Пример #1
0
 /**
  * Is a user authorized to add, edit or delete a downtime over the passed SEs?
  * @param Array $ses An array of Service objects
  * @param \User $user The user making the request
  */
 public function authorization($ses, \User $user = null)
 {
     if (is_null($user)) {
         throw new \Exception("Unregistered users can't edit a downtime.");
     }
     require_once __DIR__ . '/ServiceService.php';
     $serviceService = new \org\gocdb\services\ServiceService();
     $serviceService->setEntityManager($this->em);
     foreach ($ses as $se) {
         if (count($serviceService->authorizeAction(\Action::EDIT_OBJECT, $se, $user)) == 0) {
             throw new \Exception("You do not have permission over {$se}.");
         }
     }
 }
 /**
  * Persist some seed data - roletypes, user, Project, NGI, sites and SEs and 
  * assert that the user has the expected number of roles that grant specific 
  * actions over the owned objects. For example, assert that the user has 'n' 
  * number of roles that allow a particular site to be edited, or 'n' number 
  * of roles that allow an NGI certification status change.  
  */
 public function testAuthorizeAction1()
 {
     print __METHOD__ . "\n";
     // Create roletypes
     $siteAdminRT = TestUtil::createSampleRoleType(RoleTypeName::SITE_ADMIN);
     $ngiManRT = TestUtil::createSampleRoleType(RoleTypeName::NGI_OPS_MAN);
     $rodRT = TestUtil::createSampleRoleType(RoleTypeName::REG_STAFF_ROD);
     $codRT = TestUtil::createSampleRoleType(RoleTypeName::COD_ADMIN);
     $this->em->persist($siteAdminRT);
     // edit site1 (but not cert status)
     $this->em->persist($ngiManRT);
     // edit owned site1/site2 and cert status
     $this->em->persist($rodRT);
     // edit owned sites 1and2 (but not cert status)
     $this->em->persist($codRT);
     // edit all sites cert status only
     // Create a user
     $u = TestUtil::createSampleUser("Test", "Testing", "/c=test");
     $this->em->persist($u);
     // Create a linked object graph
     // NGI->Site1->SE
     //   |->Site2
     $ngi = TestUtil::createSampleNGI("MYNGI");
     $this->em->persist($ngi);
     $site1 = TestUtil::createSampleSite("SITENAME");
     //$site1->setNgiDoJoin($ngi);
     $ngi->addSiteDoJoin($site1);
     $this->em->persist($site1);
     $se1 = TestUtil::createSampleService('somelabel');
     $site1->addServiceDoJoin($se1);
     $this->em->persist($se1);
     $site2_userHasNoDirectRole = TestUtil::createSampleSite("SITENAME_2");
     $ngi->addSiteDoJoin($site2_userHasNoDirectRole);
     //$site2_userHasNoDirectRole->setNgiDoJoin($ngi);
     $this->em->persist($site2_userHasNoDirectRole);
     // Create ngiManagerRole, ngiUserRole, siteAdminRole and link user and owned entities
     $ngiManagerRole = TestUtil::createSampleRole($u, $ngiManRT, $ngi, RoleStatus::GRANTED);
     $this->em->persist($ngiManagerRole);
     $rodUserRole = TestUtil::createSampleRole($u, $rodRT, $ngi, RoleStatus::GRANTED);
     $this->em->persist($rodUserRole);
     $siteAdminRole = TestUtil::createSampleRole($u, $siteAdminRT, $site1, RoleStatus::GRANTED);
     $this->em->persist($siteAdminRole);
     $this->em->flush();
     // ********MUST******** start a new connection to test transactional
     // isolation of RoleService methods.
     $em = $this->createEntityManager();
     $siteService = new org\gocdb\services\Site();
     $siteService->setEntityManager($em);
     // Assert user can edit site using 3 enabling roles
     $enablingRoles = $siteService->authorizeAction(\Action::EDIT_OBJECT, $site1, $u);
     $this->assertEquals(3, count($enablingRoles));
     $this->assertTrue(in_array(\RoleTypeName::SITE_ADMIN, $enablingRoles));
     $this->assertTrue(in_array(\RoleTypeName::NGI_OPS_MAN, $enablingRoles));
     $this->assertTrue(in_array(\RoleTypeName::REG_STAFF_ROD, $enablingRoles));
     // Assert user can only edit cert status through his NGI_OPS_MAN role
     $enablingRoles = $siteService->authorizeAction(\Action::SITE_EDIT_CERT_STATUS, $site1, $u);
     $this->assertEquals(1, count($enablingRoles));
     $this->assertTrue(in_array(\RoleTypeName::NGI_OPS_MAN, $enablingRoles));
     // Add a new project and link ngi and give user COD_ADMIN Project role (use $this->em to isolate)
     // Project->NGI->Site1->SE
     //            |->Site2
     $proj = new Project('EGI project');
     $proj->addNgi($ngi);
     //$ngi->addProject($proj); // not strictly needed
     $this->em->persist($proj);
     $codRole = TestUtil::createSampleRole($u, $codRT, $proj, RoleStatus::GRANTED);
     $this->em->persist($codRole);
     $this->em->flush();
     // Assert user now has 2 roles that enable SITE_EDIT_CERT_STATUS change action
     $enablingRoles = $siteService->authorizeAction(\Action::SITE_EDIT_CERT_STATUS, $site1, $u);
     $this->assertEquals(2, count($enablingRoles));
     $this->assertTrue(in_array(\RoleTypeName::NGI_OPS_MAN, $enablingRoles));
     $this->assertTrue(in_array(\RoleTypeName::COD_ADMIN, $enablingRoles));
     // Assert user can edit SE using SITE_ADMIN, NGI_OPS_MAN, REG_STAFF_ROD roles (but not COD role)
     $seService = new org\gocdb\services\ServiceService();
     $seService->setEntityManager($em);
     $enablingRoles = $seService->authorizeAction(\Action::EDIT_OBJECT, $se1, $u);
     $this->assertEquals(3, count($enablingRoles));
     $this->assertTrue(in_array(\RoleTypeName::SITE_ADMIN, $enablingRoles));
     $this->assertTrue(in_array(\RoleTypeName::NGI_OPS_MAN, $enablingRoles));
     $this->assertTrue(in_array(\RoleTypeName::REG_STAFF_ROD, $enablingRoles));
     // Assert User can only edit Site2 through his 2 indirect ngi roles
     // (user don't have any direct site level roles on this site and COD don't give edit perm)
     $enablingRoles = $siteService->authorizeAction(\Action::EDIT_OBJECT, $site2_userHasNoDirectRole, $u);
     $this->assertEquals(2, count($enablingRoles));
     $this->assertTrue(in_array(\RoleTypeName::NGI_OPS_MAN, $enablingRoles));
     $this->assertTrue(in_array(\RoleTypeName::REG_STAFF_ROD, $enablingRoles));
     // Delete the user's Project COD role
     $this->em->remove($codRole);
     $this->em->flush();
     // Assert user can only SITE_EDIT_CERT_STATUS through 1 role for both sites
     $enablingRoles = $siteService->authorizeAction(\Action::SITE_EDIT_CERT_STATUS, $site2_userHasNoDirectRole, $u);
     $this->assertEquals(1, count($enablingRoles));
     $this->assertTrue(in_array(\RoleTypeName::NGI_OPS_MAN, $enablingRoles));
     $enablingRoles = $siteService->authorizeAction(\Action::SITE_EDIT_CERT_STATUS, $site1, $u);
     $this->assertEquals(1, count($enablingRoles));
     $this->assertTrue(in_array(\RoleTypeName::NGI_OPS_MAN, $enablingRoles));
     // Delete the user's NGI manager role
     $this->em->remove($ngiManagerRole);
     $this->em->flush();
     // Assert user can't edit site2 cert status
     $enablingRoles = $siteService->authorizeAction(\Action::SITE_EDIT_CERT_STATUS, $site2_userHasNoDirectRole, $u);
     $this->assertEquals(0, count($enablingRoles));
     // Assert user can still edit site via his ROD role
     $enablingRoles = $siteService->authorizeAction(\Action::EDIT_OBJECT, $site2_userHasNoDirectRole, $u);
     $this->assertEquals(1, count($enablingRoles));
     $this->assertTrue(in_array(\RoleTypeName::REG_STAFF_ROD, $enablingRoles));
     // Delete the user's NGI ROD role
     $this->em->remove($rodUserRole);
     $this->em->flush();
     // User can't edit site2
     $enablingRoles = $siteService->authorizeAction(\Action::EDIT_OBJECT, $site2_userHasNoDirectRole, $u);
     $this->assertEquals(0, count($enablingRoles));
     // Assert user can still edit SITE1 through his direct site level role (this role has not been deleted)
     $enablingRoles = $siteService->authorizeAction(\Action::EDIT_OBJECT, $site1, $u);
     $this->assertEquals(1, count($enablingRoles));
     $this->assertTrue(in_array(\RoleTypeName::SITE_ADMIN, $enablingRoles));
     // Delete user's remaining Site role
     $this->em->remove($siteAdminRole);
     $this->em->flush();
     // User can't edit site1
     $enablingRoles = $siteService->authorizeAction(\Action::EDIT_OBJECT, $site1, $u);
     $this->assertEquals(0, count($enablingRoles));
 }