public AuthorizationResponse CheckUserAuthorization(string action)
{
var authorizationResponse = new AuthorizationResponse();
var role = _securityACLProvider.GetCurrentUserRole();
var actions = _securityPermissionProvider.GetActionsForRole(role);
authorizationResponse.IsAuthorized = actions.Contains(action);
if (!authorizationResponse.IsAuthorized)
{
authorizationResponse.AuthorizationMessage = string.Format("Current User with Role {0} does not have permission to perform Action {1}!", role, action);
}
return authorizationResponse;
}
public AuthorizationResponse CheckObjectAuthorization(object securedObject, object originalObject, string action)
{
var authorizationResponse = new AuthorizationResponse();
var role = _securityACLProvider.GetCurrentUserRoleForObject(securedObject);
var actions = _securityPermissionProvider.GetActionsForRole(role);
authorizationResponse.IsAuthorized = actions.Contains(action);
if (!authorizationResponse.IsAuthorized)
{
authorizationResponse.AuthorizationMessage = string.Format("Current User with Role {0} for Object does not have permission to perform Action {1} for current Object!", role, action);
}
if (_securityContext.EnableFieldLevelSecurity)
{
var fieldLevelAuthorizationResponse = ProcessObjectFieldSecurity(securedObject, originalObject, action, role);
authorizationResponse.SecuredObject = fieldLevelAuthorizationResponse.SecuredObject;
authorizationResponse.AuthorizationMessage = string.Format("{0} {1}", authorizationResponse.AuthorizationMessage, fieldLevelAuthorizationResponse.AuthorizationMessage);
}
return authorizationResponse;
}
public AuthorizationResponse GetAuthorizationForAccessToken(string accessToken)
{
var user = _securityAccessTokenProvider.GetUserFromAccessToken(accessToken);
var authorizationResponse = new AuthorizationResponse();
authorizationResponse.IsAuthorized = user != null;
if (user != null)
{
authorizationResponse.UserId = user.Id;
}
if (!authorizationResponse.IsAuthorized)
{
authorizationResponse.AuthorizationMessage = string.Format("Session Has Expired Or User is Not Logged In!");
}
return authorizationResponse;
}
private AuthorizationResponse ProcessObjectFieldSecurity(object securedObject, object originalObject, string action, string role, int depth = 0)
{
var authorizationResponse = new AuthorizationResponse();
if (securedObject == null)
{
return authorizationResponse;
}
if (originalObject == null)
{
throw new SecurityException("No Secure State of Object Exists!");
}
var authorizationFailureMessages = new List<string>();
var securedType = securedObject.GetType();
var securedProperties = securedType.GetProperties();
var originalType = originalObject.GetType();
var originalProperties = originalType.GetProperties();
for (var i = 0; i < securedProperties.Length; i++)
{
var securedPropertyInfo = securedProperties[i];
var securedPropertyType = securedPropertyInfo.PropertyType;
var originalPropertyInfo = originalProperties[i];
var securedPropertyInfoCustomAttributes = securedPropertyInfo.CustomAttributes;
var securedValue = securedPropertyInfo.GetValue(securedObject, null);
if (securedValue != null)
{
var originalValue = originalPropertyInfo.GetValue(originalObject, null);
CustomAttributeData secureAttribute;
if (action != "Read")
{
secureAttribute = securedPropertyInfoCustomAttributes.FirstOrDefault(x => x.AttributeType == typeof (SecureWritePropertyAttribute));
}
else
{
secureAttribute = securedPropertyInfoCustomAttributes.FirstOrDefault(x => x.AttributeType == typeof (SecureReadPropertyAttribute));
}
if (securedPropertyType.FullName != "System.String" && securedPropertyType.GetInterface("IEnumerable") != null)
{
var recursiveAuthorizationResponse = ProcessEnumerable(securedPropertyType, securedObject, originalObject, securedPropertyInfo, originalPropertyInfo, action, role, depth);
securedPropertyInfo.SetValue(securedObject, recursiveAuthorizationResponse.SecuredObject);
authorizationResponse.AuthorizationMessage = string.Format("{0} {1}", authorizationResponse.AuthorizationMessage, recursiveAuthorizationResponse.AuthorizationMessage);
}
if (!(securedPropertyType.IsPrimitive || securedPropertyType.IsValueType || (securedPropertyType == typeof (string)) || securedPropertyType.GetInterface("IEnumerable") != null) && depth < _securityContext.FieldLevelSecurityEvaulationDepth)
{
var recursiveAuthorizationResponse = ProcessObjectFieldSecurity(securedValue, originalValue, action, role, depth++);
securedPropertyInfo.SetValue(securedObject, recursiveAuthorizationResponse.SecuredObject);
authorizationResponse.AuthorizationMessage = string.Format("{0} {1}", authorizationResponse.AuthorizationMessage, recursiveAuthorizationResponse.AuthorizationMessage);
}
if (secureAttribute != null)
{
var securedPropertyName = secureAttribute.NamedArguments.FirstOrDefault(x => x.MemberName == "PropertyName").TypedValue.Value as string;
if (securedPropertyName == null)
{
securedPropertyName = string.Format("{0}.{1}", securedType.FullName, securedPropertyInfo.Name);
}
if (securedValue != originalValue && !_securityPermissionProvider.CanPerformActionOnProperty(role, action, securedPropertyName))
{
authorizationFailureMessages.Add(string.Format("Current User with Role {0} Does Not Have Permission to Perform Action {1} on Property {2}", role, action, securedPropertyName));
securedValue = originalValue;
}
securedPropertyInfo.SetValue(securedObject, securedValue);
}
}
}
authorizationResponse.SecuredObject = securedObject;
var authorizationMessageStringBuilder = new StringBuilder();
foreach (var authorizationFailureMessage in authorizationFailureMessages)
{
authorizationMessageStringBuilder.Append(authorizationFailureMessage);
authorizationMessageStringBuilder.Append(" ");
}
authorizationResponse.AuthorizationMessage = string.Format("{0} {1}", authorizationResponse.AuthorizationMessage, authorizationMessageStringBuilder);
return authorizationResponse;
}
private AuthorizationResponse ProcessEnumerable(Type securedPropertyType, object securedObject, object originalObject, PropertyInfo securedPropertyInfo, PropertyInfo originalPropertyInfo, string action, string role, int depth = 0)
{
var authorizationResponse = new AuthorizationResponse();
if (securedObject == null)
{
return authorizationResponse;
}
if (originalObject == null)
{
throw new SecurityException("No Secure State of Object Exists!");
}
var securedValue = securedPropertyInfo.GetValue(securedObject, null);
if (securedValue == null)
{
return authorizationResponse;
}
var originalValue = originalPropertyInfo.GetValue(originalObject, null);
if (securedPropertyType.FullName != "System.String" && securedPropertyType.GetInterface("IEnumerable") != null)
{
var securedEnumerable = securedValue as IEnumerable;
var originalEnumerable = originalValue as IEnumerable;
var securedList = new List<object>();
var originalList = new List<object>();
foreach (var item in securedEnumerable)
{
securedList.Add(item);
}
if (originalEnumerable != null)
{
foreach (var item in originalEnumerable)
{
originalList.Add(item);
}
}
for (var j = 0; j < securedList.Count; j++)
{
var securedCollectionItem = securedList[j];
var securedCollectionItemType = securedCollectionItem.GetType();
object originalCollectionItem = null;
if (originalList.Count > j)
{
originalCollectionItem = originalList[j];
}
else
{
originalCollectionItem = _objectFactory.Create(securedCollectionItemType);
}
var originalCollectionItemType = originalCollectionItem.GetType();
// TODO: Test List<List<object>>
if (securedCollectionItemType.FullName != "System.String" &&
securedCollectionItemType.GetInterface("IEnumerable") != null)
{
var securedCollectionItemPropertyInfo = securedCollectionItemType.GetProperty("Item");
var originalCollectionItemPropertyInfo = originalCollectionItemType.GetProperty("Item");
var recursiveAuthorizationResponse = ProcessEnumerable(securedCollectionItemType, securedCollectionItem, originalCollectionItem, securedCollectionItemPropertyInfo, originalCollectionItemPropertyInfo, action, role, depth);
securedList[j] = recursiveAuthorizationResponse.SecuredObject;
authorizationResponse.AuthorizationMessage = string.Format("{0} {1}", authorizationResponse.AuthorizationMessage, recursiveAuthorizationResponse.AuthorizationMessage);
}
if (!(securedCollectionItemType.IsPrimitive || securedCollectionItemType.IsValueType || (securedCollectionItemType == typeof(string))) && depth < _securityContext.FieldLevelSecurityEvaulationDepth)
{
var newDepth = depth + 1;
var recursiveAuthorizationResponse = ProcessObjectFieldSecurity(securedCollectionItem, originalCollectionItem, action, role, newDepth);
securedList[j] = recursiveAuthorizationResponse.SecuredObject;
authorizationResponse.AuthorizationMessage = string.Format("{0} {1}", authorizationResponse.AuthorizationMessage, recursiveAuthorizationResponse.AuthorizationMessage);
}
}
}
authorizationResponse.SecuredObject = securedValue;
return authorizationResponse;
}
