source: stable/HeuristicLab.Services.Hive/3.3/Manager/AuthorizationManager.cs @ 12962

Last change on this file since 12962 was 12962, checked in by ascheibe, 7 years ago

#2388 merged r12878, r12879, r12883, r12885, r12913, r12914, r12925, r12932, r12961 into stable

1#region License Information
2/* HeuristicLab
3 * Copyright (C) 2002-2015 Heuristic and Evolutionary Algorithms Laboratory (HEAL)
4 *
5 * This file is part of HeuristicLab.
6 *
7 * HeuristicLab is free software: you can redistribute it and/or modify
8 * it under the terms of the GNU General Public License as published by
9 * the Free Software Foundation, either version 3 of the License, or
10 * (at your option) any later version.
11 *
12 * HeuristicLab is distributed in the hope that it will be useful,
13 * but WITHOUT ANY WARRANTY; without even the implied warranty of
14 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
15 * GNU General Public License for more details.
16 *
17 * You should have received a copy of the GNU General Public License
18 * along with HeuristicLab. If not, see <http://www.gnu.org/licenses/>.
19 */
20#endregion
21
22using System;
23using System.Security;
24using HeuristicLab.Services.Access;
25using HeuristicLab.Services.Hive.DataAccess;
26using HeuristicLab.Services.Hive.DataAccess.Interfaces;
27using DA = HeuristicLab.Services.Hive.DataAccess;
28using DT = HeuristicLab.Services.Hive.DataTransfer;
29
30
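namespace HeuristicLab.Services.Hive {
  /// <summary>
  /// Authorization checks for the Hive service. Every check either returns normally or
  /// throws a <see cref="SecurityException"/>. A task, job or resource that cannot be
  /// found is reported as "not authorized" rather than "not found", so a caller learns
  /// nothing about the existence of entities it may not access.
  /// All collaborators are resolved through <see cref="ServiceLocator"/> at call time.
  /// </summary>
  public class AuthorizationManager : IAuthorizationManager {

    private const string NOT_AUTHORIZED = "Current user is not authorized to access the requested resource";

    private IPersistenceManager PersistenceManager {
      get { return ServiceLocator.Instance.PersistenceManager; }
    }

    private IUserManager UserManager {
      get { return ServiceLocator.Instance.UserManager; }
    }

    private IRoleVerifier RoleVerifier {
      get { return ServiceLocator.Instance.RoleVerifier; }
    }

    /// <summary>
    /// Ensures that <paramref name="userId"/> is the currently authenticated user.
    /// </summary>
    /// <param name="userId">The user id the caller claims to act on behalf of.</param>
    /// <exception cref="SecurityException">Thrown if the id differs from the current user.</exception>
    public void Authorize(Guid userId) {
      // go through the UserManager property so every check shares one service lookup path
      if (userId != UserManager.CurrentUserId)
        throw new SecurityException(NOT_AUTHORIZED);
    }

    /// <summary>
    /// Ensures the current user holds <paramref name="requiredPermission"/> on the job the task belongs to.
    /// Users in the <see cref="HiveRoles.Slave"/> role bypass the job permission check entirely.
    /// </summary>
    /// <param name="taskId">Id of the task being accessed.</param>
    /// <param name="requiredPermission">Permission the operation needs on the owning job.</param>
    /// <exception cref="SecurityException">Thrown if the task does not exist or the user lacks the permission.</exception>
    public void AuthorizeForTask(Guid taskId, DT.Permission requiredPermission) {
      if (RoleVerifier.IsInRole(HiveRoles.Slave)) return; // slave-users can access all tasks
      var pm = PersistenceManager;
      var taskDao = pm.TaskDao;
      pm.UseTransaction(() => {
        var task = taskDao.GetById(taskId);
        // an unknown task is reported as "not authorized", not "not found"
        if (task == null) throw new SecurityException(NOT_AUTHORIZED);
        AuthorizeJob(pm, task.JobId, requiredPermission);
      });
    }

    /// <summary>
    /// Ensures the current user holds <paramref name="requiredPermission"/> on the job.
    /// </summary>
    /// <param name="jobId">Id of the job being accessed.</param>
    /// <param name="requiredPermission">Permission the operation needs on the job.</param>
    /// <exception cref="SecurityException">Thrown if the job does not exist or the user lacks the permission.</exception>
    public void AuthorizeForJob(Guid jobId, DT.Permission requiredPermission) {
      var pm = PersistenceManager;
      pm.UseTransaction(() => {
        AuthorizeJob(pm, jobId, requiredPermission);
      });
    }

    /// <summary>
    /// Ensures the current user may administer the resource: either the user owns it
    /// or holds the <see cref="HiveRoles.Administrator"/> role.
    /// </summary>
    /// <param name="resourceId">Id of the resource being administered.</param>
    /// <exception cref="SecurityException">Thrown if the resource does not exist or the user is neither owner nor administrator.</exception>
    public void AuthorizeForResourceAdministration(Guid resourceId) {
      var pm = PersistenceManager;
      var resourceDao = pm.ResourceDao;
      pm.UseTransaction(() => {
        var resource = resourceDao.GetById(resourceId);
        // an unknown resource is reported as "not authorized", not "not found"
        if (resource == null) throw new SecurityException(NOT_AUTHORIZED);
        bool isOwner = resource.OwnerUserId == UserManager.CurrentUserId;
        if (!isOwner && !RoleVerifier.IsInRole(HiveRoles.Administrator)) {
          throw new SecurityException(NOT_AUTHORIZED);
        }
      });
    }

    /// <summary>
    /// Resolves the effective permission of <paramref name="userId"/> on a job.
    /// The owner always has <see cref="DA.Permission.Full"/>; otherwise the explicit
    /// job permission entry is used. A missing job or missing entry yields
    /// <see cref="DA.Permission.NotAllowed"/> (fail closed).
    /// </summary>
    /// <param name="pm">Persistence manager whose transaction the lookups run in.</param>
    /// <param name="jobId">Id of the job.</param>
    /// <param name="userId">Id of the user whose permission is resolved.</param>
    /// <returns>The user's permission on the job, never null.</returns>
    private DA.Permission GetPermissionForJob(IPersistenceManager pm, Guid jobId, Guid userId) {
      var job = pm.JobDao.GetById(jobId);
      if (job == null) return DA.Permission.NotAllowed;
      if (job.OwnerUserId == userId) return DA.Permission.Full;
      var jobPermission = pm.JobPermissionDao.GetByJobAndUserId(jobId, userId);
      return jobPermission == null ? DA.Permission.NotAllowed : jobPermission.Permission;
    }

    /// <summary>
    /// Throws unless the current user's permission on the job satisfies
    /// <paramref name="requiredPermission"/>: <see cref="DA.Permission.NotAllowed"/> never
    /// passes, a required <see cref="DA.Permission.Full"/> is satisfied only by Full, and any
    /// other required level is satisfied by any granted permission other than NotAllowed.
    /// </summary>
    /// <param name="pm">Persistence manager whose transaction the lookups run in.</param>
    /// <param name="jobId">Id of the job.</param>
    /// <param name="requiredPermission">Permission the operation needs on the job.</param>
    /// <exception cref="SecurityException">Thrown if the permission is insufficient.</exception>
    private void AuthorizeJob(IPersistenceManager pm, Guid jobId, DT.Permission requiredPermission) {
      var requiredPermissionEntity = requiredPermission.ToEntity();
      DA.Permission permission = GetPermissionForJob(pm, jobId, UserManager.CurrentUserId);
      // the qualified DA.Permission is used throughout so the entity enum is never
      // confused with the DT.Permission transfer type
      bool denied = permission == DA.Permission.NotAllowed
                    || (requiredPermissionEntity == DA.Permission.Full && permission != DA.Permission.Full);
      if (denied) {
        throw new SecurityException(NOT_AUTHORIZED);
      }
    }
  }
}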