private PrincipalWithDatabaseAccess UpdateUserPrincipal(IHttpContext ctx, List <DatabaseAccess> databaseAccessLists)
{
var access = ctx.User as PrincipalWithDatabaseAccess;
if (access != null)
{
return(access);
}
var user = new PrincipalWithDatabaseAccess((WindowsPrincipal)ctx.User);
foreach (var databaseAccess in databaseAccessLists)
{
if (databaseAccess.Admin)
{
user.AdminDatabases.Add(databaseAccess.TenantId);
}
else if (databaseAccess.ReadOnly)
{
user.ReadOnlyDatabases.Add(databaseAccess.TenantId);
}
else
{
user.ReadWriteDatabases.Add(databaseAccess.TenantId);
}
}
ctx.User = user;
return(user);
}
private PrincipalWithDatabaseAccess UpdateUserPrincipal(RavenBaseApiController controller, List <ResourceAccess> databaseAccessLists)
{
var access = controller.User as PrincipalWithDatabaseAccess;
if (access != null)
{
return(access);
}
var user = new PrincipalWithDatabaseAccess((WindowsPrincipal)controller.User);
foreach (var databaseAccess in databaseAccessLists)
{
if (databaseAccess.Admin)
{
user.AdminDatabases.Add(databaseAccess.TenantId);
}
else if (databaseAccess.ReadOnly)
{
user.ReadOnlyDatabases.Add(databaseAccess.TenantId);
}
else
{
user.ReadWriteDatabases.Add(databaseAccess.TenantId);
}
}
controller.User = user;
Thread.CurrentPrincipal = user;
return(user);
}
public override bool Authorize(IHttpContext ctx)
{
Action onRejectingRequest;
var userCreated = TryCreateUser(ctx, out onRejectingRequest);
if (server.SystemConfiguration.AnonymousUserAccessMode == AnonymousUserAccessMode.None && userCreated == false)
{
onRejectingRequest();
return(false);
}
PrincipalWithDatabaseAccess user = null;
if (userCreated)
{
user = (PrincipalWithDatabaseAccess)ctx.User;
}
var databaseName = database().Name ?? string.Empty;
if (userCreated && (user.Principal.IsAdministrator() || user.AdminDatabases.Contains(databaseName)))
{
return(true);
}
var httpRequest = ctx.Request;
if (server.SystemConfiguration.AnonymousUserAccessMode == AnonymousUserAccessMode.Get &&
userCreated &&
user.ReadWriteDatabases.Contains(databaseName) == false &&
IsGetRequest(httpRequest.HttpMethod, httpRequest.Url.AbsolutePath) == false)
{
onRejectingRequest();
return(false);
}
if (IsGetRequest(httpRequest.HttpMethod, httpRequest.Url.AbsolutePath) &&
userCreated &&
(user.ReadOnlyDatabases.Contains(databaseName) || user.ReadWriteDatabases.Contains(databaseName)))
{
return(true);
}
if (userCreated)
{
CurrentOperationContext.Headers.Value[Constants.RavenAuthenticatedUser] = ctx.User.Identity.Name;
CurrentOperationContext.User.Value = ctx.User;
}
return(true);
}
private PrincipalWithDatabaseAccess UpdateUserPrincipal(IHttpContext ctx, Dictionary <string, List <DatabaseAccess> > databaseAccessLists)
{
if (ctx.User is PrincipalWithDatabaseAccess)
{
return((PrincipalWithDatabaseAccess)ctx.User);
}
var user = new PrincipalWithDatabaseAccess((WindowsPrincipal)ctx.User);
List <DatabaseAccess> list;
if (databaseAccessLists.TryGetValue(ctx.User.Identity.Name, out list) == false)
{
ctx.User = user;
user.ExplicitlyConfigured = false;
return(user);
}
user.ExplicitlyConfigured = true;
foreach (var databaseAccess in list)
{
if (databaseAccess.Admin)
{
user.AdminDatabases.Add(databaseAccess.TenantId);
}
else if (databaseAccess.ReadOnly)
{
user.ReadOnlyDatabases.Add(databaseAccess.TenantId);
}
else
{
user.ReadWriteDatabases.Add(databaseAccess.TenantId);
}
}
ctx.User = user;
return(user);
}
public bool Authorize(IHttpContext ctx, bool ignoreDb)
{
Action onRejectingRequest;
var databaseName = database().Name ?? Constants.SystemDatabase;
var userCreated = TryCreateUser(ctx, databaseName, out onRejectingRequest);
if (server.SystemConfiguration.AnonymousUserAccessMode == AnonymousUserAccessMode.None && userCreated == false)
{
onRejectingRequest();
return(false);
}
PrincipalWithDatabaseAccess user = null;
if (userCreated)
{
user = (PrincipalWithDatabaseAccess)ctx.User;
CurrentOperationContext.Headers.Value[Constants.RavenAuthenticatedUser] = ctx.User.Identity.Name;
CurrentOperationContext.User.Value = ctx.User;
// admins always go through
if (user.Principal.IsAdministrator(server.SystemConfiguration.AnonymousUserAccessMode))
{
return(true);
}
}
var httpRequest = ctx.Request;
bool isGetRequest = IsGetRequest(httpRequest.HttpMethod, httpRequest.Url.AbsolutePath);
switch (server.SystemConfiguration.AnonymousUserAccessMode)
{
case AnonymousUserAccessMode.Admin:
case AnonymousUserAccessMode.All:
return(true); // if we have, doesn't matter if we have / don't have the user
case AnonymousUserAccessMode.Get:
if (isGetRequest)
{
return(true);
}
goto case AnonymousUserAccessMode.None;
case AnonymousUserAccessMode.None:
if (userCreated)
{
if (user.AdminDatabases.Contains(databaseName) || ignoreDb)
{
return(true);
}
if (user.ReadWriteDatabases.Contains(databaseName))
{
return(true);
}
if (isGetRequest && user.ReadOnlyDatabases.Contains(databaseName))
{
return(true);
}
}
onRejectingRequest();
return(false);
default:
throw new ArgumentOutOfRangeException();
}
}
public bool TryAuthorize(RavenBaseApiController controller, bool ignoreDb, out HttpResponseMessage msg)
{
Func <HttpResponseMessage> onRejectingRequest;
var tenantId = controller.TenantName ?? Constants.SystemDatabase;
var userCreated = TryCreateUser(controller, tenantId, out onRejectingRequest);
if (server.SystemConfiguration.AnonymousUserAccessMode == AnonymousUserAccessMode.None && userCreated == false)
{
msg = onRejectingRequest();
return(false);
}
PrincipalWithDatabaseAccess user = null;
if (userCreated)
{
user = (PrincipalWithDatabaseAccess)controller.User;
CurrentOperationContext.Headers.Value[Constants.RavenAuthenticatedUser] = controller.User.Identity.Name;
CurrentOperationContext.User.Value = controller.User;
// admins always go through
if (user.Principal.IsAdministrator(server.SystemConfiguration.AnonymousUserAccessMode))
{
msg = controller.GetEmptyMessage();
return(true);
}
// backup operators can go through
if (user.Principal.IsBackupOperator(server.SystemConfiguration.AnonymousUserAccessMode))
{
msg = controller.GetEmptyMessage();
return(true);
}
}
bool isGetRequest = IsGetRequest(controller.InnerRequest.Method.Method, controller.InnerRequest.RequestUri.AbsolutePath);
switch (server.SystemConfiguration.AnonymousUserAccessMode)
{
case AnonymousUserAccessMode.Admin:
case AnonymousUserAccessMode.All:
msg = controller.GetEmptyMessage();
return(true); // if we have, doesn't matter if we have / don't have the user
case AnonymousUserAccessMode.Get:
if (isGetRequest)
{
msg = controller.GetEmptyMessage();
return(true);
}
goto case AnonymousUserAccessMode.None;
case AnonymousUserAccessMode.None:
if (userCreated)
{
if (string.IsNullOrEmpty(tenantId) || tenantId.StartsWith("fs/") == false)
{
if (user.AdminDatabases.Contains(tenantId) ||
user.AdminDatabases.Contains("*") || ignoreDb)
{
msg = controller.GetEmptyMessage();
return(true);
}
if (user.ReadWriteDatabases.Contains(tenantId) ||
user.ReadWriteDatabases.Contains("*"))
{
msg = controller.GetEmptyMessage();
return(true);
}
if (isGetRequest && (user.ReadOnlyDatabases.Contains(tenantId) ||
user.ReadOnlyDatabases.Contains("*")))
{
msg = controller.GetEmptyMessage();
return(true);
}
}
else if (tenantId.StartsWith("fs/"))
{
tenantId = tenantId.Substring(3, tenantId.Length - "fs/".Length);
if (user.ReadWriteFileSystems.Contains(tenantId) ||
user.ReadWriteFileSystems.Contains("*"))
{
msg = controller.GetEmptyMessage();
return(true);
}
if (isGetRequest && (user.ReadOnlyFileSystems.Contains(tenantId) ||
user.ReadOnlyFileSystems.Contains("*")))
{
msg = controller.GetEmptyMessage();
return(true);
}
}
else
{
throw new ArgumentOutOfRangeException("tenantId", "We don't know how to authorize unknown tenant id: " + tenantId);
}
}
msg = onRejectingRequest();
return(false);
default:
throw new ArgumentOutOfRangeException();
}
}
public bool TryAuthorize(RavenBaseApiController controller, bool ignoreDb, out HttpResponseMessage msg)
{
Func <HttpResponseMessage> onRejectingRequest;
var tenantId = controller.ResourceName ?? Constants.SystemDatabase;
var userCreated = TryCreateUser(controller, tenantId, out onRejectingRequest);
if (server.SystemConfiguration.Core.AnonymousUserAccessMode == AnonymousUserAccessMode.None && userCreated == false)
{
msg = onRejectingRequest();
return(false);
}
PrincipalWithDatabaseAccess user = null;
if (userCreated)
{
user = (PrincipalWithDatabaseAccess)controller.User;
CurrentOperationContext.User.Value = controller.User;
// admins always go through
if (user.Principal.IsAdministrator(server.SystemConfiguration.Core.AnonymousUserAccessMode))
{
msg = controller.GetEmptyMessage();
return(true);
}
// backup operators can go through
if (user.Principal.IsBackupOperator(server.SystemConfiguration.Core.AnonymousUserAccessMode))
{
msg = controller.GetEmptyMessage();
return(true);
}
}
bool isGetRequest = IsGetRequest(controller);
switch (server.SystemConfiguration.Core.AnonymousUserAccessMode)
{
case AnonymousUserAccessMode.Admin:
case AnonymousUserAccessMode.All:
msg = controller.GetEmptyMessage();
return(true); // if we have, doesn't matter if we have / don't have the user
case AnonymousUserAccessMode.Get:
if (isGetRequest)
{
msg = controller.GetEmptyMessage();
return(true);
}
goto case AnonymousUserAccessMode.None;
case AnonymousUserAccessMode.None:
if (userCreated)
{
if (string.IsNullOrEmpty(tenantId) == false &&
(tenantId.StartsWith("fs/", StringComparison.OrdinalIgnoreCase) ||
tenantId.StartsWith("cs/", StringComparison.OrdinalIgnoreCase) ||
tenantId.StartsWith("ts/", StringComparison.OrdinalIgnoreCase)))
{
tenantId = tenantId.Substring(3);
}
if (user.AdminDatabases.Contains(tenantId) ||
user.AdminDatabases.Contains("*") || ignoreDb)
{
msg = controller.GetEmptyMessage();
return(true);
}
if (user.ReadWriteDatabases.Contains(tenantId) ||
user.ReadWriteDatabases.Contains("*"))
{
msg = controller.GetEmptyMessage();
return(true);
}
if (isGetRequest && (user.ReadOnlyDatabases.Contains(tenantId) ||
user.ReadOnlyDatabases.Contains("*")))
{
msg = controller.GetEmptyMessage();
return(true);
}
}
msg = onRejectingRequest();
return(false);
default:
throw new ArgumentOutOfRangeException();
}
}