/// <summary>
/// Tests security for (RlsOwner /or/ RlsMask).
/// </summary>
/// <param name="rlsOwner">The rlsOwner from the row.</param>
/// <param name="rlsMask">The rlsMask from the row.</param>
/// <param name="user">The current security principal.</param>
void TryRowLevelSecurityOrException(Guid rlsOwner, byte[] rlsMask, ss.User user)
{
RowLevelSecurityHelper.EvalOption option = RowLevelSecurityHelper.EvalOption.None;
if (rlsOwner != Guid.Empty)
{
option |= RowLevelSecurityHelper.EvalOption.Owner;
}
if (rlsMask != null)
{
option |= RowLevelSecurityHelper.EvalOption.Mask;
}
RowLevelSecurityHelper rlsHelper = new RowLevelSecurityHelper()
{
RowOwnerId = rlsOwner,
RowRlsMask = rlsMask,
SecurityPrincipalId = user.IdToGuid(),
SecurityPrincipalRlsMask = user.RlsMask,
Option = option
};
rlsHelper.Eval();
bool ok = rlsHelper.IsRowOwner || rlsHelper.HasMaskMatch;
if (!ok)
{
throw new SecurityException("You do not have rights to this record.");
}
}
public static SuplexUserRecord FromSuplexNative(this ss.User user)
{
return(new SuplexUserRecord()
{
Id = user.Id,
Name = user.Name,
Description = user.Description,
IsLocal = user.IsLocal,
IsAnonymous = user.IsAnonymous
});
}
public SuplexUserRecord GetSuplexResolvedUserByName(string name)
{
ss.User user = new ss.User()
{
Name = name,
CreateUnresolvedName = true,
DataAccessor = _da
};
user.ResolveByName();
return(user.FromSuplexNative());
}
// internal ss.User GetSuplexUser(bool resolve)
//{
// return this.GetSuplexUser( resolve, true );
//}
internal ss.User GetSuplexUser(string userName, bool resolve = false, bool resolveRls = true)
{
ss.User user = new ss.User()
{
Name = userName,
CreateUnresolvedName = true
};
if (resolve)
{
user.DataAccessor = _da;
//this is just for the option of avoiding the AD lookup
if (resolveRls)
{
ExternalGroupInfo egi = new ExternalGroupInfo(LdapRoot, true, GlobalExternalGroupsCsv);
egi.BuildGroupsList(userName);
sg.SqlResult result = user.ResolveByName(true, egi.GroupsList);
//sometimes multithreaded requests to create a new user get too close together, causing a dup-username error
//this is a cheap retry
if (result.SqlException != null)
{
if (result.SqlException.Number == 2601) //2601 == duplicate value error
{
System.Threading.Thread.Sleep(500);
result = user.ResolveByName(true, egi.GroupsList);
}
//if err not duplicate or it still didn't work in retry, throw the exeption
if (result.SqlException != null)
{
throw result.SqlException;
}
}
}
else
{
user.ResolveByName();
}
}
if (user.RlsMask == null)
{
user.RlsMask = new byte[] { 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0 };
}
return(user);
}
public SuplexSecurityInfo(ss.User user, SplxSecureManagerBase security)
{
User = user;
Security = security;
}
public SuplexUserRecord GetCurrentSuplexUser(string userName)
{
ss.User user = this.GetSuplexUser(userName, resolve: true);
return(user.FromSuplexNative());
}
/// <summary>
/// Tests security /and/ (RlsOwner /or/ RlsMask) for the given UniqueName and validates SecurityResults[AceType.Record, right].AccessAllowed
/// </summary>
/// <param name="uniqueName">The UniqueName for which to select security.</param>
/// <param name="right">The RecordRight to test (used in error message).</param>
/// <param name="assetType">The associated AssetType (used in error message).</param>
/// <param name="rowOwnerId">The rlsOwner from the row.</param>
/// <param name="rowRlsMask">The rlsMask from the row.</param>
public ss.User TrySecurityOrException(string uniqueName, AceType aceType, object right,
Guid?rowOwnerId = null, byte[] rowRlsMask = null, bool?allowOwnerOverride = null,
ss.User user = null)
{
if (rowOwnerId == null)
{
rowOwnerId = Guid.Empty;
}
if (rowOwnerId != Guid.Empty && allowOwnerOverride == null)
{
allowOwnerOverride = true;
}
if (allowOwnerOverride == null)
{
allowOwnerOverride = false;
}
string exceptionMsg = $"You do not have {right} rights to this record.";
SecurityLoadParameters slp = new SecurityLoadParameters()
{
ExternalGroupInfo = new ExternalGroupInfo(LdapRoot, true, GlobalExternalGroupsCsv),
User = user == null?this.GetSuplexUser(true) : user
};
SplxSecureManagerBase perms = this.GetSecureManagerManagerSecurity(aceType, uniqueName, slp);
#region eval rls
RowLevelSecurityHelper.EvalOption option = RowLevelSecurityHelper.EvalOption.None;
if (rowOwnerId != Guid.Empty)
{
option |= RowLevelSecurityHelper.EvalOption.Owner;
}
if (rowRlsMask != null)
{
option |= RowLevelSecurityHelper.EvalOption.Mask;
}
RowLevelSecurityHelper rlsHelper = new RowLevelSecurityHelper()
{
RowOwnerId = rowOwnerId.Value,
RowRlsMask = rowRlsMask,
SecurityPrincipalId = slp.User.IdToGuid(),
SecurityPrincipalRlsMask = slp.User.RlsMask,
Option = option
};
perms.Security.EvalRowLevelSecurity(rlsHelper, aceType, new object[] { right }, allowOwnerOverride.Value);
if (option != RowLevelSecurityHelper.EvalOption.None &&
!perms.Security.Descriptor.SecurityResults[aceType, right].AccessAllowed)
{
exceptionMsg = "You do not have rights to this record.";
}
#endregion
if (!perms.Security.Descriptor.SecurityResults[aceType, right].AccessAllowed)
{
throw new SecurityException(exceptionMsg);
}
return(slp.User);
}
