public AccountAuthorizationRequest RejectRequest(AccountAuthorizationRequest request, NodeVisit visit)
{
ValidateByRole(visit, SystemRoleType.Admin);
ExceptionUtils.ThrowIfNull(request.Response, "request.Response");
if (!CollectionUtils.IsNullOrEmpty(request.RequestedFlows))
{
foreach (AccountAuthorizationRequestFlow flow in request.RequestedFlows)
{
flow.AccessGranted = false;
}
}
request.Response.AuthorizationAccountId = visit.Account.Id;
request.Response.DidCreateInNaas = false;
_accountAuthorizationRequestDao.DoRequestUpdate(request, visit.Account.NaasAccount, false);
string statusDetail = string.Format("{0} rejected authorization request from user \"{1} ({2})\": {3}",
visit.Account.NaasAccount, request.FullName, request.NaasAccount,
request.ToString());
ActivityManager.LogAudit(NodeMethod.None, null, request.TransactionId, visit, statusDetail);
return(request);
}
public AccountAuthorizationRequest AcceptRequest(AccountAuthorizationRequest request, NodeVisit visit)
{
ValidateByRole(visit, SystemRoleType.Admin);
ExceptionUtils.ThrowIfNull(request.Response, "request.Response");
IDictionary <string, string> upperFlowNameToIdMap = _flowManager.GetAllProtectedUpperDataFlowNamesToIdMap();
bool userExists = ValidateUserExistance(request.NaasAccount, request.AffiliatedNodeId,
null, upperFlowNameToIdMap);
string password = _accountManager.GenerateRandomPassword();
UserAccount userAccount = _accountDao.GetByName(request.NaasAccount);
List <UserAccessPolicy> policies = null;
if (userAccount == null)
{
userAccount = new UserAccount();
userAccount.ModifiedById = visit.Account.Id;
userAccount.NaasAccount = request.NaasAccount;
userAccount.Role = SystemRoleType.Authed;
}
else
{
if (!CollectionUtils.IsNullOrEmpty(userAccount.Policies))
{
policies = new List <UserAccessPolicy>(userAccount.Policies);
}
}
userAccount.IsActive = true;
if (!CollectionUtils.IsNullOrEmpty(request.RequestedFlows))
{
foreach (AccountAuthorizationRequestFlow requestedFlow in request.RequestedFlows)
{
UserAccessPolicy curPolicy = GetPolicyForFlow(requestedFlow.FlowName, policies);
bool foundFlow = (curPolicy != null);
if (foundFlow && !requestedFlow.AccessGranted)
{
policies.Remove(curPolicy);
}
else if (!foundFlow && requestedFlow.AccessGranted)
{
UserAccessPolicy policy =
_accountPolicyManager.CreatePolicy(userAccount.Role, null, requestedFlow.FlowName,
FlowRoleType.Endpoint);
policy.ModifiedById = visit.Account.Id;
CollectionUtils.Add(policy, ref policies);
}
}
userAccount.Policies = policies;
}
_accountManager.Save(userAccount, true, password, visit);
request.Response.AuthorizationAccountId = visit.Account.Id;
request.Response.DidCreateInNaas = !userExists;
_accountAuthorizationRequestDao.DoRequestUpdate(request, visit.Account.NaasAccount, true);
string statusDetail = string.Format("{0} accepted authorization request from user \"{1} ({2})\": {3}",
visit.Account.NaasAccount, request.FullName, request.NaasAccount,
request.ToString());
ActivityManager.LogAudit(NodeMethod.None, null, request.TransactionId, visit, statusDetail);
return(request);
}
/// <summary>
/// Check to see if the input request is already valid (user exists in NAAS and the node and already has access to
/// the requested flows. If so, automatically set the request to Accepted, thereby bypassing the need for
/// the node Admin to formally accept the request.
/// </summary>
protected void CheckForAlreadyValidAuthorizationRequest(AccountAuthorizationRequest item)
{
UserAccount userAccount = null;
try
{
userAccount = _accountManager.GetByName(item.NaasAccount);
}
catch (Exception)
{
}
if ((userAccount != null) && userAccount.IsActive)
{
IList <string> protectedFlows = _flowManager.GetProtectedFlowNames();
bool hasAccessToAllRequestedFlows = true;
IList <AccountAuthorizationRequestFlow> requestedFlows = null;
if (!CollectionUtils.IsNullOrEmpty(protectedFlows))
{
if (CollectionUtils.IsNullOrEmpty(item.RequestedFlows))
{
// If item.RequestedFlows == null, this is a request to grant access to all protected flows
requestedFlows = new List <AccountAuthorizationRequestFlow>(protectedFlows.Count);
foreach (string flowName in protectedFlows)
{
requestedFlows.Add(new AccountAuthorizationRequestFlow(flowName));
}
}
else
{
// Deep copy the list so that we can update element without affecting the "real" request
// until we are sure we will accept the user
requestedFlows = new List <AccountAuthorizationRequestFlow>(item.RequestedFlows.Count);
foreach (AccountAuthorizationRequestFlow requestedFlow in item.RequestedFlows)
{
requestedFlows.Add(new AccountAuthorizationRequestFlow(requestedFlow.FlowName));
}
}
// Check that the user has access to all the requested flows:
IDictionary <string, string> upperFlowNameToIdMap = _flowManager.GetAllProtectedUpperDataFlowNamesToIdMap();
foreach (AccountAuthorizationRequestFlow requestedFlow in requestedFlows)
{
if (upperFlowNameToIdMap.ContainsKey(requestedFlow.FlowName.ToUpper()))
{
if (!HasPolicyForFlow(requestedFlow.FlowName, userAccount.Policies))
{
hasAccessToAllRequestedFlows = false;
break;
}
else
{
requestedFlow.AccessGranted = true;
}
}
}
}
if (hasAccessToAllRequestedFlows)
{
// Validate that the user is actually in NAAS
if (_naasManager.UserExists(userAccount.NaasAccount))
{
// Accept this user automatically
item.RequestedFlows = requestedFlows;
item.Response = new AccountAuthorizationResponse();
item.Response.AuthorizationAccountId = _accountManager.AdminAccount.Id;
item.Response.AuthorizationComments = "The node admin automatically accepted the request since all requested policies are currently active";
item.Response.DidCreateInNaas = false;
_accountAuthorizationRequestDao.DoRequestUpdate(item, _accountManager.AdminAccount.NaasAccount, true);
string statusDetail = string.Format("Automatically accepted authorization request from user \"{0} ({1})\" since all requested policies are currently active: {2}",
item.FullName, item.NaasAccount, item.ToString());
ActivityManager.LogAudit(NodeMethod.None, null, item.TransactionId, null, statusDetail);
}
}
}
}