Changeset 6463 for branches/HeuristicLab.Hive-3.4/sources/HeuristicLab.Services.Hive/3.4

Timestamp:

06/21/11 16:51:03 (13 years ago)

Author:

cneumuel

Message:

#1233

• created user interface for experiment sharing
• created UserManager which provides access to the users
• inserted a lot of security and authorization checks serverside
• minor fixes in experiment manager

Location:

branches/HeuristicLab.Hive-3.4/sources/HeuristicLab.Services.Hive/3.4

Files:

• AuthenticationManager.cs (deleted)
• AuthorizationManager.cs (deleted)
• HeartbeatManager.cs (deleted)
• HeuristicLab.Services.Hive-3.4.csproj (modified) (1 diff)
• HiveService.cs (modified) (34 diffs)
• Interfaces/IAuthorizationManager.cs (modified) (1 diff)
• Interfaces/IServiceLocator.cs (modified) (1 diff)
• Interfaces/IUserManager.cs (added)
• LifecycleManager.cs (deleted)
• Manager (added)
• Manager/AuthenticationManager.cs (added)
• Manager/AuthorizationManager.cs (added)
• Manager/HeartbeatManager.cs (added)
• Manager/LifecycleManager.cs (added)
• Manager/UserManager.cs (added)
• ServiceLocator.cs (modified) (1 diff)

branches/HeuristicLab.Hive-3.4/sources/HeuristicLab.Services.Hive/3.4/HeuristicLab.Services.Hive-3.4.csproj

@@ -103 +103 @@
   </ItemGroup>
   <ItemGroup>
+    <Compile Include="Interfaces\IUserManager.cs" />
+    <Compile Include="Manager\UserManager.cs" />
     <None Include="HeuristicLabServicesHivePlugin.cs.frame" />
     <None Include="Properties\AssemblyInfo.cs.frame" />
-    <Compile Include="AuthenticationManager.cs" />
-    <Compile Include="HeartbeatManager.cs" />
+    <Compile Include="Manager\AuthenticationManager.cs" />
+    <Compile Include="Manager\HeartbeatManager.cs" />
     <Compile Include="Interfaces\IAuthenticationManager.cs" />
     <Compile Include="Interfaces\ILifecycleManager.cs" />
     <Compile Include="Interfaces\IServiceLocator.cs" />
-    <Compile Include="AuthorizationManager.cs" />
+    <Compile Include="Manager\AuthorizationManager.cs" />
     <Compile Include="HeuristicLabServicesHivePlugin.cs" />
-    <Compile Include="LifecycleManager.cs" />
+    <Compile Include="Manager\LifecycleManager.cs" />
     <Compile Include="HiveRoles.cs" />
     <Compile Include="HiveService.cs" />

branches/HeuristicLab.Hive-3.4/sources/HeuristicLab.Services.Hive/3.4/HiveService.cs

@@ -51 +51 @@
       get { return ServiceLocator.Instance.LifecycleManager; }
     }
+    private IUserManager userManager {
+      get { return ServiceLocator.Instance.UserManager; }
+    }
     private HeartbeatManager heartbeatManager {
       get { return ServiceLocator.Instance.HeartbeatManager; }
@@ -66 +69 @@
         }
         dao.AddJobData(jobData);
-        dao.UpdateJobState(job.Id, JobState.Waiting, null, author.UserId, null);
+        dao.UpdateJobState(job.Id, JobState.Waiting, null, userManager.CurrentUserId, null);
         return jobData.JobId;
       }, false, true);
@@ -81 +84 @@
     public Job GetJob(Guid jobId) {
       authen.AuthenticateForAnyRole(HiveRoles.Administrator, HiveRoles.Client, HiveRoles.Slave);
+      author.AuthorizeForJob(jobId, Permission.Read);
       return dao.GetJob(jobId);
     }
@@ -86 +90 @@
     public IEnumerable<Job> GetJobs() {
       authen.AuthenticateForAnyRole(HiveRoles.Administrator, HiveRoles.Client);
-      return dao.GetJobs(x => true);
+      var jobs = dao.GetJobs(x => true);
+      foreach (var job in jobs)
+        author.AuthorizeForJob(job.Id, Permission.Read);
+      return jobs;
     }
 
     public IEnumerable<LightweightJob> GetLightweightJobs(IEnumerable<Guid> jobIds) {
       authen.AuthenticateForAnyRole(HiveRoles.Administrator, HiveRoles.Client);
-      return dao.GetJobs(x => jobIds.Contains(x.JobId)).Select(x => new LightweightJob(x)).ToArray();
+      var jobs = dao.GetJobs(x => jobIds.Contains(x.JobId)).Select(x => new LightweightJob(x)).ToArray();
+      foreach (var job in jobs)
+        author.AuthorizeForJob(job.Id, Permission.Read);
+      return jobs;
     }
 
     public IEnumerable<LightweightJob> GetLightweightChildJobs(Guid? parentJobId, bool recursive, bool includeParent) {
       authen.AuthenticateForAnyRole(HiveRoles.Administrator, HiveRoles.Client);
-      return GetChildJobs(parentJobId, recursive, includeParent).Select(x => new LightweightJob(x)).ToArray();
+      var jobs = GetChildJobs(parentJobId, recursive, includeParent).Select(x => new LightweightJob(x)).ToArray();
+      foreach (var job in jobs)
+        author.AuthorizeForJob(job.Id, Permission.Read);
+      return jobs;
     }
 
     public IEnumerable<LightweightJob> GetLightweightExperimentJobs(Guid experimentId) {
       authen.AuthenticateForAnyRole(HiveRoles.Administrator, HiveRoles.Client);
+      author.AuthorizeForExperiment(experimentId, Permission.Read);
       return dao.GetJobs(x => x.HiveExperimentId == experimentId).Select(x => new LightweightJob(x)).ToArray();
     }
@@ -106 +120 @@
     public JobData GetJobData(Guid jobId) {
       authen.AuthenticateForAnyRole(HiveRoles.Administrator, HiveRoles.Client, HiveRoles.Slave);
+      author.AuthorizeForJob(jobId, Permission.Read);
       return dao.GetJobData(jobId);
     }
@@ -111 +126 @@
     public void UpdateJob(Job job) {
       authen.AuthenticateForAnyRole(HiveRoles.Administrator, HiveRoles.Client, HiveRoles.Slave);
+      author.AuthorizeForJob(job.Id, Permission.Full);
       trans.UseTransaction(() => {
         dao.UpdateJob(job);
@@ -118 +134 @@
     public void UpdateJobData(Job job, JobData jobData) {
       authen.AuthenticateForAnyRole(HiveRoles.Administrator, HiveRoles.Client, HiveRoles.Slave);
+      author.AuthorizeForJob(job.Id, Permission.Full);
+      author.AuthorizeForJob(jobData.JobId, Permission.Full);
       //trans.UseTransaction(() => { // cneumuel: try without transaction
       jobData.LastUpdate = DateTime.Now;
@@ -127 +145 @@
     public void DeleteJob(Guid jobId) {
       authen.AuthenticateForAnyRole(HiveRoles.Administrator, HiveRoles.Client, HiveRoles.Slave);
+      author.AuthorizeForJob(jobId, Permission.Full);
       trans.UseTransaction(() => {
         dao.DeleteJob(jobId);
@@ -134 +153 @@
     public void DeleteChildJobs(Guid parentJobId) {
       authen.AuthenticateForAnyRole(HiveRoles.Administrator, HiveRoles.Client, HiveRoles.Slave);
+      author.AuthorizeForJob(parentJobId, Permission.Full);
       trans.UseTransaction(() => {
         var jobs = GetChildJobs(parentJobId, true, false);
@@ -145 +165 @@
     public Job UpdateJobState(Guid jobId, JobState jobState, Guid? slaveId, Guid? userId, string exception) {
       authen.AuthenticateForAnyRole(HiveRoles.Administrator, HiveRoles.Client, HiveRoles.Slave);
+      author.AuthorizeForJob(jobId, Permission.Full);
       return trans.UseTransaction(() => {
         Job job = dao.UpdateJobState(jobId, jobState, slaveId, userId, exception);
@@ -166 +187 @@
     public IEnumerable<Job> GetJobsByResourceId(Guid resourceId) {
       authen.AuthenticateForAnyRole(HiveRoles.Administrator);
-      return trans.UseTransaction(() => dao.GetJobsByResourceId(resourceId));
+      var jobs = trans.UseTransaction(() => dao.GetJobsByResourceId(resourceId));
+      foreach(var job in jobs)
+        author.AuthorizeForJob(job.Id, Permission.Read);
+      return jobs;
     }
     #endregion
@@ -173 +197 @@
     public void StopJob(Guid jobId) {
       authen.AuthenticateForAnyRole(HiveRoles.Administrator, HiveRoles.Client, HiveRoles.Slave);
+      author.AuthorizeForJob(jobId, Permission.Full);
       trans.UseTransaction(() => {
         var job = dao.GetJob(jobId);
@@ -188 +213 @@
     public void PauseJob(Guid jobId) {
       authen.AuthenticateForAnyRole(HiveRoles.Administrator, HiveRoles.Client, HiveRoles.Slave);
+      author.AuthorizeForJob(jobId, Permission.Full);
       trans.UseTransaction(() => {
         var job = dao.GetJob(jobId);
@@ -201 +227 @@
     public void RestartJob(Guid jobId) {
       authen.AuthenticateForAnyRole(HiveRoles.Administrator, HiveRoles.Client, HiveRoles.Slave);
-      trans.UseTransaction(() => {
-        Job job = dao.UpdateJobState(jobId, JobState.Waiting, null, author.UserId, string.Empty);
+      author.AuthorizeForJob(jobId, Permission.Full);
+      trans.UseTransaction(() => {
+        Job job = dao.UpdateJobState(jobId, JobState.Waiting, null, userManager.CurrentUserId, string.Empty);
         job.Command = null;
         dao.UpdateJob(job);
@@ -212 +239 @@
     public HiveExperiment GetHiveExperiment(Guid id) {
       authen.AuthenticateForAnyRole(HiveRoles.Administrator, HiveRoles.Client);
+      author.AuthorizeForExperiment(id, Permission.Read);
       var hiveExperiment = dao.GetHiveExperiments(x =>
             x.HiveExperimentId == id
-            && (x.OwnerUserId == author.UserId || x.HiveExperimentPermissions.Count(hep => hep.Permission != Permission.NotAllowed && hep.GrantedUserId == author.UserId) > 0)
+            && (x.OwnerUserId == userManager.CurrentUserId || x.HiveExperimentPermissions.Count(hep => hep.Permission != Permission.NotAllowed && hep.GrantedUserId == userManager.CurrentUserId) > 0)
           ).FirstOrDefault();
-      if (hiveExperiment != null) hiveExperiment.Permission = dao.GetPermissionForExperiment(hiveExperiment.Id, author.UserId);
+      if (hiveExperiment != null) hiveExperiment.Permission = dao.GetPermissionForExperiment(hiveExperiment.Id, userManager.CurrentUserId);
       return hiveExperiment;
     }
@@ -222 +250 @@
     public IEnumerable<HiveExperiment> GetHiveExperiments() {
       authen.AuthenticateForAnyRole(HiveRoles.Administrator, HiveRoles.Client);
-      var hiveExperiments = dao.GetHiveExperiments(x => x.OwnerUserId == author.UserId || x.HiveExperimentPermissions.Count(hep => hep.Permission != Permission.NotAllowed && hep.GrantedUserId == author.UserId) > 0);
-      foreach (var he in hiveExperiments)
-        he.Permission = dao.GetPermissionForExperiment(he.Id, author.UserId);
+      var hiveExperiments = dao.GetHiveExperiments(x => x.OwnerUserId == userManager.CurrentUserId || x.HiveExperimentPermissions.Count(hep => hep.Permission != Permission.NotAllowed && hep.GrantedUserId == userManager.CurrentUserId) > 0);
+      foreach (var he in hiveExperiments) {
+        author.AuthorizeForExperiment(he.Id, Permission.Read);
+        he.Permission = dao.GetPermissionForExperiment(he.Id, userManager.CurrentUserId);
+      }
       return hiveExperiments;
     }
@@ -231 +261 @@
       authen.AuthenticateForAnyRole(HiveRoles.Administrator);
       var hiveExperiments = dao.GetHiveExperiments(x => true);
-      foreach (var he in hiveExperiments)
-        he.Permission = dao.GetPermissionForExperiment(he.Id, author.UserId);
+      foreach (var he in hiveExperiments) // no authorization here, since this method is admin-only! (admin is allowed to read all jobs)
+        he.Permission = dao.GetPermissionForExperiment(he.Id, userManager.CurrentUserId);
       return hiveExperiments;
     }
@@ -239 +269 @@
       authen.AuthenticateForAnyRole(HiveRoles.Administrator, HiveRoles.Client);
       return trans.UseTransaction(() => {
-        hiveExperimentDto.OwnerUserId = author.UserId;
+        hiveExperimentDto.OwnerUserId = userManager.CurrentUserId;
         hiveExperimentDto.DateCreated = DateTime.Now;
         return dao.AddHiveExperiment(hiveExperimentDto);
@@ -247 +277 @@
     public void UpdateHiveExperiment(HiveExperiment hiveExperimentDto) {
       authen.AuthenticateForAnyRole(HiveRoles.Administrator, HiveRoles.Client);
+      author.AuthorizeForExperiment(hiveExperimentDto.Id, Permission.Full);
       trans.UseTransaction(() => {
         dao.UpdateHiveExperiment(hiveExperimentDto);
@@ -254 +285 @@
     public void DeleteHiveExperiment(Guid hiveExperimentId) {
       authen.AuthenticateForAnyRole(HiveRoles.Administrator, HiveRoles.Client);
+      author.AuthorizeForExperiment(hiveExperimentId, Permission.Full);
       trans.UseTransaction(() => {
         HiveExperiment he = dao.GetHiveExperiment(hiveExperimentId);
@@ -267 +299 @@
         HiveExperiment he = dao.GetHiveExperiment(hiveExperimentId);
         if (he == null) throw new FaultException<FaultReason>(new FaultReason("Could not find hiveExperiment with id " + hiveExperimentId));
-        Permission perm = dao.GetPermissionForExperiment(he.Id, author.UserId);
+        Permission perm = dao.GetPermissionForExperiment(he.Id, userManager.CurrentUserId);
         if (perm != Permission.Full) throw new FaultException<FaultReason>(new FaultReason("Not allowed to grant permissions for this experiment"));
-        dao.SetHiveExperimentPermission(hiveExperimentId, author.UserId, grantedUserId, permission);
+        dao.SetHiveExperimentPermission(hiveExperimentId, userManager.CurrentUserId, grantedUserId, permission);
       });
     }
@@ -278 +310 @@
         HiveExperiment he = dao.GetHiveExperiment(hiveExperimentId);
         if (he == null) throw new FaultException<FaultReason>(new FaultReason("Could not find hiveExperiment with id " + hiveExperimentId));
-        Permission perm = dao.GetPermissionForExperiment(he.Id, author.UserId);
+        Permission perm = dao.GetPermissionForExperiment(he.Id, userManager.CurrentUserId);
         if (perm != Permission.Full) throw new FaultException<FaultReason>(new FaultReason("Not allowed to grant permissions for this experiment"));
-        dao.SetHiveExperimentPermission(hiveExperimentId, author.UserId, grantedUserId, Permission.NotAllowed);
+        dao.SetHiveExperimentPermission(hiveExperimentId, userManager.CurrentUserId, grantedUserId, Permission.NotAllowed);
+      });
+    }
+    public IEnumerable<HiveExperimentPermission> GetHiveExperimentPermissions(Guid hiveExperimentId) {
+      authen.AuthenticateForAnyRole(HiveRoles.Administrator, HiveRoles.Client);
+      return trans.UseTransaction(() => {
+        Permission currentUserPermission = dao.GetPermissionForExperiment(hiveExperimentId, userManager.CurrentUserId);
+        if (currentUserPermission != Permission.Full) throw new FaultException<FaultReason>(new FaultReason("Not allowed to list permissions for this experiment"));
+        return dao.GetHiveExperimentPermissions(x => x.HiveExperimentId == hiveExperimentId);
       });
     }
@@ -341 +381 @@
       authen.AuthenticateForAnyRole(HiveRoles.Administrator, HiveRoles.Client);
       return trans.UseTransaction(() => {
-        plugin.UserId = author.UserId;
+        plugin.UserId = userManager.CurrentUserId;
         plugin.DateCreated = DateTime.Now;
 
@@ -369 +409 @@
     }
 
+    // note: this is a possible security problem, since a client is able to download all plugins, which may contain proprietary code (which can be disassembled)
+    //       change so that only with GetPluginByHash it is possible to download plugins
     public IEnumerable<Plugin> GetPlugins() {
       authen.AuthenticateForAnyRole(HiveRoles.Administrator, HiveRoles.Client, HiveRoles.Slave);
@@ -376 +418 @@
     public IEnumerable<PluginData> GetPluginDatas(List<Guid> pluginIds) {
       authen.AuthenticateForAnyRole(HiveRoles.Administrator, HiveRoles.Client, HiveRoles.Slave);
-      List<PluginData> pluginDatas = new List<PluginData>();
-
+      var pluginDatas = new List<PluginData>();
       return trans.UseTransaction(() => {
         foreach (Guid guid in pluginIds) {
@@ -394 +435 @@
     #region Slave Methods
     public Guid AddSlave(Slave slave) {
-      authen.AuthenticateForAnyRole(HiveRoles.Administrator, HiveRoles.Client);
+      authen.AuthenticateForAnyRole(HiveRoles.Administrator);
       return trans.UseTransaction(() => dao.AddSlave(slave));
     }
 
     public Guid AddSlaveGroup(SlaveGroup slaveGroup) {
-      authen.AuthenticateForAnyRole(HiveRoles.Administrator, HiveRoles.Client);
+      authen.AuthenticateForAnyRole(HiveRoles.Administrator);
       return trans.UseTransaction(() => dao.AddSlaveGroup(slaveGroup));
     }
 
     public Slave GetSlave(Guid slaveId) {
-      authen.AuthenticateForAnyRole(HiveRoles.Administrator, HiveRoles.Client);
+      authen.AuthenticateForAnyRole(HiveRoles.Administrator);
       return dao.GetSlave(slaveId);
     }
 
     public SlaveGroup GetSlaveGroup(Guid slaveGroupId) {
-      authen.AuthenticateForAnyRole(HiveRoles.Administrator, HiveRoles.Client);
+      authen.AuthenticateForAnyRole(HiveRoles.Administrator);
       return dao.GetSlaveGroup(slaveGroupId);
     }
 
     public IEnumerable<Slave> GetSlaves() {
-      authen.AuthenticateForAnyRole(HiveRoles.Administrator, HiveRoles.Client);
+      authen.AuthenticateForAnyRole(HiveRoles.Administrator);
       return dao.GetSlaves(x => true);
     }
 
     public IEnumerable<SlaveGroup> GetSlaveGroups() {
-      authen.AuthenticateForAnyRole(HiveRoles.Administrator, HiveRoles.Client);
+      authen.AuthenticateForAnyRole(HiveRoles.Administrator);
       return dao.GetSlaveGroups(x => true);
     }
 
     public void UpdateSlave(Slave slave) {
-      authen.AuthenticateForAnyRole(HiveRoles.Administrator, HiveRoles.Client);
+      authen.AuthenticateForAnyRole(HiveRoles.Administrator);
       trans.UseTransaction(() => {
         dao.UpdateSlave(slave);
@@ -431 +472 @@
 
     public void UpdateSlaveGroup(SlaveGroup slaveGroup) {
-      authen.AuthenticateForAnyRole(HiveRoles.Administrator, HiveRoles.Client);
+      authen.AuthenticateForAnyRole(HiveRoles.Administrator);
       trans.UseTransaction(() => {
         dao.UpdateSlaveGroup(slaveGroup);
@@ -438 +479 @@
 
     public void DeleteSlave(Guid slaveId) {
-      authen.AuthenticateForAnyRole(HiveRoles.Administrator, HiveRoles.Client);
+      authen.AuthenticateForAnyRole(HiveRoles.Administrator);
       trans.UseTransaction(() => {
         dao.DeleteSlave(slaveId);
@@ -445 +486 @@
 
     public void DeleteSlaveGroup(Guid slaveGroupId) {
-      authen.AuthenticateForAnyRole(HiveRoles.Administrator, HiveRoles.Client);
+      authen.AuthenticateForAnyRole(HiveRoles.Administrator);
       trans.UseTransaction(() => {
         dao.DeleteSlaveGroup(slaveGroupId);
@@ -452 +493 @@
 
     public void AddResourceToGroup(Guid slaveGroupId, Guid resourceId) {
-      authen.AuthenticateForAnyRole(HiveRoles.Administrator, HiveRoles.Client);
+      authen.AuthenticateForAnyRole(HiveRoles.Administrator);
       trans.UseTransaction(() => {
         var resource = dao.GetResource(resourceId);
@@ -461 +502 @@
 
     public void RemoveResourceFromGroup(Guid slaveGroupId, Guid resourceId) {
-      authen.AuthenticateForAnyRole(HiveRoles.Administrator, HiveRoles.Client);
+      authen.AuthenticateForAnyRole(HiveRoles.Administrator);
       trans.UseTransaction(() => {
         var resource = dao.GetResource(resourceId);
@@ -470 +511 @@
 
     public Guid GetResourceId(string resourceName) {
-      authen.AuthenticateForAnyRole(HiveRoles.Administrator, HiveRoles.Client);
+      authen.AuthenticateForAnyRole(HiveRoles.Administrator);
       return trans.UseTransaction(() => {
         var resource = dao.GetResources(x => x.Name == resourceName).FirstOrDefault();
@@ -482 +523 @@
 
     public void TriggerLifecycle(bool force) {
+      authen.AuthenticateForAnyRole(HiveRoles.Administrator, HiveRoles.Slave);
       // use a serializable transaction here to ensure not two threads execute this simultaniously (mutex-lock would not work since IIS may use multiple AppDomains)
       trans.UseTransaction(() => {
@@ -519 +561 @@
     #endregion
 
+    #region User Methods
+    public string GetUsernameByUserId(Guid userId) {
+      authen.AuthenticateForAnyRole(HiveRoles.Administrator, HiveRoles.Client);
+      var user = ServiceLocator.Instance.UserManager.GetUserById(userId);
+      if (user != null)
+        return user.UserName;
+      else
+        return null;
+    }
+
+    public Guid GetUserIdByUsername(string username) {
+      authen.AuthenticateForAnyRole(HiveRoles.Administrator, HiveRoles.Client);
+      var user = ServiceLocator.Instance.UserManager.GetUserByName(username);
+      return user != null ? (Guid)user.ProviderUserKey : Guid.Empty;
+    }
+    #endregion
+
     #region Helper Methods
     private IEnumerable<Job> GetChildJobs(Guid? parentJobId, bool recursive, bool includeParent) {

branches/HeuristicLab.Hive-3.4/sources/HeuristicLab.Services.Hive/3.4/Interfaces/IAuthorizationManager.cs

@@ -21 +21 @@
 
 using System;
+using HeuristicLab.Services.Hive.Common.DataTransfer;
 namespace HeuristicLab.Services.Hive {
   public interface IAuthorizationManager {
-    /// <summary>
-    /// Returns the UserId of the currently authenticated user
-    /// </summary>
-    Guid UserId { get; }
-
     /// <summary>
     /// Compares the current UserId with the given userId and takes appropriate actions if the mismatch
     /// </summary>
     void Authorize(Guid userId);
+
+    void AuthorizeForJob(Guid jobId, Permission requiredPermission);
+
+    void AuthorizeForExperiment(Guid experimentId, Permission requiredPermission);
   }
 }

branches/HeuristicLab.Hive-3.4/sources/HeuristicLab.Services.Hive/3.4/Interfaces/IServiceLocator.cs

@@ -29 +29 @@
     ILifecycleManager LifecycleManager { get; }
     ITransactionManager TransactionManager { get; }
+    IUserManager UserManager { get; }
     HeartbeatManager HeartbeatManager { get; }
   }

branches/HeuristicLab.Hive-3.4/sources/HeuristicLab.Services.Hive/3.4/ServiceLocator.cs

@@ -74 +74 @@
     }
 
+    private IUserManager userManager;
+    public IUserManager UserManager {
+      get {
+        if (userManager == null) userManager = new UserManager();
+        return userManager;
+      }
+    }
+
     private HeartbeatManager heartbeatManager;
     public HeartbeatManager HeartbeatManager {