public async Task <PermissionResolutionResult> Resolve(PermissionResolutionRequest resolutionRequest)
{
var grain = resolutionRequest.Grain;
var securableItem = resolutionRequest.SecurableItem;
var groupNames = resolutionRequest.UserGroups.ToList();
var roles = (await _roleService.GetRoles(grain, securableItem)).ToList();
var allowedPermissions = new List <ResolvedPermission>();
var deniedPermissions = new List <ResolvedPermission>();
foreach (var role in roles)
{
if (BypassRoleEvaluation(role, groupNames, resolutionRequest))
{
continue;
}
var resolvedPermissions = role.Permissions
.Where(
p => IsActiveGrainAndSecurableItemMatch(p, grain, securableItem))
.Select(p => p.ToResolvedPermission(ResolvedPermission.Allow))
.ToList();
AddResolvedPermissions(allowedPermissions, resolvedPermissions, role);
resolvedPermissions = role.DeniedPermissions
.Select(p =>
p.ToResolvedPermission(ResolvedPermission.Deny))
.ToList();
AddResolvedPermissions(deniedPermissions, resolvedPermissions, role);
// add permissions from parent roles
var ancestorRoles = _roleService.GetRoleHierarchy(role, roles);
foreach (var ancestorRole in ancestorRoles)
{
resolvedPermissions = ancestorRole.Permissions
.Where(
p => IsActiveGrainAndSecurableItemMatch(p, grain, securableItem))
.Select(p => p.ToResolvedPermission(ResolvedPermission.Allow))
.ToList();
AddResolvedPermissions(allowedPermissions, resolvedPermissions, ancestorRole);
resolvedPermissions = ancestorRole.DeniedPermissions
.Select(p =>
p.ToResolvedPermission(ResolvedPermission.Deny))
.ToList();
AddResolvedPermissions(deniedPermissions, resolvedPermissions, ancestorRole);
}
}
return(new PermissionResolutionResult
{
AllowedPermissions = allowedPermissions.Distinct(),
DeniedPermissions = deniedPermissions.Distinct()
});
}
public async Task <PermissionResolutionResult> Resolve(PermissionResolutionRequest resolutionRequest)
{
var subjectId = resolutionRequest.SubjectId;
var identityProvider = resolutionRequest.IdentityProvider;
if (string.IsNullOrWhiteSpace(subjectId) || string.IsNullOrWhiteSpace(identityProvider))
{
_logger.Debug($"Attempted to resolve granular permissions without a complete user ID (subjectId = {subjectId}, identityProvider = {identityProvider}");
return(new PermissionResolutionResult());
}
try
{
var granularPermissions =
await _permissionService.GetUserGranularPermissions($"{subjectId}:{identityProvider}");
granularPermissions = await HydrateGranularPermissionDocuments(granularPermissions, resolutionRequest);
return(new PermissionResolutionResult
{
AllowedPermissions = granularPermissions.AdditionalPermissions?.Select(p => p.ToResolvedPermission(ResolvedPermission.Allow)),
DeniedPermissions = granularPermissions.DeniedPermissions?.Select(p => p.ToResolvedPermission(ResolvedPermission.Deny))
});
}
catch (NotFoundException <GranularPermission> )
{
_logger.Debug($"No granular permissions found for user {subjectId}:{identityProvider}");
}
return(new PermissionResolutionResult());
}
public async Task <PermissionResolutionResult> Resolve(PermissionResolutionRequest resolutionRequest)
{
var allowedPermissions = new List <ResolvedPermission>();
var deniedPermissions = new List <ResolvedPermission>();
foreach (var permissionResolverService in PermissionResolverServices)
{
var permissionResolutionResult = await permissionResolverService.Resolve(resolutionRequest);
allowedPermissions.AddRange(permissionResolutionResult.AllowedPermissions);
deniedPermissions.AddRange(permissionResolutionResult.DeniedPermissions);
}
return(new PermissionResolutionResult
{
AllowedPermissions = allowedPermissions,
DeniedPermissions = deniedPermissions
});
}
public async Task <PermissionResolutionResult> Resolve(PermissionResolutionRequest resolutionRequest)
{
if (!resolutionRequest.IncludeSharedPermissions)
{
return(new PermissionResolutionResult());
}
var sharedGrains = await _grainService.GetSharedGrains();
var permissionResolutionResult = new PermissionResolutionResult();
foreach (var sharedGrain in sharedGrains)
{
foreach (var securableItem in sharedGrain.SecurableItems)
{
// the current instance of SharedGrainPermissionResolverService will be in the _permissionResolverServices
// collection, but because the PermissionResolutionRequest is being created with IncludeSharedPermissions = false,
// infinite recursion will not happen
foreach (var permissionResolverService in _permissionResolverServices)
{
var result = await permissionResolverService.Resolve(new PermissionResolutionRequest
{
Grain = sharedGrain.Name,
SecurableItem = securableItem.Name,
IdentityProvider = resolutionRequest.IdentityProvider,
SubjectId = resolutionRequest.SubjectId,
UserGroups = resolutionRequest.UserGroups,
IncludeSharedPermissions = false
});
permissionResolutionResult.AllowedPermissions =
permissionResolutionResult.AllowedPermissions.Concat(result.AllowedPermissions);
permissionResolutionResult.DeniedPermissions =
permissionResolutionResult.DeniedPermissions.Concat(result.DeniedPermissions);
}
}
}
return(permissionResolutionResult);
}
private static bool BypassRoleEvaluation(Role role, List <string> groupNames, PermissionResolutionRequest permissionResolutionRequest)
{
return(!(role.Groups.Any(g => groupNames.Contains(g, StringComparer.OrdinalIgnoreCase)) || role.Users.Any(
u => u.SubjectId.Equals(permissionResolutionRequest.SubjectId,
StringComparison.OrdinalIgnoreCase) &&
u.IdentityProvider.Equals(permissionResolutionRequest.IdentityProvider,
StringComparison.OrdinalIgnoreCase))) || role.IsDeleted ||
role.Permissions == null || role.Permissions.Count == 0);
}
private static bool BypassRoleEvaluation(Role role, IReadOnlyCollection <Group> groups, PermissionResolutionRequest permissionResolutionRequest)
{
return(!(role.Groups.Any(g => groups.Select(g1 => g1.GroupIdentifier).Contains(g.GroupIdentifier, new GroupIdentifierComparer())) ||
role.Users.Any(u =>
u.SubjectId.Equals(permissionResolutionRequest.SubjectId, StringComparison.OrdinalIgnoreCase) &&
u.IdentityProvider.Equals(permissionResolutionRequest.IdentityProvider,
StringComparison.OrdinalIgnoreCase)) ||
role.IsDeleted ||
role.Permissions == null ||
role.Permissions.Count == 0));
}
private async Task <GranularPermission> HydrateGranularPermissionDocuments(GranularPermission granularPermissions, PermissionResolutionRequest resolutionRequest)
{
// retrieve all Permission documents that match the request's grain + securable item
var sourcePermissionDocuments =
(await _permissionService.GetPermissions(resolutionRequest.Grain, resolutionRequest.SecurableItem)).ToList();
granularPermissions.AdditionalPermissions =
sourcePermissionDocuments.Intersect(granularPermissions.AdditionalPermissions);
granularPermissions.DeniedPermissions =
sourcePermissionDocuments.Intersect(granularPermissions.DeniedPermissions);
return(granularPermissions);
}
