source: branches/HiveProjectManagement/HeuristicLab.Services.Hive/3.3/Manager/AuthorizationManager.cs @ 15552

Last change on this file since 15552 was 15552, checked in by jzenisek, 2 years ago

#2839 worked on permission checks in listing methods

File size: 7.9 KB
Line 
1#region License Information
2/* HeuristicLab
3 * Copyright (C) 2002-2016 Heuristic and Evolutionary Algorithms Laboratory (HEAL)
4 *
5 * This file is part of HeuristicLab.
6 *
7 * HeuristicLab is free software: you can redistribute it and/or modify
8 * it under the terms of the GNU General Public License as published by
9 * the Free Software Foundation, either version 3 of the License, or
10 * (at your option) any later version.
11 *
12 * HeuristicLab is distributed in the hope that it will be useful,
13 * but WITHOUT ANY WARRANTY; without even the implied warranty of
14 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
15 * GNU General Public License for more details.
16 *
17 * You should have received a copy of the GNU General Public License
18 * along with HeuristicLab. If not, see <http://www.gnu.org/licenses/>.
19 */
20#endregion
21
22using System;
23using System.Security;
24using HeuristicLab.Services.Access;
25using HeuristicLab.Services.Hive.DataAccess;
26using HeuristicLab.Services.Hive.DataAccess.Interfaces;
27using DA = HeuristicLab.Services.Hive.DataAccess;
28using DT = HeuristicLab.Services.Hive.DataTransfer;
29using System.Collections.Generic;
30using System.Linq;
31
32namespace HeuristicLab.Services.Hive {
33  public class AuthorizationManager : IAuthorizationManager {
34
35    private const string NOT_AUTHORIZED_USERRESOURCE = "Current user is not authorized to access the requested resource";
36    private const string NOT_AUTHORIZED_USERPROJECT = "Current user is not authorized to access the requested project";
37    private const string NOT_AUTHORIZED_USERJOB = "Current user is not authorized to access the requested job";
38    private const string NOT_AUTHORIZED_PROJECTRESOURCE = "Selected project is not authorized to access the requested resource";
39
40    private IPersistenceManager PersistenceManager {
41      get { return ServiceLocator.Instance.PersistenceManager; }
42    }
43
44    private IUserManager UserManager {
45      get { return ServiceLocator.Instance.UserManager; }
46    }
47
48    private IRoleVerifier RoleVerifier {
49      get { return ServiceLocator.Instance.RoleVerifier; }
50    }
51
52    public void Authorize(Guid userId) {
53      if (userId != ServiceLocator.Instance.UserManager.CurrentUserId)
54        throw new SecurityException(NOT_AUTHORIZED_USERRESOURCE);
55    }
56
57    public void AuthorizeForTask(Guid taskId, DT.Permission requiredPermission) {
58      if (ServiceLocator.Instance.RoleVerifier.IsInRole(HiveRoles.Slave)) return; // slave-users can access all tasks
59      var pm = PersistenceManager;
60      var taskDao = pm.TaskDao;
61      pm.UseTransaction(() => {
62        var task = taskDao.GetById(taskId);
63        if (task == null) throw new SecurityException(NOT_AUTHORIZED_USERRESOURCE);
64        AuthorizeJob(pm, task.JobId, requiredPermission);
65      });
66    }
67
68    public void AuthorizeForJob(Guid jobId, DT.Permission requiredPermission) {
69      var pm = PersistenceManager;
70      pm.UseTransaction(() => {
71        AuthorizeJob(pm, jobId, requiredPermission);
72      });
73    }
74
75    // authorize if user is admin or resource owner
76    public void AuthorizeForResourceAdministration(Guid resourceId) {
77      var pm = PersistenceManager;
78      var resourceDao = pm.ResourceDao;
79      pm.UseTransaction(() => {
80        var resource = resourceDao.GetById(resourceId);
81        if (resource == null) throw new SecurityException(NOT_AUTHORIZED_USERRESOURCE);
82
83        if (resource.OwnerUserId != UserManager.CurrentUserId
84            && !RoleVerifier.IsInRole(HiveRoles.Administrator)) {
85          throw new SecurityException(NOT_AUTHORIZED_USERRESOURCE);
86        }
87      });
88    }
89
90    // authorize if user is admin, project owner or owner of a parent project
91    public void AuthorizeForProjectAdministration(Guid projectId) {
92      var pm = PersistenceManager;
93      var projectDao = pm.ProjectDao;
94      pm.UseTransaction(() => {
95        // check if project exists (not necessary)
96        var project = projectDao.GetById(projectId);
97        if (project == null) throw new SecurityException(NOT_AUTHORIZED_USERPROJECT);
98
99        var projectBranch = projectDao.GetCurrentAndParentProjectsById(projectId);
100        if(!projectBranch.Select(x => x.OwnerUserId).Contains(UserManager.CurrentUserId)
101            && !RoleVerifier.IsInRole(HiveRoles.Administrator)) {
102          throw new SecurityException(NOT_AUTHORIZED_USERPROJECT);
103        }
104      });
105    }
106
107    // authorize if user is admin, or owner of a parent project, for which the resources are assigned to
108    public void AuthorizeForProjectResourceAdministration(Guid projectId, IEnumerable<Guid> resourceIds) {
109      var pm = PersistenceManager;
110      var projectDao = pm.ProjectDao;
111      var resourceDao = pm.ResourceDao;
112      var assignedProjectResourceDao = pm.AssignedProjectResourceDao;
113      pm.UseTransaction(() => {
114        // check if project exists (not necessary)
115        var project = projectDao.GetById(projectId);
116        if (project == null) throw new SecurityException(NOT_AUTHORIZED_USERRESOURCE);
117
118        // check if resourceIds exist
119        if (!resourceDao.CheckExistence(resourceIds))
120          throw new SecurityException(NOT_AUTHORIZED_USERRESOURCE);
121
122        // check if user is admin
123        if (RoleVerifier.IsInRole(HiveRoles.Administrator)) return;
124
125        // check if user is owner of a parent project and...
126        // check if the all argument resourceIds are among the assigned resources of the owned projects
127        var grantedResourceIds = assignedProjectResourceDao.GetAllGrantedResourceIdsOfOwnedParentProjects(projectId, UserManager.CurrentUserId);
128        if(resourceIds.Except(grantedResourceIds).Any()) {
129          throw new SecurityException(NOT_AUTHORIZED_USERRESOURCE);
130        }
131      });
132    }
133
134    // Check if a project is authorized to use a list of resources
135    public void AuthorizeProjectForResourcesUse(Guid projectId, IEnumerable<Guid> resourceIds) {
136      var pm = PersistenceManager;
137      var assignedProjectResourceDao = pm.AssignedProjectResourceDao;
138      if (!assignedProjectResourceDao.CheckProjectGrantedForResources(projectId, resourceIds))
139        throw new SecurityException(NOT_AUTHORIZED_PROJECTRESOURCE);
140    }
141
142    // Check if current user is authorized to use an explicit project (e.g. in order to add a job)
143    // note: administrators and project owner are NOT automatically granted
144    public void AuthorizeUserForProjectUse(Guid userId, Guid projectId) {
145      var pm = PersistenceManager;
146      // collect current and group membership Ids
147      var userAndGroupIds = new List<Guid>() { userId };
148      userAndGroupIds.AddRange(UserManager.GetUserGroupIdsOfUser(userId));
149      // perform the actual check
150      var projectPermissionDao = pm.ProjectPermissionDao;
151      if (!projectPermissionDao.CheckUserGrantedForProject(projectId, userAndGroupIds)) {
152        throw new SecurityException(NOT_AUTHORIZED_USERPROJECT);
153      }
154    }
155
156    private DA.Permission GetPermissionForJob(IPersistenceManager pm, Guid jobId, Guid userId) {
157      var jobDao = pm.JobDao;
158      var jobPermissionDao = pm.JobPermissionDao;
159      var job = jobDao.GetById(jobId);
160      if (job == null) return DA.Permission.NotAllowed;
161      if (job.OwnerUserId == userId) return DA.Permission.Full;
162      var jobPermission = jobPermissionDao.GetByJobAndUserId(jobId, userId);
163      if (jobPermission == null) return DA.Permission.NotAllowed;
164      return jobPermission.Permission;
165    }
166
167    private void AuthorizeJob(IPersistenceManager pm, Guid jobId, DT.Permission requiredPermission) {
168      var requiredPermissionEntity = requiredPermission.ToEntity();
169      DA.Permission permission = GetPermissionForJob(pm, jobId, UserManager.CurrentUserId);
170      if (permission == Permission.NotAllowed
171          || ((permission != requiredPermissionEntity) && requiredPermissionEntity == Permission.Full)) {
172        throw new SecurityException(NOT_AUTHORIZED_USERJOB);
173      }
174    }
175  }
176}
Note: See TracBrowser for help on using the repository browser.