private Principal CreatePrincipal(ISecurityPrincipal principal)
{
if (principal.IsNull)
{
return(Principal.Null);
}
if (string.IsNullOrEmpty(principal.User))
{
throw CreateAccessControlException("No principal was provided.");
}
if (string.IsNullOrEmpty(principal.SubstitutedUser) && principal.SubstitutedRole != null)
{
throw CreateAccessControlException("A substituted role was specified without a substituted user.");
}
User user = _securityPrincipalRepository.GetUser(principal.User);
lock (user.RootTransaction)
{
Tenant principalTenant = user.Tenant;
User principalUser;
IEnumerable <Role> principalRoles;
if (principal.SubstitutedUser != null)
{
Substitution substitution = GetSubstitution(principal, user);
if (substitution == null)
{
principalUser = null;
principalRoles = new Role[0];
}
else if (principal.SubstitutedRole != null)
{
principalUser = null;
principalRoles = EnumerableUtility.Singleton(substitution.SubstitutedRole);
}
else
{
principalUser = substitution.SubstitutedUser;
principalRoles = substitution.SubstitutedUser.Roles;
}
}
else
{
principalUser = user;
principalRoles = user.Roles;
if (principal.Role != null)
{
principalRoles = principalRoles.Where(r => IsRoleMatchingPrincipalRole(r, principal.Role));
}
}
return(new Principal(
principalTenant.GetHandle(),
principalUser.GetSafeHandle(),
principalRoles.Select(r => new PrincipalRole(r.Position.GetHandle(), r.Group.GetHandle()))));
}
}
public void CheckMethodAccess(ISecurableObject securableObject, IMethodInformation methodInformation, ISecurityPrincipal principal)
{
ArgumentUtility.DebugCheckNotNull("securableObject", securableObject);
ArgumentUtility.DebugCheckNotNull("methodInformation", methodInformation);
ArgumentUtility.DebugCheckNotNull("principal", principal);
if (!HasMethodAccess(securableObject, methodInformation, principal))
{
ArgumentUtility.CheckNotNull("securableObject", securableObject);
ArgumentUtility.CheckNotNull("methodInformation", methodInformation);
throw CreatePermissionDeniedException(
"Access to method '{0}' on type '{1}' has been denied.",
methodInformation.Name,
securableObject.GetSecurableType().FullName);
}
}
public void SetUp()
{
_principal = new NullSecurityPrincipal();
}
public bool HasStatelessAccess(Type securableClass, ISecurityPrincipal principal, params AccessType[] requiredAccessTypes)
{
return(HasStatelessAccess(securableClass, principal, (IReadOnlyList <AccessType>)requiredAccessTypes));
}
public bool HasMethodAccess(ISecurableObject securableObject, MethodInfo methodInfo, ISecurityPrincipal principal)
{
ArgumentUtility.CheckNotNull("securableObject", securableObject);
ArgumentUtility.CheckNotNull("methodInfo", methodInfo);
ArgumentUtility.DebugCheckNotNull("principal", principal);
var methodInformation = _memberResolver.GetMethodInformation(securableObject.GetSecurableType(), methodInfo, MemberAffiliation.Instance);
return(HasMethodAccess(securableObject, methodInformation, principal));
}
private SecurityDescriptorTarget CreateTarget(AccessMask allowed, AccessMask denied, string ou, ISecurityPrincipal trustee)
{
return(new SecurityDescriptorTarget
{
AuthorizationMode = AuthorizationMode.SecurityDescriptor,
Id = Guid.NewGuid().ToString(),
Target = ou,
Type = TargetType.Container,
SecurityDescriptor = this.CreateSecurityDescriptor(trustee, allowed, denied)
});
}
public bool HasAccess(ISecurableObject securableObject, ISecurityPrincipal principal, params AccessType[] requiredAccessTypes)
{
return(HasAccess(securableObject, principal, (IReadOnlyList <AccessType>)requiredAccessTypes));
}
public bool TryGetPrincipal(string name, out ISecurityPrincipal principal)
{
return(DirectoryExtensions.TryGet(() => this.GetPrincipal(name), out principal));
}
public bool TryGetPrincipal(SecurityIdentifier sid, out ISecurityPrincipal principal)
{
return(DirectoryExtensions.TryGet(() => this.GetPrincipal(sid), out principal));
}
public IEnumerable <SecurityIdentifier> GetTokenGroups(ISecurityPrincipal principal)
{
return(this.GetTokenGroups(principal, null));
}
public IEnumerable <SecurityIdentifier> GetTokenGroups(ISecurityPrincipal principal, SecurityIdentifier targetDomainSid)
{
return(NativeMethods.GetTokenGroups(principal.Sid, targetDomainSid));
}
public bool IsSidInPrincipalToken(SecurityIdentifier sidToFindInToken, ISecurityPrincipal principal, SecurityIdentifier targetDomainSid)
{
return(NativeMethods.CheckForSidInToken(principal.Sid, sidToFindInToken, targetDomainSid));
}
public bool IsSidInPrincipalToken(SecurityIdentifier sidToFindInToken, ISecurityPrincipal principal)
{
return(this.IsSidInPrincipalToken(sidToFindInToken, principal, principal.Sid.AccountDomainSid));
}
private ISecurityProvider CreateSecurityProviderStub(Type securableClassType, ISecurityPrincipal principal, Enum[] returnedAccessTypes)
{
var securityProviderStub = MockRepository.GenerateStub <ISecurityProvider>();
securityProviderStub.Stub(
stub => stub.GetAccess(
Arg <ISecurityContext> .Matches(sc => TypeUtility.GetType(sc.Class, true) == securableClassType),
Arg.Is(principal)))
.Return(returnedAccessTypes.Select(accessType => AccessType.Get(accessType)).ToArray());
return(securityProviderStub);
}
private IOptionsSnapshot <AuthorizationOptions> SetupOptionsForOUTarget(AccessMask allowed, AccessMask denied, string ou, ISecurityPrincipal trustee)
{
return(SetupOptions(CreateTarget(allowed, denied, ou, trustee)));
}
private void SetupResultSecurityProviderGetAccessForPosition(Delegation delegation, ISecurityPrincipal principal, params Enum[] returnedAccessTypeEnums)
{
Type classType = typeof(Position);
string owner = string.Empty;
string owningGroup = string.Empty;
string owningTenant = string.Empty;
Dictionary <string, Enum> states = new Dictionary <string, Enum>();
states.Add("Delegation", delegation);
List <Enum> abstractRoles = new List <Enum>();
SecurityContext securityContext = SecurityContext.Create(classType, owner, owningGroup, owningTenant, states, abstractRoles);
AccessType[] returnedAccessTypes = Array.ConvertAll(returnedAccessTypeEnums, AccessType.Get);
SetupResult.For(_mockSecurityProvider.GetAccess(securityContext, principal)).Return(returnedAccessTypes);
}
private IOptionsSnapshot <AuthorizationOptions> SetupOptionsForComputerTarget(AccessMask allowed, AccessMask denied, IComputer computer, ISecurityPrincipal trustee)
{
return(SetupOptions(CreateTarget(allowed, denied, computer, trustee)));
}
public void AddMember(ISecurityPrincipal principal, TimeSpan ttl)
{
de.Properties["member"].Add($"<TTL={ttl.TotalSeconds},<SID={principal.Sid}>>");
de.CommitChanges();
}
private SecurityDescriptorTarget CreateTarget(AccessMask allowed, AccessMask denied, ISecurityPrincipal principal, ISecurityPrincipal trustee)
{
return(new SecurityDescriptorTarget
{
AuthorizationMode = AuthorizationMode.SecurityDescriptor,
Id = Guid.NewGuid().ToString(),
Target = principal.Sid.ToString(),
Type = principal switch
{
IGroup _ => TargetType.Group,
IComputer _ => TargetType.Computer,
_ => throw new NotImplementedException(),
},
public void RemoveMember(ISecurityPrincipal principal)
{
de.Properties["member"].Remove($"<SID={principal.Sid}>");
de.CommitChanges();
}
public void CheckAccess(ISecurableObject securableObject, ISecurityPrincipal principal, params AccessType[] requiredAccessTypes)
{
CheckAccess(securableObject, principal, (IReadOnlyList <AccessType>)requiredAccessTypes);
}
public abstract bool HasAccess(ISecurityProvider securityService, ISecurityPrincipal principal, AccessType[] requiredAccessTypes);
public void CheckStatelessAccess(Type securableClass, ISecurityPrincipal principal, params AccessType[] requiredAccessTypes)
{
CheckStatelessAccess(securableClass, principal, (IReadOnlyList <AccessType>)requiredAccessTypes);
}
public abstract bool HasAccess(ISecurityProvider securityService, ISecurityPrincipal principal, IReadOnlyList <AccessType> requiredAccessTypes);
public virtual bool HasMethodAccess(ISecurableObject securableObject, IMethodInformation methodInformation, ISecurityPrincipal principal)
{
ArgumentUtility.CheckNotNull("securableObject", securableObject);
ArgumentUtility.CheckNotNull("methodInformation", methodInformation);
ArgumentUtility.DebugCheckNotNull("principal", principal);
var requiredAccessTypeEnums = _permissionProvider.GetRequiredMethodPermissions(securableObject.GetSecurableType(), methodInformation);
Assertion.DebugIsNotNull(requiredAccessTypeEnums, "IPermissionProvider.GetRequiredMethodPermissions evaluated and returned null.");
return(HasAccess(securableObject, methodInformation, requiredAccessTypeEnums, principal));
}
protected virtual bool AccessAllowed(ISecurityPrincipal user)
{
return(actions.All(user.Can));
}
protected virtual bool AccessAllowed(ISecurityPrincipal user)
{
return actions.Any(user.Can);
}
public bool HasAccess(ISecurityProvider securityProvider, ISecurityPrincipal principal, IReadOnlyList <AccessType> requiredAccessTypes)
{
return(true);
}
