Changeset 15715 for branches/HiveProjectManagement

Timestamp:

02/02/18 20:19:43 (7 years ago)

Author:

jzenisek

Message:

#2839 improved permission checking of HiveService methods

Location:

branches/HiveProjectManagement

Files:

• HeuristicLab.Services.Hive.DataAccess/3.3/Daos/AssignedProjectResourceDao.cs (modified) (1 diff)
• HeuristicLab.Services.Hive/3.3/HiveService.cs (modified) (27 diffs)
• HeuristicLab.Services.Hive/3.3/Manager/AuthorizationManager.cs (modified) (3 diffs)
• HeuristicLab.Services.Hive/3.3/ServiceContracts/IHiveService.cs (modified) (3 diffs)

branches/HiveProjectManagement/HeuristicLab.Services.Hive.DataAccess/3.3/Daos/AssignedProjectResourceDao.cs

@@ -116 +116 @@
         WHERE ProjectId IN ({0})
     ";
-    // tested
     private const string CheckProjectGrantedForResourcesQueryString = @"
     WITH rtree AS

branches/HiveProjectManagement/HeuristicLab.Services.Hive/3.3/HiveService.cs

@@ -72 +72 @@
     public Guid AddTask(DT.Task task, DT.TaskData taskData) {
       RoleVerifier.AuthenticateForAnyRole(HiveRoles.Administrator, HiveRoles.Client);
+      AuthorizationManager.AuthorizeForJob(task.JobId, DT.Permission.Full);
       var pm = PersistenceManager;
       using (new PerformanceLogger("AddTask")) {
@@ -322 +323 @@
       var pm = PersistenceManager;
       using (new PerformanceLogger("GetJobs")) {
-        // TODO-JAN: optimization potential - avoid using too many joins in linq
         var jobDao = pm.JobDao;
         var jobPermissionDao = pm.JobPermissionDao;
@@ -336 +336 @@
             .Select(x => x.ToDto())
             .ToList();
-          // calculate stats only for owned & permitted jobs; TODO: query only needed ones, not all
           var statistics = taskDao.GetAll()
               .Where(x => jobs.Select(y => y.Id).Contains(x.JobId))
@@ -367 +366 @@
     }
 
-    public Guid AddJob(DT.Job jobDto) {
-      RoleVerifier.AuthenticateForAnyRole(HiveRoles.Administrator, HiveRoles.Client);
-      var pm = PersistenceManager;
-      using (new PerformanceLogger("AddJob")) {
-        var jobDao = pm.JobDao;
-        var userPriorityDao = pm.UserPriorityDao;
-        return pm.UseTransaction(() => {
-          jobDto.OwnerUserId = UserManager.CurrentUserId;
-          jobDto.DateCreated = DateTime.Now;
-          var job = jobDao.Save(jobDto.ToEntity());
-          if (userPriorityDao.GetById(jobDto.OwnerUserId) == null) {
-            userPriorityDao.Save(new DA.UserPriority {
-              UserId = jobDto.OwnerUserId,
-              DateEnqueued = jobDto.DateCreated
-            });
-          }
-          pm.SubmitChanges();
-          return job.JobId;
-        });
-      }
-    }
-
     public Guid AddJob(DT.Job jobDto, IEnumerable<Guid> resourceIds) {
       RoleVerifier.AuthenticateForAnyRole(HiveRoles.Administrator, HiveRoles.Client);
@@ -406 +383 @@
 
           // add resource assignments
-          newJob.AssignedJobResources.AddRange(resourceIds.Select(
-            x => new DA.AssignedJobResource {
-              ResourceId = x
-            }));
+          if (resourceIds != null && resourceIds.Any()) {           
+            newJob.AssignedJobResources.AddRange(resourceIds.Select(
+              x => new DA.AssignedJobResource {
+                ResourceId = x
+              }));
+          }
 
           var job = jobDao.Save(newJob);
@@ -424 +403 @@
     }
 
-    public void UpdateJob(DT.Job jobDto) {
-      RoleVerifier.AuthenticateForAnyRole(HiveRoles.Administrator, HiveRoles.Client);
-      AuthorizationManager.AuthorizeForJob(jobDto.Id, DT.Permission.Full);
-      var pm = PersistenceManager;
-      using (new PerformanceLogger("UpdateJob")) {
-        bool exists = true;
-        var jobDao = pm.JobDao;
-        pm.UseTransaction(() => {
-          var job = jobDao.GetById(jobDto.Id);
-          if (job == null) {
-            exists = false;
-            job = new DA.Job();
-          }
-          jobDto.CopyToEntity(job);
-          if (!exists) {
-            jobDao.Save(job);
-          }
-          pm.SubmitChanges();
-        });
-      }
-    }
-
     public void UpdateJob(DT.Job jobDto, IEnumerable<Guid> resourceIds) {
       RoleVerifier.AuthenticateForAnyRole(HiveRoles.Administrator, HiveRoles.Client);
@@ -468 +425 @@
           if (!exists) {
             // add resource assignments
-            job.AssignedJobResources.AddRange(resourceIds.Select(
-              x => new DA.AssignedJobResource {
-                ResourceId = x
+            if (resourceIds != null && resourceIds.Any()) {
+              job.AssignedJobResources.AddRange(resourceIds.Select(
+                x => new DA.AssignedJobResource {
+                  ResourceId = x
               }));
+            }
             jobDao.Save(job);
-          } else {
+          } else if(resourceIds != null) {
             var addedJobResourceIds = resourceIds.Except(job.AssignedJobResources.Select(x => x.ResourceId));
             var removedJobResourceIds = job.AssignedJobResources
@@ -716 +675 @@
     #region Project Methods
     public Guid AddProject(DT.Project projectDto) {
-      RoleVerifier.AuthenticateForAnyRole(HiveRoles.Administrator);
+      if (projectDto == null) return Guid.Empty;
+      RoleVerifier.AuthenticateForAnyRole(HiveRoles.Administrator, HiveRoles.Client);
+      // check if current (non-admin) user is owner of one of projectDto's-parents
+      if (!RoleVerifier.IsInRole(HiveRoles.Administrator)) {
+        if(projectDto.ParentProjectId.HasValue) {
+          AuthorizationManager.AuthorizeForProjectAdministration(projectDto.ParentProjectId.Value);
+        } else {
+          throw new SecurityException(NOT_AUTHORIZED_USERPROJECT);
+        }
+      }
+      
       var pm = PersistenceManager;
       using (new PerformanceLogger("AddProject")) {
@@ -729 +698 @@
 
     public void UpdateProject(DT.Project projectDto) {
-      RoleVerifier.AuthenticateForAnyRole(HiveRoles.Administrator);
+      RoleVerifier.AuthenticateForAnyRole(HiveRoles.Administrator, HiveRoles.Client);
+      // check if current (non-admin) user is owner of the project or the projectDto's-parents
+      if (!RoleVerifier.IsInRole(HiveRoles.Administrator)) {
+        AuthorizationManager.AuthorizeForProjectAdministration(projectDto.Id);
+      }
+
       var pm = PersistenceManager;
       using (new PerformanceLogger("UpdateProject")) {
@@ -746 +720 @@
 
     public void DeleteProject(Guid projectId) {
-      RoleVerifier.AuthenticateForAnyRole(HiveRoles.Administrator);
+      RoleVerifier.AuthenticateForAnyRole(HiveRoles.Administrator, HiveRoles.Client);
+      // check if current (non-admin) user is owner of the project or the projectDto's-parents
+      if (!RoleVerifier.IsInRole(HiveRoles.Administrator)) {
+        AuthorizationManager.AuthorizeForProjectAdministration(projectId);
+      }
+
       var pm = PersistenceManager;
       using (new PerformanceLogger("DeleteProject")) {
@@ -759 +738 @@
     }
 
+    // query granted project for use (i.e. to calculate on)
     public DT.Project GetProject(Guid projectId) {
       RoleVerifier.AuthenticateForAnyRole(HiveRoles.Administrator, HiveRoles.Client);
@@ -764 +744 @@
       using (new PerformanceLogger("GetProject")) {
         var projectDao = pm.ProjectDao;
-        return pm.UseTransaction(() => projectDao.GetById(projectId).ToDto());
-      }
-    }
-
-    // query granted projects for use (i.e. to calculate on)
-    public IEnumerable<DT.Project> GetProjects() {
-      RoleVerifier.AuthenticateForAnyRole(HiveRoles.Administrator, HiveRoles.Client);
-      //bool isAdministrator = RoleVerifier.IsInRole(HiveRoles.Administrator);
-      var pm = PersistenceManager;
-      using (new PerformanceLogger("GetProjects")) {
-        var projectDao = pm.ProjectDao;
-        //var projectPermissionDao = pm.ProjectPermissionDao;
         var currentUserId = UserManager.CurrentUserId;
         var userAndGroupIds = new List<Guid> { currentUserId };
@@ -781 +749 @@
         return pm.UseTransaction(() => {
           return projectDao.GetUsageGrantedProjectsForUser(userAndGroupIds)
+          .Where(x => x.ProjectId == projectId)
+          .Select(x => x.ToDto())
+          .SingleOrDefault(); 
+        });
+      }
+    }
+
+    // query granted projects for use (i.e. to calculate on)
+    public IEnumerable<DT.Project> GetProjects() {
+      RoleVerifier.AuthenticateForAnyRole(HiveRoles.Administrator, HiveRoles.Client);
+      var pm = PersistenceManager;
+      using (new PerformanceLogger("GetProjects")) {
+        var projectDao = pm.ProjectDao;
+        var currentUserId = UserManager.CurrentUserId;
+        var userAndGroupIds = new List<Guid> { currentUserId };
+        userAndGroupIds.AddRange(UserManager.GetUserGroupIdsOfUser(currentUserId));
+        return pm.UseTransaction(() => {
+          return projectDao.GetUsageGrantedProjectsForUser(userAndGroupIds)
             .Select(x => x.ToDto()).ToList();
         });
@@ -792 +778 @@
       using (new PerformanceLogger("GetProjectsForAdministration")) {
         var projectDao = pm.ProjectDao;
-        //var projectPermissionDao = pm.ProjectPermissionDao;
         
         return pm.UseTransaction(() => {
@@ -803 +788 @@
 
           }
-
-          //var projectPermissions = projectPermissionDao.GetAll();
-          //return projectDao.GetAll().ToList()
-          //  .Where(x => isAdministrator
-          //    || x.OwnerUserId == currentUserId
-          //    || UserManager.VerifyUser(currentUserId, projectPermissions
-          //        .Where(y => y.ProjectId == x.ProjectId)
-          //        .Select(z => z.GrantedUserId)
-          //        .ToList())
-          //    )
-          //  .Select(x => x.ToDto())
-          //  .ToList();
         });
       }
@@ -903 +876 @@
     }
 
-    public void GrantProjectPermissions(Guid projectId, List<Guid> grantedUserIds, bool cascading) {
+    private void GrantProjectPermissions(Guid projectId, List<Guid> grantedUserIds, bool cascading) {
       throw new NotImplementedException();
     }
 
-    public void RevokeProjectPermissions(Guid projectId, List<Guid> grantedUserIds, bool cascading) {
+    private void RevokeProjectPermissions(Guid projectId, List<Guid> grantedUserIds, bool cascading) {
       RoleVerifier.AuthenticateForAnyRole(HiveRoles.Administrator, HiveRoles.Client);
       if (projectId == null || grantedUserIds == null || !grantedUserIds.Any()) return;
@@ -960 +933 @@
           var project = projectDao.GetById(projectId);
           var assignedResources = project.AssignedProjectResources.Select(x => x.ResourceId).ToArray();
-          //var addedAssignments = resourceIds.Except(assignedResources);
           var removedAssignments = assignedResources.Except(resourceIds);
 
@@ -1000 +972 @@
               // remove project assignments
               if (reassignCascading) {
-                //assignedProjectResourceDao.DeleteByProjectIds(new List<Guid> { p.ProjectId });
                 p.AssignedProjectResources.Clear();
               } else {
-                //assignedProjectResourceDao.DeleteByProjectIdAndResourceIds(p.ProjectId, removedAssignments);
-                //for(int i = p.AssignedProjectResources.Count -1; i >= 0; i--) {
-                //  if(removedAssignments.Contains(p.AssignedProjectResources[i].ResourceId)) {
-                //    p.AssignedProjectResources.RemoveAt(i);
-                //  }
-                //}
                 foreach (var item in p.AssignedProjectResources
                   .Where(x => removedAssignments.Contains(x.ResourceId))
@@ -1032 +997 @@
     }
 
-    public void AssignProjectResources(Guid projectId, List<Guid> resourceIds, bool cascading) {
+    private void AssignProjectResources(Guid projectId, List<Guid> resourceIds, bool cascading) {
       throw new NotImplementedException();
     }
@@ -1038 +1003 @@
     // basic: unassign resourceIds from project and depending jobs
     // cascading: unassign resourceIds from all child-projects and their depending jobs
-    public void UnassignProjectResources(Guid projectId, List<Guid> resourceIds, bool cascading) {
+    private void UnassignProjectResources(Guid projectId, List<Guid> resourceIds, bool cascading) {
       RoleVerifier.AuthenticateForAnyRole(HiveRoles.Administrator, HiveRoles.Client);
       if (projectId == null || resourceIds == null || !resourceIds.Any()) return;
@@ -1103 +1068 @@
 
     public Guid AddSlaveGroup(DT.SlaveGroup slaveGroupDto) {
-      RoleVerifier.AuthenticateForAnyRole(HiveRoles.Administrator, HiveRoles.Client);
+      RoleVerifier.AuthenticateForAnyRole(HiveRoles.Administrator);
       var pm = PersistenceManager;
       using (new PerformanceLogger("AddSlaveGroup")) {
@@ -1127 +1092 @@
     }
 
+    // query granted slaves for use (i.e. to calculate on)
     public IEnumerable<DT.Slave> GetSlaves() {
       RoleVerifier.AuthenticateForAnyRole(HiveRoles.Administrator, HiveRoles.Client);
@@ -1158 +1124 @@
     }
 
+    // query granted slave groups for use (i.e. to calculate on)
     public IEnumerable<DT.SlaveGroup> GetSlaveGroups() {
       RoleVerifier.AuthenticateForAnyRole(HiveRoles.Administrator, HiveRoles.Client);
@@ -1189 +1156 @@
     }
 
+    // query granted slaves for resource administration
     public IEnumerable<DT.Slave> GetSlavesForAdministration() {
       RoleVerifier.AuthenticateForAnyRole(HiveRoles.Administrator, HiveRoles.Client);
@@ -1222 +1190 @@
     }
 
+    // query granted slave groups for resource administration
     public IEnumerable<DT.SlaveGroup> GetSlaveGroupsForAdministration() {
       RoleVerifier.AuthenticateForAnyRole(HiveRoles.Administrator, HiveRoles.Client);
@@ -1257 +1226 @@
     public void UpdateSlave(DT.Slave slaveDto) {
       RoleVerifier.AuthenticateForAnyRole(HiveRoles.Administrator, HiveRoles.Client);
+      if (slaveDto == null) return;
       AuthorizationManager.AuthorizeForResourceAdministration(slaveDto.Id);
       var pm = PersistenceManager;
@@ -1275 +1245 @@
     public void UpdateSlaveGroup(DT.SlaveGroup slaveGroupDto) {
       RoleVerifier.AuthenticateForAnyRole(HiveRoles.Administrator, HiveRoles.Client);
+      if (slaveGroupDto == null) return;
       AuthorizationManager.AuthorizeForResourceAdministration(slaveGroupDto.Id);
       var pm = PersistenceManager;

branches/HiveProjectManagement/HeuristicLab.Services.Hive/3.3/Manager/AuthorizationManager.cs

@@ -37 +37 @@
     private const string NOT_AUTHORIZED_USERJOB = "Current user is not authorized to access the requested job";
     private const string NOT_AUTHORIZED_PROJECTRESOURCE = "Selected project is not authorized to access the requested resource";
+    private const string USER_NOT_IDENTIFIED = "User could not be identified";
+    private const string TASK_NOT_EXISTENT = "Queried task could not be found";
 
     private IPersistenceManager PersistenceManager {
@@ -61 +63 @@
       pm.UseTransaction(() => {
         var task = taskDao.GetById(taskId);
-        if (task == null) throw new SecurityException(NOT_AUTHORIZED_USERRESOURCE);
+        if (task == null) throw new SecurityException(TASK_NOT_EXISTENT);
         AuthorizeJob(pm, task.JobId, requiredPermission);
       });
@@ -151 +153 @@
     // note: administrators and project owner are NOT automatically granted
     public void AuthorizeUserForProjectUse(Guid userId, Guid projectId) {
-      if (userId == null || projectId == null) return;
+      if(userId == null || userId == Guid.Empty) {
+        throw new SecurityException(USER_NOT_IDENTIFIED);
+      }
+      if(projectId == null) return;
+
       var pm = PersistenceManager;
       // collect current and group membership Ids

branches/HiveProjectManagement/HeuristicLab.Services.Hive/3.3/ServiceContracts/IHiveService.cs

@@ -78 +78 @@
     IEnumerable<Job> GetJobs();
 
-    //[OperationContract]
-    //Guid AddJob(Job jobDto);
-
     [OperationContract]
     Guid AddJob(Job jobDto, IEnumerable<Guid> resourceIds);
-
-    //[OperationContract]
-    //void UpdateJob(Job jobDto);
 
     [OperationContract]
@@ -166 +160 @@
     void SaveProjectPermissions(Guid projectId, List<Guid> grantedUserIds, bool reassign, bool cascading, bool reassignCascading);
 
-    [OperationContract]
-    void GrantProjectPermissions(Guid projectId, List<Guid> grantedUserIds, bool cascading);
-
-    [OperationContract]
-    void RevokeProjectPermissions(Guid projectId, List<Guid> grantedUserIds, bool cascading);
+    //[OperationContract]
+    //void GrantProjectPermissions(Guid projectId, List<Guid> grantedUserIds, bool cascading);
+
+    //[OperationContract]
+    //void RevokeProjectPermissions(Guid projectId, List<Guid> grantedUserIds, bool cascading);
 
     [OperationContract]
@@ -180 +174 @@
     void SaveProjectResourceAssignments(Guid projectId, List<Guid> resourceIds, bool reassign, bool cascading, bool reassignCascading);
 
-    [OperationContract]
-    void AssignProjectResources(Guid projectId, List<Guid> resourceIds, bool cascading);
-
-    [OperationContract]
-    void UnassignProjectResources(Guid projectId, List<Guid> resourceIds, bool cascading);
+    //[OperationContract]
+    //void AssignProjectResources(Guid projectId, List<Guid> resourceIds, bool cascading);
+
+    //[OperationContract]
+    //void UnassignProjectResources(Guid projectId, List<Guid> resourceIds, bool cascading);
 
     [OperationContract]