use of org.camunda.bpm.engine.authorization.Authorization in project camunda-bpm-platform by camunda.
the class AuthorizationServiceAuthorizationsTest method testUserUpdateAuthorizations.
/**
 * Verifies that a global authorization on the AUTHORIZATION resource which carries every
 * permission except UPDATE stops the authenticated user from modifying an existing
 * authorization, while CREATE (still granted) lets the same user persist a brand-new one.
 * The reported {@link MissingAuthorization} must name UPDATE on the touched authorization.
 */
public void testUserUpdateAuthorizations() {
  // global authorization: everything on AUTHORIZATION, then take UPDATE away again
  Authorization globalAuth = authorizationService.createNewAuthorization(AUTH_TYPE_GLOBAL);
  globalAuth.setResource(AUTHORIZATION);
  globalAuth.setResourceId(ANY);
  globalAuth.addPermission(ALL);
  globalAuth.removePermission(UPDATE);
  authorizationService.saveAuthorization(globalAuth);

  // enable checks and act as jonny2 from here on
  processEngineConfiguration.setAuthorizationEnabled(true);
  identityService.setAuthenticatedUserId(jonny2);

  // re-read the persisted authorization and attempt to widen it
  Authorization fetched = authorizationService.createAuthorizationQuery().singleResult();
  fetched.addPermission(ALL);
  try {
    authorizationService.saveAuthorization(fetched);
    fail("exception expected");
  } catch (AuthorizationException ex) {
    // exactly one missing permission is reported: UPDATE on this specific authorization
    assertEquals(1, ex.getMissingAuthorizations().size());
    assertEquals(jonny2, ex.getUserId());
    MissingAuthorization missing = ex.getMissingAuthorizations().get(0);
    assertExceptionInfo(UPDATE.getName(), AUTHORIZATION.resourceName(), fetched.getId(), missing);
  }

  // CREATE was never revoked, so a new grant authorization can still be saved
  Authorization grant = authorizationService.createNewAuthorization(AUTH_TYPE_GRANT);
  grant.setUserId("jonny2");
  grant.setResource(AUTHORIZATION);
  grant.setResourceId(ANY);
  grant.addPermission(ALL);
  authorizationService.saveAuthorization(grant);
}
use of org.camunda.bpm.engine.authorization.Authorization in project camunda-bpm-platform by camunda.
the class AuthorizationServiceAuthorizationsTest method testCreateAuthorization.
/**
 * Verifies that revoking CREATE on the AUTHORIZATION resource blocks both entry points for
 * introducing an authorization: {@code createNewAuthorization} itself and
 * {@code saveAuthorization} of a transient entity built without going through the service.
 * Both failures must report exactly one missing CREATE permission with no resource id.
 */
public void testCreateAuthorization() {
  // global authorization: everything on AUTHORIZATION except CREATE
  Authorization globalAuth = authorizationService.createNewAuthorization(AUTH_TYPE_GLOBAL);
  globalAuth.setResource(AUTHORIZATION);
  globalAuth.setResourceId(ANY);
  globalAuth.addPermission(ALL);
  globalAuth.removePermission(CREATE);
  authorizationService.saveAuthorization(globalAuth);

  // enable checks and act as jonny2
  processEngineConfiguration.setAuthorizationEnabled(true);
  identityService.setAuthenticatedUserId(jonny2);

  // first entry point: the service factory method is itself guarded by CREATE
  try {
    authorizationService.createNewAuthorization(AUTH_TYPE_GLOBAL);
    fail("exception expected");
  } catch (AuthorizationException ex) {
    assertEquals(1, ex.getMissingAuthorizations().size());
    assertEquals(jonny2, ex.getUserId());
    MissingAuthorization missing = ex.getMissingAuthorizations().get(0);
    assertExceptionInfo(CREATE.getName(), AUTHORIZATION.resourceName(), null, missing);
  }

  // second entry point: instantiate the entity directly, bypassing the factory check,
  // and confirm that persisting it is still rejected for lack of CREATE
  Authorization transientRevoke = new AuthorizationEntity(AUTH_TYPE_REVOKE);
  transientRevoke.setUserId("someUserId");
  transientRevoke.setResource(Resources.APPLICATION);
  try {
    authorizationService.saveAuthorization(transientRevoke);
    fail("exception expected");
  } catch (AuthorizationException ex) {
    assertEquals(1, ex.getMissingAuthorizations().size());
    assertEquals(jonny2, ex.getUserId());
    MissingAuthorization missing = ex.getMissingAuthorizations().get(0);
    assertExceptionInfo(CREATE.getName(), AUTHORIZATION.resourceName(), null, missing);
  }
}
use of org.camunda.bpm.engine.authorization.Authorization in project camunda-bpm-platform by camunda.
the class AuthorizationServiceAuthorizationsTest method testAuthorizationQueryAuthorizations.
/**
 * Verifies that the authorization query itself is subject to authorization checks: a global
 * authorization on the AUTHORIZATION resource with no permission added is visible while
 * checks are disabled and hidden from the authenticated user once they are enabled.
 */
public void testAuthorizationQueryAuthorizations() {
  // act as jonny2
  String jonny = "jonny2";
  identityService.setAuthenticatedUserId(jonny);

  // global authorization on AUTHORIZATION that grants nothing (no addPermission call),
  // so READ on authorizations is not available once checks are on
  Authorization emptyGlobal = authorizationService.createNewAuthorization(AUTH_TYPE_GLOBAL);
  emptyGlobal.setResource(AUTHORIZATION);
  emptyGlobal.setResourceId(ANY);
  authorizationService.saveAuthorization(emptyGlobal);

  // checks disabled: the row is returned
  long visibleBefore = authorizationService.createAuthorizationQuery().count();
  assertEquals(1, visibleBefore);

  // checks enabled: the same query returns nothing for jonny2
  processEngineConfiguration.setAuthorizationEnabled(true);
  long visibleAfter = authorizationService.createAuthorizationQuery().count();
  assertEquals(0, visibleAfter);
}
use of org.camunda.bpm.engine.authorization.Authorization in project camunda-bpm-platform by camunda.
the class AuthorizationServiceWithEnabledAuthorizationTest method testGroupOverrideGlobalGrantAuthorizationCheck.
/**
 * Verifies that a group-level REVOKE of READ overrides a global grant of ALL only for users
 * evaluated with that group: "jonny" loses ALL and READ when queried with his groups
 * (which include "sales") but keeps them when queried without groups, a user in "marketing"
 * only is unaffected, and DELETE stays granted to everyone in every variant.
 */
public void testGroupOverrideGlobalGrantAuthorizationCheck() {
  TestResource resource = new TestResource("resource1", 100);

  // global authorization: ALL permissions on resource1 for everybody
  Authorization grantAll = authorizationService.createNewAuthorization(AUTH_TYPE_GLOBAL);
  grantAll.setResource(resource);
  grantAll.setResourceId(ANY);
  grantAll.addPermission(ALL);
  authorizationService.saveAuthorization(grantAll);

  // group "sales" additionally loses READ on resource1
  Authorization salesRevoke = authorizationService.createNewAuthorization(AUTH_TYPE_REVOKE);
  salesRevoke.setGroupId("sales");
  salesRevoke.setResource(resource);
  salesRevoke.setResourceId(ANY);
  salesRevoke.removePermission(READ);
  authorizationService.saveAuthorization(salesRevoke);

  List<String> groupsOfJonny = Arrays.asList("sales", "marketing");
  List<String> marketingOnly = Collections.singletonList("marketing");

  // with his groups jonny no longer holds ALL nor READ ...
  assertFalse(authorizationService.isUserAuthorized("jonny", groupsOfJonny, ALL, resource));
  assertFalse(authorizationService.isUserAuthorized("jonny", groupsOfJonny, READ, resource));
  // ... but without groups the group revoke does not apply to him
  assertTrue(authorizationService.isUserAuthorized("jonny", null, ALL, resource));
  assertTrue(authorizationService.isUserAuthorized("jonny", null, READ, resource));

  // a user in "marketing" but not "sales" keeps the global grant, with or without groups
  assertTrue(authorizationService.isUserAuthorized("someone else", marketingOnly, ALL, resource));
  assertTrue(authorizationService.isUserAuthorized("someone else", marketingOnly, READ, resource));
  assertTrue(authorizationService.isUserAuthorized("someone else", null, ALL, resource));
  assertTrue(authorizationService.isUserAuthorized("someone else", null, READ, resource));

  // the revoke follows the group, not the user: the same user in jonny's groups is denied too
  assertFalse(authorizationService.isUserAuthorized("someone else", groupsOfJonny, ALL, resource));
  assertFalse(authorizationService.isUserAuthorized("someone else", groupsOfJonny, READ, resource));

  // DELETE was never revoked, so jonny keeps it in both variants
  assertTrue(authorizationService.isUserAuthorized("jonny", groupsOfJonny, DELETE, resource));
  assertTrue(authorizationService.isUserAuthorized("jonny", null, DELETE, resource));
}
use of org.camunda.bpm.engine.authorization.Authorization in project camunda-bpm-platform by camunda.
the class AuthorizationServiceWithEnabledAuthorizationTest method testUserOverrideGlobalGrantAuthorizationCheck.
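/**
 * Verifies that a user-level REVOKE of READ overrides a global grant of ALL for that user
 * regardless of how he is queried (with or without groups), that an unrelated user keeps the
 * global grant in both variants, and that DELETE — never revoked — stays granted to "jonny".
 *
 * <p>The "someone else" section previously asserted the same two combinations twice
 * ({@code null, ALL} and {@code someOneElsesGroups, READ}); it now covers all four
 * user/group × permission combinations, mirroring the group-override test.
 */
public void testUserOverrideGlobalGrantAuthorizationCheck() {
  TestResource resource1 = new TestResource("resource1", 100);

  // global authorization: ALL permissions on resource1 for everybody
  Authorization globalGrant = authorizationService.createNewAuthorization(AUTH_TYPE_GLOBAL);
  globalGrant.setResource(resource1);
  globalGrant.setResourceId(ANY);
  globalGrant.addPermission(ALL);
  authorizationService.saveAuthorization(globalGrant);

  // user "jonny" additionally loses READ on resource1
  Authorization localRevoke = authorizationService.createNewAuthorization(AUTH_TYPE_REVOKE);
  localRevoke.setUserId("jonny");
  localRevoke.setResource(resource1);
  localRevoke.setResourceId(ANY);
  localRevoke.removePermission(READ);
  authorizationService.saveAuthorization(localRevoke);

  List<String> jonnysGroups = Arrays.asList("sales", "marketing");
  List<String> someOneElsesGroups = Collections.singletonList("marketing");

  // the user-level revoke binds to jonny himself, so groups make no difference: no ALL ...
  assertFalse(authorizationService.isUserAuthorized("jonny", null, ALL, resource1));
  assertFalse(authorizationService.isUserAuthorized("jonny", jonnysGroups, ALL, resource1));
  // ... and no READ
  assertFalse(authorizationService.isUserAuthorized("jonny", null, READ, resource1));
  assertFalse(authorizationService.isUserAuthorized("jonny", jonnysGroups, READ, resource1));

  // an unrelated user keeps the global grant for ALL and READ, with and without groups
  assertTrue(authorizationService.isUserAuthorized("someone else", null, ALL, resource1));
  assertTrue(authorizationService.isUserAuthorized("someone else", someOneElsesGroups, ALL, resource1));
  assertTrue(authorizationService.isUserAuthorized("someone else", null, READ, resource1));
  assertTrue(authorizationService.isUserAuthorized("someone else", someOneElsesGroups, READ, resource1));

  // DELETE was never revoked, so jonny keeps it in both variants
  assertTrue(authorizationService.isUserAuthorized("jonny", null, DELETE, resource1));
  assertTrue(authorizationService.isUserAuthorized("jonny", jonnysGroups, DELETE, resource1));
}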