/// <summary>
/// Resolves <paramref name="username"/> to a stored <c>User</c> and hands the decision to the
/// user-based <c>AuthorizeAsync</c> overload. An unknown username is denied outright
/// (fail closed); it is never treated as an anonymous or role-less principal.
/// </summary>
/// <param name="resourceDescription">The resource and action being requested.</param>
/// <param name="username">
/// Name of the requesting principal. Matched with <c>==</c> against <c>UserName</c> as translated by
/// the collection's query provider; if the rest of the system treats usernames case-insensitively,
/// a differently-cased variant would not resolve here — NOTE(review): confirm against the user store.
/// </param>
/// <returns>The decision for the resolved user, or <c>AuthorizationResult.Denied()</c> when no user matches.</returns>
public async Task<AuthorizationResult> AuthorizeAsync(IResourceDescription resourceDescription, string username)
{
    var matchingUser = await userCollection
        .Find(candidate => candidate.UserName == username)
        .FirstOrDefaultAsync();

    // No such account: deny without consulting any role or resource rule.
    return matchingUser is null
        ? AuthorizationResult.Denied()
        : await AuthorizeAsync(resourceDescription, matchingUser);
}
/// <summary>
/// Central authorization matrix: decides whether <paramref name="user"/> may perform the action
/// described by <paramref name="resourceDescription"/>.
/// Policy is explicit-grant, otherwise deny: every path that does not return
/// <c>AuthorizationResult.Granted(user)</c> falls through to the final <c>Denied()</c>.
/// A user holding <c>Role.Admin</c> is granted everything before any resource-specific rule runs.
/// </summary>
/// <param name="resourceDescription">The resource/action under evaluation; several cases require a specific concrete description type.</param>
/// <param name="user">The already-resolved principal (roles and username are read from it).</param>
/// <returns>Granted or Denied; this method never returns null.</returns>
/// <exception cref="ArgumentOutOfRangeException">
/// Thrown for a <c>ResourceType</c>, <c>ValidatorManagementAction</c> or <c>UserManagementActionType</c>
/// with no case below. This fails closed by exception rather than by <c>Denied()</c>, so a newly added
/// enum member surfaces as an error until a rule is written for it.
/// </exception>
/// <exception cref="InvalidCastException">
/// Thrown when a data-access <c>ResourceType</c> arrives with a description that is not an
/// <c>IDataResourceDescription</c> (the data cases use a hard cast, unlike the <c>is</c>-pattern cases below).
/// Still fails closed, but the failure mode differs from the other cases.
/// </exception>
private async Task <AuthorizationResult> AuthorizeAsync(IResourceDescription resourceDescription, User user) {
    // Strategy: Explicitly grant, otherwise deny
    // Admin short-circuit: no per-resource rule is consulted for admins.
    if (user.Roles.Contains(Role.Admin)) { return(AuthorizationResult.Granted(user)); }
    switch (resourceDescription.Type) {
        // Collection-scoped operations: the decision is delegated to AuthorizeDataAccess
        // (defined elsewhere in this class; not shown here). The cast throws if the caller
        // supplied a non-data description for one of these types.
        case ResourceType.SubmitData:
        case ResourceType.GetData:
        case ResourceType.DeleteData:
        case ResourceType.Search:
        case ResourceType.CreateView:
        case ResourceType.GetView:
        case ResourceType.DeleteView:
        case ResourceType.AddValidator:
        case ResourceType.GetValidator:
        case ResourceType.SubscribeToData:
        case ResourceType.ViewCollectionInformation:
            return(await AuthorizeDataAccess((IDataResourceDescription)resourceDescription, user));
        case ResourceType.ManageValidators:
            // A description of the wrong concrete type skips the inner switch and is denied.
            if (resourceDescription is ManageValidatorsResourceDescription manageValidatorsResourceDescription) {
                switch (manageValidatorsResourceDescription.Action) {
                    // Approving/deleting a validator is governed by the collection-level data rule.
                    case ValidatorManagementAction.Approve:
                    case ValidatorManagementAction.Delete:
                        return(await AuthorizeDataAccess((IDataResourceDescription)resourceDescription, user));
                    case ValidatorManagementAction.ListAll:
                        // Only admins can list all validators (handled by the admin short-circuit above).
                        break;
                    default: throw new ArgumentOutOfRangeException();
                }
            }
            break;
        case ResourceType.ManageUser:
            // A description of the wrong concrete type skips the inner switch and is denied.
            if (resourceDescription is ManageUserResourceDescription manageUserResourceDescription) {
                var userToManage = manageUserResourceDescription.UserToManage;
                switch (manageUserResourceDescription.ActionType) {
                    case UserManagementActionType.ChangePassword:
                        // UserManager may change ANY account's password: only the caller's roles and the
                        // target's name are examined, never the target's roles.
                        // NOTE(review): this includes accounts holding Role.Admin, which gives a
                        // UserManager a path to take over an admin account by resetting its password.
                        // Confirm this is intended, or deny when the target holds a higher role.
                        if (user.Roles.Contains(Role.UserManager)) { return(AuthorizationResult.Granted(user)); }
                        // Self-service: ordinal, case-sensitive username match.
                        if (user.UserName == userToManage) { return(AuthorizationResult.Granted(user)); }
                        break;
                    case UserManagementActionType.AssignRole:
                        // UserManager only, and never on their own account (blocks direct self-promotion).
                        // The role being assigned is not inspected here; whether a UserManager can grant
                        // Role.Admin to another user is decided (if at all) by the handler — confirm.
                        if (user.Roles.Contains(Role.UserManager) && userToManage != user.UserName) { return(AuthorizationResult.Granted(user)); }
                        break;
                    case UserManagementActionType.Delete:
                        // Same shape as ChangePassword: UserManager may delete any account (target roles
                        // not checked — NOTE(review): includes admins), and any user may delete themselves.
                        if (user.Roles.Contains(Role.UserManager)) { return(AuthorizationResult.Granted(user)); }
                        if (user.UserName == userToManage) { return(AuthorizationResult.Granted(user)); }
                        break;
                    default: throw new ArgumentOutOfRangeException();
                }
            }
            break;
        case ResourceType.GetCollectionPermissions:
            // UserManager only (Intersect(...).Any() here is a role-membership test).
            if (user.Roles.Intersect(new [] { Role.UserManager }).Any()) { return(AuthorizationResult.Granted(user)); }
            break;
        case ResourceType.GetGlobalRoles:
            // UserManager may read anyone's roles; otherwise only one's own.
            if (user.Roles.Intersect(new [] { Role.UserManager }).Any()) { return(AuthorizationResult.Granted(user)); }
            if (resourceDescription is GetGlobalRolesResourceDescription getGlobalRolesResourceDescription) {
                if (user.UserName == getGlobalRolesResourceDescription.Username) { return(AuthorizationResult.Granted(user)); }
            }
            break;
        case ResourceType.ViewUserProfiles:
            // Any of Viewer, Analyst or UserManager.
            if (user.Roles.Intersect(new [] { Role.Viewer, Role.Analyst, Role.UserManager }).Any()) { return(AuthorizationResult.Granted(user)); }
            break;
        case ResourceType.ProtectCollection:
            // Only admins can protect collections
            break;
        case ResourceType.SetDataRedirection:
            // Only admins can set redirections
            break;
        case ResourceType.SetCollectionOptions:
            // Only admins can set collection options
            break;
        case ResourceType.DeleteNotification:
            // Owner only: the notification's username must equal the caller's.
            if (resourceDescription is DeleteNotificationResourceDescription deleteNotificationResourceDescription) {
                if (user.UserName == deleteNotificationResourceDescription.NotificationUsername) { return(AuthorizationResult.Granted(user)); }
            }
            break;
        case ResourceType.ReportData:
            // All users can report data (no role required at all).
            return(AuthorizationResult.Granted(user));
        case ResourceType.ListCollections:
            if (user.Roles.Any()) { return(AuthorizationResult.Granted(user)); // Grant listing of collections to all with at least one role
            }
            break;
        case ResourceType.ListSubscriptions:
            // All users can list their subscriptions. No ownership check is performed here, so
            // scoping the result to the caller's own subscriptions must happen in the handler — confirm.
            return(AuthorizationResult.Granted(user));
        case ResourceType.Unsubscribe:
            // Single unsubscribe: owner only. UnsubscribeAll: any user, relying on the handler
            // to act only on the caller's subscriptions (see the referenced SECURITY NOTE).
            if (resourceDescription is UnsubscribeResourceDescription unsubscribeResourceDescription) {
                if (user.UserName == unsubscribeResourceDescription.SubscriptionUsername) { return(AuthorizationResult.Granted(user)); }
            } else if (resourceDescription is UnsubscribeAllResourceDescription) {
                return(AuthorizationResult.Granted(user)); // Allow all users to clear their subscriptions. See SECURITY NOTE in SubscriptionManager.UnsubscribeAll
            }
            break;
        default: throw new ArgumentOutOfRangeException();
    }
    // Default outcome for every non-granting path above.
    return(AuthorizationResult.Denied());
}