public void LinkPolicy(int policyId)
{
if (Policies.IsNullOrEmpty())
{
Policies = new List <SecurityGroupPolicy>();
}
var exist = Policies.Any(p => p.PolicyId == policyId);
if (exist)
{
throw new BusinessException($"Policy already linked for this security group.");
}
var sgPolicy = new SecurityGroupPolicy {
SecurityGroup = this, PolicyId = policyId
};
Policies.Add(sgPolicy);
}
/// <summary>
/// Generate and return a new X509 certificate.
/// </summary>
/// <returns></returns>
public X509Certificate2 Generate()
{
var generator = new X509V3CertificateGenerator();
// RFC 5280 section 4.1.2.2. Serial Number
generator.SetSerialNumber(SerialNumber);
// RFC 5280 section 4.1.2.4. Issuer
generator.SetIssuerDN(IssuerDN);
// RFC 5280 section 4.1.2.5. Validity
if (!IsSelfSigned && NotBefore < Issuer.NotBefore)
{
NotBefore = Issuer.NotBefore;
}
if (!IsSelfSigned && Issuer.NotAfter < NotAfter)
{
NotAfter = Issuer.NotAfter;
}
generator.SetNotBefore(NotBefore);
generator.SetNotAfter(NotAfter);
// RFC 5280 section 4.1.2.6. Subject; also see Direct Project 1.2 section 4.1.1.2.
generator.SetSubjectDN(SubjectDN);
// RFC 5280 section 4.1.2.7. Subject Public Key Info
generator.SetPublicKey(SubjectKeyPair.Public);
// RFC 5280 section 4.2.1.1. Authority Key Identifier
if (IsSelfSigned)
{
var authorityKeyIdentifier = new AuthorityKeyIdentifier(
SubjectPublicKeyInfoFactory.CreateSubjectPublicKeyInfo(SubjectKeyPair.Public),
new GeneralNames(new GeneralName(SubjectDN)),
SerialNumber);
generator.AddExtension(X509Extensions.AuthorityKeyIdentifier, false, authorityKeyIdentifier);
}
else
{
generator.AddExtension(X509Extensions.AuthorityKeyIdentifier, false, new AuthorityKeyIdentifierStructure(Issuer));
}
// RFC 5280 section 4.2.1.2. Subject Key Identifier
var subjectKeyIdentifier = new SubjectKeyIdentifier(SubjectPublicKeyInfoFactory.CreateSubjectPublicKeyInfo(SubjectKeyPair.Public));
generator.AddExtension(X509Extensions.SubjectKeyIdentifier.Id, false, subjectKeyIdentifier);
// RFC 5280 section 4.2.1.3. Key Usage
generator.AddExtension(X509Extensions.KeyUsage, false, new KeyUsage((int)KeyUsage));
// RFC 5280 section 4.2.1.4. Certificate Policies
if (Policies.Any())
{
var policies = Policies.Select(x => new PolicyInformation(new DerObjectIdentifier(x))).ToArray();
generator.AddExtension(X509Extensions.CertificatePolicies, false, new CertificatePolicies(policies));
}
// RFC 5280 section 4.2.1.6. Subject Alternative Name; also see Direct Project 1.2 section 4.1.1.1.
generator.AddExtension(X509Extensions.SubjectAlternativeName, false, SubjectAlternativeName);
// RFC 5280 section 4.2.1.9. Basic Constraints
generator.AddExtension(X509Extensions.BasicConstraints, true, BasicConstraints);
// RFC 5280 section 4.2.1.12. Extended Key Usage
generator.AddExtension(X509Extensions.ExtendedKeyUsage, false, new ExtendedKeyUsage(KeyPurposeID.IdKPEmailProtection));
// RFC 5280 section 4.2.1.13. CRL Distribution Points
var crlDistPoint = GetCrlDistributionPoints();
if (crlDistPoint != null)
{
generator.AddExtension(X509Extensions.CrlDistributionPoints, false, crlDistPoint);
}
// RFC 5280 section 4.2.2.1. Authority Information Access
var authorityInfoAccess = GetAuthorityInfoAccessEncoded();
if (authorityInfoAccess != null)
{
generator.AddExtension(X509Extensions.AuthorityInfoAccess, false, authorityInfoAccess);
}
// Generate a new certificate.
var certificate = generator.Generate(new Asn1SignatureFactory(SignatureAlgorithmName, (IssuerKeyPair ?? SubjectKeyPair).Private, SecureRandom));
// Create a PKCS12 store (a.PFX file) in memory, and add the public and private key to that.
var store = new Pkcs12Store();
var certificateEntry = new X509CertificateEntry(certificate);
string friendlyName = certificate.SubjectDN.ToString();
store.SetCertificateEntry(friendlyName, certificateEntry);
store.SetKeyEntry(friendlyName, new AsymmetricKeyEntry(SubjectKeyPair.Private), new[] { certificateEntry });
using (var stream = new MemoryStream())
{
// The password is required by the API, but will not be used beyond this scope.
const string password = "******";
store.Save(stream, password.ToCharArray(), SecureRandom);
return(new X509Certificate2(
stream.ToArray(),
password,
X509KeyStorageFlags.PersistKeySet | X509KeyStorageFlags.Exportable));
}
}
/// <summary>
/// Criando regras iniciais e de testes
/// </summary>
private void Seed_Security()
{
if (!Groups.Any())
{
var groups = new Group[]
{
new Group {
Name = "Security"
},
new Group {
Name = "Management"
},
new Group {
Name = "Configuration"
},
new Group {
Name = "Sales"
},
new Group {
Name = "Operation"
}
};
Groups.AddRange(groups);
foreach (var enterprise in Enterprises)
{
var name = enterprise.Name.EndsWith('s')
? enterprise.Name + "\'s"
: enterprise.Name;
var group = new Group
{
Name = $"{name} User",
Enterprise = enterprise
};
Groups.Add(group);
}
SaveChanges();
}
if (IsTest)
{
if (!Users.Any())
{
{
var enterprise = Enterprises
.Single(e => e.Name == "Enterprise Test");
var email = $"user@{enterprise.Name}.com".Replace(" ", "").ToLower();
var user = new User
{
Name = "User",
PublicId = CryptoHelper.Guid("U$1"),
PrivateId = CryptoHelper.Guid("U$1"),
Email = email,
Password = CryptoHelper.Guid("user2019"),
Enterprise = enterprise
};
Users.Add(user);
}
foreach (var group in Groups
.Where(e => e.EnterpriseId == null))
{
foreach (var enterprise in Enterprises)
{
var email = $"{group.Name}@{enterprise.Name}.com".Replace(" ", "").ToLower();
var user = new User
{
Name = group.Name,
PublicId = CryptoHelper.Guid(group.Name + "#" + enterprise.Name),
PrivateId = CryptoHelper.Guid(group.Name + "$" + enterprise.Name),
Email = email,
Password = CryptoHelper.Guid(group.Name.ToLower()),
Enterprise = enterprise
};
Users.Add(user);
var userGroup = new UserGroup
{
User = user,
Group = group
};
UserGroups.AddRange(userGroup);
}
}
SaveChanges();
}
}
if (!Areas.Any())
{
var areas = new Area[]
{
new Area {
Id = (int)AreaEnum.User,
Name = "User"
},
new Area {
Id = (int)AreaEnum.Group,
Name = "Group"
},
new Area {
Id = (int)AreaEnum.Customer,
Name = "Customer"
}
};
Areas.AddRange(areas);
SaveChanges();
}
if (IsTest)
{
if (!AreaAccess.Any())
{
// Sales tem acesso de leitura e escrita no CRM
{
var area = Areas
.Find((int)AreaEnum.Customer);
var group = Groups
.First(e => e.Name == "Sales");
var areaAccess = new AreaAccess
{
Area = area,
Group = group,
CanCreate = true,
CanDelete = false,
CanModify = true,
CanRead = true
};
AreaAccess.Add(areaAccess);
}
// Management tem acesso completo ao CRM
{
var area = Areas
.Find((int)AreaEnum.Customer);
var group = Groups
.First(e => e.Name == "Management");
var areaAccess = new AreaAccess
{
Area = area,
Group = group,
CanCreate = true,
CanDelete = true,
CanModify = true,
CanRead = true
};
AreaAccess.Add(areaAccess);
}
// Operation só pode consultar o CRM
{
var area = Areas
.Find((int)AreaEnum.Customer);
var group = Groups
.First(e => e.Name == "Operation");
var areaAccess = new AreaAccess
{
Area = area,
Group = group,
CanCreate = false,
CanDelete = false,
CanModify = false,
CanRead = true
};
AreaAccess.Add(areaAccess);
}
// Segurança pode criar novos grupos
{
var area = Areas
.Find((int)AreaEnum.Group);
var group = Groups
.First(e => e.Name == "Security");
var areaAccess = new AreaAccess
{
Area = area,
Group = group,
CanCreate = true,
CanDelete = true,
CanModify = true,
CanRead = true
};
AreaAccess.Add(areaAccess);
}
// Segurança pode criar novos usuários
{
var area = Areas
.Find((int)AreaEnum.User);
var group = Groups
.First(e => e.Name == "Security");
var areaAccess = new AreaAccess
{
Area = area,
Group = group,
CanCreate = true,
CanDelete = true,
CanModify = true,
CanRead = true
};
AreaAccess.Add(areaAccess);
}
SaveChanges();
}
}
if (!Policies.Any())
{
var area = Areas
.Find((int)AreaEnum.User);
var policies = new Policy[]
{
new Policy {
Id = (int)PolicyEnum.User_ChangePassword,
Area = area,
Name = "Change Password"
},
new Policy {
Id = (int)PolicyEnum.User_ChangeEmail,
Area = area,
Name = "Change Email"
}
};
Policies.AddRange(policies);
SaveChanges();
}
if (IsTest)
{
if (!PolicyAccess.Any())
{
// Segurança tem acesso às políticas de segurança
{
var area = Areas
.Find((int)AreaEnum.User);
var group = Groups
.First(e => e.Name == "Security");
foreach (var policy in Policies
.Where(e => e.AreaId == area.Id))
{
var policyAccess = new PolicyAccess
{
Group = group,
Policy = policy
};
PolicyAccess.AddRange(policyAccess);
}
}
SaveChanges();
}
}
}
