
source: branches/Persistence Test/HeuristicLab.Hive.Server.Core/3.2/Authorization/HivePermissionManager.cs @ 3698

Last change on this file since 3698 was 2100, checked in by mbecirov, 15 years ago

#586: Fixed authorization when no policy scope is defined.

File size: 4.4 KB
1using System;
2using System.Collections.Generic;
3using System.Linq;
4using System.Text;
5using HeuristicLab.Security.Contracts.Interfaces;
6using HeuristicLab.DataAccess;
7using HeuristicLab.Security.Contracts.BusinessObjects;
8using HeuristicLab.Hive.Contracts.BusinessObjects;
9using HeuristicLab.Hive.Contracts.Interfaces;
10using HeuristicLab.Hive.Contracts;
11using HeuristicLab.Hive.Server.Core.InternalInterfaces;
12using System.ServiceModel;
13
14namespace HeuristicLab.Hive.Server.Core {
15  public class HivePermissionManager : IHivePermissionManager {
16
17    private IJobManager jobManager = ServiceLocator.GetJobManager();
18   
19    private IPermissionManager permManager = ServiceLocator.GetPermissionManager();
20
21    private IClientManager clientManager = ServiceLocator.GetClientManager();
22
23    private PermissionCollection permissions = HivePermissions.GetPermissions();
24    private PolicyCollection policyCollection = HivePermissions.GetPolicies();
25
26    /// <summary>
27    /// Authenticates an user and returns a valid guid if success.
28    /// </summary>
29    /// <param name="username"></param>
30    /// <param name="password"></param>
31    /// <returns></returns>
32    public Guid Login(string username, string password) {
33      return permManager.Authenticate(username, password);
34    }
35
36    /// <summary>
37    /// Checks user permission against predefined policy.
38    /// </summary>
39    /// <param name="policyName">Policy Name defines the action.</param>
40    /// <param name="sessionID">Session ID identifies a currently logged on user.</param>
41    /// <param name="entityID">Entity ID can be some resource or emtpy.</param>
42    public void Authorize(string policyName, Guid sessionID, Guid entityID) {
43      #region Use authorization method with scopes
44      //check if this policy has a permission with 'ANY' scope defined
45      Permission p = policyCollection[policyName].GetPermissionByContext("Any");
46      //check if user has 'xxx.Any' permission
47      if (p != null)
48        if (CheckPermission(sessionID, p.Id, entityID)) return;
49     
50      //check if this policy has a permission with 'PROJECT' scope defined
51      p = policyCollection[policyName].GetPermissionByContext("Project");
52      //check if user has 'xxx.Project' permission
53      if ((p != null) && (entityID!=Guid.Empty))
54      {
55          ResponseObject<Job> job = jobManager.GetJobById(entityID);
56          if (job.Obj.Project != null)
57              if (CheckPermission(sessionID, p.Id, jobManager.GetJobById(entityID).Obj.Project.Id)) return;
58      }
59      //check if this policy has a permission with 'OWNER' scope defined
60      p = policyCollection[policyName].GetPermissionByContext("User");
61     
62      //check if user has 'xxx.Owner' permission
63      if (p != null)
64        if (CheckPermission(sessionID, p.Id, jobManager.GetJobById(entityID).Obj.UserId)) return;
65      #endregion
66      #region Use authorization method when no scopes are present
67      //when no permission context is available, use primary authentification
68      foreach (KeyValuePair<Permission, PermissionContext> item in policyCollection[policyName].Permissions)
69      {
70          if (CheckPermission(sessionID, item.Key.Id, Guid.Empty)) return;
71      }
72      #endregion
73      //throw an exception when user access fails
74      throw new PermissionException(policyName);
75    }
76
77    /// <summary>
78    /// Checks if a user has permission for a specified action.
79    /// </summary>
80    /// <param name="sessionID">The current session.</param>
81    /// <param name="actionID">A pre-defined action that requires permission.</param>
82    /// <param name="entityID">A resource (Job,...)</param>
83    /// <returns></returns>
84    public bool CheckPermission(Guid sessionID, Guid actionID, Guid entityId) {
85      bool hasPerm = permManager.CheckPermission(sessionID, actionID, entityId);
86      PermissionCollection pc = HivePermissions.GetPermissions();
87      if (!hasPerm)
88          if (CheckPermissionHelper(sessionID, actionID, entityId)) return true;
89      return hasPerm;
90    }
91
92    private bool CheckPermissionHelper(Guid sessionId, Guid actionId, Guid entityId) {
93      if (entityId == Guid.Empty) return true;
94      IList<ClientGroup> groups = clientManager.GetAllGroupsOfResource(entityId).Obj;
95      foreach (ClientGroup group in groups)
96        if (CheckPermission(sessionId, actionId, group.Id)) return true;
97      return false;
98    }
99  }
100}