private void CheckPermissions(UtilityRow existingRow, ChangeDescription changeDescription) { string partitionKey = null; string rowKey = null; if (existingRow != null) { partitionKey = existingRow.PartitionKey; rowKey = existingRow.RowKey; } else { partitionKey = ((UtilityRow)changeDescription.Row).PartitionKey; rowKey = ((UtilityRow)changeDescription.Row).RowKey; } this.CheckPermission(this.m_currentResourceContainer.Name, false, false, changeDescription.UpdateType); XfeTableSASAuthorizationManager.CheckSignedAccessKeyBoundary(this.SignedAccountIdentifier, partitionKey, rowKey); }
internal void CheckPermission(string userTableName, bool isUtilityTableCommand, bool shouldCheckGet, UpdateKind commandKind) { PermissionLevel permissionLevel; if (this.SignedAccountIdentifier != null) { IStringDataEventStream verboseDebug = Logger <IRestProtocolHeadLogger> .Instance.VerboseDebug; object[] tableName = new object[] { this.SignedAccountIdentifier.TableName, this.SignedAccountIdentifier.StartingPartitionKey, this.SignedAccountIdentifier.StartingRowKey, this.SignedAccountIdentifier.EndingPartitionKey, this.SignedAccountIdentifier.EndingRowKey }; verboseDebug.Log("Sas tn={0} spk={1} srk={2} epk={3} erk={4}", tableName); } List <SASPermission> sASPermissions = new List <SASPermission>(); if (!shouldCheckGet) { switch (commandKind) { case UpdateKind.Insert: { if (!isUtilityTableCommand) { sASPermissions.Add(SASPermission.Add); } else { sASPermissions.Add(SASPermission.Create); sASPermissions.Add(SASPermission.Write); } permissionLevel = PermissionLevel.Write; this.CheckAnalyticsPermissions(userTableName, null); goto Label0; } case UpdateKind.Delete: { sASPermissions.Add(SASPermission.Delete); permissionLevel = PermissionLevel.Delete; this.CheckAnalyticsPermissions(userTableName, new bool?(isUtilityTableCommand)); goto Label0; } case UpdateKind.Replace: case UpdateKind.Merge: { sASPermissions.Add(SASPermission.Update); permissionLevel = PermissionLevel.Write; this.CheckAnalyticsPermissions(userTableName, null); goto Label0; } case UpdateKind.InsertOrMerge: case UpdateKind.InsertOrReplace: { sASPermissions.Add(SASPermission.Add | SASPermission.Update); permissionLevel = PermissionLevel.Write; this.CheckAnalyticsPermissions(userTableName, null); goto Label0; } } CultureInfo invariantCulture = CultureInfo.InvariantCulture; object[] accountName = new object[] { this.AccountName, commandKind, this.m_currentResourceContainer.Name }; throw new NephosUnauthorizedAccessException(string.Format(invariantCulture, "Account {0} is not authorized to perform operation {1} on table {2}.", accountName)); } else { if (!isUtilityTableCommand) { sASPermissions.Add(SASPermission.Read); } else { sASPermissions.Add(SASPermission.List); } permissionLevel = PermissionLevel.Read; } Label0: this.CheckPermissionCallback(permissionLevel); if (this.SignedAccountIdentifier != null) { SASPermission item = SASPermission.None; if (sASPermissions.Count > 0) { item = sASPermissions[0]; } XfeTableSASAuthorizationManager.AuthorizeSASRequest(this.SignedAccountIdentifier, PermissionLevel.Write, item, userTableName, isUtilityTableCommand); return; } if (this.AccountIdentifier is AccountSasAccessIdentifier) { string lower = userTableName.ToLower(); if (isUtilityTableCommand) { lower = "Tables"; } if (!string.Equals(this.m_currentResourceContainer.Name, lower, StringComparison.OrdinalIgnoreCase)) { throw new NephosUnauthorizedAccessException("Signed access not supported for this request as table name did not match", AuthorizationFailureReason.InvalidOperationSAS); } AccountSasAccessIdentifier accountIdentifier = this.AccountIdentifier as AccountSasAccessIdentifier; AuthorizationResult authorizationResult = new AuthorizationResult(false, AuthorizationFailureReason.UnauthorizedAccountSasRequest); SASAuthorizationParameters sASAuthorizationParameter = new SASAuthorizationParameters() { SignedResourceType = (isUtilityTableCommand ? SasResourceType.Container : SasResourceType.Object), SupportedSasTypes = SasType.AccountSas }; SASAuthorizationParameters item1 = sASAuthorizationParameter; for (int i = 0; !authorizationResult.Authorized && i < sASPermissions.Count; i++) { item1.SignedPermission = sASPermissions[i]; authorizationResult = AuthorizationManager.AuthorizeAccountSignedAccessRequest(accountIdentifier, this.AccountName, item1); } if (!authorizationResult.Authorized) { throw new NephosUnauthorizedAccessException("Signed access insufficient permission", authorizationResult.FailureReason); } } }