Free cookie consent management tool by TermsFeed Policy Generator

Ignore:
Timestamp:
06/21/11 16:51:03 (13 years ago)
Author:
cneumuel
Message:

#1233

  • created user interface for experiment sharing
  • created UserManager which provides access to the users
  • inserted a lot of security and authorization checks serverside
  • minor fixes in experiment manager
Location:
branches/HeuristicLab.Hive-3.4/sources/HeuristicLab.Services.Hive/3.4
Files:
7 added
4 deleted
5 edited

Legend:

Unmodified
Added
Removed
  • branches/HeuristicLab.Hive-3.4/sources/HeuristicLab.Services.Hive/3.4/HeuristicLab.Services.Hive-3.4.csproj

    r6369 r6463  
    103103  </ItemGroup>
    104104  <ItemGroup>
     105    <Compile Include="Interfaces\IUserManager.cs" />
     106    <Compile Include="Manager\UserManager.cs" />
    105107    <None Include="HeuristicLabServicesHivePlugin.cs.frame" />
    106108    <None Include="Properties\AssemblyInfo.cs.frame" />
    107     <Compile Include="AuthenticationManager.cs" />
    108     <Compile Include="HeartbeatManager.cs" />
     109    <Compile Include="Manager\AuthenticationManager.cs" />
     110    <Compile Include="Manager\HeartbeatManager.cs" />
    109111    <Compile Include="Interfaces\IAuthenticationManager.cs" />
    110112    <Compile Include="Interfaces\ILifecycleManager.cs" />
    111113    <Compile Include="Interfaces\IServiceLocator.cs" />
    112     <Compile Include="AuthorizationManager.cs" />
     114    <Compile Include="Manager\AuthorizationManager.cs" />
    113115    <Compile Include="HeuristicLabServicesHivePlugin.cs" />
    114     <Compile Include="LifecycleManager.cs" />
     116    <Compile Include="Manager\LifecycleManager.cs" />
    115117    <Compile Include="HiveRoles.cs" />
    116118    <Compile Include="HiveService.cs" />
  • branches/HeuristicLab.Hive-3.4/sources/HeuristicLab.Services.Hive/3.4/HiveService.cs

    r6457 r6463  
    5151      get { return ServiceLocator.Instance.LifecycleManager; }
    5252    }
     53    private IUserManager userManager {
     54      get { return ServiceLocator.Instance.UserManager; }
     55    }
    5356    private HeartbeatManager heartbeatManager {
    5457      get { return ServiceLocator.Instance.HeartbeatManager; }
     
    6669        }
    6770        dao.AddJobData(jobData);
    68         dao.UpdateJobState(job.Id, JobState.Waiting, null, author.UserId, null);
     71        dao.UpdateJobState(job.Id, JobState.Waiting, null, userManager.CurrentUserId, null);
    6972        return jobData.JobId;
    7073      }, false, true);
     
    8184    public Job GetJob(Guid jobId) {
    8285      authen.AuthenticateForAnyRole(HiveRoles.Administrator, HiveRoles.Client, HiveRoles.Slave);
     86      author.AuthorizeForJob(jobId, Permission.Read);
    8387      return dao.GetJob(jobId);
    8488    }
     
    8690    public IEnumerable<Job> GetJobs() {
    8791      authen.AuthenticateForAnyRole(HiveRoles.Administrator, HiveRoles.Client);
    88       return dao.GetJobs(x => true);
     92      var jobs = dao.GetJobs(x => true);
     93      foreach (var job in jobs)
     94        author.AuthorizeForJob(job.Id, Permission.Read);
     95      return jobs;
    8996    }
    9097
    9198    public IEnumerable<LightweightJob> GetLightweightJobs(IEnumerable<Guid> jobIds) {
    9299      authen.AuthenticateForAnyRole(HiveRoles.Administrator, HiveRoles.Client);
    93       return dao.GetJobs(x => jobIds.Contains(x.JobId)).Select(x => new LightweightJob(x)).ToArray();
     100      var jobs = dao.GetJobs(x => jobIds.Contains(x.JobId)).Select(x => new LightweightJob(x)).ToArray();
     101      foreach (var job in jobs)
     102        author.AuthorizeForJob(job.Id, Permission.Read);
     103      return jobs;
    94104    }
    95105
    96106    public IEnumerable<LightweightJob> GetLightweightChildJobs(Guid? parentJobId, bool recursive, bool includeParent) {
    97107      authen.AuthenticateForAnyRole(HiveRoles.Administrator, HiveRoles.Client);
    98       return GetChildJobs(parentJobId, recursive, includeParent).Select(x => new LightweightJob(x)).ToArray();
     108      var jobs = GetChildJobs(parentJobId, recursive, includeParent).Select(x => new LightweightJob(x)).ToArray();
     109      foreach (var job in jobs)
     110        author.AuthorizeForJob(job.Id, Permission.Read);
     111      return jobs;
    99112    }
    100113
    101114    public IEnumerable<LightweightJob> GetLightweightExperimentJobs(Guid experimentId) {
    102115      authen.AuthenticateForAnyRole(HiveRoles.Administrator, HiveRoles.Client);
     116      author.AuthorizeForExperiment(experimentId, Permission.Read);
    103117      return dao.GetJobs(x => x.HiveExperimentId == experimentId).Select(x => new LightweightJob(x)).ToArray();
    104118    }
     
    106120    public JobData GetJobData(Guid jobId) {
    107121      authen.AuthenticateForAnyRole(HiveRoles.Administrator, HiveRoles.Client, HiveRoles.Slave);
     122      author.AuthorizeForJob(jobId, Permission.Read);
    108123      return dao.GetJobData(jobId);
    109124    }
     
    111126    public void UpdateJob(Job job) {
    112127      authen.AuthenticateForAnyRole(HiveRoles.Administrator, HiveRoles.Client, HiveRoles.Slave);
     128      author.AuthorizeForJob(job.Id, Permission.Full);
    113129      trans.UseTransaction(() => {
    114130        dao.UpdateJob(job);
     
    118134    public void UpdateJobData(Job job, JobData jobData) {
    119135      authen.AuthenticateForAnyRole(HiveRoles.Administrator, HiveRoles.Client, HiveRoles.Slave);
     136      author.AuthorizeForJob(job.Id, Permission.Full);
     137      author.AuthorizeForJob(jobData.JobId, Permission.Full);
    120138      //trans.UseTransaction(() => { // cneumuel: try without transaction
    121139      jobData.LastUpdate = DateTime.Now;
     
    127145    public void DeleteJob(Guid jobId) {
    128146      authen.AuthenticateForAnyRole(HiveRoles.Administrator, HiveRoles.Client, HiveRoles.Slave);
     147      author.AuthorizeForJob(jobId, Permission.Full);
    129148      trans.UseTransaction(() => {
    130149        dao.DeleteJob(jobId);
     
    134153    public void DeleteChildJobs(Guid parentJobId) {
    135154      authen.AuthenticateForAnyRole(HiveRoles.Administrator, HiveRoles.Client, HiveRoles.Slave);
     155      author.AuthorizeForJob(parentJobId, Permission.Full);
    136156      trans.UseTransaction(() => {
    137157        var jobs = GetChildJobs(parentJobId, true, false);
     
    145165    public Job UpdateJobState(Guid jobId, JobState jobState, Guid? slaveId, Guid? userId, string exception) {
    146166      authen.AuthenticateForAnyRole(HiveRoles.Administrator, HiveRoles.Client, HiveRoles.Slave);
     167      author.AuthorizeForJob(jobId, Permission.Full);
    147168      return trans.UseTransaction(() => {
    148169        Job job = dao.UpdateJobState(jobId, jobState, slaveId, userId, exception);
     
    166187    public IEnumerable<Job> GetJobsByResourceId(Guid resourceId) {
    167188      authen.AuthenticateForAnyRole(HiveRoles.Administrator);
    168       return trans.UseTransaction(() => dao.GetJobsByResourceId(resourceId));
     189      var jobs = trans.UseTransaction(() => dao.GetJobsByResourceId(resourceId));
     190      foreach(var job in jobs)
     191        author.AuthorizeForJob(job.Id, Permission.Read);
     192      return jobs;
    169193    }
    170194    #endregion
     
    173197    public void StopJob(Guid jobId) {
    174198      authen.AuthenticateForAnyRole(HiveRoles.Administrator, HiveRoles.Client, HiveRoles.Slave);
     199      author.AuthorizeForJob(jobId, Permission.Full);
    175200      trans.UseTransaction(() => {
    176201        var job = dao.GetJob(jobId);
     
    188213    public void PauseJob(Guid jobId) {
    189214      authen.AuthenticateForAnyRole(HiveRoles.Administrator, HiveRoles.Client, HiveRoles.Slave);
     215      author.AuthorizeForJob(jobId, Permission.Full);
    190216      trans.UseTransaction(() => {
    191217        var job = dao.GetJob(jobId);
     
    201227    public void RestartJob(Guid jobId) {
    202228      authen.AuthenticateForAnyRole(HiveRoles.Administrator, HiveRoles.Client, HiveRoles.Slave);
    203       trans.UseTransaction(() => {
    204         Job job = dao.UpdateJobState(jobId, JobState.Waiting, null, author.UserId, string.Empty);
     229      author.AuthorizeForJob(jobId, Permission.Full);
     230      trans.UseTransaction(() => {
     231        Job job = dao.UpdateJobState(jobId, JobState.Waiting, null, userManager.CurrentUserId, string.Empty);
    205232        job.Command = null;
    206233        dao.UpdateJob(job);
     
    212239    public HiveExperiment GetHiveExperiment(Guid id) {
    213240      authen.AuthenticateForAnyRole(HiveRoles.Administrator, HiveRoles.Client);
     241      author.AuthorizeForExperiment(id, Permission.Read);
    214242      var hiveExperiment = dao.GetHiveExperiments(x =>
    215243            x.HiveExperimentId == id
    216             && (x.OwnerUserId == author.UserId || x.HiveExperimentPermissions.Count(hep => hep.Permission != Permission.NotAllowed && hep.GrantedUserId == author.UserId) > 0)
     244            && (x.OwnerUserId == userManager.CurrentUserId || x.HiveExperimentPermissions.Count(hep => hep.Permission != Permission.NotAllowed && hep.GrantedUserId == userManager.CurrentUserId) > 0)
    217245          ).FirstOrDefault();
    218       if (hiveExperiment != null) hiveExperiment.Permission = dao.GetPermissionForExperiment(hiveExperiment.Id, author.UserId);
     246      if (hiveExperiment != null) hiveExperiment.Permission = dao.GetPermissionForExperiment(hiveExperiment.Id, userManager.CurrentUserId);
    219247      return hiveExperiment;
    220248    }
     
    222250    public IEnumerable<HiveExperiment> GetHiveExperiments() {
    223251      authen.AuthenticateForAnyRole(HiveRoles.Administrator, HiveRoles.Client);
    224       var hiveExperiments = dao.GetHiveExperiments(x => x.OwnerUserId == author.UserId || x.HiveExperimentPermissions.Count(hep => hep.Permission != Permission.NotAllowed && hep.GrantedUserId == author.UserId) > 0);
    225       foreach (var he in hiveExperiments)
    226         he.Permission = dao.GetPermissionForExperiment(he.Id, author.UserId);
     252      var hiveExperiments = dao.GetHiveExperiments(x => x.OwnerUserId == userManager.CurrentUserId || x.HiveExperimentPermissions.Count(hep => hep.Permission != Permission.NotAllowed && hep.GrantedUserId == userManager.CurrentUserId) > 0);
     253      foreach (var he in hiveExperiments) {
     254        author.AuthorizeForExperiment(he.Id, Permission.Read);
     255        he.Permission = dao.GetPermissionForExperiment(he.Id, userManager.CurrentUserId);
     256      }
    227257      return hiveExperiments;
    228258    }
     
    231261      authen.AuthenticateForAnyRole(HiveRoles.Administrator);
    232262      var hiveExperiments = dao.GetHiveExperiments(x => true);
    233       foreach (var he in hiveExperiments)
    234         he.Permission = dao.GetPermissionForExperiment(he.Id, author.UserId);
     263      foreach (var he in hiveExperiments) // no authorization here, since this method is admin-only! (admin is allowed to read all jobs)
     264        he.Permission = dao.GetPermissionForExperiment(he.Id, userManager.CurrentUserId);
    235265      return hiveExperiments;
    236266    }
     
    239269      authen.AuthenticateForAnyRole(HiveRoles.Administrator, HiveRoles.Client);
    240270      return trans.UseTransaction(() => {
    241         hiveExperimentDto.OwnerUserId = author.UserId;
     271        hiveExperimentDto.OwnerUserId = userManager.CurrentUserId;
    242272        hiveExperimentDto.DateCreated = DateTime.Now;
    243273        return dao.AddHiveExperiment(hiveExperimentDto);
     
    247277    public void UpdateHiveExperiment(HiveExperiment hiveExperimentDto) {
    248278      authen.AuthenticateForAnyRole(HiveRoles.Administrator, HiveRoles.Client);
     279      author.AuthorizeForExperiment(hiveExperimentDto.Id, Permission.Full);
    249280      trans.UseTransaction(() => {
    250281        dao.UpdateHiveExperiment(hiveExperimentDto);
     
    254285    public void DeleteHiveExperiment(Guid hiveExperimentId) {
    255286      authen.AuthenticateForAnyRole(HiveRoles.Administrator, HiveRoles.Client);
     287      author.AuthorizeForExperiment(hiveExperimentId, Permission.Full);
    256288      trans.UseTransaction(() => {
    257289        HiveExperiment he = dao.GetHiveExperiment(hiveExperimentId);
     
    267299        HiveExperiment he = dao.GetHiveExperiment(hiveExperimentId);
    268300        if (he == null) throw new FaultException<FaultReason>(new FaultReason("Could not find hiveExperiment with id " + hiveExperimentId));
    269         Permission perm = dao.GetPermissionForExperiment(he.Id, author.UserId);
     301        Permission perm = dao.GetPermissionForExperiment(he.Id, userManager.CurrentUserId);
    270302        if (perm != Permission.Full) throw new FaultException<FaultReason>(new FaultReason("Not allowed to grant permissions for this experiment"));
    271         dao.SetHiveExperimentPermission(hiveExperimentId, author.UserId, grantedUserId, permission);
     303        dao.SetHiveExperimentPermission(hiveExperimentId, userManager.CurrentUserId, grantedUserId, permission);
    272304      });
    273305    }
     
    278310        HiveExperiment he = dao.GetHiveExperiment(hiveExperimentId);
    279311        if (he == null) throw new FaultException<FaultReason>(new FaultReason("Could not find hiveExperiment with id " + hiveExperimentId));
    280         Permission perm = dao.GetPermissionForExperiment(he.Id, author.UserId);
     312        Permission perm = dao.GetPermissionForExperiment(he.Id, userManager.CurrentUserId);
    281313        if (perm != Permission.Full) throw new FaultException<FaultReason>(new FaultReason("Not allowed to grant permissions for this experiment"));
    282         dao.SetHiveExperimentPermission(hiveExperimentId, author.UserId, grantedUserId, Permission.NotAllowed);
     314        dao.SetHiveExperimentPermission(hiveExperimentId, userManager.CurrentUserId, grantedUserId, Permission.NotAllowed);
     315      });
     316    }
     317    public IEnumerable<HiveExperimentPermission> GetHiveExperimentPermissions(Guid hiveExperimentId) {
     318      authen.AuthenticateForAnyRole(HiveRoles.Administrator, HiveRoles.Client);
     319      return trans.UseTransaction(() => {
     320        Permission currentUserPermission = dao.GetPermissionForExperiment(hiveExperimentId, userManager.CurrentUserId);
     321        if (currentUserPermission != Permission.Full) throw new FaultException<FaultReason>(new FaultReason("Not allowed to list permissions for this experiment"));
     322        return dao.GetHiveExperimentPermissions(x => x.HiveExperimentId == hiveExperimentId);
    283323      });
    284324    }
     
    341381      authen.AuthenticateForAnyRole(HiveRoles.Administrator, HiveRoles.Client);
    342382      return trans.UseTransaction(() => {
    343         plugin.UserId = author.UserId;
     383        plugin.UserId = userManager.CurrentUserId;
    344384        plugin.DateCreated = DateTime.Now;
    345385
     
    369409    }
    370410
     411    // note: this is a possible security problem, since a client is able to download all plugins, which may contain proprietary code (which can be disassembled)
     412    //       change so that only with GetPluginByHash it is possible to download plugins
    371413    public IEnumerable<Plugin> GetPlugins() {
    372414      authen.AuthenticateForAnyRole(HiveRoles.Administrator, HiveRoles.Client, HiveRoles.Slave);
     
    376418    public IEnumerable<PluginData> GetPluginDatas(List<Guid> pluginIds) {
    377419      authen.AuthenticateForAnyRole(HiveRoles.Administrator, HiveRoles.Client, HiveRoles.Slave);
    378       List<PluginData> pluginDatas = new List<PluginData>();
    379 
     420      var pluginDatas = new List<PluginData>();
    380421      return trans.UseTransaction(() => {
    381422        foreach (Guid guid in pluginIds) {
     
    394435    #region Slave Methods
    395436    public Guid AddSlave(Slave slave) {
    396       authen.AuthenticateForAnyRole(HiveRoles.Administrator, HiveRoles.Client);
     437      authen.AuthenticateForAnyRole(HiveRoles.Administrator);
    397438      return trans.UseTransaction(() => dao.AddSlave(slave));
    398439    }
    399440
    400441    public Guid AddSlaveGroup(SlaveGroup slaveGroup) {
    401       authen.AuthenticateForAnyRole(HiveRoles.Administrator, HiveRoles.Client);
     442      authen.AuthenticateForAnyRole(HiveRoles.Administrator);
    402443      return trans.UseTransaction(() => dao.AddSlaveGroup(slaveGroup));
    403444    }
    404445
    405446    public Slave GetSlave(Guid slaveId) {
    406       authen.AuthenticateForAnyRole(HiveRoles.Administrator, HiveRoles.Client);
     447      authen.AuthenticateForAnyRole(HiveRoles.Administrator);
    407448      return dao.GetSlave(slaveId);
    408449    }
    409450
    410451    public SlaveGroup GetSlaveGroup(Guid slaveGroupId) {
    411       authen.AuthenticateForAnyRole(HiveRoles.Administrator, HiveRoles.Client);
     452      authen.AuthenticateForAnyRole(HiveRoles.Administrator);
    412453      return dao.GetSlaveGroup(slaveGroupId);
    413454    }
    414455
    415456    public IEnumerable<Slave> GetSlaves() {
    416       authen.AuthenticateForAnyRole(HiveRoles.Administrator, HiveRoles.Client);
     457      authen.AuthenticateForAnyRole(HiveRoles.Administrator);
    417458      return dao.GetSlaves(x => true);
    418459    }
    419460
    420461    public IEnumerable<SlaveGroup> GetSlaveGroups() {
    421       authen.AuthenticateForAnyRole(HiveRoles.Administrator, HiveRoles.Client);
     462      authen.AuthenticateForAnyRole(HiveRoles.Administrator);
    422463      return dao.GetSlaveGroups(x => true);
    423464    }
    424465
    425466    public void UpdateSlave(Slave slave) {
    426       authen.AuthenticateForAnyRole(HiveRoles.Administrator, HiveRoles.Client);
     467      authen.AuthenticateForAnyRole(HiveRoles.Administrator);
    427468      trans.UseTransaction(() => {
    428469        dao.UpdateSlave(slave);
     
    431472
    432473    public void UpdateSlaveGroup(SlaveGroup slaveGroup) {
    433       authen.AuthenticateForAnyRole(HiveRoles.Administrator, HiveRoles.Client);
     474      authen.AuthenticateForAnyRole(HiveRoles.Administrator);
    434475      trans.UseTransaction(() => {
    435476        dao.UpdateSlaveGroup(slaveGroup);
     
    438479
    439480    public void DeleteSlave(Guid slaveId) {
    440       authen.AuthenticateForAnyRole(HiveRoles.Administrator, HiveRoles.Client);
     481      authen.AuthenticateForAnyRole(HiveRoles.Administrator);
    441482      trans.UseTransaction(() => {
    442483        dao.DeleteSlave(slaveId);
     
    445486
    446487    public void DeleteSlaveGroup(Guid slaveGroupId) {
    447       authen.AuthenticateForAnyRole(HiveRoles.Administrator, HiveRoles.Client);
     488      authen.AuthenticateForAnyRole(HiveRoles.Administrator);
    448489      trans.UseTransaction(() => {
    449490        dao.DeleteSlaveGroup(slaveGroupId);
     
    452493
    453494    public void AddResourceToGroup(Guid slaveGroupId, Guid resourceId) {
    454       authen.AuthenticateForAnyRole(HiveRoles.Administrator, HiveRoles.Client);
     495      authen.AuthenticateForAnyRole(HiveRoles.Administrator);
    455496      trans.UseTransaction(() => {
    456497        var resource = dao.GetResource(resourceId);
     
    461502
    462503    public void RemoveResourceFromGroup(Guid slaveGroupId, Guid resourceId) {
    463       authen.AuthenticateForAnyRole(HiveRoles.Administrator, HiveRoles.Client);
     504      authen.AuthenticateForAnyRole(HiveRoles.Administrator);
    464505      trans.UseTransaction(() => {
    465506        var resource = dao.GetResource(resourceId);
     
    470511
    471512    public Guid GetResourceId(string resourceName) {
    472       authen.AuthenticateForAnyRole(HiveRoles.Administrator, HiveRoles.Client);
     513      authen.AuthenticateForAnyRole(HiveRoles.Administrator);
    473514      return trans.UseTransaction(() => {
    474515        var resource = dao.GetResources(x => x.Name == resourceName).FirstOrDefault();
     
    482523
    483524    public void TriggerLifecycle(bool force) {
     525      authen.AuthenticateForAnyRole(HiveRoles.Administrator, HiveRoles.Slave);
    484526      // use a serializable transaction here to ensure not two threads execute this simultaniously (mutex-lock would not work since IIS may use multiple AppDomains)
    485527      trans.UseTransaction(() => {
     
    519561    #endregion
    520562
     563    #region User Methods
     564    public string GetUsernameByUserId(Guid userId) {
     565      authen.AuthenticateForAnyRole(HiveRoles.Administrator, HiveRoles.Client);
     566      var user = ServiceLocator.Instance.UserManager.GetUserById(userId);
     567      if (user != null)
     568        return user.UserName;
     569      else
     570        return null;
     571    }
     572
     573    public Guid GetUserIdByUsername(string username) {
     574      authen.AuthenticateForAnyRole(HiveRoles.Administrator, HiveRoles.Client);
     575      var user = ServiceLocator.Instance.UserManager.GetUserByName(username);
     576      return user != null ? (Guid)user.ProviderUserKey : Guid.Empty;
     577    }
     578    #endregion
     579
    521580    #region Helper Methods
    522581    private IEnumerable<Job> GetChildJobs(Guid? parentJobId, bool recursive, bool includeParent) {
  • branches/HeuristicLab.Hive-3.4/sources/HeuristicLab.Services.Hive/3.4/Interfaces/IAuthorizationManager.cs

    r6372 r6463  
    2121
    2222using System;
     23using HeuristicLab.Services.Hive.Common.DataTransfer;
    2324namespace HeuristicLab.Services.Hive {
    2425  public interface IAuthorizationManager {
    25     /// <summary>
    26     /// Returns the UserId of the currently authenticated user
    27     /// </summary>
    28     Guid UserId { get; }
    29 
    3026    /// <summary>
    3127    /// Compares the current UserId with the given userId and takes appropriate actions if the mismatch
    3228    /// </summary>
    3329    void Authorize(Guid userId);
     30
     31    void AuthorizeForJob(Guid jobId, Permission requiredPermission);
     32
     33    void AuthorizeForExperiment(Guid experimentId, Permission requiredPermission);
    3434  }
    3535}
  • branches/HeuristicLab.Hive-3.4/sources/HeuristicLab.Services.Hive/3.4/Interfaces/IServiceLocator.cs

    r6452 r6463  
    2929    ILifecycleManager LifecycleManager { get; }
    3030    ITransactionManager TransactionManager { get; }
     31    IUserManager UserManager { get; }
    3132    HeartbeatManager HeartbeatManager { get; }
    3233  }
  • branches/HeuristicLab.Hive-3.4/sources/HeuristicLab.Services.Hive/3.4/ServiceLocator.cs

    r6452 r6463  
    7474    }
    7575
     76    private IUserManager userManager;
     77    public IUserManager UserManager {
     78      get {
     79        if (userManager == null) userManager = new UserManager();
     80        return userManager;
     81      }
     82    }
     83
    7684    private HeartbeatManager heartbeatManager;
    7785    public HeartbeatManager HeartbeatManager {
Note: See TracChangeset for help on using the changeset viewer.