        /// <summary>
        /// An ACE is reported by <c>IsInMatchingAces</c> only after it has been registered via <c>AddMatchingAce</c>,
        /// and registering one ACE must not change the answer for a different ACE.
        /// </summary>
        public void AddMatchingAceAndIsInMatchingAcesTest()
        {
            var statistics = new AccessTypeStatistics();
            var aceWithAbstractRole = _testHelper.CreateAceWithAbstractRole();
            var aceWithoutGroupCondition = _testHelper.CreateAceWithoutGroupCondition();

            // Fresh statistics: no ACE has matched yet.
            Assert.That(statistics.IsInMatchingAces(aceWithAbstractRole), Is.False);
            Assert.That(statistics.IsInMatchingAces(aceWithoutGroupCondition), Is.False);

            // Registering the first ACE must not make the second one appear as matched.
            statistics.AddMatchingAce(aceWithAbstractRole);
            Assert.That(statistics.IsInMatchingAces(aceWithAbstractRole), Is.True);
            Assert.That(statistics.IsInMatchingAces(aceWithoutGroupCondition), Is.False);

            // Registering the second ACE keeps the first one registered.
            statistics.AddMatchingAce(aceWithoutGroupCondition);
            Assert.That(statistics.IsInMatchingAces(aceWithAbstractRole), Is.True);
            Assert.That(statistics.IsInMatchingAces(aceWithoutGroupCondition), Is.True);
        }
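        /// <summary>
        /// Probes the ACL of <paramref name="userRoleAclAce"/> with a security token built for its user, role and ACE
        /// and returns the resulting access types together with the probe and the per-ACE match statistics.
        /// </summary>
        /// <param name="userRoleAclAce">The user/role/ACL/ACE combination to evaluate. Must not be <see langword="null"/>.</param>
        /// <returns>
        /// The <c>AccessInformation</c> computed by <c>Acl.GetAccessTypes</c>, the <c>AclProbe</c> that produced the token, and the
        /// <c>AccessTypeStatistics</c> recording which ACEs matched. Callers use the statistics to filter out probes whose token did
        /// not actually match the ACE it was built for (see the note below).
        /// </returns>
        /// <exception cref="ArgumentNullException"><paramref name="userRoleAclAce"/> is <see langword="null"/>.</exception>
        /// <exception cref="InvalidOperationException">No <c>ClientTransaction</c> is associated with the current thread.</exception>
        public virtual AclExpansionEntryCreator_GetAccessTypesResult GetAccessTypes(UserRoleAclAceCombination userRoleAclAce)
        {
            // Validate the argument before dereferencing it below; otherwise a null combination surfaces as a
            // NullReferenceException at the AclProbe.CreateAclProbe call instead of a clear argument error.
            if (userRoleAclAce == null)
            {
                throw new ArgumentNullException("userRoleAclAce");
            }

            if (ClientTransaction.Current == null)
            {
                throw new InvalidOperationException("No ClientTransaction has been associated with the current thread.");
            }

            var aclProbe = AclProbe.CreateAclProbe(userRoleAclAce.User, userRoleAclAce.Role, userRoleAclAce.Ace);

            // Note: The aclProbe created above will NOT always match the ACE it was designed to probe; the reason for this
            // is that the SecurityToken created by the AclProbe is only designed to match the non-decidable access conditions
            // (e.g. abstract role, owning tenant, owning group, etc.) of the ACE. If this were not the case, then the AclProbe would need
            // to reproduce code from the SecurityManager, to be able to decide beforehand whether decidable access conditions
            // (e.g. specific tenant, specific user) will match or not.
            //
            // "Non-decidable" here refers to the information context of the AclExpander, which is lacking some information
            // available during normal SecurityManager access rights querying.
            // For decidable access conditions (e.g. specific tenant or specific group), the created SecurityToken
            // is not guaranteed to match, therefore the AccessTypeStatistics returned by Acl.GetAccessTypes are used to filter out these cases.
            //
            // One could also try to remove these entries by removing all AclExpansionEntry|s which are identical to another AclExpansionEntry,
            // apart from having more restrictive AccessConditions; note however that such "double" entries can also come from ACEs which are
            // being shadowed by a 2nd, less restrictive ACE.
            //
            // Note also that it does not suffice to get the access types for the current ACE only, since these rights might be denied
            // by another matching ACE in the current ACL (deny rights always win).
            var accessTypeStatistics = new AccessTypeStatistics();

            var roles = aclProbe.SecurityToken.Principal.Roles;

            // The probe token must carry exactly the one role under evaluation, otherwise the statistics would be attributed
            // to the wrong user/role combination.
            Assertion.IsTrue(roles.Count == 1);
            Assertion.IsTrue(object.ReferenceEquals(roles[0].Position.GetObjectReference(), userRoleAclAce.Role.Position));
            Assertion.IsTrue(object.ReferenceEquals(roles[0].Group.GetObjectReference(), userRoleAclAce.Role.Group));

            AccessInformation accessInformation = userRoleAclAce.Acl.GetAccessTypes(aclProbe.SecurityToken, accessTypeStatistics);

            return new AclExpansionEntryCreator_GetAccessTypesResult(accessInformation, aclProbe, accessTypeStatistics);
        }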
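        /// <summary>
        /// Evaluates every ACE of this ACL that matches <paramref name="token"/> and aggregates their allowed and denied access types.
        /// A denied access type always wins: it is removed from the allowed set even if another matching ACE grants it.
        /// </summary>
        /// <param name="token">The security token to match the ACEs against. Must not be <see langword="null"/> (rejected by <c>ArgumentUtility.CheckNotNull</c>).</param>
        /// <param name="accessTypeStatistics">
        /// Optional collector that records every ACE matching the token and, separately, those ACEs that carry at least one
        /// allowed or denied access type. May be <see langword="null"/>, in which case nothing is recorded. The ACL-expansion code
        /// uses it to deduce whether its probing ACE was matched (see <c>AclExpander.AddAclExpansionEntry</c>).
        /// </param>
        /// <returns>
        /// An <c>AccessInformation</c> whose allowed access types are the union over all matching ACEs minus every denied access type,
        /// and whose denied access types are the union over all matching ACEs. Both arrays are in unspecified (hash set) order.
        /// </returns>
        public AccessInformation GetAccessTypes(SecurityToken token, AccessTypeStatistics accessTypeStatistics)
        {
            ArgumentUtility.CheckNotNull("token", token);

            var allowedAccessTypesResult = new HashSet<AccessTypeDefinition>();
            var deniedAccessTypesResult = new HashSet<AccessTypeDefinition>();

            foreach (var ace in FindMatchingEntries(token))
            {
                var allowedAccessTypesForCurrentAce = ace.GetAllowedAccessTypes();
                var deniedAccessTypesForCurrentAce = ace.GetDeniedAccessTypes();

                // Accumulate the ACE's allowed/denied access types into the result sets.
                allowedAccessTypesResult.UnionWith(allowedAccessTypesForCurrentAce);
                deniedAccessTypesResult.UnionWith(deniedAccessTypesForCurrentAce);

                // Record the ACEs that contribute to the resulting AccessTypeDefinition arrays.
                // The recorded information allows deduction of whether the probing ACE was matched for ACL-expansion code
                // (see AclExpander.AddAclExpansionEntry).
                if (accessTypeStatistics != null)
                {
                    accessTypeStatistics.AddMatchingAce(ace);
                    // Only ACEs carrying at least one access type can influence the result.
                    if (allowedAccessTypesForCurrentAce.Length > 0 || deniedAccessTypesForCurrentAce.Length > 0)
                    {
                        accessTypeStatistics.AddAccessTypesContributingAce(ace);
                    }
                }
            }

            // Deny always wins => drop every allowed access type that is also denied.
            // Set difference in one call rather than removing the denied entries one by one.
            allowedAccessTypesResult.ExceptWith(deniedAccessTypesResult);

            return new AccessInformation(allowedAccessTypesResult.ToArray(), deniedAccessTypesResult.ToArray());
        }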
 /// <summary>
 /// Bundles the outcome of a <c>GetAccessTypes</c> probe: the computed access information, the probe whose
 /// security token was evaluated, and the statistics recording which ACEs matched it.
 /// </summary>
 /// <param name="accessInformation">Allowed/denied access types computed for the probe token.</param>
 /// <param name="aclProbe">The probe that produced the evaluated security token.</param>
 /// <param name="accessTypeStatistics">Per-ACE match statistics collected during the evaluation.</param>
 public AclExpansionEntryCreator_GetAccessTypesResult(AccessInformation accessInformation, AclProbe aclProbe, AccessTypeStatistics accessTypeStatistics)
 {
     // Plain pass-through; stored in parameter order.
     AccessInformation = accessInformation;
     AclProbe = aclProbe;
     AccessTypeStatistics = accessTypeStatistics;
 }