- Timestamp:
- 12/15/17 17:51:28 (7 years ago)
- File:
-
- 1 edited
branches/HiveProjectManagement/HeuristicLab.Services.Hive/3.3/HiveService.cs
r15527 r15530 41 41 [HiveOperationContextBehavior] 42 42 public class HiveService : IHiveService { 43 private const string NOT_AUTHORIZED_ RESOURCE = "Current useris not authorized to access the requested resource";44 private const string NOT_AUTHORIZED_ PROJECT = "Current user is not authorized to access the requested project";43 private const string NOT_AUTHORIZED_PROJECTRESOURCE = "Selected project is not authorized to access the requested resource"; 44 private const string NOT_AUTHORIZED_USERPROJECT = "Current user is not authorized to access the requested project"; 45 45 46 46 private static readonly DA.TaskState[] CompletedStates = { DA.TaskState.Finished, DA.TaskState.Aborted, DA.TaskState.Failed }; … … 75 75 var taskDao = pm.TaskDao; 76 76 var stateLogDao = pm.StateLogDao; 77 78 pm.UseTransaction(() => {79 CheckTaskPermissions(pm, task, resourceIds);80 });81 77 82 78 var newTask = task.ToEntity(); … … 105 101 } 106 102 103 public Guid AddTask(DT.Task task, DT.TaskData taskData) { 104 RoleVerifier.AuthenticateForAnyRole(HiveRoles.Administrator, HiveRoles.Client); 105 var pm = PersistenceManager; 106 using (new PerformanceLogger("AddTask")) { 107 var taskDao = pm.TaskDao; 108 var stateLogDao = pm.StateLogDao; 109 var newTask = task.ToEntity(); 110 newTask.JobData = taskData.ToEntity(); 111 newTask.JobData.LastUpdate = DateTime.Now; 112 newTask.State = DA.TaskState.Waiting; 113 return pm.UseTransaction(() => { 114 taskDao.Save(newTask); 115 pm.SubmitChanges(); 116 stateLogDao.Save(new DA.StateLog { 117 State = DA.TaskState.Waiting, 118 DateTime = DateTime.Now, 119 TaskId = newTask.TaskId, 120 UserId = UserManager.CurrentUserId, 121 SlaveId = null, 122 Exception = null 123 }); 124 pm.SubmitChanges(); 125 return newTask.TaskId; 126 }, false, true); 127 } 128 } 129 107 130 public Guid AddChildTask(Guid parentTaskId, DT.Task task, DT.TaskData taskData) { 108 131 RoleVerifier.AuthenticateForAnyRole(HiveRoles.Administrator, HiveRoles.Client); 109 IEnumerable<Guid> 
resourceIds;110 var pm = PersistenceManager;111 using (new PerformanceLogger("AddChildTask")) {112 var assignedTaskResourceDao = pm.AssignedTaskResourceDao;113 resourceIds = pm.UseTransaction(() => {114 return assignedTaskResourceDao.GetByTaskId(parentTaskId)115 .Select(x => x.ResourceId)116 .ToList();117 });118 }119 132 task.ParentTaskId = parentTaskId; 120 return AddTask(task, taskData , resourceIds);133 return AddTask(task, taskData); 121 134 } 122 135 … … 402 415 } 403 416 417 public Guid AddJob(DT.Job jobDto, IEnumerable<Guid> resourceIds) { 418 RoleVerifier.AuthenticateForAnyRole(HiveRoles.Administrator, HiveRoles.Client); 419 // check user - project 420 AuthorizationManager.AuthorizeUserForProjectUse(UserManager.CurrentUserId, jobDto.ProjectId); 421 // check project - resources 422 AuthorizationManager.AuthorizeProjectForResourcesUse(jobDto.ProjectId, resourceIds); 423 var pm = PersistenceManager; 424 using (new PerformanceLogger("AddJob")) { 425 var jobDao = pm.JobDao; 426 var userPriorityDao = pm.UserPriorityDao; 427 428 return pm.UseTransaction(() => { 429 var newJob = jobDto.ToEntity(); 430 newJob.OwnerUserId = UserManager.CurrentUserId; 431 newJob.DateCreated = DateTime.Now; 432 433 // add resource assignments 434 newJob.AssignedJobResources.AddRange(resourceIds.Select( 435 x => new DA.AssignedJobResource { 436 ResourceId = x 437 })); 438 439 var job = jobDao.Save(newJob); 440 if (userPriorityDao.GetById(jobDto.OwnerUserId) == null) { 441 userPriorityDao.Save(new DA.UserPriority { 442 UserId = jobDto.OwnerUserId, 443 DateEnqueued = jobDto.DateCreated 444 }); 445 } 446 pm.SubmitChanges(); 447 return job.JobId; 448 }); 449 } 450 } 451 404 452 public void UpdateJob(DT.Job jobDto) { 405 453 RoleVerifier.AuthenticateForAnyRole(HiveRoles.Administrator, HiveRoles.Client); … … 416 464 } 417 465 jobDto.CopyToEntity(job); 466 if (!exists) { 467 jobDao.Save(job); 468 } 469 pm.SubmitChanges(); 470 }); 471 } 472 } 473 474 public void UpdateJob(DT.Job jobDto, 
IEnumerable<Guid> resourceIds) { 475 RoleVerifier.AuthenticateForAnyRole(HiveRoles.Administrator, HiveRoles.Client); 476 AuthorizationManager.AuthorizeForJob(jobDto.Id, DT.Permission.Full); 477 // check user - project permission 478 AuthorizationManager.AuthorizeUserForProjectUse(UserManager.CurrentUserId, jobDto.ProjectId); 479 // check project - resources permission 480 AuthorizationManager.AuthorizeProjectForResourcesUse(jobDto.ProjectId, resourceIds); 481 482 var pm = PersistenceManager; 483 using (new PerformanceLogger("UpdateJob")) { 484 bool exists = true; 485 var jobDao = pm.JobDao; 486 pm.UseTransaction(() => { 487 var job = jobDao.GetById(jobDto.Id); 488 if (job == null) { 489 exists = false; 490 job = new DA.Job(); 491 } 492 jobDto.CopyToEntity(job); 493 494 // remove former resource assignments 495 job.AssignedJobResources.Clear(); 496 // add resource assignments 497 job.AssignedJobResources.AddRange(resourceIds.Select( 498 x => new DA.AssignedJobResource { 499 ResourceId = x 500 })); 501 418 502 if (!exists) { 419 503 jobDao.Save(job); … … 690 774 691 775 #region ProjectPermission Methods 692 public void GrantProjectPermissions(Guid projectId, Guid[] grantedUserIds ) {776 public void GrantProjectPermissions(Guid projectId, Guid[] grantedUserIds, bool cascading) { 693 777 RoleVerifier.AuthenticateForAnyRole(HiveRoles.Administrator, HiveRoles.Client); 694 778 AuthorizationManager.AuthorizeForProjectAdministration(projectId); … … 696 780 using (new PerformanceLogger("GrantProjectPermissions")) { 697 781 var projectDao = pm.ProjectDao; 782 698 783 pm.UseTransaction(() => { 699 784 var project = projectDao.GetById(projectId); 700 785 var projectPermissions = project.ProjectPermissions.ToList(); 701 786 foreach (var id in grantedUserIds) { 702 if (projectPermissions.All(x => x.GrantedUserId != id)) { 787 if (projectPermissions.All(x => x.GrantedUserId != id)) { 703 788 project.ProjectPermissions.Add(new DA.ProjectPermission { 704 789 GrantedUserId = id, … … 
707 792 } 708 793 } 709 pm.SubmitChanges(); 710 }); 711 } 712 } 713 714 public void RevokeProjectPermissions(Guid projectId, Guid[] grantedUserIds) { 794 if(cascading) { 795 var childProjects = projectDao.GetChildProjectsById(projectId); 796 foreach (var p in childProjects) { 797 p.ProjectPermissions.Clear(); 798 foreach (var id in grantedUserIds) { 799 p.ProjectPermissions.Add(new DA.ProjectPermission { 800 GrantedUserId = id, 801 GrantedByUserId = UserManager.CurrentUserId 802 }); 803 } 804 } 805 } 806 pm.SubmitChanges(); 807 }); 808 } 809 } 810 811 public void RevokeProjectPermissions(Guid projectId, Guid[] grantedUserIds, bool cascading) { 715 812 RoleVerifier.AuthenticateForAnyRole(HiveRoles.Administrator, HiveRoles.Client); 716 813 AuthorizationManager.AuthorizeForProjectAdministration(projectId); … … 718 815 using (new PerformanceLogger("RevokeProjectPermissions")) { 719 816 var projectPermissionDao = pm.ProjectPermissionDao; 720 pm.UseTransaction(() => { 721 projectPermissionDao.DeleteByProjectAndGrantedUserId(projectId, grantedUserIds); 817 var projectDao = pm.ProjectDao; 818 pm.UseTransaction(() => { 819 if(cascading) { 820 var childProjectIds = projectDao.GetChildProjectIdsById(projectId); 821 projectPermissionDao.DeleteByProjectIdsAndGrantedUserIds(childProjectIds, grantedUserIds); 822 } 823 projectPermissionDao.DeleteByProjectIdAndGrantedUserIds(projectId, grantedUserIds); 722 824 pm.SubmitChanges(); 723 825 }); … … 749 851 var assignedProjectResources = project.AssignedProjectResources.ToList(); 750 852 853 // TODO-JAN 751 854 if (!RoleVerifier.IsInRole(HiveRoles.Administrator)) 752 855 AuthorizeForResources(pm, project, resourceIds); … … 767 870 RoleVerifier.AuthenticateForAnyRole(HiveRoles.Administrator, HiveRoles.Client); 768 871 AuthorizationManager.AuthorizeForProjectAdministration(projectId); 872 // TODO-JAN: adjust Authorization Method 873 // only users who are owners of a parent project of projectId are allowed to manage resources 874 // these 
users can only those resources which are already assigned to 875 // (1) the nearest parent they own 876 // (2) to any of the parent they own 769 877 var pm = PersistenceManager; 770 878 using (new PerformanceLogger("UnassignProjectResources")) { … … 1129 1237 } 1130 1238 1131 // OBSOLETE1132 // reason: only used for double checking! AuthorizationManager.AuthorizeForProjectAdministration(..) does the same!1133 //private DA.Project AuthorizeForProject(IPersistenceManager pm, Guid projectId) {1134 // var projectDao = pm.ProjectDao;1135 // var project = projectDao.GetById(projectId);1136 // if (project == null) throw new SecurityException(NOT_AUTHORIZED_PROJECT);1137 // if (project.OwnerUserId != UserManager.CurrentUserId1138 // && !RoleVerifier.IsInRole(HiveRoles.Administrator)) {1139 // throw new SecurityException(NOT_AUTHORIZED_PROJECT);1140 // }1141 // return project;1142 //}1143 1144 private void CheckTaskPermissions(IPersistenceManager pm, DT.Task task, IEnumerable<Guid> resourceIds) {1145 var jobDao = pm.JobDao;1146 var projectDao = pm.ProjectDao;1147 var resourceDao = pm.ResourceDao;1148 var projectPermissionDao = pm.ProjectPermissionDao;1149 var currentUserId = UserManager.CurrentUserId;1150 1151 // PART 2: user-project permission check1152 var job = jobDao.GetById(task.JobId);1153 var project = projectDao.GetById(job.ProjectId);1154 AuthorizeForProjectTask(pm, project);1155 1156 // PART 3: project-resource permission check1157 var assignedResourceIds = project.AssignedProjectResources.Select(x => x.ResourceId).ToList();1158 var assignedChildResourceIds = assignedResourceIds.SelectMany(x => resourceDao.GetChildResourceIdsById(x));1159 assignedResourceIds.AddRange(assignedChildResourceIds);1160 if (resourceIds.Except(assignedResourceIds).Any()) {1161 throw new SecurityException(NOT_AUTHORIZED_PROJECT);1162 }1163 }1164 1165 // Check if current user is authorized to add a task on a explicit project1166 // case 1: user is administrator1167 // case 2: user is owner 
of project or parent project1168 // case 3: user has explicit permission on project or parent project1169 private void AuthorizeForProjectTask(IPersistenceManager pm, DA.Project project) {1170 if (RoleVerifier.IsInRole(HiveRoles.Administrator)) return; // case 11171 1172 // case 21173 var projectDao = pm.ProjectDao;1174 var projectBranch = new List<DA.Project>() { project };1175 projectBranch.AddRange(projectDao.GetParentProjectsById(project.ProjectId));1176 if (projectBranch1177 .Select(x => x.OwnerUserId)1178 .Contains(UserManager.CurrentUserId)) {1179 return;1180 }1181 1182 // case 31183 if (project.ProjectPermissions1184 .Select(x => x.GrantedUserId)1185 .Contains(UserManager.CurrentUserId)) {1186 return;1187 }1188 if (projectBranch1189 .SelectMany(x => x.ProjectPermissions)1190 .Select(x => x.GrantedUserId)1191 .Contains(UserManager.CurrentUserId)) {1192 return;1193 }1194 1195 throw new SecurityException(NOT_AUTHORIZED_PROJECT);1196 }1197 1198 1239 // Check if the current user is authorized to administer resourceIds 1199 private void AuthorizeForResource s(IPersistenceManager pm, DA.Project project, Guid[] resourceIds) {1240 private void AuthorizeForResource(IPersistenceManager pm, DA.Project project, Guid[] resourceIds) { 1200 1241 var projectDao = pm.ProjectDao; 1201 1242 var resourceDao = pm.ResourceDao;
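Review bot: The new `AddTask(DT.Task task, DT.TaskData taskData)` overload saves the task after only the `RoleVerifier.AuthenticateForAnyRole` check, and the same commit removes the `CheckTaskPermissions` call from the existing overload together with the helper and `AuthorizeForProjectTask`, so nothing visible here ties `task.JobId` to a job or project the caller is allowed to use. Unless an equivalent check runs outside this view, any account in the Client role could add tasks to another user's job, and `AddChildTask` now forwards an arbitrary `parentTaskId` to that same unchecked path. I would add `AuthorizationManager.AuthorizeForJob(task.JobId, DT.Permission.Full);` directly after the role check in both `AddTask` overloads, mirroring what `UpdateJob` already does in this file. A short comment on `AddTask` stating that the project and resource checks now happen once in `AddJob`/`UpdateJob`, while job ownership is still verified per task, would keep the per-task check from being dropped again.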