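/// <summary>
/// Checks whether database <c>_DatabaseId</c> exists under <c>_EndpointUrl</c> by issuing a
/// master-key-signed GET against its resource link <c>dbs/{_DatabaseId}</c>.
/// </summary>
/// <returns><c>true</c> when the service answers 200 OK; <c>false</c> for any other status code.</returns>
/// <remarks>
/// The signature and the <c>x-ms-date</c> header are both built from <c>utc_date</c>; the two must agree
/// or the service rejects the request. <c>authHeader</c> is derived from the master key (<c>_Key</c>), which
/// grants full access to the account, so neither value should ever be logged or persisted.
/// </remarks>
async Task<bool> ExistsDatabase()
        {
            string baseUri = $"{_EndpointUrl}dbs/{_DatabaseId}";

            // NOTE(review): creating an HttpClient per call can exhaust sockets under load; a shared
            // instance is preferable, but that needs a field outside this method.
            using (var httpClient = new HttpClient())
            {
                httpClient.DefaultRequestHeaders.Accept.Add(new MediaTypeWithQualityHeaderValue("application/json"));
                httpClient.DefaultRequestHeaders.Add("x-ms-date", utc_date);
                httpClient.DefaultRequestHeaders.Add("x-ms-version", "2015-08-06");

                const string verb         = "GET";
                const string resourceType = "dbs";
                string resourceLink       = "dbs/" + _DatabaseId;

                string authHeader = DocumentAuthorization.GenerateMasterKeyAuthorizationSignature(verb, resourceLink, resourceType, _Key, "master", "1.0", utc_date);
                httpClient.DefaultRequestHeaders.Remove("authorization");
                httpClient.DefaultRequestHeaders.Add("authorization", authHeader);

                // Dispose the response so the underlying connection is released promptly instead of
                // waiting for the client to be torn down.
                using (var response = await httpClient.GetAsync(new Uri(baseUri)))
                {
                    return response.StatusCode == System.Net.HttpStatusCode.OK;
                }
            }
        }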
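        /// <summary>
        /// Inserts <paramref name="content"/> as a new document into collection <paramref name="collectionName"/>
        /// of database <c>_DatabaseId</c> via a master-key-signed POST.
        /// </summary>
        /// <param name="collectionName">Collection id; it is interpolated into both the request URL and the signed resource link.</param>
        /// <param name="content">The document body, sent verbatim with content type application/json.</param>
        /// <exception cref="HttpRequestException">The service returned a non-success status code.</exception>
        /// <remarks>
        /// <c>authHeader</c> is derived from the master key (<c>_Key</c>) and must never be logged or persisted.
        /// </remarks>
        async Task CreateDocument(string collectionName, string content)
        {
            // Try to avoid error 429 (Too Many Requests) without increasing the pricing tier. Don´t do this in a real app.
            // Task.Delay rather than Thread.Sleep: this method is async, and blocking the calling thread
            // defeats the purpose of awaiting the request below.
            await Task.Delay(500);

            string uri = $"{_EndpointUrl}dbs/{_DatabaseId}/colls/{collectionName}/docs";

            // NOTE(review): an HttpClient per call can exhaust sockets under load; a shared instance
            // is preferable, but that needs a field outside this method.
            using (var httpClient = new HttpClient())
            {
                httpClient.DefaultRequestHeaders.Accept.Add(new MediaTypeWithQualityHeaderValue("application/json"));
                httpClient.DefaultRequestHeaders.Add("x-ms-date", utc_date);
                httpClient.DefaultRequestHeaders.Add("x-ms-version", "2015-08-06");

                const string verb         = "POST";
                const string resourceType = "docs";
                string resourceLink       = $"dbs/{_DatabaseId}/colls/{collectionName}";

                string authHeader = DocumentAuthorization.GenerateMasterKeyAuthorizationSignature(verb, resourceLink, resourceType, _Key, "master", "1.0", utc_date);
                httpClient.DefaultRequestHeaders.Remove("authorization");
                httpClient.DefaultRequestHeaders.Add("authorization", authHeader);

                // Dispose the response so the connection is released promptly.
                using (var response = await httpClient.PostAsync(new Uri(uri), new StringContent(content, Encoding.UTF8, "application/json")))
                {
                    response.EnsureSuccessStatusCode();
                }
            }
        }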
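        /// <summary>
        /// Creates collection <paramref name="collectionName"/> in database <c>_DatabaseId</c> via a
        /// master-key-signed POST whose body is <c>{ "id": collectionName }</c>.
        /// </summary>
        /// <param name="collectionName">Id of the collection to create.</param>
        /// <exception cref="HttpRequestException">The service returned a non-success status code.</exception>
        /// <remarks>
        /// <c>authHeader</c> is derived from the master key (<c>_Key</c>) and must never be logged or persisted.
        /// </remarks>
        async Task CreateCollection(string collectionName)
        {
            string uri = $"{_EndpointUrl}dbs/{_DatabaseId}/colls";

            // NOTE(review): an HttpClient per call can exhaust sockets under load; a shared instance
            // is preferable, but that needs a field outside this method.
            using (var httpClient = new HttpClient())
            {
                httpClient.DefaultRequestHeaders.Accept.Add(new MediaTypeWithQualityHeaderValue("application/json"));
                httpClient.DefaultRequestHeaders.Add("x-ms-date", utc_date);
                httpClient.DefaultRequestHeaders.Add("x-ms-version", "2015-08-06");

                const string verb         = "POST";
                const string resourceType = "colls";
                // The signature covers the parent database link, not the .../colls URL being posted to.
                string resourceId         = $"dbs/{_DatabaseId}";

                string authHeader = DocumentAuthorization.GenerateMasterKeyAuthorizationSignature(verb, resourceId, resourceType, _Key, "master", "1.0", utc_date);
                httpClient.DefaultRequestHeaders.Remove("authorization");
                httpClient.DefaultRequestHeaders.Add("authorization", authHeader);

                var content = JsonConvert.SerializeObject(new { id = collectionName });

                // Dispose the response so the connection is released promptly.
                using (var response = await httpClient.PostAsync(uri, new StringContent(content, Encoding.UTF8, "application/json")))
                {
                    response.EnsureSuccessStatusCode();
                }
            }
        }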
        /// <summary>
        /// Stores two companies, grants <c>UserId</c> the "Company/Bid" operation on only one of them
        /// (the other gets an empty permission set), then streams "companies/" in a session secured
        /// for that user and asserts that two documents come back.
        /// </summary>
        public void DocumentWithoutPermissionWillBeFilteredOutSilentlyWithStreaming()
        {
            const string operation = "Company/Bid";

            var rhinosCompany     = new Company { Name = "Hibernating Rhinos" };
            var secretCompany     = new Company { Name = "Secret Co." };
            var authorizationUser = new AuthorizationUser { Id = UserId, Name = "Ayende Rahien" };

            using (var session = store.OpenSession())
            {
                session.Store(authorizationUser);
                session.Store(rhinosCompany);
                session.Store(secretCompany);

                var allowUser = new DocumentAuthorization();
                allowUser.Permissions.Add(new DocumentPermission
                {
                    Allow     = true,
                    Operation = operation,
                    User      = UserId
                });

                session.SetAuthorizationFor(rhinosCompany, allowUser);                   // allow Ayende Rahien
                session.SetAuthorizationFor(secretCompany, new DocumentAuthorization()); // no permissions: deny everyone

                session.SaveChanges();
            }

            using (var session = store.OpenSession())
            {
                session.SecureFor(UserId, operation);

                var streamed = 0;
                using (var enumerator = session.Advanced.Stream<Company>("companies/"))
                {
                    for (; enumerator.MoveNext(); streamed++)
                    {
                    }
                }

                Assert.Equal(2, streamed);
            }
        }
        /// <summary>
        /// Deploys <c>CompanyIndex</c>, stores two companies with "Company/Bid" allowed for <c>UserId</c>
        /// on only one of them, then — in a session secured for that user — compares the count of a
        /// materialised Lucene query against the count obtained by streaming the same query.
        /// </summary>
        public void DocumentWithoutPermissionWillBeFilteredOutSilentlyWithQueryStreaming()
        {
            new CompanyIndex().Execute(store);

            const string operation = "Company/Bid";

            var rhinosCompany     = new Company { Name = "Hibernating Rhinos" };
            var secretCompany     = new Company { Name = "Secret Co." };
            var authorizationUser = new AuthorizationUser { Id = UserId, Name = "Ayende Rahien" };

            using (var session = store.OpenSession())
            {
                session.Store(authorizationUser);
                session.Store(rhinosCompany);
                session.Store(secretCompany);

                var allowUser = new DocumentAuthorization();
                allowUser.Permissions.Add(new DocumentPermission
                {
                    Allow     = true,
                    Operation = operation,
                    User      = UserId
                });

                session.SetAuthorizationFor(rhinosCompany, allowUser);                   // allow Ayende Rahien
                session.SetAuthorizationFor(secretCompany, new DocumentAuthorization()); // no permissions: deny everyone

                session.SaveChanges();
            }

            WaitForIndexing(store);

            using (var session = store.OpenSession())
            {
                session.SecureFor(UserId, operation);

                var queried  = session.Advanced.LuceneQuery<Company, CompanyIndex>().ToList();
                var streamed = QueryExtensions.StreamAllFrom(session.Advanced.LuceneQuery<Company, CompanyIndex>(), session);

                Assert.Equal(queried.Count(), streamed.Count());
            }
        }
        /// <summary>
        /// Stores one user and two <c>Content</c> documents, explicitly denies <c>Operation</c> on one and
        /// allows it on the other, waits until no index is stale, then five times opens a session secured
        /// for the user and asserts that the first queried <c>Content</c> is the permitted one.
        /// </summary>
        public void SecureForCausesHighCpu()
        {
            var user                     = new User { Name = "Mr. Test" };
            var contentWithoutPermission = new Content { Title = "Content Without Permission" };
            var contentWithPermission    = new Content { Title = "Content With Permission" };

            using (var session = store.OpenSession())
            {
                session.Store(user);
                session.Store(contentWithoutPermission);
                session.Store(contentWithPermission);

                // Reuse an existing authorization when the session already has one, otherwise start empty.
                var denied = session.GetAuthorizationFor(contentWithoutPermission) ?? new DocumentAuthorization();
                denied.Permissions.Add(new DocumentPermission { Allow = false, Operation = Operation, User = user.Id });
                session.SetAuthorizationFor(contentWithoutPermission, denied);

                var allowed = session.GetAuthorizationFor(contentWithPermission) ?? new DocumentAuthorization();
                allowed.Permissions.Add(new DocumentPermission { Allow = true, Operation = Operation, User = user.Id });
                session.SetAuthorizationFor(contentWithPermission, allowed);

                session.SaveChanges();
            }

            // Poll until every index has caught up; there is no upper bound on this wait.
            while (store.DatabaseCommands.GetStatistics().StaleIndexes.Length > 0)
            {
                Thread.Sleep(10);
            }

            foreach (var _ in Enumerable.Range(0, 5))
            {
                using (var session = store.OpenSession())
                {
                    session.SecureFor(user.Id, Operation);

                    var first = session.Query<Content>().FirstOrDefault();

                    Assert.NotNull(first);
                    Assert.Equal(contentWithPermission.Id, first.Id);
                }
            }
        }
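        /// <summary>
        /// Writes a human-readable explanation of why <paramref name="userId"/> was denied
        /// <paramref name="operation"/> on <paramref name="documentId"/> to <paramref name="logger"/>.
        /// </summary>
        /// <param name="logger">Sink that receives the finished message.</param>
        /// <param name="documentId">Id of the document the access check was made against.</param>
        /// <param name="userId">Id of the user that was denied.</param>
        /// <param name="user">The user's record; its roles are listed when it has any.</param>
        /// <param name="documentAuthorization">The document's permission set; when any entry names the
        /// operation, every entry's <c>Explain</c> text is listed, otherwise the message says nobody may perform it.</param>
        /// <param name="operation">The operation that was denied; compared case-insensitively against stored permissions.</param>
        private static void ExplainWhyUserCantAccessTheDocument(Action<string> logger, string documentId, string userId, AuthorizationUser user, DocumentAuthorization documentAuthorization, string operation)
        {
            var sb = new StringBuilder("Could not find any permissions for operation: ")
                     .Append(operation)
                     .Append(" on ")
                     .Append(documentId)
                     .Append(" for user ")
                     .Append(userId)
                     .Append(".");

            if (user.Roles.Count > 0)
            {
                sb.Append(" or the user's roles: [")
                  .Append(string.Join(", ", user.Roles))
                  .Append("]");
            }
            sb.AppendLine();

            // Any() instead of Count(...) == 0: stops at the first match rather than scanning the whole list.
            bool operationIsKnown = documentAuthorization.Permissions.Any(x => x.Operation.Equals(operation, StringComparison.InvariantCultureIgnoreCase));

            if (!operationIsKnown)
            {
                sb.Append("No one may perform operation ")
                  .Append(operation)
                  .Append(" on ")
                  .Append(documentId);
            }
            else
            {
                sb.Append("Only the following may perform operation ")
                  .Append(operation)
                  .Append(" on ")
                  .Append(documentId)
                  .AppendLine(":");

                // Lists every permission on the document, not only those matching the operation.
                foreach (var documentPermission in documentAuthorization.Permissions)
                {
                    sb.Append("\t")
                      .Append(documentPermission.Explain)
                      .AppendLine();
                }
            }

            logger(sb.ToString());
        }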
        /// <summary>
        /// Stores <paramref name="documentAuthorization"/> in the metadata of <paramref name="entity"/>
        /// under the <c>RavenDocumentAuthorization</c> key, serialised with the store's contract resolver.
        /// </summary>
        /// <param name="session">Session that tracks <paramref name="entity"/>.</param>
        /// <param name="entity">A tracked entity whose metadata receives the authorization.</param>
        /// <param name="documentAuthorization">The permission set to attach.</param>
        public static void SetAuthorizationFor(this IDocumentSession session, object entity, DocumentAuthorization documentAuthorization)
        {
            var metadata = session.Advanced.GetMetadataFor(entity);

            var serializer = JsonExtensions.CreateDefaultJsonSerializer();
            serializer.ContractResolver = session.Advanced.DocumentStore.Conventions.JsonContractResolver;

            var authorizationJson = RavenJObject.FromObject(documentAuthorization, serializer);
            metadata[RavenDocumentAuthorization] = authorizationJson;
        }
        /// <summary>
        /// Stores <paramref name="documentAuthorization"/> in the metadata of <paramref name="entity"/>
        /// under the <c>RavenDocumentAuthorization</c> key, serialised with the session's contract resolver.
        /// </summary>
        /// <param name="session">Session that tracks <paramref name="entity"/>.</param>
        /// <param name="entity">A tracked entity whose metadata receives the authorization.</param>
        /// <param name="documentAuthorization">The permission set to attach.</param>
        public static void SetAuthorizationFor(this IDocumentSession session, object entity, DocumentAuthorization documentAuthorization)
        {
            var metadata = session.Advanced.GetMetadataFor(entity);

            var serializer = new JsonSerializer();
            serializer.ContractResolver = session.Advanced.Conventions.JsonContractResolver;

            metadata[RavenDocumentAuthorization] = RavenJObject.FromObject(documentAuthorization, serializer);
        }