protected void createRevokeAuthorization(Resource resource, String resourceId, String userId, Permission... permissions) { Authorization authorization = createRevokeAuthorization(resource, resourceId); authorization.setUserId(userId); for (Permission permission : permissions) { authorization.removePermission(permission); } saveAuthorization(authorization); }
public void testIsPermissionRevokedBatchResource() { // given Authorization authorization = authorizationService.createNewAuthorization(AUTH_TYPE_REVOKE); String userId = "userId"; authorization.setUserId(userId); authorization.removePermission(BatchPermissions.CREATE_BATCH_MIGRATE_PROCESS_INSTANCES); authorization.removePermission(BatchPermissions.CREATE_BATCH_DELETE_FINISHED_PROCESS_INSTANCES); authorization.removePermission(BatchPermissions.CREATE_BATCH_DELETE_RUNNING_PROCESS_INSTANCES); authorization.setResource(Resources.BATCH); authorization.setResourceId(ANY); authorizationService.saveAuthorization(authorization); // then Authorization authorizationResult = authorizationService.createAuthorizationQuery().userIdIn(userId).singleResult(); assertTrue(authorizationResult.isPermissionRevoked(BatchPermissions.CREATE_BATCH_MIGRATE_PROCESS_INSTANCES)); assertTrue(authorizationResult.isPermissionRevoked(BatchPermissions.CREATE_BATCH_DELETE_FINISHED_PROCESS_INSTANCES)); assertTrue(authorizationResult.isPermissionRevoked(BatchPermissions.CREATE_BATCH_DELETE_RUNNING_PROCESS_INSTANCES)); assertFalse(authorizationResult.isPermissionRevoked(BatchPermissions.CREATE_BATCH_MODIFY_PROCESS_INSTANCES)); assertFalse(authorizationResult.isPermissionRevoked(Permissions.ACCESS)); assertFalse(authorizationResult.isPermissionRevoked(Permissions.CREATE)); }
public void testQueryWithRevokedReadPermission() { // given // given user gets all permissions on any process definition createGrantAuthorization(PROCESS_DEFINITION, ANY, userId, ALL); Authorization authorization = createRevokeAuthorization(PROCESS_DEFINITION, ONE_TASK_PROCESS_KEY); authorization.setUserId(userId); authorization.removePermission(READ); saveAuthorization(authorization); // when ProcessDefinitionQuery query = repositoryService.createProcessDefinitionQuery(); // then verifyQueryResults(query, 1); ProcessDefinition definition = query.singleResult(); assertNotNull(definition); assertEquals(TWO_TASKS_PROCESS_KEY, definition.getKey()); }
public void testDeleteAuthorization() { // create global auth Authorization basePerms = authorizationService.createNewAuthorization(AUTH_TYPE_GLOBAL); basePerms.setResource(AUTHORIZATION); basePerms.setResourceId(ANY); basePerms.addPermission(ALL); basePerms.removePermission(DELETE); // revoke delete authorizationService.saveAuthorization(basePerms); // turn on authorization processEngineConfiguration.setAuthorizationEnabled(true); identityService.setAuthenticatedUserId(jonny2); try { // try to delete authorization authorizationService.deleteAuthorization(basePerms.getId()); fail("exception expected"); } catch (AuthorizationException e) { assertEquals(1, e.getMissingAuthorizations().size()); MissingAuthorization info = e.getMissingAuthorizations().get(0); assertEquals(jonny2, e.getUserId()); assertExceptionInfo(DELETE.getName(), AUTHORIZATION.resourceName(), basePerms.getId(), info); } }
public void testUserDeleteAuthorizations() { // crate user while still in god-mode: User jonny1 = identityService.newUser("jonny1"); identityService.saveUser(jonny1); // create global auth Authorization basePerms = authorizationService.createNewAuthorization(AUTH_TYPE_GLOBAL); basePerms.setResource(USER); basePerms.setResourceId(ANY); basePerms.addPermission(ALL); basePerms.removePermission(DELETE); // revoke delete authorizationService.saveAuthorization(basePerms); // turn on authorization processEngineConfiguration.setAuthorizationEnabled(true); identityService.setAuthenticatedUserId(jonny2); try { identityService.deleteUser("jonny1"); fail("exception expected"); } catch (AuthorizationException e) { assertEquals(1, e.getMissingAuthorizations().size()); MissingAuthorization info = e.getMissingAuthorizations().get(0); assertEquals(jonny2, e.getUserId()); assertExceptionInfo(DELETE.getName(), USER.resourceName(), "jonny1", info); } }
public void testGroupDeleteAuthorizations() { // crate group while still in god-mode: Group group1 = identityService.newGroup("group1"); identityService.saveGroup(group1); // create global auth Authorization basePerms = authorizationService.createNewAuthorization(AUTH_TYPE_GLOBAL); basePerms.setResource(GROUP); basePerms.setResourceId(ANY); basePerms.addPermission(ALL); basePerms.removePermission(DELETE); // revoke delete authorizationService.saveAuthorization(basePerms); // turn on authorization processEngineConfiguration.setAuthorizationEnabled(true); identityService.setAuthenticatedUserId(jonny2); try { identityService.deleteGroup("group1"); fail("exception expected"); } catch (AuthorizationException e) { assertEquals(1, e.getMissingAuthorizations().size()); MissingAuthorization info = e.getMissingAuthorizations().get(0); assertEquals(jonny2, e.getUserId()); assertExceptionInfo(DELETE.getName(), GROUP.resourceName(), "group1", info); } }
public void testTenantDeleteAuthorizations() { // create tenant Tenant tenant = new TenantEntity("tenant"); identityService.saveTenant(tenant); // create global auth Authorization basePerms = authorizationService.createNewAuthorization(AUTH_TYPE_GLOBAL); basePerms.setResource(TENANT); basePerms.setResourceId(ANY); basePerms.addPermission(ALL); basePerms.removePermission(DELETE); // revoke delete authorizationService.saveAuthorization(basePerms); // turn on authorization processEngineConfiguration.setAuthorizationEnabled(true); identityService.setAuthenticatedUserId(jonny2); try { identityService.deleteTenant("tenant"); fail("exception expected"); } catch (AuthorizationException e) { assertEquals(1, e.getMissingAuthorizations().size()); MissingAuthorization info = e.getMissingAuthorizations().get(0); assertEquals(jonny2, e.getUserId()); assertExceptionInfo(DELETE.getName(), TENANT.resourceName(), "tenant", info); } }
basePerms.setResourceId(ANY); basePerms.removePermission(CREATE); authorizationService.saveAuthorization(basePerms);
basePerms.setResourceId(ANY); basePerms.removePermission(CREATE); authorizationService.saveAuthorization(basePerms);
public void testMembershipDeleteAuthorizations() { User jonny1 = identityService.newUser("jonny1"); identityService.saveUser(jonny1); Group group1 = identityService.newGroup("group1"); identityService.saveGroup(group1); // add base permission which allows nobody to add users to groups Authorization basePerms = authorizationService.createNewAuthorization(AUTH_TYPE_GLOBAL); basePerms.setResource(GROUP_MEMBERSHIP); basePerms.setResourceId(ANY); basePerms.addPermission(ALL); // add all then remove 'delete' basePerms.removePermission(DELETE); authorizationService.saveAuthorization(basePerms); processEngineConfiguration.setAuthorizationEnabled(true); identityService.setAuthenticatedUserId(jonny2); try { identityService.deleteMembership("jonny1", "group1"); fail("exception expected"); } catch (AuthorizationException e) { assertEquals(1, e.getMissingAuthorizations().size()); MissingAuthorization info = e.getMissingAuthorizations().get(0); assertEquals(jonny2, e.getUserId()); assertExceptionInfo(DELETE.getName(), GROUP_MEMBERSHIP.resourceName(), "group1", info); } }
public void testTenantGroupMembershipCreateAuthorizations() { Group group1 = identityService.newGroup("group1"); identityService.saveGroup(group1); Tenant tenant1 = identityService.newTenant("tenant1"); identityService.saveTenant(tenant1); // add base permission which allows nobody to create memberships Authorization basePerms = authorizationService.createNewAuthorization(AUTH_TYPE_GLOBAL); basePerms.setResource(TENANT_MEMBERSHIP); basePerms.setResourceId(ANY); basePerms.addPermission(ALL); // add all then remove 'create' basePerms.removePermission(CREATE); authorizationService.saveAuthorization(basePerms); processEngineConfiguration.setAuthorizationEnabled(true); identityService.setAuthenticatedUserId(jonny2); try { identityService.createTenantGroupMembership("tenant1", "group1"); fail("exception expected"); } catch (AuthorizationException e) { assertEquals(1, e.getMissingAuthorizations().size()); MissingAuthorization info = e.getMissingAuthorizations().get(0); assertEquals(jonny2, e.getUserId()); assertExceptionInfo(CREATE.getName(), TENANT_MEMBERSHIP.resourceName(), "tenant1", info); } }
public void testTenantUserMembershipCreateAuthorizations() { User jonny1 = identityService.newUser("jonny1"); identityService.saveUser(jonny1); Tenant tenant1 = identityService.newTenant("tenant1"); identityService.saveTenant(tenant1); // add base permission which allows nobody to create memberships Authorization basePerms = authorizationService.createNewAuthorization(AUTH_TYPE_GLOBAL); basePerms.setResource(TENANT_MEMBERSHIP); basePerms.setResourceId(ANY); basePerms.addPermission(ALL); // add all then remove 'create' basePerms.removePermission(CREATE); authorizationService.saveAuthorization(basePerms); processEngineConfiguration.setAuthorizationEnabled(true); identityService.setAuthenticatedUserId(jonny2); try { identityService.createTenantUserMembership("tenant1", "jonny1"); fail("exception expected"); } catch (AuthorizationException e) { assertEquals(1, e.getMissingAuthorizations().size()); MissingAuthorization info = e.getMissingAuthorizations().get(0); assertEquals(jonny2, e.getUserId()); assertExceptionInfo(CREATE.getName(), TENANT_MEMBERSHIP.resourceName(), "tenant1", info); } }
public void testTenantUserMembershipDeleteAuthorizations() { User jonny1 = identityService.newUser("jonny1"); identityService.saveUser(jonny1); Tenant tenant1 = identityService.newTenant("tenant1"); identityService.saveTenant(tenant1); // add base permission which allows nobody to delete memberships Authorization basePerms = authorizationService.createNewAuthorization(AUTH_TYPE_GLOBAL); basePerms.setResource(TENANT_MEMBERSHIP); basePerms.setResourceId(ANY); basePerms.addPermission(ALL); // add all then remove 'delete' basePerms.removePermission(DELETE); authorizationService.saveAuthorization(basePerms); processEngineConfiguration.setAuthorizationEnabled(true); identityService.setAuthenticatedUserId(jonny2); try { identityService.deleteTenantUserMembership("tenant1", "jonny1"); fail("exception expected"); } catch (AuthorizationException e) { assertEquals(1, e.getMissingAuthorizations().size()); MissingAuthorization info = e.getMissingAuthorizations().get(0); assertEquals(jonny2, e.getUserId()); assertExceptionInfo(DELETE.getName(), TENANT_MEMBERSHIP.resourceName(), "tenant1", info); } }
public void testMembershipCreateAuthorizations() { User jonny1 = identityService.newUser("jonny1"); identityService.saveUser(jonny1); Group group1 = identityService.newGroup("group1"); identityService.saveGroup(group1); // add base permission which allows nobody to add users to groups Authorization basePerms = authorizationService.createNewAuthorization(AUTH_TYPE_GLOBAL); basePerms.setResource(GROUP_MEMBERSHIP); basePerms.setResourceId(ANY); basePerms.addPermission(ALL); // add all then remove 'crate' basePerms.removePermission(CREATE); authorizationService.saveAuthorization(basePerms); processEngineConfiguration.setAuthorizationEnabled(true); identityService.setAuthenticatedUserId(jonny2); try { identityService.createMembership("jonny1", "group1"); fail("exception expected"); } catch (AuthorizationException e) { assertEquals(1, e.getMissingAuthorizations().size()); MissingAuthorization info = e.getMissingAuthorizations().get(0); assertEquals(jonny2, e.getUserId()); assertExceptionInfo(CREATE.getName(), GROUP_MEMBERSHIP.resourceName(), "group1", info); } }
public void testTenanGroupMembershipDeleteAuthorizations() { Group group1 = identityService.newGroup("group1"); identityService.saveGroup(group1); Tenant tenant1 = identityService.newTenant("tenant1"); identityService.saveTenant(tenant1); // add base permission which allows nobody to delete memberships Authorization basePerms = authorizationService.createNewAuthorization(AUTH_TYPE_GLOBAL); basePerms.setResource(TENANT_MEMBERSHIP); basePerms.setResourceId(ANY); basePerms.addPermission(ALL); // add all then remove 'delete' basePerms.removePermission(DELETE); authorizationService.saveAuthorization(basePerms); processEngineConfiguration.setAuthorizationEnabled(true); identityService.setAuthenticatedUserId(jonny2); try { identityService.deleteTenantGroupMembership("tenant1", "group1"); fail("exception expected"); } catch (AuthorizationException e) { assertEquals(1, e.getMissingAuthorizations().size()); MissingAuthorization info = e.getMissingAuthorizations().get(0); assertEquals(jonny2, e.getUserId()); assertExceptionInfo(DELETE.getName(), TENANT_MEMBERSHIP.resourceName(), "tenant1", info); } }
public void testQueryWithGroupAuthorizationRevokedReadPermission() { // given // given user gets all permissions on any process definition Authorization authorization = createGrantAuthorization(PROCESS_DEFINITION, ANY); authorization.setGroupId(groupId); authorization.addPermission(ALL); saveAuthorization(authorization); authorization = createRevokeAuthorization(PROCESS_DEFINITION, ONE_TASK_PROCESS_KEY); authorization.setGroupId(groupId); authorization.removePermission(READ); saveAuthorization(authorization); // when ProcessDefinitionQuery query = repositoryService.createProcessDefinitionQuery(); // then verifyQueryResults(query, 1); ProcessDefinition definition = query.singleResult(); assertNotNull(definition); assertEquals(TWO_TASKS_PROCESS_KEY, definition.getKey()); }
public void testIsPermissionRevokedAccess() { // given Authorization authorization = authorizationService.createNewAuthorization(AUTH_TYPE_REVOKE); String userId = "userId"; authorization.setUserId(userId); authorization.removePermission(Permissions.ACCESS); authorization.setResource(Resources.APPLICATION); authorization.setResourceId(ANY); authorizationService.saveAuthorization(authorization); // then Authorization authorizationResult = authorizationService.createAuthorizationQuery().userIdIn(userId).singleResult(); assertTrue(authorizationResult.isPermissionRevoked(Permissions.ACCESS)); assertFalse(authorizationResult.isPermissionRevoked(BatchPermissions.CREATE_BATCH_MIGRATE_PROCESS_INSTANCES)); assertFalse(authorizationResult.isPermissionRevoked(ProcessInstancePermissions.RETRY_JOB)); assertFalse(authorizationResult.isPermissionRevoked(ProcessDefinitionPermissions.RETRY_JOB)); }
public void testIsPermissionRevokedRetryJob() { // given Authorization authorization = authorizationService.createNewAuthorization(AUTH_TYPE_REVOKE); String userId = "userId"; authorization.setUserId(userId); authorization.removePermission(ProcessInstancePermissions.RETRY_JOB); authorization.setResource(Resources.PROCESS_INSTANCE); authorization.setResourceId(ANY); authorizationService.saveAuthorization(authorization); // then Authorization authorizationResult = authorizationService.createAuthorizationQuery().userIdIn(userId).singleResult(); assertTrue(authorizationResult.isPermissionRevoked(ProcessInstancePermissions.RETRY_JOB)); assertFalse(authorizationResult.isPermissionRevoked(Permissions.ACCESS)); assertFalse(authorizationResult.isPermissionRevoked(BatchPermissions.CREATE_BATCH_MIGRATE_PROCESS_INSTANCES)); assertFalse(authorizationResult.isPermissionRevoked(ProcessDefinitionPermissions.RETRY_JOB)); }
public void testUserUpdateAuthorizations() { // crate user while still in god-mode: User jonny1 = identityService.newUser("jonny1"); identityService.saveUser(jonny1); // create global auth Authorization basePerms = authorizationService.createNewAuthorization(AUTH_TYPE_GLOBAL); basePerms.setResource(USER); basePerms.setResourceId(ANY); basePerms.addPermission(ALL); basePerms.removePermission(UPDATE); // revoke update authorizationService.saveAuthorization(basePerms); // turn on authorization processEngineConfiguration.setAuthorizationEnabled(true); identityService.setAuthenticatedUserId(jonny2); // fetch user: jonny1 = identityService.createUserQuery().singleResult(); jonny1.setFirstName("Jonny"); try { identityService.saveUser(jonny1); fail("exception expected"); } catch (AuthorizationException e) { assertEquals(1, e.getMissingAuthorizations().size()); MissingAuthorization info = e.getMissingAuthorizations().get(0); assertEquals(jonny2, e.getUserId()); assertExceptionInfo(UPDATE.getName(), USER.resourceName(), "jonny1", info); } // but I can create a new user: User jonny3 = identityService.newUser("jonny3"); identityService.saveUser(jonny3); }
public void testUserOverrideGlobalRevokeAuthorizationCheck() { Resource resource1 = TestResource.RESOURCE1; // create global authorization which revokes all permissions to all users (on resource1): Authorization globalGrant = authorizationService.createNewAuthorization(AUTH_TYPE_GLOBAL); globalGrant.setResource(resource1); globalGrant.setResourceId(ANY); globalGrant.removePermission(ALL); authorizationService.saveAuthorization(globalGrant); // add READ for jonny Authorization localRevoke = authorizationService.createNewAuthorization(AUTH_TYPE_GRANT); localRevoke.setUserId("jonny"); localRevoke.setResource(resource1); localRevoke.setResourceId(ANY); localRevoke.addPermission(READ); authorizationService.saveAuthorization(localRevoke); // jonny does not have ALL permissions assertFalse(authorizationService.isUserAuthorized("jonny", null, ALL, resource1)); // jonny can read assertTrue(authorizationService.isUserAuthorized("jonny", null, READ, resource1)); // jonny can't delete assertFalse(authorizationService.isUserAuthorized("jonny", null, DELETE, resource1)); // someone else can't do anything assertFalse(authorizationService.isUserAuthorized("someone else", null, ALL, resource1)); assertFalse(authorizationService.isUserAuthorized("someone else", null, READ, resource1)); assertFalse(authorizationService.isUserAuthorized("someone else", null, DELETE, resource1)); }