Changeset 2065 for trunk/sources/HeuristicLab.Hive.Server.Core/3.2

Timestamp:

06/19/09 12:06:02 (15 years ago)

Author:

mbecirov

Message:

#586: Added authorization components.

Location:

trunk/sources/HeuristicLab.Hive.Server.Core/3.2

Files:

• Authorization (added)
• Authorization/HivePermissionManager.cs (added)
• Authorization/HivePermissionPolicy.xml (added)
• Authorization/HivePermissionSet.xml (added)
• Authorization/HivePermissionSet.xsd (added)
• Authorization/HivePermissions.cs (added)
• Authorization/PermissionCollection.cs (added)
• Authorization/PermissionContext.cs (added)
• Authorization/PermissionException.cs (added)
• Authorization/Policy.cs (added)
• Authorization/PolicyCollection.cs (added)
• HeuristicLab.Hive.Server.Core-3.2.csproj (modified) (5 diffs)
• InternalInterfaces/IHivePermissionManager.cs (modified) (1 diff)
• PermissiveSecurityConstants.cs (deleted)
• ServerConsoleFacade.cs (modified) (4 diffs)

trunk/sources/HeuristicLab.Hive.Server.Core/3.2/HeuristicLab.Hive.Server.Core-3.2.csproj

@@ -85 +85 @@
   </ItemGroup>
   <ItemGroup>
+    <Compile Include="Authorization\HivePermissions.cs" />
+    <Compile Include="Authorization\PermissionCollection.cs" />
+    <Compile Include="Authorization\PermissionContext.cs" />
+    <Compile Include="Authorization\PermissionException.cs" />
+    <Compile Include="Authorization\Policy.cs" />
+    <Compile Include="Authorization\PolicyCollection.cs" />
     <Compile Include="ClientCommunicator.cs" />
     <Compile Include="ClientFacade.cs" />
@@ -90 +96 @@
     <Compile Include="DbTestApp.cs" />
     <Compile Include="ExecutionEngineFacade.cs" />
-    <Compile Include="HivePermissionManager.cs" />
+    <Compile Include="Authorization\HivePermissionManager.cs" />
     <Compile Include="HiveServerCorePlugin.cs" />
     <Compile Include="HiveServerMessages.Designer.cs" />
@@ -98 +104 @@
     <Compile Include="JobManager.cs" />
     <Compile Include="LifecycleManager.cs" />
-    <Compile Include="PermissiveSecurityConstants.cs" />
     <Compile Include="Properties\AssemblyInfo.cs" />
     <Compile Include="ServerConsoleFacade.cs" />
@@ -112 +117 @@
     <None Include="app.config" />
     <None Include="HeuristicLab.snk" />
+    <EmbeddedResource Include="Authorization\HivePermissionSet.xsd">
+      <CopyToOutputDirectory>Always</CopyToOutputDirectory>
+    </EmbeddedResource>
     <None Include="Properties\AssemblyInfo.frame" />
     <None Include="Properties\Settings.settings">
@@ -148 +156 @@
     </ProjectReference>
   </ItemGroup>
+  <ItemGroup>
+    <EmbeddedResource Include="Authorization\HivePermissionSet.xml">
+      <CopyToOutputDirectory>Always</CopyToOutputDirectory>
+    </EmbeddedResource>
+  </ItemGroup>
+  <ItemGroup>
+    <Content Include="Authorization\HivePermissionPolicy.xml" />
+  </ItemGroup>
   <Import Project="$(MSBuildToolsPath)\Microsoft.CSharp.targets" />
   <!-- To modify your build process, add your task inside one of the targets below and uncomment it. 

trunk/sources/HeuristicLab.Hive.Server.Core/3.2/InternalInterfaces/IHivePermissionManager.cs

@@ -2 +2 @@
 namespace HeuristicLab.Hive.Server.Core.InternalInterfaces {
   public interface IHivePermissionManager {
+    /// <summary>
+    /// Checks user permission against predefined policy in database.
+    /// </summary>
+    /// <param name="permission">the name of policy defined in xml-file</param>
+    /// <param name="sessionID">the users current session ID</param>
+    /// <param name="entityID"></param>
+    /// <exception cref="PermissionException">thrown when access denied</exception>
+    void Authorize(string policyName, Guid sessionID, Guid entityID);
     bool CheckPermission(Guid sessionID, Guid actionID, Guid entityId);
     Guid Login(string username, string password);

trunk/sources/HeuristicLab.Hive.Server.Core/3.2/ServerConsoleFacade.cs

@@ -29 +29 @@
 using HeuristicLab.Security.Contracts.Interfaces;
 using HeuristicLab.Hive.Server.Core.InternalInterfaces;
+using System.ServiceModel;
+
 
 namespace HeuristicLab.Hive.Server.Core {
@@ -45 +47 @@
       Response resp = new Response();
      
-      /*
       sessionID = secMan.Login(username, password);
       if (sessionID == Guid.Empty) {
@@ -55 +56 @@
           ApplicationConstants.RESPONSE_SERVERCONSOLE_LOGIN_SUCCESS;
       }
-      */ 
-      sessionID = Guid.Empty;
-      resp.Success = true;
-      resp.StatusMessage = ApplicationConstants.RESPONSE_SERVERCONSOLE_LOGIN_SUCCESS;
       return resp;
     }
@@ -64 +61 @@
 
     public ResponseList<ClientInfo> GetAllClients() {
-      if (HasPermission(PermissiveSecurityAction.List_AllClients))
-        return clientManager.GetAllClients();
-      else
-        throw new PermissionException();
+      secMan.Authorize("AccessClients", sessionID, Guid.Empty);
+      return clientManager.GetAllClients();
     }
 
     public ResponseList<ClientGroup> GetAllClientGroups() {
-      if (HasPermission(PermissiveSecurityAction.List_AllClientGroups))
-        return clientManager.GetAllClientGroups();
-      else
-        throw new PermissionException();
+      secMan.Authorize("AccessClientGroup", sessionID, Guid.Empty);
+      return clientManager.GetAllClientGroups();
     }
 
     public ResponseList<UpTimeStatistics> GetAllUpTimeStatistics() {
-      if (HasPermission(PermissiveSecurityAction.Show_Statistics))
-        return clientManager.GetAllUpTimeStatistics();
-      else
-        throw new PermissionException();
+      secMan.Authorize("AccessStatistics", sessionID, Guid.Empty);
+      return clientManager.GetAllUpTimeStatistics();
     }
 
     public ResponseObject<ClientGroup> AddClientGroup(ClientGroup clientGroup) {
-      if (HasPermission(PermissiveSecurityAction.Add_ClientGroup))
-        return clientManager.AddClientGroup(clientGroup);
-      else
-        throw new PermissionException();
+      secMan.Authorize("AddClientGroup", sessionID, Guid.Empty);
+      return clientManager.AddClientGroup(clientGroup);
     }
 
     public Response AddResourceToGroup(Guid clientGroupId, Resource resource) {
-      if (HasPermission(PermissiveSecurityAction.Add_Resource))
-        return clientManager.AddResourceToGroup(clientGroupId, resource);
-      else
-        throw new PermissionException();
+      secMan.Authorize("AddResource", sessionID, Guid.Empty);                
+      return clientManager.AddResourceToGroup(clientGroupId, resource);
     }
 
     public Response DeleteResourceFromGroup(Guid clientGroupId, Guid resourceId) {
-      if (HasPermission(PermissiveSecurityAction.Delete_Resource))
         return clientManager.DeleteResourceFromGroup(clientGroupId, resourceId);
-      else
-        throw new PermissionException();
     }
 
-
-    public ResponseList<HeuristicLab.Hive.Contracts.BusinessObjects.Job> GetAllJobs() {
-      if (HasPermission(PermissiveSecurityAction.Get_AllJobs))
-        return jobManager.GetAllJobs();
-      else
-        throw new PermissionException();
+    public ResponseList<Job> GetAllJobs() {
+      secMan.Authorize("AccessJobs", sessionID, Guid.Empty);
+      return jobManager.GetAllJobs();
     }
 
-    public ResponseObject<HeuristicLab.Hive.Contracts.BusinessObjects.Job> GetJobById(Guid jobId) {
+    public ResponseObject<Job> GetJobById(Guid jobId) {
+      secMan.Authorize("AccessJobs", sessionID, jobId);
       return jobManager.GetJobById(jobId);
     }
 
     public ResponseObject<Job> AddNewJob(Job job) {
-      if (HasPermission(PermissiveSecurityAction.Add_Job))
-        return jobManager.AddNewJob(job);
-      else
-        throw new PermissionException();
+      secMan.Authorize("AddJob", sessionID, job.Id);
+      return jobManager.AddNewJob(job);
     }
 
     public ResponseObject<JobResult> GetLastJobResultOf(Guid jobId, bool requested) {
-      if (HasPermission(PermissiveSecurityAction.Get_LastJobResult))
-        return jobManager.GetLastJobResultOf(jobId, requested);
-      else
-        throw new PermissionException();
+      secMan.Authorize("AccessJobResults", sessionID, jobId);
+      return jobManager.GetLastJobResultOf(jobId, requested);
     }
 
     public ResponseList<JobResult> GetAllJobResults(Guid jobId) {
-      if (HasPermission(PermissiveSecurityAction.Get_AllJobResults))
-        return jobManager.GetAllJobResults(jobId);
-      else
-        throw new PermissionException();
+      secMan.Authorize("AccessJobResults", sessionID, jobId);  
+      return jobManager.GetAllJobResults(jobId);
     }
 
     public Response RemoveJob(Guid jobId) {
-      if (HasPermission(PermissiveSecurityAction.Remove_Job))
-        return jobManager.RemoveJob(jobId);
-      else
-        throw new PermissionException();
+      secMan.Authorize("RemoveJob", sessionID, jobId);
+      return jobManager.RemoveJob(jobId);
     }
 
     public Response RequestSnapshot(Guid jobId) {
-      if (HasPermission(PermissiveSecurityAction.Request_Snapshot))
-        return jobManager.RequestSnapshot(jobId);
-      else
-        throw new PermissionException();
+      secMan.Authorize("AccessJobResults", sessionID, jobId);  
+      return jobManager.RequestSnapshot(jobId);
     }
 
     public Response AbortJob(Guid jobId) {
-      if (HasPermission(PermissiveSecurityAction.Abort_Job))
-        return jobManager.AbortJob(jobId);
-      else
-        throw new PermissionException();
+      secMan.Authorize("AbortJob", sessionID, Guid.Empty);
+      return jobManager.AbortJob(jobId);
     }
 
     public ResponseObject<List<ClientGroup>> GetAllGroupsOfResource(Guid resourceId) {
-      if (HasPermission(PermissiveSecurityAction.Get_AllGroupsOfResource))
-        return clientManager.GetAllGroupsOfResource(resourceId);
-      else
-        throw new PermissionException();      
+      secMan.Authorize("AccessUserGroup", sessionID, Guid.Empty);
+      return clientManager.GetAllGroupsOfResource(resourceId);
     }
 
     public Response DeleteClientGroup(Guid clientGroupId) {
+      secMan.Authorize("DeleteClientGroup", sessionID, Guid.Empty);
       return clientManager.DeleteClientGroup(clientGroupId);
     }
 
-  /*
-    private bool HasPermission(Guid action) {
-      return (sessionID == Guid.Empty) ? false : secMan.CheckPermission(sessionID, action, Guid.Empty);
-    }
-
-    private bool HasPermission(Guid action, Guid entityId) {
-      return (sessionID == Guid.Empty) ? false : secMan.CheckPermission(sessionID, action, entityId);
-    }
-   */
-
-    [Obsolete("Only for testing!")]
-    private bool HasPermission(Guid g) { return true; }
-    [Obsolete("Only for testing!")]
-    private bool HasPermission(Guid g, Guid f) { return true; }
-
-    public class PermissionException : Exception {
-      public PermissionException()
-        : base("Current user has insufficent rights for this action!") {
-      }
-
-      public PermissionException(string msg)
-        : base(msg) {
-      }
-
-
-    }
-
     public ResponseList<Project> GetAllProjects() {
+      secMan.Authorize("AccessProjects", sessionID, Guid.Empty);
       return jobManager.GetAllProjects();
     }
 
     public Response CreateProject(Project project) {
+      secMan.Authorize("CreateProjects", sessionID, Guid.Empty);
       return jobManager.CreateProject(project);
     }
 
     public Response ChangeProject(Project project) {
+      secMan.Authorize("ChangeProjects", sessionID, Guid.Empty);
       return jobManager.ChangeProject(project);
     }
 
     public Response DeleteProject(Guid projectId) {
+      secMan.Authorize("DeleteProjects", sessionID, projectId);
       return jobManager.DeleteProject(projectId);
     }
 
     public ResponseList<Job> GetJobsByProject(Guid projectId) {
+      secMan.Authorize("AccessJobs", sessionID, Guid.Empty);
       return jobManager.GetJobsByProject(projectId);
     }