Example #1
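        /// <summary>
        /// Called if a Group comes up more than once in provisioning (e.g. multiple wildcard matches).
        /// If so, we consider promoting the group to the higher of the two roles.
        /// </summary>
        /// <param name="suggestedMode">Grant-license mode proposed by the additional match</param>
        /// <param name="suggestedSiteRole">Site role proposed by the additional match</param>
        /// <returns>True if the group's stored mode and role were replaced by the suggestion; false if nothing changed</returns>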
        public bool ConsiderGrantLicenseRoleUpgrade(ProvisioningGroup.GrantLicenseMode suggestedMode, string suggestedSiteRole)
        {
            //Capture the group's state as it stands before this call changes anything
            string roleBefore = _grantLicenseRole;
            var    modeBefore = _grantLicenseInstructions;

            //-------------------------------------------------------------------------
            //Step 1: Only an OnLogin suggestion can change the group. Ignore and None
            //are no-ops; any other value is reported as an error.
            //-------------------------------------------------------------------------
            if ((suggestedMode == ProvisioningGroup.GrantLicenseMode.Ignore) ||
                (suggestedMode == ProvisioningGroup.GrantLicenseMode.None))
            {
                return false;
            }

            if (suggestedMode != ProvisioningGroup.GrantLicenseMode.OnLogin)
            {
                string unknownSuggested = "1021-106: Unknown grant license mode, " + suggestedMode.ToString();
                IwsDiagnostics.Assert(false, unknownSuggested);
                throw new Exception(unknownSuggested);
            }

            //-------------------------------------------------------------------------
            //Step 2: Decide whether the suggestion replaces what the group holds now.
            //
            //NOTE(review): Conflicts are only ever resolved upward. A group that is
            //matched by several rules ends up with the highest-ranked role among them,
            //so overlapping wildcard patterns can raise the role granted on login but
            //never lower it. How CalculateRoleRank ranks a null or unrecognized role
            //string is not visible here -- confirm it cannot outrank a real role.
            //-------------------------------------------------------------------------
            switch (modeBefore)
            {
            case ProvisioningGroup.GrantLicenseMode.Ignore:
            case ProvisioningGroup.GrantLicenseMode.None:
                //Nothing meaningful stored yet; the suggestion always wins
                break;

            case ProvisioningGroup.GrantLicenseMode.OnLogin:
                {
                    var rankBefore    = ProvisioningUser.CalculateRoleRank(roleBefore);
                    var rankSuggested = ProvisioningUser.CalculateRoleRank(suggestedSiteRole);
                    if (rankBefore >= rankSuggested)
                    {
                        //The stored role already ranks the same or higher. Keep it.
                        return false;
                    }
                }
                break;

            default:     //Degenerate case
                {
                    string unknownCurrent = "1021-113: Unknown grant license mode, " + modeBefore.ToString();
                    IwsDiagnostics.Assert(false, unknownCurrent);
                    throw new Exception(unknownCurrent);
                }
            }

            //Adopt the suggested mode and role
            _grantLicenseInstructions = suggestedMode;
            _grantLicenseRole         = suggestedSiteRole;
            return true;
        }
Example #2
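    /// <summary>
    /// Handle the provisioning for a single user
    /// </summary>
    /// <param name="userToProvision">The user (name, authentication, role) we want to exist on the site</param>
    /// <param name="siteSignIn">Sign-in passed through to the add-user and modify-user helpers</param>
    /// <param name="workingListUnexaminedUsers">List that is searched by name for an already existing user</param>
    /// <param name="workingList_allKnownUsers">List passed through to the add-user helper</param>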
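    private void Execute_ProvisionUsers_SingleUser(
        ProvisioningUser userToProvision,
        TableauServerSignIn siteSignIn,
        WorkingListSiteUsers workingListUnexaminedUsers,
        WorkingListSiteUsers workingList_allKnownUsers)
    {
        //See if a user with this name already exists
        var foundExistingUser = workingListUnexaminedUsers.FindUserByName(userToProvision.UserName);

        ProvisionUserInstructions.MissingUserAction    missingUserAction;
        ProvisionUserInstructions.UnexpectedUserAction unexpectedUserAction;

        //Get the instructions based on the desired Auth model for the user we are provisioning
        //NOTE(review): unexpectedUserAction is assigned in every branch but is not read again in this method
        switch (userToProvision.UserAuthenticationParsed)
        {
        case SiteUserAuth.Default:
            missingUserAction    = _provisionInstructions.ActionForMissingDefaultAuthUsers;
            unexpectedUserAction = _provisionInstructions.ActionForUnexpectedDefaultAuthUsers;
            break;

        case SiteUserAuth.SAML:
            missingUserAction    = _provisionInstructions.ActionForMissingSamlUsers;
            unexpectedUserAction = _provisionInstructions.ActionForUnexpectedSamlUsers;
            break;

        case SiteUserAuth.OpenID:
            missingUserAction    = _provisionInstructions.ActionForMissingOpenIdUsers;
            unexpectedUserAction = _provisionInstructions.ActionForUnexpectedOpenIdUsers;
            break;

        default:
            //Fail closed: an auth type we do not recognize is never provisioned
            var unknownAuthType = userToProvision.UserAuthentication ?? "";

            IwsDiagnostics.Assert(false, "814-1204: Unknown auth type, " + unknownAuthType);
            throw new Exception("814-1204: Unknown auth type, " + unknownAuthType);
        }

        //===============================================================================================
        //CASE 1: The user does NOT exist.  So add them
        //===============================================================================================
        if (foundExistingUser == null)
        {
            Execute_ProvisionUsers_SingleUser_AddUser(siteSignIn, userToProvision, missingUserAction, workingList_allKnownUsers);
            return;
        }

        //===============================================================================================
        //CASE 2a: The user EXISTS but is not the right AUTH; update them
        //===============================================================================================
        //Auth and role names are machine identifiers, so compare them ordinally. The culture-sensitive
        //overload (ignoreCase: true) can judge two spellings of the same identifier as different under
        //some cultures (e.g. the Turkish dotted/dotless i), which would change the decision made here.
        if (string.Compare(foundExistingUser.SiteAuthentication, userToProvision.UserAuthentication, StringComparison.OrdinalIgnoreCase) != 0)
        {
            //Update the user
            Execute_ProvisionUsers_SingleUser_ModifyUser(siteSignIn, userToProvision, foundExistingUser);
            return;
        }

        //===============================================================================================
        //CASE 2b: The user EXISTS but is not the right ROLE; update them
        //===============================================================================================
        if (string.Compare(foundExistingUser.SiteRole, userToProvision.UserRole, StringComparison.OrdinalIgnoreCase) != 0)
        {
            //==================================================================================================================================================================
            //CASE 2b: Special case (to support Grant License on Sign In): If the user provisioning instructions ALLOW
            //keeping a promoted role and the existing role outranks the provisioned one, leave the user unchanged.
            //NOTE: If the authentication schemes do not match, we never get here (CASE 2a) and move forward with
            //modifying the user -- this is a more fundamental change, and we should honor it explicitly
            //NOTE(review): This branch leaves a user on a higher-ranked role than the provisioning data asks
            //for. The status line below is the only record of that decision visible in this method.
            //==================================================================================================================================================================
            if (userToProvision.AllowPromotedRole)
            {
                var existingUserRoleRank = ProvisioningUser.CalculateRoleRank(foundExistingUser.SiteRole);
                if (existingUserRoleRank > userToProvision.RoleRank)
                {
                    //NOTE(review): The listing masks the middle of this message; the user name is
                    //assumed here, matching the CASE 3 status line -- confirm against the original file
                    _statusLogs.AddStatus("No action: Provisioning rule for this user allow keeping existing higher ranked role. User: " + userToProvision.UserName + ", " + foundExistingUser.SiteRole);
                    return;
                }
            }

            //CASE 2c: Update the user because the provisioning Role differs from the existing user's Role
            Execute_ProvisionUsers_SingleUser_ModifyUser(siteSignIn, userToProvision, foundExistingUser);
            return;
        }

        //===============================================================================================
        //CASE 3: The user exists and does NOT need to be modified
        //===============================================================================================
        _statusLogs.AddStatus("No action: User exists and has expected role and authentication. User: " + userToProvision.UserName);
    }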