Beispiel #1
0
        private PrincipalWithDatabaseAccess UpdateUserPrincipal(IHttpContext ctx, List <DatabaseAccess> databaseAccessLists)
        {
            var access = ctx.User as PrincipalWithDatabaseAccess;

            if (access != null)
            {
                return(access);
            }

            var user = new PrincipalWithDatabaseAccess((WindowsPrincipal)ctx.User);

            foreach (var databaseAccess in databaseAccessLists)
            {
                if (databaseAccess.Admin)
                {
                    user.AdminDatabases.Add(databaseAccess.TenantId);
                }
                else if (databaseAccess.ReadOnly)
                {
                    user.ReadOnlyDatabases.Add(databaseAccess.TenantId);
                }
                else
                {
                    user.ReadWriteDatabases.Add(databaseAccess.TenantId);
                }
            }

            ctx.User = user;
            return(user);
        }
        private PrincipalWithDatabaseAccess UpdateUserPrincipal(RavenBaseApiController controller, List <ResourceAccess> databaseAccessLists)
        {
            var access = controller.User as PrincipalWithDatabaseAccess;

            if (access != null)
            {
                return(access);
            }

            var user = new PrincipalWithDatabaseAccess((WindowsPrincipal)controller.User);

            foreach (var databaseAccess in databaseAccessLists)
            {
                if (databaseAccess.Admin)
                {
                    user.AdminDatabases.Add(databaseAccess.TenantId);
                }
                else if (databaseAccess.ReadOnly)
                {
                    user.ReadOnlyDatabases.Add(databaseAccess.TenantId);
                }
                else
                {
                    user.ReadWriteDatabases.Add(databaseAccess.TenantId);
                }
            }

            controller.User         = user;
            Thread.CurrentPrincipal = user;

            return(user);
        }
        public override bool Authorize(IHttpContext ctx)
        {
            Action onRejectingRequest;
            var    userCreated = TryCreateUser(ctx, out onRejectingRequest);

            if (server.SystemConfiguration.AnonymousUserAccessMode == AnonymousUserAccessMode.None && userCreated == false)
            {
                onRejectingRequest();
                return(false);
            }

            PrincipalWithDatabaseAccess user = null;

            if (userCreated)
            {
                user = (PrincipalWithDatabaseAccess)ctx.User;
            }
            var databaseName = database().Name ?? string.Empty;

            if (userCreated && (user.Principal.IsAdministrator() || user.AdminDatabases.Contains(databaseName)))
            {
                return(true);
            }

            var httpRequest = ctx.Request;

            if (server.SystemConfiguration.AnonymousUserAccessMode == AnonymousUserAccessMode.Get &&
                userCreated &&
                user.ReadWriteDatabases.Contains(databaseName) == false &&
                IsGetRequest(httpRequest.HttpMethod, httpRequest.Url.AbsolutePath) == false)
            {
                onRejectingRequest();
                return(false);
            }

            if (IsGetRequest(httpRequest.HttpMethod, httpRequest.Url.AbsolutePath) &&
                userCreated &&
                (user.ReadOnlyDatabases.Contains(databaseName) || user.ReadWriteDatabases.Contains(databaseName)))
            {
                return(true);
            }

            if (userCreated)
            {
                CurrentOperationContext.Headers.Value[Constants.RavenAuthenticatedUser] = ctx.User.Identity.Name;
                CurrentOperationContext.User.Value = ctx.User;
            }

            return(true);
        }
        private PrincipalWithDatabaseAccess UpdateUserPrincipal(IHttpContext ctx, Dictionary <string, List <DatabaseAccess> > databaseAccessLists)
        {
            if (ctx.User is PrincipalWithDatabaseAccess)
            {
                return((PrincipalWithDatabaseAccess)ctx.User);
            }

            var user = new PrincipalWithDatabaseAccess((WindowsPrincipal)ctx.User);

            List <DatabaseAccess> list;

            if (databaseAccessLists.TryGetValue(ctx.User.Identity.Name, out list) == false)
            {
                ctx.User = user;
                user.ExplicitlyConfigured = false;
                return(user);
            }
            user.ExplicitlyConfigured = true;

            foreach (var databaseAccess in list)
            {
                if (databaseAccess.Admin)
                {
                    user.AdminDatabases.Add(databaseAccess.TenantId);
                }
                else if (databaseAccess.ReadOnly)
                {
                    user.ReadOnlyDatabases.Add(databaseAccess.TenantId);
                }
                else
                {
                    user.ReadWriteDatabases.Add(databaseAccess.TenantId);
                }
            }

            ctx.User = user;
            return(user);
        }
Beispiel #5
0
        public bool Authorize(IHttpContext ctx, bool ignoreDb)
        {
            Action onRejectingRequest;
            var    databaseName = database().Name ?? Constants.SystemDatabase;
            var    userCreated  = TryCreateUser(ctx, databaseName, out onRejectingRequest);

            if (server.SystemConfiguration.AnonymousUserAccessMode == AnonymousUserAccessMode.None && userCreated == false)
            {
                onRejectingRequest();
                return(false);
            }

            PrincipalWithDatabaseAccess user = null;

            if (userCreated)
            {
                user = (PrincipalWithDatabaseAccess)ctx.User;
                CurrentOperationContext.Headers.Value[Constants.RavenAuthenticatedUser] = ctx.User.Identity.Name;
                CurrentOperationContext.User.Value = ctx.User;

                // admins always go through
                if (user.Principal.IsAdministrator(server.SystemConfiguration.AnonymousUserAccessMode))
                {
                    return(true);
                }
            }


            var  httpRequest  = ctx.Request;
            bool isGetRequest = IsGetRequest(httpRequest.HttpMethod, httpRequest.Url.AbsolutePath);

            switch (server.SystemConfiguration.AnonymousUserAccessMode)
            {
            case AnonymousUserAccessMode.Admin:
            case AnonymousUserAccessMode.All:
                return(true);                        // if we have, doesn't matter if we have / don't have the user

            case AnonymousUserAccessMode.Get:
                if (isGetRequest)
                {
                    return(true);
                }
                goto case AnonymousUserAccessMode.None;

            case AnonymousUserAccessMode.None:
                if (userCreated)
                {
                    if (user.AdminDatabases.Contains(databaseName) || ignoreDb)
                    {
                        return(true);
                    }
                    if (user.ReadWriteDatabases.Contains(databaseName))
                    {
                        return(true);
                    }
                    if (isGetRequest && user.ReadOnlyDatabases.Contains(databaseName))
                    {
                        return(true);
                    }
                }

                onRejectingRequest();
                return(false);

            default:
                throw new ArgumentOutOfRangeException();
            }
        }
Beispiel #6
0
        public bool TryAuthorize(RavenBaseApiController controller, bool ignoreDb, out HttpResponseMessage msg)
        {
            Func <HttpResponseMessage> onRejectingRequest;
            var tenantId    = controller.TenantName ?? Constants.SystemDatabase;
            var userCreated = TryCreateUser(controller, tenantId, out onRejectingRequest);

            if (server.SystemConfiguration.AnonymousUserAccessMode == AnonymousUserAccessMode.None && userCreated == false)
            {
                msg = onRejectingRequest();
                return(false);
            }

            PrincipalWithDatabaseAccess user = null;

            if (userCreated)
            {
                user = (PrincipalWithDatabaseAccess)controller.User;
                CurrentOperationContext.Headers.Value[Constants.RavenAuthenticatedUser] = controller.User.Identity.Name;
                CurrentOperationContext.User.Value = controller.User;

                // admins always go through
                if (user.Principal.IsAdministrator(server.SystemConfiguration.AnonymousUserAccessMode))
                {
                    msg = controller.GetEmptyMessage();
                    return(true);
                }

                // backup operators can go through
                if (user.Principal.IsBackupOperator(server.SystemConfiguration.AnonymousUserAccessMode))
                {
                    msg = controller.GetEmptyMessage();
                    return(true);
                }
            }

            bool isGetRequest = IsGetRequest(controller.InnerRequest.Method.Method, controller.InnerRequest.RequestUri.AbsolutePath);

            switch (server.SystemConfiguration.AnonymousUserAccessMode)
            {
            case AnonymousUserAccessMode.Admin:
            case AnonymousUserAccessMode.All:
                msg = controller.GetEmptyMessage();
                return(true);                        // if we have, doesn't matter if we have / don't have the user

            case AnonymousUserAccessMode.Get:
                if (isGetRequest)
                {
                    msg = controller.GetEmptyMessage();
                    return(true);
                }
                goto case AnonymousUserAccessMode.None;

            case AnonymousUserAccessMode.None:
                if (userCreated)
                {
                    if (string.IsNullOrEmpty(tenantId) || tenantId.StartsWith("fs/") == false)
                    {
                        if (user.AdminDatabases.Contains(tenantId) ||
                            user.AdminDatabases.Contains("*") || ignoreDb)
                        {
                            msg = controller.GetEmptyMessage();
                            return(true);
                        }
                        if (user.ReadWriteDatabases.Contains(tenantId) ||
                            user.ReadWriteDatabases.Contains("*"))
                        {
                            msg = controller.GetEmptyMessage();
                            return(true);
                        }
                        if (isGetRequest && (user.ReadOnlyDatabases.Contains(tenantId) ||
                                             user.ReadOnlyDatabases.Contains("*")))
                        {
                            msg = controller.GetEmptyMessage();
                            return(true);
                        }
                    }
                    else if (tenantId.StartsWith("fs/"))
                    {
                        tenantId = tenantId.Substring(3, tenantId.Length - "fs/".Length);

                        if (user.ReadWriteFileSystems.Contains(tenantId) ||
                            user.ReadWriteFileSystems.Contains("*"))
                        {
                            msg = controller.GetEmptyMessage();
                            return(true);
                        }
                        if (isGetRequest && (user.ReadOnlyFileSystems.Contains(tenantId) ||
                                             user.ReadOnlyFileSystems.Contains("*")))
                        {
                            msg = controller.GetEmptyMessage();
                            return(true);
                        }
                    }
                    else
                    {
                        throw new ArgumentOutOfRangeException("tenantId", "We don't know how to authorize unknown tenant id: " + tenantId);
                    }
                }

                msg = onRejectingRequest();
                return(false);

            default:
                throw new ArgumentOutOfRangeException();
            }
        }
        public bool TryAuthorize(RavenBaseApiController controller, bool ignoreDb, out HttpResponseMessage msg)
        {
            Func <HttpResponseMessage> onRejectingRequest;
            var tenantId    = controller.ResourceName ?? Constants.SystemDatabase;
            var userCreated = TryCreateUser(controller, tenantId, out onRejectingRequest);

            if (server.SystemConfiguration.Core.AnonymousUserAccessMode == AnonymousUserAccessMode.None && userCreated == false)
            {
                msg = onRejectingRequest();
                return(false);
            }

            PrincipalWithDatabaseAccess user = null;

            if (userCreated)
            {
                user = (PrincipalWithDatabaseAccess)controller.User;
                CurrentOperationContext.User.Value = controller.User;

                // admins always go through
                if (user.Principal.IsAdministrator(server.SystemConfiguration.Core.AnonymousUserAccessMode))
                {
                    msg = controller.GetEmptyMessage();
                    return(true);
                }

                // backup operators can go through
                if (user.Principal.IsBackupOperator(server.SystemConfiguration.Core.AnonymousUserAccessMode))
                {
                    msg = controller.GetEmptyMessage();
                    return(true);
                }
            }

            bool isGetRequest = IsGetRequest(controller);

            switch (server.SystemConfiguration.Core.AnonymousUserAccessMode)
            {
            case AnonymousUserAccessMode.Admin:
            case AnonymousUserAccessMode.All:
                msg = controller.GetEmptyMessage();
                return(true);    // if we have, doesn't matter if we have / don't have the user

            case AnonymousUserAccessMode.Get:
                if (isGetRequest)
                {
                    msg = controller.GetEmptyMessage();
                    return(true);
                }
                goto case AnonymousUserAccessMode.None;

            case AnonymousUserAccessMode.None:
                if (userCreated)
                {
                    if (string.IsNullOrEmpty(tenantId) == false &&
                        (tenantId.StartsWith("fs/", StringComparison.OrdinalIgnoreCase) ||
                         tenantId.StartsWith("cs/", StringComparison.OrdinalIgnoreCase) ||
                         tenantId.StartsWith("ts/", StringComparison.OrdinalIgnoreCase)))
                    {
                        tenantId = tenantId.Substring(3);
                    }

                    if (user.AdminDatabases.Contains(tenantId) ||
                        user.AdminDatabases.Contains("*") || ignoreDb)
                    {
                        msg = controller.GetEmptyMessage();
                        return(true);
                    }
                    if (user.ReadWriteDatabases.Contains(tenantId) ||
                        user.ReadWriteDatabases.Contains("*"))
                    {
                        msg = controller.GetEmptyMessage();
                        return(true);
                    }
                    if (isGetRequest && (user.ReadOnlyDatabases.Contains(tenantId) ||
                                         user.ReadOnlyDatabases.Contains("*")))
                    {
                        msg = controller.GetEmptyMessage();
                        return(true);
                    }
                }

                msg = onRejectingRequest();
                return(false);

            default:
                throw new ArgumentOutOfRangeException();
            }
        }