private void CheckPermissions(UtilityRow existingRow, ChangeDescription changeDescription)
{
string partitionKey = null;
string rowKey = null;
if (existingRow != null)
{
partitionKey = existingRow.PartitionKey;
rowKey = existingRow.RowKey;
}
else
{
partitionKey = ((UtilityRow)changeDescription.Row).PartitionKey;
rowKey = ((UtilityRow)changeDescription.Row).RowKey;
}
this.CheckPermission(this.m_currentResourceContainer.Name, false, false, changeDescription.UpdateType);
XfeTableSASAuthorizationManager.CheckSignedAccessKeyBoundary(this.SignedAccountIdentifier, partitionKey, rowKey);
}
internal void CheckPermission(string userTableName, bool isUtilityTableCommand, bool shouldCheckGet, UpdateKind commandKind)
{
PermissionLevel permissionLevel;
if (this.SignedAccountIdentifier != null)
{
IStringDataEventStream verboseDebug = Logger <IRestProtocolHeadLogger> .Instance.VerboseDebug;
object[] tableName = new object[] { this.SignedAccountIdentifier.TableName, this.SignedAccountIdentifier.StartingPartitionKey, this.SignedAccountIdentifier.StartingRowKey, this.SignedAccountIdentifier.EndingPartitionKey, this.SignedAccountIdentifier.EndingRowKey };
verboseDebug.Log("Sas tn={0} spk={1} srk={2} epk={3} erk={4}", tableName);
}
List <SASPermission> sASPermissions = new List <SASPermission>();
if (!shouldCheckGet)
{
switch (commandKind)
{
case UpdateKind.Insert:
{
if (!isUtilityTableCommand)
{
sASPermissions.Add(SASPermission.Add);
}
else
{
sASPermissions.Add(SASPermission.Create);
sASPermissions.Add(SASPermission.Write);
}
permissionLevel = PermissionLevel.Write;
this.CheckAnalyticsPermissions(userTableName, null);
goto Label0;
}
case UpdateKind.Delete:
{
sASPermissions.Add(SASPermission.Delete);
permissionLevel = PermissionLevel.Delete;
this.CheckAnalyticsPermissions(userTableName, new bool?(isUtilityTableCommand));
goto Label0;
}
case UpdateKind.Replace:
case UpdateKind.Merge:
{
sASPermissions.Add(SASPermission.Update);
permissionLevel = PermissionLevel.Write;
this.CheckAnalyticsPermissions(userTableName, null);
goto Label0;
}
case UpdateKind.InsertOrMerge:
case UpdateKind.InsertOrReplace:
{
sASPermissions.Add(SASPermission.Add | SASPermission.Update);
permissionLevel = PermissionLevel.Write;
this.CheckAnalyticsPermissions(userTableName, null);
goto Label0;
}
}
CultureInfo invariantCulture = CultureInfo.InvariantCulture;
object[] accountName = new object[] { this.AccountName, commandKind, this.m_currentResourceContainer.Name };
throw new NephosUnauthorizedAccessException(string.Format(invariantCulture, "Account {0} is not authorized to perform operation {1} on table {2}.", accountName));
}
else
{
if (!isUtilityTableCommand)
{
sASPermissions.Add(SASPermission.Read);
}
else
{
sASPermissions.Add(SASPermission.List);
}
permissionLevel = PermissionLevel.Read;
}
Label0:
this.CheckPermissionCallback(permissionLevel);
if (this.SignedAccountIdentifier != null)
{
SASPermission item = SASPermission.None;
if (sASPermissions.Count > 0)
{
item = sASPermissions[0];
}
XfeTableSASAuthorizationManager.AuthorizeSASRequest(this.SignedAccountIdentifier, PermissionLevel.Write, item, userTableName, isUtilityTableCommand);
return;
}
if (this.AccountIdentifier is AccountSasAccessIdentifier)
{
string lower = userTableName.ToLower();
if (isUtilityTableCommand)
{
lower = "Tables";
}
if (!string.Equals(this.m_currentResourceContainer.Name, lower, StringComparison.OrdinalIgnoreCase))
{
throw new NephosUnauthorizedAccessException("Signed access not supported for this request as table name did not match", AuthorizationFailureReason.InvalidOperationSAS);
}
AccountSasAccessIdentifier accountIdentifier = this.AccountIdentifier as AccountSasAccessIdentifier;
AuthorizationResult authorizationResult = new AuthorizationResult(false, AuthorizationFailureReason.UnauthorizedAccountSasRequest);
SASAuthorizationParameters sASAuthorizationParameter = new SASAuthorizationParameters()
{
SignedResourceType = (isUtilityTableCommand ? SasResourceType.Container : SasResourceType.Object),
SupportedSasTypes = SasType.AccountSas
};
SASAuthorizationParameters item1 = sASAuthorizationParameter;
for (int i = 0; !authorizationResult.Authorized && i < sASPermissions.Count; i++)
{
item1.SignedPermission = sASPermissions[i];
authorizationResult = AuthorizationManager.AuthorizeAccountSignedAccessRequest(accountIdentifier, this.AccountName, item1);
}
if (!authorizationResult.Authorized)
{
throw new NephosUnauthorizedAccessException("Signed access insufficient permission", authorizationResult.FailureReason);
}
}
}
