Free cookie consent management tool by TermsFeed Policy Generator

Ignore:
Timestamp:
12/07/17 18:14:13 (5 years ago)
Author:
jzenisek
Message:

#2839 added ResourcePermission handling (still in progress)

File:
1 edited

Legend:

Unmodified
Added
Removed
  • branches/HiveProjectManagement/HeuristicLab.Services.Hive/3.3/HiveService.cs

    r15500 r15503  
    4141  [HiveOperationContextBehavior]
    4242  public class HiveService : IHiveService {
     43    private const string NOT_AUTHORIZED_RESOURCE = "Current user is not authorized to access the requested resource";
     44    private const string NOT_AUTHORIZED_PROJECT = "Current user is not authorized to access the requested project";
     45
    4346    private static readonly DA.TaskState[] CompletedStates = { DA.TaskState.Finished, DA.TaskState.Aborted, DA.TaskState.Failed };
    4447
     
    7982        //// V1 user grant check
    8083        //// get granted (parent) resources
    81         //var userGrantedResourceIds = pm.UseTransaction(() => {
     84        //var allGrantedResourceIds = pm.UseTransaction(() => {
    8285        //  return resourcePermissionDao.GetAll().ToList()
    8386        //    .Where(x => x.GrantedUserId == currentUserId
     
    8992        //// get children of granted parent resources
    9093        //var userGrantedChildResourceIds = pm.UseTransaction(() => {
    91         //  return userGrantedResourceIds
     94        //  return allGrantedResourceIds
    9295        //  .SelectMany(x => resourceDao.GetResourcesByParentId(x))
    9396        //  .Select(y => y.ResourceId);
     
    9598
    9699        //// join list of parent and child resources
    97         //userGrantedResourceIds.AddRange(userGrantedChildResourceIds);
    98 
    99         //// filter initial resourceId list with the list of the granted ones
    100         //var allUserGrantedResourceIds = resourceIds
    101         //  .Where(x => userGrantedResourceIds.Contains(x))
    102         //  .Distinct().ToList();
     100        //allGrantedResourceIds.AddRange(userGrantedChildResourceIds);
    103101
    104102        // V2 user grant check
    105         var allUserGrantedResourceIds = pm.UseTransaction(() => {
     103        var allGrantedResourceIds = pm.UseTransaction(() => {
    106104          var groupAndGroupIds = new List<Guid> { currentUserId };
    107105          groupAndGroupIds.AddRange(UserManager.GetUserGroupIdsOfUser(currentUserId));
    108           return resourcePermissionDao.GetByUserAndGroupIds(groupAndGroupIds);
    109         });
     106          return resourcePermissionDao.GetByUserAndGroupIds(groupAndGroupIds).ToList();
     107        });
     108
     109        // get all owned resourceIds
     110        var ownedResourceIds = resourceDao.GetAll()
     111          .Where(x => x.OwnerUserId == currentUserId)
     112          .Select(x => x.ResourceId).ToList();
     113
     114        // join list of owned and granted resourceIds
     115        allGrantedResourceIds.AddRange(ownedResourceIds);
     116
     117        // filter initial resourceId list with the list of the granted ones
     118        var filteredResourceIds = resourceIds
     119          .Where(x => allGrantedResourceIds.Contains(x))
     120          .Distinct().ToList();
     121
     122        // TODO-JAN: Additional Filtering:
     123        // TODO-JAN: user - project check; project - resource check
     124
    110125
    111126        var newTask = task.ToEntity();
    112127        newTask.JobData = taskData.ToEntity();
    113128        newTask.JobData.LastUpdate = DateTime.Now;
    114         newTask.AssignedTaskResources.AddRange(allUserGrantedResourceIds.Select(
     129        newTask.AssignedTaskResources.AddRange(filteredResourceIds.Select(
    115130          x => new DA.AssignedTaskResource {
    116131            ResourceId = x
     
    10391054    #endregion
    10401055
     1056    #region ResourcePermission Methods
     1057    // only for authorized Administrator/ResourceOwner
     1058    public void GrantResourcePermissions(Guid resourceId, Guid[] grantedUserIds) {
     1059      RoleVerifier.AuthenticateForAnyRole(HiveRoles.Administrator, HiveRoles.Client);
     1060      AuthorizationManager.AuthorizeForResourceAdministration(resourceId);
     1061      var pm = PersistenceManager;
     1062      using(new PerformanceLogger("GrantResourcePermissions")) {
     1063        pm.UseTransaction(() => {
     1064          var resourceDao = pm.ResourceDao;
     1065          var resource = resourceDao.GetById(resourceId);
     1066          var resourcePermissions = resource.ResourcePermissions.ToList();
     1067          foreach(var id in grantedUserIds) {
     1068            if(resourcePermissions.All(x => x.GrantedUserId != id)) {
     1069              resource.ResourcePermissions.Add(new DA.ResourcePermission {
     1070                GrantedUserId = id,
     1071                GrantedByUserId = UserManager.CurrentUserId
     1072              });
     1073            }
     1074          }
     1075          pm.SubmitChanges();
     1076        });
     1077      }
     1078    }
     1079
     1080    // only for authorized Administrator/ResourceOwner/(Sub)ProjectOwner to which the Resource (i.e. resourceId) is assigned
     1081    public void GrantResourcePermissions(Guid resourceId, Guid projectId, Guid[] grantedUserIds) {
     1082      RoleVerifier.AuthenticateForAnyRole(HiveRoles.Administrator, HiveRoles.Client);
     1083      AuthorizationManager.AuthorizeForResourceAdministration(resourceId);
     1084      var pm = PersistenceManager;
     1085      using (new PerformanceLogger("GrantResourcePermissions")) {
     1086        pm.UseTransaction(() => {
     1087
     1088
     1089          // TODO-JAN
     1090
     1091
     1092          pm.SubmitChanges();
     1093        });
     1094      }
     1095    }
     1096
     1097    // only for authorized Administrator/ResourceOwner
     1098    public void RevokeResourcePermissions(Guid resourceId, Guid[] grantedUserIds) {
     1099      RoleVerifier.AuthenticateForAnyRole(HiveRoles.Administrator, HiveRoles.Client);
     1100      AuthorizationManager.AuthorizeForResourceAdministration(resourceId);
     1101      var pm = PersistenceManager;
     1102      using(new PerformanceLogger("RevokeResourcePermission")) {
     1103        pm.UseTransaction(() => {
     1104          var resourcePermissionDao = pm.ResourcePermissionDao;
     1105          resourcePermissionDao.DeleteByResourceIdAndGrantedUserId(resourceId, grantedUserIds);
     1106          pm.SubmitChanges();
     1107        });
     1108      }
     1109    }
     1110
     1111    // only for authorized Administrator/ResourceOwner/(Sub)ProjectOwner to which the Resource (i.e. resourceId) is assigned
     1112    public void RevokeResourcePermissions(Guid resourceId, Guid projectId, Guid[] grantedUserIds) {
     1113      // TODO-JAN
     1114    }
     1115
     1116    #endregion
     1117
    10411118    #region Downtime Methods
    10421119    public Guid AddDowntime(DT.Downtime downtimeDto) {
     
    11551232      var projectDao = pm.ProjectDao;
    11561233      var project = projectDao.GetById(projectId);
    1157       if (project == null) throw new SecurityException("Not authorized");
     1234      if (project == null) throw new SecurityException(NOT_AUTHORIZED_PROJECT);
    11581235      if (project.OwnerUserId != UserManager.CurrentUserId
    11591236          && !RoleVerifier.IsInRole(HiveRoles.Administrator)) {
    1160         throw new SecurityException("Not authorized");
     1237        throw new SecurityException(NOT_AUTHORIZED_PROJECT);
    11611238      }
    11621239      return project;
     1240    }
     1241
     1242    // Check if the current user is authorized (i.e. is owner of the (sub)project) to set permissions
     1243    // for a certain resource (resourceId) in the context of a certain project (projectId)
     1244    private DA.Resource AuthorizeForResource(IPersistenceManager pm, Guid resourceId, Guid projectId) {
     1245      var projectDao = pm.ProjectDao;
     1246      var project = projectDao.GetById(projectId);
     1247      if (project == null) throw new SecurityException(NOT_AUTHORIZED_PROJECT);
     1248
     1249      var resourceDao = pm.ResourceDao;
     1250      var resource = resourceDao.GetById(resourceId);
     1251      if (resource == null) throw new SecurityException(NOT_AUTHORIZED_RESOURCE);
     1252
     1253
     1254      if (project.OwnerUserId != UserManager.CurrentUserId
     1255        && !RoleVerifier.IsInRole(HiveRoles.Administrator)) {
     1256        throw new SecurityException(NOT_AUTHORIZED_PROJECT);
     1257      }
     1258
     1259      // look up if resourceId is amongst the assigned ones
     1260      var assignedResources = project.AssignedProjectResources.ToList();
     1261      if (assignedResources.Select(x => x.ResourceId).Contains(resourceId)) {
     1262        return resource;
     1263      }
     1264
     1265      // look up if one of the parent resourceIds is amongst the assigned ones
     1266      // note: this should be faster than checking all children of the assigned
     1267      // resource(-groups) for the certain resourceId
     1268      var parentResourceIds = resourceDao.GetResourceIdsByChildId(resourceId);
     1269      if(assignedResources.Select(x => x.ResourceId)
     1270        .Intersect(parentResourceIds).Count() > 0) {
     1271        return resource;
     1272      }
     1273
     1274      throw new SecurityException(NOT_AUTHORIZED_PROJECT);
    11631275    }
    11641276    #endregion
Note: See TracChangeset for help on using the changeset viewer.