Example #1
0
        public async Task <PermissionResolutionResult> Resolve(PermissionResolutionRequest resolutionRequest)
        {
            var grain         = resolutionRequest.Grain;
            var securableItem = resolutionRequest.SecurableItem;
            var groupNames    = resolutionRequest.UserGroups.ToList();

            var roles = (await _roleService.GetRoles(grain, securableItem)).ToList();

            var allowedPermissions = new List <ResolvedPermission>();
            var deniedPermissions  = new List <ResolvedPermission>();

            foreach (var role in roles)
            {
                if (BypassRoleEvaluation(role, groupNames, resolutionRequest))
                {
                    continue;
                }

                var resolvedPermissions = role.Permissions
                                          .Where(
                    p => IsActiveGrainAndSecurableItemMatch(p, grain, securableItem))
                                          .Select(p => p.ToResolvedPermission(ResolvedPermission.Allow))
                                          .ToList();

                AddResolvedPermissions(allowedPermissions, resolvedPermissions, role);

                resolvedPermissions = role.DeniedPermissions
                                      .Select(p =>
                                              p.ToResolvedPermission(ResolvedPermission.Deny))
                                      .ToList();

                AddResolvedPermissions(deniedPermissions, resolvedPermissions, role);

                // add permissions from parent roles
                var ancestorRoles = _roleService.GetRoleHierarchy(role, roles);
                foreach (var ancestorRole in ancestorRoles)
                {
                    resolvedPermissions = ancestorRole.Permissions
                                          .Where(
                        p => IsActiveGrainAndSecurableItemMatch(p, grain, securableItem))
                                          .Select(p => p.ToResolvedPermission(ResolvedPermission.Allow))
                                          .ToList();

                    AddResolvedPermissions(allowedPermissions, resolvedPermissions, ancestorRole);

                    resolvedPermissions = ancestorRole.DeniedPermissions
                                          .Select(p =>
                                                  p.ToResolvedPermission(ResolvedPermission.Deny))
                                          .ToList();

                    AddResolvedPermissions(deniedPermissions, resolvedPermissions, ancestorRole);
                }
            }

            return(new PermissionResolutionResult
            {
                AllowedPermissions = allowedPermissions.Distinct(),
                DeniedPermissions = deniedPermissions.Distinct()
            });
        }
        public async Task <PermissionResolutionResult> Resolve(PermissionResolutionRequest resolutionRequest)
        {
            var subjectId        = resolutionRequest.SubjectId;
            var identityProvider = resolutionRequest.IdentityProvider;

            if (string.IsNullOrWhiteSpace(subjectId) || string.IsNullOrWhiteSpace(identityProvider))
            {
                _logger.Debug($"Attempted to resolve granular permissions without a complete user ID (subjectId = {subjectId}, identityProvider = {identityProvider}");
                return(new PermissionResolutionResult());
            }
            try
            {
                var granularPermissions =
                    await _permissionService.GetUserGranularPermissions($"{subjectId}:{identityProvider}");

                granularPermissions = await HydrateGranularPermissionDocuments(granularPermissions, resolutionRequest);

                return(new PermissionResolutionResult
                {
                    AllowedPermissions = granularPermissions.AdditionalPermissions?.Select(p => p.ToResolvedPermission(ResolvedPermission.Allow)),
                    DeniedPermissions = granularPermissions.DeniedPermissions?.Select(p => p.ToResolvedPermission(ResolvedPermission.Deny))
                });
            }
            catch (NotFoundException <GranularPermission> )
            {
                _logger.Debug($"No granular permissions found for user {subjectId}:{identityProvider}");
            }

            return(new PermissionResolutionResult());
        }
Example #3
0
        public async Task <PermissionResolutionResult> Resolve(PermissionResolutionRequest resolutionRequest)
        {
            var allowedPermissions = new List <ResolvedPermission>();
            var deniedPermissions  = new List <ResolvedPermission>();

            foreach (var permissionResolverService in PermissionResolverServices)
            {
                var permissionResolutionResult = await permissionResolverService.Resolve(resolutionRequest);

                allowedPermissions.AddRange(permissionResolutionResult.AllowedPermissions);
                deniedPermissions.AddRange(permissionResolutionResult.DeniedPermissions);
            }

            return(new PermissionResolutionResult
            {
                AllowedPermissions = allowedPermissions,
                DeniedPermissions = deniedPermissions
            });
        }
        public async Task <PermissionResolutionResult> Resolve(PermissionResolutionRequest resolutionRequest)
        {
            if (!resolutionRequest.IncludeSharedPermissions)
            {
                return(new PermissionResolutionResult());
            }

            var sharedGrains = await _grainService.GetSharedGrains();

            var permissionResolutionResult = new PermissionResolutionResult();

            foreach (var sharedGrain in sharedGrains)
            {
                foreach (var securableItem in sharedGrain.SecurableItems)
                {
                    // the current instance of SharedGrainPermissionResolverService will be in the _permissionResolverServices
                    // collection, but because the PermissionResolutionRequest is being created with IncludeSharedPermissions = false,
                    // infinite recursion will not happen
                    foreach (var permissionResolverService in _permissionResolverServices)
                    {
                        var result = await permissionResolverService.Resolve(new PermissionResolutionRequest
                        {
                            Grain                    = sharedGrain.Name,
                            SecurableItem            = securableItem.Name,
                            IdentityProvider         = resolutionRequest.IdentityProvider,
                            SubjectId                = resolutionRequest.SubjectId,
                            UserGroups               = resolutionRequest.UserGroups,
                            IncludeSharedPermissions = false
                        });

                        permissionResolutionResult.AllowedPermissions =
                            permissionResolutionResult.AllowedPermissions.Concat(result.AllowedPermissions);

                        permissionResolutionResult.DeniedPermissions =
                            permissionResolutionResult.DeniedPermissions.Concat(result.DeniedPermissions);
                    }
                }
            }

            return(permissionResolutionResult);
        }
Example #5
0
 private static bool BypassRoleEvaluation(Role role, List <string> groupNames, PermissionResolutionRequest permissionResolutionRequest)
 {
     return(!(role.Groups.Any(g => groupNames.Contains(g, StringComparer.OrdinalIgnoreCase)) || role.Users.Any(
                  u => u.SubjectId.Equals(permissionResolutionRequest.SubjectId,
                                          StringComparison.OrdinalIgnoreCase) &&
                  u.IdentityProvider.Equals(permissionResolutionRequest.IdentityProvider,
                                            StringComparison.OrdinalIgnoreCase))) || role.IsDeleted ||
            role.Permissions == null || role.Permissions.Count == 0);
 }
Example #6
0
 private static bool BypassRoleEvaluation(Role role, IReadOnlyCollection <Group> groups, PermissionResolutionRequest permissionResolutionRequest)
 {
     return(!(role.Groups.Any(g => groups.Select(g1 => g1.GroupIdentifier).Contains(g.GroupIdentifier, new GroupIdentifierComparer())) ||
              role.Users.Any(u =>
                             u.SubjectId.Equals(permissionResolutionRequest.SubjectId, StringComparison.OrdinalIgnoreCase) &&
                             u.IdentityProvider.Equals(permissionResolutionRequest.IdentityProvider,
                                                       StringComparison.OrdinalIgnoreCase)) ||
              role.IsDeleted ||
              role.Permissions == null ||
              role.Permissions.Count == 0));
 }
        private async Task <GranularPermission> HydrateGranularPermissionDocuments(GranularPermission granularPermissions, PermissionResolutionRequest resolutionRequest)
        {
            // retrieve all Permission documents that match the request's grain + securable item
            var sourcePermissionDocuments =
                (await _permissionService.GetPermissions(resolutionRequest.Grain, resolutionRequest.SecurableItem)).ToList();

            granularPermissions.AdditionalPermissions =
                sourcePermissionDocuments.Intersect(granularPermissions.AdditionalPermissions);

            granularPermissions.DeniedPermissions =
                sourcePermissionDocuments.Intersect(granularPermissions.DeniedPermissions);

            return(granularPermissions);
        }