public static AuthorizationResult AuthorizeAccountSignedAccessRequest(AccountSasAccessIdentifier signedRequestor, string resourceAccount, SASAuthorizationParameters requestedSasParameters)
{
AuthorizationResult authorizationResult = new AuthorizationResult(false, AuthorizationFailureReason.AccessPermissionFailure);
if (string.IsNullOrEmpty(resourceAccount) || !resourceAccount.Equals(signedRequestor.AccountName, StringComparison.OrdinalIgnoreCase))
{
authorizationResult.FailureReason = AuthorizationFailureReason.UnauthorizedAccountSasRequest;
authorizationResult.Authorized = false;
return(authorizationResult);
}
if ((requestedSasParameters.SignedResourceType & signedRequestor.SignedResourceType) != requestedSasParameters.SignedResourceType)
{
authorizationResult.FailureReason = AuthorizationFailureReason.ResourceTypeMismatch;
authorizationResult.Authorized = false;
return(authorizationResult);
}
if ((requestedSasParameters.SignedPermission & signedRequestor.SignedAccessPermission) != requestedSasParameters.SignedPermission)
{
authorizationResult.FailureReason = AuthorizationFailureReason.PermissionMismatch;
authorizationResult.Authorized = false;
return(authorizationResult);
}
authorizationResult.FailureReason = AuthorizationFailureReason.NotApplicable;
authorizationResult.Authorized = true;
return(authorizationResult);
}
public static AuthorizationResult PreAuthorizeRequest(IAccountIdentifier requestor, RequestContext requestContext)
{
AuthorizationResult authorizationResult = new AuthorizationResult(true, AuthorizationFailureReason.NotApplicable);
if (requestor is SignedAccessAccountIdentifier)
{
SignedAccessAccountIdentifier signedAccessAccountIdentifier = requestor as SignedAccessAccountIdentifier;
authorizationResult = AuthorizationManager.AuthorizeSourceIp(signedAccessAccountIdentifier.SignedIP, requestContext);
if (!authorizationResult.Authorized)
{
return(authorizationResult);
}
authorizationResult = AuthorizationManager.AuthorizeProtocol(signedAccessAccountIdentifier.SignedProtocol, requestContext);
if (!authorizationResult.Authorized)
{
return(authorizationResult);
}
}
else if (requestor is AccountSasAccessIdentifier)
{
AccountSasAccessIdentifier accountSasAccessIdentifier = requestor as AccountSasAccessIdentifier;
authorizationResult = AuthorizationManager.AuthorizeSourceIp(accountSasAccessIdentifier.SignedIP, requestContext);
if (!authorizationResult.Authorized)
{
return(authorizationResult);
}
authorizationResult = AuthorizationManager.AuthorizeProtocol(accountSasAccessIdentifier.SignedProtocol, requestContext);
if (!authorizationResult.Authorized)
{
return(authorizationResult);
}
authorizationResult = AuthorizationManager.AuthorizeSignedService(accountSasAccessIdentifier.SignedService, requestContext);
if (!authorizationResult.Authorized)
{
return(authorizationResult);
}
}
authorizationResult.FailureReason = AuthorizationFailureReason.NotApplicable;
authorizationResult.Authorized = true;
return(authorizationResult);
}
protected internal override AuthorizationResult AuthorizeAccountSignedAccessRequest(AccountSasAccessIdentifier signedRequestor, string resourceAccount, string resourceContainer, string resourceIdentifier, PermissionLevel requestedPermission, SASAuthorizationParameters requestedSasParameters)
{
AuthorizationResult authorizationResult = new AuthorizationResult(false, AuthorizationFailureReason.AccessPermissionFailure);
return(base.AuthorizeAccountSignedAccessRequest(signedRequestor, resourceAccount, resourceContainer, resourceIdentifier, requestedPermission, requestedSasParameters));
}
protected internal virtual AuthorizationResult AuthorizeAccountSignedAccessRequest(AccountSasAccessIdentifier signedRequestor, string resourceAccount, string resourceContainer, string resourceIdentifier, PermissionLevel requestedPermission, SASAuthorizationParameters requestedSasParameters)
{
return(AuthorizationManager.AuthorizeAccountSignedAccessRequest(signedRequestor, resourceAccount, requestedSasParameters));
}
internal void CheckPermission(string userTableName, bool isUtilityTableCommand, bool shouldCheckGet, UpdateKind commandKind)
{
PermissionLevel permissionLevel;
if (this.SignedAccountIdentifier != null)
{
IStringDataEventStream verboseDebug = Logger <IRestProtocolHeadLogger> .Instance.VerboseDebug;
object[] tableName = new object[] { this.SignedAccountIdentifier.TableName, this.SignedAccountIdentifier.StartingPartitionKey, this.SignedAccountIdentifier.StartingRowKey, this.SignedAccountIdentifier.EndingPartitionKey, this.SignedAccountIdentifier.EndingRowKey };
verboseDebug.Log("Sas tn={0} spk={1} srk={2} epk={3} erk={4}", tableName);
}
List <SASPermission> sASPermissions = new List <SASPermission>();
if (!shouldCheckGet)
{
switch (commandKind)
{
case UpdateKind.Insert:
{
if (!isUtilityTableCommand)
{
sASPermissions.Add(SASPermission.Add);
}
else
{
sASPermissions.Add(SASPermission.Create);
sASPermissions.Add(SASPermission.Write);
}
permissionLevel = PermissionLevel.Write;
this.CheckAnalyticsPermissions(userTableName, null);
goto Label0;
}
case UpdateKind.Delete:
{
sASPermissions.Add(SASPermission.Delete);
permissionLevel = PermissionLevel.Delete;
this.CheckAnalyticsPermissions(userTableName, new bool?(isUtilityTableCommand));
goto Label0;
}
case UpdateKind.Replace:
case UpdateKind.Merge:
{
sASPermissions.Add(SASPermission.Update);
permissionLevel = PermissionLevel.Write;
this.CheckAnalyticsPermissions(userTableName, null);
goto Label0;
}
case UpdateKind.InsertOrMerge:
case UpdateKind.InsertOrReplace:
{
sASPermissions.Add(SASPermission.Add | SASPermission.Update);
permissionLevel = PermissionLevel.Write;
this.CheckAnalyticsPermissions(userTableName, null);
goto Label0;
}
}
CultureInfo invariantCulture = CultureInfo.InvariantCulture;
object[] accountName = new object[] { this.AccountName, commandKind, this.m_currentResourceContainer.Name };
throw new NephosUnauthorizedAccessException(string.Format(invariantCulture, "Account {0} is not authorized to perform operation {1} on table {2}.", accountName));
}
else
{
if (!isUtilityTableCommand)
{
sASPermissions.Add(SASPermission.Read);
}
else
{
sASPermissions.Add(SASPermission.List);
}
permissionLevel = PermissionLevel.Read;
}
Label0:
this.CheckPermissionCallback(permissionLevel);
if (this.SignedAccountIdentifier != null)
{
SASPermission item = SASPermission.None;
if (sASPermissions.Count > 0)
{
item = sASPermissions[0];
}
XfeTableSASAuthorizationManager.AuthorizeSASRequest(this.SignedAccountIdentifier, PermissionLevel.Write, item, userTableName, isUtilityTableCommand);
return;
}
if (this.AccountIdentifier is AccountSasAccessIdentifier)
{
string lower = userTableName.ToLower();
if (isUtilityTableCommand)
{
lower = "Tables";
}
if (!string.Equals(this.m_currentResourceContainer.Name, lower, StringComparison.OrdinalIgnoreCase))
{
throw new NephosUnauthorizedAccessException("Signed access not supported for this request as table name did not match", AuthorizationFailureReason.InvalidOperationSAS);
}
AccountSasAccessIdentifier accountIdentifier = this.AccountIdentifier as AccountSasAccessIdentifier;
AuthorizationResult authorizationResult = new AuthorizationResult(false, AuthorizationFailureReason.UnauthorizedAccountSasRequest);
SASAuthorizationParameters sASAuthorizationParameter = new SASAuthorizationParameters()
{
SignedResourceType = (isUtilityTableCommand ? SasResourceType.Container : SasResourceType.Object),
SupportedSasTypes = SasType.AccountSas
};
SASAuthorizationParameters item1 = sASAuthorizationParameter;
for (int i = 0; !authorizationResult.Authorized && i < sASPermissions.Count; i++)
{
item1.SignedPermission = sASPermissions[i];
authorizationResult = AuthorizationManager.AuthorizeAccountSignedAccessRequest(accountIdentifier, this.AccountName, item1);
}
if (!authorizationResult.Authorized)
{
throw new NephosUnauthorizedAccessException("Signed access insufficient permission", authorizationResult.FailureReason);
}
}
}
