Free cookie consent management tool by TermsFeed Policy Generator

source: branches/2839_HiveProjectManagement/HeuristicLab.Services.Hive/3.3/Manager/AuthorizationManager.cs @ 18095

Last change on this file since 18095 was 16057, checked in by jkarder, 6 years ago

#2839:

File size: 9.4 KB
RevLine 
[6983]1#region License Information
2/* HeuristicLab
[16057]3 * Copyright (C) 2002-2018 Heuristic and Evolutionary Algorithms Laboratory (HEAL)
[6983]4 *
5 * This file is part of HeuristicLab.
6 *
7 * HeuristicLab is free software: you can redistribute it and/or modify
8 * it under the terms of the GNU General Public License as published by
9 * the Free Software Foundation, either version 3 of the License, or
10 * (at your option) any later version.
11 *
12 * HeuristicLab is distributed in the hope that it will be useful,
13 * but WITHOUT ANY WARRANTY; without even the implied warranty of
14 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
15 * GNU General Public License for more details.
16 *
17 * You should have received a copy of the GNU General Public License
18 * along with HeuristicLab. If not, see <http://www.gnu.org/licenses/>.
19 */
20#endregion
21
22using System;
23using System.Security;
[12878]24using HeuristicLab.Services.Access;
[6983]25using HeuristicLab.Services.Hive.DataAccess;
[12878]26using HeuristicLab.Services.Hive.DataAccess.Interfaces;
27using DA = HeuristicLab.Services.Hive.DataAccess;
[6983]28using DT = HeuristicLab.Services.Hive.DataTransfer;
[15508]29using System.Collections.Generic;
30using System.Linq;
[6983]31
32namespace HeuristicLab.Services.Hive {
33  public class AuthorizationManager : IAuthorizationManager {
[12878]34
[15530]35    private const string NOT_AUTHORIZED_USERRESOURCE = "Current user is not authorized to access the requested resource";
36    private const string NOT_AUTHORIZED_USERPROJECT = "Current user is not authorized to access the requested project";
[15552]37    private const string NOT_AUTHORIZED_USERJOB = "Current user is not authorized to access the requested job";
[15530]38    private const string NOT_AUTHORIZED_PROJECTRESOURCE = "Selected project is not authorized to access the requested resource";
[15715]39    private const string USER_NOT_IDENTIFIED = "User could not be identified";
40    private const string TASK_NOT_EXISTENT = "Queried task could not be found";
[15992]41    private const string PROJECT_NOT_EXISTENT = "Queried project could not be found";
[15530]42
[12878]43    private IPersistenceManager PersistenceManager {
44      get { return ServiceLocator.Instance.PersistenceManager; }
45    }
46
47    private IUserManager UserManager {
48      get { return ServiceLocator.Instance.UserManager; }
49    }
50
51    private IRoleVerifier RoleVerifier {
52      get { return ServiceLocator.Instance.RoleVerifier; }
53    }
54
[6983]55    public void Authorize(Guid userId) {
56      if (userId != ServiceLocator.Instance.UserManager.CurrentUserId)
[15530]57        throw new SecurityException(NOT_AUTHORIZED_USERRESOURCE);
[6983]58    }
59
60    public void AuthorizeForTask(Guid taskId, DT.Permission requiredPermission) {
[8051]61      if (ServiceLocator.Instance.RoleVerifier.IsInRole(HiveRoles.Slave)) return; // slave-users can access all tasks
[12878]62      var pm = PersistenceManager;
63      var taskDao = pm.TaskDao;
64      pm.UseTransaction(() => {
65        var task = taskDao.GetById(taskId);
[15715]66        if (task == null) throw new SecurityException(TASK_NOT_EXISTENT);
[12878]67        AuthorizeJob(pm, task.JobId, requiredPermission);
68      });
[6983]69    }
70
71    public void AuthorizeForJob(Guid jobId, DT.Permission requiredPermission) {
[12878]72      var pm = PersistenceManager;
73      pm.UseTransaction(() => {
74        AuthorizeJob(pm, jobId, requiredPermission);
75      });
[6983]76    }
[8051]77
[15540]78    // authorize if user is admin or resource owner
[8051]79    public void AuthorizeForResourceAdministration(Guid resourceId) {
[15577]80      var currentUserId = UserManager.CurrentUserId;
[12878]81      var pm = PersistenceManager;
82      var resourceDao = pm.ResourceDao;
83      pm.UseTransaction(() => {
84        var resource = resourceDao.GetById(resourceId);
[15530]85        if (resource == null) throw new SecurityException(NOT_AUTHORIZED_USERRESOURCE);
[15540]86
[15577]87        if (resource.OwnerUserId != currentUserId
[12878]88            && !RoleVerifier.IsInRole(HiveRoles.Administrator)) {
[15530]89          throw new SecurityException(NOT_AUTHORIZED_USERRESOURCE);
[12878]90        }
91      });
[8051]92    }
[12878]93
[15540]94    // authorize if user is admin, project owner or owner of a parent project
[15737]95    public void AuthorizeForProjectAdministration(Guid projectId, bool parentalOwnership) {
[15813]96      if (projectId == null || projectId == Guid.Empty) return;
[15577]97      var currentUserId = UserManager.CurrentUserId;
[15380]98      var pm = PersistenceManager;
99      var projectDao = pm.ProjectDao;
100      pm.UseTransaction(() => {
[15992]101        var project = projectDao.GetById(projectId);
102        if (project == null) throw new ArgumentException(PROJECT_NOT_EXISTENT);
103        if(!RoleVerifier.IsInRole(HiveRoles.Administrator)
104          && !project.ParentProjectId.HasValue) {
105          throw new SecurityException(NOT_AUTHORIZED_USERPROJECT);
106        }
107
[15737]108        List<Project> projectBranch = null;
[15813]109        if(parentalOwnership) projectBranch = projectDao.GetParentProjectsById(projectId).ToList();
[15737]110        else projectBranch = projectDao.GetCurrentAndParentProjectsById(projectId).ToList();
111
112        if(!RoleVerifier.IsInRole(HiveRoles.Administrator)
113            && !projectBranch.Select(x => x.OwnerUserId).Contains(currentUserId)) {
[15530]114          throw new SecurityException(NOT_AUTHORIZED_USERPROJECT);
[15380]115        }
116      });
117    }
118
[16043]119    // authorize if user is admin, or owner of a project or parent project, for which the resources are assigned to
[15540]120    public void AuthorizeForProjectResourceAdministration(Guid projectId, IEnumerable<Guid> resourceIds) {
[15813]121      if (projectId == null || projectId == Guid.Empty) return;
[15577]122      var currentUserId = UserManager.CurrentUserId;
[15540]123      var pm = PersistenceManager;
124      var projectDao = pm.ProjectDao;
125      var resourceDao = pm.ResourceDao;
126      var assignedProjectResourceDao = pm.AssignedProjectResourceDao;
127      pm.UseTransaction(() => {
128        // check if project exists (not necessary)
129        var project = projectDao.GetById(projectId);
130        if (project == null) throw new SecurityException(NOT_AUTHORIZED_USERRESOURCE);
131
132        // check if resourceIds exist
[15577]133        if (resourceIds != null && resourceIds.Any() && !resourceDao.CheckExistence(resourceIds))
[15540]134          throw new SecurityException(NOT_AUTHORIZED_USERRESOURCE);
135
136        // check if user is admin
137        if (RoleVerifier.IsInRole(HiveRoles.Administrator)) return;
138
[16040]139        // check if user is owner of the project or a parent project
140        var projectBranch = projectDao.GetCurrentAndParentProjectsById(projectId).ToList();
[15577]141        if (!projectBranch.Select(x => x.OwnerUserId).Contains(currentUserId)
142            && !RoleVerifier.IsInRole(HiveRoles.Administrator)) {
143          throw new SecurityException(NOT_AUTHORIZED_USERPROJECT);
144        }
145
[15540]146        // check if the all argument resourceIds are among the assigned resources of the owned projects
[15628]147        var grantedResourceIds = assignedProjectResourceDao.GetAllGrantedResourceIdsOfOwnedParentProjects(projectId, currentUserId).ToList();
[15540]148        if(resourceIds.Except(grantedResourceIds).Any()) {
149          throw new SecurityException(NOT_AUTHORIZED_USERRESOURCE);
150        }
151      });
152    }
153
[15530]154    // Check if a project is authorized to use a list of resources
155    public void AuthorizeProjectForResourcesUse(Guid projectId, IEnumerable<Guid> resourceIds) {
[15813]156      if (projectId == null || projectId == Guid.Empty || resourceIds == null || !resourceIds.Any()) return;
[15530]157      var pm = PersistenceManager;
158      var assignedProjectResourceDao = pm.AssignedProjectResourceDao;
159      if (!assignedProjectResourceDao.CheckProjectGrantedForResources(projectId, resourceIds))
160        throw new SecurityException(NOT_AUTHORIZED_PROJECTRESOURCE);
161    }
162
163    // Check if current user is authorized to use an explicit project (e.g. in order to add a job)
164    // note: administrators and project owner are NOT automatically granted
165    public void AuthorizeUserForProjectUse(Guid userId, Guid projectId) {
[15715]166      if(userId == null || userId == Guid.Empty) {
167        throw new SecurityException(USER_NOT_IDENTIFIED);
168      }
169      if(projectId == null) return;
170
[15530]171      var pm = PersistenceManager;
172      // collect current and group membership Ids
173      var userAndGroupIds = new List<Guid>() { userId };
174      userAndGroupIds.AddRange(UserManager.GetUserGroupIdsOfUser(userId));
175      // perform the actual check
176      var projectPermissionDao = pm.ProjectPermissionDao;
177      if (!projectPermissionDao.CheckUserGrantedForProject(projectId, userAndGroupIds)) {
178        throw new SecurityException(NOT_AUTHORIZED_USERPROJECT);
179      }
180    }
181
[12878]182    private DA.Permission GetPermissionForJob(IPersistenceManager pm, Guid jobId, Guid userId) {
183      var jobDao = pm.JobDao;
184      var jobPermissionDao = pm.JobPermissionDao;
185      var job = jobDao.GetById(jobId);
186      if (job == null) return DA.Permission.NotAllowed;
187      if (job.OwnerUserId == userId) return DA.Permission.Full;
188      var jobPermission = jobPermissionDao.GetByJobAndUserId(jobId, userId);
189      if (jobPermission == null) return DA.Permission.NotAllowed;
190      return jobPermission.Permission;
191    }
192
193    private void AuthorizeJob(IPersistenceManager pm, Guid jobId, DT.Permission requiredPermission) {
[15577]194      var currentUserId = UserManager.CurrentUserId;
[12878]195      var requiredPermissionEntity = requiredPermission.ToEntity();
[15577]196      DA.Permission permission = GetPermissionForJob(pm, jobId, currentUserId);
[12878]197      if (permission == Permission.NotAllowed
198          || ((permission != requiredPermissionEntity) && requiredPermissionEntity == Permission.Full)) {
[15552]199        throw new SecurityException(NOT_AUTHORIZED_USERJOB);
[12878]200      }
201    }
[6983]202  }
203}
Note: See TracBrowser for help on using the repository browser.