public static void AuthorizeSASRequest(TableSignedAccessAccountIdentifier sasAccountIdentifier, PermissionLevel permissionLevel, SASPermission sasPermissionsRequired, string userTableName, bool isUtilityTableCommand) { if (sasAccountIdentifier == null) { return; } SASPermission signedAccessPermission = sasAccountIdentifier.SignedAccessPermission; if (isUtilityTableCommand) { throw new NephosUnauthorizedAccessException("Signed access not supported for this request.", sasAccountIdentifier.AccountName, sasAccountIdentifier.TableName, null, sasAccountIdentifier, permissionLevel, signedAccessPermission, AuthorizationFailureReason.InvalidOperationSAS); } if ((sasPermissionsRequired & ~45) != SASPermission.None) { NephosAssertionException.Fail(string.Format("Signed permission is not well formed. Signed permission: {0}", sasPermissionsRequired)); } if (!string.Equals(sasAccountIdentifier.TableName, userTableName.ToLower(), StringComparison.Ordinal)) { throw new NephosUnauthorizedAccessException("Signed access not supported for this request as table name did not match", sasAccountIdentifier.AccountName, sasAccountIdentifier.TableName, null, sasAccountIdentifier, permissionLevel, signedAccessPermission, AuthorizationFailureReason.InvalidOperationSAS); } if ((sasPermissionsRequired & signedAccessPermission) != sasPermissionsRequired) { throw new NephosUnauthorizedAccessException("Signed access insufficient permission", sasAccountIdentifier.AccountName, sasAccountIdentifier.TableName, null, sasAccountIdentifier, permissionLevel, signedAccessPermission, AuthorizationFailureReason.PermissionMismatch); } }
public ContainerUnauthorizedException(string message, string resourceAccount, string resourceContainer, string resourceIdentifier, IAccountIdentifier requestor, Microsoft.Cis.Services.Nephos.Common.Authorization.PermissionLevel permissionLevel, SASPermission signedPermission, Exception innerException) : base(message, innerException) { this.requestor = requestor; this.resourceAccount = resourceAccount; this.resourceContainer = resourceContainer; this.resourceIdentifier = resourceIdentifier; this.permissionLevel = permissionLevel; this.signedPermission = signedPermission; }
private static SASPermission ValidateAndAddPermission(SASPermission currPermissions, SASPermission newPermission, int position) { if ((currPermissions & newPermission) == newPermission) { object[] objArray = new object[] { "Invalid duplicate permission. Error at index ", position, " of ", currPermissions }; throw new FormatException(string.Concat(objArray)); } currPermissions |= newPermission; return(currPermissions); }
protected ContainerUnauthorizedException(SerializationInfo info, StreamingContext context) : base(info, context) { if (info == null) { throw new ArgumentNullException("info"); } this.requestor = (IAccountIdentifier)info.GetValue("this.requestor", typeof(IAccountIdentifier)); this.resourceAccount = info.GetString("this.resourceAccount"); this.resourceContainer = info.GetString("this.resourceContainer"); this.resourceIdentifier = info.GetString("this.resourceIdentifier"); this.permissionLevel = (Microsoft.Cis.Services.Nephos.Common.Authorization.PermissionLevel)info.GetValue("this.permissionLevel", typeof(Microsoft.Cis.Services.Nephos.Common.Authorization.PermissionLevel)); this.signedPermission = (SASPermission)info.GetValue("this.signedPermission", typeof(SASPermission)); }
public ContainerUnauthorizedException(string message, string resourceAccount, string resourceContainer, string resourceIdentifier, IAccountIdentifier requestor, Microsoft.Cis.Services.Nephos.Common.Authorization.PermissionLevel permissionLevel, SASPermission signedPermission) : this(message, resourceAccount, resourceContainer, resourceIdentifier, requestor, permissionLevel, signedPermission, null) { }
public ContainerUnauthorizedException(string resourceAccount, string resourceContainer, string resourceIdentifier, IAccountIdentifier requestor, Microsoft.Cis.Services.Nephos.Common.Authorization.PermissionLevel permissionLevel, SASPermission signedPermission, Exception innerException) : this(string.Format(CultureInfo.InvariantCulture, "{0} does not have {1} access to resource {2}", new object[] { requestor.AccountName, permissionLevel, RealServiceManager.GetResourceString(resourceAccount, resourceContainer, resourceIdentifier) }), resourceAccount, resourceContainer, resourceIdentifier, requestor, permissionLevel, signedPermission, innerException) { }
protected internal override AuthorizationResult AuthorizeResourceSignedAccessRequest(SignedAccessAccountIdentifier signedRequestor, string resourceAccount, string resourceContainer, string resourceIdentifier, PermissionLevel requestedPermission, SASPermission requestedSignedPermission) { AuthorizationResult authorizationResult; AuthorizationResult authorizationResult1 = new AuthorizationResult(false, AuthorizationFailureReason.AccessPermissionFailure); if ((requestedSignedPermission & (SASPermission.Update | SASPermission.Process)) != SASPermission.None) { throw new ArgumentException(string.Format("Signed permission is not well formed. Signed permission: {0}", requestedSignedPermission), "signedPermission"); } if ((requestedSignedPermission & signedRequestor.SignedAccessPermission) != requestedSignedPermission) { authorizationResult1.FailureReason = AuthorizationFailureReason.PermissionMismatch; authorizationResult1.Authorized = false; return(authorizationResult1); } List <SASAccessRestriction> .Enumerator enumerator = signedRequestor.SignedAccessRestrictions.GetEnumerator(); try { while (enumerator.MoveNext()) { SASAccessRestriction current = enumerator.Current; if (string.IsNullOrEmpty(resourceAccount) || !resourceAccount.Equals(current.AccessPath.AccountName, StringComparison.OrdinalIgnoreCase) || string.IsNullOrEmpty(resourceContainer) || !resourceContainer.Equals(current.AccessPath.ContainerName, StringComparison.OrdinalIgnoreCase)) { continue; } if (current.AccessLevel != SASAccessLevel.Container) { if (string.IsNullOrEmpty(resourceIdentifier) || !resourceIdentifier.Equals(current.AccessPath.RemainingPart, StringComparison.OrdinalIgnoreCase)) { continue; } authorizationResult1.FailureReason = AuthorizationFailureReason.NotApplicable; authorizationResult1.Authorized = true; authorizationResult = authorizationResult1; return(authorizationResult); } else { authorizationResult1.FailureReason = AuthorizationFailureReason.NotApplicable; authorizationResult1.Authorized = true; authorizationResult = authorizationResult1; return(authorizationResult); } } authorizationResult1.FailureReason = AuthorizationFailureReason.AccessPermissionFailureSAS; authorizationResult1.Authorized = false; return(authorizationResult1); } finally { ((IDisposable)enumerator).Dispose(); } return(authorizationResult); }
protected internal abstract AuthorizationResult AuthorizeResourceSignedAccessRequest(SignedAccessAccountIdentifier signedRequestor, string resourceAccount, string resourceContainer, string resourceIdentifier, PermissionLevel requestedPermission, SASPermission requestedSignedPermission);
public static SASPermission ParseSASPermission(string text) { SASPermission sASPermission = SASPermission.None; string str = text; int num = 0; while (true) { if (num >= str.Length) { return(sASPermission); } char chr = str[num]; if (chr > 'l') { switch (chr) { case 'p': { sASPermission |= SASPermission.Process; break; } case 'q': { throw new FormatException(string.Concat("Invalid signed permission. permission = ", text)); } case 'r': { sASPermission |= SASPermission.Read; break; } default: { switch (chr) { case 'u': { sASPermission |= SASPermission.Update; break; } case 'v': { throw new FormatException(string.Concat("Invalid signed permission. permission = ", text)); } case 'w': { sASPermission |= SASPermission.Write; break; } default: { throw new FormatException(string.Concat("Invalid signed permission. permission = ", text)); } } break; } } } else { switch (chr) { case 'a': { sASPermission |= SASPermission.Add; break; } case 'b': { throw new FormatException(string.Concat("Invalid signed permission. permission = ", text)); } case 'c': { sASPermission |= SASPermission.Create; break; } case 'd': { sASPermission |= SASPermission.Delete; break; } default: { if (chr == 'l') { sASPermission |= SASPermission.List; break; } else { throw new FormatException(string.Concat("Invalid signed permission. permission = ", text)); } } } } num++; } throw new FormatException(string.Concat("Invalid signed permission. permission = ", text)); }
public static SASPermission ParsePermissionsForAccountSas(string permission) { if (string.IsNullOrEmpty(permission)) { throw new ArgumentException(permission); } SASPermission sASPermission = SASPermission.None; int num = 0; while (true) { if (num >= permission.Length) { return(sASPermission); } char chr = permission[num]; if (chr > 'l') { switch (chr) { case 'p': { sASPermission = AccountSasHelper.ValidateAndAddPermission(sASPermission, SASPermission.Process, num); break; } case 'q': { throw new FormatException(string.Concat("Unexpected character ", permission[num], " in permission")); } case 'r': { sASPermission = AccountSasHelper.ValidateAndAddPermission(sASPermission, SASPermission.Read, num); break; } default: { switch (chr) { case 'u': { sASPermission = AccountSasHelper.ValidateAndAddPermission(sASPermission, SASPermission.Update, num); break; } case 'v': { throw new FormatException(string.Concat("Unexpected character ", permission[num], " in permission")); } case 'w': { sASPermission = AccountSasHelper.ValidateAndAddPermission(sASPermission, SASPermission.Write, num); break; } default: { throw new FormatException(string.Concat("Unexpected character ", permission[num], " in permission")); } } break; } } } else { switch (chr) { case 'a': { sASPermission = AccountSasHelper.ValidateAndAddPermission(sASPermission, SASPermission.Add, num); break; } case 'b': { throw new FormatException(string.Concat("Unexpected character ", permission[num], " in permission")); } case 'c': { sASPermission = AccountSasHelper.ValidateAndAddPermission(sASPermission, SASPermission.Create, num); break; } case 'd': { sASPermission = AccountSasHelper.ValidateAndAddPermission(sASPermission, SASPermission.Delete, num); break; } default: { if (chr == 'l') { sASPermission = AccountSasHelper.ValidateAndAddPermission(sASPermission, SASPermission.List, num); break; } else { throw new FormatException(string.Concat("Unexpected character ", permission[num], " in permission")); } } } } num++; } throw new FormatException(string.Concat("Unexpected character ", permission[num], " in permission")); }
internal void CheckPermission(string userTableName, bool isUtilityTableCommand, bool shouldCheckGet, UpdateKind commandKind) { PermissionLevel permissionLevel; if (this.SignedAccountIdentifier != null) { IStringDataEventStream verboseDebug = Logger <IRestProtocolHeadLogger> .Instance.VerboseDebug; object[] tableName = new object[] { this.SignedAccountIdentifier.TableName, this.SignedAccountIdentifier.StartingPartitionKey, this.SignedAccountIdentifier.StartingRowKey, this.SignedAccountIdentifier.EndingPartitionKey, this.SignedAccountIdentifier.EndingRowKey }; verboseDebug.Log("Sas tn={0} spk={1} srk={2} epk={3} erk={4}", tableName); } List <SASPermission> sASPermissions = new List <SASPermission>(); if (!shouldCheckGet) { switch (commandKind) { case UpdateKind.Insert: { if (!isUtilityTableCommand) { sASPermissions.Add(SASPermission.Add); } else { sASPermissions.Add(SASPermission.Create); sASPermissions.Add(SASPermission.Write); } permissionLevel = PermissionLevel.Write; this.CheckAnalyticsPermissions(userTableName, null); goto Label0; } case UpdateKind.Delete: { sASPermissions.Add(SASPermission.Delete); permissionLevel = PermissionLevel.Delete; this.CheckAnalyticsPermissions(userTableName, new bool?(isUtilityTableCommand)); goto Label0; } case UpdateKind.Replace: case UpdateKind.Merge: { sASPermissions.Add(SASPermission.Update); permissionLevel = PermissionLevel.Write; this.CheckAnalyticsPermissions(userTableName, null); goto Label0; } case UpdateKind.InsertOrMerge: case UpdateKind.InsertOrReplace: { sASPermissions.Add(SASPermission.Add | SASPermission.Update); permissionLevel = PermissionLevel.Write; this.CheckAnalyticsPermissions(userTableName, null); goto Label0; } } CultureInfo invariantCulture = CultureInfo.InvariantCulture; object[] accountName = new object[] { this.AccountName, commandKind, this.m_currentResourceContainer.Name }; throw new NephosUnauthorizedAccessException(string.Format(invariantCulture, "Account {0} is not authorized to perform operation {1} on table {2}.", accountName)); } else { if (!isUtilityTableCommand) { sASPermissions.Add(SASPermission.Read); } else { sASPermissions.Add(SASPermission.List); } permissionLevel = PermissionLevel.Read; } Label0: this.CheckPermissionCallback(permissionLevel); if (this.SignedAccountIdentifier != null) { SASPermission item = SASPermission.None; if (sASPermissions.Count > 0) { item = sASPermissions[0]; } XfeTableSASAuthorizationManager.AuthorizeSASRequest(this.SignedAccountIdentifier, PermissionLevel.Write, item, userTableName, isUtilityTableCommand); return; } if (this.AccountIdentifier is AccountSasAccessIdentifier) { string lower = userTableName.ToLower(); if (isUtilityTableCommand) { lower = "Tables"; } if (!string.Equals(this.m_currentResourceContainer.Name, lower, StringComparison.OrdinalIgnoreCase)) { throw new NephosUnauthorizedAccessException("Signed access not supported for this request as table name did not match", AuthorizationFailureReason.InvalidOperationSAS); } AccountSasAccessIdentifier accountIdentifier = this.AccountIdentifier as AccountSasAccessIdentifier; AuthorizationResult authorizationResult = new AuthorizationResult(false, AuthorizationFailureReason.UnauthorizedAccountSasRequest); SASAuthorizationParameters sASAuthorizationParameter = new SASAuthorizationParameters() { SignedResourceType = (isUtilityTableCommand ? SasResourceType.Container : SasResourceType.Object), SupportedSasTypes = SasType.AccountSas }; SASAuthorizationParameters item1 = sASAuthorizationParameter; for (int i = 0; !authorizationResult.Authorized && i < sASPermissions.Count; i++) { item1.SignedPermission = sASPermissions[i]; authorizationResult = AuthorizationManager.AuthorizeAccountSignedAccessRequest(accountIdentifier, this.AccountName, item1); } if (!authorizationResult.Authorized) { throw new NephosUnauthorizedAccessException("Signed access insufficient permission", authorizationResult.FailureReason); } } }
public SASAccessPolicy(DateTime signedStart, DateTime signedExpiry, SASPermission signedPermission) { this.SignedStart = new DateTime?(signedStart); this.SignedExpiry = new DateTime?(signedExpiry); this.SignedPermission = new SASPermission?(signedPermission); }
public NephosUnauthorizedAccessException(string resourceAccount, string resourceContainer, string resourceIdentifier, IAccountIdentifier requestor, Microsoft.Cis.Services.Nephos.Common.Authorization.PermissionLevel permissionLevel, SASPermission signedPermission, AuthorizationFailureReason failureReason) : this(resourceAccount, resourceContainer, resourceIdentifier, requestor, permissionLevel, signedPermission, failureReason, null) { }
protected internal override AuthorizationResult AuthorizeResourceSignedAccessRequest(SignedAccessAccountIdentifier signedRequestor, string resourceAccount, string resourceContainer, string resourceIdentifier, PermissionLevel requestedPermission, SASPermission requestedSignedPermission) { throw new NotSupportedException("Signed access not supported"); }
public static void ValidatePermissionOrdering(string permission, SASPermission validPermissions) { char chr; if (string.IsNullOrEmpty(permission)) { throw new ArgumentException(permission); } SASPermission sASPermission = SASPermission.None; int num = 0; string str = permission; int num1 = 0; while (true) { if (num1 >= str.Length) { return; } chr = str[num1]; char chr1 = chr; if (chr1 > 'l') { switch (chr1) { case 'p': { if ((sASPermission & SASPermission.Process) == SASPermission.Process) { object[] objArray = new object[] { "Invalid order of permission. Error at index ", num, " of ", permission }; throw new FormatException(string.Concat(objArray)); } sASPermission |= SASPermission.Process; break; } case 'q': { throw new FormatException(string.Concat("Unexpected character ", chr, " in permission")); } case 'r': { if ((sASPermission & SASPermission.Read) == SASPermission.Read || (sASPermission & (SASPermission.Write | SASPermission.Add | SASPermission.Update | SASPermission.Process | SASPermission.Delete | SASPermission.List | SASPermission.Create)) != SASPermission.None) { object[] objArray1 = new object[] { "Invalid order of permission. Error at index ", num, " of ", permission }; throw new FormatException(string.Concat(objArray1)); } sASPermission |= SASPermission.Read; break; } default: { switch (chr1) { case 'u': { if ((sASPermission & SASPermission.Update) == SASPermission.Update || (sASPermission & (SASPermission.Process | SASPermission.Delete | SASPermission.List)) != SASPermission.None) { object[] objArray2 = new object[] { "Invalid order of permission. Error at index ", num, " of ", permission }; throw new FormatException(string.Concat(objArray2)); } sASPermission |= SASPermission.Update; break; } case 'v': { throw new FormatException(string.Concat("Unexpected character ", chr, " in permission")); } case 'w': { if ((sASPermission & SASPermission.Write) == SASPermission.Write || (sASPermission & (SASPermission.Update | SASPermission.Process | SASPermission.Delete | SASPermission.List)) != SASPermission.None) { object[] objArray3 = new object[] { "Invalid order of permission. Error at index ", num, " of ", permission }; throw new FormatException(string.Concat(objArray3)); } sASPermission |= SASPermission.Write; break; } default: { throw new FormatException(string.Concat("Unexpected character ", chr, " in permission")); } } break; } } } else { switch (chr1) { case 'a': { if ((sASPermission & SASPermission.Add) == SASPermission.Add || (sASPermission & (SASPermission.Write | SASPermission.Update | SASPermission.Process | SASPermission.Delete | SASPermission.List | SASPermission.Create)) != SASPermission.None) { object[] objArray4 = new object[] { "Invalid order of permission. Error at index ", num, " of ", permission }; throw new FormatException(string.Concat(objArray4)); } sASPermission |= SASPermission.Add; break; } case 'b': { throw new FormatException(string.Concat("Unexpected character ", chr, " in permission")); } case 'c': { if ((sASPermission & SASPermission.Create) == SASPermission.Create || (sASPermission & (SASPermission.Update | SASPermission.Process | SASPermission.Delete | SASPermission.List)) != SASPermission.None) { object[] objArray5 = new object[] { "Invalid order of permission. Error at index ", num, " of ", permission }; throw new FormatException(string.Concat(objArray5)); } sASPermission |= SASPermission.Create; break; } case 'd': { if ((sASPermission & SASPermission.Delete) == SASPermission.Delete || (sASPermission & SASPermission.List) != SASPermission.None) { object[] objArray6 = new object[] { "Invalid order of permission. Error at index ", num, " of ", permission }; throw new FormatException(string.Concat(objArray6)); } sASPermission |= SASPermission.Delete; break; } default: { if (chr1 == 'l') { if ((sASPermission & SASPermission.List) == SASPermission.List) { object[] objArray7 = new object[] { "Invalid order of permission. Error at index ", num, " of ", permission }; throw new FormatException(string.Concat(objArray7)); } sASPermission |= SASPermission.List; break; } else { throw new FormatException(string.Concat("Unexpected character ", chr, " in permission")); } } } } if ((sASPermission & ~validPermissions) != SASPermission.None) { object[] objArray8 = new object[] { "Character ", chr, " is an invalid permission for ", validPermissions }; throw new FormatException(string.Concat(objArray8)); } num++; num1++; } throw new FormatException(string.Concat("Unexpected character ", chr, " in permission")); }
protected internal override AuthorizationResult AuthorizeResourceSignedAccessRequest(SignedAccessAccountIdentifier signedRequestor, string resourceAccount, string resourceContainer, string resourceIdentifier, PermissionLevel requestedPermission, SASPermission requestedSignedPermission) { AuthorizationResult authorizationResult = new AuthorizationResult(false, AuthorizationFailureReason.AccessPermissionFailure); if ((requestedSignedPermission & ~29) != SASPermission.None) { throw new ArgumentException(string.Format("Signed permission is not well formed. Signed permission: {0}", requestedSignedPermission), "signedPermission"); } if ((requestedSignedPermission & signedRequestor.SignedAccessPermission) != requestedSignedPermission) { authorizationResult.FailureReason = AuthorizationFailureReason.PermissionMismatch; authorizationResult.Authorized = false; return(authorizationResult); } authorizationResult.FailureReason = AuthorizationFailureReason.NotApplicable; authorizationResult.Authorized = true; return(authorizationResult); }
public SignedAccessAccountIdentifier(string accountName, bool accountIsAdmin, AccountPermissions accountPermissions, SASPermission signedAccessPermission, List <SASAccessRestriction> signedAccessRestrictions) : base(accountName, accountIsAdmin, accountPermissions) { this.SignedAccessPermission = signedAccessPermission; this.SignedAccessRestrictions = signedAccessRestrictions; this.SignedProtocol = SasProtocol.All; }
public SASIdentifier(string id, DateTime signedStart, DateTime signedExpiry, SASPermission signedPermission) { this.Id = id; this.AccessPolicy = new SASAccessPolicy(signedStart, signedExpiry, signedPermission); }
public static string EncodeSASPermissionWithOrder(SASPermission permission) { string[] strArrays = new string[] { ((permission & SASPermission.Read) == SASPermission.Read ? "r" : ""), ((permission & SASPermission.Add) == SASPermission.Add ? "a" : ""), ((permission & SASPermission.Create) == SASPermission.Create ? "c" : ""), ((permission & SASPermission.Update) == SASPermission.Update ? "u" : ""), ((permission & SASPermission.Write) == SASPermission.Write ? "w" : ""), ((permission & SASPermission.Process) == SASPermission.Process ? "p" : ""), ((permission & SASPermission.Delete) == SASPermission.Delete ? "d" : ""), ((permission & SASPermission.List) == SASPermission.List ? "l" : "") }; return(string.Concat(strArrays)); }