private static void ValidateRole(List <Role> existingRoles, IRoleDefinition roleDefinition) { if (string.IsNullOrWhiteSpace(roleDefinition.Title)) { throw new PropertyValidationException("Role title cannot be empty", nameof(IRoleDefinition.Title)); } if (string.IsNullOrWhiteSpace(roleDefinition.RoleCode)) { throw new PropertyValidationException("Role RoleCode cannot be empty", nameof(IRoleDefinition.RoleCode)); } if (roleDefinition.RoleCode.Length != 3) { throw new PropertyValidationException("Role RoleCode must be 3 characters in length", nameof(IRoleDefinition.RoleCode)); } if (existingRoles .Any(r => r.Title.Equals(roleDefinition.Title?.Trim(), StringComparison.OrdinalIgnoreCase) && r.UserAreaCode == roleDefinition.UserAreaCode) ) { throw new UniqueConstraintViolationException($"A role with the title '{ roleDefinition.Title }' already exists", nameof(Role.Title)); } }
/// <summary> /// Creates an instance of a role initializer for the specified role /// definition if one has been implemented; otherwise returns null /// </summary> /// <param name="roleDefinition">The role to find an initializer for</typeparam> /// <returns>IRoleInitializer if one has been implemented; otherwise null</returns> public IRoleInitializer Create(IRoleDefinition roleDefinition) { Condition.Requires(roleDefinition).IsNotNull(); // Never add permission to the super admin role if (roleDefinition is SuperAdminRole) { return(null); } var type = typeof(IRoleInitializer <>).MakeGenericType(roleDefinition.GetType()); if (_resolutionContext.IsRegistered(type)) { return((IRoleInitializer)_resolutionContext.Resolve(type)); } else if (roleDefinition is AnonymousRole) { // We use a default initializer just for the anonymous role // as it's the only built in role with permissions return(new DefaultAnonymousRoleInitializer()); } return(null); }
public async Task CreateWebRoleDefinition() { //TestCommon.Instance.Mocking = false; using (var context = await TestCommon.Instance.GetContextAsync(TestCommon.TestSite)) { context.Web.Load(w => w.RoleDefinitions); IRoleDefinition roleDefinition = null; try { // get existing role def var adminRoleDef = context.Web.RoleDefinitions.AsEnumerable().Where(r => r.Name == "Administrator"); Assert.IsNotNull(adminRoleDef); roleDefinition = await context.Web.RoleDefinitions.AddAsync("Test RoleDef 2", Model.SharePoint.RoleType.Administrator, new Model.SharePoint.PermissionKind[] { Model.SharePoint.PermissionKind.AddAndCustomizePages }, "", false, 0); Assert.IsTrue(roleDefinition.Requested); } finally { if (roleDefinition != null) { await roleDefinition.DeleteAsync(); } } } }
/// <summary> /// Creates an instance of a role initializer for the specified role /// definition if one has been implemented; otherwise returns null /// </summary> /// <param name="roleDefinition">The role to find an initializer for</typeparam> /// <returns>IRoleInitializer if one has been implemented; otherwise null</returns> public IRoleInitializer Create(IRoleDefinition roleDefinition) { if (roleDefinition == null) { throw new ArgumentNullException(nameof(roleDefinition)); } // Never add permission to the super admin role if (roleDefinition is SuperAdminRole) { return(null); } var roleInitializerType = typeof(IRoleInitializer <>).MakeGenericType(roleDefinition.GetType()); var roleInitializer = _serviceProvider.GetService(roleInitializerType); if (roleInitializer != null) { return((IRoleInitializer)roleInitializer); } else if (roleDefinition is AnonymousRole) { // We use a default initializer just for the anonymous role // as it's the only built in role with permissions return(new DefaultAnonymousRoleInitializer()); } return(null); }
public RoleDefinitionRolePermissionInitializer(IRoleDefinition roleDefinition) { if (roleDefinition == null) { throw new ArgumentNullException(nameof(roleDefinition)); } _roleDefinition = roleDefinition; }
/// <summary> /// Consructs a new instance of InvalidRoleDefinitionException. /// </summary> /// <param name="message">The exception message.</param> /// <param name="invalidDefinition">The role definition that caused the exception.</param> /// <param name="allDefinitions">Optional collection of all the role definitions when available.</param> public InvalidRoleDefinitionException( string message, IRoleDefinition invalidDefinition, IEnumerable <IRoleDefinition> allDefinitions = null ) : base(message) { InvalidDefinition = invalidDefinition; AllDefinitions = allDefinitions?.ToArray(); }
private Role MapAndAddRole(IRoleDefinition roleDefinition) { var dbRole = new Role(); dbRole.Title = roleDefinition.Title.Trim(); dbRole.UserAreaCode = roleDefinition.UserAreaCode; dbRole.RoleCode = roleDefinition.RoleCode; _dbContext.Roles.Add(dbRole); return(dbRole); }
public IRolePermissionInitializer Create(IRoleDefinition roleDefinition) { if (roleDefinition is AnonymousRole) { return(new AnonymousRolePermissionInitializer(_serviceProvider)); } else { return(new RoleDefinitionRolePermissionInitializer(roleDefinition)); } }
private static void ValidateRole(List <Role> existingRoles, IRoleDefinition roleDefinition) { if (existingRoles .Any(r => r.Title.Equals(roleDefinition.Title?.Trim(), StringComparison.OrdinalIgnoreCase) && r.UserAreaCode == roleDefinition.UserAreaCode) ) { throw new UniqueConstraintViolationException($"A role with the title '{ roleDefinition.Title }' already exists", nameof(Role.Title)); } }
public async Task CreateUpdateDeleteWebRoleDefinitionBatch() { //TestCommon.Instance.Mocking = false; using (var context = await TestCommon.Instance.GetContextAsync(TestCommon.TestSite)) { context.Web.Load(w => w.RoleDefinitions); IRoleDefinition roleDefinition = null; try { // get existing role def var adminRoleDef = context.Web.RoleDefinitions.AsEnumerable().Where(r => r.Name == "Administrator"); Assert.IsNotNull(adminRoleDef); // Add new one roleDefinition = await context.Web.RoleDefinitions.AddBatchAsync("Test RoleDef 2", Model.SharePoint.RoleType.Administrator, new Model.SharePoint.PermissionKind[] { Model.SharePoint.PermissionKind.AddAndCustomizePages }, "", false, 0); await context.ExecuteAsync(); Assert.IsTrue(roleDefinition.Requested); // grab added role def again from server var addedRoleDefinition = await context.Web.RoleDefinitions.FirstOrDefaultAsync(d => d.Name == "Test RoleDef 2"); // Remove AddAndCustomizePages role, add other + set description addedRoleDefinition.BasePermissions.Clear(Model.SharePoint.PermissionKind.AddAndCustomizePages); addedRoleDefinition.BasePermissions.Set(Model.SharePoint.PermissionKind.AddListItems); addedRoleDefinition.Description = "hi new role"; await addedRoleDefinition.UpdateBatchAsync(); await context.ExecuteAsync(); // read again from server addedRoleDefinition = await context.Web.RoleDefinitions.FirstOrDefaultAsync(d => d.Name == "Test RoleDef 2"); // Verify Assert.IsTrue(addedRoleDefinition.Description == "hi new role"); Assert.IsTrue(addedRoleDefinition.BasePermissions.Has(Model.SharePoint.PermissionKind.AddListItems)); Assert.IsFalse(addedRoleDefinition.BasePermissions.Has(Model.SharePoint.PermissionKind.AddAndCustomizePages)); } finally { if (roleDefinition != null) { await roleDefinition.DeleteBatchAsync(); await context.ExecuteAsync(); } } } }
/// <summary> /// Removes RBAC role assignments for the service principal exposed by IdProvider. /// </summary> /// <param name="cancellationToken"></param> /// <returns></returns> private async Task RemoveRbacRoleAssignmentsAsync(CancellationToken cancellationToken = default(CancellationToken)) { if (!this.roleAssignmentIdsToRemove.Any() && !this.roleAssignmentsToRemove.Any()) { return; } else { try { // Delete using role assignment Ids // await Task.WhenAll(roleAssignmentIdsToRemove.Select(async(id) => { await this.rbacManager .RoleAssignments .DeleteByIdAsync(id, cancellationToken); })); // Delete using role assignment scope and role // await Task.WhenAll(roleAssignmentsToRemove.Select(r => r.Value).Select(async(scopeAndRole) => { var scope = scopeAndRole.Item1; var role = scopeAndRole.Item2; IRoleDefinition roleDefinition = await this.rbacManager.RoleDefinitions.GetByScopeAndRoleNameAsync(scope, role.ToString(), cancellationToken); if (roleDefinition != null) { var roleAssignments = await this.rbacManager .RoleAssignments .ListByScopeAsync(scope, cancellationToken); var roleAssignment = roleAssignments .FirstOrDefault(r => r.RoleDefinitionId.Equals(roleDefinition.Id, StringComparison.OrdinalIgnoreCase) && r.PrincipalId.Equals(this.idProvider.PrincipalId, StringComparison.OrdinalIgnoreCase)); if (roleAssignment != null) { await this.rbacManager .RoleAssignments .DeleteByIdAsync(roleAssignment.Id, cancellationToken); } } })); } finally { roleAssignmentIdsToRemove.Clear(); roleAssignmentsToRemove.Clear(); } } }
public CircularDependencyGuard(IRoleDefinition roleDefinition) { baseRoleType = roleDefinition.GetType(); _executingRoles.Add(baseRoleType); }
/** * Azure Users, Groups and Roles sample. * - Create a user * - Assign role to AD user * - Revoke role from AD user * - Get role by scope and role name * - Create service principal * - Assign role to service principal * - Create 2 Active Directory groups * - Add the user, the service principal, and the 1st group as members of the 2nd group */ public static void RunSample(Azure.IAuthenticated authenticated) { string userEmail = Utilities.CreateRandomName("test"); string userName = userEmail.Replace("test", "Test "); string spName = Utilities.CreateRandomName("sp"); string raName1 = SdkContext.RandomGuid(); string raName2 = SdkContext.RandomGuid(); string groupEmail1 = Utilities.CreateRandomName("group1"); string groupEmail2 = Utilities.CreateRandomName("group2"); string groupName1 = groupEmail1.Replace("group1", "Group "); string groupName2 = groupEmail2.Replace("group2", "Group "); String spId = ""; string subscriptionId = authenticated.Subscriptions.List().First().SubscriptionId; Utilities.Log("Selected subscription: " + subscriptionId); // ============================================================ // Create a user Utilities.Log("Creating an Active Directory user " + userName + "..."); var user = authenticated.ActiveDirectoryUsers .Define(userName) .WithEmailAlias(userEmail) .WithPassword("StrongPass!12") .Create(); Utilities.Log("Created Active Directory user " + userName); Utilities.Print(user); // ============================================================ // Assign role to AD user IRoleAssignment roleAssignment1 = authenticated.RoleAssignments .Define(raName1) .ForUser(user) .WithBuiltInRole(BuiltInRole.DnsZoneContributor) .WithSubscriptionScope(subscriptionId) .Create(); Utilities.Log("Created Role Assignment:"); Utilities.Print(roleAssignment1); // ============================================================ // Revoke role from AD user authenticated.RoleAssignments.DeleteById(roleAssignment1.Id); Utilities.Log("Revoked Role Assignment: " + roleAssignment1.Id); // ============================================================ // Get role by scope and role name IRoleDefinition roleDefinition = authenticated.RoleDefinitions .GetByScopeAndRoleName("subscriptions/" + subscriptionId, "Contributor"); Utilities.Print(roleDefinition); // ============================================================ // Create Service Principal IServicePrincipal sp = authenticated.ServicePrincipals.Define(spName) .WithNewApplication("http://" + spName) .Create(); // wait till service principal created and propagated SdkContext.DelayProvider.Delay(15000); Utilities.Log("Created Service Principal:"); Utilities.Print(sp); spId = sp.Id; // ============================================================ // Assign role to Service Principal string defaultSubscription = authenticated.Subscriptions.List().First().SubscriptionId; IRoleAssignment roleAssignment2 = authenticated.RoleAssignments .Define(raName2) .ForServicePrincipal(sp) .WithBuiltInRole(BuiltInRole.Contributor) .WithSubscriptionScope(defaultSubscription) .Create(); Utilities.Log("Created Role Assignment:"); Utilities.Print(roleAssignment2); // ============================================================ // Create Active Directory groups Utilities.Log("Creating Active Directory group " + groupName1 + "..."); var group1 = authenticated.ActiveDirectoryGroups .Define(groupName1) .WithEmailAlias(groupEmail1) .Create(); Utilities.Log("Created Active Directory group " + groupName1); Utilities.Print(group1); var group2 = authenticated.ActiveDirectoryGroups .Define(groupName2) .WithEmailAlias(groupEmail2) .Create(); Utilities.Log("Created Active Directory group " + groupName2); Utilities.Print(group2); Utilities.Log("Adding group members to group " + groupName2 + "..."); group2.Update() .WithMember(user) .WithMember(sp) .WithMember(group1) .Apply(); Utilities.Log("Group members added to group " + groupName2); Utilities.Print(group2); }
private async Task UpdatePermissions( Role dbRole, IRoleDefinition roleDefinition, RegisterDefinedRolesCommand command, IEnumerable <IPermission> allPermissions, List <Permission> allDbPermissions ) { var roleInitializer = _roleInitializerFactory.Create(roleDefinition); if (roleInitializer == null) { return; } var permissionsToInclude = roleInitializer .GetPermissions(allPermissions) .ToList(); // Remove permissions if (command.UpdateExistingRoles) { var permissionsToRemove = dbRole .RolePermissions .Where(p => !permissionsToInclude.Any(i => i.GetUniqueCode() == p.Permission.GetUniqueCode())) .ToList(); foreach (var permissonToRemove in permissionsToRemove) { dbRole.RolePermissions.Remove(permissonToRemove); } } if (!permissionsToInclude.Any()) { return; } ValidatePermissions(permissionsToInclude); // add new permissions IEnumerable <IPermission> permissionsToAdd; if (dbRole.RolePermissions.Count == 0) { permissionsToAdd = permissionsToInclude; } else { permissionsToAdd = permissionsToInclude .Where(i => !dbRole.RolePermissions.Any(p => p.Permission.GetUniqueCode() == i.GetUniqueCode())); } foreach (var permissionToAdd in permissionsToAdd) { var uniquePermissionCode = permissionToAdd.GetUniqueCode(); var dbPermission = allDbPermissions .Where(p => uniquePermissionCode == p.GetUniqueCode()) .SingleOrDefault(); // Create if not exists if (dbPermission == null) { dbPermission = new Permission(); dbPermission.PermissionCode = permissionToAdd.PermissionType.Code; if (permissionToAdd is IEntityPermission) { var definitionCode = ((IEntityPermission)permissionToAdd).EntityDefinition.EntityDefinitionCode; await _commandExecutor.ExecuteAsync(new EnsureEntityDefinitionExistsCommand(definitionCode)); dbPermission.EntityDefinitionCode = definitionCode; } allDbPermissions.Add(dbPermission); _dbContext.Permissions.Add(dbPermission); } var rolePermission = new RolePermission(); rolePermission.Permission = dbPermission; dbRole.RolePermissions.Add(rolePermission); } }
private void UpdatePermissions( Role dbRole, IRoleDefinition roleDefinition, IEnumerable <IPermission> codePermissions, Dictionary <string, Permission> dbPermissions, Dictionary <string, EntityDefinition> dbEntityDefinitions, bool allowDeletions ) { var roleInitializer = _roleInitializerFactory.Create(roleDefinition); if (roleInitializer == null) { return; } var permissionsToInclude = roleInitializer .GetPermissions(codePermissions) .ToList(); // Remove permissions if (allowDeletions) { var permissionsToRemove = dbRole .RolePermissions .Where(p => !permissionsToInclude.Any(i => i.GetUniqueCode() == p.Permission.GetUniqueCode())) .ToList(); foreach (var permissonToRemove in permissionsToRemove) { dbRole.RolePermissions.Remove(permissonToRemove); } } if (!permissionsToInclude.Any()) { return; } ValidatePermissions(dbRole.RolePermissions, permissionsToInclude); // add new permissions IEnumerable <IPermission> permissionsToAdd; if (dbRole.RolePermissions.Count == 0) { permissionsToAdd = permissionsToInclude; } else { permissionsToAdd = permissionsToInclude .Where(i => !dbRole.RolePermissions.Any(p => p.Permission.GetUniqueCode() == i.GetUniqueCode())); } foreach (var permissionToAdd in permissionsToAdd) { var uniquePermissionCode = permissionToAdd.GetUniqueCode(); var dbPermission = dbPermissions.GetOrDefault(uniquePermissionCode); if (dbPermission == null) { throw new Exception("dbPermissions lookup does not contain the specified permission, but was expected: " + uniquePermissionCode); } var rolePermission = new RolePermission(); rolePermission.Permission = dbPermission; dbRole.RolePermissions.Add(rolePermission); } }
/** * Azure Users, Groups and Roles sample. * - List users * - Get user by email * - Assign role to AD user * - Revoke role from AD user * - Get role by scope and role name * - List roles * - List Active Directory groups. */ public static void RunSample(Azure.IAuthenticated authenticated) { string subscriptionId = authenticated.Subscriptions.List().First().SubscriptionId; Utilities.Log("Selected subscription: " + subscriptionId); string raName1 = SdkContext.RandomGuid(); // ============================================================ // List users var users = authenticated.ActiveDirectoryUsers.List(); Utilities.Log("Active Directory Users:"); foreach (var user in users) { Utilities.Print(user); } // ============================================================ // Get user by email IActiveDirectoryUser adUser = authenticated.ActiveDirectoryUsers.GetByName("*****@*****.**"); Utilities.Log("Found User with email \"[email protected]\": "); Utilities.Print(adUser); // ============================================================ // Assign role to AD user IRoleAssignment roleAssignment1 = authenticated.RoleAssignments .Define(raName1) .ForUser(adUser) .WithBuiltInRole(BuiltInRole.DnsZoneContributor) .WithSubscriptionScope(subscriptionId) .Create(); Utilities.Log("Created Role Assignment:"); Utilities.Print(roleAssignment1); // ============================================================ // Revoke role from AD user authenticated.RoleAssignments.DeleteById(roleAssignment1.Id); Utilities.Log("Revoked Role Assignment: " + roleAssignment1.Id); // ============================================================ // Get role by scope and role name IRoleDefinition roleDefinition = authenticated.RoleDefinitions .GetByScopeAndRoleName("subscriptions/" + subscriptionId, "Contributor"); Utilities.Print(roleDefinition); // ============================================================ // List roles var roles = authenticated.RoleDefinitions .ListByScope("subscriptions/" + subscriptionId); Utilities.Log("Roles: "); foreach (var role in roles) { Utilities.Print(role); } // ============================================================ // List Active Directory groups var groups = authenticated.ActiveDirectoryGroups.List(); Utilities.Log("Active Directory Groups:"); foreach (var group in groups) { Utilities.Print(group); } }