Timestamp:
12/07/17 18:14:13 (6 years ago)
Author:
jzenisek
Message:

#2839 added ResourcePermission handling (still in progress)

Location:
branches/HiveProjectManagement
Files:
3 edited

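--- a/branches/HiveProjectManagement/HeuristicLab.Services.Hive.DataAccess/3.3/Daos/ResourceDao.cs
+++ b/branches/HiveProjectManagement/HeuristicLab.Services.Hive.DataAccess/3.3/Daos/ResourceDao.cs
@@ -41,10 +41,18 @@
     }
 
+    public IEnumerable<Resource> GetResourcesByParentId(Guid id) {
+      return DataContext.ExecuteQuery<Resource>(GetResourcesByParentIdQuery, id);
+    }
+
     public IEnumerable<Guid> GetResourceIdsByParentId(Guid id) {
       return DataContext.ExecuteQuery<Guid>(GetResourceIdsByParentIdQuery, id);
     }
 
-    public IEnumerable<Resource> GetResourcesByParentId(Guid id) {
-      return DataContext.ExecuteQuery<Resource>(GetResourcesByParentIdQuery, id);
+    public IEnumerable<Resource> GetResourcesByChildId(Guid id) {
+      return DataContext.ExecuteQuery<Resource>(GetResourcesByChildIdQuery, id);
+    }
+
+    public IEnumerable<Guid> GetResourceIdsByChildId(Guid id) {
+      return DataContext.ExecuteQuery<Guid>(GetResourceIdsByChildIdQuery, id);
     }
 
@@ -65,18 +73,4 @@
     #region String queries
     private const string GetResourcesByParentIdQuery = @"
-      WITH rtree AS
-      (
-        SELECT ResourceId, ParentResourceId
-        FROM [Resource]
-        UNION ALL
-        SELECT rt.ResourceId, r.ParentResourceId
-        FROM [Resource] r
-        JOIN rtree rt ON rt.ParentResourceId = r.ResourceId AND r.ParentResourceId <> r.ResourceId AND rt.ParentResourceId <> rt.ResourceId
-      )
-      SELECT DISTINCT rtree.ResourceId
-      FROM rtree
-      WHERE rtree.ParentResourceId = ({0})
-    ";
-    private const string GetResourceIdsByParentIdQuery = @"
       WITH rtree AS
       (
@@ -93,4 +87,47 @@
       AND rtree.ResourceId = res.ResourceId
     ";
+    private const string GetResourceIdsByParentIdQuery = @"
+      WITH rtree AS
+      (
+        SELECT ResourceId, ParentResourceId
+        FROM [Resource]
+        UNION ALL
+        SELECT rt.ResourceId, r.ParentResourceId
+        FROM [Resource] r
+        JOIN rtree rt ON rt.ParentResourceId = r.ResourceId AND r.ParentResourceId <> r.ResourceId AND rt.ParentResourceId <> rt.ResourceId
+      )
+      SELECT DISTINCT rtree.ResourceId
+      FROM rtree
+      WHERE rtree.ParentResourceId = ({0})
+    ";
+    private const string GetResourcesByChildIdQuery = @"
+      WITH rtree AS
+      (
+        SELECT ResourceId, ParentResourceId
+        FROM [Resource]
+        UNION ALL
+        SELECT rt.ResourceId, r.ParentResourceId
+        FROM [Resource] r
+        JOIN rtree rt ON rt.ParentResourceId = r.ResourceId AND r.ParentResourceId <> r.ResourceId AND rt.ParentResourceId <> rt.ResourceId
+      )
+      SELECT DISTINCT res.*
+      FROM rtree, [Resource] res
+      WHERE rtree.ResourceId = ({0})
+      AND rtree.ParentResourceId = res.ResourceId
+    ";
+    private const string GetResourceIdsByChildIdQuery = @"
+      WITH rtree AS
+      (
+        SELECT ResourceId, ParentResourceId
+        FROM [Resource]
+        UNION ALL
+        SELECT rt.ResourceId, r.ParentResourceId
+        FROM [Resource] r
+        JOIN rtree rt ON rt.ParentResourceId = r.ResourceId AND r.ParentResourceId <> r.ResourceId AND rt.ParentResourceId <> rt.ResourceId
+      )
+      SELECT DISTINCT rtree.ParentResourceId
+      FROM rtree
+      WHERE rtree.ResourceId = ({0})
+    ";
     #endregion
   }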
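Review bot: `GetResourceIdsByChildIdQuery` selects `rtree.ParentResourceId` straight from the CTE, whose anchor member contains every `[Resource]` row, so for a resource without a parent the result appears to include a NULL row (assuming `ParentResourceId` is nullable, which this page does not show). `ExecuteQuery<Guid>` cannot represent that value and would most likely fail while materializing it; because `GetResourceIdsByChildId` feeds the new `AuthorizeForResource` check in HiveService.cs, a top-level resource could turn an authorization decision into an unrelated exception. Adding `AND rtree.ParentResourceId IS NOT NULL` to the final WHERE clause would avoid it. The four constants now repeat the same CTE text, so a short comment stating that `rtree` pairs each resource with each of its ancestors, and that only direct self-references are excluded from the recursion, would help whoever has to keep them in sync.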
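--- a/branches/HiveProjectManagement/HeuristicLab.Services.Hive.DataAccess/3.3/Daos/ResourcePermissionDao.cs
+++ b/branches/HiveProjectManagement/HeuristicLab.Services.Hive.DataAccess/3.3/Daos/ResourcePermissionDao.cs
@@ -43,4 +43,12 @@
     }
 
+    public void DeleteByResourceIdAndGrantedUserId(Guid resourceId, IEnumerable<Guid> grantedUserId) {
+      string paramIds = string.Join(",", grantedUserId.Select(x => string.Format("'{0}'", x)));
+      if (!string.IsNullOrWhiteSpace(paramIds)) {
+        string query = string.Format(DeleteByGrantedUserQuery, resourceId, paramIds);
+        DataContext.ExecuteCommand(query);
+      }
+    }
+
     #region Compiled queries
     private static readonly Func<DataContext, Guid, IEnumerable<ResourcePermission>> GetByResourceIdQuery =
@@ -71,4 +79,9 @@
       ;";
 
+    private const string DeleteByGrantedUserQuery = @"
+      DELETE FROM [ResourcePermission]
+        WHERE ResourceId = '{0}'
+        AND GrantedUserId IN ({1})
+    ;";
     #endregion
   }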
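Review bot: `DeleteByResourceIdAndGrantedUserId` assembles its DELETE statement with `string.Format` and hands the finished text to `DataContext.ExecuteCommand(query)`, whereas the queries in ResourceDao.cs pass `id` as a command argument. Both inputs are `Guid`s, so the text cannot carry SQL today, but that safety rests entirely on the parameter types staying as they are, and the quoted `'{0}'` in `DeleteByGrantedUserQuery` is easy to copy for a string-typed column later. `ExecuteCommand` accepts `{n}` placeholders with an argument array, so the ids can be bound as parameters once the quotes are removed from the constant. Very long id lists may then need batching, since each id becomes one command parameter.

```csharp
    public void DeleteByResourceIdAndGrantedUserId(Guid resourceId, IEnumerable<Guid> grantedUserId) {
      var ids = grantedUserId.Distinct().ToList();
      if (ids.Count == 0) return;
      // {0} binds resourceId, {1}..{n} bind the granted user ids
      string placeholders = string.Join(",", Enumerable.Range(1, ids.Count).Select(i => "{" + i + "}"));
      var args = new object[] { resourceId }.Concat(ids.Cast<object>()).ToArray();
      // string.Format only expands the IN list here; the braces it leaves behind are ExecuteCommand placeholders
      DataContext.ExecuteCommand(string.Format(DeleteByGrantedUserQuery, "{0}", placeholders), args);
    }

    // … unchanged: compiled queries …

    private const string DeleteByGrantedUserQuery = @"
      DELETE FROM [ResourcePermission]
        WHERE ResourceId = {0}
        AND GrantedUserId IN ({1})
    ;";
```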
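--- a/branches/HiveProjectManagement/HeuristicLab.Services.Hive/3.3/HiveService.cs
+++ b/branches/HiveProjectManagement/HeuristicLab.Services.Hive/3.3/HiveService.cs
@@ -41,4 +41,7 @@
   [HiveOperationContextBehavior]
   public class HiveService : IHiveService {
+    private const string NOT_AUTHORIZED_RESOURCE = "Current user is not authorized to access the requested resource";
+    private const string NOT_AUTHORIZED_PROJECT = "Current user is not authorized to access the requested project";
+
     private static readonly DA.TaskState[] CompletedStates = { DA.TaskState.Finished, DA.TaskState.Aborted, DA.TaskState.Failed };
 
@@ -79,5 +82,5 @@
         //// V1 user grant check
         //// get granted (parent) resources
-        //var userGrantedResourceIds = pm.UseTransaction(() => {
+        //var allGrantedResourceIds = pm.UseTransaction(() => {
         //  return resourcePermissionDao.GetAll().ToList()
         //    .Where(x => x.GrantedUserId == currentUserId
@@ -89,5 +92,5 @@
         //// get children of granted parent resources
         //var userGrantedChildResourceIds = pm.UseTransaction(() => {
-        //  return userGrantedResourceIds
+        //  return allGrantedResourceIds
         //  .SelectMany(x => resourceDao.GetResourcesByParentId(x))
         //  .Select(y => y.ResourceId);
@@ -95,22 +98,34 @@
 
         //// join list of parent and child resources
-        //userGrantedResourceIds.AddRange(userGrantedChildResourceIds);
-
-        //// filter initial resourceId list with the list of the granted ones
-        //var allUserGrantedResourceIds = resourceIds
-        //  .Where(x => userGrantedResourceIds.Contains(x))
-        //  .Distinct().ToList();
+        //allGrantedResourceIds.AddRange(userGrantedChildResourceIds);
 
         // V2 user grant check
-        var allUserGrantedResourceIds = pm.UseTransaction(() => {
+        var allGrantedResourceIds = pm.UseTransaction(() => {
           var groupAndGroupIds = new List<Guid> { currentUserId };
           groupAndGroupIds.AddRange(UserManager.GetUserGroupIdsOfUser(currentUserId));
-          return resourcePermissionDao.GetByUserAndGroupIds(groupAndGroupIds);
-        });
+          return resourcePermissionDao.GetByUserAndGroupIds(groupAndGroupIds).ToList();
+        });
+
+        // get all owned resourceIds
+        var ownedResourceIds = resourceDao.GetAll()
+          .Where(x => x.OwnerUserId == currentUserId)
+          .Select(x => x.ResourceId).ToList();
+
+        // join list of owned and granted resourceIds
+        allGrantedResourceIds.AddRange(ownedResourceIds);
+
+        // filter initial resourceId list with the list of the granted ones
+        var filteredResourceIds = resourceIds
+          .Where(x => allGrantedResourceIds.Contains(x))
+          .Distinct().ToList();
+
+        // TODO-JAN: Additional Filtering:
+        // TODO-JAN: user - project check; project - resource check
+
 
         var newTask = task.ToEntity();
         newTask.JobData = taskData.ToEntity();
         newTask.JobData.LastUpdate = DateTime.Now;
-        newTask.AssignedTaskResources.AddRange(allUserGrantedResourceIds.Select(
+        newTask.AssignedTaskResources.AddRange(filteredResourceIds.Select(
           x => new DA.AssignedTaskResource {
             ResourceId = x
@@ -1039,4 +1054,66 @@
     #endregion
 
+    #region ResourcePermission Methods
+    // only for authorized Administrator/ResourceOwner
+    public void GrantResourcePermissions(Guid resourceId, Guid[] grantedUserIds) {
+      RoleVerifier.AuthenticateForAnyRole(HiveRoles.Administrator, HiveRoles.Client);
+      AuthorizationManager.AuthorizeForResourceAdministration(resourceId);
+      var pm = PersistenceManager;
+      using(new PerformanceLogger("GrantResourcePermissions")) {
+        pm.UseTransaction(() => {
+          var resourceDao = pm.ResourceDao;
+          var resource = resourceDao.GetById(resourceId);
+          var resourcePermissions = resource.ResourcePermissions.ToList();
+          foreach(var id in grantedUserIds) {
+            if(resourcePermissions.All(x => x.GrantedUserId != id)) {
+              resource.ResourcePermissions.Add(new DA.ResourcePermission {
+                GrantedUserId = id,
+                GrantedByUserId = UserManager.CurrentUserId
+              });
+            }
+          }
+          pm.SubmitChanges();
+        });
+      }
+    }
+
+    // only for authorized Administrator/ResourceOwner/(Sub)ProjectOwner to which the Resource (i.e. resourceId) is assigned
+    public void GrantResourcePermissions(Guid resourceId, Guid projectId, Guid[] grantedUserIds) {
+      RoleVerifier.AuthenticateForAnyRole(HiveRoles.Administrator, HiveRoles.Client);
+      AuthorizationManager.AuthorizeForResourceAdministration(resourceId);
+      var pm = PersistenceManager;
+      using (new PerformanceLogger("GrantResourcePermissions")) {
+        pm.UseTransaction(() => {
+
+
+          // TODO-JAN
+
+
+          pm.SubmitChanges();
+        });
+      }
+    }
+
+    // only for authorized Administrator/ResourceOwner
+    public void RevokeResourcePermissions(Guid resourceId, Guid[] grantedUserIds) {
+      RoleVerifier.AuthenticateForAnyRole(HiveRoles.Administrator, HiveRoles.Client);
+      AuthorizationManager.AuthorizeForResourceAdministration(resourceId);
+      var pm = PersistenceManager;
+      using(new PerformanceLogger("RevokeResourcePermission")) {
+        pm.UseTransaction(() => {
+          var resourcePermissionDao = pm.ResourcePermissionDao;
+          resourcePermissionDao.DeleteByResourceIdAndGrantedUserId(resourceId, grantedUserIds);
+          pm.SubmitChanges();
+        });
+      }
+    }
+
+    // only for authorized Administrator/ResourceOwner/(Sub)ProjectOwner to which the Resource (i.e. resourceId) is assigned
+    public void RevokeResourcePermissions(Guid resourceId, Guid projectId, Guid[] grantedUserIds) {
+      // TODO-JAN
+    }
+
+    #endregion
+
     #region Downtime Methods
     public Guid AddDowntime(DT.Downtime downtimeDto) {
@@ -1155,10 +1232,45 @@
       var projectDao = pm.ProjectDao;
       var project = projectDao.GetById(projectId);
-      if (project == null) throw new SecurityException("Not authorized");
+      if (project == null) throw new SecurityException(NOT_AUTHORIZED_PROJECT);
       if (project.OwnerUserId != UserManager.CurrentUserId
           && !RoleVerifier.IsInRole(HiveRoles.Administrator)) {
-        throw new SecurityException("Not authorized");
+        throw new SecurityException(NOT_AUTHORIZED_PROJECT);
       }
       return project;
+    }
+
+    // Check if the current user is authorized (i.e. is owner of the (sub)project) to set permissions
+    // for a certain resource (resourceId) in the context of a certain project (projectId)
+    private DA.Resource AuthorizeForResource(IPersistenceManager pm, Guid resourceId, Guid projectId) {
+      var projectDao = pm.ProjectDao;
+      var project = projectDao.GetById(projectId);
+      if (project == null) throw new SecurityException(NOT_AUTHORIZED_PROJECT);
+
+      var resourceDao = pm.ResourceDao;
+      var resource = resourceDao.GetById(resourceId);
+      if (resource == null) throw new SecurityException(NOT_AUTHORIZED_RESOURCE);
+
+
+      if (project.OwnerUserId != UserManager.CurrentUserId
+        && !RoleVerifier.IsInRole(HiveRoles.Administrator)) {
+        throw new SecurityException(NOT_AUTHORIZED_PROJECT);
+      }
+
+      // look up if resourceId is amongst the assigned ones
+      var assignedResources = project.AssignedProjectResources.ToList();
+      if (assignedResources.Select(x => x.ResourceId).Contains(resourceId)) {
+        return resource;
+      }
+
+      // look up if one of the parent resourceIds is amongst the assigned ones
+      // note: this should be faster than checking all children of the assigned
+      // resource(-groups) for the certain resourceId
+      var parentResourceIds = resourceDao.GetResourceIdsByChildId(resourceId);
+      if(assignedResources.Select(x => x.ResourceId)
+        .Intersect(parentResourceIds).Count() > 0) {
+        return resource;
+      }
+
+      throw new SecurityException(NOT_AUTHORIZED_PROJECT);
     }
     #endregion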
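Review bot: The three-argument `RevokeResourcePermissions(resourceId, projectId, grantedUserIds)` is a public service method whose body is only `// TODO-JAN`, so a call returns normally without authenticating the caller or removing any grant, and the caller cannot tell that the permissions are still in place. Until the project-scoped path exists it would be safer to fail loudly, e.g. `throw new NotImplementedException();`, and the same applies to the three-argument `GrantResourcePermissions`, which runs an empty transaction after `AuthorizeForResourceAdministration(resourceId)` rather than the project-scoped `AuthorizeForResource(pm, resourceId, projectId)` that this changeset adds but does not call in the visible hunks. In `AuthorizeForResource` itself, consider moving the owner/administrator check above the resource lookup: as written, a caller who does not own the project receives `NOT_AUTHORIZED_RESOURCE` for an unknown resource id only when the project exists, so if the exception text reaches the client the two messages reveal which project ids are valid.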