Esempio n. 1
        /// <summary>
        /// Asks the policy decider whether the caller may reach the module served by this host.
        /// The three explicit denial codes are turned into HTTP rejections via ThrowRejection.
        /// </summary>
        /// <param name="domainOfAccess">Domain value forwarded unchanged to the policy decider.</param>
        /// <param name="privilegeLevel">Privilege level forwarded unchanged to the policy decider.</param>
        /// <param name="userIdentifier">User identifier forwarded unchanged to the policy decider.</param>
        /// <returns>
        /// true only when the decider answers <c>ResultCode.Allow</c>; false for every other code that
        /// reaches the end of the method (default deny).
        /// </returns>
        private bool IsValidAccess(string domainOfAccess, string privilegeLevel, string userIdentifier)
        {
            // When this class runs in the platform appdomain there is no ModuleBase reference, so the
            // module friendly name (e.g., GuiWeb, scouts) is taken from the first base address instead.
            // ElementAt(2) assumes the local path has at least three '/'-separated parts; a shorter
            // path throws here rather than being treated as a denial.
            string[] pathParts = safeServiceHost.BaseAddresses()[0].LocalPath.Split('/');
            string accessedModuleName = pathParts.ElementAt(2);

            var verdict = (ResultCode)consumer.IsValidAccess(accessedModuleName, domainOfAccess, privilegeLevel, userIdentifier);

            // NOTE(review): insufficient privilege is reported as 401 while an unauthorized user gets 403.
            // Conventional HTTP usage is 401 for a missing/invalid credential and 403 for an authenticated
            // caller lacking permission - confirm clients rely on the current mapping before changing it.
            // ThrowRejection presumably throws; if it ever returns, control falls through to the final deny.
            switch (verdict)
            {
                case ResultCode.InSufficientPrivilege:
                    ThrowRejection(HttpStatusCode.Unauthorized, "Insufficient privilege of given token.");
                    break;

                case ResultCode.InvalidUser:
                    ThrowRejection(HttpStatusCode.Forbidden, "User access for given user not authorized.");
                    break;

                case ResultCode.ForbiddenAccess:
                    ThrowRejection(HttpStatusCode.Forbidden, "User access forbidden by policy.");
                    break;

                case ResultCode.Allow:
                    return true;
            }

            // Any result code not listed above is treated as "not allowed".
            return false;
        }
        /// <summary>
        /// Builds a <c>SafeServiceHost</c> for the valve-controller notifier contract and attaches a
        /// single web (REST-style) endpoint at the host's first base address.
        /// </summary>
        /// <param name="logger">Logger handed to the SafeServiceHost constructor.</param>
        /// <param name="moduleBase">Owning module handed to the SafeServiceHost constructor.</param>
        /// <param name="instance">Service instance that implements the contract.</param>
        /// <param name="address">Address string handed to the SafeServiceHost constructor.</param>
        /// <returns>The configured host; this method does not open it.</returns>
        public static SafeServiceHost CreateServiceHost(VLogger logger, ModuleBase moduleBase, ISimplexValveControllerNotifierContract instance,
                                                     string address)
        {
            var host = new SafeServiceHost(logger, moduleBase, instance, address);

            ContractDescription notifierContract = ContractDescription.GetContract(typeof(ISimplexValveControllerNotifierContract));

            // A parameterless WebHttpBinding uses WebHttpSecurityMode.None, so the binding itself adds
            // neither transport security nor a client-credential requirement. Whatever access control
            // applies must come from SafeServiceHost - confirm against its implementation.
            WebHttpBinding httpBinding = new WebHttpBinding();
            EndpointAddress endpointAddress = new EndpointAddress(host.BaseAddresses()[0]);

            ServiceEndpoint restEndpoint = new ServiceEndpoint(notifierContract, httpBinding, endpointAddress);
            restEndpoint.EndpointBehaviors.Add(new WebHttpBehavior());
            host.AddServiceEndpoint(restEndpoint);

            // NOTE(review): what AddServiceMetadataBehavior publishes is not visible here; if it exposes
            // service metadata, confirm that is wanted on a deployed endpoint.
            host.AddServiceMetadataBehavior(new ServiceMetadataBehavior());

            return host;
        }
Esempio n. 3
        /// <summary>
        /// Creates the authorization manager for one service host and decides, once, whether policy
        /// enforcement can be switched off for it.
        /// </summary>
        /// <param name="consumer">Policy decider that is queried for access decisions.</param>
        /// <param name="safeServiceHost">Host whose first base address identifies the accessed module.</param>
        public SafeServiceAuthorizationManager(SafeServicePolicyDecider consumer, SafeServiceHost safeServiceHost)
            : base()
        {
            this.consumer = consumer;
            this.safeServiceHost = safeServiceHost;

            // NOTE(review): plain Dictionary; if authorization checks can run concurrently, access to
            // this cache needs synchronization - confirm against the methods that use it.
            hostTokenResultCache = new Dictionary<string, Dictionary<DateTime, bool>>();

            // Enforce by default; only the wildcard probe below can turn enforcement off.
            this.enforcePolicies = true;

            // ElementAt(2) assumes the local path has at least three '/'-separated parts.
            string[] pathSegments = safeServiceHost.BaseAddresses()[0].LocalPath.Split('/');
            string accessedModuleName = pathSegments.ElementAt(2);

            // Stub: if the policy allows every user from every domain at every privilege level to reach
            // this module, enforcement is treated as unnecessary.
            // NOTE(review): in the visible code this is evaluated only at construction, so a policy that
            // is tightened later would not re-enable enforcement for this instance - confirm.
            var wildcardVerdict = (ResultCode)consumer.IsValidAccess(accessedModuleName, "*", "*", "*");
            bool policyAllowsEveryone = wildcardVerdict == ResultCode.Allow;
            if (policyAllowsEveryone)
            {
                this.enforcePolicies = false;
            }
        }
        /*public static ServiceHost CreateServiceHost(ISimplexDoorjambContract instance,
                                                     Uri baseAddress)*/
        /// <summary>
        /// Builds a <c>SafeServiceHost</c> for the doorjamb contract with one web endpoint bound to the
        /// host's first base address, then registers a metadata behavior on it.
        /// </summary>
        /// <param name="logger">Logger passed through to the SafeServiceHost constructor.</param>
        /// <param name="moduleBase">Owning module passed through to the SafeServiceHost constructor.</param>
        /// <param name="instance">Service instance that implements the contract.</param>
        /// <param name="address">Address string passed through to the SafeServiceHost constructor.</param>
        /// <returns>The configured host; it is not opened here.</returns>
        public static SafeServiceHost CreateServiceHost(VLogger logger, ModuleBase moduleBase, ISimplexDoorjambContract instance,
                                                    string address)
        {
            SafeServiceHost doorjambHost = new SafeServiceHost(logger, moduleBase, instance, address);

            var doorjambContract = ContractDescription.GetContract(typeof(ISimplexDoorjambContract));

            // The default WebHttpBinding runs with WebHttpSecurityMode.None: no transport security and
            // no client credentials at the binding level. Any protection has to come from
            // SafeServiceHost itself - confirm.
            var endpoint = new ServiceEndpoint(
                doorjambContract,
                new WebHttpBinding(),
                new EndpointAddress(doorjambHost.BaseAddresses()[0]));
            endpoint.EndpointBehaviors.Add(new WebHttpBehavior());

            doorjambHost.AddServiceEndpoint(endpoint);

            // No separate IMetadataExchange ("mex") endpoint is registered here.
            // NOTE(review): the effect of AddServiceMetadataBehavior is not visible in this listing;
            // confirm whether it makes service metadata retrievable and whether that is intended.
            doorjambHost.AddServiceMetadataBehavior(new ServiceMetadataBehavior());

            return doorjambHost;
        }
Esempio n. 5
        /// <summary>
        /// Wires the authorization manager to its policy decider and service host, and probes the
        /// policy once to decide whether enforcement stays on.
        /// </summary>
        /// <param name="consumer">Policy decider used for the wildcard probe and later decisions.</param>
        /// <param name="safeServiceHost">Host whose first base address yields the module name.</param>
        public SafeServiceAuthorizationManager(SafeServicePolicyDecider consumer, SafeServiceHost safeServiceHost)
            : base()
        {
            hostTokenResultCache = new Dictionary<string, Dictionary<DateTime, bool>>();
            this.consumer = consumer;
            this.safeServiceHost = safeServiceHost;

            // Start from the safe setting: policies are enforced unless the probe says otherwise.
            this.enforcePolicies = true;

            // The module name is the third '/'-separated part of the base address path; ElementAt(2)
            // throws if the path is shorter than that.
            Uri firstBaseAddress = safeServiceHost.BaseAddresses()[0];
            string accessedModuleName = firstBaseAddress.LocalPath.Split('/').ElementAt(2);

            // Stub: an "allow every user, every domain, every privilege" answer for this module is taken
            // to mean enforcement is not needed.
            // NOTE(review): the probe runs only here in the visible code, so the flag does not follow
            // later policy changes, and disabling enforcement depends entirely on how the decider treats
            // the "*" arguments - confirm both.
            ResultCode probe = (ResultCode)consumer.IsValidAccess(accessedModuleName, "*", "*", "*");
            if (probe != ResultCode.Allow)
            {
                return;
            }

            this.enforcePolicies = false;
        }