/// <summary> /// Replaces the given <paramref name="rule" /> on the specified object with the <paramref name="newTrustee" />. /// </summary> /// <param name="objectType">The type of the shared object to be found.</param> /// <param name="objectId">The primary key for the shared object to be found.</param> /// <param name="rule">The ACE (Access Control Entry) to replace.</param> /// <param name="newTrustee">The new ACE (Access Control Entry) to set.</param> /// <param name="cancellationToken">A token to observe while waiting for the task to complete.</param> /// <returns> /// A task that represents the asynchronous operation. /// </returns> public virtual async Task <ValidationResult> ReplaceAccessRuleAsync(AccessObjectType objectType, int objectId, AccessRuleItem rule, AccessRuleItem newTrustee, CancellationToken cancellationToken) { cancellationToken.ThrowIfCancellationRequested(); ThrowIfDisposed(); if (rule == null) { throw new ArgumentNullException(nameof(rule)); } if (newTrustee == null) { throw new ArgumentNullException(nameof(newTrustee)); } var userId = rule.User?.Id; var aceEntity = await AccessRules.SingleOrDefaultAsync(p => p.ObjectType == objectType && p.ObjectId == objectId && p.UserId == userId, cancellationToken); if (aceEntity == null) { throw new InvalidOperationException("ACE does not exist."); } aceEntity.Permission = newTrustee.Permission; aceEntity.Visibility = newTrustee.Visibility; await SaveChangesAsync(cancellationToken); return(ValidationResult.Success); }
/// <summary> /// Inserts a list of <see cref="AccessRuleItem" />s to the specified <paramref name="item" />. /// </summary> /// <param name="objectType">The type of the shared object to be inserted.</param> /// <param name="objectId">The primary key for the shared object to be inserted.</param> /// <param name="rule">The ACEs (Access Control Entries) to insert.</param> /// <param name="cancellationToken">A token to observe while waiting for the task to complete.</param> /// <returns> /// A task that represents the asynchronous operation. /// </returns> public virtual async Task <ValidationResult> AddAccessRuleAsync(AccessObjectType objectType, int objectId, AccessRuleItem rule, CancellationToken cancellationToken) { cancellationToken.ThrowIfCancellationRequested(); ThrowIfDisposed(); if (rule == null) { throw new ArgumentNullException(nameof(rule)); } if (await AccessRules.Where(objectType, objectId, rule.User?.Id).AnyAsync(cancellationToken)) { return(ValidationResult.Failed("Duplicated ACE entry.")); } AccessRules.Add(new SecurityAccessRule { ObjectType = objectType, ObjectId = objectId, UserId = rule.User?.Id, Permission = rule.Permission, Visibility = rule.Visibility }); await SaveChangesAsync(cancellationToken); return(ValidationResult.Success); }
/// <summary> /// Adds the rule. /// </summary> /// <param name="accessRule">The access rule.</param> public virtual void AddRule(IAccessRule accessRule) { if (AccessRules == null) { AccessRules = new List <AccessRule>(); } AccessRules.Add((AccessRule)accessRule); }
/// <summary> /// Retrieves the <see cref="AccessRuleItem" /> associated with the key, as an asynchronous operation. /// </summary> /// <param name="objectType">The type of the shared object to be found.</param> /// <param name="objectId">The primary key of the shared object to be found.</param> /// <param name="cancellationToken">The <see cref="CancellationToken" /> used to propagate notifications that the operation should be canceled.</param> /// <returns> /// The <see cref="Task" /> for the asynchronous operation, containing the contact, if any which matched the specified key. /// </returns> public virtual Task <AccessRuleItem> GetAccessRuleAsync(AccessObjectType objectType, int objectId, CancellationToken cancellationToken) { cancellationToken.ThrowIfCancellationRequested(); ThrowIfDisposed(); return(AccessRules .Where(objectType, objectId, null) .Select(ace => new AccessRuleItem { Permission = ace.Permission, Visibility = ace.Visibility }) .SingleOrDefaultAsync(cancellationToken)); }
/// <summary> /// Retrieves the <see cref="AccessRuleItem" /> associated with the key, as an asynchronous operation. /// </summary> /// <param name="objectType">The type of the shared object to be found.</param> /// <param name="objectId">The primary key of the shared object to be found.</param> /// <param name="userId">The primary key of the user to be found.</param> /// <param name="cancellationToken">The <see cref="CancellationToken" /> used to propagate notifications that the operation should be canceled.</param> /// <returns> /// The <see cref="Task" /> for the asynchronous operation, containing the contact, if any which matched the specified key. /// </returns> public virtual Task <AccessRuleItem> GetAccessRuleByUserAsync(AccessObjectType objectType, int objectId, int userId, CancellationToken cancellationToken) { cancellationToken.ThrowIfCancellationRequested(); ThrowIfDisposed(); return(AccessRules.Where(objectType, objectId, userId).Select(ace => new AccessRuleItem { Permission = ace.Permission, Visibility = ace.Visibility, User = new AccountItem { Id = ace.User.Id, Email = ace.User.Email, FirstName = ace.User.FirstName, LastName = ace.User.LastName, Gender = ace.User.Gender, Birthday = ace.User.Birthday } }).SingleOrDefaultAsync(cancellationToken)); }
/// <summary> /// Deletes a list of <see cref="AccessRuleItem" />s from the specified <paramref name="item" />. /// </summary> /// <param name="objectType">The type of the shared object to be removed.</param> /// <param name="objectId">The primary key for the shared object to be removed.</param> /// <param name="rule">The ACEs (Access Control Entries) to delete.</param> /// <param name="cancellationToken">A token to observe while waiting for the task to complete.</param> /// <returns> /// A task that represents the asynchronous operation. /// </returns> public virtual async Task <ValidationResult> RemoveAccessRuleAsync(AccessObjectType objectType, int objectId, AccessRuleItem rule, CancellationToken cancellationToken) { cancellationToken.ThrowIfCancellationRequested(); ThrowIfDisposed(); if (rule == null) { throw new ArgumentNullException(nameof(rule)); } var aceEntity = await AccessRules.Where(objectType, objectId, rule.User?.Id).SingleOrDefaultAsync(cancellationToken); if (aceEntity == null) { throw new InvalidOperationException("ACE does not exist."); } Context.Remove(aceEntity); await SaveChangesAsync(cancellationToken); return(ValidationResult.Success); }
public FileSystemRights GetEffectiveRights(UserGroup user) { var userSids = new List <string> { user.Sid }; userSids.AddRange(user.Groups); FileSystemRights inheritedDenyRights = 0, denyRights = 0; FileSystemRights inheritedAllowRights = 0, allowRights = 0; foreach (FileSystemAccessRuleForUI Rule in AccessRules.Where(x => userSids.Contains(x.IdentityReference))) { if (Rule.AccessControlType == AccessControlType.Deny) { if (Rule.IsInherited) { inheritedDenyRights |= Rule.FileSystemRights; } else { denyRights |= Rule.FileSystemRights; } } else if (Rule.AccessControlType == AccessControlType.Allow) { if (Rule.IsInherited) { inheritedAllowRights |= Rule.FileSystemRights; } else { allowRights |= Rule.FileSystemRights; } } } return((inheritedAllowRights & ~inheritedDenyRights) | (allowRights & ~denyRights)); }
private void GetAccessRules() { try { ActiveDirectorySecurity Sec = DirEntry.ObjectSecurity; foreach (ActiveDirectoryAccessRule ADRule in Sec.GetAccessRules(true, true, typeof(NTAccount))) { ADCertificateTemplateAccessRule CurrRule = new ADCertificateTemplateAccessRule(ADRule); if (AccessRules.FirstOrDefault(p => p.Identity.Matches(CurrRule.Identity)) == null) { AccessRules.Add(CurrRule); } else { AccessRules.ForEach(p => p.MergeIf(CurrRule)); } } } catch (Exception ex) { throw new CertificateTemplateAccessRuleException(this, ex); } }
/// <summary> /// Determines if the <paramref name="user"/> is permitted to /// access the resource associated with this ruleset. To pass the /// check the user must match any of the <see cref="AccessRules"/>. /// If there are no access rules, then the resource is public and /// the check passes. /// </summary> /// <param name="user">The user to check; cannot be null.</param> /// <returns>true if the user is authorized to access this resource; otherwise false.</returns> public bool IsAuthorized(IUserContext user) { if (user == null) { throw new ArgumentNullException(nameof(user)); } if (EnumerableHelper.IsNullOrEmpty(AccessRules)) { return(true); } if (!user.IsSignedIn()) { return(false); } // if logged in, the user should always be assigned a user area EntityInvalidOperationException.ThrowIfNull(user, u => u.UserArea); return(AccessRules .Any(r => r.UserAreaCode == user.UserArea.UserAreaCode && (!r.RoleId.HasValue || r.RoleId == user.RoleId))); }
public Ace(AccessRules type) { Type = type; }
/// <summary> /// Add a new rule to the request /// </summary> /// <param name="rule">The rule to add to the request</param> public void AddRule(AccessRight rule) { AccessRules.Add(rule); }
public static bool IsAllowed(string resource, string verb, params string[] subjects) { OrderedList <string, AccessRule> acls = new OrderedList <string, AccessRule>(new ReverseComparer <string>()); //OrderedList<string, Acl> denied = new OrderedList<string, Acl>(new ReverseComparer<string>()); List <string> subjectList = new List <string>(); foreach (string subject in subjects) { subjectList.Add(subject.ToLower()); } resource = resource.ToLower(); verb = verb.ToLower(); foreach (AccessRule acl in DefaultProvider.GetAcls(resource, verb)) { acls.Add(acl.Resource, acl); } bool isExplicit = false; AccessRules aclType = AccessRules.Deny; bool set = false; string mostAppropriateResourcePath = resource; bool isFirst = true; foreach (AccessRule acl in acls) { if (isFirst) { mostAppropriateResourcePath = acl.Resource; isFirst = false; } if (set && mostAppropriateResourcePath != acl.Resource) { return(aclType == AccessRules.Allow); } if (acl.Subject == "*") { set = true; aclType = acl.Type; } if (subjectList.Contains(acl.Subject)) { set = true; isExplicit = true; aclType = acl.Type; } if (isExplicit) { return(aclType == AccessRules.Allow); } } return(aclType == AccessRules.Allow); // Search for explicit rule or inherit for parent at each level // If two explicit rules are found, Deny has the priority //bool isDenied = false; //while (resource != string.Empty) //{ // //foreach (string verb in verbs) // //{ // if (denied.ContainsKey(resource)) // { // foreach (Acl acl in denied[resource]) // { // if (verbList.Contains(acl.verb)) // return false; // } // // if global rule, allow only if there is a specific user's rule for the current path // if (denied[resource].Contains(new Deny(resource, "*"))) // isDenied = allowed.ContainsKey(resource) && allowed[resource].Contains(verb); // } // if (allowed.ContainsKey(resource) && (allowed[resource].Contains(verb) || (!isDenied && allowed[resource].Contains("*")))) // return true; //} //if (isDenied) // return false; //if (resource == ROOT) // return false; //resource = resource.LastIndexOf(ROOT) <= 0 ? ROOT : resource.Substring(0, resource.LastIndexOf(ROOT)); //return false; }
/// <summary> /// Removes the rule. /// </summary> /// <param name="accessRule">The access rule.</param> public virtual void RemoveRule(IAccessRule accessRule) { AccessRules.Remove((AccessRule)accessRule); }