/// <summary>
/// Authorizes a user.
/// For authorized users, returns the <see cref="WindowsIdentity"/> in whose context commands need to be executed.
/// </summary>
/// <param name="userInfo">User information.</param>
/// <param name="quota">User quota value, built from the quota configured for the matched user.</param>
/// <returns>WindowsIdentity in whose context commands need to be executed.</returns>
/// <exception cref="ArgumentException">Thrown by <see cref="FindUser"/> when no configured user matches <paramref name="userInfo"/>.</exception>
public WindowsIdentity AuthorizeUser(RbacUser.RbacUserInfo userInfo, out Microsoft.Management.Odata.UserQuota quota)
{
    // FindUser throws for an unknown user, so nothing below runs for callers
    // that are not present in the RBAC configuration.
    RbacUser authorizedUser = this.FindUser(userInfo);

    var configuredQuota = authorizedUser.Quota;
    quota = new Microsoft.Management.Odata.UserQuota(
        configuredQuota.MaxConcurrentRequests,
        configuredQuota.MaxRequestsPerTimeSlot,
        configuredQuota.Timeslot);

    // The caller's own identity is handed to the user's group, whose
    // GetWindowsIdentity supplies the identity to execute under.
    RbacGroup executionGroup = authorizedUser.Group;
    return executionGroup.GetWindowsIdentity(userInfo.WindowsIdentity);
}
/// <summary>
/// Finds a user in the RbacSystem.
/// </summary>
/// <param name="userInfo">User information.</param>
/// <returns>The configured user whose UserInfo equals <paramref name="userInfo"/>.</returns>
/// <exception cref="ArgumentException">Thrown when no configured user matches <paramref name="userInfo"/>.</exception>
private RbacUser FindUser(RbacUser.RbacUserInfo userInfo)
{
    // First configured user whose UserInfo compares equal; the equality
    // semantics live in RbacUserInfo.Equals, not here.
    foreach (RbacUser candidate in this.Users)
    {
        if (candidate.UserInfo.Equals(userInfo))
        {
            return candidate;
        }
    }

    throw new ArgumentException(string.Format(
        "User not found. Name = {0} Authentication Type = {1}",
        userInfo.Name,
        userInfo.AuthenticationType));
}
/// <summary>
/// Finds the group for a PSPrincipal.
/// </summary>
/// <param name="principal">PSPrincipal instance.</param>
/// <returns>Group associated with the identity.</returns>
/// <exception cref="ArgumentNullException">Thrown when <paramref name="principal"/> is null.</exception>
/// <exception cref="ArgumentException">
/// Thrown when the principal carries no identity, when the identity matches no configured user,
/// or when the matched user's group is not among the configured groups.
/// </exception>
/// <exception cref="UnauthorizedAccessException">Thrown when the identity is not authenticated.</exception>
private RbacGroup FindGroup(PSPrincipal principal)
{
    if (principal == null)
    {
        throw new ArgumentNullException("principal");
    }

    PSIdentity powerShellIdentity = principal.Identity;
    if (powerShellIdentity == null)
    {
        throw new ArgumentException("Null identity passed");
    }

    // Unauthenticated identities are rejected before any configuration lookup is attempted.
    if (!powerShellIdentity.IsAuthenticated)
    {
        throw new UnauthorizedAccessException();
    }

    GenericIdentity genericIdentity = new GenericIdentity(powerShellIdentity.Name, powerShellIdentity.AuthenticationType);
    RbacUser.RbacUserInfo lookupKey = new RbacUser.RbacUserInfo(genericIdentity, powerShellIdentity.CertificateDetails);

    RbacUser matchedUser = this.Users.Find(candidate => candidate.UserInfo.Equals(lookupKey));
    if (matchedUser == null)
    {
        throw new ArgumentException(string.Format(
            "User not found: name={0}, authentication={1}",
            lookupKey.Name,
            lookupKey.AuthenticationType));
    }

    // The user only carries a group name; resolve it against the configured groups.
    string groupName = matchedUser.Group.Name;
    RbacGroup matchedGroup = this.Groups.Find(candidate => candidate.Name == groupName);
    if (matchedGroup == null)
    {
        throw new ArgumentException("group not found = " + groupName);
    }

    return matchedGroup;
}
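/// <summary>
/// Populates the RbacSystem from an RBAC configuration file.
/// Existing state is discarded by <see cref="Reset"/> first; groups are loaded before users
/// because each user is linked to its group by name. If an exception is thrown part-way
/// through, the system is left partially populated.
/// </summary>
/// <param name="configPath">Full path to the config file.</param>
/// <exception cref="ArgumentException">
/// Thrown when a group specifies only one of UserName/Password, or when a user references a
/// group that is not defined in the configuration.
/// </exception>
private void Populate(string configPath)
{
    this.Reset();
    XmlConfiguration rbacConfiguration = XmlConfiguration.Create(configPath);

    foreach (XmlGroup group in rbacConfiguration.Groups)
    {
        // Credential consistency is checked outside the try/catch below. Previously these
        // throws sat inside a catch (Exception) block and were silently swallowed, so a
        // half-specified credential loaded without any error.
        bool hasUserName = group.UserName != null;
        bool hasPassword = group.Password != null;
        if (hasUserName != hasPassword)
        {
            if (!hasUserName)
            {
                throw new ArgumentException("User name is null for group " + group.Name);
            }

            throw new ArgumentException("Password is null for group " + group.Name);
        }

        if (hasUserName)
        {
            if (group.DomainName == null)
            {
                // Default to a local account; note this writes back into the parsed configuration object.
                group.DomainName = Environment.MachineName;
            }

            try
            {
                // The identity obtained here is not stored: RbacGroup is constructed from the XmlGroup
                // alone below. The call is kept as an early check that the configured credentials
                // (read as-is from the configuration file) can produce an identity, and the result is
                // disposed immediately so no token handle is leaked. Failure is deliberately non-fatal;
                // whether RbacGroup itself falls back to the process identity later cannot be seen here.
                using (WindowsIdentity probe = WindowsIdentityHelper.GetWindowsIdentity(group.UserName, group.Password, group.DomainName))
                {
                }
            }
            catch (Exception)
            {
                // Not able to get the impersonated WindowsIdentity; loading continues.
            }
        }

        this.Groups.Add(new RbacGroup(group));
    }

    foreach (XmlUser userConfig in rbacConfiguration.Users)
    {
        // Resolve the group first so an unknown group name fails before a user object is built.
        RbacGroup userGroup = this.Groups.Find(item => item.Name == userConfig.GroupName);
        if (userGroup == null)
        {
            throw new ArgumentException("Group not found = " + userConfig.GroupName);
        }

        RbacUser user = new RbacUser(
            new RbacUser.RbacUserInfo(userConfig.Name, userConfig.AuthenticationType, userConfig.DomainName),
            userConfig.Quota);
        user.Group = userGroup;
        this.Users.Add(user);
    }
}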