Changeset 16141 for branches/2817-BinPackingSpeedup/HeuristicLab.Services.Hive/3.3/Manager/AuthorizationManager.cs
- Timestamp:
- 09/14/18 11:47:37 (6 years ago)
- Location:
- branches/2817-BinPackingSpeedup
- Files:
-
- 3 edited
Legend:
- Unmodified
- Added
- Removed
-
branches/2817-BinPackingSpeedup
- Property svn:mergeinfo changed
-
branches/2817-BinPackingSpeedup/HeuristicLab.Services.Hive
- Property svn:mergeinfo changed
-
branches/2817-BinPackingSpeedup/HeuristicLab.Services.Hive/3.3/Manager/AuthorizationManager.cs
r16140 r16141 27 27 using DA = HeuristicLab.Services.Hive.DataAccess; 28 28 using DT = HeuristicLab.Services.Hive.DataTransfer; 29 29 using System.Collections.Generic; 30 using System.Linq; 30 31 31 32 namespace HeuristicLab.Services.Hive { 32 33 public class AuthorizationManager : IAuthorizationManager { 33 34 34 private const string NOT_AUTHORIZED = "Current user is not authorized to access the requested resource"; 35 private const string NOT_AUTHORIZED_USERRESOURCE = "Current user is not authorized to access the requested resource"; 36 private const string NOT_AUTHORIZED_USERPROJECT = "Current user is not authorized to access the requested project"; 37 private const string NOT_AUTHORIZED_USERJOB = "Current user is not authorized to access the requested job"; 38 private const string NOT_AUTHORIZED_PROJECTRESOURCE = "Selected project is not authorized to access the requested resource"; 39 private const string USER_NOT_IDENTIFIED = "User could not be identified"; 40 private const string TASK_NOT_EXISTENT = "Queried task could not be found"; 41 private const string PROJECT_NOT_EXISTENT = "Queried project could not be found"; 42 35 43 private IPersistenceManager PersistenceManager { 36 44 get { return ServiceLocator.Instance.PersistenceManager; } … … 47 55 public void Authorize(Guid userId) { 48 56 if (userId != ServiceLocator.Instance.UserManager.CurrentUserId) 49 throw new SecurityException(NOT_AUTHORIZED );57 throw new SecurityException(NOT_AUTHORIZED_USERRESOURCE); 50 58 } 51 59 … … 56 64 pm.UseTransaction(() => { 57 65 var task = taskDao.GetById(taskId); 58 if (task == null) throw new SecurityException( NOT_AUTHORIZED);66 if (task == null) throw new SecurityException(TASK_NOT_EXISTENT); 59 67 AuthorizeJob(pm, task.JobId, requiredPermission); 60 68 }); … … 68 76 } 69 77 78 // authorize if user is admin or resource owner 70 79 public void AuthorizeForResourceAdministration(Guid resourceId) { 80 var currentUserId = UserManager.CurrentUserId; 71 81 var pm = PersistenceManager; 72 82 var resourceDao = pm.ResourceDao; 73 83 pm.UseTransaction(() => { 74 84 var resource = resourceDao.GetById(resourceId); 75 if (resource == null) throw new SecurityException(NOT_AUTHORIZED); 76 if (resource.OwnerUserId != UserManager.CurrentUserId 85 if (resource == null) throw new SecurityException(NOT_AUTHORIZED_USERRESOURCE); 86 87 if (resource.OwnerUserId != currentUserId 77 88 && !RoleVerifier.IsInRole(HiveRoles.Administrator)) { 78 throw new SecurityException(NOT_AUTHORIZED); 79 } 80 }); 89 throw new SecurityException(NOT_AUTHORIZED_USERRESOURCE); 90 } 91 }); 92 } 93 94 // authorize if user is admin, project owner or owner of a parent project 95 public void AuthorizeForProjectAdministration(Guid projectId, bool parentalOwnership) { 96 if (projectId == null || projectId == Guid.Empty) return; 97 var currentUserId = UserManager.CurrentUserId; 98 var pm = PersistenceManager; 99 var projectDao = pm.ProjectDao; 100 pm.UseTransaction(() => { 101 var project = projectDao.GetById(projectId); 102 if (project == null) throw new ArgumentException(PROJECT_NOT_EXISTENT); 103 if(!RoleVerifier.IsInRole(HiveRoles.Administrator) 104 && !project.ParentProjectId.HasValue) { 105 throw new SecurityException(NOT_AUTHORIZED_USERPROJECT); 106 } 107 108 List<Project> projectBranch = null; 109 if(parentalOwnership) projectBranch = projectDao.GetParentProjectsById(projectId).ToList(); 110 else projectBranch = projectDao.GetCurrentAndParentProjectsById(projectId).ToList(); 111 112 if(!RoleVerifier.IsInRole(HiveRoles.Administrator) 113 && !projectBranch.Select(x => x.OwnerUserId).Contains(currentUserId)) { 114 throw new SecurityException(NOT_AUTHORIZED_USERPROJECT); 115 } 116 }); 117 } 118 119 // authorize if user is admin, or owner of a project or parent project, for which the resources are assigned to 120 public void AuthorizeForProjectResourceAdministration(Guid projectId, IEnumerable<Guid> resourceIds) { 121 if (projectId == null || projectId == Guid.Empty) return; 122 var currentUserId = UserManager.CurrentUserId; 123 var pm = PersistenceManager; 124 var projectDao = pm.ProjectDao; 125 var resourceDao = pm.ResourceDao; 126 var assignedProjectResourceDao = pm.AssignedProjectResourceDao; 127 pm.UseTransaction(() => { 128 // check if project exists (not necessary) 129 var project = projectDao.GetById(projectId); 130 if (project == null) throw new SecurityException(NOT_AUTHORIZED_USERRESOURCE); 131 132 // check if resourceIds exist 133 if (resourceIds != null && resourceIds.Any() && !resourceDao.CheckExistence(resourceIds)) 134 throw new SecurityException(NOT_AUTHORIZED_USERRESOURCE); 135 136 // check if user is admin 137 if (RoleVerifier.IsInRole(HiveRoles.Administrator)) return; 138 139 // check if user is owner of the project or a parent project 140 var projectBranch = projectDao.GetCurrentAndParentProjectsById(projectId).ToList(); 141 if (!projectBranch.Select(x => x.OwnerUserId).Contains(currentUserId) 142 && !RoleVerifier.IsInRole(HiveRoles.Administrator)) { 143 throw new SecurityException(NOT_AUTHORIZED_USERPROJECT); 144 } 145 146 // check if the all argument resourceIds are among the assigned resources of the owned projects 147 var grantedResourceIds = assignedProjectResourceDao.GetAllGrantedResourceIdsOfOwnedParentProjects(projectId, currentUserId).ToList(); 148 if(resourceIds.Except(grantedResourceIds).Any()) { 149 throw new SecurityException(NOT_AUTHORIZED_USERRESOURCE); 150 } 151 }); 152 } 153 154 // Check if a project is authorized to use a list of resources 155 public void AuthorizeProjectForResourcesUse(Guid projectId, IEnumerable<Guid> resourceIds) { 156 if (projectId == null || projectId == Guid.Empty || resourceIds == null || !resourceIds.Any()) return; 157 var pm = PersistenceManager; 158 var assignedProjectResourceDao = pm.AssignedProjectResourceDao; 159 if (!assignedProjectResourceDao.CheckProjectGrantedForResources(projectId, resourceIds)) 160 throw new SecurityException(NOT_AUTHORIZED_PROJECTRESOURCE); 161 } 162 163 // Check if current user is authorized to use an explicit project (e.g. in order to add a job) 164 // note: administrators and project owner are NOT automatically granted 165 public void AuthorizeUserForProjectUse(Guid userId, Guid projectId) { 166 if(userId == null || userId == Guid.Empty) { 167 throw new SecurityException(USER_NOT_IDENTIFIED); 168 } 169 if(projectId == null) return; 170 171 var pm = PersistenceManager; 172 // collect current and group membership Ids 173 var userAndGroupIds = new List<Guid>() { userId }; 174 userAndGroupIds.AddRange(UserManager.GetUserGroupIdsOfUser(userId)); 175 // perform the actual check 176 var projectPermissionDao = pm.ProjectPermissionDao; 177 if (!projectPermissionDao.CheckUserGrantedForProject(projectId, userAndGroupIds)) { 178 throw new SecurityException(NOT_AUTHORIZED_USERPROJECT); 179 } 81 180 } 82 181 … … 93 192 94 193 private void AuthorizeJob(IPersistenceManager pm, Guid jobId, DT.Permission requiredPermission) { 194 var currentUserId = UserManager.CurrentUserId; 95 195 var requiredPermissionEntity = requiredPermission.ToEntity(); 96 DA.Permission permission = GetPermissionForJob(pm, jobId, UserManager.CurrentUserId);196 DA.Permission permission = GetPermissionForJob(pm, jobId, currentUserId); 97 197 if (permission == Permission.NotAllowed 98 198 || ((permission != requiredPermissionEntity) && requiredPermissionEntity == Permission.Full)) { 99 throw new SecurityException(NOT_AUTHORIZED );199 throw new SecurityException(NOT_AUTHORIZED_USERJOB); 100 200 } 101 201 }
Note: See TracChangeset
for help on using the changeset viewer.