/**
* Is a user authorized to add, edit or delete a downtime over the passed SEs?
* @param Array $ses An array of Service objects
* @param \User $user The user making the request
*/
public function authorization($ses, \User $user = null)
{
if (is_null($user)) {
throw new \Exception("Unregistered users can't edit a downtime.");
}
require_once __DIR__ . '/ServiceService.php';
$serviceService = new \org\gocdb\services\ServiceService();
$serviceService->setEntityManager($this->em);
foreach ($ses as $se) {
if (count($serviceService->authorizeAction(\Action::EDIT_OBJECT, $se, $user)) == 0) {
throw new \Exception("You do not have permission over {$se}.");
}
}
}
/**
* Persist some seed data - roletypes, user, Project, NGI, sites and SEs and
* assert that the user has the expected number of roles that grant specific
* actions over the owned objects. For example, assert that the user has 'n'
* number of roles that allow a particular site to be edited, or 'n' number
* of roles that allow an NGI certification status change.
*/
public function testAuthorizeAction1()
{
print __METHOD__ . "\n";
// Create roletypes
$siteAdminRT = TestUtil::createSampleRoleType(RoleTypeName::SITE_ADMIN);
$ngiManRT = TestUtil::createSampleRoleType(RoleTypeName::NGI_OPS_MAN);
$rodRT = TestUtil::createSampleRoleType(RoleTypeName::REG_STAFF_ROD);
$codRT = TestUtil::createSampleRoleType(RoleTypeName::COD_ADMIN);
$this->em->persist($siteAdminRT);
// edit site1 (but not cert status)
$this->em->persist($ngiManRT);
// edit owned site1/site2 and cert status
$this->em->persist($rodRT);
// edit owned sites 1and2 (but not cert status)
$this->em->persist($codRT);
// edit all sites cert status only
// Create a user
$u = TestUtil::createSampleUser("Test", "Testing", "/c=test");
$this->em->persist($u);
// Create a linked object graph
// NGI->Site1->SE
// |->Site2
$ngi = TestUtil::createSampleNGI("MYNGI");
$this->em->persist($ngi);
$site1 = TestUtil::createSampleSite("SITENAME");
//$site1->setNgiDoJoin($ngi);
$ngi->addSiteDoJoin($site1);
$this->em->persist($site1);
$se1 = TestUtil::createSampleService('somelabel');
$site1->addServiceDoJoin($se1);
$this->em->persist($se1);
$site2_userHasNoDirectRole = TestUtil::createSampleSite("SITENAME_2");
$ngi->addSiteDoJoin($site2_userHasNoDirectRole);
//$site2_userHasNoDirectRole->setNgiDoJoin($ngi);
$this->em->persist($site2_userHasNoDirectRole);
// Create ngiManagerRole, ngiUserRole, siteAdminRole and link user and owned entities
$ngiManagerRole = TestUtil::createSampleRole($u, $ngiManRT, $ngi, RoleStatus::GRANTED);
$this->em->persist($ngiManagerRole);
$rodUserRole = TestUtil::createSampleRole($u, $rodRT, $ngi, RoleStatus::GRANTED);
$this->em->persist($rodUserRole);
$siteAdminRole = TestUtil::createSampleRole($u, $siteAdminRT, $site1, RoleStatus::GRANTED);
$this->em->persist($siteAdminRole);
$this->em->flush();
// ********MUST******** start a new connection to test transactional
// isolation of RoleService methods.
$em = $this->createEntityManager();
$siteService = new org\gocdb\services\Site();
$siteService->setEntityManager($em);
// Assert user can edit site using 3 enabling roles
$enablingRoles = $siteService->authorizeAction(\Action::EDIT_OBJECT, $site1, $u);
$this->assertEquals(3, count($enablingRoles));
$this->assertTrue(in_array(\RoleTypeName::SITE_ADMIN, $enablingRoles));
$this->assertTrue(in_array(\RoleTypeName::NGI_OPS_MAN, $enablingRoles));
$this->assertTrue(in_array(\RoleTypeName::REG_STAFF_ROD, $enablingRoles));
// Assert user can only edit cert status through his NGI_OPS_MAN role
$enablingRoles = $siteService->authorizeAction(\Action::SITE_EDIT_CERT_STATUS, $site1, $u);
$this->assertEquals(1, count($enablingRoles));
$this->assertTrue(in_array(\RoleTypeName::NGI_OPS_MAN, $enablingRoles));
// Add a new project and link ngi and give user COD_ADMIN Project role (use $this->em to isolate)
// Project->NGI->Site1->SE
// |->Site2
$proj = new Project('EGI project');
$proj->addNgi($ngi);
//$ngi->addProject($proj); // not strictly needed
$this->em->persist($proj);
$codRole = TestUtil::createSampleRole($u, $codRT, $proj, RoleStatus::GRANTED);
$this->em->persist($codRole);
$this->em->flush();
// Assert user now has 2 roles that enable SITE_EDIT_CERT_STATUS change action
$enablingRoles = $siteService->authorizeAction(\Action::SITE_EDIT_CERT_STATUS, $site1, $u);
$this->assertEquals(2, count($enablingRoles));
$this->assertTrue(in_array(\RoleTypeName::NGI_OPS_MAN, $enablingRoles));
$this->assertTrue(in_array(\RoleTypeName::COD_ADMIN, $enablingRoles));
// Assert user can edit SE using SITE_ADMIN, NGI_OPS_MAN, REG_STAFF_ROD roles (but not COD role)
$seService = new org\gocdb\services\ServiceService();
$seService->setEntityManager($em);
$enablingRoles = $seService->authorizeAction(\Action::EDIT_OBJECT, $se1, $u);
$this->assertEquals(3, count($enablingRoles));
$this->assertTrue(in_array(\RoleTypeName::SITE_ADMIN, $enablingRoles));
$this->assertTrue(in_array(\RoleTypeName::NGI_OPS_MAN, $enablingRoles));
$this->assertTrue(in_array(\RoleTypeName::REG_STAFF_ROD, $enablingRoles));
// Assert User can only edit Site2 through his 2 indirect ngi roles
// (user don't have any direct site level roles on this site and COD don't give edit perm)
$enablingRoles = $siteService->authorizeAction(\Action::EDIT_OBJECT, $site2_userHasNoDirectRole, $u);
$this->assertEquals(2, count($enablingRoles));
$this->assertTrue(in_array(\RoleTypeName::NGI_OPS_MAN, $enablingRoles));
$this->assertTrue(in_array(\RoleTypeName::REG_STAFF_ROD, $enablingRoles));
// Delete the user's Project COD role
$this->em->remove($codRole);
$this->em->flush();
// Assert user can only SITE_EDIT_CERT_STATUS through 1 role for both sites
$enablingRoles = $siteService->authorizeAction(\Action::SITE_EDIT_CERT_STATUS, $site2_userHasNoDirectRole, $u);
$this->assertEquals(1, count($enablingRoles));
$this->assertTrue(in_array(\RoleTypeName::NGI_OPS_MAN, $enablingRoles));
$enablingRoles = $siteService->authorizeAction(\Action::SITE_EDIT_CERT_STATUS, $site1, $u);
$this->assertEquals(1, count($enablingRoles));
$this->assertTrue(in_array(\RoleTypeName::NGI_OPS_MAN, $enablingRoles));
// Delete the user's NGI manager role
$this->em->remove($ngiManagerRole);
$this->em->flush();
// Assert user can't edit site2 cert status
$enablingRoles = $siteService->authorizeAction(\Action::SITE_EDIT_CERT_STATUS, $site2_userHasNoDirectRole, $u);
$this->assertEquals(0, count($enablingRoles));
// Assert user can still edit site via his ROD role
$enablingRoles = $siteService->authorizeAction(\Action::EDIT_OBJECT, $site2_userHasNoDirectRole, $u);
$this->assertEquals(1, count($enablingRoles));
$this->assertTrue(in_array(\RoleTypeName::REG_STAFF_ROD, $enablingRoles));
// Delete the user's NGI ROD role
$this->em->remove($rodUserRole);
$this->em->flush();
// User can't edit site2
$enablingRoles = $siteService->authorizeAction(\Action::EDIT_OBJECT, $site2_userHasNoDirectRole, $u);
$this->assertEquals(0, count($enablingRoles));
// Assert user can still edit SITE1 through his direct site level role (this role has not been deleted)
$enablingRoles = $siteService->authorizeAction(\Action::EDIT_OBJECT, $site1, $u);
$this->assertEquals(1, count($enablingRoles));
$this->assertTrue(in_array(\RoleTypeName::SITE_ADMIN, $enablingRoles));
// Delete user's remaining Site role
$this->em->remove($siteAdminRole);
$this->em->flush();
// User can't edit site1
$enablingRoles = $siteService->authorizeAction(\Action::EDIT_OBJECT, $site1, $u);
$this->assertEquals(0, count($enablingRoles));
}
