public static AuthorizationResult AuthorizeAccountSignedAccessRequest(AccountSasAccessIdentifier signedRequestor, string resourceAccount, SASAuthorizationParameters requestedSasParameters) { AuthorizationResult authorizationResult = new AuthorizationResult(false, AuthorizationFailureReason.AccessPermissionFailure); if (string.IsNullOrEmpty(resourceAccount) || !resourceAccount.Equals(signedRequestor.AccountName, StringComparison.OrdinalIgnoreCase)) { authorizationResult.FailureReason = AuthorizationFailureReason.UnauthorizedAccountSasRequest; authorizationResult.Authorized = false; return(authorizationResult); } if ((requestedSasParameters.SignedResourceType & signedRequestor.SignedResourceType) != requestedSasParameters.SignedResourceType) { authorizationResult.FailureReason = AuthorizationFailureReason.ResourceTypeMismatch; authorizationResult.Authorized = false; return(authorizationResult); } if ((requestedSasParameters.SignedPermission & signedRequestor.SignedAccessPermission) != requestedSasParameters.SignedPermission) { authorizationResult.FailureReason = AuthorizationFailureReason.PermissionMismatch; authorizationResult.Authorized = false; return(authorizationResult); } authorizationResult.FailureReason = AuthorizationFailureReason.NotApplicable; authorizationResult.Authorized = true; return(authorizationResult); }
public static AuthorizationResult PreAuthorizeRequest(IAccountIdentifier requestor, RequestContext requestContext) { AuthorizationResult authorizationResult = new AuthorizationResult(true, AuthorizationFailureReason.NotApplicable); if (requestor is SignedAccessAccountIdentifier) { SignedAccessAccountIdentifier signedAccessAccountIdentifier = requestor as SignedAccessAccountIdentifier; authorizationResult = AuthorizationManager.AuthorizeSourceIp(signedAccessAccountIdentifier.SignedIP, requestContext); if (!authorizationResult.Authorized) { return(authorizationResult); } authorizationResult = AuthorizationManager.AuthorizeProtocol(signedAccessAccountIdentifier.SignedProtocol, requestContext); if (!authorizationResult.Authorized) { return(authorizationResult); } } else if (requestor is AccountSasAccessIdentifier) { AccountSasAccessIdentifier accountSasAccessIdentifier = requestor as AccountSasAccessIdentifier; authorizationResult = AuthorizationManager.AuthorizeSourceIp(accountSasAccessIdentifier.SignedIP, requestContext); if (!authorizationResult.Authorized) { return(authorizationResult); } authorizationResult = AuthorizationManager.AuthorizeProtocol(accountSasAccessIdentifier.SignedProtocol, requestContext); if (!authorizationResult.Authorized) { return(authorizationResult); } authorizationResult = AuthorizationManager.AuthorizeSignedService(accountSasAccessIdentifier.SignedService, requestContext); if (!authorizationResult.Authorized) { return(authorizationResult); } } authorizationResult.FailureReason = AuthorizationFailureReason.NotApplicable; authorizationResult.Authorized = true; return(authorizationResult); }
protected internal override AuthorizationResult AuthorizeAccountSignedAccessRequest(AccountSasAccessIdentifier signedRequestor, string resourceAccount, string resourceContainer, string resourceIdentifier, PermissionLevel requestedPermission, SASAuthorizationParameters requestedSasParameters) { AuthorizationResult authorizationResult = new AuthorizationResult(false, AuthorizationFailureReason.AccessPermissionFailure); return(base.AuthorizeAccountSignedAccessRequest(signedRequestor, resourceAccount, resourceContainer, resourceIdentifier, requestedPermission, requestedSasParameters)); }
protected internal virtual AuthorizationResult AuthorizeAccountSignedAccessRequest(AccountSasAccessIdentifier signedRequestor, string resourceAccount, string resourceContainer, string resourceIdentifier, PermissionLevel requestedPermission, SASAuthorizationParameters requestedSasParameters) { return(AuthorizationManager.AuthorizeAccountSignedAccessRequest(signedRequestor, resourceAccount, requestedSasParameters)); }
internal void CheckPermission(string userTableName, bool isUtilityTableCommand, bool shouldCheckGet, UpdateKind commandKind) { PermissionLevel permissionLevel; if (this.SignedAccountIdentifier != null) { IStringDataEventStream verboseDebug = Logger <IRestProtocolHeadLogger> .Instance.VerboseDebug; object[] tableName = new object[] { this.SignedAccountIdentifier.TableName, this.SignedAccountIdentifier.StartingPartitionKey, this.SignedAccountIdentifier.StartingRowKey, this.SignedAccountIdentifier.EndingPartitionKey, this.SignedAccountIdentifier.EndingRowKey }; verboseDebug.Log("Sas tn={0} spk={1} srk={2} epk={3} erk={4}", tableName); } List <SASPermission> sASPermissions = new List <SASPermission>(); if (!shouldCheckGet) { switch (commandKind) { case UpdateKind.Insert: { if (!isUtilityTableCommand) { sASPermissions.Add(SASPermission.Add); } else { sASPermissions.Add(SASPermission.Create); sASPermissions.Add(SASPermission.Write); } permissionLevel = PermissionLevel.Write; this.CheckAnalyticsPermissions(userTableName, null); goto Label0; } case UpdateKind.Delete: { sASPermissions.Add(SASPermission.Delete); permissionLevel = PermissionLevel.Delete; this.CheckAnalyticsPermissions(userTableName, new bool?(isUtilityTableCommand)); goto Label0; } case UpdateKind.Replace: case UpdateKind.Merge: { sASPermissions.Add(SASPermission.Update); permissionLevel = PermissionLevel.Write; this.CheckAnalyticsPermissions(userTableName, null); goto Label0; } case UpdateKind.InsertOrMerge: case UpdateKind.InsertOrReplace: { sASPermissions.Add(SASPermission.Add | SASPermission.Update); permissionLevel = PermissionLevel.Write; this.CheckAnalyticsPermissions(userTableName, null); goto Label0; } } CultureInfo invariantCulture = CultureInfo.InvariantCulture; object[] accountName = new object[] { this.AccountName, commandKind, this.m_currentResourceContainer.Name }; throw new NephosUnauthorizedAccessException(string.Format(invariantCulture, "Account {0} is not authorized to perform operation {1} on table {2}.", accountName)); } else { if (!isUtilityTableCommand) { sASPermissions.Add(SASPermission.Read); } else { sASPermissions.Add(SASPermission.List); } permissionLevel = PermissionLevel.Read; } Label0: this.CheckPermissionCallback(permissionLevel); if (this.SignedAccountIdentifier != null) { SASPermission item = SASPermission.None; if (sASPermissions.Count > 0) { item = sASPermissions[0]; } XfeTableSASAuthorizationManager.AuthorizeSASRequest(this.SignedAccountIdentifier, PermissionLevel.Write, item, userTableName, isUtilityTableCommand); return; } if (this.AccountIdentifier is AccountSasAccessIdentifier) { string lower = userTableName.ToLower(); if (isUtilityTableCommand) { lower = "Tables"; } if (!string.Equals(this.m_currentResourceContainer.Name, lower, StringComparison.OrdinalIgnoreCase)) { throw new NephosUnauthorizedAccessException("Signed access not supported for this request as table name did not match", AuthorizationFailureReason.InvalidOperationSAS); } AccountSasAccessIdentifier accountIdentifier = this.AccountIdentifier as AccountSasAccessIdentifier; AuthorizationResult authorizationResult = new AuthorizationResult(false, AuthorizationFailureReason.UnauthorizedAccountSasRequest); SASAuthorizationParameters sASAuthorizationParameter = new SASAuthorizationParameters() { SignedResourceType = (isUtilityTableCommand ? SasResourceType.Container : SasResourceType.Object), SupportedSasTypes = SasType.AccountSas }; SASAuthorizationParameters item1 = sASAuthorizationParameter; for (int i = 0; !authorizationResult.Authorized && i < sASPermissions.Count; i++) { item1.SignedPermission = sASPermissions[i]; authorizationResult = AuthorizationManager.AuthorizeAccountSignedAccessRequest(accountIdentifier, this.AccountName, item1); } if (!authorizationResult.Authorized) { throw new NephosUnauthorizedAccessException("Signed access insufficient permission", authorizationResult.FailureReason); } } }