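/// <summary>
/// Test helper: asks the AzMan store at AzManStorePath whether the current Windows user may
/// perform the operation named in txtOperation, inside the application "Application Test".
/// </summary>
/// <returns>
/// true when AccessCheck reports 0 for every requested operation; false as soon as one
/// entry is non-zero.
/// </returns>
private bool AzManTestCheckAccess()
{
    WindowsIdentity identity = WindowsIdentity.GetCurrent();
    string applicationName = "Application Test";
    // The operation name is taken verbatim from the text box; OpenOperation below is what
    // rejects an unknown name (presumably by throwing — confirm against the interop docs).
    string[] operations = new string[] { this.txtOperation.Text };

    AzAuthorizationStoreClass store = new AzAuthorizationStoreClass();
    store.Initialize(0, AzManStorePath, null);
    IAzApplication azApp = store.OpenApplication(applicationName, null);
    // Same token conversion as the GetClientContext helpers in this file: IntPtr -> long -> ulong.
    IAzClientContext clientCtx = azApp.InitializeClientContextFromToken((ulong)identity.Token.ToInt64(), null);

    // Business-rule parameter names/values: none are supplied for this test.
    Object[] names = new Object[0];
    Object[] values = new Object[0];
    // Resolve each operation name to its numeric AzMan operation ID.
    Object[] operationIds = new Object[operations.Length];
    for (Int32 index = 0; index < operations.Length; index++)
    {
        operationIds[index] = azApp.OpenOperation(operations[index], null).OperationID;
    }
    // A single null scope entry is passed (presumably meaning "application scope" — confirm).
    Object[] internalScopes = new Object[1];
    Object[] result = (Object[])clientCtx.AccessCheck("AuditString", internalScopes, operationIds, names, values, null, null, null);

    // AccessCheck returns one status per operation; anything other than 0 is treated as a denial.
    foreach (Int32 accessAllowed in result)
    {
        if (accessAllowed != 0)
        {
            return false;
        }
    }
    return true;
}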
/// <devdoc>
/// Opens the AzMan store at this.storeLocation, opens <paramref name="applicationName"/> in it
/// (returned through <paramref name="azApp"/>) and builds a client context from the caller's
/// Windows token. Store creation and application lookup are serialized on contextLock.
/// </devdoc>
private IAzClientContext GetClientContext(WindowsIdentity identity, String applicationName, out IAzApplication azApp)
{
    lock (contextLock)
    {
        AzAuthorizationStoreClass policyStore = new AzAuthorizationStoreClass();
        policyStore.Initialize(0, this.storeLocation, null);
        azApp = policyStore.OpenApplication(applicationName, null);
    }
    // IntPtr -> long -> ulong: the interop signature takes the raw token handle as UInt64.
    long rawToken = identity.Token.ToInt64();
    return azApp.InitializeClientContextFromToken((ulong)rawToken, null);
}
/// <devdoc>
/// Builds an AzMan client context for <paramref name="identity"/> against the store named in
/// <paramref name="data"/>.StoreLocation. Only a WindowsIdentity can be turned into a token;
/// any other identity type is rejected with ArgumentException (SR.WindowsIdentityOnly).
/// </devdoc>
private IAzClientContext GetClientContext(AzManAuthorizationProviderData data, IIdentity identity, String applicationName, out IAzApplication azApp)
{
    if (!(identity is WindowsIdentity))
    {
        throw new ArgumentException(SR.WindowsIdentityOnly);
    }
    WindowsIdentity windowsIdentity = (WindowsIdentity)identity;

    AzAuthorizationStoreClass policyStore = new AzAuthorizationStoreClass();
    policyStore.Initialize(0, data.StoreLocation, null);
    azApp = policyStore.OpenApplication(applicationName, null);
    Debug.Assert(azApp != null, "could not open the application");

    // The interop signature wants the raw token handle as UInt64.
    IAzClientContext context = azApp.InitializeClientContextFromToken((ulong)windowsIdentity.Token.ToInt64(), null);
    Debug.Assert(context != null, "could not get the context");
    return (context);
}
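/// <summary>
/// Populates the AzMan store at <paramref name="azManStorePath"/> with a synthetic hierarchy for
/// timing tests: <paramref name="n"/> applications, each holding <paramref name="n"/> operations,
/// tasks, role definitions and roles, and adds the current user to every generated role.
/// </summary>
/// <param name="azManStorePath">AzMan store URL passed to IAzAuthorizationStore.Initialize.</param>
/// <param name="n">Number of applications and of items per application; must be positive.</param>
/// <exception cref="ArgumentOutOfRangeException"><paramref name="n"/> is zero or negative.</exception>
private void CreaStrutturaSuAzMan(string azManStorePath, int n)
{
    // Reject up front: the progress bar below would otherwise be given Maximum = -1 after the
    // wait cursor and timer have already been started.
    if (n <= 0)
    {
        throw new ArgumentOutOfRangeException("n", "n must be greater than zero.");
    }

    this.Clessidra(true);
    this.StartTimer();
    try
    {
        WindowsIdentity id = WindowsIdentity.GetCurrent();
        IAzAuthorizationStore store = new AzAuthorizationStoreClass();
        store.Initialize(0, azManStorePath, null);

        this.pb.Maximum = n - 1;
        for (int a = 0; a < n; a++)
        {
            IAzApplication app = store.CreateApplication("Application" + a.ToString(), null);
            app.Submit(0, null);
            this.pb.Value = a;
            // Keep the UI responsive during the long-running loop (re-entrancy caveat: any
            // pending UI handler can run here).
            Application.DoEvents();
            for (int i = 0; i < n; i++)
            {
                IAzOperation op = app.CreateOperation("Operation" + i.ToString(), null);
                op.OperationID = i + 1;
                op.Submit(0, null);

                IAzTask task = app.CreateTask("Task" + i.ToString(), null);
                task.AddOperation(op.Name, null);
                task.Submit(0, null);

                // "Role<i>" is created twice on purpose: once as a role definition (a task
                // flagged IsRoleDefinition) wrapping Task<i>, and once as the role assignment.
                IAzTask roleTask = app.CreateTask("Role" + i.ToString(), null);
                roleTask.IsRoleDefinition = 1;
                roleTask.AddTask("Task" + i.ToString(), null);
                roleTask.Submit(0, null);

                IAzRole role = app.CreateRole("Role" + i.ToString(), null);
                role.AddTask("Role" + i.ToString(), null);
                role.AddMember(id.User.Value, null); // the current user's SID is granted every generated role
                role.Submit(0, null);
            }
        }
    }
    finally
    {
        // Always restore the cursor and stop the timer, even when AzMan throws mid-way.
        this.StopTimer(this.txtAzManElapsed);
        this.Clessidra(false);
    }
}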
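/// <summary>
/// Checks whether the current HTTP user is allowed to perform every AzMan operation in
/// <paramref name="operationIds"/>, using the policy store connection string and application
/// name held in <see cref="AuthorizationManagerConstants"/>.
/// </summary>
/// <param name="operationIds">AzMan operation IDs, passed straight through to IAzClientContext.AccessCheck.</param>
/// <returns>
/// true only when AccessCheck reports 0 (allowed) for each requested operation; false otherwise,
/// including for an empty <paramref name="operationIds"/> (fail closed instead of indexing an
/// empty result).
/// </returns>
/// <exception cref="ArgumentNullException"><paramref name="operationIds"/> is null.</exception>
/// <exception cref="InvalidOperationException">
/// There is no current request, or its identity is not a WindowsIdentity, so there is no token to
/// build the client context from.
/// </exception>
public bool CheckAccessPermissions(object[] operationIds)
{
    if (operationIds == null)
    {
        throw new ArgumentNullException("operationIds");
    }
    if (operationIds.Length == 0)
    {
        return false;
    }

    // AzMan needs a Windows token; make a non-Windows principal an explicit error instead of a
    // NullReferenceException further down.
    HttpContext context = HttpContext.Current;
    IPrincipal userPrincipal = (context == null) ? null : context.User;
    WindowsIdentity userIdentity = (userPrincipal == null) ? null : userPrincipal.Identity as WindowsIdentity;
    if (userIdentity == null)
    {
        throw new InvalidOperationException("CheckAccessPermissions requires a WindowsIdentity on the current HTTP request.");
    }

    AzAuthorizationStoreClass azManStore = new AzAuthorizationStoreClass();
    azManStore.Initialize(0, ConfigurationManager.ConnectionStrings[AuthorizationManagerConstants.AZMANPOLICYSTORECONNECTIONSTRING].ConnectionString, null);
    IAzApplication azApp = azManStore.OpenApplication(AuthorizationManagerConstants.AZMANAPPLICATION, null);
    // Same IntPtr -> long -> ulong token conversion as the other AzMan helpers in this file.
    IAzClientContext clientContext = azApp.InitializeClientContextFromToken((ulong)userIdentity.Token.ToInt64(), null);

    // The first argument is the audit string, recorded when run-time auditing is turned on.
    // A single null scope entry is passed, as before.
    object[] result = (object[])clientContext.AccessCheck("CheckAccessPermission", new object[1], operationIds, null, null, null, null, null);

    // AccessCheck returns one status per operation, 0 meaning authorized. Every requested
    // operation must be authorized; previously only result[0] was inspected, so a second
    // operation id was never actually checked.
    if (result == null || result.Length == 0)
    {
        return false;
    }
    foreach (object status in result)
    {
        if ((int)status != 0)
        {
            return false;
        }
    }
    return true;
}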
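/// <summary>
/// Timing test against the AzMan store at <paramref name="azManStorePath"/>: opens
/// "Application0", builds a client context for the current user and runs one AccessCheck for
/// "Operation0" with a single business-rule parameter. The result is not inspected; the loop
/// over it only exercises the call.
/// </summary>
/// <param name="azManStorePath">AzMan store URL passed to IAzAuthorizationStore.Initialize.</param>
/// <param name="max">
/// Upper bound for a random application index. Currently unused: the index is fixed at 0 and the
/// random pick (new Random().Next(max)) is left disabled.
/// </param>
private void TestSuAzMan(string azManStorePath, int max)
{
    WindowsIdentity id = WindowsIdentity.GetCurrent();
    int rnd = 0; // fixed index; the original intent was new Random().Next(max)
    string appName = "Application" + rnd.ToString();

    IAzAuthorizationStore store = null;
    IAzApplication app = null;
    IAzClientContext ctx = null;
    IAzOperation op = null;
    try
    {
        store = new AzAuthorizationStoreClass();
        store.Initialize(0, azManStorePath, null);
        app = store.OpenApplication(appName, null);
        ctx = app.InitializeClientContextFromToken((ulong)id.Token.ToInt64(), null);

        string opName = "Operation" + rnd.ToString();
        op = app.OpenOperation(opName, null);
        object[] parameterNames = new object[1] { "chiave" };
        object[] parameterValues = new object[1] { "valore" };
        object[] oRes = (object[])ctx.AccessCheck("Test", null, new object[] { op.OperationID }, parameterNames, parameterValues, null, null, null);
        // Walk the per-operation statuses; a non-zero entry (denied) just ends the walk.
        foreach (int accessAllowed in oRes)
        {
            if (accessAllowed != 0)
            {
                break;
            }
        }
        store.CloseApplication(appName, 0);
    }
    finally
    {
        // Release the RCWs even when a call above throws, in the same order as before.
        if (op != null)
        {
            System.Runtime.InteropServices.Marshal.FinalReleaseComObject(op);
        }
        if (app != null)
        {
            System.Runtime.InteropServices.Marshal.FinalReleaseComObject(app);
        }
        if (store != null)
        {
            System.Runtime.InteropServices.Marshal.FinalReleaseComObject(store);
        }
        if (ctx != null)
        {
            System.Runtime.InteropServices.Marshal.FinalReleaseComObject(ctx);
        }
    }
}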
/// <summary>
/// Copies the policy of the AzMan store at <paramref name="azManStorePath"/> (or of the uploaded
/// file in FileUpload1 when rbtStoreFile is checked) into a new NetSqlAzMan store named
/// <paramref name="netSqlAzManStoreName"/>: store groups and their members, then per application
/// its groups, tasks/roles/operations (with hierarchy), scopes, and role authorizations.
/// Everything runs inside one storage transaction that is rolled back if anything throws.
/// </summary>
/// <param name="azManStorePath">AzMan store URL; overwritten with an msxml:// path to the temp file in upload mode.</param>
/// <param name="netSqlAzManStoreName">Name of the NetSqlAzMan store to create.</param>
private void ImportFromAzMan(string azManStorePath, string netSqlAzManStoreName)
{
    Microsoft.Interop.Security.AzRoles.AzAuthorizationStore azstore = null;
    // Temp file used only in upload mode. Path.Combine throws ArgumentNullException if the
    // machine-level "temp" variable is unset; the GUID keeps the name unguessable.
    string tempFileName = Path.Combine(Environment.GetEnvironmentVariable("temp", EnvironmentVariableTarget.Machine), String.Format("AzMan{0}.xml", Guid.NewGuid()));
    try
    {
        this.storage.BeginTransaction(AzManIsolationLevel.ReadUncommitted);
        string storeDescription = String.Format("Store imported from AzMan Store:" + " ({0}) - {1}", azManStorePath, DateTime.Now.ToString());
        IAzManStore store = this.storage.CreateStore(netSqlAzManStoreName, storeDescription);
        azstore = new AzAuthorizationStoreClass();
        if (this.rbtStoreFile.Checked)
        {
            // The uploaded content is written to the temp directory and then parsed by the AzMan
            // runtime as an XML store; the file is deleted in the finally block.
            this.FileUpload1.SaveAs(tempFileName);
            azManStorePath = String.Format("msxml://{0}", tempFileName);
        }
        // Flag 2: presumably AZ_AZSTORE_FLAG_MANAGE_STORE_ONLY — confirm against the AzRoles constants.
        azstore.Initialize(2, azManStorePath, null);
        #region Store Groups
        //Store Groups
        // First pass creates every store group so that the second pass can resolve
        // group-to-group memberships by name.
        foreach (IAzApplicationGroup azStoreGroup in azstore.ApplicationGroups)
        {
            //Store Groups Definition
            if (azStoreGroup.Type == (int)tagAZ_PROP_CONSTANTS.AZ_GROUPTYPE_BASIC)
            {
                //Basic
                store.CreateStoreGroup(SqlAzManSID.NewSqlAzManSid(), azStoreGroup.Name, azStoreGroup.Description, String.Empty, GroupType.Basic);
            }
            else if (azStoreGroup.Type == (int)tagAZ_PROP_CONSTANTS.AZ_GROUPTYPE_LDAP_QUERY)
            {
                //LDap
                store.CreateStoreGroup(SqlAzManSID.NewSqlAzManSid(), azStoreGroup.Name, azStoreGroup.Description, azStoreGroup.LdapQuery, GroupType.LDapQuery);
            }
        }
        //Store Groups Members
        foreach (IAzApplicationGroup azStoreGroup in azstore.ApplicationGroups)
        {
            if (azStoreGroup.Type == (int)tagAZ_PROP_CONSTANTS.AZ_GROUPTYPE_BASIC)
            {
                //Basic
                IAzManStoreGroup storeGroup = store.GetStoreGroup(azStoreGroup.Name);
                //Store Group Members - Members Store Group
                object[] azStoreGroupMembers = azStoreGroup.AppMembers as object[];
                if (azStoreGroupMembers != null)
                {
                    foreach (string azStoreGroupMember in azStoreGroupMembers)
                    {
                        IAzManStoreGroup member = store.GetStoreGroup(azStoreGroupMember);
                        storeGroup.CreateStoreGroupMember(member.SID, WhereDefined.Store, true);
                    }
                }
                //Store Group Non-Members - Non-Members Store Group
                object[] azStoreGroupNonMembers = azStoreGroup.AppNonMembers as object[];
                if (azStoreGroupNonMembers != null)
                {
                    foreach (string azStoreGroupNonMember in azStoreGroupNonMembers)
                    {
                        IAzManStoreGroup nonMember = store.GetStoreGroup(azStoreGroupNonMember);
                        storeGroup.CreateStoreGroupMember(nonMember.SID, WhereDefined.Store, false);
                    }
                }
                //Store Group Members - Windows NT Account
                // Windows SIDs are classified as Local or LDAP by DirectoryServicesWebUtils.GetMemberInfo;
                // the resolved name is not used here.
                object[] azStoreGroupWindowsMembers = azStoreGroup.Members as object[];
                if (azStoreGroupWindowsMembers != null)
                {
                    foreach (string azStoreWindowsMember in azStoreGroupWindowsMembers)
                    {
                        IAzManSid sid = new SqlAzManSID(azStoreWindowsMember);
                        string memberName;
                        bool isLocal;
                        DirectoryServicesWebUtils.GetMemberInfo(sid.StringValue, out memberName, out isLocal);
                        storeGroup.CreateStoreGroupMember(sid, isLocal ? WhereDefined.Local : WhereDefined.LDAP, true);
                    }
                }
                //Store Group NonMembers - Windows NT Account
                object[] azStoreGroupWindowsNonMembers = azStoreGroup.NonMembers as object[];
                if (azStoreGroupWindowsNonMembers != null)
                {
                    foreach (string azStoreWindowsNonMember in azStoreGroupWindowsNonMembers)
                    {
                        IAzManSid sid = new SqlAzManSID(azStoreWindowsNonMember);
                        string memberName;
                        bool isLocal;
                        DirectoryServicesWebUtils.GetMemberInfo(sid.StringValue, out memberName, out isLocal);
                        storeGroup.CreateStoreGroupMember(sid, isLocal ? WhereDefined.Local : WhereDefined.LDAP, false);
                    }
                }
            }
        }
        #endregion Store Groups
        #region Applications
        //Applications
        foreach (IAzApplication azApplication in azstore.Applications)
        {
            IAzManApplication application = store.CreateApplication(azApplication.Name, azApplication.Description);
            #region Application Groups
            //Store Groups
            foreach (IAzApplicationGroup azApplicationGroup in azApplication.ApplicationGroups)
            {
                //Application Groups Definition
                if (azApplicationGroup.Type == (int)tagAZ_PROP_CONSTANTS.AZ_GROUPTYPE_BASIC)
                {
                    //Basic
                    application.CreateApplicationGroup(SqlAzManSID.NewSqlAzManSid(), azApplicationGroup.Name, azApplicationGroup.Description, String.Empty, GroupType.Basic);
                }
                else if (azApplicationGroup.Type == (int)tagAZ_PROP_CONSTANTS.AZ_GROUPTYPE_LDAP_QUERY)
                {
                    //LDap
                    application.CreateApplicationGroup(SqlAzManSID.NewSqlAzManSid(), azApplicationGroup.Name, azApplicationGroup.Description, azApplicationGroup.LdapQuery, GroupType.LDapQuery);
                }
            }
            //Application Groups Members
            foreach (IAzApplicationGroup azApplicationGroup in azApplication.ApplicationGroups)
            {
                if (azApplicationGroup.Type == (int)tagAZ_PROP_CONSTANTS.AZ_GROUPTYPE_BASIC)
                {
                    //Basic
                    IAzManApplicationGroup applicationGroup = application.GetApplicationGroup(azApplicationGroup.Name);
                    //Application Group Members - Members Group
                    // A member name may refer to a store group or an application group; the
                    // store group wins when both lookups succeed.
                    object[] azStoreGroupMembers = azApplicationGroup.AppMembers as object[];
                    if (azStoreGroupMembers != null)
                    {
                        foreach (string azGroupMember in azStoreGroupMembers)
                        {
                            IAzManStoreGroup storemember;
                            try
                            {
                                storemember = store.GetStoreGroup(azGroupMember);
                            }
                            catch (SqlAzManException)
                            {
                                storemember = null;
                            }
                            IAzManApplicationGroup appmember;
                            try
                            {
                                appmember = application.GetApplicationGroup(azGroupMember);
                            }
                            catch (SqlAzManException)
                            {
                                appmember = null;
                            }
                            if (storemember != null)
                            {
                                applicationGroup.CreateApplicationGroupMember(storemember.SID, WhereDefined.Store, true);
                            }
                            else
                            {
                                // NOTE(review): if both lookups threw, appmember is null here and .SID
                                // raises NullReferenceException, which aborts the import via the catch below.
                                applicationGroup.CreateApplicationGroupMember(appmember.SID, WhereDefined.Application, true);
                            }
                        }
                    }
                    //Application Group Non-Members - Non-Members Group
                    object[] azStoreGroupNonMembers = azApplicationGroup.AppNonMembers as object[];
                    if (azStoreGroupNonMembers != null)
                    {
                        foreach (string azGroupNonMember in azStoreGroupNonMembers)
                        {
                            IAzManStoreGroup storenonMember;
                            try
                            {
                                storenonMember = store.GetStoreGroup(azGroupNonMember);
                            }
                            catch (SqlAzManException)
                            {
                                storenonMember = null;
                            }
                            IAzManApplicationGroup appnonMember;
                            try
                            {
                                appnonMember = application.GetApplicationGroup(azGroupNonMember);
                            }
                            catch (SqlAzManException)
                            {
                                appnonMember = null;
                            }
                            if (storenonMember != null)
                            {
                                applicationGroup.CreateApplicationGroupMember(storenonMember.SID, WhereDefined.Store, false);
                            }
                            else
                            {
                                // NOTE(review): same null-dereference possibility as for appmember above.
                                applicationGroup.CreateApplicationGroupMember(appnonMember.SID, WhereDefined.Application, false);
                            }
                        }
                    }
                    //Application Group Members - Windows NT Account
                    object[] azApplicationGroupWindowsMembers = azApplicationGroup.Members as object[];
                    if (azApplicationGroupWindowsMembers != null)
                    {
                        foreach (string azApplicationWindowsMember in azApplicationGroupWindowsMembers)
                        {
                            IAzManSid sid = new SqlAzManSID(azApplicationWindowsMember);
                            string memberName;
                            bool isLocal;
                            DirectoryServicesWebUtils.GetMemberInfo(sid.StringValue, out memberName, out isLocal);
                            applicationGroup.CreateApplicationGroupMember(sid, isLocal ? WhereDefined.Local : WhereDefined.LDAP, true);
                        }
                    }
                    //Application Group NonMembers - Windows NT Account
                    object[] azApplicationGroupWindowsNonMembers = azApplicationGroup.NonMembers as object[];
                    if (azApplicationGroupWindowsNonMembers != null)
                    {
                        foreach (string azApplicationWindowsNonMember in azApplicationGroupWindowsNonMembers)
                        {
                            IAzManSid sid = new SqlAzManSID(azApplicationWindowsNonMember);
                            string memberName;
                            bool isLocal;
                            DirectoryServicesWebUtils.GetMemberInfo(sid.StringValue, out memberName, out isLocal);
                            applicationGroup.CreateApplicationGroupMember(sid, isLocal ? WhereDefined.Local : WhereDefined.LDAP, false);
                        }
                    }
                }
            }
            #endregion Application Groups
            //Without Scopes
            // AzMan tasks flagged IsRoleDefinition become Role items, the others Task items.
            IAzTasks tasks = azApplication.Tasks as IAzTasks;
            if (tasks != null)
            {
                foreach (IAzTask azTask in tasks)
                {
                    if (azTask.IsRoleDefinition == 1)
                    {
                        IAzManItem item = application.CreateItem(azTask.Name, azTask.Description, ItemType.Role);
                    }
                    else
                    {
                        IAzManItem item = application.CreateItem(azTask.Name, azTask.Description, ItemType.Task);
                    }
                }
            }
            IAzOperations operations = azApplication.Operations as IAzOperations;
            if (operations != null)
            {
                foreach (IAzOperation azOperation in operations)
                {
                    application.CreateItem(azOperation.Name, azOperation.Description, ItemType.Operation);
                }
            }
            //Build Item Hierarchy
            // Done after all items exist so SetHirearchy can link children by name.
            if (tasks != null)
            {
                foreach (IAzTask azTask in tasks)
                {
                    this.SetHirearchy(null, azApplication, azTask.Name, application);
                }
            }
            //Scopes
            foreach (IAzScope azScope in azApplication.Scopes)
            {
                // Return value discarded; presumably opening the scope is required before its
                // Tasks/Roles are readable — confirm.
                azApplication.OpenScope(azScope.Name, null);
                IAzTasks tasksOfScope = azScope.Tasks as IAzTasks;
                if (tasksOfScope != null)
                {
                    foreach (IAzTask azTask in tasksOfScope)
                    {
                        if (azTask.IsRoleDefinition == 1)
                        {
                            IAzManItem item = application.CreateItem(azTask.Name, azTask.Description, ItemType.Role);
                        }
                        else
                        {
                            IAzManItem item = application.CreateItem(azTask.Name, azTask.Description, ItemType.Task);
                        }
                    }
                }
                //Build Item Hierarchy
                if (tasksOfScope != null)
                {
                    foreach (IAzTask azTask in tasksOfScope)
                    {
                        this.SetHirearchy(azScope, azApplication, azTask.Name, application);
                    }
                }
            }
            //Authorizations on Roles without Scopes
            // Every imported member is granted AllowWithDelegation; this is a policy decision of
            // the import, not a value read from the source store. The owner of each authorization
            // is the current user (currentOwnerSid).
            AuthorizationType defaultAuthorization = AuthorizationType.AllowWithDelegation;
            IAzRoles azRoles = azApplication.Roles;
            foreach (IAzRole azRole in azRoles)
            {
                IAzManItem item;
                try
                {
                    item = application.GetItem(azRole.Name);
                }
                catch (SqlAzManException)
                {
                    item = null;
                }
                if (item == null)
                {
                    item = application.CreateItem(azRole.Name, azRole.Description, ItemType.Role);
                }
                //Store & Application Groups Authorizations
                // Direct cast here (unlike the "as object[]" + null check used for groups above):
                // a null AppMembers would make this foreach throw NullReferenceException.
                foreach (string member in (object[])azRole.AppMembers)
                {
                    IAzManStoreGroup storeGroup;
                    try
                    {
                        storeGroup = application.Store.GetStoreGroup(member);
                    }
                    catch (SqlAzManException)
                    {
                        storeGroup = null;
                    }
                    IAzManApplicationGroup applicationGroup;
                    try
                    {
                        applicationGroup = application.GetApplicationGroup(member);
                    }
                    catch (SqlAzManException)
                    {
                        applicationGroup = null;
                    }
                    // A name matching neither kind of group is silently skipped here.
                    if (storeGroup != null)
                    {
                        item.CreateAuthorization(this.currentOwnerSid, this.currentOwnerSidWhereDefined, storeGroup.SID, WhereDefined.Store, defaultAuthorization, null, null);
                    }
                    else if (applicationGroup != null)
                    {
                        item.CreateAuthorization(this.currentOwnerSid, this.currentOwnerSidWhereDefined, applicationGroup.SID, WhereDefined.Application, defaultAuthorization, null, null);
                    }
                }
                //Windows Users & Groups Authorizations
                foreach (string sSid in (object[])azRole.Members)
                {
                    IAzManSid sid = new SqlAzManSID(sSid);
                    string memberName;
                    bool isLocal;
                    DirectoryServicesWebUtils.GetMemberInfo(sid.StringValue, out memberName, out isLocal);
                    item.CreateAuthorization(this.currentOwnerSid, this.currentOwnerSidWhereDefined, sid, isLocal ? WhereDefined.Local : WhereDefined.LDAP, defaultAuthorization, null, null);
                }
            }
            //Authorizations on Roles with Scopes
            // Same logic as the unscoped roles above, repeated per scope. Scoped roles are
            // created as application-level items: the scope is not recorded on the item.
            foreach (IAzScope azScope in azApplication.Scopes)
            {
                IAzRoles azRolesWithScopes = azScope.Roles;
                foreach (IAzRole azRole in azRolesWithScopes)
                {
                    IAzManItem item;
                    try
                    {
                        item = application.GetItem(azRole.Name);
                    }
                    catch (SqlAzManException)
                    {
                        item = null;
                    }
                    if (item == null)
                    {
                        item = application.CreateItem(azRole.Name, azRole.Description, ItemType.Role);
                    }
                    //Store & Application Groups Authorizations
                    foreach (string member in (object[])azRole.AppMembers)
                    {
                        IAzManStoreGroup storeGroup;
                        try
                        {
                            storeGroup = application.Store.GetStoreGroup(member);
                        }
                        catch (SqlAzManException)
                        {
                            storeGroup = null;
                        }
                        IAzManApplicationGroup applicationGroup;
                        try
                        {
                            applicationGroup = application.GetApplicationGroup(member);
                        }
                        catch (SqlAzManException)
                        {
                            applicationGroup = null;
                        }
                        if (storeGroup != null)
                        {
                            item.CreateAuthorization(this.currentOwnerSid, this.currentOwnerSidWhereDefined, storeGroup.SID, WhereDefined.Store, defaultAuthorization, null, null);
                        }
                        else if (applicationGroup != null)
                        {
                            item.CreateAuthorization(this.currentOwnerSid, this.currentOwnerSidWhereDefined, applicationGroup.SID, WhereDefined.Application, defaultAuthorization, null, null);
                        }
                    }
                    //Windows Users & Groups Authorizations
                    foreach (string sSid in (object[])azRole.Members)
                    {
                        IAzManSid sid = new SqlAzManSID(sSid);
                        string memberName;
                        bool isLocal;
                        DirectoryServicesWebUtils.GetMemberInfo(sid.StringValue, out memberName, out isLocal);
                        item.CreateAuthorization(this.currentOwnerSid, this.currentOwnerSidWhereDefined, sid, isLocal ? WhereDefined.Local : WhereDefined.LDAP, defaultAuthorization, null, null);
                    }
                }
            }
            //try
            //{
            //    azstore.CloseApplication(azApplication.Name, 0);
            //}
            //catch
            //{
            //    //PorkAround: COM Is a mistery
            //}
        }
        #endregion Applications
        if (storage.TransactionInProgress)
        {
            storage.CommitTransaction();
        }
    }
    catch
    {
        // Any failure undoes the partially imported store, then propagates.
        if (storage.TransactionInProgress)
        {
            storage.RollBackTransaction();
        }
        throw;
    }
    finally
    {
        if (azstore != null)
        {
            System.Runtime.InteropServices.Marshal.ReleaseComObject(azstore);
            // No-op when the temp file was never written (path-based mode).
            File.Delete(tempFileName);
            azstore = null;
        }
    }
}
/// <devdoc>
/// Resolves <paramref name="applicationName"/> in the AzMan store at this.storeLocation (the
/// opened application is handed back through <paramref name="azApp"/>) and creates a client
/// context from the Windows token of <paramref name="identity"/>. Store access is serialized
/// on contextLock; the token step runs outside the lock.
/// </devdoc>
private IAzClientContext GetClientContext(WindowsIdentity identity, String applicationName, out IAzApplication azApp)
{
    IAzApplication openedApplication;
    lock (contextLock)
    {
        AzAuthorizationStoreClass authorizationStore = new AzAuthorizationStoreClass();
        authorizationStore.Initialize(0, this.storeLocation, null);
        openedApplication = authorizationStore.OpenApplication(applicationName, null);
    }
    azApp = openedApplication;

    // The interop call takes the raw token handle as UInt64 (IntPtr -> long -> ulong).
    ulong tokenHandle = (ulong)identity.Token.ToInt64();
    return openedApplication.InitializeClientContextFromToken(tokenHandle, null);
}
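/// <summary>
/// Initializes the WebExpense application's Authorization Manager objects: opens the policy
/// store at the path held in Application["STORE_PATH"], opens the application named in
/// Application["AZMAN_APP_NAME"] (both set in Global.asax.cs), and caches the two COM objects in
/// application state as "AZMAN_STORE" and "AZMAN_APP" for use by every later request.
/// </summary>
/// <returns>Always true; failures are reported by exception, not by the return value.</returns>
/// <exception cref="System.IO.FileNotFoundException">
/// The store URL does not resolve, or the store holds no application with the configured name.
/// </exception>
/// <exception cref="System.UnauthorizedAccessException">
/// The calling context is not allowed to open the store: it needs the Reader role on the AzMan
/// store (Admin if the application also writes to it).
/// </exception>
public static bool Initialize()
{
    HttpApplicationState appState = HttpContext.Current.Application;

    AzAuthorizationStoreClass azManStore = new AzAuthorizationStoreClass();
    // IAzAuthorizationStore.Initialize throws FileNotFoundException for a bad store URL and
    // UnauthorizedAccessException when the caller lacks access. Neither can be recovered from
    // here, so both propagate to the default handler (the former catch/rethrow blocks added nothing).
    azManStore.Initialize(0, (string)appState["STORE_PATH"], null);

    // The store object is shared by all requests for the lifetime of the application.
    appState["AZMAN_STORE"] = azManStore;

    // OpenApplication throws FileNotFoundException when no application of that name exists.
    IAzApplication azManApp = azManStore.OpenApplication((string)appState["AZMAN_APP_NAME"], null);
    appState["AZMAN_APP"] = azManApp;

    return true;
}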
/// <summary>
/// Copies the policy of the AzMan store at <paramref name="azManStorePath"/> (or of the uploaded
/// file in FileUpload1 when rbtStoreFile is checked) into a new NetSqlAzMan store named
/// <paramref name="netSqlAzManStoreName"/>: store groups and their members, then per application
/// its groups, tasks/roles/operations (with hierarchy), scopes, and role authorizations.
/// Everything runs inside one storage transaction that is rolled back if anything throws.
/// </summary>
/// <param name="azManStorePath">AzMan store URL; overwritten with an msxml:// path to the temp file in upload mode.</param>
/// <param name="netSqlAzManStoreName">Name of the NetSqlAzMan store to create.</param>
private void ImportFromAzMan(string azManStorePath, string netSqlAzManStoreName)
{
    Microsoft.Interop.Security.AzRoles.AzAuthorizationStore azstore = null;
    // Temp file used only in upload mode. Path.Combine throws ArgumentNullException if the
    // machine-level "temp" variable is unset; the GUID keeps the name unguessable.
    string tempFileName = Path.Combine(Environment.GetEnvironmentVariable("temp", EnvironmentVariableTarget.Machine), String.Format("AzMan{0}.xml", Guid.NewGuid()));
    try
    {
        this.storage.BeginTransaction(AzManIsolationLevel.ReadUncommitted);
        string storeDescription = String.Format("Store imported from AzMan Store:" + " ({0}) - {1}", azManStorePath, DateTime.Now.ToString());
        IAzManStore store = this.storage.CreateStore(netSqlAzManStoreName, storeDescription);
        azstore = new AzAuthorizationStoreClass();
        if (this.rbtStoreFile.Checked)
        {
            // The uploaded content is written to the temp directory and then parsed by the AzMan
            // runtime as an XML store; the file is deleted in the finally block.
            this.FileUpload1.SaveAs(tempFileName);
            azManStorePath = String.Format("msxml://{0}", tempFileName);
        }
        // Flag 2: presumably AZ_AZSTORE_FLAG_MANAGE_STORE_ONLY — confirm against the AzRoles constants.
        azstore.Initialize(2, azManStorePath, null);
        #region Store Groups
        //Store Groups
        // First pass creates every store group so that the second pass can resolve
        // group-to-group memberships by name.
        foreach (IAzApplicationGroup azStoreGroup in azstore.ApplicationGroups)
        {
            //Store Groups Definition
            if (azStoreGroup.Type == (int)tagAZ_PROP_CONSTANTS.AZ_GROUPTYPE_BASIC)
            {
                //Basic
                store.CreateStoreGroup(SqlAzManSID.NewSqlAzManSid(), azStoreGroup.Name, azStoreGroup.Description, String.Empty, GroupType.Basic);
            }
            else if (azStoreGroup.Type == (int)tagAZ_PROP_CONSTANTS.AZ_GROUPTYPE_LDAP_QUERY)
            {
                //LDap
                store.CreateStoreGroup(SqlAzManSID.NewSqlAzManSid(), azStoreGroup.Name, azStoreGroup.Description, azStoreGroup.LdapQuery, GroupType.LDapQuery);
            }
        }
        //Store Groups Members
        foreach (IAzApplicationGroup azStoreGroup in azstore.ApplicationGroups)
        {
            if (azStoreGroup.Type == (int)tagAZ_PROP_CONSTANTS.AZ_GROUPTYPE_BASIC)
            {
                //Basic
                IAzManStoreGroup storeGroup = store.GetStoreGroup(azStoreGroup.Name);
                //Store Group Members - Members Store Group
                object[] azStoreGroupMembers = azStoreGroup.AppMembers as object[];
                if (azStoreGroupMembers != null)
                {
                    foreach (string azStoreGroupMember in azStoreGroupMembers)
                    {
                        IAzManStoreGroup member = store.GetStoreGroup(azStoreGroupMember);
                        storeGroup.CreateStoreGroupMember(member.SID, WhereDefined.Store, true);
                    }
                }
                //Store Group Non-Members - Non-Members Store Group
                object[] azStoreGroupNonMembers = azStoreGroup.AppNonMembers as object[];
                if (azStoreGroupNonMembers != null)
                {
                    foreach (string azStoreGroupNonMember in azStoreGroupNonMembers)
                    {
                        IAzManStoreGroup nonMember = store.GetStoreGroup(azStoreGroupNonMember);
                        storeGroup.CreateStoreGroupMember(nonMember.SID, WhereDefined.Store, false);
                    }
                }
                //Store Group Members - Windows NT Account
                // Windows SIDs are classified as Local or LDAP by DirectoryServicesWebUtils.GetMemberInfo;
                // the resolved name is not used here.
                object[] azStoreGroupWindowsMembers = azStoreGroup.Members as object[];
                if (azStoreGroupWindowsMembers != null)
                {
                    foreach (string azStoreWindowsMember in azStoreGroupWindowsMembers)
                    {
                        IAzManSid sid = new SqlAzManSID(azStoreWindowsMember);
                        string memberName;
                        bool isLocal;
                        DirectoryServicesWebUtils.GetMemberInfo(sid.StringValue, out memberName, out isLocal);
                        storeGroup.CreateStoreGroupMember(sid, isLocal ? WhereDefined.Local : WhereDefined.LDAP, true);
                    }
                }
                //Store Group NonMembers - Windows NT Account
                object[] azStoreGroupWindowsNonMembers = azStoreGroup.NonMembers as object[];
                if (azStoreGroupWindowsNonMembers != null)
                {
                    foreach (string azStoreWindowsNonMember in azStoreGroupWindowsNonMembers)
                    {
                        IAzManSid sid = new SqlAzManSID(azStoreWindowsNonMember);
                        string memberName;
                        bool isLocal;
                        DirectoryServicesWebUtils.GetMemberInfo(sid.StringValue, out memberName, out isLocal);
                        storeGroup.CreateStoreGroupMember(sid, isLocal ? WhereDefined.Local : WhereDefined.LDAP, false);
                    }
                }
            }
        }
        #endregion Store Groups
        #region Applications
        //Applications
        foreach (IAzApplication azApplication in azstore.Applications)
        {
            IAzManApplication application = store.CreateApplication(azApplication.Name, azApplication.Description);
            #region Application Groups
            //Store Groups
            foreach (IAzApplicationGroup azApplicationGroup in azApplication.ApplicationGroups)
            {
                //Application Groups Definition
                if (azApplicationGroup.Type == (int)tagAZ_PROP_CONSTANTS.AZ_GROUPTYPE_BASIC)
                {
                    //Basic
                    application.CreateApplicationGroup(SqlAzManSID.NewSqlAzManSid(), azApplicationGroup.Name, azApplicationGroup.Description, String.Empty, GroupType.Basic);
                }
                else if (azApplicationGroup.Type == (int)tagAZ_PROP_CONSTANTS.AZ_GROUPTYPE_LDAP_QUERY)
                {
                    //LDap
                    application.CreateApplicationGroup(SqlAzManSID.NewSqlAzManSid(), azApplicationGroup.Name, azApplicationGroup.Description, azApplicationGroup.LdapQuery, GroupType.LDapQuery);
                }
            }
            //Application Groups Members
            foreach (IAzApplicationGroup azApplicationGroup in azApplication.ApplicationGroups)
            {
                if (azApplicationGroup.Type == (int)tagAZ_PROP_CONSTANTS.AZ_GROUPTYPE_BASIC)
                {
                    //Basic
                    IAzManApplicationGroup applicationGroup = application.GetApplicationGroup(azApplicationGroup.Name);
                    //Application Group Members - Members Group
                    // A member name may refer to a store group or an application group; the
                    // store group wins when both lookups succeed.
                    object[] azStoreGroupMembers = azApplicationGroup.AppMembers as object[];
                    if (azStoreGroupMembers != null)
                    {
                        foreach (string azGroupMember in azStoreGroupMembers)
                        {
                            IAzManStoreGroup storemember;
                            try
                            {
                                storemember = store.GetStoreGroup(azGroupMember);
                            }
                            catch (SqlAzManException)
                            {
                                storemember = null;
                            }
                            IAzManApplicationGroup appmember;
                            try
                            {
                                appmember = application.GetApplicationGroup(azGroupMember);
                            }
                            catch (SqlAzManException)
                            {
                                appmember = null;
                            }
                            // NOTE(review): if both lookups threw, appmember is null in the else branch and
                            // .SID raises NullReferenceException, which aborts the import via the catch below.
                            if (storemember != null)
                                applicationGroup.CreateApplicationGroupMember(storemember.SID, WhereDefined.Store, true);
                            else
                                applicationGroup.CreateApplicationGroupMember(appmember.SID, WhereDefined.Application, true);
                        }
                    }
                    //Application Group Non-Members - Non-Members Group
                    object[] azStoreGroupNonMembers = azApplicationGroup.AppNonMembers as object[];
                    if (azStoreGroupNonMembers != null)
                    {
                        foreach (string azGroupNonMember in azStoreGroupNonMembers)
                        {
                            IAzManStoreGroup storenonMember;
                            try
                            {
                                storenonMember = store.GetStoreGroup(azGroupNonMember);
                            }
                            catch (SqlAzManException)
                            {
                                storenonMember = null;
                            }
                            IAzManApplicationGroup appnonMember;
                            try
                            {
                                appnonMember = application.GetApplicationGroup(azGroupNonMember);
                            }
                            catch (SqlAzManException)
                            {
                                appnonMember = null;
                            }
                            // NOTE(review): same null-dereference possibility as for appmember above.
                            if (storenonMember != null)
                                applicationGroup.CreateApplicationGroupMember(storenonMember.SID, WhereDefined.Store, false);
                            else
                                applicationGroup.CreateApplicationGroupMember(appnonMember.SID, WhereDefined.Application, false);
                        }
                    }
                    //Application Group Members - Windows NT Account
                    object[] azApplicationGroupWindowsMembers = azApplicationGroup.Members as object[];
                    if (azApplicationGroupWindowsMembers != null)
                    {
                        foreach (string azApplicationWindowsMember in azApplicationGroupWindowsMembers)
                        {
                            IAzManSid sid = new SqlAzManSID(azApplicationWindowsMember);
                            string memberName;
                            bool isLocal;
                            DirectoryServicesWebUtils.GetMemberInfo(sid.StringValue, out memberName, out isLocal);
                            applicationGroup.CreateApplicationGroupMember(sid, isLocal ? WhereDefined.Local : WhereDefined.LDAP, true);
                        }
                    }
                    //Application Group NonMembers - Windows NT Account
                    object[] azApplicationGroupWindowsNonMembers = azApplicationGroup.NonMembers as object[];
                    if (azApplicationGroupWindowsNonMembers != null)
                    {
                        foreach (string azApplicationWindowsNonMember in azApplicationGroupWindowsNonMembers)
                        {
                            IAzManSid sid = new SqlAzManSID(azApplicationWindowsNonMember);
                            string memberName;
                            bool isLocal;
                            DirectoryServicesWebUtils.GetMemberInfo(sid.StringValue, out memberName, out isLocal);
                            applicationGroup.CreateApplicationGroupMember(sid, isLocal ? WhereDefined.Local : WhereDefined.LDAP, false);
                        }
                    }
                }
            }
            #endregion Application Groups
            //Without Scopes
            // AzMan tasks flagged IsRoleDefinition become Role items, the others Task items.
            IAzTasks tasks = azApplication.Tasks as IAzTasks;
            if (tasks != null)
            {
                foreach (IAzTask azTask in tasks)
                {
                    if (azTask.IsRoleDefinition == 1)
                    {
                        IAzManItem item = application.CreateItem(azTask.Name, azTask.Description, ItemType.Role);
                    }
                    else
                    {
                        IAzManItem item = application.CreateItem(azTask.Name, azTask.Description, ItemType.Task);
                    }
                }
            }
            IAzOperations operations = azApplication.Operations as IAzOperations;
            if (operations != null)
            {
                foreach (IAzOperation azOperation in operations)
                {
                    application.CreateItem(azOperation.Name, azOperation.Description, ItemType.Operation);
                }
            }
            //Build Item Hierarchy
            // Done after all items exist so SetHirearchy can link children by name.
            if (tasks != null)
            {
                foreach (IAzTask azTask in tasks)
                {
                    this.SetHirearchy(null, azApplication, azTask.Name, application);
                }
            }
            //Scopes
            foreach (IAzScope azScope in azApplication.Scopes)
            {
                // Return value discarded; presumably opening the scope is required before its
                // Tasks/Roles are readable — confirm.
                azApplication.OpenScope(azScope.Name, null);
                IAzTasks tasksOfScope = azScope.Tasks as IAzTasks;
                if (tasksOfScope != null)
                {
                    foreach (IAzTask azTask in tasksOfScope)
                    {
                        if (azTask.IsRoleDefinition == 1)
                        {
                            IAzManItem item = application.CreateItem(azTask.Name, azTask.Description, ItemType.Role);
                        }
                        else
                        {
                            IAzManItem item = application.CreateItem(azTask.Name, azTask.Description, ItemType.Task);
                        }
                    }
                }
                //Build Item Hierarchy
                if (tasksOfScope != null)
                {
                    foreach (IAzTask azTask in tasksOfScope)
                    {
                        this.SetHirearchy(azScope, azApplication, azTask.Name, application);
                    }
                }
            }
            //Authorizations on Roles without Scopes
            // Every imported member is granted AllowWithDelegation; this is a policy decision of
            // the import, not a value read from the source store. The owner of each authorization
            // is the current user (currentOwnerSid).
            AuthorizationType defaultAuthorization = AuthorizationType.AllowWithDelegation;
            IAzRoles azRoles = azApplication.Roles;
            foreach (IAzRole azRole in azRoles)
            {
                IAzManItem item;
                try
                {
                    item = application.GetItem(azRole.Name);
                }
                catch (SqlAzManException)
                {
                    item = null;
                }
                if (item == null)
                    item = application.CreateItem(azRole.Name, azRole.Description, ItemType.Role);
                //Store & Application Groups Authorizations
                // Direct cast here (unlike the "as object[]" + null check used for groups above):
                // a null AppMembers would make this foreach throw NullReferenceException.
                foreach (string member in (object[])azRole.AppMembers)
                {
                    IAzManStoreGroup storeGroup;
                    try
                    {
                        storeGroup = application.Store.GetStoreGroup(member);
                    }
                    catch (SqlAzManException)
                    {
                        storeGroup = null;
                    }
                    IAzManApplicationGroup applicationGroup;
                    try
                    {
                        applicationGroup = application.GetApplicationGroup(member);
                    }
                    catch (SqlAzManException)
                    {
                        applicationGroup = null;
                    }
                    // A name matching neither kind of group is silently skipped here.
                    if (storeGroup != null)
                        item.CreateAuthorization(this.currentOwnerSid, this.currentOwnerSidWhereDefined, storeGroup.SID, WhereDefined.Store, defaultAuthorization, null, null);
                    else if (applicationGroup != null)
                        item.CreateAuthorization(this.currentOwnerSid, this.currentOwnerSidWhereDefined, applicationGroup.SID, WhereDefined.Application, defaultAuthorization, null, null);
                }
                //Windows Users & Groups Authorizations
                foreach (string sSid in (object[])azRole.Members)
                {
                    IAzManSid sid = new SqlAzManSID(sSid);
                    string memberName;
                    bool isLocal;
                    DirectoryServicesWebUtils.GetMemberInfo(sid.StringValue, out memberName, out isLocal);
                    item.CreateAuthorization(this.currentOwnerSid, this.currentOwnerSidWhereDefined, sid, isLocal ? WhereDefined.Local : WhereDefined.LDAP, defaultAuthorization, null, null);
                }
            }
            //Authorizations on Roles with Scopes
            // Same logic as the unscoped roles above, repeated per scope. Scoped roles are
            // created as application-level items: the scope is not recorded on the item.
            foreach (IAzScope azScope in azApplication.Scopes)
            {
                IAzRoles azRolesWithScopes = azScope.Roles;
                foreach (IAzRole azRole in azRolesWithScopes)
                {
                    IAzManItem item;
                    try
                    {
                        item = application.GetItem(azRole.Name);
                    }
                    catch (SqlAzManException)
                    {
                        item = null;
                    }
                    if (item == null)
                        item = application.CreateItem(azRole.Name, azRole.Description, ItemType.Role);
                    //Store & Application Groups Authorizations
                    foreach (string member in (object[])azRole.AppMembers)
                    {
                        IAzManStoreGroup storeGroup;
                        try
                        {
                            storeGroup = application.Store.GetStoreGroup(member);
                        }
                        catch (SqlAzManException)
                        {
                            storeGroup = null;
                        }
                        IAzManApplicationGroup applicationGroup;
                        try
                        {
                            applicationGroup = application.GetApplicationGroup(member);
                        }
                        catch (SqlAzManException)
                        {
                            applicationGroup = null;
                        }
                        if (storeGroup != null)
                            item.CreateAuthorization(this.currentOwnerSid, this.currentOwnerSidWhereDefined, storeGroup.SID, WhereDefined.Store, defaultAuthorization, null, null);
                        else if (applicationGroup != null)
                            item.CreateAuthorization(this.currentOwnerSid, this.currentOwnerSidWhereDefined, applicationGroup.SID, WhereDefined.Application, defaultAuthorization, null, null);
                    }
                    //Windows Users & Groups Authorizations
                    foreach (string sSid in (object[])azRole.Members)
                    {
                        IAzManSid sid = new SqlAzManSID(sSid);
                        string memberName;
                        bool isLocal;
                        DirectoryServicesWebUtils.GetMemberInfo(sid.StringValue, out memberName, out isLocal);
                        item.CreateAuthorization(this.currentOwnerSid, this.currentOwnerSidWhereDefined, sid, isLocal ? WhereDefined.Local : WhereDefined.LDAP, defaultAuthorization, null, null);
                    }
                }
            }
            //try
            //{
            //    azstore.CloseApplication(azApplication.Name, 0);
            //}
            //catch
            //{
            //    //PorkAround: COM Is a mistery
            //}
        }
        #endregion Applications
        if (storage.TransactionInProgress)
            storage.CommitTransaction();
    }
    catch
    {
        // Any failure undoes the partially imported store, then propagates.
        if (storage.TransactionInProgress)
        {
            storage.RollBackTransaction();
        }
        throw;
    }
    finally
    {
        if (azstore != null)
        {
            System.Runtime.InteropServices.Marshal.ReleaseComObject(azstore);
            // No-op when the temp file was never written (path-based mode).
            File.Delete(tempFileName);
            azstore = null;
        }
    }
}
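/// <devdoc>
/// Gets the client context for the call based on the identity, system and parameters.
/// </devdoc>
/// <param name="data">Provider configuration; only its <c>StoreLocation</c> is read here.</param>
/// <param name="identity">Caller identity. Must be a <see cref="WindowsIdentity"/>, because the
/// AzMan client context is built from its logon token.</param>
/// <param name="applicationName">Name of the AzMan application to open in the store.</param>
/// <param name="azApp">Receives the opened AzMan application.</param>
/// <returns>A client context bound to the caller's token; never null.</returns>
/// <exception cref="ArgumentNullException"><paramref name="data"/> or <paramref name="identity"/> is null.</exception>
/// <exception cref="ArgumentException"><paramref name="identity"/> is not a <see cref="WindowsIdentity"/>.</exception>
/// <exception cref="InvalidOperationException">The application or the client context could not be obtained.</exception>
private IAzClientContext GetClientContext(AzManAuthorizationProviderData data, IIdentity identity, String applicationName, out IAzApplication azApp)
{
    if (data == null)
    {
        throw new ArgumentNullException("data");
    }
    if (identity == null)
    {
        throw new ArgumentNullException("identity");
    }
    WindowsIdentity winIdentity = identity as WindowsIdentity;
    if (winIdentity == null)
    {
        throw new ArgumentException(SR.WindowsIdentityOnly);
    }

    AzAuthorizationStoreClass store = new AzAuthorizationStoreClass();
    store.Initialize(0, data.StoreLocation, null);
    azApp = store.OpenApplication(applicationName, null);
    // Debug.Assert would be compiled out of release builds and the caller would then fail
    // later with a NullReferenceException; fail at the source with a meaningful message instead.
    if (azApp == null)
    {
        throw new InvalidOperationException("could not open the application");
    }

    ulong tokenHandle = (ulong) winIdentity.Token.ToInt64();
    IAzClientContext clientCtx = azApp.InitializeClientContextFromToken(tokenHandle, null);
    if (clientCtx == null)
    {
        throw new InvalidOperationException("could not get the context");
    }
    return clientCtx;
}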
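/// <summary>
/// Initializes the WebExpense application to use the
/// authorization policy and settings defined in Global.asax.cs
/// </summary>
/// <remarks>
/// Reads the store path from the application variable <c>STORE_PATH</c> and the
/// application name from <c>AZMAN_APP_NAME</c>, opens both, and caches the resulting
/// COM objects in the <c>AZMAN_STORE</c> and <c>AZMAN_APP</c> application variables
/// (application state, shared by all requests — not per-session state).
/// </remarks>
/// <returns><c>true</c> when the store and the application were opened. Failures are
/// reported by throwing, never by the return value.</returns>
/// <exception cref="InvalidOperationException">There is no current HTTP context, or
/// <c>STORE_PATH</c> / <c>AZMAN_APP_NAME</c> is not set.</exception>
/// <exception cref="System.IO.FileNotFoundException">The store URL is bad, or no application
/// with the configured name exists in the store.</exception>
/// <exception cref="System.UnauthorizedAccessException">The calling context is not in the
/// Reader (or Admin, if the app needs to write) role on the AzMan store.</exception>
public static bool Initialize()
{
    HttpContext context = HttpContext.Current;
    if (context == null)
    {
        // Application state is only reachable from inside a request or application event.
        throw new InvalidOperationException("Initialize requires a current HttpContext.");
    }

    // Both settings are initially specified in Global.asax.cs; fail early with a clear
    // message instead of handing a null path/name to the COM layer.
    string storePath = context.Application["STORE_PATH"] as string;
    if (string.IsNullOrEmpty(storePath))
    {
        throw new InvalidOperationException("Application variable STORE_PATH is not set.");
    }
    string appName = context.Application["AZMAN_APP_NAME"] as string;
    if (string.IsNullOrEmpty(appName))
    {
        throw new InvalidOperationException("Application variable AZMAN_APP_NAME is not set.");
    }

    //
    // Open the Authorization Manager policy store.
    // Initialize fails with FileNotFoundException if the store URL is bad, and with
    // UnauthorizedAccessException if the calling context is not in the Reader (or Admin,
    // if the app needs to write) role on the store. Neither can be recovered from here,
    // so they are left to propagate to the default handler (a catch that only rethrows
    // added nothing).
    //
    AzAuthorizationStoreClass azManStore = new AzAuthorizationStoreClass();
    azManStore.Initialize(0, storePath, null);

    //
    // Cache the policy store in application state
    //
    context.Application["AZMAN_STORE"] = azManStore;

    //
    // Open the application. OpenApplication fails with FileNotFoundException when the
    // application name is not correct (no corresponding application in the store);
    // again left to propagate.
    //
    IAzApplication azManApp = azManStore.OpenApplication(appName, null);

    //
    // Cache the application in application state
    //
    context.Application["AZMAN_APP"] = azManApp;

    //
    // Initialization succeeded
    //
    return true;
}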
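/// <summary>
/// Test helper: checks whether the logged-on Windows user may perform the operation named
/// in <c>txtOperation</c> within the "Application Test" AzMan application.
/// </summary>
/// <returns><c>true</c> when AccessCheck grants every requested operation; <c>false</c>
/// as soon as any one of them is denied.</returns>
/// <exception cref="InvalidOperationException">The request carries no Windows logon identity,
/// so there is no token to build a client context from.</exception>
private bool AzManTestCheckAccess()
{
    WindowsIdentity identity = this.Request.LogonUserIdentity;
    if (identity == null)
    {
        // Without a logon token there is nothing to check against; fail closed and loudly
        // rather than with a NullReferenceException further down.
        throw new InvalidOperationException("The request has no Windows logon identity.");
    }
    string applicationName = "Application Test";
    string[] operations = new string[] { this.txtOperation.Text };

    AzAuthorizationStoreClass store = new AzAuthorizationStoreClass();
    try
    {
        store.Initialize(0, AzManStorePath, null);
        IAzApplication azApp = store.OpenApplication(applicationName, null);
        IAzClientContext clientCtx = azApp.InitializeClientContextFromToken((UInt64)identity.Token.ToInt64(), null);

        // Build the business-rule parameter name/value vectors: none are supplied here,
        // so both stay empty.
        Object[] names = new Object[0];
        Object[] values = new Object[0];

        // Resolve each operation name to its numeric ID (OpenOperation fails for an unknown name).
        Object[] operationIds = new Object[operations.Length];
        for (Int32 index = 0; index < operations.Length; index++)
        {
            operationIds[index] = azApp.OpenOperation(operations[index], null).OperationID;
        }

        // A single null scope entry: the check is evaluated against application-level policy
        // rather than a named scope. NOTE(review): confirm against the AzMan docs before adding scopes.
        Object[] internalScopes = new Object[1];
        Object[] result = (Object[])clientCtx.AccessCheck("AuditString", internalScopes, operationIds, names, values, null, null, null);

        // One entry per requested operation; 0 means granted and any other value is a failure
        // code (presumably access denied). All operations must be granted for the check to pass.
        foreach (Int32 accessAllowed in result)
        {
            if (accessAllowed != 0)
            {
                return false;
            }
        }
        return true;
    }
    finally
    {
        // Release the store's COM wrapper deterministically instead of waiting for the GC.
        System.Runtime.InteropServices.Marshal.ReleaseComObject(store);
    }
}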