xesmyd
433 lines
13 KiB
PHP
433 lines
13 KiB
PHP
<?php
|
|
|
|
/*
|
|
* This file is part of the Symfony package.
|
|
*
|
|
* (c) Fabien Potencier <fabien@symfony.com>
|
|
*
|
|
* For the full copyright and license information, please view the LICENSE
|
|
* file that was distributed with this source code.
|
|
*/
|
|
|
|
namespace Symfony\Component\Security\Acl\Tests\Voter;
|
|
|
|
use Symfony\Component\Security\Acl\Domain\ObjectIdentity;
|
|
use Symfony\Component\Security\Acl\Domain\RoleSecurityIdentity;
|
|
use Symfony\Component\Security\Acl\Domain\UserSecurityIdentity;
|
|
use Symfony\Component\Security\Acl\Exception\AclNotFoundException;
|
|
use Symfony\Component\Security\Acl\Exception\NoAceFoundException;
|
|
use Symfony\Component\Security\Acl\Voter\AclVoter;
|
|
use Symfony\Component\Security\Acl\Voter\FieldVote;
|
|
use Symfony\Component\Security\Core\Authorization\Voter\VoterInterface;
|
|
|
|
class AclVoterTest extends \PHPUnit\Framework\TestCase
|
|
{
|
|
/**
|
|
* @dataProvider getSupportsAttributeTests
|
|
*/
|
|
public function testSupportsAttribute($attribute, $supported)
|
|
{
|
|
[$voter, , $permissionMap] = $this->getVoter(true, false);
|
|
|
|
$permissionMap
|
|
->expects($this->once())
|
|
->method('contains')
|
|
->with($this->identicalTo($attribute))
|
|
->willReturn($supported)
|
|
;
|
|
|
|
$this->assertSame($supported, $voter->supportsAttribute($attribute));
|
|
}
|
|
|
|
/**
|
|
* @dataProvider getSupportsAttributeNonStringTests
|
|
*/
|
|
public function testSupportsAttributeNonString($attribute)
|
|
{
|
|
[$voter] = $this->getVoter(true, false);
|
|
|
|
$this->assertFalse($voter->supportsAttribute($attribute));
|
|
}
|
|
|
|
public function getSupportsAttributeTests()
|
|
{
|
|
return [
|
|
['foo', true],
|
|
['foo', false],
|
|
];
|
|
}
|
|
|
|
public function getSupportsAttributeNonStringTests()
|
|
{
|
|
return [
|
|
[new \stdClass()],
|
|
[1],
|
|
[true],
|
|
[[]],
|
|
];
|
|
}
|
|
|
|
/**
|
|
* @dataProvider getSupportsClassTests
|
|
*/
|
|
public function testSupportsClass($class)
|
|
{
|
|
[$voter] = $this->getVoter();
|
|
|
|
$this->assertTrue($voter->supportsClass($class));
|
|
}
|
|
|
|
public function getSupportsClassTests()
|
|
{
|
|
return [
|
|
['foo'],
|
|
['bar'],
|
|
['moo'],
|
|
];
|
|
}
|
|
|
|
public function testVote()
|
|
{
|
|
[$voter, , $permissionMap] = $this->getVoter();
|
|
$permissionMap
|
|
->expects($this->atLeastOnce())
|
|
->method('getMasks')
|
|
->willReturn(null)
|
|
;
|
|
|
|
$this->assertSame(VoterInterface::ACCESS_ABSTAIN, $voter->vote($this->getToken(), null, ['VIEW', 'EDIT', 'DELETE']));
|
|
}
|
|
|
|
/**
|
|
* @dataProvider getTrueFalseTests
|
|
*/
|
|
public function testVoteWhenNoObjectIsPassed($allowIfObjectIdentityUnavailable)
|
|
{
|
|
[$voter, , $permissionMap] = $this->getVoter($allowIfObjectIdentityUnavailable);
|
|
$permissionMap
|
|
->expects($this->once())
|
|
->method('getMasks')
|
|
->willReturn([])
|
|
;
|
|
|
|
if ($allowIfObjectIdentityUnavailable) {
|
|
$vote = VoterInterface::ACCESS_GRANTED;
|
|
} else {
|
|
$vote = VoterInterface::ACCESS_ABSTAIN;
|
|
}
|
|
|
|
$this->assertSame($vote, $voter->vote($this->getToken(), null, ['VIEW']));
|
|
}
|
|
|
|
/**
|
|
* @dataProvider getTrueFalseTests
|
|
*/
|
|
public function testVoteWhenOidStrategyReturnsNull($allowIfUnavailable)
|
|
{
|
|
[$voter, , $permissionMap, $oidStrategy] = $this->getVoter($allowIfUnavailable);
|
|
$permissionMap
|
|
->expects($this->once())
|
|
->method('getMasks')
|
|
->willReturn([])
|
|
;
|
|
|
|
$oidStrategy
|
|
->expects($this->once())
|
|
->method('getObjectIdentity')
|
|
->willReturn(null)
|
|
;
|
|
|
|
if ($allowIfUnavailable) {
|
|
$vote = VoterInterface::ACCESS_GRANTED;
|
|
} else {
|
|
$vote = VoterInterface::ACCESS_ABSTAIN;
|
|
}
|
|
|
|
$this->assertSame($vote, $voter->vote($this->getToken(), new \stdClass(), ['VIEW']));
|
|
}
|
|
|
|
public function getTrueFalseTests()
|
|
{
|
|
return [[true], [false]];
|
|
}
|
|
|
|
public function testVoteNoAclFound()
|
|
{
|
|
[$voter, $provider, $permissionMap, $oidStrategy, $sidStrategy] = $this->getVoter();
|
|
|
|
$permissionMap
|
|
->expects($this->once())
|
|
->method('getMasks')
|
|
->willReturn([])
|
|
;
|
|
|
|
$oidStrategy
|
|
->expects($this->once())
|
|
->method('getObjectIdentity')
|
|
->willReturn($oid = new ObjectIdentity('1', 'Foo'))
|
|
;
|
|
|
|
$sidStrategy
|
|
->expects($this->once())
|
|
->method('getSecurityIdentities')
|
|
->willReturn($sids = [new UserSecurityIdentity('johannes', 'Foo'), new RoleSecurityIdentity('ROLE_FOO')])
|
|
;
|
|
|
|
$provider
|
|
->expects($this->once())
|
|
->method('findAcl')
|
|
->with($this->equalTo($oid), $this->equalTo($sids))
|
|
->will($this->throwException(new AclNotFoundException('Not found.')))
|
|
;
|
|
|
|
$this->assertSame(VoterInterface::ACCESS_DENIED, $voter->vote($this->getToken(), new \stdClass(), ['VIEW']));
|
|
}
|
|
|
|
/**
|
|
* @dataProvider getTrueFalseTests
|
|
*/
|
|
public function testVoteGrantsAccess($grant)
|
|
{
|
|
[$voter, $provider, $permissionMap, $oidStrategy, $sidStrategy] = $this->getVoter();
|
|
|
|
$permissionMap
|
|
->expects($this->once())
|
|
->method('getMasks')
|
|
->with($this->equalTo('VIEW'))
|
|
->willReturn($masks = [1, 2, 3])
|
|
;
|
|
|
|
$oidStrategy
|
|
->expects($this->once())
|
|
->method('getObjectIdentity')
|
|
->willReturn($oid = new ObjectIdentity('1', 'Foo'))
|
|
;
|
|
|
|
$sidStrategy
|
|
->expects($this->once())
|
|
->method('getSecurityIdentities')
|
|
->willReturn($sids = [new UserSecurityIdentity('johannes', 'Foo'), new RoleSecurityIdentity('ROLE_FOO')])
|
|
;
|
|
|
|
$provider
|
|
->expects($this->once())
|
|
->method('findAcl')
|
|
->with($this->equalTo($oid), $this->equalTo($sids))
|
|
->willReturn($acl = $this->createMock('Symfony\Component\Security\Acl\Model\AclInterface'))
|
|
;
|
|
|
|
$acl
|
|
->expects($this->once())
|
|
->method('isGranted')
|
|
->with($this->identicalTo($masks), $this->equalTo($sids), $this->isFalse())
|
|
->willReturn($grant)
|
|
;
|
|
|
|
if ($grant) {
|
|
$vote = VoterInterface::ACCESS_GRANTED;
|
|
} else {
|
|
$vote = VoterInterface::ACCESS_DENIED;
|
|
}
|
|
|
|
$this->assertSame($vote, $voter->vote($this->getToken(), new \stdClass(), ['VIEW']));
|
|
}
|
|
|
|
public function testVoteNoAceFound()
|
|
{
|
|
[$voter, $provider, $permissionMap, $oidStrategy, $sidStrategy] = $this->getVoter();
|
|
|
|
$permissionMap
|
|
->expects($this->once())
|
|
->method('getMasks')
|
|
->with($this->equalTo('VIEW'))
|
|
->willReturn($masks = [1, 2, 3])
|
|
;
|
|
|
|
$oidStrategy
|
|
->expects($this->once())
|
|
->method('getObjectIdentity')
|
|
->willReturn($oid = new ObjectIdentity('1', 'Foo'))
|
|
;
|
|
|
|
$sidStrategy
|
|
->expects($this->once())
|
|
->method('getSecurityIdentities')
|
|
->willReturn($sids = [new UserSecurityIdentity('johannes', 'Foo'), new RoleSecurityIdentity('ROLE_FOO')])
|
|
;
|
|
|
|
$provider
|
|
->expects($this->once())
|
|
->method('findAcl')
|
|
->with($this->equalTo($oid), $this->equalTo($sids))
|
|
->willReturn($acl = $this->createMock('Symfony\Component\Security\Acl\Model\AclInterface'))
|
|
;
|
|
|
|
$acl
|
|
->expects($this->once())
|
|
->method('isGranted')
|
|
->with($this->identicalTo($masks), $this->equalTo($sids), $this->isFalse())
|
|
->will($this->throwException(new NoAceFoundException('No ACE')))
|
|
;
|
|
|
|
$this->assertSame(VoterInterface::ACCESS_DENIED, $voter->vote($this->getToken(), new \stdClass(), ['VIEW']));
|
|
}
|
|
|
|
/**
|
|
* @dataProvider getTrueFalseTests
|
|
*/
|
|
public function testVoteGrantsFieldAccess($grant)
|
|
{
|
|
[$voter, $provider, $permissionMap, $oidStrategy, $sidStrategy] = $this->getVoter();
|
|
|
|
$permissionMap
|
|
->expects($this->once())
|
|
->method('getMasks')
|
|
->with($this->equalTo('VIEW'))
|
|
->willReturn($masks = [1, 2, 3])
|
|
;
|
|
|
|
$oidStrategy
|
|
->expects($this->once())
|
|
->method('getObjectIdentity')
|
|
->willReturn($oid = new ObjectIdentity('1', 'Foo'))
|
|
;
|
|
|
|
$sidStrategy
|
|
->expects($this->once())
|
|
->method('getSecurityIdentities')
|
|
->willReturn($sids = [new UserSecurityIdentity('johannes', 'Foo'), new RoleSecurityIdentity('ROLE_FOO')])
|
|
;
|
|
|
|
$provider
|
|
->expects($this->once())
|
|
->method('findAcl')
|
|
->with($this->equalTo($oid), $this->equalTo($sids))
|
|
->willReturn($acl = $this->createMock('Symfony\Component\Security\Acl\Model\AclInterface'))
|
|
;
|
|
|
|
$acl
|
|
->expects($this->once())
|
|
->method('isFieldGranted')
|
|
->with($this->identicalTo('foo'), $this->identicalTo($masks), $this->equalTo($sids), $this->isFalse())
|
|
->willReturn($grant)
|
|
;
|
|
|
|
if ($grant) {
|
|
$vote = VoterInterface::ACCESS_GRANTED;
|
|
} else {
|
|
$vote = VoterInterface::ACCESS_DENIED;
|
|
}
|
|
|
|
$this->assertSame($vote, $voter->vote($this->getToken(), new FieldVote(new \stdClass(), 'foo'), ['VIEW']));
|
|
}
|
|
|
|
public function testVoteNoFieldAceFound()
|
|
{
|
|
[$voter, $provider, $permissionMap, $oidStrategy, $sidStrategy] = $this->getVoter();
|
|
|
|
$permissionMap
|
|
->expects($this->once())
|
|
->method('getMasks')
|
|
->with($this->equalTo('VIEW'))
|
|
->willReturn($masks = [1, 2, 3])
|
|
;
|
|
|
|
$oidStrategy
|
|
->expects($this->once())
|
|
->method('getObjectIdentity')
|
|
->willReturn($oid = new ObjectIdentity('1', 'Foo'))
|
|
;
|
|
|
|
$sidStrategy
|
|
->expects($this->once())
|
|
->method('getSecurityIdentities')
|
|
->willReturn($sids = [new UserSecurityIdentity('johannes', 'Foo'), new RoleSecurityIdentity('ROLE_FOO')])
|
|
;
|
|
|
|
$provider
|
|
->expects($this->once())
|
|
->method('findAcl')
|
|
->with($this->equalTo($oid), $this->equalTo($sids))
|
|
->willReturn($acl = $this->createMock('Symfony\Component\Security\Acl\Model\AclInterface'))
|
|
;
|
|
|
|
$acl
|
|
->expects($this->once())
|
|
->method('isFieldGranted')
|
|
->with($this->identicalTo('foo'), $this->identicalTo($masks), $this->equalTo($sids), $this->isFalse())
|
|
->will($this->throwException(new NoAceFoundException('No ACE')))
|
|
;
|
|
|
|
$this->assertSame(VoterInterface::ACCESS_DENIED, $voter->vote($this->getToken(), new FieldVote(new \stdClass(), 'foo'), ['VIEW']));
|
|
}
|
|
|
|
public function testWhenReceivingAnObjectIdentityInterfaceWeDontRetrieveANewObjectIdentity()
|
|
{
|
|
[$voter, $provider, $permissionMap, $oidStrategy, $sidStrategy] = $this->getVoter();
|
|
|
|
$oid = new ObjectIdentity('someID', 'someType');
|
|
|
|
$permissionMap
|
|
->expects($this->once())
|
|
->method('getMasks')
|
|
->with($this->equalTo('VIEW'))
|
|
->willReturn($masks = [1, 2, 3])
|
|
;
|
|
|
|
$oidStrategy
|
|
->expects($this->never())
|
|
->method('getObjectIdentity')
|
|
;
|
|
|
|
$sidStrategy
|
|
->expects($this->once())
|
|
->method('getSecurityIdentities')
|
|
->willReturn($sids = [new UserSecurityIdentity('johannes', 'Foo'), new RoleSecurityIdentity('ROLE_FOO')])
|
|
;
|
|
|
|
$provider
|
|
->expects($this->once())
|
|
->method('findAcl')
|
|
->with($this->equalTo($oid), $this->equalTo($sids))
|
|
->willReturn($acl = $this->createMock('Symfony\Component\Security\Acl\Model\AclInterface'))
|
|
;
|
|
|
|
$acl
|
|
->expects($this->once())
|
|
->method('isGranted')
|
|
->with($this->identicalTo($masks), $this->equalTo($sids), $this->isFalse())
|
|
->will($this->throwException(new NoAceFoundException('No ACE')))
|
|
;
|
|
|
|
$voter->vote($this->getToken(), $oid, ['VIEW']);
|
|
}
|
|
|
|
protected function getToken()
|
|
{
|
|
return $this->createMock('Symfony\Component\Security\Core\Authentication\Token\TokenInterface');
|
|
}
|
|
|
|
protected function getVoter($allowIfObjectIdentityUnavailable = true, $alwaysContains = true)
|
|
{
|
|
$provider = $this->createMock('Symfony\Component\Security\Acl\Model\AclProviderInterface');
|
|
$permissionMap = $this->createMock('Symfony\Component\Security\Acl\Permission\PermissionMapInterface');
|
|
$oidStrategy = $this->createMock('Symfony\Component\Security\Acl\Model\ObjectIdentityRetrievalStrategyInterface');
|
|
$sidStrategy = $this->createMock('Symfony\Component\Security\Acl\Model\SecurityIdentityRetrievalStrategyInterface');
|
|
|
|
if ($alwaysContains) {
|
|
$permissionMap
|
|
->expects($this->any())
|
|
->method('contains')
|
|
->willReturn(true);
|
|
}
|
|
|
|
return [
|
|
new AclVoter($provider, $oidStrategy, $sidStrategy, $permissionMap, null, $allowIfObjectIdentityUnavailable),
|
|
$provider,
|
|
$permissionMap,
|
|
$oidStrategy,
|
|
$sidStrategy,
|
|
];
|
|
}
|
|
}
|