/// <summary>
/// Replaces the given <paramref name="rule" /> on the specified object with the <paramref name="newTrustee" />.
/// </summary>
/// <param name="objectType">The type of the shared object to be found.</param>
/// <param name="objectId">The primary key for the shared object to be found.</param>
/// <param name="rule">The ACE (Access Control Entry) to replace.</param>
/// <param name="newTrustee">The new ACE (Access Control Entry) to set.</param>
/// <param name="cancellationToken">A token to observe while waiting for the task to complete.</param>
/// <returns>
/// A task that represents the asynchronous operation.
/// </returns>
public virtual async Task <ValidationResult> ReplaceAccessRuleAsync(AccessObjectType objectType, int objectId, AccessRuleItem rule, AccessRuleItem newTrustee, CancellationToken cancellationToken)
{
cancellationToken.ThrowIfCancellationRequested();
ThrowIfDisposed();
if (rule == null)
{
throw new ArgumentNullException(nameof(rule));
}
if (newTrustee == null)
{
throw new ArgumentNullException(nameof(newTrustee));
}
var userId = rule.User?.Id;
var aceEntity = await AccessRules.SingleOrDefaultAsync(p => p.ObjectType == objectType && p.ObjectId == objectId && p.UserId == userId, cancellationToken);
if (aceEntity == null)
{
throw new InvalidOperationException("ACE does not exist.");
}
aceEntity.Permission = newTrustee.Permission;
aceEntity.Visibility = newTrustee.Visibility;
await SaveChangesAsync(cancellationToken);
return(ValidationResult.Success);
}
/// <summary>
/// Inserts a list of <see cref="AccessRuleItem" />s to the specified <paramref name="item" />.
/// </summary>
/// <param name="objectType">The type of the shared object to be inserted.</param>
/// <param name="objectId">The primary key for the shared object to be inserted.</param>
/// <param name="rule">The ACEs (Access Control Entries) to insert.</param>
/// <param name="cancellationToken">A token to observe while waiting for the task to complete.</param>
/// <returns>
/// A task that represents the asynchronous operation.
/// </returns>
public virtual async Task <ValidationResult> AddAccessRuleAsync(AccessObjectType objectType, int objectId, AccessRuleItem rule, CancellationToken cancellationToken)
{
cancellationToken.ThrowIfCancellationRequested();
ThrowIfDisposed();
if (rule == null)
{
throw new ArgumentNullException(nameof(rule));
}
if (await AccessRules.Where(objectType, objectId, rule.User?.Id).AnyAsync(cancellationToken))
{
return(ValidationResult.Failed("Duplicated ACE entry."));
}
AccessRules.Add(new SecurityAccessRule
{
ObjectType = objectType,
ObjectId = objectId,
UserId = rule.User?.Id,
Permission = rule.Permission,
Visibility = rule.Visibility
});
await SaveChangesAsync(cancellationToken);
return(ValidationResult.Success);
}
/// <summary>
/// Adds the rule.
/// </summary>
/// <param name="accessRule">The access rule.</param>
public virtual void AddRule(IAccessRule accessRule)
{
if (AccessRules == null)
{
AccessRules = new List <AccessRule>();
}
AccessRules.Add((AccessRule)accessRule);
}
/// <summary>
/// Retrieves the <see cref="AccessRuleItem" /> associated with the key, as an asynchronous operation.
/// </summary>
/// <param name="objectType">The type of the shared object to be found.</param>
/// <param name="objectId">The primary key of the shared object to be found.</param>
/// <param name="cancellationToken">The <see cref="CancellationToken" /> used to propagate notifications that the operation should be canceled.</param>
/// <returns>
/// The <see cref="Task" /> for the asynchronous operation, containing the contact, if any which matched the specified key.
/// </returns>
public virtual Task <AccessRuleItem> GetAccessRuleAsync(AccessObjectType objectType, int objectId, CancellationToken cancellationToken)
{
cancellationToken.ThrowIfCancellationRequested();
ThrowIfDisposed();
return(AccessRules
.Where(objectType, objectId, null)
.Select(ace => new AccessRuleItem
{
Permission = ace.Permission,
Visibility = ace.Visibility
})
.SingleOrDefaultAsync(cancellationToken));
}
/// <summary>
/// Retrieves the <see cref="AccessRuleItem" /> associated with the key, as an asynchronous operation.
/// </summary>
/// <param name="objectType">The type of the shared object to be found.</param>
/// <param name="objectId">The primary key of the shared object to be found.</param>
/// <param name="userId">The primary key of the user to be found.</param>
/// <param name="cancellationToken">The <see cref="CancellationToken" /> used to propagate notifications that the operation should be canceled.</param>
/// <returns>
/// The <see cref="Task" /> for the asynchronous operation, containing the contact, if any which matched the specified key.
/// </returns>
public virtual Task <AccessRuleItem> GetAccessRuleByUserAsync(AccessObjectType objectType, int objectId, int userId, CancellationToken cancellationToken)
{
cancellationToken.ThrowIfCancellationRequested();
ThrowIfDisposed();
return(AccessRules.Where(objectType, objectId, userId).Select(ace => new AccessRuleItem
{
Permission = ace.Permission,
Visibility = ace.Visibility,
User = new AccountItem
{
Id = ace.User.Id,
Email = ace.User.Email,
FirstName = ace.User.FirstName,
LastName = ace.User.LastName,
Gender = ace.User.Gender,
Birthday = ace.User.Birthday
}
}).SingleOrDefaultAsync(cancellationToken));
}
/// <summary>
/// Deletes a list of <see cref="AccessRuleItem" />s from the specified <paramref name="item" />.
/// </summary>
/// <param name="objectType">The type of the shared object to be removed.</param>
/// <param name="objectId">The primary key for the shared object to be removed.</param>
/// <param name="rule">The ACEs (Access Control Entries) to delete.</param>
/// <param name="cancellationToken">A token to observe while waiting for the task to complete.</param>
/// <returns>
/// A task that represents the asynchronous operation.
/// </returns>
public virtual async Task <ValidationResult> RemoveAccessRuleAsync(AccessObjectType objectType, int objectId, AccessRuleItem rule, CancellationToken cancellationToken)
{
cancellationToken.ThrowIfCancellationRequested();
ThrowIfDisposed();
if (rule == null)
{
throw new ArgumentNullException(nameof(rule));
}
var aceEntity = await AccessRules.Where(objectType, objectId, rule.User?.Id).SingleOrDefaultAsync(cancellationToken);
if (aceEntity == null)
{
throw new InvalidOperationException("ACE does not exist.");
}
Context.Remove(aceEntity);
await SaveChangesAsync(cancellationToken);
return(ValidationResult.Success);
}
public FileSystemRights GetEffectiveRights(UserGroup user)
{
var userSids = new List <string> {
user.Sid
};
userSids.AddRange(user.Groups);
FileSystemRights inheritedDenyRights = 0, denyRights = 0;
FileSystemRights inheritedAllowRights = 0, allowRights = 0;
foreach (FileSystemAccessRuleForUI Rule in AccessRules.Where(x => userSids.Contains(x.IdentityReference)))
{
if (Rule.AccessControlType == AccessControlType.Deny)
{
if (Rule.IsInherited)
{
inheritedDenyRights |= Rule.FileSystemRights;
}
else
{
denyRights |= Rule.FileSystemRights;
}
}
else if (Rule.AccessControlType == AccessControlType.Allow)
{
if (Rule.IsInherited)
{
inheritedAllowRights |= Rule.FileSystemRights;
}
else
{
allowRights |= Rule.FileSystemRights;
}
}
}
return((inheritedAllowRights & ~inheritedDenyRights) | (allowRights & ~denyRights));
}
private void GetAccessRules()
{
try
{
ActiveDirectorySecurity Sec = DirEntry.ObjectSecurity;
foreach (ActiveDirectoryAccessRule ADRule in Sec.GetAccessRules(true, true, typeof(NTAccount)))
{
ADCertificateTemplateAccessRule CurrRule = new ADCertificateTemplateAccessRule(ADRule);
if (AccessRules.FirstOrDefault(p => p.Identity.Matches(CurrRule.Identity)) == null)
{
AccessRules.Add(CurrRule);
}
else
{
AccessRules.ForEach(p => p.MergeIf(CurrRule));
}
}
}
catch (Exception ex)
{
throw new CertificateTemplateAccessRuleException(this, ex);
}
}
/// <summary>
/// Determines if the <paramref name="user"/> is permitted to
/// access the resource associated with this ruleset. To pass the
/// check the user must match any of the <see cref="AccessRules"/>.
/// If there are no access rules, then the resource is public and
/// the check passes.
/// </summary>
/// <param name="user">The user to check; cannot be null.</param>
/// <returns>true if the user is authorized to access this resource; otherwise false.</returns>
public bool IsAuthorized(IUserContext user)
{
if (user == null)
{
throw new ArgumentNullException(nameof(user));
}
if (EnumerableHelper.IsNullOrEmpty(AccessRules))
{
return(true);
}
if (!user.IsSignedIn())
{
return(false);
}
// if logged in, the user should always be assigned a user area
EntityInvalidOperationException.ThrowIfNull(user, u => u.UserArea);
return(AccessRules
.Any(r => r.UserAreaCode == user.UserArea.UserAreaCode &&
(!r.RoleId.HasValue || r.RoleId == user.RoleId)));
}
public Ace(AccessRules type)
{
Type = type;
}
/// <summary>
/// Add a new rule to the request
/// </summary>
/// <param name="rule">The rule to add to the request</param>
public void AddRule(AccessRight rule)
{
AccessRules.Add(rule);
}
public static bool IsAllowed(string resource, string verb, params string[] subjects)
{
OrderedList <string, AccessRule> acls = new OrderedList <string, AccessRule>(new ReverseComparer <string>());
//OrderedList<string, Acl> denied = new OrderedList<string, Acl>(new ReverseComparer<string>());
List <string> subjectList = new List <string>();
foreach (string subject in subjects)
{
subjectList.Add(subject.ToLower());
}
resource = resource.ToLower();
verb = verb.ToLower();
foreach (AccessRule acl in DefaultProvider.GetAcls(resource, verb))
{
acls.Add(acl.Resource, acl);
}
bool isExplicit = false;
AccessRules aclType = AccessRules.Deny;
bool set = false;
string mostAppropriateResourcePath = resource;
bool isFirst = true;
foreach (AccessRule acl in acls)
{
if (isFirst)
{
mostAppropriateResourcePath = acl.Resource;
isFirst = false;
}
if (set && mostAppropriateResourcePath != acl.Resource)
{
return(aclType == AccessRules.Allow);
}
if (acl.Subject == "*")
{
set = true;
aclType = acl.Type;
}
if (subjectList.Contains(acl.Subject))
{
set = true;
isExplicit = true;
aclType = acl.Type;
}
if (isExplicit)
{
return(aclType == AccessRules.Allow);
}
}
return(aclType == AccessRules.Allow);
// Search for explicit rule or inherit for parent at each level
// If two explicit rules are found, Deny has the priority
//bool isDenied = false;
//while (resource != string.Empty)
//{
// //foreach (string verb in verbs)
// //{
// if (denied.ContainsKey(resource))
// {
// foreach (Acl acl in denied[resource])
// {
// if (verbList.Contains(acl.verb))
// return false;
// }
// // if global rule, allow only if there is a specific user's rule for the current path
// if (denied[resource].Contains(new Deny(resource, "*")))
// isDenied = allowed.ContainsKey(resource) && allowed[resource].Contains(verb);
// }
// if (allowed.ContainsKey(resource) && (allowed[resource].Contains(verb) || (!isDenied && allowed[resource].Contains("*"))))
// return true;
//}
//if (isDenied)
// return false;
//if (resource == ROOT)
// return false;
//resource = resource.LastIndexOf(ROOT) <= 0 ? ROOT : resource.Substring(0, resource.LastIndexOf(ROOT));
//return false;
}
/// <summary>
/// Removes the rule.
/// </summary>
/// <param name="accessRule">The access rule.</param>
public virtual void RemoveRule(IAccessRule accessRule)
{
AccessRules.Remove((AccessRule)accessRule);
}
