Free cookie consent management tool by TermsFeed Policy Generator

Ignore:
Timestamp:
12/15/18 12:07:16 (6 years ago)
Author:
gkronber
Message:

#2925 merged changes r15972:16382 from trunk to branch

Location:
branches/2925_AutoDiffForDynamicalModels
Files:
3 edited

Legend:

Unmodified
Added
Removed
  • branches/2925_AutoDiffForDynamicalModels

  • branches/2925_AutoDiffForDynamicalModels/HeuristicLab.Services.Hive

  • branches/2925_AutoDiffForDynamicalModels/HeuristicLab.Services.Hive/3.3/Manager/AuthorizationManager.cs

    r15583 r16386  
    2727using DA = HeuristicLab.Services.Hive.DataAccess;
    2828using DT = HeuristicLab.Services.Hive.DataTransfer;
    29 
     29using System.Collections.Generic;
     30using System.Linq;
    3031
    3132namespace HeuristicLab.Services.Hive {
    3233  public class AuthorizationManager : IAuthorizationManager {
    3334
    34     private const string NOT_AUTHORIZED = "Current user is not authorized to access the requested resource";
     35    private const string NOT_AUTHORIZED_USERRESOURCE = "Current user is not authorized to access the requested resource";
     36    private const string NOT_AUTHORIZED_USERPROJECT = "Current user is not authorized to access the requested project";
     37    private const string NOT_AUTHORIZED_USERJOB = "Current user is not authorized to access the requested job";
     38    private const string NOT_AUTHORIZED_PROJECTRESOURCE = "Selected project is not authorized to access the requested resource";
     39    private const string USER_NOT_IDENTIFIED = "User could not be identified";
     40    private const string JOB_NOT_EXISTENT = "Queried job could not be found";
     41    private const string TASK_NOT_EXISTENT = "Queried task could not be found";
     42    private const string PROJECT_NOT_EXISTENT = "Queried project could not be found";
     43
    3544    private IPersistenceManager PersistenceManager {
    3645      get { return ServiceLocator.Instance.PersistenceManager; }
     
    4756    public void Authorize(Guid userId) {
    4857      if (userId != ServiceLocator.Instance.UserManager.CurrentUserId)
    49         throw new SecurityException(NOT_AUTHORIZED);
     58        throw new SecurityException(NOT_AUTHORIZED_USERRESOURCE);
    5059    }
    5160
    5261    public void AuthorizeForTask(Guid taskId, DT.Permission requiredPermission) {
    5362      if (ServiceLocator.Instance.RoleVerifier.IsInRole(HiveRoles.Slave)) return; // slave-users can access all tasks
     63      if (ServiceLocator.Instance.RoleVerifier.IsInRole(HiveRoles.Administrator)) return; // administrator can access all tasks
     64      var currentUserId = UserManager.CurrentUserId;
    5465      var pm = PersistenceManager;
    5566      var taskDao = pm.TaskDao;
     67      var projectDao = pm.ProjectDao;
    5668      pm.UseTransaction(() => {
    5769        var task = taskDao.GetById(taskId);
    58         if (task == null) throw new SecurityException(NOT_AUTHORIZED);
     70        if (task == null) throw new SecurityException(TASK_NOT_EXISTENT);
     71
     72        // check if user is granted to administer a job-parenting project
     73        var administrationGrantedProjects = projectDao
     74          .GetAdministrationGrantedProjectsForUser(currentUserId)
     75          .ToList();
     76        if (administrationGrantedProjects.Contains(task.Job.Project)) return;
     77
    5978        AuthorizeJob(pm, task.JobId, requiredPermission);
    6079      });
     
    6281
    6382    public void AuthorizeForJob(Guid jobId, DT.Permission requiredPermission) {
    64       var pm = PersistenceManager;
    65       pm.UseTransaction(() => {
     83      if (ServiceLocator.Instance.RoleVerifier.IsInRole(HiveRoles.Administrator)) return; // administrator can access all jobs
     84      var currentUserId = UserManager.CurrentUserId;
     85      var pm = PersistenceManager;
     86      var jobDao = pm.JobDao;
     87      var projectDao = pm.ProjectDao;
     88      pm.UseTransaction(() => {
     89        var job = jobDao.GetById(jobId);
     90        if(job == null) throw new SecurityException(JOB_NOT_EXISTENT);
     91
     92        // check if user is granted to administer a job-parenting project
     93        var administrationGrantedProjects = projectDao
     94          .GetAdministrationGrantedProjectsForUser(currentUserId)
     95          .ToList();
     96        if (administrationGrantedProjects.Contains(job.Project)) return;
     97
    6698        AuthorizeJob(pm, jobId, requiredPermission);
    6799      });
    68100    }
    69101
     102    // authorize if user is admin or resource owner
    70103    public void AuthorizeForResourceAdministration(Guid resourceId) {
     104      var currentUserId = UserManager.CurrentUserId;
    71105      var pm = PersistenceManager;
    72106      var resourceDao = pm.ResourceDao;
    73107      pm.UseTransaction(() => {
    74108        var resource = resourceDao.GetById(resourceId);
    75         if (resource == null) throw new SecurityException(NOT_AUTHORIZED);
    76         if (resource.OwnerUserId != UserManager.CurrentUserId
     109        if (resource == null) throw new SecurityException(NOT_AUTHORIZED_USERRESOURCE);
     110
     111        if (resource.OwnerUserId != currentUserId
    77112            && !RoleVerifier.IsInRole(HiveRoles.Administrator)) {
    78           throw new SecurityException(NOT_AUTHORIZED);
    79         }
    80       });
     113          throw new SecurityException(NOT_AUTHORIZED_USERRESOURCE);
     114        }
     115      });
     116    }
     117
     118    // authorize if user is admin, project owner or owner of a parent project
     119    public void AuthorizeForProjectAdministration(Guid projectId, bool parentalOwnership) {
     120      if (projectId == null || projectId == Guid.Empty) return;
     121      var currentUserId = UserManager.CurrentUserId;
     122      var pm = PersistenceManager;
     123      var projectDao = pm.ProjectDao;
     124      pm.UseTransaction(() => {
     125        var project = projectDao.GetById(projectId);
     126        if (project == null) throw new ArgumentException(PROJECT_NOT_EXISTENT);
     127        if(!RoleVerifier.IsInRole(HiveRoles.Administrator)
     128          && !project.ParentProjectId.HasValue) {
     129          throw new SecurityException(NOT_AUTHORIZED_USERPROJECT);
     130        }
     131
     132        List<Project> projectBranch = null;
     133        if(parentalOwnership) projectBranch = projectDao.GetParentProjectsById(projectId).ToList();
     134        else projectBranch = projectDao.GetCurrentAndParentProjectsById(projectId).ToList();
     135
     136        if(!RoleVerifier.IsInRole(HiveRoles.Administrator)
     137            && !projectBranch.Select(x => x.OwnerUserId).Contains(currentUserId)) {
     138          throw new SecurityException(NOT_AUTHORIZED_USERPROJECT);
     139        }
     140      });
     141    }
     142
     143    // authorize if user is admin, or owner of a project or parent project, for which the resources are assigned to
     144    public void AuthorizeForProjectResourceAdministration(Guid projectId, IEnumerable<Guid> resourceIds) {
     145      if (projectId == null || projectId == Guid.Empty) return;
     146      var currentUserId = UserManager.CurrentUserId;
     147      var pm = PersistenceManager;
     148      var projectDao = pm.ProjectDao;
     149      var resourceDao = pm.ResourceDao;
     150      var assignedProjectResourceDao = pm.AssignedProjectResourceDao;
     151      pm.UseTransaction(() => {
     152        // check if project exists (not necessary)
     153        var project = projectDao.GetById(projectId);
     154        if (project == null) throw new SecurityException(NOT_AUTHORIZED_USERRESOURCE);
     155
     156        // check if resourceIds exist
     157        if (resourceIds != null && resourceIds.Any() && !resourceDao.CheckExistence(resourceIds))
     158          throw new SecurityException(NOT_AUTHORIZED_USERRESOURCE);
     159
     160        // check if user is admin
     161        if (RoleVerifier.IsInRole(HiveRoles.Administrator)) return;
     162
     163        // check if user is owner of the project or a parent project
     164        var projectBranch = projectDao.GetCurrentAndParentProjectsById(projectId).ToList();
     165        if (!projectBranch.Select(x => x.OwnerUserId).Contains(currentUserId)
     166            && !RoleVerifier.IsInRole(HiveRoles.Administrator)) {
     167          throw new SecurityException(NOT_AUTHORIZED_USERPROJECT);
     168        }
     169
     170        // check if the all argument resourceIds are among the assigned resources of the owned projects
     171        var grantedResourceIds = assignedProjectResourceDao.GetAllGrantedResourceIdsOfOwnedParentProjects(projectId, currentUserId).ToList();
     172        if(resourceIds.Except(grantedResourceIds).Any()) {
     173          throw new SecurityException(NOT_AUTHORIZED_USERRESOURCE);
     174        }
     175      });
     176    }
     177
     178    // Check if a project is authorized to use a list of resources
     179    public void AuthorizeProjectForResourcesUse(Guid projectId, IEnumerable<Guid> resourceIds) {
     180      if (projectId == null || projectId == Guid.Empty || resourceIds == null || !resourceIds.Any()) return;
     181      var pm = PersistenceManager;
     182      var assignedProjectResourceDao = pm.AssignedProjectResourceDao;
     183      if (!assignedProjectResourceDao.CheckProjectGrantedForResources(projectId, resourceIds))
     184        throw new SecurityException(NOT_AUTHORIZED_PROJECTRESOURCE);
     185    }
     186
     187    // Check if current user is authorized to use an explicit project (e.g. in order to add a job)
     188    // note: administrators and project owner are NOT automatically granted
     189    public void AuthorizeUserForProjectUse(Guid userId, Guid projectId) {
     190      if(userId == null || userId == Guid.Empty) {
     191        throw new SecurityException(USER_NOT_IDENTIFIED);
     192      }
     193      if(projectId == null) return;
     194
     195      var pm = PersistenceManager;
     196      // collect current and group membership Ids
     197      var userAndGroupIds = new List<Guid>() { userId };
     198      userAndGroupIds.AddRange(UserManager.GetUserGroupIdsOfUser(userId));
     199      // perform the actual check
     200      var projectPermissionDao = pm.ProjectPermissionDao;
     201      if (!projectPermissionDao.CheckUserGrantedForProject(projectId, userAndGroupIds)) {
     202        throw new SecurityException(NOT_AUTHORIZED_USERPROJECT);
     203      }
    81204    }
    82205
     
    93216
    94217    private void AuthorizeJob(IPersistenceManager pm, Guid jobId, DT.Permission requiredPermission) {
     218      var currentUserId = UserManager.CurrentUserId;
    95219      var requiredPermissionEntity = requiredPermission.ToEntity();
    96       DA.Permission permission = GetPermissionForJob(pm, jobId, UserManager.CurrentUserId);
     220      DA.Permission permission = GetPermissionForJob(pm, jobId, currentUserId);
    97221      if (permission == Permission.NotAllowed
    98222          || ((permission != requiredPermissionEntity) && requiredPermissionEntity == Permission.Full)) {
    99         throw new SecurityException(NOT_AUTHORIZED);
     223        throw new SecurityException(NOT_AUTHORIZED_USERJOB);
    100224      }
    101225    }
Note: See TracChangeset for help on using the changeset viewer.