public void AutomaticCleanup_WhenDomainObjectCtorThrows_DoesNotRequireDeletePermissions()
{
_securityProviderStub.Stub(mock => mock.GetAccess(_securityContextStub, _securityPrincipalStub)).Return(new AccessType[0]);
_functionalSecurityStrategyStub
.Stub(
mock => mock.HasAccess(
Arg.Is(typeof(SecurableObject)),
Arg.Is(_securityProviderStub),
Arg.Is(_securityPrincipalStub),
Arg <IReadOnlyList <AccessType> > .List.Equal(new[] { AccessType.Get(GeneralAccessTypes.Create) })))
.Return(true);
var exception = new Exception("Test.");
SecurableObject throwingObject = null;
Assert.That(
() => CreateSecurableObject(
_securityContextFactoryStub,
action: obj =>
{
throwingObject = obj;
throw exception;
}),
Throws.Exception.SameAs(exception));
Assert.That(_clientTransaction.IsEnlisted(throwingObject), Is.False);
}
private SecurableObject CreateSecurableObject(ISecurityContextFactory securityContextFactory, ClientTransaction clientTransaction = null, Action <SecurableObject> action = null)
{
return(SecurableObject.NewObject(
clientTransaction ?? _clientTransaction,
ObjectSecurityStrategy.Create(securityContextFactory, InvalidationToken.Create()),
action));
}
public void Test_ManySideRemove_AccessedViaDomainObject()
{
SecurableObject securableObject = _testHelper.CreateSecurableObject();
SecurableObject oldObject = _testHelper.CreateSecurableObject();
var childrenPropertyInfo = typeof(SecurableObject).GetProperty("Children");
_testHelper.Transaction.ExecuteInScope(() => securableObject.Children.Add(oldObject));
_testHelper.AddExtension(_extension);
using (_testHelper.Ordered())
{
_testHelper.ExpectPermissionReflectorGetRequiredMethodPermissions(MethodInfoAdapter.Create(childrenPropertyInfo.GetGetMethod()), TestAccessTypes.First);
_testHelper.ExpectObjectSecurityStrategyHasAccess(securableObject, TestAccessTypes.First, true);
_testHelper.ExpectPermissionReflectorGetRequiredMethodPermissions(_setMethodInformation, TestAccessTypes.Second);
_testHelper.ExpectObjectSecurityStrategyHasAccess(oldObject, TestAccessTypes.Second, true);
var childrenSetMethodInformation = new NullMethodInformation();
_testHelper.ExpectPermissionReflectorGetRequiredMethodPermissions(childrenSetMethodInformation, GeneralAccessTypes.Edit);
_testHelper.ExpectObjectSecurityStrategyHasAccess(securableObject, GeneralAccessTypes.Edit, true);
}
_testHelper.ReplayAll();
_testHelper.Transaction.ExecuteInScope(() => securableObject.Children.Remove(oldObject));
_testHelper.VerifyAll();
}
private void SetInheritance(SecurableObject objectToSecure, SecureObjectCreator definition)
{
if (definition.BreakInheritance)
{
objectToSecure.BreakRoleInheritance(definition.CopyExisting, definition.ResetChildPermissions);
}
}
private void ProcessRoleInheritance(object modelHost, SecurableObject securableObject, BreakRoleInheritanceDefinition breakRoleInheritanceModel)
{
var context = securableObject.Context;
InvokeOnModelEvent(this, new ModelEventArgs
{
CurrentModelNode = null,
Model = null,
EventType = ModelEventType.OnProvisioning,
Object = securableObject,
ObjectType = typeof(SecurableObject),
ObjectDefinition = breakRoleInheritanceModel,
ModelHost = modelHost
});
//context.Load(securableObject);
//context.ExecuteQueryWithTrace();
if (!securableObject.IsPropertyAvailable("HasUniqueRoleAssignments"))
{
context.Load(securableObject, s => s.HasUniqueRoleAssignments);
context.ExecuteQueryWithTrace();
}
if (!securableObject.HasUniqueRoleAssignments)
{
TraceService.VerboseFormat((int)LogEventId.ModelProvisionCoreCall,
"HasUniqueRoleAssignments is FALSE. Breaking role inheritance with CopyRoleAssignments: [{0}] and ClearSubscopes: [{1}]",
new object[]
{
breakRoleInheritanceModel.CopyRoleAssignments,
breakRoleInheritanceModel.ClearSubscopes
});
securableObject.BreakRoleInheritance(breakRoleInheritanceModel.CopyRoleAssignments, breakRoleInheritanceModel.ClearSubscopes);
context.ExecuteQueryWithTrace();
}
if (breakRoleInheritanceModel.ForceClearSubscopes)
{
TraceService.Verbose((int)LogEventId.ModelProvisionCoreCall, "ForceClearSubscopes is TRUE. Removing all role assignments.");
context.Load(securableObject.RoleAssignments);
context.ExecuteQueryWithTrace();
while (securableObject.RoleAssignments.Count > 0)
securableObject.RoleAssignments[0].DeleteObject();
}
InvokeOnModelEvent(this, new ModelEventArgs
{
CurrentModelNode = null,
Model = null,
EventType = ModelEventType.OnProvisioned,
Object = securableObject,
ObjectType = typeof(SecurableObject),
ObjectDefinition = breakRoleInheritanceModel,
ModelHost = modelHost
});
}
public void Test_ManySide_RecursiveSecurity_ChecksAccessOnNestedCall()
{
SecurableObject securableObject = _testHelper.CreateSecurableObject();
SecurableObject otherObject = _testHelper.CreateSecurableObject();
_testHelper.Transaction.ExecuteInScope(() => securableObject.OtherChildren.Add(_testHelper.CreateSecurableObject()));
var setMethodInformation = MethodInfoAdapter.Create(typeof(SecurableObject).GetProperty("Children").GetGetMethod());
var securableEndPointDefintion = securableObject.ID.ClassDefinition.GetRelationEndPointDefinition(typeof(SecurableObject).FullName + ".Children");
_testHelper.ExpectPermissionReflectorGetRequiredMethodPermissions(setMethodInformation, TestAccessTypes.First);
_testHelper.ExpectPermissionReflectorGetRequiredMethodPermissions(setMethodInformation, TestAccessTypes.First);
HasAccessDelegate hasAccess = delegate
{
_extension.RelationReading(_testHelper.Transaction, otherObject, securableEndPointDefintion, ValueAccess.Current);
return(true);
};
_testHelper.ExpectObjectSecurityStrategyHasAccess(securableObject, TestAccessTypes.First, hasAccess);
_testHelper.ExpectObjectSecurityStrategyHasAccess(otherObject, TestAccessTypes.First, true);
_testHelper.ReplayAll();
_extension.RelationReading(_testHelper.Transaction, securableObject, securableEndPointDefintion, ValueAccess.Current);
_testHelper.VerifyAll();
}
/// <summary>
/// Export the properties of a securable objet to CSV
/// </summary>
/// <param name="securableObject">Securable object</param>
private void WriteCsv(SecurableObject securableObject)
{
LoadSecurableObject(securableObject);
SecurableObjectInfo securableObjectInfo = null;
foreach (RoleAssignment roleAssignment in securableObject.RoleAssignments)
{
switch (securableObject)
{
case Web web:
securableObjectInfo = new SecurableObjectInfo(web, roleAssignment);
break;
case List list:
securableObjectInfo = new SecurableObjectInfo(list, roleAssignment);
break;
case ListItem listItem:
securableObjectInfo = new SecurableObjectInfo(listItem, roleAssignment);
break;
}
// Write CSV
permissionsFileWriter.WriteRecord(securableObjectInfo);
if (roleAssignment.Member.PrincipalType == PrincipalType.SharePointGroup && !groupIds.Contains(roleAssignment.Member.Id))
{
groupIds.Add(roleAssignment.Member.Id);
}
}
}
void WritePermissionsForObject(ClientContext clientContext, User user, SecurableObject so)
{
if (!so.HasUniqueRoleAssignments)
{
return;
}
HashSet <string> permissionLevels = new HashSet <string>();
clientContext.Load(so.RoleAssignments, rac => rac.Where(ra => ra.Member.LoginName == user.LoginName));
clientContext.ExecuteQuery();
foreach (var ra in so.RoleAssignments)
{
clientContext.Load(ra.Member);
clientContext.Load(ra.RoleDefinitionBindings);
clientContext.ExecuteQuery();
foreach (var definition in ra.RoleDefinitionBindings)
{
clientContext.Load(definition);
clientContext.ExecuteQuery();
permissionLevels.Add(definition.Name);
}
}
if (permissionLevels.Count > 0)
{
AddToPermFile(user, so, GetUrlOfObject(clientContext, so), permissionLevels);
}
}
private void ProcessRoleAssignments(SecurableObject securableObject, ClientContext clientContext)
{
clientContext.Load(securableObject, x => x.HasUniqueRoleAssignments);
clientContext.ExecuteQuery();
if (!securableObject.HasUniqueRoleAssignments)
{
outPutText += "Same perms as parent" + "<br/>";
}
else
{
RoleAssignmentCollection roleAssignments = securableObject.RoleAssignments;
clientContext.Load <RoleAssignmentCollection>(roleAssignments);
clientContext.ExecuteQuery();
foreach (RoleAssignment roleAssignment in roleAssignments)
{
Principal member = roleAssignment.Member;
RoleDefinitionBindingCollection roleDef = roleAssignment.RoleDefinitionBindings;
clientContext.Load(member);
clientContext.Load <RoleDefinitionBindingCollection>(roleDef);
clientContext.ExecuteQuery();
foreach (var binding in roleDef)
{
outPutText += string.Format("[{0}]{1}: {2}<br/>", member.PrincipalType, member.LoginName, binding.Name);
}
}
}
}
/// <summary>
/// Assigns item level permission
/// </summary>
/// <param name="clientContext">Client context object</param>
/// <param name="listName">List name</param>
/// <param name="listItemId">List item id</param>
internal static void AssignItemPermission(ClientContext clientContext, string listName, int listItemId)
{
try
{
if (null != clientContext && !string.IsNullOrEmpty(listName))
{
ListItem listItem = clientContext.Web.Lists.GetByTitle(listName).GetItemById(listItemId);
clientContext.Load(listItem, item => item.HasUniqueRoleAssignments);
clientContext.ExecuteQuery();
if (listItem.HasUniqueRoleAssignments)
{
SecurableObject listItemObject = listItem;
ClientRuntimeContext clientRuntimeContext = clientContext;
// get the user object
Principal userPrincipal = clientContext.Web.AssociatedOwnerGroup;
string roleName = ConfigurationManager.AppSettings["Role"];
RoleDefinition roleDefinition = clientContext.Web.RoleDefinitions.GetByName(roleName);
// create the role definition binding collection
RoleDefinitionBindingCollection roleDefinitionBindingCollection = new RoleDefinitionBindingCollection(clientRuntimeContext);
// add the role definition to the collection
roleDefinitionBindingCollection.Add(roleDefinition);
// create a RoleAssigment with the user and role definition
listItemObject.RoleAssignments.Add(userPrincipal, roleDefinitionBindingCollection);
clientRuntimeContext.ExecuteQuery();
}
}
}
catch (Exception exception)
{
ErrorLogger.DisplayErrorMessage(string.Format(CultureInfo.InvariantCulture, Constants.AssigningPermissionsExceptionMessage, Constants.SettingsPage, exception.Message));
}
}
public static Web GetAssociatedWeb(this SecurableObject securable)
{
if (securable is Web)
{
return((Web)securable);
}
if (securable is List)
{
var list = (List)securable;
var web = list.ParentWeb;
securable.Context.Load(web);
securable.Context.ExecuteQueryRetry();
return(web);
}
if (securable is ListItem)
{
var listItem = (ListItem)securable;
var web = listItem.ParentList.ParentWeb;
securable.Context.Load(web);
securable.Context.ExecuteQueryRetry();
return(web);
}
throw new Exception("Only Web, List, ListItem supported as SecurableObjects");
}
public static void SetSecurity(this SecurableObject securable, TokenParser parser, ObjectSecurity security)
{
//using (var scope = new PnPMonitoredScope("Set Security"))
//{
var context = securable.Context as ClientContext;
var groups = context.LoadQuery(context.Web.SiteGroups.Include(g => g.LoginName));
var webRoleDefinitions = context.LoadQuery(context.Web.RoleDefinitions);
context.ExecuteQueryRetry();
securable.BreakRoleInheritance(security.CopyRoleAssignments, security.ClearSubscopes);
foreach (var roleAssignment in security.RoleAssignments)
{
Principal principal = groups.FirstOrDefault(g => g.LoginName == parser.ParseString(roleAssignment.Principal));
if (principal == null)
{
principal = context.Web.EnsureUser(roleAssignment.Principal);
}
var roleDefinitionBindingCollection = new RoleDefinitionBindingCollection(context);
var roleDefinition = webRoleDefinitions.FirstOrDefault(r => r.Name == roleAssignment.RoleDefinition);
if (roleDefinition != null)
{
roleDefinitionBindingCollection.Add(roleDefinition);
}
securable.RoleAssignments.Add(principal, roleDefinitionBindingCollection);
}
context.ExecuteQueryRetry();
//}
}
private NullSecurityClientTestHelper()
{
_mocks = new MockRepository();
_mockObjectSecurityStrategy = _mocks.StrictMock <IObjectSecurityStrategy>();
_securableObject = new SecurableObject(_mockObjectSecurityStrategy);
}
public void Test_RecursiveSecurity_ChecksAccessOnNestedCall()
{
SecurableObject allowedObject = _testHelper.CreateSecurableObject();
SecurableObject deniedObject = _testHelper.CreateSecurableObject();
IQuery nestedQuery = _testHelper.CreateSecurableObjectQuery();
var nestedQueryResult = new QueryResult <DomainObject> (nestedQuery, new DomainObject[] { allowedObject, deniedObject });
HasAccessDelegate hasAccess = delegate
{
var filteredResult = _extension.FilterQueryResult(_testHelper.Transaction, nestedQueryResult);
Assert.That(filteredResult.ToArray(), Is.EqualTo(new[] { allowedObject }));
return(true);
};
_testHelper.ExpectObjectSecurityStrategyHasAccess(allowedObject, GeneralAccessTypes.Find, true);
_testHelper.ExpectObjectSecurityStrategyHasAccess(deniedObject, GeneralAccessTypes.Find, false);
SecurableObject securableObject = _testHelper.CreateSecurableObject();
IQuery query = _testHelper.CreateSecurableObjectQuery();
var queryResult = new QueryResult <DomainObject> (query, new DomainObject[] { securableObject });
_testHelper.ExpectObjectSecurityStrategyHasAccess(securableObject, GeneralAccessTypes.Find, hasAccess);
_testHelper.ReplayAll();
var finalResult = _extension.FilterQueryResult(_testHelper.Transaction, queryResult);
_testHelper.VerifyAll();
Assert.That(finalResult.ToArray(), Is.EqualTo(new[] { securableObject }));
}
private void ProcessRoleInheritance(object modelHost, SecurableObject securableObject, BreakRoleInheritanceDefinition breakRoleInheritanceModel)
{
var context = securableObject.Context;
InvokeOnModelEvent(this, new ModelEventArgs
{
CurrentModelNode = null,
Model = null,
EventType = ModelEventType.OnProvisioning,
Object = securableObject,
ObjectType = typeof(SecurableObject),
ObjectDefinition = breakRoleInheritanceModel,
ModelHost = modelHost
});
if (!securableObject.IsObjectPropertyInstantiated("HasUniqueRoleAssignments"))
{
context.Load(securableObject, s => s.HasUniqueRoleAssignments);
context.ExecuteQueryWithTrace();
}
if (!securableObject.HasUniqueRoleAssignments)
{
TraceService.VerboseFormat((int)LogEventId.ModelProvisionCoreCall,
"HasUniqueRoleAssignments is FALSE. Breaking role inheritance with CopyRoleAssignments: [{0}] and ClearSubscopes: [{1}]",
new object[]
{
breakRoleInheritanceModel.CopyRoleAssignments,
breakRoleInheritanceModel.ClearSubscopes
});
securableObject.BreakRoleInheritance(breakRoleInheritanceModel.CopyRoleAssignments, breakRoleInheritanceModel.ClearSubscopes);
context.ExecuteQueryWithTrace();
}
if (breakRoleInheritanceModel.ForceClearSubscopes)
{
TraceService.Verbose((int)LogEventId.ModelProvisionCoreCall, "ForceClearSubscopes is TRUE. Removing all role assignments.");
context.Load(securableObject.RoleAssignments);
context.ExecuteQueryWithTrace();
while (securableObject.RoleAssignments.Count > 0)
{
securableObject.RoleAssignments[0].DeleteObject();
}
}
InvokeOnModelEvent(this, new ModelEventArgs
{
CurrentModelNode = null,
Model = null,
EventType = ModelEventType.OnProvisioned,
Object = securableObject,
ObjectType = typeof(SecurableObject),
ObjectDefinition = breakRoleInheritanceModel,
ModelHost = modelHost
});
}
private static void ApplySecurity(SecurableObject securable, TokenParser parser, ClientContext context, IEnumerable <Microsoft.SharePoint.Client.Group> groups, IEnumerable <Microsoft.SharePoint.Client.RoleDefinition> webRoleDefinitions, IEnumerable <Microsoft.SharePoint.Client.RoleAssignment> securableRoleAssignments, IEnumerable <Model.RoleAssignment> roleAssignmentsToHandle)
{
foreach (var roleAssignment in roleAssignmentsToHandle)
{
if (!roleAssignment.Remove)
{
var roleAssignmentPrincipal = parser.ParseString(roleAssignment.Principal);
Principal principal = TryGetGroupPrincipal(groups, roleAssignmentPrincipal);
if (principal == null)
{
principal = context.Web.EnsureUser(roleAssignmentPrincipal);
}
if (principal != null)
{
var roleDefinitionBindingCollection = new RoleDefinitionBindingCollection(context);
var roleAssignmentRoleDefinition = parser.ParseString(roleAssignment.RoleDefinition);
var roleDefinition = webRoleDefinitions.FirstOrDefault(r => r.Name == roleAssignmentRoleDefinition);
if (roleDefinition != null)
{
roleDefinitionBindingCollection.Add(roleDefinition);
securable.RoleAssignments.Add(principal, roleDefinitionBindingCollection);
}
}
}
else
{
var roleAssignmentPrincipal = parser.ParseString(roleAssignment.Principal);
Principal principal = TryGetGroupPrincipal(groups, roleAssignmentPrincipal);
if (principal == null)
{
principal = context.Web.EnsureUser(roleAssignmentPrincipal);
}
principal.EnsureProperty(p => p.Id);
if (principal != null)
{
var assignmentsForPrincipal = securableRoleAssignments.Where(t => t.PrincipalId == principal.Id);
foreach (var assignmentForPrincipal in assignmentsForPrincipal)
{
var roleAssignmentRoleDefinition = parser.ParseString(roleAssignment.RoleDefinition);
var binding = assignmentForPrincipal.EnsureProperty(r => r.RoleDefinitionBindings).FirstOrDefault(b => b.Name == roleAssignmentRoleDefinition);
if (binding != null)
{
assignmentForPrincipal.DeleteObject();
context.ExecuteQueryRetry();
break;
}
}
}
}
}
}
public static PermissionCollection GetPermissions(this SecurableObject secObj)
{
Type secType = secObj.GetType();
string name = secType.Name.Equals("ListItem") ? "DisplayName" : "Title";
secObj.Context.Load(secObj, s => s.HasUniqueRoleAssignments, s => s.RoleAssignments);
try
{
secObj.Context.ExecuteQuery();
}
catch (ServerException)
{
return(null);
}
bool?check = secObj.IsPropertyAvailable("HasUniqueRoleAssignments")
? (bool?)secObj.HasUniqueRoleAssignments
: null;
if (!check.HasValue)
{
return(null);
}
//if (!(secObj is Web))
//{
// MethodInfo genMeth = typeof(ClientObjectExtensions)
// .GetMethod("GetClientObjectExpression", BindingFlags.Static | BindingFlags.NonPublic)
// .MakeGenericMethod(secType);
// object nameExpression = genMeth.Invoke(null, new object[]
// {
// secObj, name
// });
// object idExpression = genMeth.Invoke(null, new object[]
// {
// secObj, "Id"
// });
// MethodInfo genLoad = typeof(ClientObjectExtensions)
// .GetMethod("SpecialLoad", BindingFlags.NonPublic | BindingFlags.Static)
// .MakeGenericMethod(secType);
// genLoad.Invoke(secObj, new object[]
// {
// secObj, nameExpression
// });
// genLoad.Invoke(secObj, new object[]
// {
// secObj, idExpression
// });
// secObj.Context.ExecuteQuery();
//}
PermissionCollection permissions = PermissionCollection.ResolvePermissions(secObj);
//ValueTuple<string, object> tuple = GetNameAndIdValue(secObj, name);
return(permissions);
}
public void ExpectObjectSecurityStrategyHasAccessWithMatchingScope(SecurableObject securableObject, ClientTransactionScope expectedScope)
{
IObjectSecurityStrategy objectSecurityStrategy = securableObject.GetSecurityStrategy();
Expect.Call(objectSecurityStrategy.HasAccess(null, null, null))
.IgnoreArguments()
.WhenCalled(mi => CheckScope(expectedScope))
.Return(true);
}
private void AddSecuringObject(SecurableObject secObj)
{
if (this.InnerList.Count > 0)
{
this.InnerList.ForEach((a) =>
{
a.SecuringObject = secObj;
});
}
}
public static bool HasClearSubscopes(this SecurableObject secObject)
{
if (!secObject.IsPropertyAvailable("RoleAssignments"))
{
secObject.Context.Load(secObject, s => s.RoleAssignments);
secObject.Context.ExecuteQuery();
}
return(secObject.RoleAssignments.Count == 0);
}
public void Test_WithNewObject_DoesNotPerformSecurityCheck()
{
SecurableObject securableObject = _testHelper.CreateSecurableObject();
_testHelper.ReplayAll();
_extension.ObjectDeleting(_testHelper.Transaction, securableObject);
_testHelper.VerifyAll();
}
private static ValueTuple <string, object> GetNameAndIdValue(SecurableObject secObj, string nameProperty)
{
Type objType = secObj.GetType();
PropertyInfo namePi = objType.GetProperty(nameProperty, BindingFlags.Instance | BindingFlags.Public);
PropertyInfo idPi = objType.GetProperty("Id", BindingFlags.Instance | BindingFlags.Public);
string nameVal = namePi.GetValue(secObj) as string;
object idVal = idPi.GetValue(secObj);
return(new ValueTuple <string, object>(nameVal, idVal));
}
public void Test_AccessDenied_ThrowsPermissionDeniedException()
{
SecurableObject securableObject = _testHelper.CreateSecurableObject();
_testHelper.Transaction.Commit();
_testHelper.ExpectObjectSecurityStrategyHasAccess(securableObject, GeneralAccessTypes.Delete, false);
_testHelper.ReplayAll();
_extension.ObjectDeleting(_testHelper.Transaction, securableObject);
}
public void Test_AccessDenied_ThrowsPermissionDeniedException()
{
SecurableObject securableObject = _testHelper.CreateSecurableObject();
_testHelper.ExpectPermissionReflectorGetRequiredMethodPermissions(_getMethodInformation, TestAccessTypes.First);
_testHelper.ExpectObjectSecurityStrategyHasAccess(securableObject, TestAccessTypes.First, false);
_testHelper.ReplayAll();
_extension.PropertyValueReading(_testHelper.Transaction, securableObject, _stringPropertyDefinition, ValueAccess.Current);
}
public void Test_ID_DoesNotPerformSecurityCheck()
{
SecurableObject securableObject = _testHelper.CreateSecurableObject();
_testHelper.AddExtension(_extension);
_testHelper.ReplayAll();
Dev.Null = _testHelper.Transaction.ExecuteInScope(() => securableObject.ID);
_testHelper.VerifyAll();
}
public void CheckAccess_AccessDenied()
{
ExpectObjectSecurityStrategyHasAccessForSecurableObject(GeneralAccessTypes.Read, false);
SecurableObject thisObject = new SecurableObject(_mockObjectSecurityStrategy);
TestFunctionWithPermissionsFromInstanceMethod function = new TestFunctionWithPermissionsFromInstanceMethod(thisObject);
function.ThisObject = thisObject; // Required because in this test the WxeFunction has not started executing.
_mocks.ReplayAll();
_securityAdapter.CheckAccess(function);
}
/// <summary>
/// Adds the specified securable object,inserts the ISecurableObject object.
/// </summary>
/// <param name="securableObject">The securable object.</param>
public void Add(ISecurableObject securableObject)
{
SecurableObject obj = new SecurableObject()
{
Application = securableObject.Application,
SecurableObjectType = securableObject.SecurableObjectType,
Guid = securableObject.SecurableObjectGuid
};
this.securableObjectDao.Add(obj);
}
public void BreakRoleInheritance(bool copyRoleAssignments, object clearSubscopes)
{
if (clearSubscopes == Undefined.Value || clearSubscopes == Null.Value || clearSubscopes == null)
{
SecurableObject.BreakRoleInheritance(copyRoleAssignments);
}
else
{
SecurableObject.BreakRoleInheritance(copyRoleAssignments, TypeConverter.ToBoolean(clearSubscopes));
}
}
public void Test_AccessedViaDomainObject()
{
IObjectSecurityStrategy objectSecurityStrategy = _testHelper.CreateObjectSecurityStrategy();
_testHelper.AddExtension(_extension);
_testHelper.ExpectFunctionalSecurityStrategyHasAccess(typeof(SecurableObject), GeneralAccessTypes.Create, true);
_testHelper.ReplayAll();
SecurableObject.NewObject(_testHelper.Transaction, objectSecurityStrategy);
_testHelper.VerifyAll();
}
public void Test_AccessGranted_DowsNotThrow()
{
SecurableObject securableObject = _testHelper.CreateSecurableObject();
_testHelper.ExpectPermissionReflectorGetRequiredMethodPermissions(_setMethodInformation, TestAccessTypes.First);
_testHelper.ExpectObjectSecurityStrategyHasAccess(securableObject, TestAccessTypes.First, true);
_testHelper.ReplayAll();
_extension.PropertyValueChanging(_testHelper.Transaction, securableObject, _stringPropertyDefinition, "old", "new");
_testHelper.VerifyAll();
}
private static IEnumerable <RoleAssignment> RoleAssignmentsLoadQuery(SecurableObject obj, ClientContext clientContext)
{
IEnumerable <RoleAssignment> listRoles = clientContext.LoadQuery(
obj.RoleAssignments.Include(
roleAsg => roleAsg.Member,
roleAsg => roleAsg.RoleDefinitionBindings.Include(
roleDef => roleDef.Id,
roleDef => roleDef.Name,
roleDef => roleDef.Description)));
return(listRoles);
}
public void ExpectObjectSecurityStrategyHasAccess(SecurableObject securableObject, Enum accessTypeEnum, HasAccessDelegate doDelegate)
{
IObjectSecurityStrategy objectSecurityStrategy = securableObject.GetSecurityStrategy();
Expect.Call(
objectSecurityStrategy.HasAccess(
Arg.Is(_mockSecurityProvider),
Arg.Is(_stubUser),
Arg <IReadOnlyList <AccessType> > .List.Equal(new[] { AccessType.Get(accessTypeEnum) })))
.WhenCalled(mi => CheckTransaction())
.Do(doDelegate);
}
protected Web ExtractWeb(SecurableObject securableObject)
{
if (securableObject is Web)
return securableObject as Web;
if (securableObject is List)
return (securableObject as List).ParentWeb;
if (securableObject is ListItem)
return (securableObject as ListItem).ParentList.ParentWeb;
throw new Exception(string.Format("Can't extract SPWeb for securableObject of type: [{0}]", securableObject.GetType()));
}
public static SPDGRoleAssignment GetRoleAssignmentByPrincipal(SecurableObject securableObject, ClientContext context, SPDGPrincipal principal)
{
var principalId = principal.ID;
var roleAss = securableObject.RoleAssignments.Where(x => x.PrincipalId == principalId).Include(x => x.RoleDefinitionBindings, x => x.Member, x => x.PrincipalId);
var results = context.LoadQuery(roleAss);
context.ExecuteQuery();
if (results.Any())
{
return new SPDGClientRoleAssignment(results.First(), principal, results.First().RoleDefinitionBindings.Select(x => new SPDGClientRoleDefinition(x)));
}
else
{
return null;
}
}
public static void AddRoleAssignment(SecurableObject securableObject, ClientContext context, SPDGPrincipal principal, IEnumerable<SPDGRoleDefinition> roleDefinitions)
{
Principal p;
if (principal is SPDGClientUser)
{
p = ((SPDGClientUser)principal).User;
}
else
{
p = ((SPDGClientGroup)principal).Group;
}
var roleDefinitionBindingCollection = new RoleDefinitionBindingCollection(context);
foreach (var spdgRoleDefinition in roleDefinitions)
{
roleDefinitionBindingCollection.Add(((SPDGClientRoleDefinition)spdgRoleDefinition).Definition);
}
securableObject.RoleAssignments.Add(p, roleDefinitionBindingCollection);
context.ExecuteQuery();
}
private void ProcessRoleInheritance(object modelHost, SecurableObject securableObject, ResetRoleInheritanceDefinition breakRoleInheritanceModel)
{
var context = securableObject.Context;
InvokeOnModelEvent(this, new ModelEventArgs
{
CurrentModelNode = null,
Model = null,
EventType = ModelEventType.OnProvisioning,
Object = securableObject,
ObjectType = typeof(SecurableObject),
ObjectDefinition = breakRoleInheritanceModel,
ModelHost = modelHost
});
if (!securableObject.IsObjectPropertyInstantiated("HasUniqueRoleAssignments"))
{
context.Load(securableObject, s => s.HasUniqueRoleAssignments);
context.ExecuteQueryWithTrace();
}
if (securableObject.HasUniqueRoleAssignments)
{
TraceService.VerboseFormat((int)LogEventId.ModelProvisionCoreCall, "HasUniqueRoleAssignments is TRUE. Resetting role inheritance", null);
securableObject.ResetRoleInheritance();
context.ExecuteQueryWithTrace();
}
InvokeOnModelEvent(this, new ModelEventArgs
{
CurrentModelNode = null,
Model = null,
EventType = ModelEventType.OnProvisioned,
Object = securableObject,
ObjectType = typeof(SecurableObject),
ObjectDefinition = breakRoleInheritanceModel,
ModelHost = modelHost
});
}
/// <summary>
/// Saves the specified securable object,inserts the ISecurableObject object into the system .
/// </summary>
/// <param name="securableObject">The securable object.</param>
public void Save(SecurableObject securableObject)
{
//securableObject.SecurableObjectGuid = this.GetNewSecurableObjectGuid();
this.securableObjectDao.Add(securableObject);
}
public void Add(Guid? securableParentUid, SecurableObject securableObject)
{
Guid permissionSourceObject;
if (securableParentUid == null || securableObject.BreaksInheritance)
{
/// This means it's a domain object or has broken inheritance.
permissionSourceObject = securableObject.SecurableObjectUid;
}
else
{
/// Assume inheritance as we were only given a GUID.
permissionSourceObject = securableParentUid.Value;
}
/// We can now call the other overloaded version. As we have filled in the securableParentUid field,
/// this will be what is used to store our SecurableObjectUid against.
Add(permissionSourceObject, securableObject.SecurableObjectUid);
}
private bool CheckPermissionOnPrinciple(SecurableObject securableObject, Principal principle, string roleDefinitionName)
{
//Get Roles for the User
RoleDefinitionBindingCollection roleDefinitionBindingCollection =
securableObject.RoleAssignments.GetByPrincipal(principle).RoleDefinitionBindings;
securableObject.Context.Load(roleDefinitionBindingCollection);
securableObject.Context.ExecuteQueryRetry();
//Check if assigned role is found
bool roleExists = false;
foreach (RoleDefinition rd in roleDefinitionBindingCollection)
{
if (rd.Name == roleDefinitionName)
{
roleExists = true;
}
}
return roleExists;
}
private void ProcessRoleAssignments(SecurableObject securableObject, ClientContext clientContext)
{
clientContext.Load(securableObject, x => x.HasUniqueRoleAssignments);
clientContext.ExecuteQuery();
if (!securableObject.HasUniqueRoleAssignments)
{
outPutText += "Same perms as parent" + "<br/>";
}
else
{
RoleAssignmentCollection roleAssignments = securableObject.RoleAssignments;
clientContext.Load<RoleAssignmentCollection>(roleAssignments);
clientContext.ExecuteQuery();
foreach (RoleAssignment roleAssignment in roleAssignments)
{
Principal member = roleAssignment.Member;
RoleDefinitionBindingCollection roleDef = roleAssignment.RoleDefinitionBindings;
clientContext.Load(member);
clientContext.Load<RoleDefinitionBindingCollection>(roleDef);
clientContext.ExecuteQuery();
foreach (var binding in roleDef)
{
outPutText += string.Format("[{0}]{1}: {2}<br/>", member.PrincipalType, member.LoginName, binding.Name);
}
}
}
}
/// <summary>
/// Load properties of the current securable object and get child securable objects with unique role assignments if any.
/// </summary>
/// <param name="obj">The current securable object.</param>
/// <param name="leafBreadthLimit">Skip further visiting on this branch if the number of child items or documents with unique role assignments exceeded leafBreadthLimit.</param>
/// <returns>The child securable objects.</returns>
internal static IEnumerable<SecurableObject> Preload(this SecurableObject obj, int leafBreadthLimit)
{
var context = obj.Context;
IEnumerable<SecurableObject> subObjects = new SecurableObject[] { };
if (obj is Web)
{
var web = obj as Web;
context.Load(web, w => w.Url, w => w.HasUniqueRoleAssignments);
context.ExecuteQueryRetry();
if (web.HasUniqueRoleAssignments)
{
context.Load(web.RoleAssignments);
context.Load(web.RoleAssignments.Groups);
context.ExecuteQueryRetry();
}
var lists = context.LoadQuery(web.Lists.Where(l => l.BaseType == BaseType.DocumentLibrary));
var webs = context.LoadQuery(web.Webs);
context.ExecuteQueryRetry();
subObjects = lists.Select(l => l as SecurableObject).Union(webs.Select(w => w as SecurableObject));
}
else if (obj is List)
{
var list = obj as List;
context.Load(list, l => l.ItemCount, l => l.DefaultViewUrl, l => l.HasUniqueRoleAssignments);
context.ExecuteQueryRetry();
if (list.ItemCount <= 0 || Constants.SkipPathes.Any(p => list.DefaultViewUrl.IndexOf(p) != -1))
return null;
if (list.HasUniqueRoleAssignments)
{
context.Load(list.RoleAssignments);
context.Load(list.RoleAssignments.Groups);
context.ExecuteQueryRetry();
}
if (leafBreadthLimit > 0 && list.ItemCount > 0)
{
var query = new CamlQuery();
query.ViewXml = String.Format(Constants.AllItemCamlQuery, Constants.ListItemDirField, Constants.ListItemFileNameField);
var items = context.LoadQuery(list.GetItems(query).Where(i => i.HasUniqueRoleAssignments));
context.ExecuteQueryRetry();
if (items.Count() <= leafBreadthLimit)
{
subObjects = items;
}
else
{
Trace.TraceWarning(CoreResources.SecurityExtensions_Warning_SkipFurtherVisitingForTooManyChildObjects, obj.GetPath(), list.ItemCount, leafBreadthLimit);
}
}
}
else if (obj is ListItem)
{
var item = obj as ListItem;
context.Load(item.RoleAssignments);
context.Load(item.RoleAssignments.Groups);
context.ExecuteQueryRetry();
}
return subObjects;
}
/// <summary>
/// Deletes the specified securable object.
/// </summary>
/// <param name="securableObject">The securable object.</param>
public void Delete(SecurableObject securableObject)
{
this.securableObjectDao.Delete(securableObject);
}
/// <summary>
/// Ensure all users of a given SharePoint group has been cached.
/// </summary>
/// <param name="obj">The current securable object.</param>
/// <param name="groupLoginName">The group login name.</param>
private static void EnsureGroupCache(SecurableObject obj, string groupLoginName)
{
var context = obj.Context;
if (!MockupGroupCache.ContainsKey(groupLoginName))
{
var users = context.LoadQuery(obj.RoleAssignments.Groups.First(g => g.LoginName == groupLoginName).Users);
context.ExecuteQueryRetry();
MockupGroupCache[groupLoginName] = (from u in users select new UserEntity()
{
Title = u.Title,
Email = u.Email,
LoginName = u.LoginName
}).ToArray();
}
}
/// <summary>
/// Adds the specified securable object,inserts the ISecurableObject object.
/// </summary>
/// <param name="securableObject">The securable object.</param>
public void Add(SecurableObject securableObject)
{
this.securableObjectDao.Add(securableObject);
}
internal SecurableObject CreateSecurableObject(bool breaksInheritance)
{
SecurableObject createdSecurableObject = null;
SPSecurity.RunWithElevatedPrivileges(delegate()
{
using (IGlymaSession glymaSession = new WebAppSPGlymaSession(Context.WebUrl))
{
using (IDbConnectionAbstraction connectionAbstraction = glymaSession.ConnectionFactory.CreateSecurityDbConnection())
{
using (SecurityServiceDataContext dataContext = new SecurityServiceDataContext(connectionAbstraction.Connection))
{
SecurableObject securableObject = new SecurableObject();
securableObject.SecurableObjectUid = SecurableObject.SecurableObjectUid;
securableObject.BreaksInheritance = breaksInheritance;
securableObject.SecurableContextId = SecurableContextId;
dataContext.SecurableObjects.InsertOnSubmit(securableObject);
dataContext.SubmitChanges();
// Return the group that was created
securableObject = (from so in dataContext.SecurableObjects
where so.SecurableObjectUid == SecurableObject.SecurableObjectUid &&
so.SecurableContextId == SecurableContextId
select so).First();
createdSecurableObject = securableObject;
}
}
}
});
return createdSecurableObject;
}
