/**
* @expectedException \Doctrine\ORM\ORMInvalidArgumentException
*/
public function testShowMergeIsRequiredBetweenDifferentPersistenceCtxt()
{
print __METHOD__ . "\n";
// User
$u = TestUtil::createSampleUser("Test", "Testing", "/c=test");
$regFLSupportRT = TestUtil::createSampleRoleType(RoleTypeName::REG_FIRST_LINE_SUPPORT);
$this->em->persist($u);
$this->em->persist($regFLSupportRT);
$this->em->flush();
// If we create a new $this->em as below, we would need to merge detatched $u
// and $regFLSupportRT entities back into this persistence context
// before we can call a persist again (a persist on these entities
// called either by a CASCADE or direct call)!
$this->em = $this->createEntityManager();
// simply requires bootstrap_doctrine.php
//$u = $this->em->merge($u);
//$regFLSupportRT = $this->em->merge($regFLSupportRT);
// Create new NGI
$n = TestUtil::createSampleNGI("MYNGI");
$this->em->persist($n);
$roleNgi = TestUtil::createSampleRole($u, $regFLSupportRT, $n, RoleStatus::GRANTED);
$this->em->persist($roleNgi);
// the flush below is what causes the expected exception
$this->em->flush();
}
$this->em->persist($service2);
$this->em->persist($certStatusLog1);
$this->em->persist($certStatusLog2);
$this->em->persist($endpoint1);
$this->em->persist($downtime1);
$this->em->persist($downtime2);
// Create some roles and link to the user, role type and ngi
// roles on ngi
$ngiRole1 = TestUtil::createSampleRole($userWithRoles, $roleType1, $ngi, RoleStatus::GRANTED);
$ngiRole2 = TestUtil::createSampleRole($userWithRoles, $roleType2, $ngi, RoleStatus::GRANTED);
// roles on site1
$site1Role1 = TestUtil::createSampleRole($userWithRoles, $roleType1, $site1, RoleStatus::GRANTED);
$site1Role2 = TestUtil::createSampleRole($userWithRoles, $roleType2, $site1, RoleStatus::GRANTED);
// roles on site2
$site2Role1 = TestUtil::createSampleRole($userWithRoles, $roleType1, $site2, RoleStatus::GRANTED);
$site2Role2 = TestUtil::createSampleRole($userWithRoles, $roleType2, $site2, RoleStatus::GRANTED);
$this->em->persist($ngiRole1);
$this->em->persist($ngiRole2);
$this->em->persist($site1Role1);
$this->em->persist($site1Role2);
$this->em->persist($site2Role1);
$this->em->persist($site2Role2);
$this->em->flush();
// Assert fixture data is setup correctly in the DB.
$testConn = $this->getConnection();
$result = $testConn->createQueryTable('results_table', "SELECT * FROM Users");
$this->assertTrue($result->getRowCount() == 1);
$result = $testConn->createQueryTable('results_table', "SELECT * FROM Roles");
$this->assertTrue($result->getRowCount() == 6);
$result = $testConn->createQueryTable('results_table', "SELECT * FROM NGIs");
$this->assertTrue($result->getRowCount() == 1);
/**
* Persist some seed data - roletypes, user, Project, NGI, sites and SEs and
* assert that the user has the expected number of roles that grant specific
* actions over the owned objects. For example, assert that the user has 'n'
* number of roles that allow a particular site to be edited, or 'n' number
* of roles that allow an NGI certification status change.
*/
public function testAuthorizeAction1()
{
print __METHOD__ . "\n";
// Create roletypes
$siteAdminRT = TestUtil::createSampleRoleType(RoleTypeName::SITE_ADMIN);
$ngiManRT = TestUtil::createSampleRoleType(RoleTypeName::NGI_OPS_MAN);
$rodRT = TestUtil::createSampleRoleType(RoleTypeName::REG_STAFF_ROD);
$codRT = TestUtil::createSampleRoleType(RoleTypeName::COD_ADMIN);
$this->em->persist($siteAdminRT);
// edit site1 (but not cert status)
$this->em->persist($ngiManRT);
// edit owned site1/site2 and cert status
$this->em->persist($rodRT);
// edit owned sites 1and2 (but not cert status)
$this->em->persist($codRT);
// edit all sites cert status only
// Create a user
$u = TestUtil::createSampleUser("Test", "Testing", "/c=test");
$this->em->persist($u);
// Create a linked object graph
// NGI->Site1->SE
// |->Site2
$ngi = TestUtil::createSampleNGI("MYNGI");
$this->em->persist($ngi);
$site1 = TestUtil::createSampleSite("SITENAME");
//$site1->setNgiDoJoin($ngi);
$ngi->addSiteDoJoin($site1);
$this->em->persist($site1);
$se1 = TestUtil::createSampleService('somelabel');
$site1->addServiceDoJoin($se1);
$this->em->persist($se1);
$site2_userHasNoDirectRole = TestUtil::createSampleSite("SITENAME_2");
$ngi->addSiteDoJoin($site2_userHasNoDirectRole);
//$site2_userHasNoDirectRole->setNgiDoJoin($ngi);
$this->em->persist($site2_userHasNoDirectRole);
// Create ngiManagerRole, ngiUserRole, siteAdminRole and link user and owned entities
$ngiManagerRole = TestUtil::createSampleRole($u, $ngiManRT, $ngi, RoleStatus::GRANTED);
$this->em->persist($ngiManagerRole);
$rodUserRole = TestUtil::createSampleRole($u, $rodRT, $ngi, RoleStatus::GRANTED);
$this->em->persist($rodUserRole);
$siteAdminRole = TestUtil::createSampleRole($u, $siteAdminRT, $site1, RoleStatus::GRANTED);
$this->em->persist($siteAdminRole);
$this->em->flush();
// ********MUST******** start a new connection to test transactional
// isolation of RoleService methods.
$em = $this->createEntityManager();
$siteService = new org\gocdb\services\Site();
$siteService->setEntityManager($em);
// Assert user can edit site using 3 enabling roles
$enablingRoles = $siteService->authorizeAction(\Action::EDIT_OBJECT, $site1, $u);
$this->assertEquals(3, count($enablingRoles));
$this->assertTrue(in_array(\RoleTypeName::SITE_ADMIN, $enablingRoles));
$this->assertTrue(in_array(\RoleTypeName::NGI_OPS_MAN, $enablingRoles));
$this->assertTrue(in_array(\RoleTypeName::REG_STAFF_ROD, $enablingRoles));
// Assert user can only edit cert status through his NGI_OPS_MAN role
$enablingRoles = $siteService->authorizeAction(\Action::SITE_EDIT_CERT_STATUS, $site1, $u);
$this->assertEquals(1, count($enablingRoles));
$this->assertTrue(in_array(\RoleTypeName::NGI_OPS_MAN, $enablingRoles));
// Add a new project and link ngi and give user COD_ADMIN Project role (use $this->em to isolate)
// Project->NGI->Site1->SE
// |->Site2
$proj = new Project('EGI project');
$proj->addNgi($ngi);
//$ngi->addProject($proj); // not strictly needed
$this->em->persist($proj);
$codRole = TestUtil::createSampleRole($u, $codRT, $proj, RoleStatus::GRANTED);
$this->em->persist($codRole);
$this->em->flush();
// Assert user now has 2 roles that enable SITE_EDIT_CERT_STATUS change action
$enablingRoles = $siteService->authorizeAction(\Action::SITE_EDIT_CERT_STATUS, $site1, $u);
$this->assertEquals(2, count($enablingRoles));
$this->assertTrue(in_array(\RoleTypeName::NGI_OPS_MAN, $enablingRoles));
$this->assertTrue(in_array(\RoleTypeName::COD_ADMIN, $enablingRoles));
// Assert user can edit SE using SITE_ADMIN, NGI_OPS_MAN, REG_STAFF_ROD roles (but not COD role)
$seService = new org\gocdb\services\ServiceService();
$seService->setEntityManager($em);
$enablingRoles = $seService->authorizeAction(\Action::EDIT_OBJECT, $se1, $u);
$this->assertEquals(3, count($enablingRoles));
$this->assertTrue(in_array(\RoleTypeName::SITE_ADMIN, $enablingRoles));
$this->assertTrue(in_array(\RoleTypeName::NGI_OPS_MAN, $enablingRoles));
$this->assertTrue(in_array(\RoleTypeName::REG_STAFF_ROD, $enablingRoles));
// Assert User can only edit Site2 through his 2 indirect ngi roles
// (user don't have any direct site level roles on this site and COD don't give edit perm)
$enablingRoles = $siteService->authorizeAction(\Action::EDIT_OBJECT, $site2_userHasNoDirectRole, $u);
$this->assertEquals(2, count($enablingRoles));
$this->assertTrue(in_array(\RoleTypeName::NGI_OPS_MAN, $enablingRoles));
$this->assertTrue(in_array(\RoleTypeName::REG_STAFF_ROD, $enablingRoles));
// Delete the user's Project COD role
$this->em->remove($codRole);
$this->em->flush();
// Assert user can only SITE_EDIT_CERT_STATUS through 1 role for both sites
$enablingRoles = $siteService->authorizeAction(\Action::SITE_EDIT_CERT_STATUS, $site2_userHasNoDirectRole, $u);
$this->assertEquals(1, count($enablingRoles));
$this->assertTrue(in_array(\RoleTypeName::NGI_OPS_MAN, $enablingRoles));
$enablingRoles = $siteService->authorizeAction(\Action::SITE_EDIT_CERT_STATUS, $site1, $u);
$this->assertEquals(1, count($enablingRoles));
$this->assertTrue(in_array(\RoleTypeName::NGI_OPS_MAN, $enablingRoles));
// Delete the user's NGI manager role
$this->em->remove($ngiManagerRole);
$this->em->flush();
// Assert user can't edit site2 cert status
$enablingRoles = $siteService->authorizeAction(\Action::SITE_EDIT_CERT_STATUS, $site2_userHasNoDirectRole, $u);
$this->assertEquals(0, count($enablingRoles));
// Assert user can still edit site via his ROD role
$enablingRoles = $siteService->authorizeAction(\Action::EDIT_OBJECT, $site2_userHasNoDirectRole, $u);
$this->assertEquals(1, count($enablingRoles));
$this->assertTrue(in_array(\RoleTypeName::REG_STAFF_ROD, $enablingRoles));
// Delete the user's NGI ROD role
$this->em->remove($rodUserRole);
$this->em->flush();
// User can't edit site2
$enablingRoles = $siteService->authorizeAction(\Action::EDIT_OBJECT, $site2_userHasNoDirectRole, $u);
$this->assertEquals(0, count($enablingRoles));
// Assert user can still edit SITE1 through his direct site level role (this role has not been deleted)
$enablingRoles = $siteService->authorizeAction(\Action::EDIT_OBJECT, $site1, $u);
$this->assertEquals(1, count($enablingRoles));
$this->assertTrue(in_array(\RoleTypeName::SITE_ADMIN, $enablingRoles));
// Delete user's remaining Site role
$this->em->remove($siteAdminRole);
$this->em->flush();
// User can't edit site1
$enablingRoles = $siteService->authorizeAction(\Action::EDIT_OBJECT, $site1, $u);
$this->assertEquals(0, count($enablingRoles));
}
public function testGetUserRoles()
{
print __METHOD__ . "\n";
// Create two roletypes
$ngiRoleType = TestUtil::createSampleRoleType("RT1_NAME");
$siteRoleType = TestUtil::createSampleRoleType("RT2_NAME");
$this->em->persist($ngiRoleType);
$this->em->persist($siteRoleType);
// Create a user
$u = TestUtil::createSampleUser("Test", "Testing", "/c=test");
$this->em->persist($u);
// Create an NGI
$ngi = TestUtil::createSampleNGI("MYNGI");
$this->em->persist($ngi);
// Create a Role and link to the User, ngiRoleType and ngi
$roleNgi = TestUtil::createSampleRole($u, $ngiRoleType, $ngi, RoleStatus::GRANTED);
$this->em->persist($roleNgi);
// Create a site
$site1 = TestUtil::createSampleSite("SITENAME");
$this->em->persist($site1);
// Create another role and link to the User, siteRoleType and site
$roleSite = TestUtil::createSampleRole($u, $siteRoleType, $site1, RoleStatus::GRANTED);
$this->em->persist($roleSite);
// Create a second and third sites and add to the NGI, but DO NOT add direct
// roles over those sites for the user. The user will still have role
// over the sites because they have a role over the NGI !
$site2 = TestUtil::createSampleSite("SITENAME2");
$site3 = TestUtil::createSampleSite("SITENAME3");
$this->em->persist($site2);
$this->em->persist($site3);
$ngi->addSiteDoJoin($site2);
$ngi->addSiteDoJoin($site3);
$this->em->flush();
// ********MUST******** start a new connection to test transactional
// isolation of RoleService methods.
$em = $this->createEntityManager();
$roleService = new org\gocdb\services\Role();
$roleService->setEntityManager($em);
// assert that user has expected roles
$roles = $roleService->getUserRoles($u, RoleStatus::GRANTED);
$this->assertEquals(2, sizeof($roles));
$this->assertTrue(count($roleService->getUserRoleNamesOverEntity($ngi, $u)) == 1);
$this->assertTrue(count($roleService->getUserRoleNamesOverEntity($site1, $u)) == 1);
$this->assertTrue(count($roleService->getUserRoleNamesOverEntity($site2, $u)) == 0);
$this->assertTrue(count($roleService->getUserRoleNamesOverEntity($site3, $u)) == 0);
// assert that the user has an expected site count with roles over those sites
$mySites = $roleService->getReachableSitesFromOwnedObjectRoles($u);
$this->assertEquals(3, sizeof($mySites));
// assert user don't have these pending/revoked roles
$roles = $roleService->getUserRoles($u, RoleStatus::PENDING);
$this->assertEmpty($roles);
}
/**
* Test Role's discriminator column
* Add a role type, user, NGI and a role linking
* them all together. Assert that $newRole->getOwnedEntity()
* returns an instance of NGI.
* @expectedException \Doctrine\DBAL\DBALException
*/
public function testRoleTypeIntegrityConstraint()
{
print __METHOD__ . "\n";
// Create a roletype
$rt = TestUtil::createSampleRoleType("NAME");
$this->em->persist($rt);
// Create a user
$u = TestUtil::createSampleUser("Test", "Testing", "/c=test");
$this->em->persist($u);
// Create an NGI
$n = TestUtil::createSampleNGI("MYNGI");
$this->em->persist($n);
// Create a role and link to the user, role type and ngi
$r = TestUtil::createSampleRole($u, $rt, $n, RoleStatus::GRANTED);
$this->em->persist($r);
$this->em->flush();
// try to delete the role type before deleting
// the dependant role
$this->em->remove($rt);
$this->em->flush();
}
