1 | using System;
|
---|
2 | using System.Collections.Generic;
|
---|
3 | using System.Linq;
|
---|
4 | using System.Text;
|
---|
5 | using HeuristicLab.Security.Contracts.Interfaces;
|
---|
6 | using HeuristicLab.DataAccess;
|
---|
7 | using HeuristicLab.Security.Contracts.BusinessObjects;
|
---|
8 | using HeuristicLab.Hive.Contracts.BusinessObjects;
|
---|
9 | using HeuristicLab.Hive.Contracts.Interfaces;
|
---|
10 | using HeuristicLab.Hive.Contracts;
|
---|
11 | using HeuristicLab.Hive.Server.Core.InternalInterfaces;
|
---|
12 | using System.ServiceModel;
|
---|
13 |
|
---|
14 | namespace HeuristicLab.Hive.Server.Core {
|
---|
15 | public class HivePermissionManager : IHivePermissionManager {
|
---|
16 |
|
---|
17 | private IJobManager jobManager = ServiceLocator.GetJobManager();
|
---|
18 |
|
---|
19 | private IPermissionManager permManager = ServiceLocator.GetPermissionManager();
|
---|
20 |
|
---|
21 | private IClientManager clientManager = ServiceLocator.GetClientManager();
|
---|
22 |
|
---|
23 | private PermissionCollection permissions = HivePermissions.GetPermissions();
|
---|
24 | private PolicyCollection policyCollection = HivePermissions.GetPolicies();
|
---|
25 |
|
---|
26 | /// <summary>
|
---|
27 | /// Authenticates an user and returns a valid guid if success.
|
---|
28 | /// </summary>
|
---|
29 | /// <param name="username"></param>
|
---|
30 | /// <param name="password"></param>
|
---|
31 | /// <returns></returns>
|
---|
32 | public Guid Login(string username, string password) {
|
---|
33 | return permManager.Authenticate(username, password);
|
---|
34 | }
|
---|
35 |
|
---|
36 | /// <summary>
|
---|
37 | /// Checks user permission against predefined policy.
|
---|
38 | /// </summary>
|
---|
39 | /// <param name="policyName">Policy Name defines the action.</param>
|
---|
40 | /// <param name="sessionID">Session ID identifies a currently logged on user.</param>
|
---|
41 | /// <param name="entityID">Entity ID can be some resource or emtpy.</param>
|
---|
42 | public void Authorize(string policyName, Guid sessionID, Guid entityID) {
|
---|
43 | #region Use authorization method with scopes
|
---|
44 | //check if this policy has a permission with 'ANY' scope defined
|
---|
45 | Permission p = policyCollection[policyName].GetPermissionByContext("Any");
|
---|
46 | //check if user has 'xxx.Any' permission
|
---|
47 | if (p != null)
|
---|
48 | if (CheckPermission(sessionID, p.Id, entityID)) return;
|
---|
49 |
|
---|
50 | //check if this policy has a permission with 'PROJECT' scope defined
|
---|
51 | p = policyCollection[policyName].GetPermissionByContext("Project");
|
---|
52 | //check if user has 'xxx.Project' permission
|
---|
53 | if ((p != null) && (entityID!=Guid.Empty))
|
---|
54 | {
|
---|
55 | ResponseObject<Job> job = jobManager.GetJobById(entityID);
|
---|
56 | if (job.Obj.Project != null)
|
---|
57 | if (CheckPermission(sessionID, p.Id, jobManager.GetJobById(entityID).Obj.Project.Id)) return;
|
---|
58 | }
|
---|
59 | //check if this policy has a permission with 'OWNER' scope defined
|
---|
60 | p = policyCollection[policyName].GetPermissionByContext("User");
|
---|
61 |
|
---|
62 | //check if user has 'xxx.Owner' permission
|
---|
63 | if (p != null)
|
---|
64 | if (CheckPermission(sessionID, p.Id, jobManager.GetJobById(entityID).Obj.UserId)) return;
|
---|
65 | #endregion
|
---|
66 | #region Use authorization method when no scopes are present
|
---|
67 | //when no permission context is available, use primary authentification
|
---|
68 | foreach (KeyValuePair<Permission, PermissionContext> item in policyCollection[policyName].Permissions)
|
---|
69 | {
|
---|
70 | if (CheckPermission(sessionID, item.Key.Id, Guid.Empty)) return;
|
---|
71 | }
|
---|
72 | #endregion
|
---|
73 | //throw an exception when user access fails
|
---|
74 | throw new PermissionException(policyName);
|
---|
75 | }
|
---|
76 |
|
---|
77 | /// <summary>
|
---|
78 | /// Checks if a user has permission for a specified action.
|
---|
79 | /// </summary>
|
---|
80 | /// <param name="sessionID">The current session.</param>
|
---|
81 | /// <param name="actionID">A pre-defined action that requires permission.</param>
|
---|
82 | /// <param name="entityID">A resource (Job,...)</param>
|
---|
83 | /// <returns></returns>
|
---|
84 | public bool CheckPermission(Guid sessionID, Guid actionID, Guid entityId) {
|
---|
85 | bool hasPerm = permManager.CheckPermission(sessionID, actionID, entityId);
|
---|
86 | PermissionCollection pc = HivePermissions.GetPermissions();
|
---|
87 | if (!hasPerm)
|
---|
88 | if (CheckPermissionHelper(sessionID, actionID, entityId)) return true;
|
---|
89 | return hasPerm;
|
---|
90 | }
|
---|
91 |
|
---|
92 | private bool CheckPermissionHelper(Guid sessionId, Guid actionId, Guid entityId) {
|
---|
93 | if (entityId == Guid.Empty) return true;
|
---|
94 | IList<ClientGroup> groups = clientManager.GetAllGroupsOfResource(entityId).Obj;
|
---|
95 | foreach (ClientGroup group in groups)
|
---|
96 | if (CheckPermission(sessionId, actionId, group.Id)) return true;
|
---|
97 | return false;
|
---|
98 | }
|
---|
99 | }
|
---|
100 | }
|
---|