Free cookie consent management tool by TermsFeed Policy Generator

source: branches/HiveProjectManagement/HeuristicLab.Services.Hive/3.3/Manager/AuthorizationManager.cs @ 15530

Last change on this file since 15530 was 15530, checked in by jzenisek, 5 years ago

#2839

  • worked on Job operations add&update
  • worked on ProjectPermission handling
  • worked on Project-Resource assignment
File size: 6.3 KB
Line 
1#region License Information
2/* HeuristicLab
3 * Copyright (C) 2002-2016 Heuristic and Evolutionary Algorithms Laboratory (HEAL)
4 *
5 * This file is part of HeuristicLab.
6 *
7 * HeuristicLab is free software: you can redistribute it and/or modify
8 * it under the terms of the GNU General Public License as published by
9 * the Free Software Foundation, either version 3 of the License, or
10 * (at your option) any later version.
11 *
12 * HeuristicLab is distributed in the hope that it will be useful,
13 * but WITHOUT ANY WARRANTY; without even the implied warranty of
14 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
15 * GNU General Public License for more details.
16 *
17 * You should have received a copy of the GNU General Public License
18 * along with HeuristicLab. If not, see <http://www.gnu.org/licenses/>.
19 */
20#endregion
21
22using System;
23using System.Security;
24using HeuristicLab.Services.Access;
25using HeuristicLab.Services.Hive.DataAccess;
26using HeuristicLab.Services.Hive.DataAccess.Interfaces;
27using DA = HeuristicLab.Services.Hive.DataAccess;
28using DT = HeuristicLab.Services.Hive.DataTransfer;
29using System.Collections.Generic;
30using System.Linq;
31
32namespace HeuristicLab.Services.Hive {
33  public class AuthorizationManager : IAuthorizationManager {
34
35    private const string NOT_AUTHORIZED_USERRESOURCE = "Current user is not authorized to access the requested resource";
36    private const string NOT_AUTHORIZED_USERPROJECT = "Current user is not authorized to access the requested project";
37    private const string NOT_AUTHORIZED_PROJECTRESOURCE = "Selected project is not authorized to access the requested resource";
38
39    private IPersistenceManager PersistenceManager {
40      get { return ServiceLocator.Instance.PersistenceManager; }
41    }
42
43    private IUserManager UserManager {
44      get { return ServiceLocator.Instance.UserManager; }
45    }
46
47    private IRoleVerifier RoleVerifier {
48      get { return ServiceLocator.Instance.RoleVerifier; }
49    }
50
51    public void Authorize(Guid userId) {
52      if (userId != ServiceLocator.Instance.UserManager.CurrentUserId)
53        throw new SecurityException(NOT_AUTHORIZED_USERRESOURCE);
54    }
55
56    public void AuthorizeForTask(Guid taskId, DT.Permission requiredPermission) {
57      if (ServiceLocator.Instance.RoleVerifier.IsInRole(HiveRoles.Slave)) return; // slave-users can access all tasks
58      var pm = PersistenceManager;
59      var taskDao = pm.TaskDao;
60      pm.UseTransaction(() => {
61        var task = taskDao.GetById(taskId);
62        if (task == null) throw new SecurityException(NOT_AUTHORIZED_USERRESOURCE);
63        AuthorizeJob(pm, task.JobId, requiredPermission);
64      });
65    }
66
67    public void AuthorizeForJob(Guid jobId, DT.Permission requiredPermission) {
68      var pm = PersistenceManager;
69      pm.UseTransaction(() => {
70        AuthorizeJob(pm, jobId, requiredPermission);
71      });
72    }
73
74    public void AuthorizeForResourceAdministration(Guid resourceId) {
75      var pm = PersistenceManager;
76      var resourceDao = pm.ResourceDao;
77      pm.UseTransaction(() => {
78        var resource = resourceDao.GetById(resourceId);
79        if (resource == null) throw new SecurityException(NOT_AUTHORIZED_USERRESOURCE);
80        if (resource.OwnerUserId != UserManager.CurrentUserId
81            && !RoleVerifier.IsInRole(HiveRoles.Administrator)) {
82          throw new SecurityException(NOT_AUTHORIZED_USERRESOURCE);
83        }
84      });
85    }
86
87    public void AuthorizeForProjectAdministration(Guid projectId) {
88      var pm = PersistenceManager;
89      var projectDao = pm.ProjectDao;
90      pm.UseTransaction(() => {
91        var project = projectDao.GetById(projectId);
92        if (project == null) throw new SecurityException(NOT_AUTHORIZED_USERPROJECT);
93
94        var projectTree = projectDao.GetCurrentAndParentProjectsById(projectId);
95        if(!projectTree.Select(x => x.OwnerUserId).Contains(UserManager.CurrentUserId)
96            && !RoleVerifier.IsInRole(HiveRoles.Administrator)) {
97          throw new SecurityException(NOT_AUTHORIZED_USERPROJECT);
98        }
99      });
100    }
101
102    // Check if a project is authorized to use a list of resources
103    public void AuthorizeProjectForResourcesUse(Guid projectId, IEnumerable<Guid> resourceIds) {
104      var pm = PersistenceManager;
105      var assignedProjectResourceDao = pm.AssignedProjectResourceDao;
106      if (!assignedProjectResourceDao.CheckProjectGrantedForResources(projectId, resourceIds))
107        throw new SecurityException(NOT_AUTHORIZED_PROJECTRESOURCE);
108    }
109
110    // Check if current user is authorized to use an explicit project (e.g. in order to add a job)
111    // note: administrators and project owner are NOT automatically granted
112    public void AuthorizeUserForProjectUse(Guid userId, Guid projectId) {
113      var pm = PersistenceManager;
114      // collect current and group membership Ids
115      var userAndGroupIds = new List<Guid>() { userId };
116      userAndGroupIds.AddRange(UserManager.GetUserGroupIdsOfUser(userId));
117      // perform the actual check
118      var projectPermissionDao = pm.ProjectPermissionDao;
119      if (!projectPermissionDao.CheckUserGrantedForProject(projectId, userAndGroupIds)) {
120        throw new SecurityException(NOT_AUTHORIZED_USERPROJECT);
121      }
122    }
123
124    private DA.Permission GetPermissionForJob(IPersistenceManager pm, Guid jobId, Guid userId) {
125      var jobDao = pm.JobDao;
126      var jobPermissionDao = pm.JobPermissionDao;
127      var job = jobDao.GetById(jobId);
128      if (job == null) return DA.Permission.NotAllowed;
129      if (job.OwnerUserId == userId) return DA.Permission.Full;
130      var jobPermission = jobPermissionDao.GetByJobAndUserId(jobId, userId);
131      if (jobPermission == null) return DA.Permission.NotAllowed;
132      return jobPermission.Permission;
133    }
134
135    private void AuthorizeJob(IPersistenceManager pm, Guid jobId, DT.Permission requiredPermission) {
136      var requiredPermissionEntity = requiredPermission.ToEntity();
137      DA.Permission permission = GetPermissionForJob(pm, jobId, UserManager.CurrentUserId);
138      if (permission == Permission.NotAllowed
139          || ((permission != requiredPermissionEntity) && requiredPermissionEntity == Permission.Full)) {
140        throw new SecurityException(NOT_AUTHORIZED_USERRESOURCE);
141      }
142    }
143  }
144}
Note: See TracBrowser for help on using the repository browser.