public IActionResult Get()
{
// somehow determine what the resource, action and schema are
var resource = CRN.FromValue("crn:farm/1");
var action = ResourceAction.FromValue("iam:owner");
var schema = CSN.FromValue("csn:ag-data:farm");
// validate permissions
var permissionsValid = this.ValidatePermissions(resource, action, schema);
if (!permissionsValid)
{
return(Forbid());
}
var rng = new Random();
return(Ok(Enumerable.Range(1, 5).Select(index => new WeatherForecast
{
Date = DateTime.Now.AddDays(index),
TemperatureC = rng.Next(-20, 55),
Summary = Summaries[rng.Next(Summaries.Length)]
})
.ToArray()));
}
public CRNData(CRN crn)
{
this.colFirst = crn.colFirst;
this.colLast = crn.colLast;
this.rw = crn.rw;
this.oper = crn.oper;
}
public static IEnumerable <object[]> PartiallyValidPermissions()
{
yield return(new object[]
{
new PermissionTicketRequest()
{
Action = ResourceActions.Data.Read,
Principal = Identities.DanielB,
Schema = Schemas.MilkPickup,
Resource = CRN.FromValue("crn:farm/*:herd/*:*")
}
});
yield return(new object[]
{
new PermissionTicketRequest()
{
Action = ResourceActions.Data.Read,
Principal = Identities.DanielB,
Schema = Schemas.MilkPickup,
Resource = CRN.FromValue("crn:farm/*:herd/*")
}
});
yield return(new object[]
{
new PermissionTicketRequest()
{
Action = ResourceActions.Data.Read,
Principal = Identities.DanielB,
Schema = Schemas.MilkPickup,
Resource = CRN.FromValue("crn:farm/1234:herd/*")
}
});
}
public void Revoke(CRN resource, CPN principal, CSN schema = null)
{
var found = this.storage.FindBy(it =>
it.Principal == principal &&
it.Resources.Any(r =>
{
if (resource.IncludesWildcard)
{
return(resource.IsWildcardMatch(r.Identifier));
}
return(r.Identifier == resource);
}));
if (schema != default(CSN))
{
found = found.Where(f => f.Resources.Any(r => r.Schema == schema));
}
var keys = found.Select(f => f.GetHash());
foreach (var k in keys)
{
this.storage.Remove(k);
}
}
private Resource ToModel(Persistance.Models.Resource resource)
{
var identifier = CRN.FromValue(resource.CanonicalName);
var actions = resource.Actions.Select(a => ResourceAction.FromValue(a.Action.CanonicalName)).ToArray();
return(Resource.FromIdentifier(identifier).WithActions(actions));
}
private IEnumerable <Resource> Find(CRN resource, IEnumerable <Resource> resources)
{
if (resource.IncludesWildcard)
{
return(resources.Where(r => resource.IsWildcardMatch(r.Identifier)));
}
return(resources.Where(r => r.Identifier == resource));
}
public IEnumerable <DataProvider> All()
{
return(this.context.DataProviders.Include(p => p.Principal).ToList().Select(p => new DataProvider()
{
Principal = CPN.FromValue(p.Principal.CanonicalName),
Identifier = CRN.FromValue(p.CanonicalName),
Name = p.Name
}));
}
public static IEnumerable <object[]> InvalidPermissions()
{
yield return(new object[]
{
new PermissionTicketRequest()
{
Action = ResourceActions.Identified.Individual,
Principal = Identities.DanielB,
Schema = Schemas.MilkPickup,
Resource = CRN.FromValue("crn:farm/*:herd/88756")
}
});
yield return(new object[]
{
new PermissionTicketRequest()
{
Action = ResourceActions.Iam.Owner,
Principal = Identities.DanielB,
Schema = Schemas.MilkPickup,
Resource = CRN.FromValue("crn:farm/*:herd/8876:*")
}
});
yield return(new object[]
{
new PermissionTicketRequest()
{
Action = ResourceActions.Iam.Delegated,
Principal = Identities.Admin,
Schema = Schemas.MilkPickup,
Resource = CRN.FromValue("crn:farm/*:herd/88756")
}
});
yield return(new object[]
{
new PermissionTicketRequest()
{
Action = ResourceActions.Iam.Delegated,
Principal = Identities.DanielB,
Schema = Schemas.MilkPickup,
Resource = CRN.FromValue("crn:farm/*:herd/88756")
}
});
yield return(new object[]
{
new PermissionTicketRequest()
{
Action = ResourceActions.Iam.Owner,
Principal = Identities.DanielB,
Schema = Schemas.NumbersOnProperty,
Resource = CRN.FromValue("crn:farm/*:herd/88756")
}
});
}
public void Remove(CRN identifier)
{
var found = this.context.DataProviders.FirstOrDefault(p => p.CanonicalName == identifier.ToString());
if (found == null)
{
return;
}
this.context.Remove(found);
this.context.SaveChanges();
}
private PermissionGrant ToModel(Persistance.Models.PermissionGrant entity)
{
return(new PermissionGrant()
{
Id = entity.PermissionGrantId,
Principal = CPN.FromValue(entity.Principal.CanonicalName),
Schema = CSN.FromValue(entity.Schema.CanonicalName),
Actions = entity.Actions.Select(a => ResourceAction.FromValue(a.Action.CanonicalName)).ToList(),
Resource = entity.Resources.Select(r => CRN.FromValue(r.Resource.CanonicalName)).ToList()
});
}
public void AllActionsValidForResources(CRN resource, ResourceAction action)
{
// Arrange
var storage = new MockResourceStorage().Setup();
var resourceValidator = new ResourceValidator(storage);
// Act
var result = resourceValidator.Validate(resource, action);
// Assert
result.IsValid.Should().BeTrue();
}
public void AllResourcesAreInvalid(CRN resource)
{
// Arrange
var storage = new MockResourceStorage().Setup();
var resourceValidator = new ResourceValidator(storage);
// Act
var result = resourceValidator.Validate(resource);
// Assert
result.IsValid.Should().BeFalse();
}
public void FindSpecificResource(CRN rn)
{
// Arrange
var storage = new MockResourceStorage().Setup();
var resourceFinder = new ResourceFinder(storage);
// Act
var result = resourceFinder.Find(rn);
// Assert
result.Should().ContainSingle(r => r.Identifier == rn);
}
public void ResourceNotFound(CRN rn)
{
// Arrange
var storage = new MockResourceStorage().Setup();
var resourceFinder = new ResourceFinder(storage);
// Act
var result = resourceFinder.Find(rn);
// Assert
result.Should().BeEmpty();
}
public void FindResourcesByWildcard(CRN resource, IEnumerable <Resource> expectedResources)
{
// Arrange
var storage = new MockResourceStorage().Setup();
var resourceFinder = new ResourceFinder(storage);
// Act
var result = resourceFinder.Find(resource);
// Assert
result.Should().BeEquivalentTo(expectedResources);
}
public IEnumerable <DataSource> GetSources(CRN identifier)
{
return(this.context.DataSources
.Include(x => x.Provider)
.Where(s => s.Provider.CanonicalName == identifier.ToString())
.ToList()
.Select(s => new DataSource()
{
Identifier = CRN.FromValue(s.CanonicalName),
Provider = CRN.FromValue(s.Provider.CanonicalName)
}));
}
public override Resource ReadJson(JsonReader reader, Type objectType, Resource existingValue, bool hasExistingValue,
JsonSerializer serializer)
{
var token = JToken.Load(reader);
if (token.Type == JTokenType.Object)
{
CRN identifier = null;
ResourceAction[] actions = null;
foreach (var t in token.Children())
{
if (t.Path == "identifier")
{
identifier = CRN.FromValue(t.First.Value <string>());
continue;
}
if (t.Path == "action")
{
var values = t.Values();
actions = values.Select(v => ResourceAction.FromValue(v.Value <string>())).ToArray();
continue;
}
}
if (actions != null)
{
return(Resource.FromIdentifier(identifier).WithActions(actions));
}
return(Resource.FromIdentifier(identifier));
}
if (token.Type == JTokenType.String)
{
var value = serializer.Deserialize <CRN>(token.CreateReader());
return(Resource.FromIdentifier(value));
}
try
{
if (token.Value <CRN>() == default)
{
return(null);
}
var value = serializer.Deserialize <CRN>(reader);
return(Resource.FromIdentifier(value));
}
catch
{
return(null);
}
}
public IActionResult Delete(string resource)
{
var resourceName = CRN.FromValue(HttpUtility.UrlDecode(resource));
var found = this.storage.FindByIdentifier(resourceName).FirstOrDefault();
if (found == null)
{
return(NotFound());
}
this.storage.Remove(found);
return(Ok(resource));
}
public static IEnumerable <object[]> ValidPermissions()
{
yield return(new object[]
{
new PermissionTicketRequest()
{
Action = ResourceActions.Data.Read,
Principal = Identities.DanielB,
Schema = Schemas.MilkPickup,
Resource = CRN.FromValue("crn:farm/*:herd/88756")
}
});
//yield return new object[]
//{
// new PermissionTicketRequest()
// {
// Action = ResourceActions.Data.Read,
// Principal = Identities.DanielB,
// Schema = Schemas.MilkPickup,
// Resource = CRN.FromValue("crn:farm/*:herd/88756:*")
// }
//};
yield return(new object[]
{
new PermissionTicketRequest()
{
Action = ResourceActions.Data.Read,
Principal = Identities.DanielB,
Schema = Schemas.MilkPickup,
Resource = CRN.FromValue("crn:farm/1234:herd/88756")
}
});
//yield return new object[]
//{
// new PermissionTicketRequest()
// {
// Action = ResourceActions.Data.Read,
// Principal = Identities.DanielB,
// Schema = Schemas.MilkPickup,
// Resource = CRN.FromValue("crn:farm/1234:herd/88756:*")
// }
//};
}
public static bool ValidatePermissions <T>(
this T controller,
CRN resource,
ResourceAction action,
CSN schema)
where T : ControllerBase
{
var principal = controller.User;
// parse out resources
var resourceClaims = principal.Claims.Where(c => c.Type.StartsWith("resource"));
var resourcesAllowed = resourceClaims.Select(c =>
{
var base64 = c.Value;
var json = base64.FromBase64Encoded();
return(JsonConvert.DeserializeObject <PermissionTicketResource>(json));
});
// find resources matching schema
var forSchema = resourcesAllowed.Where(r => r.Schema == schema).ToList();
if (!forSchema.Any())
{
return(false);
}
// find resources matching either wildcard or direct match
var matching = forSchema.Where(r =>
{
if (resource.IncludesWildcard)
{
return(resource.IsWildcardMatch(r.Identifier));
}
return(resource == r.Identifier);
}).ToList();
if (!matching.Any())
{
return(false);
}
// find resources matching required action
var withAction = matching.Where(r => r.Actions.Contains(action));
return(withAction.Any());
}
public ValidationResult <CRN> Validate(CRN resource)
{
if (!resource.IsValid)
{
return(ValidationResult <CRN> .Invalid(resource, InvalidResourceName));
}
if (resource.Parts.Any(p => p.Contains("*")))
{
return(ValidationResult <CRN> .Invalid(resource, ResourceNameCannotContainAny));
}
var exists = this.storage.FindByIdentifier(resource);
if (exists?.Any() == true)
{
return(ValidationResult <CRN> .Valid(resource));
}
return(ValidationResult <CRN> .Invalid(resource, ResourceDoesNotExist));
}
public void RemovePolicy(CRN identifier, CSN schema)
{
var provider = this.context.DataProviders.FirstOrDefault(p => p.CanonicalName == identifier.ToString());
var foundSchema = this.context.Schemas.FirstOrDefault(s => s.CanonicalName == schema.ToString());
if (provider == null || foundSchema == null)
{
return;
}
var found = this.context.DataProviderPolicies.FirstOrDefault(p =>
p.DataProviderId == provider.DataProviderId && p.SchemaId == foundSchema.SchemaId);
if (found == null)
{
return;
}
this.context.Remove(found);
this.context.SaveChanges();
}
public IEnumerable <DataProviderPolicy> GetPoliciesForSchema(CSN schema)
{
return(this.context.DataProviderPolicies
.Include(p => p.Provider)
.Include(p => p.Schema)
.Include(p => p.PolicyItems)
.ThenInclude(i => i.Principal)
.Where(p => p.Schema.CanonicalName == schema.ToString())
.ToList()
.Select(p => new DataProviderPolicy()
{
Provider = CRN.FromValue(p.Provider.CanonicalName),
Schema = CSN.FromValue(p.Schema.CanonicalName),
Rule = p.PolicyItems.Select(i => new DataProviderPolicyRule()
{
Principal = CPN.FromValue(i.Principal.CanonicalName),
Allow = i.Allow,
Deny = i.Deny
}).ToList()
}));
}
public void TicketIsRevoked()
{
// Arrange
var resourceMask = CRN.FromParts("farm/*", "herd/*");
var ticket = this.manager.Request(new PermissionTicketRequest()
{
Schema = Schemas.MilkPickup,
Action = ResourceActions.Iam.Owner,
Principal = Identities.DanielB,
Resource = resourceMask
});
var ticketHash = ticket.GetHash();
// Act
this.manager.Revoke(resourceMask, Identities.DanielB);
// Assert
var validationResult = this.manager.Validate(ticket);
var existing = this.storage.Find(ticketHash);
validationResult.Should().BeFalse();
existing.Should().BeNull();
}
public ValidationResult <CRN, ResourceAction> Validate(CRN resource, ResourceAction action)
{
var resourceValid = Validate(resource);
if (!resourceValid.IsValid)
{
return(ValidationResult <CRN, ResourceAction> .Invalid(resource, action, resourceValid.Reason));
}
var found = this.storage.FindByIdentifier(resource).FirstOrDefault();
if (found == null)
{
return(ValidationResult <CRN, ResourceAction> .Invalid(resource, action, ResourceDoesNotExist));
}
if (!found.ValidActions.Contains(action))
{
return(ValidationResult <CRN, ResourceAction> .Invalid(resource, action, ActionInvalidForResource));
}
return(ValidationResult <CRN, ResourceAction> .Valid(resource, action));
}
public static DataProviderPolicy ForProvider(CRN provider) => new DataProviderPolicy()
{
Provider = provider
};
public IEnumerable <DataProviderPolicy> GetPolicies(CRN identifier) => this.policies.Where(p => p.Provider == identifier);
public IEnumerable <DataSource> GetSources(CRN identifier) => this.sources.Where(s => s.Provider == identifier);
public void RemovePolicy(CRN identifier, CSN schema) => this.policies.RemoveAll(p => p.Provider == identifier && p.Schema == schema);
public void Remove(CRN identifier) => this.providers.RemoveAll(p => p.Identifier == identifier);
