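/// <summary>
/// Filters <see cref="Routes"/> down to the routes the given connection is authorized to use.
/// </summary>
/// <param name="authenticateConnection">The authenticated state of the caller's connection; must not be null.</param>
/// <param name="db">
/// Optional database name used when checking database-scoped routes for an <c>Allowed</c> connection.
/// When null, database routes are left out of the result for such connections.
/// </param>
/// <returns>A lazily evaluated sequence of the routes the connection may use.</returns>
/// <exception cref="ArgumentNullException">Thrown when <paramref name="authenticateConnection"/> is null.</exception>
/// <remarks>
/// This is a listing aid, not the enforcement point; <see cref="CanAccessRoute"/> is what gates a request.
/// Anything not explicitly matched below is treated as not authorized.
/// </remarks>
public static IEnumerable<RouteInformation> GetAuthorizedRoutes(RavenServer.AuthenticateConnection authenticateConnection, string db = null)
{
    // Fail fast instead of surfacing a NullReferenceException on first enumeration.
    if (authenticateConnection == null)
        throw new ArgumentNullException(nameof(authenticateConnection));

    return Routes.Where(route =>
    {
        switch (authenticateConnection.Status)
        {
            case RavenServer.AuthenticationStatus.ClusterAdmin:
                // Cluster admins see everything.
                return true;

            case RavenServer.AuthenticationStatus.Operator:
                // Operators see everything except cluster-admin-only routes.
                return route.AuthorizationStatus != AuthorizationStatus.ClusterAdmin;

            case RavenServer.AuthenticationStatus.Allowed:
                // Regular users never get operator or cluster-admin routes.
                if (route.AuthorizationStatus == AuthorizationStatus.ClusterAdmin ||
                    route.AuthorizationStatus == AuthorizationStatus.Operator)
                    return false;

                // Database routes require a database to check against, and the connection must
                // have access to it (as admin when the route demands it).
                // NOTE(review): CanAccessRoute also passes the route's write requirement to CanAccess;
                // confirm whether this listing should mirror that so it does not advertise routes a
                // read-only certificate would be denied at enforcement time.
                if (route.TypeOfRoute == RouteInformation.RouteType.Databases)
                {
                    if (db == null)
                        return false;

                    var requiresAdmin = route.AuthorizationStatus == AuthorizationStatus.DatabaseAdmin;
                    return authenticateConnection.CanAccess(db, requiresAdmin);
                }

                return true;

            default:
                // Unauthenticated or unrecognized connections only get the anonymous routes.
                return route.AuthorizationStatus == AuthorizationStatus.UnauthenticatedClients;
        }
    });
}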
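/// <summary>
/// Decides whether the current request may reach <paramref name="route"/>, based on the
/// authorization level the route requires and the authentication status of the connection.
/// Every combination that is not explicitly permitted below yields false (default deny).
/// </summary>
/// <param name="route">The route being requested; must not be null.</param>
/// <param name="context">The current HTTP context; its request path is consulted only for <see cref="AuthorizationStatus.UnauthenticatedClients"/> routes.</param>
/// <param name="databaseName">The database the request targets, or null when the request is not database-scoped.</param>
/// <param name="feature">The connection's authentication state, or null when none was established.</param>
/// <param name="authenticationStatus">Receives the effective authentication status; <c>None</c> when <paramref name="feature"/> is null.</param>
/// <returns>True when access is permitted; otherwise false.</returns>
/// <exception cref="ArgumentNullException">Thrown when <paramref name="route"/> is null.</exception>
/// <exception cref="ArgumentOutOfRangeException">Thrown when <paramref name="authenticationStatus"/> holds a value this method does not handle.</exception>
internal bool CanAccessRoute(RouteInformation route, HttpContext context, string databaseName, RavenServer.AuthenticateConnection feature, out RavenServer.AuthenticationStatus authenticationStatus)
{
    if (route == null)
        throw new ArgumentNullException(nameof(route));

    // A missing feature means the connection was never authenticated.
    authenticationStatus = feature?.Status ?? RavenServer.AuthenticationStatus.None;

    switch (route.AuthorizationStatus)
    {
        case AuthorizationStatus.UnauthenticatedClients:
            // Anonymous routes are open, with one exception: the studio entry page is refused to
            // connections that did not present a recognized, valid certificate.
            var wantsStudioMainPage = context.Request.Path == "/studio/index.html";
            if (wantsStudioMainPage)
            {
                switch (authenticationStatus)
                {
                    case RavenServer.AuthenticationStatus.NoCertificateProvided:
                    case RavenServer.AuthenticationStatus.Expired:
                    case RavenServer.AuthenticationStatus.NotYetValid:
                    case RavenServer.AuthenticationStatus.None:
                    case RavenServer.AuthenticationStatus.UnfamiliarCertificate:
                    case RavenServer.AuthenticationStatus.UnfamiliarIssuer:
                        return false;
                }
            }
            return true;

        case AuthorizationStatus.ClusterAdmin:
        case AuthorizationStatus.Operator:
        case AuthorizationStatus.ValidUser:
        case AuthorizationStatus.DatabaseAdmin:
        case AuthorizationStatus.RestrictedAccess:
            switch (authenticationStatus)
            {
                case RavenServer.AuthenticationStatus.NoCertificateProvided:
                case RavenServer.AuthenticationStatus.Expired:
                case RavenServer.AuthenticationStatus.NotYetValid:
                case RavenServer.AuthenticationStatus.None:
                    return false;

                case RavenServer.AuthenticationStatus.UnfamiliarCertificate:
                case RavenServer.AuthenticationStatus.UnfamiliarIssuer:
                    // An unfamiliar certificate may reach RestrictedAccess endpoints only; those
                    // endpoints authorize the certificate themselves.
                    return route.AuthorizationStatus == AuthorizationStatus.RestrictedAccess;

                case RavenServer.AuthenticationStatus.Allowed:
                    // A regular user never gets operator or cluster-admin routes.
                    if (route.AuthorizationStatus == AuthorizationStatus.Operator ||
                        route.AuthorizationStatus == AuthorizationStatus.ClusterAdmin)
                        return false;

                    // Requests that are not database-scoped are permitted outright.
                    if (databaseName == null)
                        return true;

                    // Database-scoped requests must pass the per-database check, which also
                    // enforces the route's admin and write requirements. feature is non-null here
                    // because a null feature maps to None above.
                    var requiresAdmin = route.AuthorizationStatus == AuthorizationStatus.DatabaseAdmin;
                    var requiresWrite = route.EndpointType == EndpointType.Write;
                    return feature.CanAccess(databaseName, requiresAdmin, requiresWrite);

                case RavenServer.AuthenticationStatus.Operator:
                    // Operators get everything except cluster-admin-only routes.
                    return route.AuthorizationStatus != AuthorizationStatus.ClusterAdmin;

                case RavenServer.AuthenticationStatus.ClusterAdmin:
                    return true;

                default:
                    // Name the offending value so a new enum member is easy to spot in logs.
                    throw new ArgumentOutOfRangeException(nameof(authenticationStatus), authenticationStatus, "Unhandled authentication status.");
            }

        default:
            ThrowUnknownAuthStatus(route);
            return false; // never hit
    }
}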