/// <summary>
/// Evaluates each of <paramref name="actions"/> for <paramref name="subject"/> on the given object and
/// returns the denied entries. The result holds at most one item: evaluation stops at the first denial.
/// An empty array means every requested action is allowed.
/// </summary>
/// <remarks>
/// A null subject (no authenticated account) denies every requested action without consulting the ACL.
/// Only the CoreSystem system account (checked by both type and ID) bypasses evaluation completely.
/// </remarks>
private DenyResult[] GetDenyActions(ISubject subject, IAction[] actions, ISecurityObjectId objectId, ISecurityObjectProvider securityObjProvider)
{
    var requested = actions ?? new IAction[0];

    // No subject at all: nothing is permitted, so every action is reported as denied.
    if (subject == null)
    {
        return requested.Select(a => new DenyResult(a, null, null)).ToArray();
    }

    // The core system account is exempt from ACL evaluation (and only that account).
    if (subject is ISystemAccount && subject.ID == Constants.CoreSystem.ID)
    {
        return new DenyResult[0];
    }

    var denied = new List<DenyResult>();
    foreach (var action in requested)
    {
        ISubject denySubject;
        IAction denyAction;
        var allowed = azManager.CheckPermission(subject, action, objectId, securityObjProvider, out denySubject, out denyAction);
        if (!allowed)
        {
            // The first denial is sufficient; the remaining actions are not evaluated.
            denied.Add(new DenyResult(action, denySubject, denyAction));
            break;
        }
    }

    return denied.ToArray();
}
/// <summary>
/// Demands that the current account may perform every one of <paramref name="actions"/> on the object,
/// delegating to SecurityContext.DemandPermissions, which throws on denial.
/// </summary>
/// <remarks>
/// Administrators short-circuit the demand entirely: no ACL is consulted for them, so this helper must
/// only be used where full administrative access to the object is intended.
/// </remarks>
public static void DemandPermissions(ISecurityObjectId objectId, ISecurityObjectProvider securityObjProvider, params IAction[] actions)
{
    // Administrative bypass happens before any permission resolution.
    if (!IsAdministrator())
    {
        SecurityContext.DemandPermissions(objectId, securityObjProvider, actions);
    }
}
/// <summary>
/// Returns whether the current account may perform every one of <paramref name="actions"/> on the object.
/// </summary>
/// <remarks>
/// Administrators are always allowed without consulting the ACL; everyone else is resolved through
/// SecurityContext.CheckPermissions.
/// </remarks>
/// <returns>true if permitted; false otherwise.</returns>
public static bool CheckPermissions(ISecurityObjectId objectId, ISecurityObjectProvider securityObjProvider, params IAction[] actions)
{
    // Short-circuit: the ACL is not evaluated at all for administrators.
    return IsAdministrator() || SecurityContext.CheckPermissions(objectId, securityObjProvider, actions);
}
/// <summary>
/// Returns the access control entries that apply to <paramref name="subject"/> for <paramref name="action"/>
/// on the object, including entries inherited along the object's security-provider chain.
/// </summary>
/// <param name="subject">Subject whose ACEs are requested; must not be null.</param>
/// <param name="action">Action the ACEs are requested for; must not be null.</param>
/// <param name="objectId">Target object; may be null for object-less (global) entries.</param>
/// <param name="secObjProvider">Provider used to walk the inheritance chain.</param>
/// <exception cref="ArgumentNullException">When subject or action is null.</exception>
public IEnumerable<Ace> GetAcl(ISubject subject, IAction action, ISecurityObjectId objectId, ISecurityObjectProvider secObjProvider)
{
    if (subject == null)
    {
        throw new ArgumentNullException("subject");
    }
    if (action == null)
    {
        throw new ArgumentNullException("action");
    }

    var records = CoreContext.AuthorizationManager.GetAcesWithInherits(subject.ID, action.ID, objectId, secObjProvider);

    // Project the stored authorization records onto the lightweight (action, reaction) pairs used by the resolver.
    return records.Select(record => new Ace(record.ActionId, record.Reaction));
}
/// <summary>
/// Resolves whether <paramref name="subject"/> may perform <paramref name="action"/> on the object.
/// </summary>
/// <param name="denySubject">On denial, the subject or role the denying ACE matched; otherwise whatever the resolver left in the ACL (null by default).</param>
/// <param name="denyAction">On denial, the action that was denied; otherwise whatever the resolver left in the ACL.</param>
/// <returns>true if allowed; false if denied.</returns>
/// <exception cref="ArgumentNullException">When subject or action is null.</exception>
public bool CheckPermission(ISubject subject, IAction action, ISecurityObjectId objectId, ISecurityObjectProvider securityObjProvider, out ISubject denySubject, out IAction denyAction)
{
    if (subject == null)
    {
        throw new ArgumentNullException("subject");
    }
    if (action == null)
    {
        throw new ArgumentNullException("action");
    }

    var decision = GetAzManagerAcl(subject, action, objectId, securityObjProvider);

    // Surface the denial details to the caller so an AuthorizingException can name them.
    denySubject = decision.DenySubject;
    denyAction = decision.DenyAction;
    return decision.IsAllow;
}
/// <summary>
/// Advances to the object this one inherits its security from. Returns true when a new object with a
/// usable provider is current; false when the chain ends (no provider, inheritance unsupported, or no parent).
/// </summary>
/// <remarks>
/// Each visited parent is pushed onto the call context's object stack. When the object id itself acts as
/// the provider, the provider is re-derived from the new current object; if that object is not a provider,
/// the method returns false, but the object has already been pushed onto the stack.
/// NOTE(review): there is no cycle detection here — a provider whose InheritFrom never returns null
/// would keep callers' while loops running; confirm providers guarantee a finite chain.
/// </remarks>
public bool NextInherit()
{
    var provider = currSecObjProvider;
    if (provider == null || !provider.InheritSupported)
    {
        return false;
    }

    var parent = provider.InheritFrom(currObjId);
    currObjId = parent;
    if (parent == null)
    {
        return false;
    }

    // The object id doubles as the provider: follow it to the parent as well.
    if (currObjIdAsProvider)
    {
        currSecObjProvider = parent as ISecurityObjectProvider;
    }

    callContext.ObjectsStack.Insert(0, CurrentObjectId);
    return currSecObjProvider != null;
}
/// <summary>
/// Throws an <c>AuthorizingException</c> unless <paramref name="subject"/> may perform every one of
/// <paramref name="actions"/> on the object; returns silently when all are allowed.
/// </summary>
/// <remarks>
/// The exception carries, per denied entry, the target action, the subject/role the denying ACE matched
/// and the denied action. The GetDenyActions implementation shown in this file stops at the first denial,
/// so in practice each array holds a single element.
/// </remarks>
public void Demand(ISubject subject, ISecurityObjectId objectId, ISecurityObjectProvider securityObjProvider, params IAction[] actions)
{
    var denied = GetDenyActions(subject, actions, objectId, securityObjProvider);
    if (denied.Length == 0)
    {
        return;
    }

    throw new AuthorizingException(
        subject,
        Array.ConvertAll(denied, d => d.TargetAction),
        Array.ConvertAll(denied, d => d.DenySubject),
        Array.ConvertAll(denied, d => d.DenyAction));
}
/// <summary>
/// Starts an inheritance walk at <paramref name="objectId"/>.
/// </summary>
/// <param name="objectId">Object to start from; must not be null.</param>
/// <param name="secObjProvider">
/// Explicit security-object provider. When null and the object id itself implements
/// ISecurityObjectProvider, the object id is used as the provider and re-derived on every step.
/// </param>
/// <exception cref="ArgumentNullException">When objectId is null.</exception>
public AzObjectSecurityProviderHelper(ISecurityObjectId objectId, ISecurityObjectProvider secObjProvider)
{
    if (objectId == null)
    {
        throw new ArgumentNullException(nameof(objectId));
    }

    CurrentObjectId = objectId;

    // Fall back to the object id acting as its own provider only when no provider was supplied.
    var idAsProvider = secObjProvider == null ? objectId as ISecurityObjectProvider : null;
    currObjIdAsProvider = idAsProvider != null;
    currSecObjProvider = secObjProvider ?? idAsProvider;

    callContext = new SecurityCallContext();
}
/// <summary>
/// Starts an inheritance walk at <paramref name="objectId"/>.
/// </summary>
/// <param name="objectId">Object to start from; must not be null.</param>
/// <param name="secObjProvider">
/// Explicit security-object provider. When null and the object id itself implements
/// ISecurityObjectProvider, the object id is used as the provider and re-derived on every step.
/// </param>
/// <exception cref="ArgumentNullException">When objectId is null.</exception>
public AzObjectSecurityProviderHelper(ISecurityObjectId objectId, ISecurityObjectProvider secObjProvider)
{
    if (objectId == null)
    {
        throw new ArgumentNullException("objectId");
    }

    currObjId = objectId;

    // Fall back to the object id acting as its own provider only when no provider was supplied.
    var idAsProvider = secObjProvider == null ? objectId as ISecurityObjectProvider : null;
    currObjIdAsProvider = idAsProvider != null;
    currSecObjProvider = secObjProvider ?? idAsProvider;

    callContext = new SecurityCallContext();
}
/// <summary>
/// Starts an inheritance walk at <paramref name="objectId"/>.
/// </summary>
/// <param name="objectId">Object to start from; must not be null.</param>
/// <param name="secObjProvider">
/// Explicit security-object provider. When null and the object id itself implements
/// ISecurityObjectProvider, the object id is used as the provider and re-derived on every step.
/// </param>
/// <exception cref="ArgumentNullException">When objectId is null.</exception>
public AzObjectSecurityProviderHelper(ISecurityObjectId objectId, ISecurityObjectProvider secObjProvider)
{
    if (objectId == null)
    {
        throw new ArgumentNullException("objectId");
    }

    currObjId = objectId;

    // Fall back to the object id acting as its own provider only when no provider was supplied.
    var idAsProvider = secObjProvider == null ? objectId as ISecurityObjectProvider : null;
    currObjIdAsProvider = idAsProvider != null;
    currSecObjProvider = secObjProvider ?? idAsProvider;

    callContext = new SecurityCallContext();
}
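/// <summary>
/// Returns whether the current account may perform <paramref name="actions"/> on the object.
/// </summary>
/// <remarks>
/// Administrators are always allowed. Outsiders (guest/external accounts) are only ever allowed to request
/// the "Read forum post" action: if any other action is requested, or no action at all, the check fails
/// closed before the ACL is consulted. Everyone else is resolved through SecurityContext.CheckPermissions.
/// </remarks>
/// <returns>true if permitted; false otherwise.</returns>
public static bool CheckPermissions(ISecurityObjectId objectId, ISecurityObjectProvider securityObjProvider, params IAction[] actions)
{
    if (IsAdministrator())
    {
        return true;
    }

    if (IsOutsider())
    {
        // "Read forum post" action id — the only action an outsider may request.
        var readForumPostActionId = new Guid("{E0759A42-47F0-4763-A26A-D5AA665BEC35}");
        var actionArray = actions ?? new IAction[0];

        // Fix: the previous loop re-assigned the flag on every iteration, so only the LAST action decided
        // the outcome and a non-read action listed before the read action slipped past this gate.
        // Every requested action must be the read action; an empty or null-containing request is refused.
        if (actionArray.Length == 0)
        {
            return false;
        }
        foreach (var action in actionArray)
        {
            if (action == null || !action.ID.Equals(readForumPostActionId))
            {
                return false;
            }
        }
    }

    return SecurityContext.CheckPermissions(objectId, securityObjProvider, actions);
}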
/// <summary>
/// Advances to the object this one inherits its security from. Returns true when a new object with a
/// usable provider is current; false when the chain ends (no provider, inheritance unsupported, or no parent).
/// </summary>
/// <remarks>
/// Each visited parent is pushed onto the call context's object stack. When the object id itself acts as
/// the provider, the provider is re-derived from the new current object; if that object is not a provider,
/// the method returns false, but the object has already been pushed onto the stack.
/// NOTE(review): there is no cycle detection here — a provider whose InheritFrom never returns null
/// would keep callers' while loops running; confirm providers guarantee a finite chain.
/// </remarks>
public bool NextInherit()
{
    var provider = currSecObjProvider;
    if (provider == null || !provider.InheritSupported)
    {
        return false;
    }

    var parent = provider.InheritFrom(currObjId);
    currObjId = parent;
    if (parent == null)
    {
        return false;
    }

    // The object id doubles as the provider: follow it to the parent as well.
    if (currObjIdAsProvider)
    {
        currSecObjProvider = parent as ISecurityObjectProvider;
    }

    callContext.ObjectsStack.Insert(0, CurrentObjectId);
    return currSecObjProvider != null;
}
/// <summary>
/// Resolves whether <paramref name="subject"/> may perform <paramref name="action"/> on the object.
/// </summary>
/// <param name="denySubject">On denial, the subject or role the denying ACE matched; otherwise whatever the resolver left in the ACL (null by default).</param>
/// <param name="denyAction">On denial, the action that was denied; otherwise whatever the resolver left in the ACL.</param>
/// <returns>true if allowed; false if denied.</returns>
/// <exception cref="ArgumentNullException">When subject or action is null.</exception>
public bool CheckPermission(ISubject subject, IAction action, ISecurityObjectId objectId, ISecurityObjectProvider securityObjProvider, out ISubject denySubject, out IAction denyAction)
{
    if (subject == null)
    {
        throw new ArgumentNullException("subject");
    }
    if (action == null)
    {
        throw new ArgumentNullException("action");
    }

    var decision = GetAzManagerAcl(subject, action, objectId, securityObjProvider);

    // Surface the denial details to the caller so an AuthorizingException can name them.
    denySubject = decision.DenySubject;
    denyAction = decision.DenyAction;
    return decision.IsAllow;
}
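/// <summary>
/// Returns whether the current account may perform <paramref name="actions"/> on the object.
/// </summary>
/// <remarks>
/// Administrators are always allowed. Outsiders (guest/external accounts) are only ever allowed to request
/// the "Read forum post" action: if any other action is requested, or no action at all, the check fails
/// closed before the ACL is consulted. Everyone else is resolved through SecurityContext.CheckPermissions.
/// </remarks>
/// <returns>true if permitted; false otherwise.</returns>
public static bool CheckPermissions(ISecurityObjectId objectId, ISecurityObjectProvider securityObjProvider, params IAction[] actions)
{
    if (IsAdministrator())
    {
        return true;
    }

    if (IsOutsider())
    {
        // "Read forum post" action id — the only action an outsider may request.
        var readForumPostActionId = new Guid("{E0759A42-47F0-4763-A26A-D5AA665BEC35}");
        var actionArray = actions ?? new IAction[0];

        // Fix: the previous loop re-assigned the flag on every iteration, so only the LAST action decided
        // the outcome and a non-read action listed before the read action slipped past this gate.
        // Every requested action must be the read action; an empty or null-containing request is refused.
        if (actionArray.Length == 0)
        {
            return false;
        }
        foreach (var action in actionArray)
        {
            if (action == null || !action.ID.Equals(readForumPostActionId))
            {
                return false;
            }
        }
    }

    return SecurityContext.CheckPermissions(objectId, securityObjProvider, actions);
}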
/// <summary>
/// Collects every subject whose ACEs apply to <paramref name="subject"/>: the subject itself, its global
/// roles, and the object-scoped roles granted on the object and on each ancestor in its inheritance chain.
/// </summary>
/// <remarks>
/// The returned order (subject, global roles, then object roles from the object upward) is the order in
/// which the ACL resolver evaluates them, so it affects which Allow/Deny entry is seen first.
/// Object roles are de-duplicated; the subject and its global roles are added as-is.
/// </remarks>
internal IEnumerable<ISubject> GetSubjects(ISubject subject, ISecurityObjectId objectId, ISecurityObjectProvider securityObjProvider)
{
    var result = new List<ISubject> { subject };

    // Global roles of the subject.
    foreach (var role in roleProvider.GetRoles(subject))
    {
        result.Add(role);
    }

    if (objectId == null)
    {
        return result;
    }

    // Object-scoped roles, gathered for the object itself and each inherited parent.
    var helper = new AzObjectSecurityProviderHelper(objectId, securityObjProvider);
    do
    {
        if (helper.ObjectRolesSupported)
        {
            foreach (IRole role in helper.GetObjectRoles(subject))
            {
                if (!result.Contains(role))
                {
                    result.Add(role);
                }
            }
        }
    }
    while (helper.NextInherit());

    return result;
}
/// <summary>
/// Returns the authorization records for (<paramref name="subjectId"/>, <paramref name="actionId"/>) on
/// <paramref name="objectId"/>, followed by the de-duplicated records inherited along the object's
/// security-provider chain and the object-less (global) records of the current tenant.
/// </summary>
/// <remarks>
/// Object-specific records come first and are not de-duplicated; inherited and global records are passed
/// through DistinctAces together. With a null object only the global records are returned.
/// Records are loaded for the current tenant only. The inheritance loop relies on the provider chain
/// terminating (NextInherit returning false); there is no cycle guard here.
/// </remarks>
public IEnumerable<AzRecord> GetAcesWithInherits(Guid subjectId, Guid actionId, ISecurityObjectId objectId, ISecurityObjectProvider secObjProvider)
{
    // Without an object there is nothing to inherit: only the global records apply.
    if (objectId == null)
    {
        return GetAces(subjectId, actionId, null);
    }

    var tenantId = CoreContext.TenantManager.GetCurrentTenant().TenantId;
    var tenantAces = service.GetAces(tenantId, default(DateTime));

    var result = new List<AzRecord>(FilterAces(tenantAces, subjectId, actionId, objectId));

    var inherited = new List<AzRecord>();
    var helper = new AzObjectSecurityProviderHelper(objectId, secObjProvider);
    while (helper.NextInherit())
    {
        inherited.AddRange(FilterAces(tenantAces, subjectId, actionId, helper.CurrentObjectId));
    }
    // Global records are treated as the root of the inheritance chain.
    inherited.AddRange(FilterAces(tenantAces, subjectId, actionId, null));

    result.AddRange(DistinctAces(inherited));
    return result;
}
/// <summary>
/// Resolves whether <paramref name="subject"/> may perform <paramref name="action"/> on the object,
/// returning the decision plus, on denial, the subject/role and action the denying ACE applied to.
/// </summary>
/// <remarks>
/// Subjects are walked in the order produced by GetSubjects and, for each, their ACEs in ACL order.
/// A Deny ACE ends the walk immediately with a denial — even after an Allow was already recorded for a
/// conjunctive action. An Allow ends the walk only for disjunctive actions (first Allow wins); for
/// conjunctive actions the walk continues so a later Deny can still override it.
/// Actions flagged AdministratorAlwaysAllow bypass the ACL for the Admin account and members of the Admin role.
/// NOTE(review): if AzManagerAcl is a reference type, <c>AzManagerAcl.Default</c> is mutated below on
/// every call — confirm it is a struct or a property returning a fresh instance.
/// </remarks>
internal AzManagerAcl GetAzManagerAcl(ISubject subject, IAction action, ISecurityObjectId objectId, ISecurityObjectProvider securityObjProvider)
{
    if (action.AdministratorAlwaysAllow && (Constants.Admin.ID == subject.ID || roleProvider.IsSubjectInRole(subject, Constants.Admin)))
    {
        return AzManagerAcl.Allow;
    }

    var acl = AzManagerAcl.Default;

    foreach (var candidate in GetSubjects(subject, objectId, securityObjProvider))
    {
        foreach (var ace in permissionProvider.GetAcl(candidate, action, objectId, securityObjProvider))
        {
            if (ace.Reaction == AceType.Deny)
            {
                // Deny is final: record who and what was denied and stop.
                acl.IsAllow = false;
                acl.DenySubject = candidate;
                acl.DenyAction = action;
                return acl;
            }

            if (ace.Reaction == AceType.Allow)
            {
                acl.IsAllow = true;
                if (!action.Conjunction)
                {
                    // Disjunctive action: the first Allow settles it.
                    return acl;
                }
            }
        }
    }

    return acl;
}
/// <summary>
/// Demands that the current account may perform every one of <paramref name="actions"/> on the object;
/// the resolver throws an AuthorizingException on denial. No administrative bypass is applied here.
/// </summary>
public static void DemandPermissions(ISecurityObjectId objectId, ISecurityObjectProvider securityObjProvider, params IAction[] actions)
    => PermissionResolver.Demand(CurrentAccount, objectId, securityObjProvider, actions);
/// <summary>
/// Returns true when <paramref name="subject"/> may perform every one of <paramref name="actions"/>
/// on the object, i.e. when GetDenyActions reports no denied entry.
/// </summary>
public bool Check(ISubject subject, ISecurityObjectId objectId, ISecurityObjectProvider securityObjProvider, params IAction[] actions)
{
    // Any denied entry (including the "no subject" case) fails the check.
    return GetDenyActions(subject, actions, objectId, securityObjProvider).Length == 0;
}
/// <summary>
/// Returns the authorization records for (<paramref name="subjectId"/>, <paramref name="actionId"/>) on
/// <paramref name="objectId"/>, followed by the de-duplicated records inherited along the object's
/// security-provider chain and the object-less (global) records of the current tenant.
/// </summary>
/// <remarks>
/// Object-specific records come first and are not de-duplicated; inherited and global records are passed
/// through DistinctAces together. With a null object only the global records are returned.
/// Records are loaded for the current tenant only. The inheritance loop relies on the provider chain
/// terminating (NextInherit returning false); there is no cycle guard here.
/// </remarks>
public IEnumerable<AzRecord> GetAcesWithInherits(Guid subjectId, Guid actionId, ISecurityObjectId objectId, ISecurityObjectProvider secObjProvider)
{
    // Without an object there is nothing to inherit: only the global records apply.
    if (objectId == null)
    {
        return GetAces(subjectId, actionId, null);
    }

    var tenantId = TenantManager.GetCurrentTenant().TenantId;
    var tenantAces = service.GetAces(tenantId, default);

    var result = new List<AzRecord>(FilterAces(tenantAces, subjectId, actionId, objectId));

    var inherited = new List<AzRecord>();
    var helper = new AzObjectSecurityProviderHelper(objectId, secObjProvider);
    while (helper.NextInherit())
    {
        inherited.AddRange(FilterAces(tenantAces, subjectId, actionId, helper.CurrentObjectId));
    }
    // Global records are treated as the root of the inheritance chain.
    inherited.AddRange(FilterAces(tenantAces, subjectId, actionId, null));

    result.AddRange(DistinctAces(inherited));
    return result;
}
/// <summary>
/// Returns the ACEs for <paramref name="subject"/> and <paramref name="action"/> on <paramref name="objectId"/>,
/// plus — when inheritance is enabled for the object — the ACEs of each ancestor in its security-provider
/// chain and the object-less (global) ACEs, de-duplicated by (action id, reaction).
/// </summary>
/// <remarks>
/// Object-specific ACEs are collected first, so they win de-duplication over inherited and global ones.
/// Global ACEs are consulted only when GetObjectAcesInheritance(objectId) is true.
/// </remarks>
/// <exception cref="ArgumentNullException">When subject, action or objectId is null.</exception>
public IEnumerable<Ace> GetAcl(ISubject subject, IAction action, ISecurityObjectId objectId, ISecurityObjectProvider secObjProvider)
{
    if (subject == null)
    {
        throw new ArgumentNullException("subject");
    }
    if (action == null)
    {
        throw new ArgumentNullException("action");
    }
    if (objectId == null)
    {
        throw new ArgumentNullException("objectId");
    }

    var collected = new List<Ace>(GetAcl(subject, action, AzObjectIdHelper.GetFullObjectId(objectId)));

    if (GetObjectAcesInheritance(objectId))
    {
        var helper = new AzObjectSecurityProviderHelper(objectId, secObjProvider);
        while (helper.NextInherit())
        {
            collected.AddRange(GetAcl(subject, action, AzObjectIdHelper.GetFullObjectId(helper.CurrentObjectId)));
        }
        // Global ACEs act as the root of the chain and are only consulted when inheriting.
        collected.AddRange(GetAcl(subject, action));
    }

    // Keep the first ACE seen for each (action id, reaction) pair, preserving encounter order.
    var seenKeys = new HashSet<string>();
    var distinct = new List<Ace>();
    foreach (var ace in collected)
    {
        var key = string.Format("{0}{1:D}", ace.ActionId, ace.Reaction);
        if (seenKeys.Add(key))
        {
            distinct.Add(ace);
        }
    }

    return distinct;
}
/// <summary>
/// Returns true when <paramref name="subject"/> may perform every one of <paramref name="actions"/>
/// on the object, i.e. when GetDenyActions reports no denied entry.
/// </summary>
public bool Check(ISubject subject, ISecurityObjectId objectId, ISecurityObjectProvider securityObjProvider, params IAction[] actions)
{
    // Any denied entry (including the "no subject" case) fails the check.
    return GetDenyActions(subject, actions, objectId, securityObjProvider).Length == 0;
}
/// <summary>
/// Collects every subject whose ACEs apply to <paramref name="subject"/>: the subject itself, its global
/// roles, and the object-scoped roles granted on the object and on each ancestor in its inheritance chain.
/// </summary>
/// <remarks>
/// The returned order (subject, global roles, then object roles from the object upward) is the order in
/// which the ACL resolver evaluates them, so it affects which Allow/Deny entry is seen first.
/// Object roles are de-duplicated; the subject and its global roles are added as-is.
/// </remarks>
internal IEnumerable<ISubject> GetSubjects(ISubject subject, ISecurityObjectId objectId, ISecurityObjectProvider securityObjProvider)
{
    var result = new List<ISubject> { subject };

    // Global roles of the subject.
    foreach (var role in roleProvider.GetRoles(subject))
    {
        result.Add(role);
    }

    if (objectId == null)
    {
        return result;
    }

    // Object-scoped roles, gathered for the object itself and each inherited parent.
    var helper = new AzObjectSecurityProviderHelper(objectId, securityObjProvider);
    do
    {
        if (helper.ObjectRolesSupported)
        {
            foreach (IRole role in helper.GetObjectRoles(subject))
            {
                if (!result.Contains(role))
                {
                    result.Add(role);
                }
            }
        }
    }
    while (helper.NextInherit());

    return result;
}
/// <summary>
/// Returns the access control entries that apply to <paramref name="subject"/> for <paramref name="action"/>
/// on the object, including entries inherited along the object's security-provider chain.
/// </summary>
/// <param name="subject">Subject whose ACEs are requested; must not be null.</param>
/// <param name="action">Action the ACEs are requested for; must not be null.</param>
/// <param name="objectId">Target object; may be null for object-less (global) entries.</param>
/// <param name="secObjProvider">Provider used to walk the inheritance chain.</param>
/// <exception cref="ArgumentNullException">When subject or action is null.</exception>
public IEnumerable<Ace> GetAcl(ISubject subject, IAction action, ISecurityObjectId objectId, ISecurityObjectProvider secObjProvider)
{
    if (subject == null)
    {
        throw new ArgumentNullException("subject");
    }
    if (action == null)
    {
        throw new ArgumentNullException("action");
    }

    var records = CoreContext.AuthorizationManager.GetAcesWithInherits(subject.ID, action.ID, objectId, secObjProvider);

    // Project the stored authorization records onto the lightweight (action, reaction) pairs used by the resolver.
    return records.Select(record => new Ace(record.ActionId, record.Reaction));
}
/// <summary>
/// Demands that the current account may perform every one of <paramref name="actions"/> on the object,
/// delegating to SecurityContext.DemandPermissions, which throws on denial.
/// </summary>
/// <remarks>
/// Administrators short-circuit the demand entirely: no ACL is consulted for them, so this helper must
/// only be used where full administrative access to the object is intended.
/// </remarks>
public static void DemandPermissions(ISecurityObjectId objectId, ISecurityObjectProvider securityObjProvider, params IAction[] actions)
{
    // Administrative bypass happens before any permission resolution.
    if (!IsAdministrator())
    {
        SecurityContext.DemandPermissions(objectId, securityObjProvider, actions);
    }
}
/// <summary>
/// Returns whether the current account may perform every one of <paramref name="actions"/> on the object.
/// </summary>
/// <remarks>
/// Administrators are always allowed without consulting the ACL; everyone else is resolved through
/// SecurityContext.CheckPermissions.
/// </remarks>
/// <returns>true if permitted; false otherwise.</returns>
public static bool CheckPermissions(ISecurityObjectId objectId, ISecurityObjectProvider securityObjProvider, params IAction[] actions)
{
    // Short-circuit: the ACL is not evaluated at all for administrators.
    return IsAdministrator() || SecurityContext.CheckPermissions(objectId, securityObjProvider, actions);
}
/// <summary>
/// Evaluates each of <paramref name="actions"/> for <paramref name="subject"/> on the given object and
/// returns the denied entries. The result holds at most one item: evaluation stops at the first denial.
/// An empty array means every requested action is allowed.
/// </summary>
/// <remarks>
/// A null subject (no authenticated account) denies every requested action without consulting the ACL.
/// Only the CoreSystem system account (checked by both type and ID) bypasses evaluation completely.
/// </remarks>
private DenyResult[] GetDenyActions(ISubject subject, IAction[] actions, ISecurityObjectId objectId, ISecurityObjectProvider securityObjProvider)
{
    var requested = actions ?? new IAction[0];

    // No subject at all: nothing is permitted, so every action is reported as denied.
    if (subject == null)
    {
        return requested.Select(a => new DenyResult(a, null, null)).ToArray();
    }

    // The core system account is exempt from ACL evaluation (and only that account).
    if (subject is ISystemAccount && subject.ID == Constants.CoreSystem.ID)
    {
        return new DenyResult[0];
    }

    var denied = new List<DenyResult>();
    foreach (var action in requested)
    {
        ISubject denySubject;
        IAction denyAction;
        var allowed = azManager.CheckPermission(subject, action, objectId, securityObjProvider, out denySubject, out denyAction);
        if (!allowed)
        {
            // The first denial is sufficient; the remaining actions are not evaluated.
            denied.Add(new DenyResult(action, denySubject, denyAction));
            break;
        }
    }

    return denied.ToArray();
}
/// <summary>
/// Returns whether the current account may perform every one of <paramref name="actions"/> on the object,
/// as decided by the permission resolver. No administrative bypass is applied here.
/// </summary>
public static bool CheckPermissions(ISecurityObjectId objectId, ISecurityObjectProvider securityObjProvider, params IAction[] actions)
    => PermissionResolver.Check(CurrentAccount, objectId, securityObjProvider, actions);
/// <summary>
/// Returns whether the current account may perform every one of <paramref name="actions"/> on the object,
/// as decided by the permission resolver. No administrative bypass is applied here.
/// </summary>
public static bool CheckPermissions(ISecurityObjectId objectId, ISecurityObjectProvider securityObjProvider, params IAction[] actions)
    => PermissionResolver.Check(CurrentAccount, objectId, securityObjProvider, actions);
/// <summary>
/// Resolves whether <paramref name="subject"/> may perform <paramref name="action"/> on the object,
/// returning the decision plus, on denial, the subject/role and action the denying ACE applied to.
/// </summary>
/// <remarks>
/// Subjects are walked in the order produced by GetSubjects and, for each, their ACEs in ACL order.
/// A Deny ACE ends the walk immediately with a denial — even after an Allow was already recorded for a
/// conjunctive action. An Allow ends the walk only for disjunctive actions (first Allow wins); for
/// conjunctive actions the walk continues so a later Deny can still override it.
/// Actions flagged AdministratorAlwaysAllow bypass the ACL for the Admin account and members of the Admin role.
/// NOTE(review): if AzManagerAcl is a reference type, <c>AzManagerAcl.Default</c> is mutated below on
/// every call — confirm it is a struct or a property returning a fresh instance.
/// </remarks>
internal AzManagerAcl GetAzManagerAcl(ISubject subject, IAction action, ISecurityObjectId objectId, ISecurityObjectProvider securityObjProvider)
{
    if (action.AdministratorAlwaysAllow && (Constants.Admin.ID == subject.ID || roleProvider.IsSubjectInRole(subject, Constants.Admin)))
    {
        return AzManagerAcl.Allow;
    }

    var acl = AzManagerAcl.Default;

    foreach (var candidate in GetSubjects(subject, objectId, securityObjProvider))
    {
        foreach (var ace in permissionProvider.GetAcl(candidate, action, objectId, securityObjProvider))
        {
            if (ace.Reaction == AceType.Deny)
            {
                // Deny is final: record who and what was denied and stop.
                acl.IsAllow = false;
                acl.DenySubject = candidate;
                acl.DenyAction = action;
                return acl;
            }

            if (ace.Reaction == AceType.Allow)
            {
                acl.IsAllow = true;
                if (!action.Conjunction)
                {
                    // Disjunctive action: the first Allow settles it.
                    return acl;
                }
            }
        }
    }

    return acl;
}