Java Code Examples for org.camunda.bpm.engine.authorization.Authorization#removePermission()
The following examples show how to use
org.camunda.bpm.engine.authorization.Authorization#removePermission() .
Example 1
Source File: ProcessDefinitionAuthorizationTest.java From camunda-bpm-platform with Apache License 2.0 | 6 votes |
/**
 * Verifies that a process definition query leaves out the definition whose READ permission
 * was revoked for the user, although a grant on ANY gives that user ALL permissions.
 */
public void testQueryWithRevokedReadPermission() {
  // given: the user holds ALL permissions on any process definition
  createGrantAuthorization(PROCESS_DEFINITION, ANY, userId, ALL);

  // ... and READ is taken away again for ONE_TASK_PROCESS_KEY only.
  // NOTE(review): createRevokeAuthorization is defined outside this listing; presumably it
  // returns an AUTH_TYPE_REVOKE authorization, on which removePermission(READ) marks READ
  // as revoked - confirm.
  Authorization revokeRead = createRevokeAuthorization(PROCESS_DEFINITION, ONE_TASK_PROCESS_KEY);
  revokeRead.setUserId(userId);
  revokeRead.removePermission(READ);
  saveAuthorization(revokeRead);

  // when
  ProcessDefinitionQuery definitionQuery = repositoryService.createProcessDefinitionQuery();

  // then: the single remaining result is the definition that was not revoked
  verifyQueryResults(definitionQuery, 1);
  ProcessDefinition visibleDefinition = definitionQuery.singleResult();
  assertNotNull(visibleDefinition);
  assertEquals(TWO_TASKS_PROCESS_KEY, visibleDefinition.getKey());
}
Example 2
Source File: AuthorizationServiceAuthorizationsTest.java From camunda-bpm-platform with Apache License 2.0 | 6 votes |
/**
 * Verifies that deleting an authorization fails with an {@link AuthorizationException} when
 * the global authorization on AUTHORIZATION resources carries every permission except DELETE.
 */
public void testDeleteAuthorization() {
  // global authorization on any AUTHORIZATION resource: ALL first, then DELETE cleared
  Authorization globalAuth = authorizationService.createNewAuthorization(AUTH_TYPE_GLOBAL);
  globalAuth.setResource(AUTHORIZATION);
  globalAuth.setResourceId(ANY);
  globalAuth.addPermission(ALL);
  globalAuth.removePermission(DELETE);
  authorizationService.saveAuthorization(globalAuth);

  // switch authorization checks on and act as jonny2
  // NOTE(review): checks stay enabled when this method returns; presumably the fixture's
  // tearDown resets the engine configuration - confirm.
  processEngineConfiguration.setAuthorizationEnabled(true);
  identityService.setAuthenticatedUserId(jonny2);

  try {
    // the delete must be refused
    authorizationService.deleteAuthorization(globalAuth.getId());
    fail("exception expected");
  } catch (AuthorizationException denied) {
    // exactly one missing authorization is reported, for the authenticated user
    assertEquals(1, denied.getMissingAuthorizations().size());
    MissingAuthorization missing = denied.getMissingAuthorizations().get(0);
    assertEquals(jonny2, denied.getUserId());
    assertExceptionInfo(DELETE.getName(), AUTHORIZATION.resourceName(), globalAuth.getId(), missing);
  }
}
Example 3
Source File: AuthorizationServiceTest.java From camunda-bpm-platform with Apache License 2.0 | 6 votes |
/**
 * Verifies that {@code isPermissionRevoked} is true only for the permission removed on a
 * REVOKE authorization: ACCESS on APPLICATION is reported as revoked, while the permissions
 * probed from the other permission enums are not.
 */
public void testIsPermissionRevokedAccess() {
  // given: a REVOKE authorization for the user with ACCESS removed on any APPLICATION
  String userId = "userId";
  Authorization revokeAccess = authorizationService.createNewAuthorization(AUTH_TYPE_REVOKE);
  revokeAccess.setUserId(userId);
  revokeAccess.removePermission(Permissions.ACCESS);
  revokeAccess.setResource(Resources.APPLICATION);
  revokeAccess.setResourceId(ANY);
  authorizationService.saveAuthorization(revokeAccess);

  // then: the stored authorization, read back through the query API, shows the same state
  Authorization stored =
      authorizationService.createAuthorizationQuery().userIdIn(userId).singleResult();
  assertTrue(stored.isPermissionRevoked(Permissions.ACCESS));
  // permissions that were never removed on this authorization must not show up as revoked
  assertFalse(stored.isPermissionRevoked(BatchPermissions.CREATE_BATCH_MIGRATE_PROCESS_INSTANCES));
  assertFalse(stored.isPermissionRevoked(ProcessInstancePermissions.RETRY_JOB));
  assertFalse(stored.isPermissionRevoked(ProcessDefinitionPermissions.RETRY_JOB));
}
Example 4
Source File: AuthorizationServiceTest.java From camunda-bpm-platform with Apache License 2.0 | 6 votes |
/**
 * Verifies that {@code isPermissionRevoked} is true only for
 * {@code ProcessInstancePermissions.RETRY_JOB} after it was removed on a REVOKE authorization
 * for PROCESS_INSTANCE. The same-named {@code ProcessDefinitionPermissions.RETRY_JOB} and the
 * other probed permissions are not reported as revoked.
 */
public void testIsPermissionRevokedRetryJob() {
  // given: a REVOKE authorization for the user with RETRY_JOB removed on any PROCESS_INSTANCE
  String userId = "userId";
  Authorization revokeRetry = authorizationService.createNewAuthorization(AUTH_TYPE_REVOKE);
  revokeRetry.setUserId(userId);
  revokeRetry.removePermission(ProcessInstancePermissions.RETRY_JOB);
  revokeRetry.setResource(Resources.PROCESS_INSTANCE);
  revokeRetry.setResourceId(ANY);
  authorizationService.saveAuthorization(revokeRetry);

  // then: read the authorization back and probe it
  Authorization stored =
      authorizationService.createAuthorizationQuery().userIdIn(userId).singleResult();
  assertTrue(stored.isPermissionRevoked(ProcessInstancePermissions.RETRY_JOB));
  assertFalse(stored.isPermissionRevoked(Permissions.ACCESS));
  assertFalse(stored.isPermissionRevoked(BatchPermissions.CREATE_BATCH_MIGRATE_PROCESS_INSTANCES));
  assertFalse(stored.isPermissionRevoked(ProcessDefinitionPermissions.RETRY_JOB));
}
Example 5
Source File: IdentityServiceAuthorizationsTest.java From camunda-bpm-platform with Apache License 2.0 | 5 votes |
/**
 * Verifies that creating a tenant-user membership fails with an
 * {@link AuthorizationException} when the global authorization on TENANT_MEMBERSHIP lacks
 * CREATE.
 */
public void testTenantUserMembershipCreateAuthorizations() {
  // fixture data, written before authorization checks are switched on
  User member = identityService.newUser("jonny1");
  identityService.saveUser(member);

  Tenant tenant = identityService.newTenant("tenant1");
  identityService.saveTenant(tenant);

  // global authorization that lets nobody create memberships: ALL, then CREATE cleared
  Authorization globalAuth = authorizationService.createNewAuthorization(AUTH_TYPE_GLOBAL);
  globalAuth.setResource(TENANT_MEMBERSHIP);
  globalAuth.setResourceId(ANY);
  globalAuth.addPermission(ALL);
  globalAuth.removePermission(CREATE);
  authorizationService.saveAuthorization(globalAuth);

  // NOTE(review): checks stay enabled when this method returns; presumably the fixture's
  // tearDown resets the engine configuration - confirm.
  processEngineConfiguration.setAuthorizationEnabled(true);
  identityService.setAuthenticatedUserId(jonny2);

  try {
    identityService.createTenantUserMembership("tenant1", "jonny1");
    fail("exception expected");
  } catch (AuthorizationException denied) {
    // one missing authorization: CREATE on the tenant membership for "tenant1"
    assertEquals(1, denied.getMissingAuthorizations().size());
    MissingAuthorization missing = denied.getMissingAuthorizations().get(0);
    assertEquals(jonny2, denied.getUserId());
    assertExceptionInfo(CREATE.getName(), TENANT_MEMBERSHIP.resourceName(), "tenant1", missing);
  }
}
Example 6
Source File: IdentityServiceAuthorizationsTest.java From camunda-bpm-platform with Apache License 2.0 | 5 votes |
/**
 * Verifies that adding a user to a group fails with an {@link AuthorizationException} when
 * the global authorization on GROUP_MEMBERSHIP lacks CREATE.
 */
public void testMembershipCreateAuthorizations() {
  // fixture data, written before authorization checks are switched on
  User member = identityService.newUser("jonny1");
  identityService.saveUser(member);

  Group group = identityService.newGroup("group1");
  identityService.saveGroup(group);

  // global authorization that lets nobody add users to groups: ALL, then CREATE cleared
  Authorization globalAuth = authorizationService.createNewAuthorization(AUTH_TYPE_GLOBAL);
  globalAuth.setResource(GROUP_MEMBERSHIP);
  globalAuth.setResourceId(ANY);
  globalAuth.addPermission(ALL);
  globalAuth.removePermission(CREATE);
  authorizationService.saveAuthorization(globalAuth);

  processEngineConfiguration.setAuthorizationEnabled(true);
  identityService.setAuthenticatedUserId(jonny2);

  try {
    identityService.createMembership("jonny1", "group1");
    fail("exception expected");
  } catch (AuthorizationException denied) {
    // one missing authorization: CREATE on the group membership for "group1"
    assertEquals(1, denied.getMissingAuthorizations().size());
    MissingAuthorization missing = denied.getMissingAuthorizations().get(0);
    assertEquals(jonny2, denied.getUserId());
    assertExceptionInfo(CREATE.getName(), GROUP_MEMBERSHIP.resourceName(), "group1", missing);
  }
}
Example 7
Source File: IdentityServiceAuthorizationsTest.java From camunda-bpm-platform with Apache License 2.0 | 5 votes |
/**
 * Verifies that updating an existing tenant fails with an {@link AuthorizationException} when
 * the global authorization on TENANT lacks UPDATE, while creating a new tenant still works.
 */
public void testTenantUpdateAuthorizations() {
  // create the tenant before authorization checks are switched on
  Tenant seededTenant = new TenantEntity("tenant");
  identityService.saveTenant(seededTenant);

  // global authorization on any TENANT: ALL, then UPDATE cleared
  Authorization globalAuth = authorizationService.createNewAuthorization(AUTH_TYPE_GLOBAL);
  globalAuth.setResource(TENANT);
  globalAuth.setResourceId(ANY);
  globalAuth.addPermission(ALL);
  globalAuth.removePermission(UPDATE);
  authorizationService.saveAuthorization(globalAuth);

  // switch authorization checks on and act as jonny2
  processEngineConfiguration.setAuthorizationEnabled(true);
  identityService.setAuthenticatedUserId(jonny2);

  // reading the tenant is still allowed; change it in memory
  Tenant fetchedTenant = identityService.createTenantQuery().singleResult();
  fetchedTenant.setName("newName");

  try {
    // saving an already existing tenant needs UPDATE
    identityService.saveTenant(fetchedTenant);
    fail("exception expected");
  } catch (AuthorizationException denied) {
    assertEquals(1, denied.getMissingAuthorizations().size());
    MissingAuthorization missing = denied.getMissingAuthorizations().get(0);
    assertEquals(jonny2, denied.getUserId());
    assertExceptionInfo(UPDATE.getName(), TENANT.resourceName(), "tenant", missing);
  }

  // saving a brand-new tenant goes through: only UPDATE was cleared, not CREATE
  Tenant createdTenant = identityService.newTenant("newTenant");
  identityService.saveTenant(createdTenant);
}
Example 8
Source File: IdentityServiceAuthorizationsTest.java From camunda-bpm-platform with Apache License 2.0 | 5 votes |
/**
 * Verifies that deleting a tenant fails with an {@link AuthorizationException} when the
 * global authorization on TENANT lacks DELETE.
 */
public void testTenantDeleteAuthorizations() {
  // create the tenant before authorization checks are switched on
  Tenant seededTenant = new TenantEntity("tenant");
  identityService.saveTenant(seededTenant);

  // global authorization on any TENANT: ALL, then DELETE cleared
  Authorization globalAuth = authorizationService.createNewAuthorization(AUTH_TYPE_GLOBAL);
  globalAuth.setResource(TENANT);
  globalAuth.setResourceId(ANY);
  globalAuth.addPermission(ALL);
  globalAuth.removePermission(DELETE);
  authorizationService.saveAuthorization(globalAuth);

  // switch authorization checks on and act as jonny2
  processEngineConfiguration.setAuthorizationEnabled(true);
  identityService.setAuthenticatedUserId(jonny2);

  try {
    identityService.deleteTenant("tenant");
    fail("exception expected");
  } catch (AuthorizationException denied) {
    // one missing authorization: DELETE on tenant "tenant"
    assertEquals(1, denied.getMissingAuthorizations().size());
    MissingAuthorization missing = denied.getMissingAuthorizations().get(0);
    assertEquals(jonny2, denied.getUserId());
    assertExceptionInfo(DELETE.getName(), TENANT.resourceName(), "tenant", missing);
  }
}
Example 9
Source File: IdentityServiceAuthorizationsTest.java From camunda-bpm-platform with Apache License 2.0 | 5 votes |
/**
 * Verifies that updating an existing group fails with an {@link AuthorizationException} when
 * the global authorization on GROUP lacks UPDATE, while creating a new group still works.
 */
public void testGroupUpdateAuthorizations() {
  // create the group while authorization checks are still off
  Group seededGroup = identityService.newGroup("group1");
  identityService.saveGroup(seededGroup);

  // global authorization on any GROUP: ALL, then UPDATE cleared
  Authorization globalAuth = authorizationService.createNewAuthorization(AUTH_TYPE_GLOBAL);
  globalAuth.setResource(GROUP);
  globalAuth.setResourceId(ANY);
  globalAuth.addPermission(ALL);
  globalAuth.removePermission(UPDATE);
  authorizationService.saveAuthorization(globalAuth);

  // switch authorization checks on and act as jonny2
  processEngineConfiguration.setAuthorizationEnabled(true);
  identityService.setAuthenticatedUserId(jonny2);

  // reading the group is still allowed; change it in memory
  Group fetchedGroup = identityService.createGroupQuery().singleResult();
  fetchedGroup.setName("Group 1");

  try {
    // saving an already existing group needs UPDATE
    identityService.saveGroup(fetchedGroup);
    fail("exception expected");
  } catch (AuthorizationException denied) {
    assertEquals(1, denied.getMissingAuthorizations().size());
    MissingAuthorization missing = denied.getMissingAuthorizations().get(0);
    assertEquals(jonny2, denied.getUserId());
    assertExceptionInfo(UPDATE.getName(), GROUP.resourceName(), "group1", missing);
  }

  // saving a brand-new group goes through: only UPDATE was cleared, not CREATE
  Group createdGroup = identityService.newGroup("group2");
  identityService.saveGroup(createdGroup);
}
Example 10
Source File: IdentityServiceAuthorizationsTest.java From camunda-bpm-platform with Apache License 2.0 | 5 votes |
/**
 * Verifies that deleting a group fails with an {@link AuthorizationException} when the global
 * authorization on GROUP lacks DELETE.
 */
public void testGroupDeleteAuthorizations() {
  // create the group while authorization checks are still off
  Group seededGroup = identityService.newGroup("group1");
  identityService.saveGroup(seededGroup);

  // global authorization on any GROUP: ALL, then DELETE cleared
  Authorization globalAuth = authorizationService.createNewAuthorization(AUTH_TYPE_GLOBAL);
  globalAuth.setResource(GROUP);
  globalAuth.setResourceId(ANY);
  globalAuth.addPermission(ALL);
  globalAuth.removePermission(DELETE);
  authorizationService.saveAuthorization(globalAuth);

  // switch authorization checks on and act as jonny2
  processEngineConfiguration.setAuthorizationEnabled(true);
  identityService.setAuthenticatedUserId(jonny2);

  try {
    identityService.deleteGroup("group1");
    fail("exception expected");
  } catch (AuthorizationException denied) {
    // one missing authorization: DELETE on group "group1"
    assertEquals(1, denied.getMissingAuthorizations().size());
    MissingAuthorization missing = denied.getMissingAuthorizations().get(0);
    assertEquals(jonny2, denied.getUserId());
    assertExceptionInfo(DELETE.getName(), GROUP.resourceName(), "group1", missing);
  }
}
Example 11
Source File: IdentityServiceAuthorizationsTest.java From camunda-bpm-platform with Apache License 2.0 | 5 votes |
/**
 * Verifies that updating an existing user fails with an {@link AuthorizationException} when
 * the global authorization on USER lacks UPDATE, while creating a new user still works.
 */
public void testUserUpdateAuthorizations() {
  // create the user while authorization checks are still off
  User seededUser = identityService.newUser("jonny1");
  identityService.saveUser(seededUser);

  // global authorization on any USER: ALL, then UPDATE cleared
  Authorization globalAuth = authorizationService.createNewAuthorization(AUTH_TYPE_GLOBAL);
  globalAuth.setResource(USER);
  globalAuth.setResourceId(ANY);
  globalAuth.addPermission(ALL);
  globalAuth.removePermission(UPDATE);
  authorizationService.saveAuthorization(globalAuth);

  // switch authorization checks on and act as jonny2
  processEngineConfiguration.setAuthorizationEnabled(true);
  identityService.setAuthenticatedUserId(jonny2);

  // reading the user is still allowed; change it in memory
  User fetchedUser = identityService.createUserQuery().singleResult();
  fetchedUser.setFirstName("Jonny");

  try {
    // saving an already existing user needs UPDATE
    identityService.saveUser(fetchedUser);
    fail("exception expected");
  } catch (AuthorizationException denied) {
    assertEquals(1, denied.getMissingAuthorizations().size());
    MissingAuthorization missing = denied.getMissingAuthorizations().get(0);
    assertEquals(jonny2, denied.getUserId());
    assertExceptionInfo(UPDATE.getName(), USER.resourceName(), "jonny1", missing);
  }

  // saving a brand-new user goes through: only UPDATE was cleared, not CREATE
  User createdUser = identityService.newUser("jonny3");
  identityService.saveUser(createdUser);
}
Example 12
Source File: IdentityServiceAuthorizationsTest.java From camunda-bpm-platform with Apache License 2.0 | 5 votes |
/**
 * Verifies that deleting a user fails with an {@link AuthorizationException} when the global
 * authorization on USER lacks DELETE.
 */
public void testUserDeleteAuthorizations() {
  // create the user while authorization checks are still off
  User seededUser = identityService.newUser("jonny1");
  identityService.saveUser(seededUser);

  // global authorization on any USER: ALL, then DELETE cleared
  Authorization globalAuth = authorizationService.createNewAuthorization(AUTH_TYPE_GLOBAL);
  globalAuth.setResource(USER);
  globalAuth.setResourceId(ANY);
  globalAuth.addPermission(ALL);
  globalAuth.removePermission(DELETE);
  authorizationService.saveAuthorization(globalAuth);

  // switch authorization checks on and act as jonny2
  processEngineConfiguration.setAuthorizationEnabled(true);
  identityService.setAuthenticatedUserId(jonny2);

  try {
    identityService.deleteUser("jonny1");
    fail("exception expected");
  } catch (AuthorizationException denied) {
    // one missing authorization: DELETE on user "jonny1"
    assertEquals(1, denied.getMissingAuthorizations().size());
    MissingAuthorization missing = denied.getMissingAuthorizations().get(0);
    assertEquals(jonny2, denied.getUserId());
    assertExceptionInfo(DELETE.getName(), USER.resourceName(), "jonny1", missing);
  }
}
Example 13
Source File: AuthorizationServiceWithEnabledAuthorizationTest.java From camunda-bpm-platform with Apache License 2.0 | 5 votes |
/**
 * Verifies the precedence shown by {@code isUserAuthorized}: a user-level GRANT wins over a
 * group-level REVOKE, which in turn wins over the GLOBAL grant.
 */
public void testUserOverrideGroupOverrideGlobalAuthorizationCheck() {
  Resource resource = TestResource.RESOURCE1;

  // global: every user gets ALL permissions on the resource
  Authorization everyoneAll = authorizationService.createNewAuthorization(AUTH_TYPE_GLOBAL);
  everyoneAll.setResource(resource);
  everyoneAll.setResourceId(ANY);
  everyoneAll.addPermission(ALL);
  authorizationService.saveAuthorization(everyoneAll);

  // group level: READ is revoked for members of "sales"
  Authorization salesNoRead = authorizationService.createNewAuthorization(AUTH_TYPE_REVOKE);
  salesNoRead.setGroupId("sales");
  salesNoRead.setResource(resource);
  salesNoRead.setResourceId(ANY);
  salesNoRead.removePermission(READ);
  authorizationService.saveAuthorization(salesNoRead);

  // user level: READ is granted to jonny explicitly
  Authorization jonnyRead = authorizationService.createNewAuthorization(AUTH_TYPE_GRANT);
  jonnyRead.setUserId("jonny");
  jonnyRead.setResource(resource);
  jonnyRead.setResourceId(ANY);
  jonnyRead.addPermission(READ);
  authorizationService.saveAuthorization(jonnyRead);

  List<String> salesAndMarketing = Arrays.asList("sales", "marketing");
  List<String> marketingOnly = Collections.singletonList("marketing");

  // jonny can read, with or without his groups being passed
  assertTrue(authorizationService.isUserAuthorized("jonny", salesAndMarketing, READ, resource));
  assertTrue(authorizationService.isUserAuthorized("jonny", null, READ, resource));

  // another user in the same groups has no user-level grant, so the group revoke applies
  assertFalse(authorizationService.isUserAuthorized("someone else", salesAndMarketing, READ, resource));

  // another user outside "sales" is covered by the global grant
  assertTrue(authorizationService.isUserAuthorized("someone else", marketingOnly, READ, resource));
}
Example 14
Source File: AuthorizationServiceWithEnabledAuthorizationTest.java From camunda-bpm-platform with Apache License 2.0 | 5 votes |
/**
 * Verifies that a user-level REVOKE of READ overrides the GLOBAL grant of ALL for that user
 * only, and that the user's other permissions (DELETE) are unaffected.
 */
public void testUserOverrideGlobalGrantAuthorizationCheck() {
  Resource resource = TestResource.RESOURCE1;

  // global: every user gets ALL permissions on the resource
  Authorization everyoneAll = authorizationService.createNewAuthorization(AUTH_TYPE_GLOBAL);
  everyoneAll.setResource(resource);
  everyoneAll.setResourceId(ANY);
  everyoneAll.addPermission(ALL);
  authorizationService.saveAuthorization(everyoneAll);

  // user level: READ is revoked for jonny
  Authorization jonnyNoRead = authorizationService.createNewAuthorization(AUTH_TYPE_REVOKE);
  jonnyNoRead.setUserId("jonny");
  jonnyNoRead.setResource(resource);
  jonnyNoRead.setResourceId(ANY);
  jonnyNoRead.removePermission(READ);
  authorizationService.saveAuthorization(jonnyNoRead);

  List<String> salesAndMarketing = Arrays.asList("sales", "marketing");
  List<String> marketingOnly = Collections.singletonList("marketing");

  // with READ revoked, jonny no longer satisfies a check for ALL
  assertFalse(authorizationService.isUserAuthorized("jonny", null, ALL, resource));
  assertFalse(authorizationService.isUserAuthorized("jonny", salesAndMarketing, ALL, resource));

  // and he cannot read, whether or not his groups are passed
  assertFalse(authorizationService.isUserAuthorized("jonny", null, READ, resource));
  assertFalse(authorizationService.isUserAuthorized("jonny", salesAndMarketing, READ, resource));

  // other users are still covered by the global grant
  assertTrue(authorizationService.isUserAuthorized("someone else", null, ALL, resource));
  assertTrue(authorizationService.isUserAuthorized("someone else", marketingOnly, READ, resource));
  // the same two checks are asserted a second time (redundant, kept as in the test)
  assertTrue(authorizationService.isUserAuthorized("someone else", null, ALL, resource));
  assertTrue(authorizationService.isUserAuthorized("someone else", marketingOnly, READ, resource));

  // the revoke is limited to READ: jonny can still delete
  assertTrue(authorizationService.isUserAuthorized("jonny", null, DELETE, resource));
  assertTrue(authorizationService.isUserAuthorized("jonny", salesAndMarketing, DELETE, resource));
}
Example 15
Source File: IdentityServiceAuthorizationsTest.java From camunda-bpm-platform with Apache License 2.0 | 5 votes |
/**
 * Verifies that deleting a tenant-user membership fails with an
 * {@link AuthorizationException} when the global authorization on TENANT_MEMBERSHIP lacks
 * DELETE.
 */
public void testTenantUserMembershipDeleteAuthorizations() {
  // fixture data, written before authorization checks are switched on
  User member = identityService.newUser("jonny1");
  identityService.saveUser(member);

  Tenant tenant = identityService.newTenant("tenant1");
  identityService.saveTenant(tenant);

  // global authorization that lets nobody delete memberships: ALL, then DELETE cleared
  Authorization globalAuth = authorizationService.createNewAuthorization(AUTH_TYPE_GLOBAL);
  globalAuth.setResource(TENANT_MEMBERSHIP);
  globalAuth.setResourceId(ANY);
  globalAuth.addPermission(ALL);
  globalAuth.removePermission(DELETE);
  authorizationService.saveAuthorization(globalAuth);

  processEngineConfiguration.setAuthorizationEnabled(true);
  identityService.setAuthenticatedUserId(jonny2);

  try {
    identityService.deleteTenantUserMembership("tenant1", "jonny1");
    fail("exception expected");
  } catch (AuthorizationException denied) {
    // one missing authorization: DELETE on the tenant membership for "tenant1"
    assertEquals(1, denied.getMissingAuthorizations().size());
    MissingAuthorization missing = denied.getMissingAuthorizations().get(0);
    assertEquals(jonny2, denied.getUserId());
    assertExceptionInfo(DELETE.getName(), TENANT_MEMBERSHIP.resourceName(), "tenant1", missing);
  }
}
Example 16
Source File: AuthorizationServiceAuthorizationsTest.java From camunda-bpm-platform with Apache License 2.0 | 5 votes |
/**
 * Verifies that updating an existing authorization fails with an
 * {@link AuthorizationException} when the global authorization on AUTHORIZATION lacks UPDATE,
 * while creating a new authorization still works.
 *
 * <p>Security note: the final step shows that withholding UPDATE alone does not prevent a
 * user from saving a new GRANT for their own user id. If that is not intended in a
 * deployment, CREATE on AUTHORIZATION resources has to be restricted as well.
 */
public void testUserUpdateAuthorizations() {
  // global authorization on any AUTHORIZATION resource: ALL, then UPDATE cleared
  Authorization globalAuth = authorizationService.createNewAuthorization(AUTH_TYPE_GLOBAL);
  globalAuth.setResource(AUTHORIZATION);
  globalAuth.setResourceId(ANY);
  globalAuth.addPermission(ALL);
  globalAuth.removePermission(UPDATE);
  authorizationService.saveAuthorization(globalAuth);

  // switch authorization checks on and act as jonny2
  processEngineConfiguration.setAuthorizationEnabled(true);
  identityService.setAuthenticatedUserId(jonny2);

  // read the stored authorization back and try to widen it again
  Authorization storedAuth = authorizationService.createAuthorizationQuery().singleResult();
  storedAuth.addPermission(ALL);

  try {
    // saving an already existing authorization needs UPDATE
    authorizationService.saveAuthorization(storedAuth);
    fail("exception expected");
  } catch (AuthorizationException denied) {
    assertEquals(1, denied.getMissingAuthorizations().size());
    MissingAuthorization missing = denied.getMissingAuthorizations().get(0);
    assertEquals(jonny2, denied.getUserId());
    assertExceptionInfo(UPDATE.getName(), AUTHORIZATION.resourceName(), storedAuth.getId(), missing);
  }

  // saving a brand-new authorization goes through: only UPDATE was cleared, not CREATE
  Authorization selfGrant = authorizationService.createNewAuthorization(AUTH_TYPE_GRANT);
  selfGrant.setUserId("jonny2");
  selfGrant.setResource(AUTHORIZATION);
  selfGrant.setResourceId(ANY);
  selfGrant.addPermission(ALL);
  authorizationService.saveAuthorization(selfGrant);
}
Example 17
Source File: IdentityServiceAuthorizationsTest.java From camunda-bpm-platform with Apache License 2.0 | 5 votes |
/**
 * Verifies that creating a tenant-group membership fails with an
 * {@link AuthorizationException} when the global authorization on TENANT_MEMBERSHIP lacks
 * CREATE.
 */
public void testTenantGroupMembershipCreateAuthorizations() {
  // fixture data, written before authorization checks are switched on
  Group group = identityService.newGroup("group1");
  identityService.saveGroup(group);

  Tenant tenant = identityService.newTenant("tenant1");
  identityService.saveTenant(tenant);

  // global authorization that lets nobody create memberships: ALL, then CREATE cleared
  Authorization globalAuth = authorizationService.createNewAuthorization(AUTH_TYPE_GLOBAL);
  globalAuth.setResource(TENANT_MEMBERSHIP);
  globalAuth.setResourceId(ANY);
  globalAuth.addPermission(ALL);
  globalAuth.removePermission(CREATE);
  authorizationService.saveAuthorization(globalAuth);

  processEngineConfiguration.setAuthorizationEnabled(true);
  identityService.setAuthenticatedUserId(jonny2);

  try {
    identityService.createTenantGroupMembership("tenant1", "group1");
    fail("exception expected");
  } catch (AuthorizationException denied) {
    // one missing authorization: CREATE on the tenant membership for "tenant1"
    assertEquals(1, denied.getMissingAuthorizations().size());
    MissingAuthorization missing = denied.getMissingAuthorizations().get(0);
    assertEquals(jonny2, denied.getUserId());
    assertExceptionInfo(CREATE.getName(), TENANT_MEMBERSHIP.resourceName(), "tenant1", missing);
  }
}
Example 18
Source File: IdentityServiceAuthorizationsTest.java From camunda-bpm-platform with Apache License 2.0 | 4 votes |
/**
 * Walks a user query through five authorization states for the authenticated user jonny2 and
 * checks the visible result each time: empty global authorization (nothing visible), user
 * GRANT of READ (visible), global READ added (still visible), user REVOKE of READ (hidden
 * although the global authorization grants READ), and finally both user-level authorizations
 * deleted (visible again through the global authorization).
 *
 * <p>Authorization checks are switched off around every change to the authorizations
 * themselves and switched back on before each query.
 */
public void testUserQueryAuthorizations() {
  // act as jonny2
  String authUserId = "jonny2";
  identityService.setAuthenticatedUserId(authUserId);

  // the user that the queries below try to read
  User targetUser = identityService.newUser("jonny1");
  identityService.saveUser(targetUser);

  // 1) global authorization on USER with no permission added: nobody may read users
  Authorization globalAuth = authorizationService.createNewAuthorization(AUTH_TYPE_GLOBAL);
  globalAuth.setResource(USER);
  globalAuth.setResourceId(ANY);
  authorizationService.saveAuthorization(globalAuth);

  processEngineConfiguration.setAuthorizationEnabled(true);

  assertNull(identityService.createUserQuery().singleResult());
  assertEquals(0, identityService.createUserQuery().count());

  // 2) grant READ on USER to jonny2
  processEngineConfiguration.setAuthorizationEnabled(false);
  Authorization userGrant = authorizationService.createNewAuthorization(AUTH_TYPE_GRANT);
  userGrant.setUserId(authUserId);
  userGrant.setResource(USER);
  userGrant.setResourceId(ANY);
  userGrant.addPermission(READ);
  authorizationService.saveAuthorization(userGrant);
  processEngineConfiguration.setAuthorizationEnabled(true);

  assertNotNull(identityService.createUserQuery().singleResult());
  assertEquals(1, identityService.createUserQuery().count());

  // 3) add READ to the global authorization (looked up with user id "*")
  processEngineConfiguration.setAuthorizationEnabled(false);
  Authorization storedGlobal =
      authorizationService.createAuthorizationQuery().resourceType(USER).userIdIn("*").singleResult();
  storedGlobal.addPermission(READ);
  authorizationService.saveAuthorization(storedGlobal);
  processEngineConfiguration.setAuthorizationEnabled(true);

  assertNotNull(identityService.createUserQuery().singleResult());
  assertEquals(1, identityService.createUserQuery().count());

  // 4) take READ out of jonny2's grant and add an explicit REVOKE of READ for jonny2
  processEngineConfiguration.setAuthorizationEnabled(false);
  Authorization storedGrant =
      authorizationService.createAuthorizationQuery().resourceType(USER).userIdIn(authUserId).singleResult();
  storedGrant.removePermission(READ);
  authorizationService.saveAuthorization(storedGrant);

  Authorization userRevoke = authorizationService.createNewAuthorization(AUTH_TYPE_REVOKE);
  userRevoke.setUserId(authUserId);
  userRevoke.setResource(USER);
  userRevoke.setResourceId(ANY);
  userRevoke.removePermission(READ);
  authorizationService.saveAuthorization(userRevoke);
  processEngineConfiguration.setAuthorizationEnabled(true);

  // the user-level revoke hides the user even though the global authorization grants READ
  assertNull(identityService.createUserQuery().singleResult());
  assertEquals(0, identityService.createUserQuery().count());

  // 5) delete both user-level authorizations
  processEngineConfiguration.setAuthorizationEnabled(false);
  authorizationService.deleteAuthorization(storedGrant.getId());
  authorizationService.deleteAuthorization(userRevoke.getId());
  // NOTE(review): checks stay enabled when this method returns; presumably the fixture's
  // tearDown resets the engine configuration - confirm.
  processEngineConfiguration.setAuthorizationEnabled(true);

  // only the global authorization is left, and it grants READ
  assertNotNull(identityService.createUserQuery().singleResult());
  assertEquals(1, identityService.createUserQuery().count());
}
Example 19
Source File: AuthorizationServiceWithEnabledAuthorizationTest.java From camunda-bpm-platform with Apache License 2.0 | 4 votes |
/**
 * Verifies that a group-level REVOKE of READ overrides the GLOBAL grant of ALL for whoever is
 * checked with that group in the supplied group list.
 *
 * <p>Security note: the assertions show that the group revoke is evaluated only when the
 * caller passes the group ids to {@code isUserAuthorized}. With {@code null} groups the same
 * user is authorized through the global grant, so callers must supply the user's groups for
 * group-level revokes to take effect.
 */
public void testGroupOverrideGlobalGrantAuthorizationCheck() {
  Resource resource = TestResource.RESOURCE1;

  // global: every user gets ALL permissions on the resource
  Authorization everyoneAll = authorizationService.createNewAuthorization(AUTH_TYPE_GLOBAL);
  everyoneAll.setResource(resource);
  everyoneAll.setResourceId(ANY);
  everyoneAll.addPermission(ALL);
  authorizationService.saveAuthorization(everyoneAll);

  // group level: READ is revoked for members of "sales"
  Authorization salesNoRead = authorizationService.createNewAuthorization(AUTH_TYPE_REVOKE);
  salesNoRead.setGroupId("sales");
  salesNoRead.setResource(resource);
  salesNoRead.setResourceId(ANY);
  salesNoRead.removePermission(READ);
  authorizationService.saveAuthorization(salesNoRead);

  List<String> salesAndMarketing = Arrays.asList("sales", "marketing");
  List<String> marketingOnly = Collections.singletonList("marketing");

  // checked with his groups, jonny does not satisfy ALL ...
  assertFalse(authorizationService.isUserAuthorized("jonny", salesAndMarketing, ALL, resource));
  // ... checked without groups, he does
  assertTrue(authorizationService.isUserAuthorized("jonny", null, ALL, resource));

  // checked with his groups, jonny cannot read ...
  assertFalse(authorizationService.isUserAuthorized("jonny", salesAndMarketing, READ, resource));
  // ... checked without groups, he can
  assertTrue(authorizationService.isUserAuthorized("jonny", null, READ, resource));

  // someone who is in "marketing" but not in "sales" is covered by the global grant
  assertTrue(authorizationService.isUserAuthorized("someone else", marketingOnly, ALL, resource));
  assertTrue(authorizationService.isUserAuthorized("someone else", marketingOnly, READ, resource));
  assertTrue(authorizationService.isUserAuthorized("someone else", null, ALL, resource));
  assertTrue(authorizationService.isUserAuthorized("someone else", null, READ, resource));

  // the same person would be denied if checked with jonny's groups
  assertFalse(authorizationService.isUserAuthorized("someone else", salesAndMarketing, ALL, resource));
  assertFalse(authorizationService.isUserAuthorized("someone else", salesAndMarketing, READ, resource));

  // the revoke is limited to READ: jonny can still delete
  assertTrue(authorizationService.isUserAuthorized("jonny", salesAndMarketing, DELETE, resource));
  assertTrue(authorizationService.isUserAuthorized("jonny", null, DELETE, resource));
}
Example 20
Source File: IdentityServiceAuthorizationsTest.java From camunda-bpm-platform with Apache License 2.0 | 4 votes |
/**
 * Walks a tenant query through five authorization states for the authenticated user jonny2
 * and checks the result count each time: empty global authorization (0), user GRANT of READ
 * (1), global READ added (1), user REVOKE of READ (0 although the global authorization grants
 * READ), and finally both user-level authorizations deleted (1 again through the global
 * authorization).
 *
 * <p>Authorization checks are switched off around every change to the authorizations
 * themselves and switched back on before each query.
 */
public void testTenantQueryAuthorizations() {
  // act as jonny2
  String authUserId = "jonny2";
  identityService.setAuthenticatedUserId(authUserId);

  // fixture data: one user and the tenant that the queries below try to read
  User otherUser = identityService.newUser("jonny1");
  identityService.saveUser(otherUser);

  Tenant targetTenant = identityService.newTenant("tenant");
  identityService.saveTenant(targetTenant);

  // 1) global authorization on TENANT with no permission added: nobody may read tenants
  Authorization globalAuth = authorizationService.createNewAuthorization(AUTH_TYPE_GLOBAL);
  globalAuth.setResource(TENANT);
  globalAuth.setResourceId(ANY);
  authorizationService.saveAuthorization(globalAuth);

  processEngineConfiguration.setAuthorizationEnabled(true);

  assertEquals(0, identityService.createTenantQuery().count());

  // 2) grant READ on TENANT to jonny2
  processEngineConfiguration.setAuthorizationEnabled(false);
  Authorization userGrant = authorizationService.createNewAuthorization(AUTH_TYPE_GRANT);
  userGrant.setUserId(authUserId);
  userGrant.setResource(TENANT);
  userGrant.setResourceId(ANY);
  userGrant.addPermission(READ);
  authorizationService.saveAuthorization(userGrant);
  processEngineConfiguration.setAuthorizationEnabled(true);

  assertEquals(1, identityService.createTenantQuery().count());

  // 3) add READ to the global authorization (looked up with user id "*")
  processEngineConfiguration.setAuthorizationEnabled(false);
  Authorization storedGlobal =
      authorizationService.createAuthorizationQuery().resourceType(TENANT).userIdIn("*").singleResult();
  storedGlobal.addPermission(READ);
  authorizationService.saveAuthorization(storedGlobal);
  processEngineConfiguration.setAuthorizationEnabled(true);

  assertEquals(1, identityService.createTenantQuery().count());

  // 4) take READ out of jonny2's grant and add an explicit REVOKE of READ for jonny2
  processEngineConfiguration.setAuthorizationEnabled(false);
  Authorization storedGrant =
      authorizationService.createAuthorizationQuery().resourceType(TENANT).userIdIn(authUserId).singleResult();
  storedGrant.removePermission(READ);
  authorizationService.saveAuthorization(storedGrant);

  Authorization userRevoke = authorizationService.createNewAuthorization(AUTH_TYPE_REVOKE);
  userRevoke.setUserId(authUserId);
  userRevoke.setResource(TENANT);
  userRevoke.setResourceId(ANY);
  userRevoke.removePermission(READ);
  authorizationService.saveAuthorization(userRevoke);
  processEngineConfiguration.setAuthorizationEnabled(true);

  // the user-level revoke hides the tenant even though the global authorization grants READ
  assertEquals(0, identityService.createTenantQuery().count());

  // 5) delete both user-level authorizations
  processEngineConfiguration.setAuthorizationEnabled(false);
  authorizationService.deleteAuthorization(storedGrant.getId());
  authorizationService.deleteAuthorization(userRevoke.getId());
  // NOTE(review): checks stay enabled when this method returns; presumably the fixture's
  // tearDown resets the engine configuration - confirm.
  processEngineConfiguration.setAuthorizationEnabled(true);

  // only the global authorization is left, and it grants READ
  assertEquals(1, identityService.createTenantQuery().count());
}