        /// <summary>
        /// Evaluates <paramref name="actions"/> for <paramref name="subject"/> and returns the denials found.
        /// A null subject is denied every requested action (fails closed); the core system account is allowed
        /// everything; any other subject is checked action by action through azManager, and that scan stops at
        /// the first denial, so at most one <see cref="DenyResult"/> is produced on that path.
        /// </summary>
        /// <param name="subject">Subject under evaluation; may be null.</param>
        /// <param name="actions">Requested actions; null is treated as an empty set.</param>
        /// <param name="objectId">Object the actions apply to; passed through to azManager.</param>
        /// <param name="securityObjProvider">Provider resolving the object's security metadata; passed through.</param>
        /// <returns>An empty array when everything is allowed, otherwise the denial(s) found.</returns>
        private DenyResult[] GetDenyActions(ISubject subject, IAction[] actions, ISecurityObjectId objectId, ISecurityObjectProvider securityObjProvider)
        {
            var requested = actions ?? new IAction[0];

            // No identity at all: every requested action is reported as denied.
            if (subject == null)
            {
                return requested.Select(a => new DenyResult(a, null, null)).ToArray();
            }

            // The core system account bypasses the resolver; both the account type and the id must match.
            var isCoreSystem = subject is ISystemAccount && subject.ID == Constants.CoreSystem.ID;
            if (isCoreSystem)
            {
                return new DenyResult[0];
            }

            var denied = new List<DenyResult>();
            foreach (var action in requested)
            {
                ISubject denySubject;
                IAction denyAction;
                if (azManager.CheckPermission(subject, action, objectId, securityObjProvider, out denySubject, out denyAction))
                {
                    continue;
                }

                // The first denial ends the scan; the remaining actions are not evaluated.
                denied.Add(new DenyResult(action, denySubject, denyAction));
                break;
            }
            return denied.ToArray();
        }
 /// <summary>
 /// Demands <paramref name="actions"/> on <paramref name="objectId"/> for the current caller, skipping the
 /// check entirely when the caller is an administrator.
 /// </summary>
 /// <remarks>
 /// The administrator shortcut runs before SecurityContext is consulted, so no ACL is read for administrators.
 /// Everyone else goes through SecurityContext.DemandPermissions, which is expected to throw on denial.
 /// </remarks>
 public static void DemandPermissions(ISecurityObjectId objectId, ISecurityObjectProvider securityObjProvider, params IAction[] actions)
 {
     if (!IsAdministrator())
     {
         SecurityContext.DemandPermissions(objectId, securityObjProvider, actions);
     }
 }
 /// <summary>
 /// Reports whether the current caller may perform <paramref name="actions"/> on <paramref name="objectId"/>.
 /// Administrators are allowed without consulting the ACL; everyone else is resolved by SecurityContext.
 /// </summary>
 /// <returns>True when allowed, false otherwise.</returns>
 public static bool CheckPermissions(ISecurityObjectId objectId, ISecurityObjectProvider securityObjProvider, params IAction[] actions)
 {
     // Short-circuit keeps the administrator bypass ahead of the ACL lookup.
     return IsAdministrator() || SecurityContext.CheckPermissions(objectId, securityObjProvider, actions);
 }
        /// <summary>
        /// Returns the access control entries that apply to <paramref name="subject"/> for <paramref name="action"/>
        /// on <paramref name="objectId"/>, including entries inherited from parent objects.
        /// </summary>
        /// <param name="subject">Subject whose entries are requested; must not be null.</param>
        /// <param name="action">Action the entries are requested for; must not be null.</param>
        /// <param name="objectId">Object the entries apply to; passed through to the authorization manager.</param>
        /// <param name="secObjProvider">Provider used to walk the object's inheritance chain; passed through.</param>
        /// <returns>A lazily projected sequence of <see cref="Ace"/> built from the manager's records.</returns>
        /// <exception cref="ArgumentNullException">subject or action is null.</exception>
        public IEnumerable<Ace> GetAcl(ISubject subject, IAction action, ISecurityObjectId objectId, ISecurityObjectProvider secObjProvider)
        {
            if (subject == null)
            {
                throw new ArgumentNullException("subject");
            }
            if (action == null)
            {
                throw new ArgumentNullException("action");
            }

            // The record lookup runs eagerly here; only the Ace projection is deferred.
            var records = CoreContext.AuthorizationManager.GetAcesWithInherits(subject.ID, action.ID, objectId, secObjProvider);
            return records.Select(record => new Ace(record.ActionId, record.Reaction));
        }
        /// <summary>
        /// Resolves whether <paramref name="subject"/> may perform <paramref name="action"/> on
        /// <paramref name="objectId"/> and reports which subject/action a denial was resolved against.
        /// </summary>
        /// <param name="subject">Subject under evaluation; must not be null.</param>
        /// <param name="action">Action under evaluation; must not be null.</param>
        /// <param name="objectId">Object the action applies to; passed through to GetAzManagerAcl.</param>
        /// <param name="securityObjProvider">Provider resolving the object's security metadata; passed through.</param>
        /// <param name="denySubject">Subject whose entry produced the denial, as reported by the resolved acl.</param>
        /// <param name="denyAction">Action the denial was recorded for, as reported by the resolved acl.</param>
        /// <returns>The acl's IsAllow verdict.</returns>
        /// <exception cref="ArgumentNullException">subject or action is null.</exception>
        public bool CheckPermission(ISubject subject, IAction action, ISecurityObjectId objectId,
                                    ISecurityObjectProvider securityObjProvider, out ISubject denySubject,
                                    out IAction denyAction)
        {
            if (subject == null)
            {
                throw new ArgumentNullException("subject");
            }
            if (action == null)
            {
                throw new ArgumentNullException("action");
            }

            var verdict = GetAzManagerAcl(subject, action, objectId, securityObjProvider);

            denySubject = verdict.DenySubject;
            denyAction = verdict.DenyAction;
            return verdict.IsAllow;
        }
 /// <summary>
 /// Advances the helper to the object the current one inherits its security from and pushes the new
 /// id onto the call context's object stack.
 /// </summary>
 /// <returns>
 /// True when a parent exists and a provider is still available for it; false once the chain ends.
 /// </returns>
 public bool NextInherit()
 {
     var provider = currSecObjProvider;
     if (provider == null)
     {
         return false;
     }
     if (!provider.InheritSupported)
     {
         return false;
     }

     var parentId = provider.InheritFrom(currObjId);
     currObjId = parentId;
     if (parentId == null)
     {
         return false;
     }

     // When the object id doubles as the provider, the provider follows the id. A parent that is
     // not itself a provider ends the chain (false below) even though currObjId has already moved.
     if (currObjIdAsProvider)
     {
         currSecObjProvider = parentId as ISecurityObjectProvider;
     }

     // NOTE(review): nothing here guards against an InheritFrom chain that cycles; callers loop on
     // this method, so termination rests on the provider -- confirm providers guarantee a finite chain.
     callContext.ObjectsStack.Insert(0, CurrentObjectId);
     return currSecObjProvider != null;
 }
 /// <summary>
 /// Throws when <paramref name="subject"/> is denied any of <paramref name="actions"/> on
 /// <paramref name="objectId"/>; returns silently when everything is allowed.
 /// </summary>
 /// <param name="subject">Subject under evaluation; passed through to GetDenyActions.</param>
 /// <param name="objectId">Object the actions apply to.</param>
 /// <param name="securityObjProvider">Provider resolving the object's security metadata.</param>
 /// <param name="actions">Requested actions.</param>
 /// <exception cref="AuthorizingException">
 /// At least one action was denied; carries the denied actions and, per denial, the subject and action
 /// the denial was resolved against.
 /// </exception>
 public void Demand(ISubject subject, ISecurityObjectId objectId, ISecurityObjectProvider securityObjProvider, params IAction[] actions)
 {
     var denied = GetDenyActions(subject, actions, objectId, securityObjProvider);
     if (denied.Length == 0)
     {
         return;
     }

     var targetActions = Array.ConvertAll(denied, r => r.TargetAction);
     var denySubjects = Array.ConvertAll(denied, r => r.DenySubject);
     var denyActions = Array.ConvertAll(denied, r => r.DenyAction);
     throw new AuthorizingException(subject, targetActions, denySubjects, denyActions);
 }
 /// <summary>
 /// Starts an inheritance walk at <paramref name="objectId"/>. When no explicit provider is given and the
 /// object id itself implements <see cref="ISecurityObjectProvider"/>, the id serves as its own provider.
 /// </summary>
 /// <param name="objectId">Object to start from; must not be null.</param>
 /// <param name="secObjProvider">Provider for the object's security metadata; may be null (see summary).</param>
 /// <exception cref="ArgumentNullException">objectId is null.</exception>
 public AzObjectSecurityProviderHelper(ISecurityObjectId objectId, ISecurityObjectProvider secObjProvider)
 {
     if (objectId == null)
     {
         throw new ArgumentNullException(nameof(objectId));
     }

     currObjIdAsProvider = false;
     CurrentObjectId = objectId;
     currSecObjProvider = secObjProvider;

     // Only when no explicit provider was supplied may the object id stand in for it.
     if (secObjProvider == null)
     {
         var selfProvider = CurrentObjectId as ISecurityObjectProvider;
         if (selfProvider != null)
         {
             currObjIdAsProvider = true;
             currSecObjProvider = selfProvider;
         }
     }

     callContext = new SecurityCallContext();
 }
 /// <summary>
 /// Starts an inheritance walk at <paramref name="objectId"/>. When no explicit provider is given and the
 /// object id itself implements <see cref="ISecurityObjectProvider"/>, the id serves as its own provider.
 /// </summary>
 /// <param name="objectId">Object to start from; must not be null.</param>
 /// <param name="secObjProvider">Provider for the object's security metadata; may be null (see summary).</param>
 /// <exception cref="ArgumentNullException">objectId is null.</exception>
 public AzObjectSecurityProviderHelper(ISecurityObjectId objectId, ISecurityObjectProvider secObjProvider)
 {
     if (objectId == null)
     {
         throw new ArgumentNullException("objectId");
     }

     currObjId = objectId;
     currSecObjProvider = secObjProvider;

     // The id may only stand in as provider when none was supplied explicitly.
     var selfProvider = secObjProvider == null ? objectId as ISecurityObjectProvider : null;
     currObjIdAsProvider = selfProvider != null;
     if (currObjIdAsProvider)
     {
         currSecObjProvider = selfProvider;
     }

     callContext = new SecurityCallContext();
 }
        /// <summary>
        /// Throws when <paramref name="subject"/> is denied any of <paramref name="actions"/> on
        /// <paramref name="objectId"/>; returns silently when everything is allowed.
        /// </summary>
        /// <param name="subject">Subject under evaluation; passed through to GetDenyActions.</param>
        /// <param name="objectId">Object the actions apply to.</param>
        /// <param name="securityObjProvider">Provider resolving the object's security metadata.</param>
        /// <param name="actions">Requested actions.</param>
        /// <exception cref="AuthorizingException">
        /// At least one action was denied; carries the denied actions and, per denial, the subject and action
        /// the denial was resolved against.
        /// </exception>
        public void Demand(ISubject subject, ISecurityObjectId objectId, ISecurityObjectProvider securityObjProvider, params IAction[] actions)
        {
            var denied = GetDenyActions(subject, actions, objectId, securityObjProvider);
            if (denied.Length == 0)
            {
                return;
            }

            throw new AuthorizingException(
                subject,
                Array.ConvertAll(denied, d => d.TargetAction),
                Array.ConvertAll(denied, d => d.DenySubject),
                Array.ConvertAll(denied, d => d.DenyAction));
        }
 /// <summary>
 /// Starts an inheritance walk at <paramref name="objectId"/>. When no explicit provider is given and the
 /// object id itself implements <see cref="ISecurityObjectProvider"/>, the id serves as its own provider.
 /// </summary>
 /// <param name="objectId">Object to start from; must not be null.</param>
 /// <param name="secObjProvider">Provider for the object's security metadata; may be null (see summary).</param>
 /// <exception cref="ArgumentNullException">objectId is null.</exception>
 public AzObjectSecurityProviderHelper(ISecurityObjectId objectId, ISecurityObjectProvider secObjProvider)
 {
     if (objectId == null)
     {
         throw new ArgumentNullException("objectId");
     }

     currObjId = objectId;

     // The id stands in as provider only when none was supplied and it implements the contract.
     currObjIdAsProvider = secObjProvider == null && objectId is ISecurityObjectProvider;
     currSecObjProvider  = currObjIdAsProvider ? (ISecurityObjectProvider)objectId : secObjProvider;

     callContext = new SecurityCallContext();
 }
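        /// <summary>
        /// Reports whether the current caller may perform <paramref name="actions"/> on <paramref name="objectId"/>.
        /// Administrators are allowed without consulting the ACL. Outsiders are confined to the "Read forum post"
        /// action: the request is refused unless every requested action is that one, and only then is the ACL
        /// consulted through SecurityContext like for any other caller.
        /// </summary>
        /// <param name="objectId">Object the actions apply to.</param>
        /// <param name="securityObjProvider">Provider resolving the object's security metadata.</param>
        /// <param name="actions">Requested actions; null is treated as an empty set.</param>
        /// <returns>True when allowed, false otherwise.</returns>
        public static bool CheckPermissions(ISecurityObjectId objectId, ISecurityObjectProvider securityObjProvider, params IAction[] actions)
        {
            if (IsAdministrator()) return true;
            if (IsOutsider())
            {
                // "Read forum post" action id.
                var readForumPostActionId = new Guid("{E0759A42-47F0-4763-A26A-D5AA665BEC35}");
                var actionArray = actions ?? new IAction[0];

                // Fail closed: the flag is cleared by the first action that is not the read action and is
                // never re-set by a later element, so a mixed request cannot pass on the strength of its last
                // entry. An empty request is refused as well; a null element counts as "not the read action".
                var onlyReadRequested = actionArray.Length > 0;
                foreach (var action in actionArray)
                {
                    if (action == null || !action.ID.Equals(readForumPostActionId))
                    {
                        onlyReadRequested = false;
                        break;
                    }
                }
                if (!onlyReadRequested) return false;
            }

            return SecurityContext.CheckPermissions(objectId, securityObjProvider, actions);
        }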
 /// <summary>
 /// Advances the helper to the object the current one inherits its security from and pushes the new
 /// id onto the call context's object stack.
 /// </summary>
 /// <returns>
 /// True when a parent exists and a provider is still available for it; false once the chain ends.
 /// </returns>
 public bool NextInherit()
 {
     var canInherit = currSecObjProvider != null && currSecObjProvider.InheritSupported;
     if (!canInherit)
     {
         return(false);
     }

     currObjId = currSecObjProvider.InheritFrom(currObjId);
     if (currObjId == null)
     {
         return(false);
     }

     // When the object id doubles as the provider, the provider follows the id; a parent that is not
     // itself a provider makes this null and ends the chain below.
     currSecObjProvider = currObjIdAsProvider ? currObjId as ISecurityObjectProvider : currSecObjProvider;

     // NOTE(review): no cycle guard here; callers loop on this method, so a provider whose InheritFrom
     // chain loops would never terminate -- confirm providers guarantee a finite chain.
     callContext.ObjectsStack.Insert(0, CurrentObjectId);
     return(currSecObjProvider != null);
 }
        /// <summary>
        /// Resolves whether <paramref name="subject"/> may perform <paramref name="action"/> on
        /// <paramref name="objectId"/> and reports which subject/action a denial was resolved against.
        /// </summary>
        /// <param name="subject">Subject under evaluation; must not be null.</param>
        /// <param name="action">Action under evaluation; must not be null.</param>
        /// <param name="objectId">Object the action applies to; passed through to GetAzManagerAcl.</param>
        /// <param name="securityObjProvider">Provider resolving the object's security metadata; passed through.</param>
        /// <param name="denySubject">Subject whose entry produced the denial, as reported by the resolved acl.</param>
        /// <param name="denyAction">Action the denial was recorded for, as reported by the resolved acl.</param>
        /// <returns>The acl's IsAllow verdict.</returns>
        /// <exception cref="ArgumentNullException">subject or action is null.</exception>
        public bool CheckPermission(ISubject subject, IAction action, ISecurityObjectId objectId,
                                    ISecurityObjectProvider securityObjProvider, out ISubject denySubject,
                                    out IAction denyAction)
        {
            if (subject == null) throw new ArgumentNullException("subject");
            if (action == null) throw new ArgumentNullException("action");

            var verdict = GetAzManagerAcl(subject, action, objectId, securityObjProvider);
            denySubject = verdict.DenySubject;
            denyAction  = verdict.DenyAction;
            return(verdict.IsAllow);
        }
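        /// <summary>
        /// Reports whether the current caller may perform <paramref name="actions"/> on <paramref name="objectId"/>.
        /// Administrators are allowed without consulting the ACL. Outsiders are confined to the "Read forum post"
        /// action: the request is refused unless every requested action is that one, and only then is the ACL
        /// consulted through SecurityContext like for any other caller.
        /// </summary>
        /// <param name="objectId">Object the actions apply to.</param>
        /// <param name="securityObjProvider">Provider resolving the object's security metadata.</param>
        /// <param name="actions">Requested actions; null is treated as an empty set.</param>
        /// <returns>True when allowed, false otherwise.</returns>
        public static bool CheckPermissions(ISecurityObjectId objectId, ISecurityObjectProvider securityObjProvider, params IAction[] actions)
        {
            if (IsAdministrator())
            {
                return(true);
            }
            if (IsOutsider())
            {
                // "Read forum post" action id.
                var readForumPostActionId = new Guid("{E0759A42-47F0-4763-A26A-D5AA665BEC35}");
                var actionArray           = actions ?? new IAction[0];

                // Fail closed: the flag is cleared by the first action that is not the read action and is
                // never re-set by a later element, so a mixed request cannot pass on the strength of its last
                // entry. An empty request is refused as well; a null element counts as "not the read action".
                var onlyReadRequested = actionArray.Length > 0;
                foreach (var action in actionArray)
                {
                    if (action == null || !action.ID.Equals(readForumPostActionId))
                    {
                        onlyReadRequested = false;
                        break;
                    }
                }
                if (!onlyReadRequested)
                {
                    return(false);
                }
            }

            return(SecurityContext.CheckPermissions(objectId, securityObjProvider, actions));
        }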
 /// <summary>
 /// Collects every subject that must be consulted when resolving permissions for <paramref name="subject"/>:
 /// the subject itself, its roles from roleProvider, and (when an object is given) the roles granted on the
 /// object and on each object it inherits from.
 /// </summary>
 /// <param name="subject">Subject to expand.</param>
 /// <param name="objectId">Object whose object-level roles are included; null skips that part.</param>
 /// <param name="securityObjProvider">Provider used to walk the object's inheritance chain.</param>
 /// <returns>
 /// The subjects in evaluation order: subject, global roles, then object roles with duplicates
 /// (per List.Contains) skipped.
 /// </returns>
 internal IEnumerable<ISubject> GetSubjects(ISubject subject, ISecurityObjectId objectId, ISecurityObjectProvider securityObjProvider)
 {
     // Order matters to callers that stop at the first decisive entry: the subject comes first.
     var result = new List<ISubject> { subject };
     foreach (var role in roleProvider.GetRoles(subject))
     {
         result.Add((ISubject)role);
     }

     if (objectId == null)
     {
         return result;
     }

     var helper = new AzObjectSecurityProviderHelper(objectId, securityObjProvider);
     do
     {
         if (helper.ObjectRolesSupported)
         {
             foreach (IRole role in helper.GetObjectRoles(subject))
             {
                 if (result.Contains(role))
                 {
                     continue;
                 }
                 result.Add(role);
             }
         }
     } while (helper.NextInherit());

     return result;
 }
        /// <summary>
        /// Returns the access records for <paramref name="subjectId"/>/<paramref name="actionId"/> on
        /// <paramref name="objectId"/>: the object's own records first, then the records of each ancestor in the
        /// inheritance chain and the object-less (global) records, the latter group passed through DistinctAces.
        /// </summary>
        /// <param name="subjectId">Subject the records are filtered by.</param>
        /// <param name="actionId">Action the records are filtered by.</param>
        /// <param name="objectId">Object to resolve; null returns only the global records via GetAces.</param>
        /// <param name="secObjProvider">Provider used to walk the object's inheritance chain.</param>
        /// <returns>Own records followed by the de-duplicated inherited records.</returns>
        public IEnumerable<AzRecord> GetAcesWithInherits(Guid subjectId, Guid actionId, ISecurityObjectId objectId, ISecurityObjectProvider secObjProvider)
        {
            // No object: only the global records apply.
            if (objectId == null)
            {
                return GetAces(subjectId, actionId, null);
            }

            // The tenant's records are loaded once and filtered locally for every object in the chain.
            var tenantId = CoreContext.TenantManager.GetCurrentTenant().TenantId;
            var allAces = service.GetAces(tenantId, default(DateTime));

            var result = new List<AzRecord>();
            result.AddRange(FilterAces(allAces, subjectId, actionId, objectId));

            var inherited = new List<AzRecord>();
            var helper = new AzObjectSecurityProviderHelper(objectId, secObjProvider);
            while (helper.NextInherit())
            {
                inherited.AddRange(FilterAces(allAces, subjectId, actionId, helper.CurrentObjectId));
            }
            inherited.AddRange(FilterAces(allAces, subjectId, actionId, null));

            // Inherited records are appended after the object's own so the most specific entries come first.
            result.AddRange(DistinctAces(inherited));
            return result;
        }
        /// <summary>
        /// Resolves the verdict for <paramref name="subject"/> performing <paramref name="action"/> on
        /// <paramref name="objectId"/>.
        /// </summary>
        /// <remarks>
        /// Evaluation order: an action flagged AdministratorAlwaysAllow is allowed outright for the Admin
        /// account or any member of the Admin role. Otherwise the subjects from GetSubjects are scanned in
        /// order and each one's entries from permissionProvider.GetAcl are inspected:
        /// a Deny entry records the subject and action it was found for and ends evaluation;
        /// an Allow entry sets IsAllow and, for a non-conjunctive action, ends evaluation, so a later
        /// subject's Deny is not seen in that case. For a conjunctive action scanning continues and a later
        /// Deny overrides the earlier Allow.
        /// </remarks>
        /// <param name="subject">Subject under evaluation; not null-checked here (callers validate).</param>
        /// <param name="action">Action under evaluation; not null-checked here (callers validate).</param>
        /// <param name="objectId">Object the action applies to.</param>
        /// <param name="securityObjProvider">Provider resolving the object's security metadata.</param>
        /// <returns>The resolved acl; AzManagerAcl.Default when no entry decided the outcome.</returns>
        internal AzManagerAcl GetAzManagerAcl(ISubject subject, IAction action, ISecurityObjectId objectId, ISecurityObjectProvider securityObjProvider)
        {
            var isAdmin = Constants.Admin.ID == subject.ID || roleProvider.IsSubjectInRole(subject, Constants.Admin);
            if (action.AdministratorAlwaysAllow && isAdmin)
            {
                return AzManagerAcl.Allow;
            }

            // NOTE(review): acl is mutated below; if AzManagerAcl.Default hands out a shared instance rather
            // than a fresh one, those writes would leak into later calls -- confirm it returns a new object.
            var acl = AzManagerAcl.Default;

            foreach (var evaluated in GetSubjects(subject, objectId, securityObjProvider))
            {
                foreach (var ace in permissionProvider.GetAcl(evaluated, action, objectId, securityObjProvider))
                {
                    if (ace.Reaction == AceType.Deny)
                    {
                        acl.IsAllow = false;
                        acl.DenySubject = evaluated;
                        acl.DenyAction = action;
                        return acl;
                    }

                    if (ace.Reaction != AceType.Allow)
                    {
                        continue;
                    }

                    acl.IsAllow = true;
                    if (!action.Conjunction)
                    {
                        // Disjunction: the first allow decides.
                        return acl;
                    }
                }
            }
            return acl;
        }
 /// <summary>
 /// Demands <paramref name="actions"/> on <paramref name="objectId"/> for the current account by delegating
 /// to PermissionResolver.Demand; nothing is checked locally.
 /// </summary>
 public static void DemandPermissions(ISecurityObjectId objectId, ISecurityObjectProvider securityObjProvider, params IAction[] actions)
 {
     var account = CurrentAccount;
     PermissionResolver.Demand(account, objectId, securityObjProvider, actions);
 }
 /// <summary>
 /// Reports whether <paramref name="subject"/> is allowed every one of <paramref name="actions"/> on
 /// <paramref name="objectId"/>, i.e. whether GetDenyActions finds nothing to deny.
 /// </summary>
 /// <returns>True when no denial was found, false otherwise.</returns>
 public bool Check(ISubject subject, ISecurityObjectId objectId, ISecurityObjectProvider securityObjProvider, params IAction[] actions)
 {
     var denied = GetDenyActions(subject, actions, objectId, securityObjProvider);
     var anyDenied = denied.Length > 0;
     return !anyDenied;
 }
        /// <summary>
        /// Returns the access records for <paramref name="subjectId"/>/<paramref name="actionId"/> on
        /// <paramref name="objectId"/>: the object's own records first, then the records of each ancestor in the
        /// inheritance chain and the object-less (global) records, the latter group passed through DistinctAces.
        /// </summary>
        /// <param name="subjectId">Subject the records are filtered by.</param>
        /// <param name="actionId">Action the records are filtered by.</param>
        /// <param name="objectId">Object to resolve; null returns only the global records via GetAces.</param>
        /// <param name="secObjProvider">Provider used to walk the object's inheritance chain.</param>
        /// <returns>Own records followed by the de-duplicated inherited records.</returns>
        public IEnumerable<AzRecord> GetAcesWithInherits(Guid subjectId, Guid actionId, ISecurityObjectId objectId, ISecurityObjectProvider secObjProvider)
        {
            if (objectId == null)
            {
                // No object: only the global records apply.
                return GetAces(subjectId, actionId, null);
            }

            // One load of the tenant's records; every object in the chain is filtered from this set.
            var aces = service.GetAces(TenantManager.GetCurrentTenant().TenantId, default);

            var inherited = new List<AzRecord>();
            var helper = new AzObjectSecurityProviderHelper(objectId, secObjProvider);
            while (helper.NextInherit())
            {
                inherited.AddRange(FilterAces(aces, subjectId, actionId, helper.CurrentObjectId));
            }
            inherited.AddRange(FilterAces(aces, subjectId, actionId, null));

            // Own records first, de-duplicated inherited records after them.
            var result = new List<AzRecord>();
            result.AddRange(FilterAces(aces, subjectId, actionId, objectId));
            result.AddRange(DistinctAces(inherited));
            return result;
        }
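        /// <summary>
        /// Returns the access control entries for <paramref name="subject"/> and <paramref name="action"/> on
        /// <paramref name="objectId"/>: the object's own entries, then (when GetObjectAcesInheritance says the
        /// object inherits) the entries of each ancestor and finally the object-less entries, with repeated
        /// (ActionId, Reaction) pairs dropped so the first occurrence wins.
        /// </summary>
        /// <param name="subject">Subject whose entries are requested; must not be null.</param>
        /// <param name="action">Action the entries are requested for; must not be null.</param>
        /// <param name="objectId">Object to resolve; must not be null.</param>
        /// <param name="secObjProvider">Provider used to walk the object's inheritance chain.</param>
        /// <returns>The de-duplicated entries in collection order (most specific first).</returns>
        /// <exception cref="ArgumentNullException">subject, action or objectId is null.</exception>
        public IEnumerable <Ace> GetAcl(ISubject subject, IAction action, ISecurityObjectId objectId, ISecurityObjectProvider secObjProvider)
        {
            if (subject == null)
            {
                throw new ArgumentNullException("subject");
            }
            if (action == null)
            {
                throw new ArgumentNullException("action");
            }
            if (objectId == null)
            {
                throw new ArgumentNullException("objectId");
            }

            var allAces      = new List <Ace>();
            var fullObjectId = AzObjectIdHelper.GetFullObjectId(objectId);

            allAces.AddRange(GetAcl(subject, action, fullObjectId));

            if (GetObjectAcesInheritance(objectId))
            {
                var providerHelper = new AzObjectSecurityProviderHelper(objectId, secObjProvider);
                while (providerHelper.NextInherit())
                {
                    allAces.AddRange(GetAcl(subject, action, AzObjectIdHelper.GetFullObjectId(providerHelper.CurrentObjectId)));
                }
                allAces.AddRange(GetAcl(subject, action));
            }

            // De-duplicate on (ActionId, Reaction). Because Reaction is part of the key, an Allow and a Deny
            // for the same action both survive; only exact repeats are dropped. A HashSet replaces the former
            // List.Contains scan, which made this loop quadratic in the number of entries.
            var aces = new List <Ace>();
            var seen = new HashSet <string>();

            foreach (var ace in allAces)
            {
                var key = string.Format("{0}{1:D}", ace.ActionId, ace.Reaction);
                if (seen.Add(key))
                {
                    aces.Add(ace);
                }
            }

            return(aces);
        }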
        /// <summary>
        /// Reports whether <paramref name="subject"/> is allowed every one of <paramref name="actions"/> on
        /// <paramref name="objectId"/>, i.e. whether GetDenyActions finds nothing to deny.
        /// </summary>
        /// <returns>True when no denial was found, false otherwise.</returns>
        public bool Check(ISubject subject, ISecurityObjectId objectId, ISecurityObjectProvider securityObjProvider, params IAction[] actions)
        {
            return(GetDenyActions(subject, actions, objectId, securityObjProvider).Length == 0);
        }
        /// <summary>
        /// Collects every subject that must be consulted when resolving permissions for <paramref name="subject"/>:
        /// the subject itself, its roles from roleProvider, and (when an object is given) the roles granted on the
        /// object and on each object it inherits from.
        /// </summary>
        /// <param name="subject">Subject to expand.</param>
        /// <param name="objectId">Object whose object-level roles are included; null skips that part.</param>
        /// <param name="securityObjProvider">Provider used to walk the object's inheritance chain.</param>
        /// <returns>
        /// The subjects in evaluation order: subject, global roles, then object roles with duplicates
        /// (per List.Contains) skipped.
        /// </returns>
        internal IEnumerable <ISubject> GetSubjects(ISubject subject, ISecurityObjectId objectId, ISecurityObjectProvider securityObjProvider)
        {
            // The subject itself leads the list; callers that stop at the first decisive entry rely on this.
            var result = new List <ISubject>();
            result.Add(subject);
            foreach (var role in roleProvider.GetRoles(subject))
            {
                result.Add((ISubject)role);
            }

            if (objectId != null)
            {
                var helper = new AzObjectSecurityProviderHelper(objectId, securityObjProvider);
                while (true)
                {
                    if (helper.ObjectRolesSupported)
                    {
                        foreach (IRole role in helper.GetObjectRoles(subject))
                        {
                            if (!result.Contains(role))
                            {
                                result.Add(role);
                            }
                        }
                    }
                    if (!helper.NextInherit())
                    {
                        break;
                    }
                }
            }
            return(result);
        }
        /// <summary>
        /// Returns the access control entries that apply to <paramref name="subject"/> for <paramref name="action"/>
        /// on <paramref name="objectId"/>, including entries inherited from parent objects.
        /// </summary>
        /// <param name="subject">Subject whose entries are requested; must not be null.</param>
        /// <param name="action">Action the entries are requested for; must not be null.</param>
        /// <param name="objectId">Object the entries apply to; passed through to the authorization manager.</param>
        /// <param name="secObjProvider">Provider used to walk the object's inheritance chain; passed through.</param>
        /// <returns>A lazily projected sequence of <see cref="Ace"/> built from the manager's records.</returns>
        /// <exception cref="ArgumentNullException">subject or action is null.</exception>
        public IEnumerable <Ace> GetAcl(ISubject subject, IAction action, ISecurityObjectId objectId, ISecurityObjectProvider secObjProvider)
        {
            if (subject == null) throw new ArgumentNullException("subject");
            if (action == null) throw new ArgumentNullException("action");

            // The record lookup runs eagerly; only the projection to Ace is deferred.
            var manager = CoreContext.AuthorizationManager;
            var records = manager.GetAcesWithInherits(subject.ID, action.ID, objectId, secObjProvider);
            return(from r in records select new Ace(r.ActionId, r.Reaction));
        }
 /// <summary>
 /// Demands <paramref name="actions"/> on <paramref name="objectId"/> for the current caller; administrators
 /// skip the check, everyone else is resolved by SecurityContext.DemandPermissions.
 /// </summary>
 public static void DemandPermissions(ISecurityObjectId objectId, ISecurityObjectProvider securityObjProvider, params IAction[] actions)
 {
     if (IsAdministrator())
     {
         return;
     }
     SecurityContext.DemandPermissions(objectId, securityObjProvider, actions);
 }
 /// <summary>
 /// Reports whether the current caller may perform <paramref name="actions"/> on <paramref name="objectId"/>;
 /// administrators are allowed without an ACL lookup, everyone else is resolved by SecurityContext.
 /// </summary>
 /// <returns>True when allowed, false otherwise.</returns>
 public static bool CheckPermissions(ISecurityObjectId objectId, ISecurityObjectProvider securityObjProvider, params IAction[] actions)
 {
     if (IsAdministrator())
     {
         return true;
     }
     return SecurityContext.CheckPermissions(objectId, securityObjProvider, actions);
 }
        /// <summary>
        /// Evaluates <paramref name="actions"/> for <paramref name="subject"/> and returns the denials found.
        /// A null subject is denied every requested action (fails closed); the core system account is allowed
        /// everything; any other subject is checked action by action through azManager, and that scan stops at
        /// the first denial, so at most one <see cref="DenyResult"/> is produced on that path.
        /// </summary>
        /// <param name="subject">Subject under evaluation; may be null.</param>
        /// <param name="actions">Requested actions; null is treated as an empty set.</param>
        /// <param name="objectId">Object the actions apply to; passed through to azManager.</param>
        /// <param name="securityObjProvider">Provider resolving the object's security metadata; passed through.</param>
        /// <returns>An empty array when everything is allowed, otherwise the denial(s) found.</returns>
        private DenyResult[] GetDenyActions(ISubject subject, IAction[] actions, ISecurityObjectId objectId, ISecurityObjectProvider securityObjProvider)
        {
            var requested = actions ?? new IAction[0];
            var denied    = new List <DenyResult>();

            // Both the account type and the id must match for the system bypass (false for a null subject).
            var isCoreSystem = subject is ISystemAccount && subject.ID == Constants.CoreSystem.ID;

            if (subject == null)
            {
                // No identity at all: every requested action is reported as denied.
                foreach (var action in requested)
                {
                    denied.Add(new DenyResult(action, null, null));
                }
            }
            else if (!isCoreSystem)
            {
                for (var i = 0; i < requested.Length; i++)
                {
                    ISubject denySubject;
                    IAction  denyAction;
                    var allowed = azManager.CheckPermission(subject, requested[i], objectId, securityObjProvider, out denySubject, out denyAction);
                    if (allowed)
                    {
                        continue;
                    }

                    // The first denial ends the scan; the remaining actions are not evaluated.
                    denied.Add(new DenyResult(requested[i], denySubject, denyAction));
                    break;
                }
            }
            return(denied.ToArray());
        }
 /// <summary>
 /// Reports whether the current account may perform <paramref name="actions"/> on <paramref name="objectId"/>
 /// by delegating to PermissionResolver.Check; nothing is checked locally.
 /// </summary>
 /// <returns>The resolver's verdict.</returns>
 public static bool CheckPermissions(ISecurityObjectId objectId, ISecurityObjectProvider securityObjProvider, params IAction[] actions)
 {
     var account = CurrentAccount;
     return PermissionResolver.Check(account, objectId, securityObjProvider, actions);
 }
 /// <summary>
 /// Reports whether the current account may perform <paramref name="actions"/> on <paramref name="objectId"/>
 /// by delegating to PermissionResolver.Check; nothing is checked locally.
 /// </summary>
 /// <returns>The resolver's verdict.</returns>
 public static bool CheckPermissions(ISecurityObjectId objectId, ISecurityObjectProvider securityObjProvider, params IAction[] actions)
 {
     var allowed = PermissionResolver.Check(CurrentAccount, objectId, securityObjProvider, actions);
     return(allowed);
 }
 /// <summary>
 /// Demands <paramref name="actions"/> on <paramref name="objectId"/> for the current account by delegating
 /// to PermissionResolver.Demand; nothing is checked locally.
 /// </summary>
 public static void DemandPermissions(ISecurityObjectId objectId, ISecurityObjectProvider securityObjProvider, params IAction[] actions)
 {
     var resolver = PermissionResolver;
     resolver.Demand(CurrentAccount, objectId, securityObjProvider, actions);
 }
        /// <summary>
        /// Resolves the verdict for <paramref name="subject"/> performing <paramref name="action"/> on
        /// <paramref name="objectId"/>.
        /// </summary>
        /// <remarks>
        /// Evaluation order: an action flagged AdministratorAlwaysAllow is allowed outright for the Admin
        /// account or any member of the Admin role. Otherwise the subjects from GetSubjects are scanned in
        /// order and each one's entries from permissionProvider.GetAcl are inspected:
        /// a Deny entry records the subject and action it was found for and ends evaluation;
        /// an Allow entry sets IsAllow and, for a non-conjunctive action, ends evaluation, so a later
        /// subject's Deny is not seen in that case. For a conjunctive action scanning continues and a later
        /// Deny overrides the earlier Allow.
        /// </remarks>
        /// <param name="subject">Subject under evaluation; not null-checked here (callers validate).</param>
        /// <param name="action">Action under evaluation; not null-checked here (callers validate).</param>
        /// <param name="objectId">Object the action applies to.</param>
        /// <param name="securityObjProvider">Provider resolving the object's security metadata.</param>
        /// <returns>The resolved acl; AzManagerAcl.Default when no entry decided the outcome.</returns>
        internal AzManagerAcl GetAzManagerAcl(ISubject subject, IAction action, ISecurityObjectId objectId, ISecurityObjectProvider securityObjProvider)
        {
            if (action.AdministratorAlwaysAllow)
            {
                var isAdmin = Constants.Admin.ID == subject.ID || roleProvider.IsSubjectInRole(subject, Constants.Admin);
                if (isAdmin)
                {
                    return(AzManagerAcl.Allow);
                }
            }

            // NOTE(review): acl is mutated below; if AzManagerAcl.Default hands out a shared instance rather
            // than a fresh one, those writes would leak into later calls -- confirm it returns a new object.
            var acl     = AzManagerAcl.Default;
            var decided = false;

            foreach (var evaluated in GetSubjects(subject, objectId, securityObjProvider))
            {
                var entries = permissionProvider.GetAcl(evaluated, action, objectId, securityObjProvider);
                foreach (var ace in entries)
                {
                    if (ace.Reaction == AceType.Deny)
                    {
                        acl.IsAllow     = false;
                        acl.DenySubject = evaluated;
                        acl.DenyAction  = action;
                        decided         = true;
                    }
                    else if (ace.Reaction == AceType.Allow)
                    {
                        acl.IsAllow = true;
                        // Disjunction: the first allow decides; conjunction keeps scanning for a deny.
                        decided = !action.Conjunction;
                    }

                    if (decided)
                    {
                        break;
                    }
                }
                if (decided)
                {
                    break;
                }
            }
            return(acl);
        }