...
  Authorization firstRevoke = authorizationService.createNewAuthorization(AUTH_TYPE_REVOKE);
  firstRevoke.setResource(resource1);
  firstRevoke.setResourceId("someId");
  firstRevoke.setUserId("someUser");
  authorizationService.saveAuthorization(firstRevoke);

  // ... but only once
  Authorization duplicateRevoke = authorizationService.createNewAuthorization(AUTH_TYPE_REVOKE);
  duplicateRevoke.setResource(resource1);
  duplicateRevoke.setResourceId("someId");
  duplicateRevoke.setUserId("someUser");
  assertDuplicateRejected(duplicateRevoke);
}

/**
 * Asserts that saving {@code authorization} fails with some exception (the uniqueness
 * violation is not pinned to a specific exception type by this test).
 *
 * @param authorization the authorization expected to collide with an existing one
 */
private void assertDuplicateRejected(Authorization authorization) {
  try {
    authorizationService.saveAuthorization(authorization);
  } catch (Exception expected) {
    return;
  }
  fail("exception expected");
}
/**
 * A user-level GRANT overrides a GLOBAL revoke for that user only: jonny regains READ on
 * resource1, nothing else, and other users stay fully revoked.
 */
public void testUserOverrideGlobalRevokeAuthorizationCheck() {
  TestResource resource1 = new TestResource("resource1", 100);

  // Global authorization with ALL removed: nobody may do anything on resource1.
  Authorization globalRevoke = authorizationService.createNewAuthorization(AUTH_TYPE_GLOBAL);
  globalRevoke.setResource(resource1);
  globalRevoke.setResourceId(ANY);
  globalRevoke.removePermission(ALL);
  authorizationService.saveAuthorization(globalRevoke);

  // User-level GRANT of READ for jonny (the original named this "localRevoke").
  Authorization jonnyReadGrant = authorizationService.createNewAuthorization(AUTH_TYPE_GRANT);
  jonnyReadGrant.setUserId("jonny");
  jonnyReadGrant.setResource(resource1);
  jonnyReadGrant.setResourceId(ANY);
  jonnyReadGrant.addPermission(READ);
  authorizationService.saveAuthorization(jonnyReadGrant);

  // jonny: READ only — not ALL, not DELETE
  assertFalse(authorizationService.isUserAuthorized("jonny", null, ALL, resource1));
  assertTrue(authorizationService.isUserAuthorized("jonny", null, READ, resource1));
  assertFalse(authorizationService.isUserAuthorized("jonny", null, DELETE, resource1));

  // any other user is still covered by the global revoke
  String other = "someone else";
  assertFalse(authorizationService.isUserAuthorized(other, null, ALL, resource1));
  assertFalse(authorizationService.isUserAuthorized(other, null, READ, resource1));
  assertFalse(authorizationService.isUserAuthorized(other, null, DELETE, resource1));
}
/**
 * An authorization loaded from the database can be modified and saved again; the second
 * read-back reflects the new user, resource type, resource id and the added permission.
 */
public void testUpdatePersistentAuthorization() {
  TestResource resource1 = new TestResource("resource1", 100);
  // NOTE(review): shares the name "resource1" but has type 101; only resourceType() is
  // compared below, so the name does not matter for this test.
  TestResource resource2 = new TestResource("resource1", 101);

  // create and persist the initial GRANT
  Authorization initial = authorizationService.createNewAuthorization(AUTH_TYPE_GRANT);
  initial.setUserId("aUserId");
  initial.setResource(resource1);
  initial.setResourceId("aResourceId");
  initial.addPermission(ACCESS);
  authorizationService.saveAuthorization(initial);

  // read back: it is the only authorization and carries the values set above
  Authorization persisted = authorizationService.createAuthorizationQuery().singleResult();
  assertEquals("aUserId", persisted.getUserId());
  assertEquals(resource1.resourceType(), persisted.getResourceType());
  assertEquals("aResourceId", persisted.getResourceId());
  assertTrue(persisted.hasPermission(ACCESS));

  // change every field on the persisted instance and save again
  persisted.setUserId("anotherUserId");
  persisted.setResource(resource2);
  persisted.setResourceId("anotherResourceId");
  persisted.addPermission(DELETE);
  authorizationService.saveAuthorization(persisted);

  // read back again: the update is visible and ACCESS was kept alongside DELETE
  Authorization updated = authorizationService.createAuthorizationQuery().singleResult();
  assertEquals("anotherUserId", updated.getUserId());
  assertEquals(resource2.resourceType(), updated.getResourceType());
  assertEquals("anotherResourceId", updated.getResourceId());
  assertTrue(updated.hasPermission(ACCESS));
  assertTrue(updated.hasPermission(DELETE));
}
/**
 * Precedence check: a user GRANT overrides a group REVOKE, which overrides a GLOBAL grant.
 * jonny (member of "sales") can READ despite the group revoke; another "sales" member
 * cannot; a user outside "sales" still falls back to the global grant.
 */
public void testUserOverrideGroupOverrideGlobalAuthorizationCheck() {
  TestResource resource1 = new TestResource("resource1", 100);

  // GLOBAL: everybody gets ALL on every instance of resource1
  Authorization globalGrant = authorizationService.createNewAuthorization(AUTH_TYPE_GLOBAL);
  globalGrant.setResource(resource1);
  globalGrant.setResourceId(ANY);
  globalGrant.addPermission(ALL);
  authorizationService.saveAuthorization(globalGrant);

  // GROUP "sales": READ is taken away
  Authorization salesReadRevoke = authorizationService.createNewAuthorization(AUTH_TYPE_REVOKE);
  salesReadRevoke.setGroupId("sales");
  salesReadRevoke.setResource(resource1);
  salesReadRevoke.setResourceId(ANY);
  salesReadRevoke.removePermission(READ);
  authorizationService.saveAuthorization(salesReadRevoke);

  // USER jonny: READ is given back
  Authorization jonnyReadGrant = authorizationService.createNewAuthorization(AUTH_TYPE_GRANT);
  jonnyReadGrant.setUserId("jonny");
  jonnyReadGrant.setResource(resource1);
  jonnyReadGrant.setResourceId(ANY);
  jonnyReadGrant.addPermission(READ);
  authorizationService.saveAuthorization(jonnyReadGrant);

  List<String> jonnysGroups = Arrays.asList("sales", "marketing");
  List<String> someOneElsesGroups = Arrays.asList("marketing");

  // jonny can read, whether or not his group membership is passed in
  assertTrue(authorizationService.isUserAuthorized("jonny", jonnysGroups, READ, resource1));
  assertTrue(authorizationService.isUserAuthorized("jonny", null, READ, resource1));

  // same groups as jonny, but no user-level grant: the group revoke wins
  String other = "someone else";
  assertFalse(authorizationService.isUserAuthorized(other, jonnysGroups, READ, resource1));

  // not in "sales": only the global grant applies
  assertTrue(authorizationService.isUserAuthorized(other, someOneElsesGroups, READ, resource1));
}
/**
 * Round trip for a user-scoped GRANT: the query count goes 0 -> 1 after save and back to 0
 * after {@code deleteAuthorization}.
 */
public void testCreateAuthorizationWithUserId() {
  TestResource resource1 = new TestResource("resource1", 100);

  // clean slate
  assertEquals(0, authorizationService.createAuthorizationQuery().count());

  Authorization userGrant = authorizationService.createNewAuthorization(AUTH_TYPE_GRANT);
  userGrant.setUserId("aUserId");
  userGrant.setResource(resource1);
  authorizationService.saveAuthorization(userGrant);

  // exactly one row now
  assertEquals(1, authorizationService.createAuthorizationQuery().count());

  // delete by id and verify it is gone
  String id = userGrant.getId();
  authorizationService.deleteAuthorization(id);
  assertEquals(0, authorizationService.createAuthorizationQuery().count());
}
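/**
 * A user-level REVOKE narrows a GLOBAL grant for that user only: jonny loses READ (and with
 * it ALL) on resource1 but keeps DELETE; other users are unaffected.
 *
 * <p>The original version asserted two of the "someone else" checks twice; each check is
 * now asserted once.
 */
public void testUserOverrideGlobalGrantAuthorizationCheck() {
  TestResource resource1 = new TestResource("resource1", 100);

  // GLOBAL: everybody gets ALL on every instance of resource1
  Authorization globalGrant = authorizationService.createNewAuthorization(AUTH_TYPE_GLOBAL);
  globalGrant.setResource(resource1);
  globalGrant.setResourceId(ANY);
  globalGrant.addPermission(ALL);
  authorizationService.saveAuthorization(globalGrant);

  // USER jonny: READ is taken away
  Authorization jonnyReadRevoke = authorizationService.createNewAuthorization(AUTH_TYPE_REVOKE);
  jonnyReadRevoke.setUserId("jonny");
  jonnyReadRevoke.setResource(resource1);
  jonnyReadRevoke.setResourceId(ANY);
  jonnyReadRevoke.removePermission(READ);
  authorizationService.saveAuthorization(jonnyReadRevoke);

  List<String> jonnysGroups = Arrays.asList("sales", "marketing");
  List<String> someOneElsesGroups = Arrays.asList("marketing");

  // jonny no longer has ALL (presumably because ALL includes READ), with or without groups
  assertFalse(authorizationService.isUserAuthorized("jonny", null, ALL, resource1));
  assertFalse(authorizationService.isUserAuthorized("jonny", jonnysGroups, ALL, resource1));

  // jonny cannot read
  assertFalse(authorizationService.isUserAuthorized("jonny", null, READ, resource1));
  assertFalse(authorizationService.isUserAuthorized("jonny", jonnysGroups, READ, resource1));

  // anyone else is still covered by the global grant
  String other = "someone else";
  assertTrue(authorizationService.isUserAuthorized(other, null, ALL, resource1));
  assertTrue(authorizationService.isUserAuthorized(other, someOneElsesGroups, READ, resource1));

  // the revoke removed only READ: jonny keeps DELETE
  assertTrue(authorizationService.isUserAuthorized("jonny", null, DELETE, resource1));
  assertTrue(authorizationService.isUserAuthorized("jonny", jonnysGroups, DELETE, resource1));
}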