source: trunk/HeuristicLab.Services.Hive/3.3/Manager/AuthorizationManager.cs @ 16209

Last change on this file since 16209 was 16209, checked in by jzenisek, 12 months ago

#2839:

  • adapted job execution implementation at ProjectJobsView
  • prohibited resource checking for non-admins
File size: 10.6 KB
Line 
1#region License Information
2/* HeuristicLab
3 * Copyright (C) 2002-2018 Heuristic and Evolutionary Algorithms Laboratory (HEAL)
4 *
5 * This file is part of HeuristicLab.
6 *
7 * HeuristicLab is free software: you can redistribute it and/or modify
8 * it under the terms of the GNU General Public License as published by
9 * the Free Software Foundation, either version 3 of the License, or
10 * (at your option) any later version.
11 *
12 * HeuristicLab is distributed in the hope that it will be useful,
13 * but WITHOUT ANY WARRANTY; without even the implied warranty of
14 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
15 * GNU General Public License for more details.
16 *
17 * You should have received a copy of the GNU General Public License
18 * along with HeuristicLab. If not, see <http://www.gnu.org/licenses/>.
19 */
20#endregion
21
22using System;
23using System.Security;
24using HeuristicLab.Services.Access;
25using HeuristicLab.Services.Hive.DataAccess;
26using HeuristicLab.Services.Hive.DataAccess.Interfaces;
27using DA = HeuristicLab.Services.Hive.DataAccess;
28using DT = HeuristicLab.Services.Hive.DataTransfer;
29using System.Collections.Generic;
30using System.Linq;
31
32namespace HeuristicLab.Services.Hive {
33  public class AuthorizationManager : IAuthorizationManager {
34
35    private const string NOT_AUTHORIZED_USERRESOURCE = "Current user is not authorized to access the requested resource";
36    private const string NOT_AUTHORIZED_USERPROJECT = "Current user is not authorized to access the requested project";
37    private const string NOT_AUTHORIZED_USERJOB = "Current user is not authorized to access the requested job";
38    private const string NOT_AUTHORIZED_PROJECTRESOURCE = "Selected project is not authorized to access the requested resource";
39    private const string USER_NOT_IDENTIFIED = "User could not be identified";
40    private const string JOB_NOT_EXISTENT = "Queried job could not be found";
41    private const string TASK_NOT_EXISTENT = "Queried task could not be found";
42    private const string PROJECT_NOT_EXISTENT = "Queried project could not be found";
43
44    private IPersistenceManager PersistenceManager {
45      get { return ServiceLocator.Instance.PersistenceManager; }
46    }
47
48    private IUserManager UserManager {
49      get { return ServiceLocator.Instance.UserManager; }
50    }
51
52    private IRoleVerifier RoleVerifier {
53      get { return ServiceLocator.Instance.RoleVerifier; }
54    }
55
56    public void Authorize(Guid userId) {
57      if (userId != ServiceLocator.Instance.UserManager.CurrentUserId)
58        throw new SecurityException(NOT_AUTHORIZED_USERRESOURCE);
59    }
60
61    public void AuthorizeForTask(Guid taskId, DT.Permission requiredPermission) {
62      if (ServiceLocator.Instance.RoleVerifier.IsInRole(HiveRoles.Slave)) return; // slave-users can access all tasks
63      if (ServiceLocator.Instance.RoleVerifier.IsInRole(HiveRoles.Administrator)) return; // administrator can access all tasks
64      var currentUserId = UserManager.CurrentUserId;
65      var pm = PersistenceManager;
66      var taskDao = pm.TaskDao;
67      var projectDao = pm.ProjectDao;
68      pm.UseTransaction(() => {
69        var task = taskDao.GetById(taskId);
70        if (task == null) throw new SecurityException(TASK_NOT_EXISTENT);
71
72        // check if user is granted to administer a job-parenting project
73        var administrationGrantedProjects = projectDao
74          .GetAdministrationGrantedProjectsForUser(currentUserId)
75          .ToList();
76        if (administrationGrantedProjects.Contains(task.Job.Project)) return;
77
78        AuthorizeJob(pm, task.JobId, requiredPermission);
79      });
80    }
81
82    public void AuthorizeForJob(Guid jobId, DT.Permission requiredPermission) {
83      if (ServiceLocator.Instance.RoleVerifier.IsInRole(HiveRoles.Administrator)) return; // administrator can access all jobs
84      var currentUserId = UserManager.CurrentUserId;
85      var pm = PersistenceManager;
86      var jobDao = pm.JobDao;
87      var projectDao = pm.ProjectDao;
88      pm.UseTransaction(() => {
89        var job = jobDao.GetById(jobId);
90        if(job == null) throw new SecurityException(JOB_NOT_EXISTENT);
91
92        // check if user is granted to administer a job-parenting project
93        var administrationGrantedProjects = projectDao
94          .GetAdministrationGrantedProjectsForUser(currentUserId)
95          .ToList();
96        if (administrationGrantedProjects.Contains(job.Project)) return;
97
98        AuthorizeJob(pm, jobId, requiredPermission);
99      });
100    }
101
102    // authorize if user is admin or resource owner
103    public void AuthorizeForResourceAdministration(Guid resourceId) {
104      var currentUserId = UserManager.CurrentUserId;
105      var pm = PersistenceManager;
106      var resourceDao = pm.ResourceDao;
107      pm.UseTransaction(() => {
108        var resource = resourceDao.GetById(resourceId);
109        if (resource == null) throw new SecurityException(NOT_AUTHORIZED_USERRESOURCE);
110
111        if (resource.OwnerUserId != currentUserId
112            && !RoleVerifier.IsInRole(HiveRoles.Administrator)) {
113          throw new SecurityException(NOT_AUTHORIZED_USERRESOURCE);
114        }
115      });
116    }
117
118    // authorize if user is admin, project owner or owner of a parent project
119    public void AuthorizeForProjectAdministration(Guid projectId, bool parentalOwnership) {
120      if (projectId == null || projectId == Guid.Empty) return;
121      var currentUserId = UserManager.CurrentUserId;
122      var pm = PersistenceManager;
123      var projectDao = pm.ProjectDao;
124      pm.UseTransaction(() => {
125        var project = projectDao.GetById(projectId);
126        if (project == null) throw new ArgumentException(PROJECT_NOT_EXISTENT);
127        if(!RoleVerifier.IsInRole(HiveRoles.Administrator)
128          && !project.ParentProjectId.HasValue) {
129          throw new SecurityException(NOT_AUTHORIZED_USERPROJECT);
130        }
131
132        List<Project> projectBranch = null;
133        if(parentalOwnership) projectBranch = projectDao.GetParentProjectsById(projectId).ToList();
134        else projectBranch = projectDao.GetCurrentAndParentProjectsById(projectId).ToList();
135
136        if(!RoleVerifier.IsInRole(HiveRoles.Administrator)
137            && !projectBranch.Select(x => x.OwnerUserId).Contains(currentUserId)) {
138          throw new SecurityException(NOT_AUTHORIZED_USERPROJECT);
139        }
140      });
141    }
142
143    // authorize if user is admin, or owner of a project or parent project, for which the resources are assigned to
144    public void AuthorizeForProjectResourceAdministration(Guid projectId, IEnumerable<Guid> resourceIds) {
145      if (projectId == null || projectId == Guid.Empty) return;
146      var currentUserId = UserManager.CurrentUserId;
147      var pm = PersistenceManager;
148      var projectDao = pm.ProjectDao;
149      var resourceDao = pm.ResourceDao;
150      var assignedProjectResourceDao = pm.AssignedProjectResourceDao;
151      pm.UseTransaction(() => {
152        // check if project exists (not necessary)
153        var project = projectDao.GetById(projectId);
154        if (project == null) throw new SecurityException(NOT_AUTHORIZED_USERRESOURCE);
155
156        // check if resourceIds exist
157        if (resourceIds != null && resourceIds.Any() && !resourceDao.CheckExistence(resourceIds))
158          throw new SecurityException(NOT_AUTHORIZED_USERRESOURCE);
159
160        // check if user is admin
161        if (RoleVerifier.IsInRole(HiveRoles.Administrator)) return;
162
163        // check if user is owner of the project or a parent project
164        var projectBranch = projectDao.GetCurrentAndParentProjectsById(projectId).ToList();
165        if (!projectBranch.Select(x => x.OwnerUserId).Contains(currentUserId)
166            && !RoleVerifier.IsInRole(HiveRoles.Administrator)) {
167          throw new SecurityException(NOT_AUTHORIZED_USERPROJECT);
168        }
169
170        // check if the all argument resourceIds are among the assigned resources of the owned projects
171        var grantedResourceIds = assignedProjectResourceDao.GetAllGrantedResourceIdsOfOwnedParentProjects(projectId, currentUserId).ToList();
172        if(resourceIds.Except(grantedResourceIds).Any()) {
173          throw new SecurityException(NOT_AUTHORIZED_USERRESOURCE);
174        }
175      });
176    }
177
178    // Check if a project is authorized to use a list of resources
179    public void AuthorizeProjectForResourcesUse(Guid projectId, IEnumerable<Guid> resourceIds) {
180      if (projectId == null || projectId == Guid.Empty || resourceIds == null || !resourceIds.Any()) return;
181      var pm = PersistenceManager;
182      var assignedProjectResourceDao = pm.AssignedProjectResourceDao;
183      if (!assignedProjectResourceDao.CheckProjectGrantedForResources(projectId, resourceIds))
184        throw new SecurityException(NOT_AUTHORIZED_PROJECTRESOURCE);
185    }
186
187    // Check if current user is authorized to use an explicit project (e.g. in order to add a job)
188    // note: administrators and project owner are NOT automatically granted
189    public void AuthorizeUserForProjectUse(Guid userId, Guid projectId) {
190      if(userId == null || userId == Guid.Empty) {
191        throw new SecurityException(USER_NOT_IDENTIFIED);
192      }
193      if(projectId == null) return;
194
195      var pm = PersistenceManager;
196      // collect current and group membership Ids
197      var userAndGroupIds = new List<Guid>() { userId };
198      userAndGroupIds.AddRange(UserManager.GetUserGroupIdsOfUser(userId));
199      // perform the actual check
200      var projectPermissionDao = pm.ProjectPermissionDao;
201      if (!projectPermissionDao.CheckUserGrantedForProject(projectId, userAndGroupIds)) {
202        throw new SecurityException(NOT_AUTHORIZED_USERPROJECT);
203      }
204    }
205
206    private DA.Permission GetPermissionForJob(IPersistenceManager pm, Guid jobId, Guid userId) {
207      var jobDao = pm.JobDao;
208      var jobPermissionDao = pm.JobPermissionDao;
209      var job = jobDao.GetById(jobId);
210      if (job == null) return DA.Permission.NotAllowed;
211      if (job.OwnerUserId == userId) return DA.Permission.Full;
212      var jobPermission = jobPermissionDao.GetByJobAndUserId(jobId, userId);
213      if (jobPermission == null) return DA.Permission.NotAllowed;
214      return jobPermission.Permission;
215    }
216
217    private void AuthorizeJob(IPersistenceManager pm, Guid jobId, DT.Permission requiredPermission) {
218      var currentUserId = UserManager.CurrentUserId;
219      var requiredPermissionEntity = requiredPermission.ToEntity();
220      DA.Permission permission = GetPermissionForJob(pm, jobId, currentUserId);
221      if (permission == Permission.NotAllowed
222          || ((permission != requiredPermissionEntity) && requiredPermissionEntity == Permission.Full)) {
223        throw new SecurityException(NOT_AUTHORIZED_USERJOB);
224      }
225    }
226  }
227}
Note: See TracBrowser for help on using the repository browser.