Beispiel #1
0
        private static ResourceInfo PopulateResourceInfo(Expense item)
        {
            var resourceInfo = new ResourceInfo($"/ExpensePortal/Orgs/{item.Org}/Categories/{item.Category}");

            resourceInfo.AddAttribute(Resource.AttributeName.OwnerOrg, item.Org);
            resourceInfo.AddAttribute(Resource.AttributeName.OwnerAlias, item.Owner);
            resourceInfo.AddAttribute(Resource.AttributeName.Amount, item.Amount);
            resourceInfo.AddAttribute(Resource.AttributeName.Category, item.Category);
            return(resourceInfo);
        }
        public async Task <bool> CheckAccess(ResourceInfo resourceInfo, ActionInfo actionInfo, bool pullAttributeAssignments, bool pullReportingChain)
        {
            // Impersonation Access Check
            var impersonationUser = GetImpersonationUser(this.httpContext);

            if (!string.IsNullOrEmpty(impersonationUser))
            {
                // If attempting to impersonate but has no access to do so
                if (!this.ImpersonationCheckAccessResult)
                {
                    return(false);
                }
                // If attempting to impersonate and has access and the action being checked is impersonation
                else if (actionInfo.Id == ImpersonationActionId)
                {
                    return(true);
                }
            }

            var subjectInfo = new SubjectInfo();

            this.AddUserMetadataToSubjectInfo(subjectInfo, this.CurrentUser);

            if (pullAttributeAssignments)
            {
                if (this.CurrentUserAttributeAssignments != null)
                {
                    foreach (var attributeAssignment in this.CurrentUserAttributeAssignments)
                    {
                        // Special cases
                        if (attributeAssignment.Name == ExpensePortalConstant.Subject.AttributeName.SafeLimit)
                        {
                            // Add as integer
                            var safeLimit = int.Parse(attributeAssignment.Values.First());
                            subjectInfo.AddAttribute(attributeAssignment.Name, safeLimit);
                        }
                        else if (attributeAssignment.Name == ExpensePortalConstant.Subject.AttributeName.Org)
                        {
                            // Append * to the end for wild card comparison
                            subjectInfo.AddAttribute(attributeAssignment.Name, $"{attributeAssignment.Values.First()}*");
                        }
                        else
                        {
                            attributeAssignment.Values.Where(v => !string.IsNullOrEmpty(v)).ToList().ForEach(v => subjectInfo.AddAttribute(attributeAssignment.Name, v));
                        }
                    }
                }
            }

            if (pullReportingChain)
            {
                List <string> managers;
                lock (this.memoryCache)
                {
                    managers = this.memoryCache.Get(this.CurrentUser.UserPrincipalName) as List <string>;
                    if (managers == null)
                    {
                        // Note: Use .Result for now as await can't be used inside a lock
                        managers = this.userMetadataService.GetUserReportingChain(this.CurrentUser.UserPrincipalName).Result;
                        this.memoryCache.Set(this.CurrentUser.UserPrincipalName, managers);
                    }
                }

                foreach (var manager in managers)
                {
                    subjectInfo.AddAttribute(ExpensePortalConstant.Subject.AttributeName.ReportingChain, manager);
                }

                var owner = resourceInfo.GetAttribute(ExpensePortalConstant.Resource.AttributeName.OwnerAlias).First().ToString();
                if (string.IsNullOrEmpty(owner))
                {
                    throw new ArgumentException("Resource.OwnerAlias is required when pulling reporting chain.");
                }

                List <string> ownerManagers;
                lock (this.memoryCache)
                {
                    ownerManagers = this.memoryCache.Get($"{owner}@{this.expenseDemoOptions.ClientOptions.TenantName}") as List <string>;
                    if (ownerManagers == null)
                    {
                        // Note: Use .Result for now as await can't be used inside a lock
                        ownerManagers = this.userMetadataService.GetUserReportingChain($"{owner}@{this.expenseDemoOptions.ClientOptions.TenantName}").Result;
                        this.memoryCache.Set($"{owner}@{this.expenseDemoOptions.ClientOptions.TenantName}", ownerManagers);
                    }
                }

                foreach (var manager in ownerManagers)
                {
                    resourceInfo.AddAttribute(ExpensePortalConstant.Resource.AttributeName.OwnerReportingChain, manager);
                }
                ;
            }

            return(await this.policyDecisionPoint.CheckAccess(new CheckAccessRequest(subjectInfo, resourceInfo, actionInfo, null, this.authorizationClientOptions.MiddlewareOptions.GetMemberGroups)).ConfigureAwait(false));
        }