Exemple #1
0
        /// <summary>
        /// Tests security for (RlsOwner /or/ RlsMask).
        /// </summary>
        /// <param name="rlsOwner">The rlsOwner from the row.</param>
        /// <param name="rlsMask">The rlsMask from the row.</param>
        /// <param name="user">The current security principal.</param>
        void TryRowLevelSecurityOrException(Guid rlsOwner, byte[] rlsMask, ss.User user)
        {
            RowLevelSecurityHelper.EvalOption option = RowLevelSecurityHelper.EvalOption.None;
            if (rlsOwner != Guid.Empty)
            {
                option |= RowLevelSecurityHelper.EvalOption.Owner;
            }
            if (rlsMask != null)
            {
                option |= RowLevelSecurityHelper.EvalOption.Mask;
            }

            RowLevelSecurityHelper rlsHelper = new RowLevelSecurityHelper()
            {
                RowOwnerId               = rlsOwner,
                RowRlsMask               = rlsMask,
                SecurityPrincipalId      = user.IdToGuid(),
                SecurityPrincipalRlsMask = user.RlsMask,
                Option = option
            };

            rlsHelper.Eval();

            bool ok = rlsHelper.IsRowOwner || rlsHelper.HasMaskMatch;

            if (!ok)
            {
                throw new SecurityException("You do not have rights to this record.");
            }
        }
Exemple #2
0
 public static SuplexUserRecord FromSuplexNative(this ss.User user)
 {
     return(new SuplexUserRecord()
     {
         Id = user.Id,
         Name = user.Name,
         Description = user.Description,
         IsLocal = user.IsLocal,
         IsAnonymous = user.IsAnonymous
     });
 }
Exemple #3
0
        public SuplexUserRecord GetSuplexResolvedUserByName(string name)
        {
            ss.User user = new ss.User()
            {
                Name = name,
                CreateUnresolvedName = true,
                DataAccessor         = _da
            };
            user.ResolveByName();

            return(user.FromSuplexNative());
        }
Exemple #4
0
        //      internal ss.User GetSuplexUser(bool resolve)
        //{
        //	return this.GetSuplexUser( resolve, true );
        //}

        internal ss.User GetSuplexUser(string userName, bool resolve = false, bool resolveRls = true)
        {
            ss.User user = new ss.User()
            {
                Name = userName,
                CreateUnresolvedName = true
            };
            if (resolve)
            {
                user.DataAccessor = _da;

                //this is just for the option of avoiding the AD lookup
                if (resolveRls)
                {
                    ExternalGroupInfo egi = new ExternalGroupInfo(LdapRoot, true, GlobalExternalGroupsCsv);
                    egi.BuildGroupsList(userName);

                    sg.SqlResult result = user.ResolveByName(true, egi.GroupsList);
                    //sometimes multithreaded requests to create a new user get too close together, causing a dup-username error
                    //this is a cheap retry
                    if (result.SqlException != null)
                    {
                        if (result.SqlException.Number == 2601)  //2601 == duplicate value error
                        {
                            System.Threading.Thread.Sleep(500);
                            result = user.ResolveByName(true, egi.GroupsList);
                        }

                        //if err not duplicate or it still didn't work in retry, throw the exeption
                        if (result.SqlException != null)
                        {
                            throw result.SqlException;
                        }
                    }
                }
                else
                {
                    user.ResolveByName();
                }
            }

            if (user.RlsMask == null)
            {
                user.RlsMask = new byte[] { 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0 };
            }

            return(user);
        }
Exemple #5
0
 public SuplexSecurityInfo(ss.User user, SplxSecureManagerBase security)
 {
     User     = user;
     Security = security;
 }
Exemple #6
0
 public SuplexUserRecord GetCurrentSuplexUser(string userName)
 {
     ss.User user = this.GetSuplexUser(userName, resolve: true);
     return(user.FromSuplexNative());
 }
Exemple #7
0
        /// <summary>
        /// Tests security /and/ (RlsOwner /or/ RlsMask) for the given UniqueName and validates SecurityResults[AceType.Record, right].AccessAllowed
        /// </summary>
        /// <param name="uniqueName">The UniqueName for which to select security.</param>
        /// <param name="right">The RecordRight to test (used in error message).</param>
        /// <param name="assetType">The associated AssetType (used in error message).</param>
        /// <param name="rowOwnerId">The rlsOwner from the row.</param>
        /// <param name="rowRlsMask">The rlsMask from the row.</param>
        public ss.User TrySecurityOrException(string uniqueName, AceType aceType, object right,
                                              Guid?rowOwnerId = null, byte[] rowRlsMask = null, bool?allowOwnerOverride = null,
                                              ss.User user    = null)
        {
            if (rowOwnerId == null)
            {
                rowOwnerId = Guid.Empty;
            }
            if (rowOwnerId != Guid.Empty && allowOwnerOverride == null)
            {
                allowOwnerOverride = true;
            }
            if (allowOwnerOverride == null)
            {
                allowOwnerOverride = false;
            }

            string exceptionMsg        = $"You do not have {right} rights to this record.";
            SecurityLoadParameters slp = new SecurityLoadParameters()
            {
                ExternalGroupInfo = new ExternalGroupInfo(LdapRoot, true, GlobalExternalGroupsCsv),
                User = user == null?this.GetSuplexUser(true) : user
            };

            SplxSecureManagerBase perms = this.GetSecureManagerManagerSecurity(aceType, uniqueName, slp);

            #region eval rls
            RowLevelSecurityHelper.EvalOption option = RowLevelSecurityHelper.EvalOption.None;
            if (rowOwnerId != Guid.Empty)
            {
                option |= RowLevelSecurityHelper.EvalOption.Owner;
            }
            if (rowRlsMask != null)
            {
                option |= RowLevelSecurityHelper.EvalOption.Mask;
            }

            RowLevelSecurityHelper rlsHelper = new RowLevelSecurityHelper()
            {
                RowOwnerId               = rowOwnerId.Value,
                RowRlsMask               = rowRlsMask,
                SecurityPrincipalId      = slp.User.IdToGuid(),
                SecurityPrincipalRlsMask = slp.User.RlsMask,
                Option = option
            };

            perms.Security.EvalRowLevelSecurity(rlsHelper, aceType, new object[] { right }, allowOwnerOverride.Value);

            if (option != RowLevelSecurityHelper.EvalOption.None &&
                !perms.Security.Descriptor.SecurityResults[aceType, right].AccessAllowed)
            {
                exceptionMsg = "You do not have rights to this record.";
            }
            #endregion


            if (!perms.Security.Descriptor.SecurityResults[aceType, right].AccessAllowed)
            {
                throw new SecurityException(exceptionMsg);
            }

            return(slp.User);
        }