1: 2: 3: 4: 5: 6: 7: 8: 9: 10: 11: 12: 13: 14: 15: 16: 17: 18: 19: 20: 21: 22: 23: 24: 25: 26: 27: 28: 29: 30: 31: 32: 33: 34: 35: 36: 37: 38: 39: 40: 41: 42: 43: 44: 45: 46: 47: 48: 49: 50: 51: 52: 53: 54: 55: 56: 57: 58: 59: 60: 61: 62: 63: 64: 65: 66: 67: 68: 69: 70: 71: 72: 73: 74: 75: 76: 77: 78: 79: 80: 81: 82: 83: 84: 85: 86: 87: 88: 89: 90: 91: 92: 93: 94: 95: 96: 97: 98: 99: 100: 101: 102: 103: 104: 105: 106: 107: 108: 109: 110: 111: 112: 113: 114: 115: 116: 117: 118: 119: 120: 121: 122: 123: 124: 125: 126: 127: 128: 129: 130: 131: 132: 133: 134: 135: 136: 137: 138: 139: 140: 141: 142: 143: 144: 145: 146: 147: 148: 149: 150: 151: 152: 153: 154: 155: 156: 157: 158: 159: 160: 161: 162: 163: 164: 165: 166: 167: 168: 169: 170: 171: 172: 173: 174: 175: 176: 177: 178: 179: 180: 181: 182: 183: 184: 185: 186: 187: 188: 189: 190: 191: 192: 193: 194: 195: 196: 197: 198: 199: 200: 201: 202: 203: 204: 205: 206: 207: 208: 209: 210: 211: 212: 213: 214: 215: 216: 217: 218: 219: 220: 221: 222: 223: 224: 225: 226: 227: 228: 229: 230: 231: 232: 233: 234: 235: 236: 237: 238: 239: 240: 241: 242: 243: 244: 245: 246: 247: 248: 249: 250: 251: 252: 253: 254: 255: 256: 257: 258: 259: 260: 261: 262: 263: 264: 265: 266: 267: 268:
<?php
namespace Nethgui\Test\Unit\Nethgui\Authorization;
class JsonPolicyDecisionPointTest extends \PHPUnit_Framework_TestCase
{
protected $object;
private $phpMock;
protected function setUp()
{
$this->phpMock = $this->getMockBuilder('Nethgui\Utility\PhpWrapper')
->setMethods(array('file_get_contents'))
->getMock()
;
$this->object = new \Nethgui\Authorization\JsonPolicyDecisionPoint(function($name) {
return '/prefix/' . str_replace('\\', '/', $name);
}, $this->phpMock);
}
private function getSubject($username = FALSE, $groups = array())
{
return \Nethgui\Test\Tool\MockFactory::getAuthenticationSubject($this, $username, $groups);
}
private function loadPolicy($policy)
{
$this->phpMock->expects($this->once())
->method('file_get_contents')
->with('/prefix/Nethgui/Authorization/BasicPolicy.json')
->will($this->returnValue($policy))
;
$this->object->loadPolicy('Nethgui\Authorization\BasicPolicy.json');
}
public function testEmptyPdp()
{
$this->assertTrue($this->object->authorize('S', 'R', 'A')->isAllowed());
}
public function testNoMatchPdp()
{
$this->loadPolicy('[{"Id": 1234, "Effect": "ALLOW", "Subject": "XXX", "Action": "XXX", "Resource": "XXX"}]');
$this->assertFalse($this->object->authorize('S', 'R', 'A')->isAllowed());
}
public function testGlobPolicyFiles()
{
$phpMock = $this->getMockBuilder('Nethgui\Utility\PhpWrapper')
->setMethods(array('file_get_contents', 'glob'))
->getMock()
;
$phpMock->expects($this->at(0))
->method('glob')
->with('/prefix/Nethgui/Authorization/*.json')
->will($this->returnValue(array('/prefix/Nethgui/Authorization/A.json', '/prefix/Nethgui/Authorization/B.json')))
;
$phpMock->expects($this->at(1))
->method('file_get_contents')
->with('/prefix/Nethgui/Authorization/A.json')
->will($this->returnValue('[]'));
$phpMock->expects($this->at(2))
->method('file_get_contents')
->with('/prefix/Nethgui/Authorization/B.json')
->will($this->returnValue('[]'));
$phpMock->expects($this->at(3))
->method('glob')
->with('/prefix/Product/Authorization/*.json')
->will($this->returnValue(FALSE))
;
$logMock = $this->getMock('Nethgui\Log\Nullog', array('warning'));
$logMock->expects($this->once())
->method('warning')
->with($this->stringContains('invalid policy file specification'))
->will($this->returnValue($logMock));
$this->object->setPhpWrapper($phpMock)->setLog($logMock);
$this->object->loadPolicy('Nethgui\Authorization\*.json');
$this->object->loadPolicy('Product\Authorization\*.json');
$this->assertTrue($this->object->authorize('S', 'R', 'A')->isAllowed());
}
public function testAuthorizeLogin1()
{
$this->loadPolicy('[
{
"Id": 2,
"Final": true,
"Effect": "ALLOW",
"Subject": "admin",
"Action": "*",
"Resource": "*",
"Description":
"Admin has the full powa"
}
,
{
"Id": 3,
"Effect": "DENY",
"Subject": "*",
"Action": "*",
"Resource": "PROCESSOR*",
"Description":
"Unauthenticated users cannot access any PROCESSOR"
}
,
{
"Id": 2,
"Effect": "DENY",
"Subject": "admin",
"Action": "*",
"Resource": "*",
"Description":
"Try to override rule#2"
}
,
{
"Id": 1,
"Effect": "ALLOW",
"Subject": ".groups HAS g1 OR .groups HAS g2",
"Action": "USE OR SUSPEND OR RESUME",
"Resource": "PROCESSOR1",
"Description":
"g1 and g2 groups have access to PROCESSOR1"
}
,
{
"Id": 3,
"Effect": "DENY",
"Subject": "*",
"Action": "*",
"Resource": "PROC*",
"Description":
"Generic user has no access to any PROCESSOR (Override)"
}
]');
$assertions = array(
0 => array($this->object->authorize($this->getSubject('admin'), 'PROCESSOR2', 'HALT'), TRUE),
1 => array($this->object->authorize($this->getSubject('dude', array('g1')), 'PROCESSOR1', 'USE'), TRUE),
2 => array($this->object->authorize($this->getSubject('dude', array('g2')), 'PROCESSOR1', 'HALT'), FALSE),
3 => array($this->object->authorize($this->getSubject('dude', array('g1', 'g2')), 'PROCESSOR2', 'USE'), FALSE),
4 => array($this->object->authorize($this->getSubject(FALSE), 'PROCESSOR3', 'USE'), FALSE),
5 => array($this->object->authorize($this->getSubject('user', array('g1')), 'PROCESSOR3', 'USE'), FALSE),
6 => array($this->object->authorize($this->getSubject('dude', array('g2')), 'PROCESSOR1', 'USE'), TRUE),
);
foreach ($assertions as $index => $assertion) {
list($auth, $pass) = $assertion;
if ( ! $auth instanceof \Nethgui\Authorization\AccessControlResponseInterface)
continue;
$cond = $pass ? $auth->isAllowed() : $auth->isDenied();
$failMsg = sprintf('assertion[%d]: Rule#%d - %s', $index, $auth->getCode(), $auth->getMessage());
$this->assertTrue($cond, $failMsg);
}
}
public function testAuthorizeLogin2()
{
$this->loadPolicy('error');
$subject = $this->getSubject();
$resource = 'Nethgui\Module\Login';
$action = \Nethgui\Authorization\PolicyDecisionPointInterface::QUERY;
$this->object->authorize($subject, $resource, $action)->isAllowed();
}
public function testAuthorizeLogin3()
{
$this->loadPolicy('"error"');
$subject = $this->getSubject();
$resource = 'Nethgui\Module\Login';
$action = \Nethgui\Authorization\PolicyDecisionPointInterface::QUERY;
$this->object->authorize($subject, $resource, $action)->isAllowed();
}
public function testAuthorizeLogin4()
{
$this->loadPolicy('[]');
$subject = $this->getSubject('admin');
$resource = 'None';
$action = 'None';
$this->object->authorize($subject, $resource, $action)->isAllowed();
}
public function testSetPhpWrapper()
{
$php = new \Nethgui\Utility\PhpWrapper();
$this->assertSame($this->object, $this->object->setPhpWrapper($php));
}
public function testGetLog()
{
$this->assertInstanceOf('Nethgui\Log\LogInterface', $this->object->getLog());
}
public function testSetLog()
{
$log = new \Nethgui\Log\Nullog();
$this->assertSame($this->object, $this->object->setLog($log));
$this->assertInstanceOf('Nethgui\Log\LogInterface', $this->object->getLog());
}
}