/// <summary>
/// Get or create Cosmos permission (resource tokens) base on role (AD group)
/// It will create Cosmos permision if does not exist
/// </summary>
/// <param name="rolePermission">The role permission record</param>
/// <returns>A permission class or null</returns>
private async Task <PermissionProperties> GetOrCreatePermission(CosmosRolePermission rolePermission)
{
// get cosmos permission by id: role_name/table_name
var permission = await CosmosService.Instance.GetPermission(Name, rolePermission.Table);
if (permission == null)
{
// create permission if not exist
var newPermission = await rolePermission.CreateCosmosPermission(Name, rolePermission.Table);
if (newPermission != null)
{
return(newPermission);
}
else
{
Logger.Log?.LogWarning($"error create permission ${Name} ${rolePermission.Table}");
}
}
else
{
if ((rolePermission.Permission.EqualsIgnoreCase("read") && permission.PermissionMode != PermissionMode.Read) ||
(rolePermission.Permission.EqualsIgnoreCase("read-write") && permission.PermissionMode != PermissionMode.All))
{
// rolePermission is changed, need to update in cosmos
var updatedPermission = await CosmosService.Instance.ReplacePermission(Name, rolePermission.Table,
rolePermission.Permission.EqualsIgnoreCase("read"), rolePermission.Table);
if (updatedPermission != null)
{
return(updatedPermission);
}
else
{
Logger.Log?.LogWarning($"error update permission ${Name} ${rolePermission.Table}");
}
}
else
{
return(permission);
}
}
return(null);
}
/// <summary>
/// Get or create Cosmos permission for a user
/// </summary>
/// <param name="rolePermission">The role permission record</param>
/// <returns>A permission class or null</returns>
private async Task <PermissionProperties> GetOrCreateUserPermissions(CosmosRolePermission rolePermission)
{
var permission = await CosmosService.Instance.GetPermission(ObjectId, rolePermission.Table);
if (permission == null)
{
// create permission if not exist
var newPermission = await rolePermission.CreateCosmosPermission(ObjectId, rolePermission.Table, ObjectId);
if (newPermission != null)
{
return(newPermission);
}
else
{
Logger.Log?.LogError($"error create permission ${ObjectId} ${rolePermission.Table}");
}
}
else
{
if ((rolePermission.Permission.EqualsIgnoreCase("id-read") && permission.PermissionMode == PermissionMode.All) ||
(rolePermission.Permission.EqualsIgnoreCase("id-read-write") && permission.PermissionMode == PermissionMode.Read))
{
// rolePermission is changed, need to update in cosmos
var updatedPermission = await CosmosService.Instance.ReplacePermission(ObjectId, rolePermission.Table,
rolePermission.Permission.EqualsIgnoreCase("id-read"), rolePermission.Table, partition : ObjectId);
if (updatedPermission != null)
{
return(updatedPermission);
}
else
{
Logger.Log?.LogError($"error update permission ${ObjectId} ${rolePermission.Table}");
}
}
else
{
return(permission);
}
}
return(null);
}
/// <summary>
/// Get or create Cosmos permission for an admin user
/// </summary>
/// <param name="rolePermission">The role permission record</param>
/// <returns>A permission class or null</returns>
private async Task <PermissionProperties> GetOrCreateAdminPermissions(CosmosRolePermission rolePermission)
{
var adminPermission = await CosmosService.Instance.GetPermission(ObjectId, rolePermission.Table);
if (adminPermission == null)
{
// create permission if not exist
var newPermission = await CosmosService.Instance.CreatePermission(ObjectId, rolePermission.Table, false, rolePermission.Table, ObjectId);
if (newPermission != null)
{
return(newPermission);
}
else
{
Logger.Log?.LogWarning($"error create admin permission ${ObjectId} ${rolePermission.Table}");
}
}
return(adminPermission);
}
/// <summary>
/// Get cosmos permission of this user
/// </summary>
/// <returns>List of permissions</returns>
public async Task <List <PermissionProperties> > GetPermissions(string groupName)
{
var result = new List <PermissionProperties>();
// create user if needed
await CosmosService.Instance.CreateUser(ObjectId);
var rolePermissions = await CosmosRolePermission.QueryByIdPermissions();
List <Task <PermissionProperties> > tasks = new List <Task <PermissionProperties> >();
foreach (var rolePermission in rolePermissions)
{
// admin will have id-read-write permission for all tables
if ("admin".EqualsIgnoreCase(groupName))
{
tasks.Add(GetOrCreateAdminPermissions(rolePermission));
continue;
}
// only check for current group that user belongs
if (!groupName.EqualsIgnoreCase(rolePermission.Role))
{
continue;
}
tasks.Add(GetOrCreateUserPermissions(rolePermission));
}
// add shared permission
if (!Configurations.Cosmos.IgnoreConnectionPermission)
{
var connections = await Connection.QueryByShareUser(ObjectId);
foreach (var connection in connections)
{
// only process the accepted connection
if (!"accepted".EqualsIgnoreCase(connection.Status))
{
continue;
}
tasks.Add(GetOrCreateSharePermissions(connection));
// add shared profile permission
if (connection.Profiles != null && connection.Profiles.Count > 0)
{
tasks.Add(GetOrCreateShareProfilePermissions(connection));
}
}
}
await Task.WhenAll(tasks);
foreach (var task in tasks)
{
if (task.Result != null)
{
var data = task.Result;
result.Add(data);
}
}
// remove duplicated
result = result.GroupBy(p => new { p.ETag, p.Id, p.ResourceUri, p.LastModified, p.PermissionMode, p.SelfLink })
.Select(g => g.First()).ToList();
return(result);
}
/// <summary>
/// Get cosmos permissions of group
/// If the permission list is in the cache, then return it. Otherwise refresh cache and return
/// </summary>
/// <returns>List of permissions</returns>
public async Task <List <PermissionProperties> > GetPermissions()
{
var result = new List <PermissionProperties>();
if (string.IsNullOrWhiteSpace(Name))
{
return(result);
}
var cacheKey = $"groupPermission{Name}";
var cacheItems = cacheStore.GetCacheItem(cacheKey);
if (cacheItems != null)
{
return((List <PermissionProperties>)cacheItems.Value);
}
// create user if needed
await CosmosService.Instance.CreateUser(Name);
// admin should have read-write permission for all except tables that have id-read or id-read-write
if (Name.EqualsIgnoreCase("admin"))
{
List <Task <PermissionProperties> > adminTasks = new List <Task <PermissionProperties> >();
var tables = await CosmosRolePermission.GetAllTables();
foreach (var table in tables)
{
var rolePermisisons = await CosmosRolePermission.QueryByTable(table);
if (rolePermisisons != null)
{
var containsIdPermission = rolePermisisons.Exists(e => e.Permission.EqualsIgnoreCase("id-read") ||
e.Permission.EqualsIgnoreCase("id-read-write"));
if (containsIdPermission)
{
continue;
}
}
adminTasks.Add(GetOrCreateAdminPermission(table));
}
await Task.WhenAll(adminTasks);
foreach (var task in adminTasks)
{
if (task.Result != null)
{
var data = task.Result;
result.Add(data);
}
}
cacheStore.Set(cacheKey, result, new CacheItemPolicy {
SlidingExpiration = TimeSpan.FromMinutes(20)
});
return(result);
}
List <Task <PermissionProperties> > tasks = new List <Task <PermissionProperties> >();
var rolePermissions = await CosmosRolePermission.QueryByRole(Name);
foreach (var rolePermission in rolePermissions)
{
// don't return none, id-read, id-read-write permission in that group
if (rolePermission.Permission.EqualsIgnoreCase("none") ||
rolePermission.Permission.EqualsIgnoreCase("id-read") ||
rolePermission.Permission.EqualsIgnoreCase("id-read-write"))
{
continue;
}
tasks.Add(GetOrCreatePermission(rolePermission));
}
await Task.WhenAll(tasks);
foreach (var task in tasks)
{
if (task.Result != null)
{
var data = task.Result;
result.Add(data);
}
}
cacheStore.Set(cacheKey, result, new CacheItemPolicy {
SlidingExpiration = TimeSpan.FromMinutes(20)
});
return(result);
}
