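/// <summary>
/// Decides whether <paramref name="user"/> may view the private key of
/// <paramref name="certificate"/> by evaluating the certificate's ACL.
/// A matching, unexpired Deny ACE always wins over any Allow ACE; expired ACEs
/// are ignored; the system account bypasses the ACL entirely.
/// </summary>
/// <param name="certificate">Entity whose <c>Acl</c> is evaluated. A null entity or a null/empty ACL denies access.</param>
/// <param name="user">Principal whose role and uid claims are matched against the ACEs. A null principal denies access.</param>
/// <returns>
/// <c>true</c> when at least one unexpired Allow ACE matches the user and no
/// unexpired Deny ACE matches; otherwise <c>false</c>.
/// </returns>
public bool CanViewPrivateKey(ICertificatePasswordEntity certificate, ClaimsPrincipal user)
{
    // Default-deny: nothing to evaluate means no access.
    if (certificate == null || certificate.Acl == null)
    {
        return false;
    }

    // The null check must come before any dereference of user; the previous
    // version called user.GetUserId() first and would throw on a null principal.
    if (user == null)
    {
        return false;
    }

    // The system account bypasses the ACL entirely.
    if (user.GetUserId() == LocalIdentityProviderLogic.SystemUid)
    {
        return true;
    }

    if (!certificate.Acl.Any())
    {
        return false;
    }

    // Materialise the claims once instead of re-enumerating the deferred
    // Where() query for every ACE.
    string[] roleValues = user.Claims
        .Where(claim => claim.Type == WellKnownClaim.Role)
        .Select(claim => claim.Value)
        .ToArray();
    Claim uidClaim = user.Claims.FirstOrDefault(claim => claim.Type == WellKnownClaim.Uid);
    string uid = uidClaim == null ? null : uidClaim.Value;

    // NOTE(review): Expires is compared against local time, as before; confirm it
    // is not stored as UTC, otherwise the expiry check is off by the local offset.
    DateTime now = DateTime.Now;

    bool isAuthorized = false;
    foreach (AccessControlEntry ace in certificate.Acl)
    {
        // An expired ACE neither allows nor denies.
        if (ace.Expires < now)
        {
            continue;
        }

        bool matches = false;
        if (ace.IdentityType == IdentityType.Role)
        {
            matches = roleValues.Contains(ace.Identity);
        }
        else if (ace.IdentityType == IdentityType.User)
        {
            // A principal without a uid claim cannot match a user ACE; the previous
            // version dereferenced a missing claim here and threw.
            matches = uid != null && string.Equals(ace.Identity, uid, StringComparison.Ordinal);
        }

        if (!matches)
        {
            continue;
        }

        if (ace.AceType == AceType.Deny)
        {
            // Deny takes precedence over any Allow, whether seen before or after it.
            return false;
        }

        if (ace.AceType == AceType.Allow)
        {
            isAuthorized = true;
        }
    }

    return isAuthorized;
}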
/// <summary>
/// Unconditionally grants access to the private key; neither the certificate
/// nor the principal is inspected.
/// </summary>
/// <param name="certificate">Not examined by this implementation.</param>
/// <param name="user">Not examined by this implementation.</param>
/// <returns>Always <c>true</c>.</returns>
public bool CanViewPrivateKey(ICertificatePasswordEntity certificate, ClaimsPrincipal user)
{
    // No ACL evaluation here: every caller is treated as authorized.
    return true;
}