public IAuthorizationProvider Build()
        {
            var policy          = new Policy("Legacy", 1, DateTimeOffset.MinValue);
            var streamAssertion = new LegacyStreamPermissionAssertion(_mainQueue);

            policy.AllowAnonymous(Operations.Node.Redirect);
            policy.AllowAnonymous(Operations.Node.StaticContent);
            policy.AllowAnonymous(Operations.Node.Ping);
            policy.AllowAnonymous(Operations.Node.Options);

            policy.AllowAnonymous(Operations.Node.Information.Read);
            policy.AddMatchAnyAssertion(Operations.Node.Information.Subsystems, Grant.Allow, OperationsOrAdmins);
            policy.AddMatchAnyAssertion(Operations.Node.Information.Histogram, Grant.Allow, OperationsOrAdmins);
            policy.AddMatchAnyAssertion(Operations.Node.Information.Options, Grant.Allow, OperationsOrAdmins);

            policy.AllowAnonymous(Operations.Node.Statistics.Read);
            policy.AllowAnonymous(Operations.Node.Statistics.Replication);
            policy.AllowAnonymous(Operations.Node.Statistics.Tcp);
            policy.AllowAnonymous(Operations.Node.Statistics.Custom);

            var isSystem = new MultipleClaimMatchAssertion(Grant.Allow, MultipleMatchMode.All, SystemAccounts.System.Claims.ToArray());

            policy.Add(Operations.Node.Elections.Prepare, isSystem);
            policy.Add(Operations.Node.Elections.PrepareOk, isSystem);
            policy.Add(Operations.Node.Elections.ViewChange, isSystem);
            policy.Add(Operations.Node.Elections.ViewChangeProof, isSystem);
            policy.Add(Operations.Node.Elections.Proposal, isSystem);
            policy.Add(Operations.Node.Elections.Accept, isSystem);
            policy.Add(Operations.Node.Elections.LeaderIsResigning, isSystem);
            policy.Add(Operations.Node.Elections.LeaderIsResigningOk, isSystem);

            policy.AllowAnonymous(Operations.Node.Gossip.Read);
            policy.AllowAnonymous(Operations.Node.Gossip.ClientRead);
            policy.Add(Operations.Node.Gossip.Update, isSystem);

            policy.AddMatchAnyAssertion(Operations.Node.Shutdown, Grant.Allow, OperationsOrAdmins);
            policy.AddMatchAnyAssertion(Operations.Node.MergeIndexes, Grant.Allow, OperationsOrAdmins);
            policy.AddMatchAnyAssertion(Operations.Node.SetPriority, Grant.Allow, OperationsOrAdmins);
            policy.AddMatchAnyAssertion(Operations.Node.Resign, Grant.Allow, OperationsOrAdmins);
            policy.RequireAuthenticated(Operations.Node.Login);
            policy.AddMatchAnyAssertion(Operations.Node.Scavenge.Start, Grant.Allow, OperationsOrAdmins);
            policy.AddMatchAnyAssertion(Operations.Node.Scavenge.Stop, Grant.Allow, OperationsOrAdmins);

            var subscriptionAccess =
                new AndAssertion(
                    new RequireAuthenticatedAssertion(),
                    new RequireStreamReadAssertion(streamAssertion));

            policy.RequireAuthenticated(Operations.Subscriptions.Statistics);
            policy.AddMatchAnyAssertion(Operations.Subscriptions.Create, Grant.Allow, OperationsOrAdmins);
            policy.AddMatchAnyAssertion(Operations.Subscriptions.Update, Grant.Allow, OperationsOrAdmins);
            policy.AddMatchAnyAssertion(Operations.Subscriptions.Delete, Grant.Allow, OperationsOrAdmins);
            policy.Add(Operations.Subscriptions.ProcessMessages, subscriptionAccess);
            policy.AddMatchAnyAssertion(Operations.Subscriptions.ReplayParked, Grant.Allow, OperationsOrAdmins);

            policy.Add(Operations.Streams.Read, streamAssertion);
            policy.Add(Operations.Streams.Write, streamAssertion);
            policy.Add(Operations.Streams.Delete, streamAssertion);
            policy.Add(Operations.Streams.MetadataRead, streamAssertion);
            policy.Add(Operations.Streams.MetadataWrite, streamAssertion);

            var matchUsername = new ClaimValueMatchesParameterValueAssertion(ClaimTypes.Name,
                                                                             Operations.Users.Parameters.UserParameterName, Grant.Allow);
            var isAdmin = new MultipleClaimMatchAssertion(Grant.Allow, MultipleMatchMode.Any, Admins);

            policy.Add(Operations.Users.List, isAdmin);
            policy.Add(Operations.Users.Create, isAdmin);
            policy.Add(Operations.Users.Delete, isAdmin);
            policy.Add(Operations.Users.Update, isAdmin);
            policy.Add(Operations.Users.Enable, isAdmin);
            policy.Add(Operations.Users.Disable, isAdmin);
            policy.Add(Operations.Users.ResetPassword, isAdmin);
            policy.RequireAuthenticated(Operations.Users.CurrentUser);
            policy.Add(Operations.Users.Read, new OrAssertion(isAdmin, matchUsername));
            policy.Add(Operations.Users.ChangePassword, matchUsername);


            policy.RequireAuthenticated(Operations.Projections.List);

            policy.RequireAuthenticated(Operations.Projections.Abort);
            policy.RequireAuthenticated(Operations.Projections.Create);
            policy.RequireAuthenticated(Operations.Projections.DebugProjection);
            policy.AddMatchAnyAssertion(Operations.Projections.Delete, Grant.Allow, OperationsOrAdmins);
            policy.RequireAuthenticated(Operations.Projections.Disable);
            policy.RequireAuthenticated(Operations.Projections.Enable);
            policy.RequireAuthenticated(Operations.Projections.Read);
            policy.AddMatchAnyAssertion(Operations.Projections.ReadConfiguration, Grant.Allow, OperationsOrAdmins);
            policy.RequireAuthenticated(Operations.Projections.Reset);
            policy.RequireAuthenticated(Operations.Projections.Update);
            policy.AddMatchAnyAssertion(Operations.Projections.UpdateConfiguration, Grant.Allow, OperationsOrAdmins);
            policy.RequireAuthenticated(Operations.Projections.State);
            policy.RequireAuthenticated(Operations.Projections.Status);
            policy.RequireAuthenticated(Operations.Projections.Statistics);
            policy.AddMatchAnyAssertion(Operations.Projections.Restart, Grant.Allow, OperationsOrAdmins);

            return(new PolicyAuthorizationProvider(new PolicyEvaluator(policy.AsReadOnly()),
                                                   Log.ForContext <PolicyEvaluator>(), true, false));
        }
Beispiel #2
0
        public void AddMatchAnyAssertion(OperationDefinition operation, Grant grant, params Claim[] claims)
        {
            var assertion = new MultipleClaimMatchAssertion(grant, MultipleMatchMode.Any, claims);

            Add(operation, assertion);
        }