1 | using System;
2 | using System.Collections.Generic;
3 | using System.Linq;
4 | using System.Text;
5 | using HeuristicLab.Security.Contracts.Interfaces;
6 | using HeuristicLab.DataAccess;
7 | using HeuristicLab.Security.Contracts.BusinessObjects;
8 | using HeuristicLab.Hive.Contracts.BusinessObjects;
9 | using HeuristicLab.Hive.Contracts.Interfaces;
10 | using HeuristicLab.Hive.Contracts;
11 | using HeuristicLab.Hive.Server.Core.InternalInterfaces;
12 | using System.ServiceModel;
13 |
14 | namespace HeuristicLab.Hive.Server.Core {
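public class HivePermissionManager : IHivePermissionManager {

  private IJobManager jobManager = ServiceLocator.GetJobManager();
  private IPermissionManager permManager = ServiceLocator.GetPermissionManager();
  private IClientManager clientManager = ServiceLocator.GetClientManager();

  private PermissionCollection permissions = HivePermissions.GetPermissions();
  private PolicyCollection policyCollection = HivePermissions.GetPolicies();

  /// <summary>
  /// Authenticates a user and returns the guid issued by the permission manager
  /// (a valid session id on success).
  /// </summary>
  /// <param name="username">Login name of the user.</param>
  /// <param name="password">Password of the user.</param>
  /// <returns>The guid returned by <see cref="IPermissionManager.Authenticate"/>;
  /// what it returns on a failed login is defined there, not here.</returns>
  public Guid Login(string username, string password) {
    return permManager.Authenticate(username, password);
  }

  /// <summary>
  /// Checks a user's permission against a predefined policy. The policy's
  /// "Any", "Project" and "User" (owner) scopes are tried in that order; the
  /// first scope that grants access wins, otherwise the call fails closed.
  /// </summary>
  /// <param name="policyName">Policy name that defines the action.</param>
  /// <param name="sessionID">Session id identifying a currently logged on user.</param>
  /// <param name="entityID">Entity id: a job id for the "Project" and "User"
  /// scopes, or empty when the action is not bound to a resource.</param>
  /// <exception cref="PermissionException">Thrown when no scope grants access.</exception>
  public void Authorize(string policyName, Guid sessionID, Guid entityID) {
    // NOTE(review): what policyCollection[policyName] does for an unknown policy
    // name is not visible here - confirm it fails closed rather than granting.

    // "Any" scope: the permission is checked directly against the given entity.
    Permission p = policyCollection[policyName].GetPermissionByContext("Any");
    if (p != null && CheckPermission(sessionID, p.Id, entityID)) {
      return;
    }

    // The remaining scopes resolve the entity as a job; an empty id cannot
    // identify a job, so there is nothing left that could grant access.
    if (entityID != Guid.Empty) {
      // "Project" scope: checked against the project the job belongs to.
      p = policyCollection[policyName].GetPermissionByContext("Project");
      if (p != null && CheckPermission(sessionID, p.Id, jobManager.GetJobById(entityID).Obj.Project.Id)) {
        return;
      }

      // "User" scope (owner): checked against the user who owns the job.
      p = policyCollection[policyName].GetPermissionByContext("User");
      if (p != null && CheckPermission(sessionID, p.Id, jobManager.GetJobById(entityID).Obj.UserId)) {
        return;
      }
    }

    // No scope granted access: fail closed.
    throw new PermissionException(policyName);
  }

  /// <summary>
  /// Checks if a user has permission for a specified action. The permission
  /// manager is asked first; if it denies, the client groups containing the
  /// resource are tried via <see cref="CheckPermissionHelper"/>.
  /// </summary>
  /// <param name="sessionID">The current session.</param>
  /// <param name="actionID">A pre-defined action that requires permission.</param>
  /// <param name="entityId">A resource (job, client group, ...).</param>
  /// <returns>true if the action is granted on the entity itself or on a group
  /// that contains it; otherwise false.</returns>
  public bool CheckPermission(Guid sessionID, Guid actionID, Guid entityId) {
    if (permManager.CheckPermission(sessionID, actionID, entityId)) {
      return true;
    }
    // Not granted on the entity itself; fall back to the groups it belongs to.
    return CheckPermissionHelper(sessionID, actionID, entityId);
  }

  /// <summary>
  /// Group fallback for <see cref="CheckPermission"/>: grants the action if the
  /// user holds it on any client group that contains the resource. Each group
  /// is checked through <see cref="CheckPermission"/> again, so nested groups
  /// are covered (assumes the group hierarchy is acyclic - TODO confirm).
  /// </summary>
  /// <param name="sessionId">The current session.</param>
  /// <param name="actionId">A pre-defined action that requires permission.</param>
  /// <param name="entityId">The resource whose containing groups are checked.</param>
  /// <returns>true if some containing group grants the action; otherwise false.</returns>
  private bool CheckPermissionHelper(Guid sessionId, Guid actionId, Guid entityId) {
    // An empty entity has no containing groups, so nothing here can grant the
    // action. This used to return true, which granted any action to any session
    // whenever the entity id was empty, even after the permission manager had
    // already denied it; fail closed instead.
    if (entityId == Guid.Empty) return false;

    IList<ClientGroup> groups = clientManager.GetAllGroupsOfResource(entityId).Obj;
    // A missing group list is treated as "no groups" rather than as an error.
    if (groups == null) return false;

    foreach (ClientGroup group in groups) {
      if (CheckPermission(sessionId, actionId, group.Id)) return true;
    }
    return false;
  }
}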
88 | }