/// <summary> /// Get or create Cosmos permission (resource tokens) base on role (AD group) /// It will create Cosmos permision if does not exist /// </summary> /// <param name="rolePermission">The role permission record</param> /// <returns>A permission class or null</returns> private async Task <PermissionProperties> GetOrCreatePermission(CosmosRolePermission rolePermission) { // get cosmos permission by id: role_name/table_name var permission = await CosmosService.Instance.GetPermission(Name, rolePermission.Table); if (permission == null) { // create permission if not exist var newPermission = await rolePermission.CreateCosmosPermission(Name, rolePermission.Table); if (newPermission != null) { return(newPermission); } else { Logger.Log?.LogWarning($"error create permission ${Name} ${rolePermission.Table}"); } } else { if ((rolePermission.Permission.EqualsIgnoreCase("read") && permission.PermissionMode != PermissionMode.Read) || (rolePermission.Permission.EqualsIgnoreCase("read-write") && permission.PermissionMode != PermissionMode.All)) { // rolePermission is changed, need to update in cosmos var updatedPermission = await CosmosService.Instance.ReplacePermission(Name, rolePermission.Table, rolePermission.Permission.EqualsIgnoreCase("read"), rolePermission.Table); if (updatedPermission != null) { return(updatedPermission); } else { Logger.Log?.LogWarning($"error update permission ${Name} ${rolePermission.Table}"); } } else { return(permission); } } return(null); }
/// <summary> /// Get or create Cosmos permission for a user /// </summary> /// <param name="rolePermission">The role permission record</param> /// <returns>A permission class or null</returns> private async Task <PermissionProperties> GetOrCreateUserPermissions(CosmosRolePermission rolePermission) { var permission = await CosmosService.Instance.GetPermission(ObjectId, rolePermission.Table); if (permission == null) { // create permission if not exist var newPermission = await rolePermission.CreateCosmosPermission(ObjectId, rolePermission.Table, ObjectId); if (newPermission != null) { return(newPermission); } else { Logger.Log?.LogError($"error create permission ${ObjectId} ${rolePermission.Table}"); } } else { if ((rolePermission.Permission.EqualsIgnoreCase("id-read") && permission.PermissionMode == PermissionMode.All) || (rolePermission.Permission.EqualsIgnoreCase("id-read-write") && permission.PermissionMode == PermissionMode.Read)) { // rolePermission is changed, need to update in cosmos var updatedPermission = await CosmosService.Instance.ReplacePermission(ObjectId, rolePermission.Table, rolePermission.Permission.EqualsIgnoreCase("id-read"), rolePermission.Table, partition : ObjectId); if (updatedPermission != null) { return(updatedPermission); } else { Logger.Log?.LogError($"error update permission ${ObjectId} ${rolePermission.Table}"); } } else { return(permission); } } return(null); }
/// <summary> /// Get or create Cosmos permission for an admin user /// </summary> /// <param name="rolePermission">The role permission record</param> /// <returns>A permission class or null</returns> private async Task <PermissionProperties> GetOrCreateAdminPermissions(CosmosRolePermission rolePermission) { var adminPermission = await CosmosService.Instance.GetPermission(ObjectId, rolePermission.Table); if (adminPermission == null) { // create permission if not exist var newPermission = await CosmosService.Instance.CreatePermission(ObjectId, rolePermission.Table, false, rolePermission.Table, ObjectId); if (newPermission != null) { return(newPermission); } else { Logger.Log?.LogWarning($"error create admin permission ${ObjectId} ${rolePermission.Table}"); } } return(adminPermission); }
/// <summary> /// Get cosmos permission of this user /// </summary> /// <returns>List of permissions</returns> public async Task <List <PermissionProperties> > GetPermissions(string groupName) { var result = new List <PermissionProperties>(); // create user if needed await CosmosService.Instance.CreateUser(ObjectId); var rolePermissions = await CosmosRolePermission.QueryByIdPermissions(); List <Task <PermissionProperties> > tasks = new List <Task <PermissionProperties> >(); foreach (var rolePermission in rolePermissions) { // admin will have id-read-write permission for all tables if ("admin".EqualsIgnoreCase(groupName)) { tasks.Add(GetOrCreateAdminPermissions(rolePermission)); continue; } // only check for current group that user belongs if (!groupName.EqualsIgnoreCase(rolePermission.Role)) { continue; } tasks.Add(GetOrCreateUserPermissions(rolePermission)); } // add shared permission if (!Configurations.Cosmos.IgnoreConnectionPermission) { var connections = await Connection.QueryByShareUser(ObjectId); foreach (var connection in connections) { // only process the accepted connection if (!"accepted".EqualsIgnoreCase(connection.Status)) { continue; } tasks.Add(GetOrCreateSharePermissions(connection)); // add shared profile permission if (connection.Profiles != null && connection.Profiles.Count > 0) { tasks.Add(GetOrCreateShareProfilePermissions(connection)); } } } await Task.WhenAll(tasks); foreach (var task in tasks) { if (task.Result != null) { var data = task.Result; result.Add(data); } } // remove duplicated result = result.GroupBy(p => new { p.ETag, p.Id, p.ResourceUri, p.LastModified, p.PermissionMode, p.SelfLink }) .Select(g => g.First()).ToList(); return(result); }
/// <summary> /// Get cosmos permissions of group /// If the permission list is in the cache, then return it. Otherwise refresh cache and return /// </summary> /// <returns>List of permissions</returns> public async Task <List <PermissionProperties> > GetPermissions() { var result = new List <PermissionProperties>(); if (string.IsNullOrWhiteSpace(Name)) { return(result); } var cacheKey = $"groupPermission{Name}"; var cacheItems = cacheStore.GetCacheItem(cacheKey); if (cacheItems != null) { return((List <PermissionProperties>)cacheItems.Value); } // create user if needed await CosmosService.Instance.CreateUser(Name); // admin should have read-write permission for all except tables that have id-read or id-read-write if (Name.EqualsIgnoreCase("admin")) { List <Task <PermissionProperties> > adminTasks = new List <Task <PermissionProperties> >(); var tables = await CosmosRolePermission.GetAllTables(); foreach (var table in tables) { var rolePermisisons = await CosmosRolePermission.QueryByTable(table); if (rolePermisisons != null) { var containsIdPermission = rolePermisisons.Exists(e => e.Permission.EqualsIgnoreCase("id-read") || e.Permission.EqualsIgnoreCase("id-read-write")); if (containsIdPermission) { continue; } } adminTasks.Add(GetOrCreateAdminPermission(table)); } await Task.WhenAll(adminTasks); foreach (var task in adminTasks) { if (task.Result != null) { var data = task.Result; result.Add(data); } } cacheStore.Set(cacheKey, result, new CacheItemPolicy { SlidingExpiration = TimeSpan.FromMinutes(20) }); return(result); } List <Task <PermissionProperties> > tasks = new List <Task <PermissionProperties> >(); var rolePermissions = await CosmosRolePermission.QueryByRole(Name); foreach (var rolePermission in rolePermissions) { // don't return none, id-read, id-read-write permission in that group if (rolePermission.Permission.EqualsIgnoreCase("none") || rolePermission.Permission.EqualsIgnoreCase("id-read") || rolePermission.Permission.EqualsIgnoreCase("id-read-write")) { continue; } tasks.Add(GetOrCreatePermission(rolePermission)); } await Task.WhenAll(tasks); foreach (var task in tasks) { if (task.Result != null) { var data = task.Result; result.Add(data); } } cacheStore.Set(cacheKey, result, new CacheItemPolicy { SlidingExpiration = TimeSpan.FromMinutes(20) }); return(result); }