Ejemplo n.º 1
0
        /// <summary>
        /// Generate the query SQL. Do not actually run it.
        /// </summary>
        /// <param name="query">The structured query object to convert.</param>
        /// <param name="settings">Build-time settings for the conversion.</param>
        /// <returns>An object structure containing SQL, and other discovered information.</returns>
        public QueryBuild BuildSql(StructuredQuery query, QuerySqlBuilderSettings settings)
        {
            if (query == null)
            {
                throw new ArgumentNullException("query");
            }

            // Initialise settings
            if (settings == null)
            {
                settings = new QuerySqlBuilderSettings( );
            }

            // Optimise tree
            StructuredQuery optimisedQuery = StructuredQueryHelper.PruneQueryTree(query);

            // Generate SQL
            QueryBuilder queryBuilder = new QueryBuilder(optimisedQuery, settings);
            QueryBuild   result       = queryBuilder.GetSqlInternal( );

            // Logging
            using (MessageContext msg = new MessageContext("Reports"))
            {
                msg.Append(() => new string( '-', 50 ));
                msg.Append(() => "Final structured query:\n" + StructuredQueryHelper.ToXml(optimisedQuery));
                msg.Append(() => new string( '-', 50 ));
                msg.Append(() => "SQL:\n" + result.Sql);
                msg.Append(() => new string( '-', 50 ));
            }

            // Note: identify cache dependencies after getting SQL, so that any calculations are resolved into the structured query.
            IdentifyCacheDependencies(optimisedQuery, settings);

            return(result);
        }
Ejemplo n.º 2
0
        public void Test_Append_TwoLevels()
        {
            const string testName  = "a";
            const string testLine1 = "Line 1";
            const string testLine2 = "Line 2";
            const string testLine3 = "Line 3";

            using (MessageContext outerMessageContext = new MessageContext(testName, MessageContextBehavior.Capturing))
            {
                outerMessageContext.Append(() => testLine1);
                Assert.That(outerMessageContext.GetMessage(), Is.EqualTo(testLine1),
                            "Incorrect out message after first append");
                using (MessageContext innerMessageContext = new MessageContext(testName, MessageContextBehavior.Capturing))
                {
                    innerMessageContext.Append(() => testLine2);
                    Assert.That(outerMessageContext.GetMessage(), Is.EqualTo(testLine1 + Environment.NewLine + MessageContext.Indent + testLine2),
                                "Incorrect outer message after second append");
                    Assert.That(innerMessageContext.GetMessage(), Is.EqualTo(testLine2),
                                "Incorrect inner message after second append");
                }

                Assert.That(outerMessageContext.GetMessage(), Is.EqualTo(testLine1 + Environment.NewLine + MessageContext.Indent + testLine2),
                            "Incorrect outer message after inner dispose");

                outerMessageContext.Append(() => testLine3);
                Assert.That(outerMessageContext.GetMessage(), Is.EqualTo(testLine1 + Environment.NewLine + MessageContext.Indent + testLine2 + Environment.NewLine + testLine3),
                            "Incorrect outer message after third append");
            }
        }
Ejemplo n.º 3
0
        public void Test_Sample()
        {
            const string testName = "a";

            using (
                MessageContext messageContext1 = new MessageContext(testName,
                                                                    MessageContextBehavior.Capturing | MessageContextBehavior.New))
            {
                messageContext1.Append(() => "Start:");
                using (MessageContext messageContext2 = new MessageContext(testName))
                {
                    messageContext2.Append(() => "Addends:");
                    using (MessageContext messageContext3 = new MessageContext(testName))
                    {
                        messageContext3.Append(() => "Addend 1: 2");
                        messageContext3.Append(() => "Addend 2: 3");
                    }

                    messageContext2.Append(() => "Result:");
                    using (MessageContext messageContext4 = new MessageContext(testName))
                    {
                        messageContext4.Append(() => "Sum: 5");
                    }
                }

                Assert.That(messageContext1.GetMessage(),
                            Is.EqualTo(string.Format(
                                           @"Start:
{0}Addends:
{0}{0}Addend 1: 2
{0}{0}Addend 2: 3
{0}Result:
{0}{0}Sum: 5", MessageContext.Indent)));
            }
        }
Ejemplo n.º 4
0
 private void LogMessage(CachingEntityAccessControlCheckerResult result)
 {
     // Force an indent by using two message contexts
     using (MessageContext outermessageContext = new MessageContext(EntityAccessControlService.MessageName))
     {
         outermessageContext.Append(() => string.Format("Cache '{0}' results:", CacheName));
         using (MessageContext innerMessageContext = new MessageContext(EntityAccessControlService.MessageName))
         {
             if (result.CacheResult.Count > 0)
             {
                 innerMessageContext.Append(() => string.Format(
                                                "Allowed: {0}",
                                                string.Join(", ",
                                                            result.CacheResult.Where(kvp => kvp.Value)
                                                            .Select(kvp => kvp.Key))));
                 innerMessageContext.Append(() => string.Format(
                                                "Denied: {0}",
                                                string.Join(", ",
                                                            result.CacheResult.Where(kvp => !kvp.Value)
                                                            .Select(kvp => kvp.Key))));
             }
             else
             {
                 innerMessageContext.Append(() => "No results found in the cache.");
             }
         }
     }
 }
        /// <summary>
        /// Is there an access rule for the specified type(s) that includes the requested permission? E.g. create.
        /// </summary>
        /// <param name="entityType">
        /// The <see cref="EntityType"/> to check. This cannot be null.
        /// </param>
        /// <param name="permission">The permission being sought.</param>
        /// <param name="user"> The user requesting access. This cannot be null. </param>
        /// <returns>
        /// True if the user can create entities of that type, false if not.
        /// </returns>
        private bool CheckTypeAccess(EntityType entityType, EntityRef permission, EntityRef user)
        {
            if (user == null)
            {
                throw new ArgumentNullException(nameof(user));
            }
            if (entityType == null)
            {
                throw new ArgumentNullException(nameof(entityType));
            }

            List <EntityType> entityTypesToCheck;
            bool result;

            using (new SecurityBypassContext())
                using (Profiler.MeasureAndSuppress("SecuresFlagEntityAccessControlChecker.CheckTypeAccess"))
                {
                    // Check if the type itself can be created
                    using (MessageContext messageContext = new MessageContext(EntityAccessControlService.MessageName))
                    {
                        messageContext.Append(() => "Checking access rules first:");

                        IDictionary <long, bool> resultAsDict     = null;
                        List <EntityType>        entityTypeAsList = new List <EntityType> {
                            entityType
                        };
                        SecurityBypassContext.RunAsUser(() =>
                                                        resultAsDict = Checker.CheckTypeAccess(entityTypeAsList, permission, user));

                        result = resultAsDict [entityType.Id];

                        if (result)
                        {
                            return(result);
                        }
                    }

                    // Walk graph to get list of types to check
                    entityTypesToCheck = ReachableTypes(entityType.ToEnumerable( ), true, false)
                                         .Select(walkStep => walkStep.Node)
                                         .Where(et => et != entityType) // skip root type.
                                         .ToList( );

                    result = CheckTypeAccessRelatedTypesImpl(entityType, permission, user, entityTypesToCheck);
                    if (!result)
                    {
                        return(false);
                    }

                    // Register cache invalidations
                    using (CacheContext cacheContext = CacheContext.GetContext( ))
                    {
                        cacheContext.EntityTypes.Add(WellKnownAliases.CurrentTenant.Relationship);
                        cacheContext.FieldTypes.Add(WellKnownAliases.CurrentTenant.SecuresFrom, WellKnownAliases.CurrentTenant.SecuresTo, WellKnownAliases.CurrentTenant.SecuresFromReadOnly, WellKnownAliases.CurrentTenant.SecuresToReadOnly);
                    }
                }

            return(result);
        }
 /// <summary>
 /// Record reason for not caching
 /// </summary>
 private static void LogReasonForNonCaching(string reason)
 {
     using (MessageContext msg = new MessageContext("Reports"))
     {
         msg.Append(() => "Query is uncacheable: " + reason);
     }
     EventLog.Application.WriteTrace("Query is uncacheable: " + reason);
 }
Ejemplo n.º 7
0
        /// <summary>
        /// Convert a <see cref="Report" /> to a <see cref="StructuredQuery" />.
        /// </summary>
        /// <param name="report">The <see cref="Report" /> to convert. This cannot be null.</param>
        /// <param name="settings"></param>
        /// <returns>
        /// The converted report.
        /// </returns>
        /// <exception cref="System.ArgumentNullException">report</exception>
        public StructuredQuery Convert(Report report, ReportToQueryConverterSettings settings)
        {
            if (report == null)
            {
                throw new ArgumentNullException("report");
            }
            if (settings == null)
            {
                settings = ReportToQueryConverterSettings.Default;
            }

            StructuredQuery result;
            CachingReportToQueryConverterValue cacheValue;

            CachingReportToQueryConverterKey key = new CachingReportToQueryConverterKey(report, settings);

            using (MessageContext msg = new MessageContext("Reports"))
            {
                // Check cache
                bool doConvert = !TryGetValue(key, msg, out cacheValue);

                // Check for force recalculation
                if (settings.RefreshCachedStructuredQuery)
                {
                    msg.Append(() => "CachingReportToQueryConverter refreshed forced");
                    doConvert = true;
                }

                if (doConvert)
                {
                    lock (_syncRoot)
                    {
                        using (CacheContext cacheContext = new CacheContext( ))
                        {
                            result     = Converter.Convert(report, settings);
                            cacheValue = new CachingReportToQueryConverterValue(result);

                            Cache.Add(key, cacheValue);

                            // Add the cache context entries to the appropriate CacheInvalidator
                            _cacheInvalidator.AddInvalidations(cacheContext, key);
                        }
                    }
                }
                else if (CacheContext.IsSet( ))
                {
                    // Add the already stored changes that should invalidate this cache
                    // entry to any outer or containing cache contexts.
                    using (CacheContext cacheContext = CacheContext.GetContext( ))
                    {
                        cacheContext.AddInvalidationsFor(_cacheInvalidator, key);
                    }
                }
            }

            result = cacheValue.StructuredQuery;
            return(result);
        }
Ejemplo n.º 8
0
        public void Test_Append_SingleLevel()
        {
            const string testName  = "a";
            const string testLine1 = "Line 1";
            const string testLine2 = "Line 2";

            using (MessageContext messageContext = new MessageContext(testName, MessageContextBehavior.Capturing))
            {
                Assert.That(messageContext.GetMessage(), Is.Empty,
                            "Incorrect message before first append line");
                messageContext.Append(() => testLine1);
                Assert.That(messageContext.GetMessage(), Is.EqualTo(testLine1),
                            "Incorrect message after first append line");
                messageContext.Append(() => testLine2);
                Assert.That(messageContext.GetMessage(), Is.EqualTo(testLine1 + Environment.NewLine + testLine2),
                            "Incorrect message after second append line");
            }
        }
Ejemplo n.º 9
0
        /// <summary>
        /// Create a human readable descriptio0n of the result of the security check.
        /// </summary>
        /// <param name="result"></param>
        /// <param name="messageContext"></param>
        /// <returns></returns>
        internal void WriteFooterMessage(IDictionary <long, bool> result, MessageContext messageContext)
        {
            if (messageContext == null)
            {
                throw new ArgumentNullException("messageContext");
            }

            messageContext.Append(() => "Result:");
            using (MessageContext innerMessageContext = new MessageContext(MessageName))
            {
                innerMessageContext.Append(() => string.Format("Allowed: {0}",
                                                               string.Join(", ", result.Where(kvp => kvp.Value)
                                                                           .Select(kvp => kvp.Key))));
                innerMessageContext.Append(() => string.Format("Denied: {0}",
                                                               string.Join(", ", result.Where(kvp => !kvp.Value)
                                                                           .Select(kvp => kvp.Key))));
            }
        }
Ejemplo n.º 10
0
        /// <summary>
        /// Check the cache.
        /// Run the continuation callback if necessary.
        /// Apply presentation formatting.
        /// Store result in cache if possible.
        /// </summary>
        /// <typeparam name="T">Type of result after presentation formatting.</typeparam>
        /// <param name="reportCompletionData">The completion process for a partially processed report.</param>
        /// <param name="presentationCallback">Presentation formatting, such as conversion to webapi message.</param>
        /// <returns></returns>
        public string GetReportResult(ReportCompletionData reportCompletionData, Func <ServiceResult.ReportResult, string> presentationCallback)
        {
            if (reportCompletionData == null)
            {
                return(null);
            }

            ReportResultCacheKey cacheKey;
            string result;

            using (MessageContext msg = new MessageContext("Reports"))
            {
                cacheKey = reportCompletionData.ResultCacheKey;

                // A null cacheKey indicates that the report is uncacheable
                if (cacheKey == null)
                {
                    msg.Append(() => "ReportResultCache received no cache key");

                    // Invoke callback
                    ServiceResult.ReportResult serviceResult = reportCompletionData.PerformRun( );

                    // And format it
                    result = presentationCallback(serviceResult);
                }
                else
                {
                    // Check cache
                    bool fromCache = TryGetOrAdd(cacheKey, msg, out result, key1 =>
                    {
                        string formattedResult;

                        using (CacheContext cacheContext = new CacheContext( ))
                        {
                            // Call completion callback to run report
                            ServiceResult.ReportResult serviceResult = reportCompletionData.PerformRun( );

                            // Format result
                            formattedResult = presentationCallback(serviceResult);

                            // Add the cache context entries to the appropriate CacheInvalidator
                            _cacheInvalidator.AddInvalidations(cacheContext, cacheKey);

                            if (reportCompletionData.CacheContextDuringPreparation != null)
                            {
                                _cacheInvalidator.AddInvalidations(reportCompletionData.CacheContextDuringPreparation, cacheKey);
                            }
                        }
                        return(formattedResult);
                    });

                    // Note: No call to AddInvalidationsFor because no-one is listening.
                }
            }

            return(result);
        }
        private bool CheckTypeAccessRelatedTypesImpl(EntityType entityType, EntityRef permission, EntityRef user, List <EntityType> entityTypesToCheck)
        {
            bool result = false;

            using (MessageContext messageContext = new MessageContext(EntityAccessControlService.MessageName))
            {
                IDictionary <long, bool> canAccessTypes;
                string message;

                // Allow access if the user has access to any of the related types
                if (entityTypesToCheck.Count == 0)
                {
                    messageContext.Append(() => "No entity types found to check.");
                    return(false);
                }

                // Check whether the user has access to the given types
                canAccessTypes = null;
                SecurityBypassContext.RunAsUser(() =>
                                                canAccessTypes = Checker.CheckTypeAccess(
                                                    entityTypesToCheck.ToList( ),
                                                    permission,
                                                    user));

                message = string.Format(
                    "Checking security relationship(s) to see whether user can create entities of type '{0}': ",
                    entityType.Name ?? entityType.Id.ToString( ));

                if (canAccessTypes.Any(kvp => kvp.Value))
                {
                    messageContext.Append(() => string.Format(
                                              "{0} Allowed due to create access to entity type(s) '{1}'",
                                              message,
                                              canAccessTypes.Select(kvp => entityTypesToCheck.First(et => et.Id == kvp.Key).Name ?? kvp.Key.ToString( ))));

                    result = true;
                }
                else
                {
                    messageContext.Append(() => $"{message} Denied");
                }
            }
            return(result);
        }
Ejemplo n.º 12
0
        /// <summary>
        /// Pre-load report entities.
        /// </summary>
        /// <param name="reportId">The ID of the report to preload.</param>
        public static void PreloadReport(EntityRef reportId)
        {
            using (MessageContext messageContext = new MessageContext("Reports"))
            {
                messageContext.Append(() => string.Format("Preload report {0}", reportId));

                var rq = new EntityRequest(reportId, ReportPreloaderQuery, "Preload report " + reportId.ToString( ));
                BulkPreloader.Preload(rq);
            }
        }
Ejemplo n.º 13
0
        /// <summary>
        /// Try to get the value from cache, with logging.
        /// </summary>
        private bool TryGetOrAdd(CachingQueryRunnerKey key, MessageContext msg, out CachingQueryRunnerValue result, Func <CachingQueryRunnerKey, CachingQueryRunnerValue> valueFactory)
        {
            bool foundValue;

            foundValue = Cache.TryGetOrAdd(key, out result, valueFactory);

            msg.Append(() => "CachingQueryRunner key:" + key);
            if (foundValue)
            {
                var cacheValue = result;
                msg.Append(() => "CachingQueryRunner cache hit");
                msg.Append(() => $"Entry originally cached at {cacheValue.CacheTime}");
            }
            else
            {
                msg.Append(() => "CachingQueryRunner cache miss");
            }

            return(foundValue);
        }
Ejemplo n.º 14
0
        /// <summary>
        /// Try to get the value from cache, with logging.
        /// </summary>
        private bool TryGetOrAdd(ReportResultCacheKey key, MessageContext msg, out string result, Func <ReportResultCacheKey, string> valueFactory)
        {
            bool foundValue;

            foundValue = Cache.TryGetOrAdd(key, out result, valueFactory);

            msg.Append(() => "ReportResultCache key:" + key.ToString( ));
            if (foundValue)
            {
                var cacheValue = result;
                msg.Append(() => "ReportResultCache cache hit");
                //msg.Append( ( ) => string.Format( "Entry originally cached at {0}", cacheValue.CacheTime ) );
            }
            else
            {
                msg.Append(() => "ReportResultCache cache miss");
            }

            return(foundValue);
        }
Ejemplo n.º 15
0
        /// <summary>
        /// Try to get the value from cache, with logging.
        /// </summary>
        private bool TryGetValue(CachingReportToQueryConverterKey key, MessageContext msg, out CachingReportToQueryConverterValue result)
        {
            msg.Append(() => "CachingReportToQueryConverter key:" + key);

            CachingReportToQueryConverterValue cacheValue;
            bool foundValue;

            if (Cache.TryGetValue(key, out cacheValue))
            {
                msg.Append(() => "CachingReportToQueryConverter cache hit");
                msg.Append(() => $"Entry originally cached at {cacheValue.CacheTime}");
                result     = cacheValue;
                foundValue = true;
            }
            else
            {
                msg.Append(() => "CachingReportToQueryConverter cache miss");
                result     = null;
                foundValue = false;
            }

            return(foundValue);
        }
        /// <summary>
        /// Check whether the specified <paramref name="permission"/> exists between the <paramref name="subjectId"/>
        /// and the <paramref name="entities"/> using just a relationship. Used for create permission.
        /// </summary>
        /// <param name="subjectId">
        /// The ID of the subject (user or role).
        /// </param>
        /// <param name="permission">
        /// The permission (operation). This cannot be null.
        /// </param>
        /// <param name="entityType">
        /// The type of the checked entities.
        /// </param>
        /// <param name="entities">
        /// The checked entities. This cannot be null or contain null.
        /// </param>
        /// <param name="result">
        /// The map of entity IDs to whether the relationship exists.
        /// </param>
        /// <exception cref="ArgumentNullException">
        /// No argument can be null.
        /// </exception>
        /// <exception cref="ArgumentException">
        /// <paramref name="entities"/> cannot contain null.
        /// </exception>
        internal void CheckAccessControlByRelationship(long subjectId, EntityRef permission,
                                                       long entityType, IList <EntityRef> entities, IDictionary <long, bool> result)
        {
            if (permission == null)
            {
                throw new ArgumentNullException("permission");
            }
            if (entities == null)
            {
                throw new ArgumentNullException("entities");
            }
            if (entities.Contains(null))
            {
                throw new ArgumentException(@"Entities cannot contain null", "entities");
            }
            if (result == null)
            {
                throw new ArgumentNullException("result");
            }

            Subject            subject;
            IEnumerable <long> allowedEntityTypes;

            bool containType;

            using (new SecurityBypassContext())
            {
                subject            = Entity.Get <Subject>(new EntityRef(subjectId));
                allowedEntityTypes = AllowedEntityTypes(permission, subject);

                containType = allowedEntityTypes.Contains(entityType);
            }

            if (containType)
            {
                foreach (EntityRef entity in entities)
                {
                    result[entity.Id] = true;
                }

                using (MessageContext messageContext = new MessageContext(EntityAccessControlService.MessageName))
                {
                    messageContext.Append(() => string.Format(
                                              "'{0}' access to entities '{1}' allowed",
                                              Permissions.GetPermissionByAlias(permission),
                                              string.Join(", ", entities.Select(x => x.ToString()))));
                }
            }
        }
Ejemplo n.º 17
0
 public void Append(StringBuilder sb)
 {
     if (Context == null)
     {
         sb.Append(Reason);
     }
     else
     {
         Context.Append(sb);
     }
     if (DependsOn != null)
     {
         sb.Append(" -> ");
         DependsOn.Append(sb);
     }
 }
        /// <summary>
        /// Write the entity member request structure to the security trace.
        /// </summary>
        /// <param name="entityMemberRequest">
        /// The <see cref="EntityMemberRequest"/> to write out the structure for. This cannot be null.
        /// </param>
        /// <param name="visited">
        /// (Optional) The set of already traced <see cref="EntityMemberRequest"/>s.
        /// </param>
        /// <exception cref="ArgumentNullException">
        /// <paramref name="entityMemberRequest"/> cannot be null.
        /// </exception>
        internal void TraceEntityMemberRequest(EntityMemberRequest entityMemberRequest, ISet <EntityMemberRequest> visited = null)
        {
            if (entityMemberRequest == null)
            {
                throw new ArgumentNullException("entityMemberRequest");
            }

            if (visited == null)
            {
                visited = new HashSet <EntityMemberRequest>();
            }
            visited.Add(entityMemberRequest);

            using (MessageContext messageContext = new MessageContext(EntityAccessControlService.MessageName))
            {
                foreach (RelationshipRequest relationshipRequest in entityMemberRequest.Relationships)
                {
                    // ReSharper disable AccessToForEachVariableInClosure
                    messageContext.Append(() =>
                    {
                        Relationship relationship;
                        EntityType target;
                        EntityType source;

                        relationship = Entity.Get <Relationship>(relationshipRequest.RelationshipTypeId.Id);
                        source       = relationshipRequest.IsReverse ? relationship.ToType : relationship.FromType;
                        target       = relationshipRequest.IsReverse ? relationship.FromType : relationship.ToType;
                        return(string.Format("-> from type '{0}' ({1}) via '{2}' ({3}) to type '{4}' ({5}){6}{7}",
                                             source.Name,
                                             source.Id,
                                             relationship.Name,
                                             relationship.Id,
                                             target.Name,
                                             target.Id,
                                             relationshipRequest.IsReverse ? " (Reverse) " : string.Empty,
                                             visited.Contains(relationshipRequest.RequestedMembers) ? " (Already listed, see above for relationships from this type)" : string.Empty));
                    });
                    // ReSharper restore AccessToForEachVariableInClosure
                    if (!visited.Contains(relationshipRequest.RequestedMembers))
                    {
                        TraceEntityMemberRequest(relationshipRequest.RequestedMembers, visited);
                    }
                }
            }
        }
Ejemplo n.º 19
0
        public void Test_Append_NotCapturing()
        {
            const string testName1 = "a";
            const string testLine1 = "Line 1";
            bool         called;

            called = false;
            using (MessageContext messageContext = new MessageContext(testName1, MessageContextBehavior.Default))
            {
                messageContext.Append(() =>
                {
                    called = true;
                    return(testLine1);
                });
                Assert.That(called, Is.False, "Called");
                Assert.That(messageContext.GetMessage(), Is.Empty,
                            "Message is not empty");
            }
        }
Ejemplo n.º 20
0
        /// <summary>
        /// Write out the diagnostic messages when a structured query execution fails.
        /// </summary>
        /// <param name="structuredQuery">
        /// The <see cref="StructuredQuery"/> that failed. This cannot be null.
        /// </param>
        /// <param name="messageContext">
        /// (Optional) The <see cref="MessageContext"/> to write the details to.
        /// </param>
        /// <param name="ex">
        /// The exception thrown when the query ran, or null if no exception was thrown.
        /// </param>
        /// <exception cref="ArgumentNullException">
        /// <paramref name="structuredQuery"/> cannot be null.
        /// </exception>
        public static void WriteInvalidSecurityReportMessage(StructuredQuery structuredQuery, MessageContext messageContext = null, Exception ex = null)
        {
            if (structuredQuery == null)
            {
                throw new ArgumentNullException("structuredQuery");
            }

            EventLog.Application.WriteWarning(
                "{0} ignored due to errors when running the report{1}",
                GetAccessRuleName(structuredQuery),
                ex == null ? string.Empty : ": " + ex.ToString());

            if (messageContext != null)
            {
                messageContext.Append(
                    () => string.Format(
                        "{0} ignored due to errors when running the report",
                        GetAccessRuleName(structuredQuery)));
            }
        }
Ejemplo n.º 21
0
        public void Test_Append_OuterCapturingOnly()
        {
            const string testName1 = "a";
            const string testLine1 = "Line 1";
            const string testLine2 = "Line 2";

            using (MessageContext outerMessageContext = new MessageContext(testName1, MessageContextBehavior.Capturing))
            {
                outerMessageContext.Append(() => testLine1);
                Assert.That(outerMessageContext.GetMessage(), Is.EqualTo(testLine1),
                            "Incorrect outer message after first append");

                using (MessageContext innerMessageContext = new MessageContext(testName1))
                {
                    innerMessageContext.Append(() => testLine2);
                    Assert.That(innerMessageContext.GetMessage(), Is.Empty,
                                "Incorrect inner message after second append");
                    Assert.That(outerMessageContext.GetMessage(), Is.EqualTo(testLine1 + Environment.NewLine + MessageContext.Indent + testLine2),
                                "Incorrect outer message after second append");
                }
            }
        }
        /// <summary>
        /// Get the subjects for a user.
        /// </summary>
        /// <param name="user">
        /// The user to check. This cannot be null.
        /// </param>
        /// <returns>
        /// The subjects (i.e. user and roles).
        /// </returns>
        private ISet <long> GetSubjects(EntityRef user)
        {
            if (user == null)
            {
                throw new ArgumentNullException("user");
            }

            ISet <long> subjectIds;

            subjectIds = new HashSet <long>(RoleRepository.GetUserRoles(user.Id));
            using (MessageContext messageContext = new MessageContext(EntityAccessControlService.MessageName))
            {
                messageContext.Append(() => string.Format(
                                          "Checking access for user '{0}' ({1}) in roles '{2}'",
                                          Entity.Get <UserAccount>(user).Name,
                                          user.Id,
                                          string.Join(", ", subjectIds.ToList().Select(id => string.Format("'{0}' ({1})", Entity.Get <Subject>(id).Name, id)))));
            }
            subjectIds.Add(user.Id);

            return(subjectIds);
        }
Ejemplo n.º 23
0
        public void Test_NewContext()
        {
            const string testName1 = "a";
            const string testLine1 = "Line 1";
            const string testLine2 = "Line 2";

            using (MessageContext outerMessageContext = new MessageContext(testName1, MessageContextBehavior.Capturing))
            {
                outerMessageContext.Append(() => testLine1);
                Assert.That(outerMessageContext.GetMessage(), Is.EqualTo(testLine1),
                            "Incorrect outer message after first append");

                using (MessageContext innerMessageContext = new MessageContext(testName1, MessageContextBehavior.Capturing | MessageContextBehavior.New))
                {
                    innerMessageContext.Append(() => testLine2);
                    Assert.That(outerMessageContext.GetMessage(), Is.EqualTo(testLine1),
                                "Incorrect outer message after second append");
                    Assert.That(innerMessageContext.GetMessage(), Is.EqualTo(testLine2),
                                "Incorrect inner message after second append");
                }
            }
        }
Ejemplo n.º 24
0
        /// <summary>
        /// Create a human readable description of the security check.
        /// </summary>
        /// <param name="entities"></param>
        /// <param name="permissions"></param>
        /// <param name="messageContext"></param>
        /// <returns></returns>
        internal void WriteHeaderMessage(IList <EntityRef> entities, IList <EntityRef> permissions, MessageContext messageContext)
        {
            if (messageContext == null)
            {
                throw new ArgumentNullException("messageContext");
            }

            messageContext.Append(
                () => string.Format(
                    "Access control check: Does user '{0}' have '{1}' access to entity(ies) '{2}'?",
                    RequestContext.GetContext().Identity.Name ?? "(null)",
                    permissions != null ? string.Join(", ", permissions.Select(Permissions.GetPermissionByAlias)) : "(null)",
                    entities != null ? string.Join(", ", entities) : "(null)"));

            // Problem: Need a way to get names without loading the entities. Otherwise, it creates an infinite loop.
            //messageContext.Append(
            //    () =>
            //    {
            //        IList<Resource> entitiesToCheck;

            //        using (new SecurityBypassContext())
            //        {
            //            entitiesToCheck = Entity.Get<Resource>(entities, new EntityRef("core:name")).ToList();
            //        }

            //        return string.Format(
            //            "Access control check: Does user '{0}' have '{1}' access to entity(ies) '{2}'?",
            //            RequestContext.GetContext().Identity.Name ?? "(null)",
            //            permissions != null
            //                ? string.Join(", ", permissions.Select(Permissions.GetPermissionAlias))
            //                : "(null)",
            //            entities != null
            //                ? string.Join(", ",
            //                    entitiesToCheck.Select(e => string.Format("'{0}' ({1})", e.Name, e.Id)))
            //                : "(null)");
            //    });
        }
Ejemplo n.º 25
0
        /// <summary>
        /// Get the structured query, possibly from cache.
        /// </summary>
        /// <param name="report">The report to convert.</param>
        /// <param name="settings">The report run settings.</param>
        /// <param name="suppressPreload">True if we should suppress preloading.</param>
        /// <returns>The structured query.</returns>
        private StructuredQuery GetStructuredQuery(Model.Report report, ReportSettings settings, bool suppressPreload)
        {
            using (MessageContext msg = new MessageContext("Reports"))
            {
                StructuredQuery immutableStructuredQuery;
                StructuredQuery structuredQuery;

                bool useStructuredQueryCache = settings.UseStructuredQueryCache;

                ReportToQueryConverterSettings converterSettings = new ReportToQueryConverterSettings
                {
                    SuppressPreload = suppressPreload,
                    RefreshCachedStructuredQuery = settings.RefreshCachedStructuredQuery,
                    SchemaOnly = settings.RequireSchemaMetadata
                };

                if (settings != null && settings.UseStructuredQueryCache)
                {
                    // don't allow mutations of cached copy
                    immutableStructuredQuery = CachedReportToQueryConverter.Convert(report, converterSettings);
                }
                else
                {
                    // don't allow mutations, just so we can log it correctly
                    immutableStructuredQuery = NonCachedReportToQueryConverter.Convert(report, converterSettings);
                }

                structuredQuery = immutableStructuredQuery.DeepCopy( ); // so we can mutate it (in case we need to)

                // Logging
                msg.Append(() => new String('-', 50));
                msg.Append(() => "GetStructuredQuery");
                msg.Append(() => "suppressPreload = " + suppressPreload);
                msg.Append(() => "useStructuredQueryCache = " + useStructuredQueryCache);
                msg.Append(() => "Structured Query:\n" + StructuredQueryHelper.ToXml(immutableStructuredQuery));
                msg.Append(() => new String('-', 50));

                return(structuredQuery);
            }
        }
        /// <summary>
        /// Check whether the user has access to the entities by following relationships where the
        /// <see cref="Relationship"/> type has the <see cref="Relationship.SecuresTo"/> or
        /// <see cref="Relationship.SecuresFrom"/> flag set.
        /// </summary>
        /// <param name="permissions">
        /// The permissions to check for. This cannot be null or contain null.
        /// </param>
        /// <param name="user">
        /// The user to do the check access for. This cannot be null.
        /// </param>
        /// <param name="entitiesToCheck">
        /// The entities to check. This cannot be null or contain null.
        /// </param>
        /// <exception cref="ArgumentNullException">
        /// No argument can be null.
        /// </exception>
        internal ISet <EntityRef> CheckAccessControlByRelationship(IList <EntityRef> permissions, EntityRef user,
                                                                   ISet <EntityRef> entitiesToCheck)
        {
            if (permissions == null)
            {
                throw new ArgumentNullException("permissions");
            }
            if (permissions.Contains(null))
            {
                throw new ArgumentNullException("permissions", "Cannot contain null");
            }
            if (user == null)
            {
                throw new ArgumentNullException("user");
            }
            if (entitiesToCheck == null)
            {
                throw new ArgumentNullException("entitiesToCheck");
            }

            EntityMemberRequest entityMemberRequest;
            IDictionary <long, ISet <EntityRef> > entityTypes;
            IEnumerable <EntityData> entitiesData;
            IDictionary <long, bool> accessToRelatedEntities;
            HashSet <EntityRef>      result;
            IList <long>             relatedAccessibleEntities;
            EntityType entityType;

            using (Profiler.MeasureAndSuppress("SecuresFlagEntityAccessControlChecker.CheckAccessControlByRelationship"))
            {
                result = new HashSet <EntityRef>(EntityRefComparer.Instance);

                entityTypes = TypeRepository.GetEntityTypes(entitiesToCheck);
                using (MessageContext outerMessageContext = new MessageContext(EntityAccessControlService.MessageName))
                    foreach (KeyValuePair <long, ISet <EntityRef> > entitiesType in entityTypes)
                    {
                        outerMessageContext.Append(() =>
                                                   string.Format(
                                                       "Checking relationships for entity(ies) \"{0}\" of type \"{1}\":",
                                                       string.Join(", ", entitiesType.Value.Select(er => string.Format("'{0}' ({1})", er.Entity.As <Resource>().Name, er.Id))),
                                                       string.Join(", ", string.Format("'{0}' ({1})", Entity.Get <Resource>(entitiesType.Key).Name, entitiesType.Key))));

                        using (MessageContext innerMessageContext = new MessageContext(EntityAccessControlService.MessageName))
                        {
                            entityType = Entity.Get <EntityType>(entitiesType.Key);
                            if (entityType != null)
                            {
                                entityMemberRequest = EntityMemberRequestFactory.BuildEntityMemberRequest(entityType, permissions);
                                if (entityMemberRequest.Relationships.Count > 0)
                                {
                                    IList <EntityRef> relatedEntitiesToCheck;

                                    innerMessageContext.Append(() => string.Format("Security relationship structure for entity type '{0}':", entityType.Id));
                                    TraceEntityMemberRequest(entityMemberRequest);

                                    // Get the IDs of entities to check security for
                                    EntityRequest request = new EntityRequest
                                    {
                                        Entities          = entitiesType.Value,
                                        Request           = entityMemberRequest,
                                        IgnoreResultCache = true    // security engine does its own result caching
                                    };
                                    entitiesData = BulkRequestRunner.GetEntitiesData(request).ToList( );

                                    // Do a single security check for all entities related to
                                    // the entities passed in, excluding the original entities
                                    // that failed the security check.
                                    relatedEntitiesToCheck = Delegates
                                                             .WalkGraph(
                                        entitiesData,
                                        entityData =>
                                        entityData.Relationships.SelectMany(relType => relType.Entities))
                                                             .Select(ed => ed.Id)
                                                             .Where(er => !entitiesType.Value.Contains(er, EntityRefComparer.Instance))
                                                             .ToList();
                                    if (relatedEntitiesToCheck.Count > 0)
                                    {
                                        // Add the relationship types to watch for cache invalidations
                                        using (CacheContext cacheContext = CacheContext.GetContext())
                                        {
                                            IList <long> relationshipTypes = Delegates
                                                                             .WalkGraph(entityMemberRequest.Relationships,
                                                                                        rr => rr.RequestedMembers.Relationships)
                                                                             .Select(rr => rr.RelationshipTypeId.Id)
                                                                             .ToList();

                                            cacheContext.RelationshipTypes.Add(relationshipTypes);
                                        }

                                        // ReSharper disable AccessToModifiedClosure
                                        // Do a single access check for all entities for efficiency, then pick the
                                        // important ones for each requested entity below.
                                        accessToRelatedEntities = null;
                                        innerMessageContext.Append(
                                            () => string.Format(
                                                "Checking related entities '{0}':",
                                                string.Join(", ", relatedEntitiesToCheck.Select(er => er.Id))));
                                        SecurityBypassContext.RunAsUser(
                                            () =>
                                            accessToRelatedEntities =
                                                Checker.CheckAccess(relatedEntitiesToCheck, permissions, user));
                                        // ReSharper restore AccessToModifiedClosure

                                        foreach (EntityData entityData in entitiesData)
                                        {
                                            // Get the related entities to check
                                            relatedEntitiesToCheck = Delegates.WalkGraph(
                                                entityData,
                                                ed => ed.Relationships.SelectMany(relType => relType.Entities))
                                                                     .Select(ed => ed.Id)
                                                                     .ToList();

                                            // Remove the start entity for the query, since security has
                                            // already been checked on it.
                                            relatedEntitiesToCheck.Remove(entityData.Id);

                                            // Get the related entities the user has access to
                                            relatedAccessibleEntities = accessToRelatedEntities
                                                                        .Where(kvp => kvp.Value && relatedEntitiesToCheck.Contains(kvp.Key, EntityRefComparer.Instance))
                                                                        .Select(kvp => kvp.Key)
                                                                        .ToList();

                                            // Grant access if the user has access to ANY of the related
                                            // entities.
                                            if (relatedEntitiesToCheck.Count > 0 &&
                                                relatedAccessibleEntities.Count > 0)
                                            {
                                                result.Add(entityData.Id);

                                                // ReSharper disable AccessToModifiedClosure
                                                innerMessageContext.Append(
                                                    () => string.Format(
                                                        "Access to '{0}' granted due to corresponding access to '{1}'",
                                                        string.Join(", ", relatedEntitiesToCheck.Select(id => string.Format("'{0}' ({1})", Entity.Get <Resource>(id).Name, id))),
                                                        string.Join(", ", relatedAccessibleEntities.Select(id => string.Format("'{0}' ({1})", Entity.Get <Resource>(id).Name, id)))));
                                                // ReSharper restore AccessToModifiedClosure
                                            }
                                        }
                                    }
                                }
                                else
                                {
                                    innerMessageContext.Append(() => string.Format("No relationships found to check for entity type '{0}'.", entityType.Id));
                                }
                            }
                            else
                            {
                                EventLog.Application.WriteWarning("Type ID {0} for entities '{1}' is not a type",
                                                                  entitiesType.Key, string.Join(", ", entitiesType.Value));
                            }
                        }
                    }
            }

            return(result);
        }
Ejemplo n.º 27
0
        /// <summary>
        /// Build the SQL, or collect it from cache.
        /// </summary>
        /// <param name="query"></param>
        /// <param name="settings"></param>
        /// <returns></returns>
        public QueryBuild BuildSql(StructuredQuery query, QuerySqlBuilderSettings settings)
        {
            // Validate
            if (query == null)
            {
                throw new ArgumentNullException("query");
            }
            if (QuerySqlBuilder == null)
            {
                throw new InvalidOperationException("QuerySqlBuilder not set.");
            }
            if (settings == null)
            {
                settings = new QuerySqlBuilderSettings( );
            }

            // Check if query can even participate in cache
            if (!CachingQuerySqlBuilderKey.DoesRequestAllowForCaching(query, settings))
            {
                return(BuildSqlImpl(query, settings));
            }

            // Get a user-set key
            // (Users may share the same report SQL if they have the same set of read-rules)
            UserRuleSet userRuleSet = null;

            if (settings.RunAsUser != 0)
            {
                userRuleSet = UserRuleSetProvider.GetUserRuleSet(settings.RunAsUser, Permissions.Read);
                if (userRuleSet == null)
                {
                    throw new InvalidOperationException("Expected userRuleSet");   // Assert false
                }
            }

            // Create cache key
            CachingQuerySqlBuilderKey   key = new CachingQuerySqlBuilderKey(query, settings, userRuleSet);
            CachingQuerySqlBuilderValue cacheValue;

            using (MessageContext msg = new MessageContext("Reports"))
            {
                // Check for force recalculation
                if (settings.RefreshCachedSql)
                {
                    msg.Append(() => "CachingQuerySqlBuilder refreshed forced");
                    _cacheInvalidator.DebugInvalidations.Add(key);
                    Cache.Remove(key);
                }

                // In some circumstances, a result will be uncacheable, so we just return 'null' in the delegate instead.
                // However, on the first access, we will still be doing the calculation, so store it here.
                CachingQuerySqlBuilderValue calculatedOnThisAccess = null;

                // Check cache
                bool fromCache = TryGetOrAdd(key, msg, out cacheValue, callbackKey =>
                {
                    // This callback is called if we have a cache miss

                    using (CacheContext cacheContext = new CacheContext( ))
                    {
                        QueryBuild queryResult = BuildSqlImpl(query, settings);
                        cacheValue             = new CachingQuerySqlBuilderValue(query, queryResult);
                        calculatedOnThisAccess = cacheValue;

                        if (queryResult.SqlIsUncacheable)
                        {
                            return(null);
                        }
                        else
                        {
                            // Add the cache context entries to the appropriate CacheInvalidator
                            _cacheInvalidator.AddInvalidations(cacheContext, callbackKey);
                            return(cacheValue);
                        }
                    }
                });

                // cacheValue will be null if the result was uncacheable
                if (cacheValue == null)
                {
                    if (calculatedOnThisAccess != null)
                    {
                        // In this path, the result was uncacheable, so the cache returned a 'null',
                        // but it was the initial calculation run anyway, so we can get the value from callbackValue.
                        cacheValue = calculatedOnThisAccess;
                    }
                    else
                    {
                        // In this path, the result was uncacheable, but someone had asked previously, and stored
                        // the null, so we need to actually build the SQL again for this scenario.
                        // Note: don't need to do anything with cache context, because this cache is not participating.
                        // And if there's a parent context set, then the call to BuildSqlImpl will just talk directly to that context.
                        QueryBuild queryResult = BuildSqlImpl(query, settings);
                        cacheValue = new CachingQuerySqlBuilderValue(query, queryResult);
                    }
                }
                else if (fromCache && CacheContext.IsSet( ))
                {
                    // Add the already stored changes that should invalidate this cache
                    // entry to any outer or containing cache contexts.
                    using (CacheContext cacheContext = CacheContext.GetContext( ))
                    {
                        cacheContext.AddInvalidationsFor(_cacheInvalidator, key);
                    }
                }
            }

            if (cacheValue == null)
            {
                throw new Exception("Assert false");
            }

            // Mutate returned result to be suitable for current query
            QueryBuild result;

            if (cacheValue.OriginalQuery == query)
            {
                result = cacheValue.QueryResult;
            }
            else
            {
                result = MutateResultToMatchCurrentQuery(cacheValue, query);
            }

            return(result);
        }
        /// <summary>
        /// Check whether the user has all the specified
        /// <paramref name="permissions">access</paramref> to the specified <paramref name="entities"/>.
        /// </summary>
        /// <param name="entities">
        ///     The entities to check. This cannot be null or contain null.
        /// </param>
        /// <param name="permissions">
        ///     The permissions or operations to check. This cannot be null or contain null.
        /// </param>
        /// <param name="user">
        ///     The user requesting access. This cannot be null.
        /// </param>
        /// <returns>
        /// A mapping of each entity ID to whether the user has access (true) or not (false).
        /// </returns>
        /// <exception cref="ArgumentNullException">
        /// No argument can be null.
        /// </exception>
        /// <exception cref="ArgumentException">
        /// Neither <paramref name="entities"/> nor <paramref name="permissions"/> can contain null.
        /// </exception>
        public IDictionary <long, bool> CheckAccess(IList <EntityRef> entities, IList <EntityRef> permissions, EntityRef user)
        {
            if (entities == null)
            {
                throw new ArgumentNullException("entities");
            }
            if (permissions == null)
            {
                throw new ArgumentNullException("permissions");
            }
            if (user == null)
            {
                throw new ArgumentNullException("user");
            }

            IDictionary <long, bool> result;
            ISet <long> subjects;
            IDictionary <long, ISet <EntityRef> >        entityTypes;
            Dictionary <long, IDictionary <long, bool> > permissionToAccess;
            // Dictionary keyed off report id to entities
            Dictionary <long, ISet <long> > queryResultsCache;
            ISet <long> allEntities;

            if (SkipCheck(user))
            {
                result = SetAll(entities.Select(e => e.Id), true);
            }
            else if (entities.Count == 0)
            {
                result = new Dictionary <long, bool>();
            }
            else
            {
                using (new SecurityBypassContext())
                {
                    subjects = GetSubjects(user);

                    using (MessageContext messageContext = new MessageContext(EntityAccessControlService.MessageName))
                    {
                        messageContext.Append(() => "Checking access rules:");

                        entityTypes        = null;
                        permissionToAccess = new Dictionary <long, IDictionary <long, bool> >();
                        queryResultsCache  = new Dictionary <long, ISet <long> >();
                        allEntities        = null;

                        foreach (EntityRef permission in permissions)
                        {
                            permissionToAccess[permission.Id] = SetAll(entities.Select(e => e.Id), false);

                            if (allEntities == null &&
                                !permission.Equals(Permissions.Create))
                            {
                                // Add all the entities to a set
                                allEntities = new HashSet <long>(entities.Select(e => e.Id));
                            }

                            foreach (long subject in subjects)
                            {
                                if (entityTypes == null)
                                {
                                    entityTypes = EntityTypeRepository.GetEntityTypes(entities);
                                }

                                bool accessGrantedToAll = false;

                                // entityType maps a sorted list of type ids to instance entity Refs
                                foreach (KeyValuePair <long, ISet <EntityRef> > entityType in entityTypes)
                                {
                                    using (MessageContext perTypeMessageContext = new MessageContext(EntityAccessControlService.MessageName))
                                    {
                                        perTypeMessageContext.Append(() =>
                                                                     ConstructCheckMessage(entities, subjects, entityTypes, subject, entityType));

                                        using (new MessageContext(EntityAccessControlService.MessageName))
                                        {
                                            // Automatically allow read access (only) to fields, relationships and types
                                            CheckAutomaticAccess(permission, entityType, permissionToAccess);

                                            if (EntityRefComparer.Instance.Equals(permission, Permissions.Create))
                                            {
                                                CheckAccessControlByRelationship(
                                                    subject,
                                                    permission,
                                                    entityType.Key,
                                                    entityType.Value.ToList(),
                                                    permissionToAccess[permission.Id]);
                                            }
                                            else
                                            {
                                                CheckAccessControlByQuery(
                                                    subject,
                                                    permission,
                                                    entityType.Key,
                                                    entityType.Value.ToList(),
                                                    allEntities, queryResultsCache,
                                                    permissionToAccess[permission.Id]);
                                            }

                                            // Skip remaining checks if access is granted to all requested entities
                                            // for the current permission.
                                            if (permissionToAccess[permission.Id].All(kvp => kvp.Value))
                                            {
                                                messageContext.Append(
                                                    () => "Access granted to all entities. Not checking additional access rules.");
                                                accessGrantedToAll = true;
                                                break;
                                            }
                                        }
                                    }
                                }

                                // Skip remaining checks if access is granted to all requested entities
                                // for the current permission.
                                if (accessGrantedToAll || permissionToAccess[permission.Id].All(kvp => kvp.Value))
                                {
                                    if (!accessGrantedToAll)
                                    {
                                        messageContext.Append(() => "Access granted to all entities. Not checking additional access rules.");
                                    }
                                    break;
                                }
                            }
                        }

                        result = CollateAccess(entities, permissionToAccess);
                        result = AllowAccessToTypelessIds(result, entityTypes);

                        // Add all the containing roles to the cache so a role change invalidates this
                        // user's security cache entries.
                        using (CacheContext cacheContext = CacheContext.GetContext())
                        {
                            cacheContext.Entities.Add(subjects);
                        }
                    }
                }
            }

            return(result);
        }
        /// <summary>
        /// Check whether the queries for the specified <paramref name="permission"/> allow the <paramref name="subjectId"/>
        /// access to <paramref name="entities"/> using the related security queries. Used for read, modify and delete
        /// permissions.
        /// </summary>
        /// <param name="subjectId">
        /// The ID of the subject (user or role).
        /// </param>
        /// <param name="permission">
        /// The permission (operation). This cannot be null.
        /// </param>
        /// <param name="entityType">
        /// The type ID of the entities to check. This cannot be null.
        /// </param>
        /// <param name="entities">
        /// The entities to check. This cannot be null or contain null.
        /// </param>
        /// <param name="allEntities">
        /// All entities.
        /// </param>
        /// <param name="queryResultsCache">
        /// The query results cache.
        /// </param>
        /// <param name="result">
        /// The map of entity IDs to whether the relationship exists.
        /// </param>
        /// <exception cref="ArgumentNullException">
        /// No argument can be null.
        /// </exception>
        internal void CheckAccessControlByQuery(long subjectId, EntityRef permission,
                                                long entityType, IList <EntityRef> entities, ISet <long> allEntities,
                                                IDictionary <long, ISet <long> > queryResultsCache, IDictionary <long, bool> result)
        {
            using (Profiler.MeasureAndSuppress("CheckAccessControlByQuery"))
            {
                if (permission == null)
                {
                    throw new ArgumentNullException("permission");
                }
                if (result == null)
                {
                    throw new ArgumentNullException("result");
                }
                if (entities == null)
                {
                    throw new ArgumentNullException("entities");
                }
                if (allEntities == null)
                {
                    throw new ArgumentNullException("allEntities");
                }
                if (queryResultsCache == null)
                {
                    throw new ArgumentNullException("queryResultsCache");
                }
                if (entities.Contains(null))
                {
                    throw new ArgumentException("Cannot check access for null entities", "entities");
                }

                IEnumerable <AccessRuleQuery> queries;

                // Allow access to temporary IDs
                if (AllowAccessToTemporaryIds(result))
                {
                    return;
                }

                using (MessageContext messageContext = new MessageContext(EntityAccessControlService.MessageName))
                {
                    queries = QueryRepository.GetQueries(subjectId, permission, new[] { entityType });
                    QueryResult queryResult;

                    // Check if any queries grant access to all instances of the type
                    StructuredQuery shortCircuitQuery = CheckIfAnyQueryProvideAccessToAllInstancesOfType(entityType, queries, entities, result);
                    if (shortCircuitQuery != null)
                    {
                        messageContext.Append(
                            () => string.Format(
                                "{0} allowed '{1}' access to entities '{2}' because it allows access to all instances of the type.",
                                AccessControlDiagnosticsHelper.GetAccessRuleName(shortCircuitQuery),
                                Permissions.GetPermissionByAlias(permission),
                                string.Join(", ", entities.Select(x => x.ToString()))));
                        return;
                    }

                    long securityOwnerRelId = WellKnownAliases.CurrentTenant.SecurityOwner;

                    foreach (AccessRuleQuery accessRuleQuery in queries)
                    {
                        StructuredQuery structuredQuery = accessRuleQuery.Query;
                        var             allowedEntities = new HashSet <long>();
                        ISet <long>     queryResultSet;

                        if (!queryResultsCache.TryGetValue(accessRuleQuery.ReportId, out queryResultSet))
                        {
                            var querySettings = new QuerySettings
                            {
                                SecureQuery = false,
                                Hint        = "security - " + Name
                            };

                            bool filtered = false;

                            if (allEntities.Count <= MaximumNumberOfFilteredEntities)
                            {
                                filtered = true;
                                querySettings.SupportRootIdFilter = true;
                                querySettings.RootIdFilterList    = allEntities;
                            }

                            queryResult = null;
                            try
                            {
                                using (MessageContext msg = new MessageContext("Reports", MessageContextBehavior.New))
                                {
                                    queryResult = Factory.QueryRunner.ExecuteQuery(structuredQuery, querySettings);
                                }
                            }
                            catch (Exception ex)
                            {
                                AccessControlDiagnosticsHelper.WriteInvalidSecurityReportMessage(structuredQuery, messageContext, ex);
                            }

                            queryResultSet = new HashSet <long>();

                            if (queryResult != null && QueryInspector.IsQueryUndamaged(structuredQuery))
                            {
                                foreach (DataRow dataRow in queryResult.DataTable.Rows)
                                {
                                    var id = dataRow.Field <long>(0);
                                    if (filtered || allEntities.Contains(id))
                                    {
                                        queryResultSet.Add(id);
                                    }
                                }
                            }
                            else
                            {
                                if (queryResult != null)
                                {
                                    AccessControlDiagnosticsHelper.WriteInvalidSecurityReportMessage(structuredQuery, messageContext);
                                }
                            }

                            queryResultsCache[accessRuleQuery.ReportId] = queryResultSet;
                        }

                        foreach (EntityRef entityRef in entities)
                        {
                            if (queryResultSet.Contains(entityRef.Id) &&
                                result.ContainsKey(entityRef.Id))
                            {
                                allowedEntities.Add(entityRef.Id);
                                result[entityRef.Id] = true;
                            }
                        }

                        // ReSharper disable AccessToForEachVariableInClosure
                        // ReSharper disable SpecifyACultureInStringConversionExplicitly
                        if (allowedEntities.Count > 0)
                        {
                            messageContext.Append(
                                () => string.Format(
                                    "{0} allowed '{1}' access to entities '{2}' out of '{3}'",
                                    AccessControlDiagnosticsHelper.GetAccessRuleName(structuredQuery),
                                    Permissions.GetPermissionByAlias(permission),
                                    string.Join(", ",
                                                allowedEntities.Select(x => x.ToString())),
                                    string.Join(", ", entities.Select(x => x.ToString()))));
                        }
                        else
                        {
                            messageContext.Append(
                                () => string.Format(
                                    "{0} returned no results for '{1}' access to entities '{2}'",
                                    AccessControlDiagnosticsHelper.GetAccessRuleName(structuredQuery),
                                    Permissions.GetPermissionByAlias(permission),
                                    string.Join(", ", entities.Select(x => x.ToString()))));
                        }
                        // ReSharper restore AccessToForEachVariableInClosure
                        // ReSharper restore SpecifyACultureInStringConversionExplicitly

                        // Set the cache invalidation information
                        using (CacheContext cacheContext = CacheContext.GetContext())
                        {
                            // ******************* TEMPORARY WORKAROUND ***********************
                            // Until we properly implement filtering the invalidating relationships and fields by type
                            // we will ignore invalidating on the security owner relationship

                            cacheContext.RelationshipTypes.Add(
                                StructuredQueryHelper.GetReferencedRelationships(structuredQuery).Where(er => er.Id != securityOwnerRelId).Select(er => er.Id));
                            cacheContext.FieldTypes.Add(
                                StructuredQueryHelper.GetReferencedFields(structuredQuery, true, true).Select(er => er.Id));
                        }
                    }
                }
            }
        }
Ejemplo n.º 30
0
        /// <summary>
        /// Build the SQL, or collect it from cache.
        /// </summary>
        /// <param name="query"></param>
        /// <param name="settings"></param>
        /// <returns></returns>
        public QueryResult ExecuteQuery(StructuredQuery query, QuerySettings settings)
        {
            // Validate
            if (query == null)
            {
                throw new ArgumentNullException("query");
            }
            if (QueryRunner == null)
            {
                throw new InvalidOperationException("QueryRunner not set.");
            }
            if (settings == null)
            {
                settings = new QuerySettings( );
            }

            // Determine if we should cache .. and the cache key
            QueryBuild            builtQuery;
            CachingQueryRunnerKey key;
            CacheContext          queryBuilderCacheContext;

            using (queryBuilderCacheContext = new CacheContext())
            {
                key = CreateCacheKeyAndQuery(query, settings, out builtQuery);
            }

            // A null key means that the ersult should not participate in caching
            if (key == null)
            {
                return(RunQueryImpl(query, settings, builtQuery));
            }

            CachingQueryRunnerValue cacheValue;

            using (MessageContext msg = new MessageContext("Reports"))
            {
                // Check for force recalculation
                if (settings.RefreshCachedResult)
                {
                    msg.Append(() => "CachingQueryRunner refreshed forced");
                    Cache.Remove(key);
                }

                // Run query
                bool fromCache = TryGetOrAdd(key, msg, out cacheValue, callbackKey =>
                {
                    using (CacheContext cacheContext = new CacheContext( ))
                    {
                        QueryResult queryResult = RunQueryImpl(query, settings, builtQuery);
                        cacheValue = new CachingQueryRunnerValue(query, queryResult);

                        // Add the cache context entries to the appropriate CacheInvalidator
                        _cacheInvalidator.AddInvalidations(cacheContext, callbackKey);
                        _cacheInvalidator.AddInvalidations(queryBuilderCacheContext, callbackKey);
                    }

                    return(cacheValue);
                });

                if (fromCache && CacheContext.IsSet())
                {
                    using (CacheContext cacheContext = CacheContext.GetContext( ))
                    {
                        // Add the already stored changes that should invalidate this cache
                        // entry to any outer or containing cache contexts.
                        cacheContext.AddInvalidationsFor(_cacheInvalidator, key);
                    }
                }
            }

            if (cacheValue == null)
            {
                throw new Exception("Assert false");
            }

            // Mutate returned result to be suitable for current query
            QueryResult result;

            if (cacheValue.OriginalQuery == query)
            {
                result = cacheValue.QueryResult;
            }
            else
            {
                result = MutateResultToMatchCurrentQuery(cacheValue, query);
            }

            return(result);
        }