274 lines
10 KiB
C#
274 lines
10 KiB
C#
using System;
|
|
using Xunit;
|
|
using Newtonsoft.Json.Linq;
|
|
using FluentAssertions;
|
|
using System.Collections.Generic;
|
|
using System.Collections.Concurrent;
|
|
|
|
namespace raven_integration
|
|
{
|
|
// [Collection("APICOLLECTION")]
|
|
public class WidgetRights
|
|
{
|
|
|
|
|
|
/// <summary>
|
|
/// Test not authorized error return
|
|
/// </summary>
|
|
[Fact]
|
|
public async void ServerShouldNotAllowUnauthenticatedAccess()
|
|
{
|
|
ApiResponse a = await Util.GetAsync("Widget/list");
|
|
Util.ValidateHTTPStatusCode(a, 401);
|
|
}
|
|
|
|
/// <summary>
|
|
/// Test insufficient read rights error return
|
|
/// </summary>
|
|
[Fact]
|
|
public async void ServerShouldNotAllowReadUnauthorizedAccess()
|
|
{
|
|
ApiResponse a = await Util.GetAsync("Widget/listwidgets", await Util.GetTokenAsync( "OpsAdminFull"));
|
|
//2004 unauthorized
|
|
Util.ValidateErrorCodeResponse(a, 2004, 403);
|
|
}
|
|
|
|
|
|
|
|
/// <summary>
|
|
/// Test insufficient create rights error return
|
|
/// </summary>
|
|
[Fact]
|
|
public async void ServerShouldNotAllowCreateUnauthorizedAccess()
|
|
{
|
|
//CREATE
|
|
dynamic d = new JObject();
|
|
d.name = Util.Uniquify("ServerShouldNotAllowCreateUnauthorizedAccess TEST WIDGET");
|
|
d.created = DateTime.Now.ToString();
|
|
d.dollarAmount = 1.11m;
|
|
d.active = true;
|
|
d.roles = 0;
|
|
|
|
//BizAdminLimited user should not be able to create a widget, only read them
|
|
ApiResponse a = await Util.PostAsync("Widget", await Util.GetTokenAsync( "BizAdminLimited"), d.ToString());
|
|
|
|
//2004 unauthorized
|
|
Util.ValidateErrorCodeResponse(a, 2004, 403);
|
|
}
|
|
|
|
|
|
|
|
/// <summary>
|
|
/// Test owner rights to modify
|
|
/// </summary>
|
|
[Fact]
|
|
public async void ServerShouldAllowOwnerOnlyRightsUserToPatchOwn()
|
|
{
|
|
|
|
// TECH FULL has owner only rights to widget
|
|
|
|
//CREATE
|
|
dynamic d = new JObject();
|
|
d.name = Util.Uniquify("ServerShouldAllowOwnerOnlyRightsUserToPatchOwn TEST WIDGET");
|
|
d.notes="blah";
|
|
d.customFields = Util.GenerateCustomFieldsJsonString("Meh1");
|
|
d.created = DateTime.Now.ToString();
|
|
d.dollarAmount = 1.11m;
|
|
d.active = true;
|
|
d.roles = 0;
|
|
|
|
ApiResponse a = await Util.PostAsync("Widget", await Util.GetTokenAsync( "TechFull"), d.ToString());
|
|
Util.ValidateDataReturnResponseOk(a);
|
|
long Id = a.ObjectResponse["data"]["id"].Value<long>();
|
|
uint OriginalConcurrencyToken = a.ObjectResponse["data"]["concurrencyToken"].Value<uint>();
|
|
|
|
//Now attempt to modify it via patch
|
|
var newName = Util.Uniquify("ServerShouldAllowOwnerOnlyRightsUserToPatchOwn - UPDATED TEST WIDGET");
|
|
string patchJson = "[{\"value\": \"" + newName + "\",\"path\": \"/name\",\"op\": \"replace\"}]";
|
|
a = await Util.PatchAsync("Widget/" + Id.ToString() + "/" + OriginalConcurrencyToken.ToString(), await Util.GetTokenAsync( "TechFull"), patchJson);
|
|
Util.ValidateHTTPStatusCode(a, 200);
|
|
}
|
|
|
|
|
|
/// <summary>
|
|
/// Test owner rights fails to modify other creator object
|
|
/// </summary>
|
|
[Fact]
|
|
public async void ServerShouldDisAllowOwnerOnlyRightsUserToPatchNonOwned()
|
|
{
|
|
// TECH FULL has owner only rights to widget
|
|
//INVENTORY FULL has full rights to widget
|
|
|
|
//CREATE
|
|
dynamic d = new JObject();
|
|
d.name = Util.Uniquify("ServerShouldDisAllowOwnerOnlyRightsUserToPatchNonOwned TEST WIDGET");
|
|
d.notes="blah";
|
|
d.customFields = Util.GenerateCustomFieldsJsonString("Meh1");
|
|
d.created = DateTime.Now.ToString();
|
|
d.dollarAmount = 1.11m;
|
|
d.active = true;
|
|
d.roles = 0;
|
|
|
|
//create via inventory full test user
|
|
ApiResponse a = await Util.PostAsync("Widget", await Util.GetTokenAsync( "InventoryFull"), d.ToString());
|
|
Util.ValidateDataReturnResponseOk(a);
|
|
long Id = a.ObjectResponse["data"]["id"].Value<long>();
|
|
uint OriginalConcurrencyToken = a.ObjectResponse["data"]["concurrencyToken"].Value<uint>();
|
|
|
|
//Now TechFullAuthToken attempt to modify it via patch
|
|
var newName = Util.Uniquify("ServerShouldDisAllowOwnerOnlyRightsUserToPatchNonOwned - UPDATED TEST WIDGETB");
|
|
string patchJson = "[{\"value\": \"" + newName + "\",\"path\": \"/name\",\"op\": \"replace\"}]";
|
|
a = await Util.PatchAsync("Widget/" + Id.ToString() + "/" + OriginalConcurrencyToken.ToString(), await Util.GetTokenAsync( "TechFull"), patchJson);
|
|
//2004 unauthorized expected
|
|
Util.ValidateErrorCodeResponse(a, 2004, 403);
|
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
/// <summary>
|
|
/// Test owner rights to modify
|
|
/// </summary>
|
|
[Fact]
|
|
public async void ServerShouldAllowOwnerOnlyRightsUserToPutOwn()
|
|
{
|
|
|
|
// TECH FULL has owner only rights to widget
|
|
|
|
//CREATE
|
|
dynamic d = new JObject();
|
|
d.name = Util.Uniquify("ServerShouldAllowOwnerOnlyRightsUserToPutOwn TEST WIDGET");
|
|
d.notes="blah";
|
|
d.customFields = Util.GenerateCustomFieldsJsonString("Meh1");
|
|
d.created = DateTime.Now.ToString();
|
|
d.dollarAmount = 1.11m;
|
|
d.active = true;
|
|
d.roles = 0;
|
|
|
|
ApiResponse a = await Util.PostAsync("Widget", await Util.GetTokenAsync( "TechFull"), d.ToString());
|
|
Util.ValidateDataReturnResponseOk(a);
|
|
long Id = a.ObjectResponse["data"]["id"].Value<long>();
|
|
uint OriginalConcurrencyToken = a.ObjectResponse["data"]["concurrencyToken"].Value<uint>();
|
|
|
|
//Now attempt to modify it via patch
|
|
var newName = Util.Uniquify("ServerShouldAllowOwnerOnlyRightsUserToPutOwn - UPDATED TEST WIDGET");
|
|
d.OwnerId = 1;
|
|
d.name = newName;
|
|
d.concurrencyToken = OriginalConcurrencyToken;
|
|
|
|
a = await Util.PutAsync("Widget/" + Id.ToString(), await Util.GetTokenAsync( "TechFull"), d.ToString());
|
|
Util.ValidateHTTPStatusCode(a, 200);
|
|
}
|
|
|
|
|
|
/// <summary>
|
|
/// Test owner rights fails to modify other creator object
|
|
/// </summary>
|
|
[Fact]
|
|
public async void ServerShouldDisAllowOwnerOnlyRightsUserToPutNonOwned()
|
|
{
|
|
// TECH FULL has owner only rights to widget
|
|
//INVENTORY FULL has full rights to widget
|
|
|
|
//CREATE
|
|
dynamic d = new JObject();
|
|
d.name = Util.Uniquify("ServerShouldDisAllowOwnerOnlyRightsUserToPutNonOwned TEST WIDGET");
|
|
d.notes="blah";
|
|
d.customFields = Util.GenerateCustomFieldsJsonString("Meh1");
|
|
d.created = DateTime.Now.ToString();
|
|
d.dollarAmount = 1.11m;
|
|
d.active = true;
|
|
d.roles = 0;
|
|
|
|
//create via inventory full test user
|
|
ApiResponse a = await Util.PostAsync("Widget", await Util.GetTokenAsync( "InventoryFull"), d.ToString());
|
|
Util.ValidateDataReturnResponseOk(a);
|
|
long Id = a.ObjectResponse["data"]["id"].Value<long>();
|
|
|
|
//Now TechFullAuthToken attempt to modify it via patch
|
|
var newName = Util.Uniquify("ServerShouldDisAllowOwnerOnlyRightsUserToPutNonOwned - UPDATED TEST WIDGET");
|
|
d.name = newName;
|
|
a = await Util.PutAsync("Widget/" + Id.ToString(), await Util.GetTokenAsync( "TechFull"), d.ToString());
|
|
//2004 unauthorized expected
|
|
Util.ValidateErrorCodeResponse(a, 2004, 403);
|
|
|
|
|
|
}
|
|
|
|
|
|
|
|
/// <summary>
|
|
/// Test owner rights to delete
|
|
/// </summary>
|
|
[Fact]
|
|
public async void ServerShouldAllowOwnerOnlyRightsUserToDelete()
|
|
{
|
|
|
|
// TECH FULL has owner only rights to widget
|
|
|
|
//CREATE
|
|
dynamic d = new JObject();
|
|
d.name = Util.Uniquify("ServerShouldAllowOwnerOnlyRightsUserToDelete TEST WIDGET");
|
|
d.notes="blah";
|
|
d.customFields = Util.GenerateCustomFieldsJsonString("Meh1");
|
|
d.created = DateTime.Now.ToString();
|
|
d.dollarAmount = 1.11m;
|
|
d.active = true;
|
|
d.roles = 0;
|
|
|
|
ApiResponse a = await Util.PostAsync("Widget", await Util.GetTokenAsync( "TechFull"), d.ToString());
|
|
Util.ValidateDataReturnResponseOk(a);
|
|
long Id = a.ObjectResponse["data"]["id"].Value<long>();
|
|
|
|
//Now attempt to delete it
|
|
a = await Util.DeleteAsync("Widget/" + Id.ToString(), await Util.GetTokenAsync( "TechFull"));
|
|
Util.ValidateHTTPStatusCode(a, 204);
|
|
}
|
|
|
|
|
|
|
|
|
|
/// <summary>
|
|
/// Test owner rights fails to delete other creator object
|
|
/// </summary>
|
|
[Fact]
|
|
public async void ServerShouldDisAllowOwnerOnlyRightsUserToDeleteNonOwned()
|
|
{
|
|
// TECH FULL has owner only rights to widget
|
|
//INVENTORY FULL has full rights to widget
|
|
|
|
//CREATE
|
|
dynamic d = new JObject();
|
|
d.name = Util.Uniquify("ServerShouldDisAllowOwnerOnlyRightsUserToDeleteNonOwned TEST WIDGET");
|
|
d.notes="blah";
|
|
d.customFields = Util.GenerateCustomFieldsJsonString("Meh1");
|
|
d.created = DateTime.Now.ToString();
|
|
d.dollarAmount = 1.11m;
|
|
d.active = true;
|
|
d.roles = 0;
|
|
|
|
//create via inventory full test user
|
|
ApiResponse a = await Util.PostAsync("Widget", await Util.GetTokenAsync( "InventoryFull"), d.ToString());
|
|
Util.ValidateDataReturnResponseOk(a);
|
|
long Id = a.ObjectResponse["data"]["id"].Value<long>();
|
|
|
|
//Now attempt delete
|
|
a = await Util.DeleteAsync("Widget/" + Id.ToString(), await Util.GetTokenAsync( "TechFull"));
|
|
//2004 unauthorized expected
|
|
Util.ValidateErrorCodeResponse(a, 2004, 403);
|
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
//==================================================
|
|
|
|
}//eoc
|
|
}//eons
|