public override bool CheckAccess(OperationContext operationContext, ref Message message)
{
// Open the request message using an xml reader
XmlReader xr = OperationContext.Current.IncomingMessageHeaders.GetReaderAtHeader(0);
// Split the URL at the API name--Parameters junction indicated by the '?' character - taking the first string will ignore all parameters
string[] urlSplit = xr.ReadElementContentAsString().Split('/');
// Extract just the API name and rest of the URL, which will be the last item in the split using '/'
string[] apiSplit = urlSplit[3].Split('?');
// Logging the username and API name
Tracer.WriteUserLog(apiSplit[0] + " request from user: "******"CheckAccess: Authorized");
return(true);
}
else
{
Tracer.WriteUserLog("CheckAccess: NOT Authorized");
return(false);
}
}
// Returns the most privileged role this user belongs to
static internal authorizationRole GetCurrentUserMostPrivilegedRole()
{
try
{
ServiceSecurityContext context = OperationContext.Current.ServiceSecurityContext;
WindowsIdentity windowsIdentity = context.WindowsIdentity;
var principal = new WindowsPrincipal(windowsIdentity);
// Extract domain + role names to check for access privilege
// The first item before '\' is the domain name - extract it
string[] usernameSplit = windowsIdentity.Name.Split('\\');
// Apend role names after the domain name
string wcscmadminRole = usernameSplit[0] + "\\" + "WcsCmAdmin";
string wcscmoperatorRole = usernameSplit[0] + "\\" + "WcsCmOperator";
string wcscmuserRole = usernameSplit[0] + "\\" + "WcsCmUser";
if (principal.IsInRole("Administrators"))
{
Tracer.WriteUserLog("User({0}) belongs to Administrators group and hence belongs to WcsCmAdmin privilege role", windowsIdentity.Name);
return(authorizationRole.WcsCmAdmin);
}
// Is user in local WcsCmAdmin group or domain's WcsCmAdmin group?
if (principal.IsInRole("WcsCmAdmin") || principal.IsInRole(wcscmadminRole))
{
Tracer.WriteUserLog("User({0}) belongs to WcsCmAdmin privilege role", windowsIdentity.Name);
return(authorizationRole.WcsCmAdmin);
}
// Is user in local WcsCmOperator group or domain's WcsCmOperator group?
if (principal.IsInRole("WcsCmOperator") || principal.IsInRole(wcscmoperatorRole))
{
Tracer.WriteUserLog("User({0}) belongs to WcsCmOperator privilege role", windowsIdentity.Name);
return(authorizationRole.WcsCmOperator);
}
// Is user in local WcsCmUser group or domain's WcsCmUser group?
if (principal.IsInRole("WcsCmUser") || principal.IsInRole(wcscmuserRole))
{
Tracer.WriteUserLog("User({0}) belongs to WcsCmUser privilege role", windowsIdentity.Name);
return(authorizationRole.WcsCmUser);
}
// User not mapped to any standard roles
Tracer.WriteWarning("GetCurrentUserMostPrivilegedRole: Current user({0}) not mapped to the standard WCS roles", windowsIdentity.Name);
Tracer.WriteUserLog("GetCurrentUserMostPrivilegedRole: Current user({0}) not mapped to the standard WCS roles", windowsIdentity.Name);
}
catch (Exception ex)
{
Tracer.WriteError("User Authorization check exception was thrown: " + ex);
}
// Return as unauthorized if the user do not belong to any of the category or if there is an exception
return(authorizationRole.WcsCmUnAuthorized);
}
public Contracts.ChassisResponse StopSerialPortConsole(int portID, string sessionToken, bool forceKillExistingSession = false)
{
Contracts.ChassisResponse response = new Contracts.ChassisResponse();
response.completionCode = Contracts.CompletionCode.Failure;
this.portId = portID;
Tracer.WriteInfo("Received StopSerialPortConsole({0}) with sessionToken({1}) and forcekill({2})", this.portId, sessionToken, forceKillExistingSession);
Tracer.WriteUserLog("Received StopSerialPortConsole({0}) with sessionToken({1}) and forcekill({2})", this.portId, sessionToken, forceKillExistingSession);
int currPort = this.portId;
// If there is NOT an already existing serial session (indicated by an invalid sessionToken), return failure with appropriate completion code
if (CompareAndSwapMetadata(ConfigLoaded.InactiveSerialPortSessionToken, ConfigLoaded.InactiveSerialPortSessionToken) == CompletionCode.Success)
{
Tracer.WriteError("StopSerialPortConsole({0}): Stop failed because of no active session.", portID);
response.completionCode = Contracts.CompletionCode.NoActiveSerialSession;
return(response);
}
if (!forceKillExistingSession)
{
// If this do not currently hold the serial session, return failure
if (CompareAndSwapMetadata(sessionToken, sessionToken) != CompletionCode.Success)
{
response.completionCode = Contracts.CompletionCode.SerialSessionActive;
return(response);
} // else proceed further to stop the session
}
else
{
// else force kill the current session
}
// Ipmi command to indicate end of serial session
if (!ResetMetadata())
{
Tracer.WriteError("StopSerialPortConsole({0}): Unable to reset metadata", this.portId);
}
SerialPortConsole currConsole = new SerialPortConsole((byte)currPort);
SerialStatusPacket serialStatus = new SerialStatusPacket();
serialStatus = currConsole.closeSerialPortConsole();
if (serialStatus.completionCode != CompletionCode.Success)
{
Tracer.WriteError("StopSerialConsolePort({0}): Error in closeserialportconsole()", currPort);
return(response);
}
response.completionCode = Contracts.CompletionCode.Success;
return(response);
}
public override bool CheckAccess(OperationContext operationContext, ref Message message)
{
// Open the request message using an xml reader
XmlReader xr = OperationContext.Current.IncomingMessageHeaders.GetReaderAtHeader(0);
// Split the URL at the API name--Parameters junction indicated by the '?' character - taking the first string will ignore all parameters
string[] urlSplit = xr.ReadElementContentAsString().Split('/');
// Extract just the API name and rest of the URL, which will be the last item in the split using '/'
string[] apiSplit = urlSplit[3].Split('?');
// Logging the username and API name
Tracer.WriteUserLog(apiSplit[0] + " request from user: "******"Client IP address : " + ip);
}
// If the most-privileged-role that this user belongs has access to this api, then allow access, otherwise deny access
// Returning true will allow the user to execute the actual API function; Returning false will deny access to the user
// TODO: May be we should send back a HTTP error code; will include this after shivi checks in her code
if (ChassisManagerSecurity.GetCurrentUserMostPrivilegedRole() <= ChassisManagerSecurity.GetCurrentApiLeastPrivilegedRole(apiSplit[0]))
{
Tracer.WriteUserLog("CheckAccess: Authorized");
return(true);
}
else
{
Tracer.WriteUserLog("CheckAccess: NOT Authorized");
return(false);
}
}