protected AclResult internalEvaluate(AclRequest request){
AclResult result = null;
result = tryEvaluateBySubProviders(request);
if(null!=result) return result;
result = tryEvaluateByRules(request);
if (null != result) return result;
return new AclResult {AccessAllowed = true, Processed = false};
}
private AclResult tryEvaluateByRules(AclRequest request){
var rules = new List<IAclRule>();
foreach (var rule in Rules){
if(!rule.Active) continue;
if(!(rule.StartDate <= DateTime.Now && rule.EndDate >= DateTime.Now)) continue;
if(!rule.Match(request)) continue;
rules.Add(rule);
}
rules = rules.OrderBy(x => x, new AclRuleComparer()).ToList();
if(log.IsDebugEnabled){
log.Debug("matched rules for " + request + " (" + rules.concat("; ") + ")");
}
if(rules.Count()==0) return null;
var result = new AclResult {Processed = true, AccessAllowed = true};
foreach (var rule in rules){
if(AclRuleType.Deny==rule.RuleType){
result.AccessAllowed = false;
log.debug(()=>"deny by "+rule);
break;
}
if(AclRuleType.Allow==rule.RuleType){
result.AccessAllowed = true;
log.debug(()=>"allow by "+rule);
break;
}
if(AclRuleType.Require==rule.RuleType){
if(!rule.IsRequireMatched(request)){
result.AccessAllowed = false;
log.debug(()=>"no meet require by "+rule);
break;
}
}
}
log.debug(()=>"result "+result.AccessAllowed);
return result;
}
private bool resolveByRoles(AclRequest request){
var principal = request.Principal;
return CheckRoles(principal);
}
public virtual bool IsRequireMatched(AclRequest request){
return resolveByRoles(request);
}
public virtual bool Match(AclRequest request){
//check by token
if (!string.IsNullOrWhiteSpace(TokenMask) && !request.Token.like(getRegex())) {
log.debug(()=>String.Empty+this+" no match token");
return false;
}
//check by system
if (!string.IsNullOrWhiteSpace(System) && request.System!=System) {
log.debug(()=>String.Empty+this+" no match system");
return false;
}
//check by domain or user
if (!string.IsNullOrWhiteSpace(PrincipalMask) && !PrincipalMask.StartsWith("r:")){
if (PrincipalMask.Contains("\\"))
{
if (request.Principal.Identity.Name != PrincipalMask) return false;
}
else{
if (!request.Principal.Identity.Name.StartsWith(PrincipalMask)) return false;
}
}
//check by permission
var rp = request.Permission;
if (string.IsNullOrWhiteSpace(rp)) rp = "_NULL_";
if (!string.IsNullOrWhiteSpace(Permissions) && !Permissions.Contains(rp + ";")){
log.debug(()=>String.Empty+this+" no match permission");
return false;
}
//check by role - if rule has special REQUIRE mode - roles are not checked at match stage, but collected in
//eval stage
if (!string.IsNullOrWhiteSpace(PrincipalMask) && PrincipalMask.StartsWith("r:") && RuleType!=AclRuleType.Require)
{
if (!resolveByRoles(request)) return false;
}
return true;
}
public AclResult Evaluate(AclRequest request){
Used = true;
if (request.Principal.Identity.Name == "test\\test"){
return new AclResult{Processed = true, AccessAllowed = true};
}
return null;
}
public AclResult Evaluate(AclRequest request){
lock (this){
checkInitialization();
return cache.get(request.ToString(), () => internalEvaluate(request));
}
}
private AclResult tryEvaluateBySubProviders(AclRequest request){
if(null==AclProviders) return null;
foreach (var impl in AclProviders.OrderBy(r=>r.Idx)){
var result = impl.Evaluate(request);
if(null!=result){
return result;
}
}
return null;
}