/// <summary>
/// Sets a permission for a global resource.
/// </summary>
/// <param name="status">The authorization status.</param>
/// <param name="action">The action of which to modify the authorization status.</param>
/// <param name="subject">The subject of the authorization change.</param>
/// <returns><c>true</c> if the authorization status is changed, <c>false</c> otherwise.</returns>
private bool SetPermissionForGlobals(AuthStatus status, string action, string subject)
{
if (action == null)
{
throw new ArgumentNullException("action");
}
if (action.Length == 0)
{
throw new ArgumentException("Action cannot be empty", "action");
}
if (action != Actions.FullControl && !AuthTools.IsValidAction(action, Actions.ForGlobals.All))
{
throw new ArgumentException("Invalid action", "action");
}
if (status == AuthStatus.Delete)
{
bool done = _settingsProvider.AclManager.DeleteEntry(Actions.ForGlobals.ResourceMasterPrefix, action, subject);
if (done)
{
Log.LogEntry(MessageDeleteSuccess + GetLogMessage(Actions.ForGlobals.ResourceMasterPrefix, "",
action, subject, Delete), EntryType.General, Log.SystemUsername, _settingsProvider.CurrentWiki);
}
else
{
Log.LogEntry(MessageDeleteFailure + GetLogMessage(Actions.ForGlobals.ResourceMasterPrefix, "",
action, subject, Delete), EntryType.Error, Log.SystemUsername, _settingsProvider.CurrentWiki);
}
return(done);
}
else
{
bool done = _settingsProvider.AclManager.StoreEntry(Actions.ForGlobals.ResourceMasterPrefix,
action, subject, status == AuthStatus.Grant ? Value.Grant : Value.Deny);
if (done)
{
Log.LogEntry(MessageSetSuccess + GetLogMessage(Actions.ForGlobals.ResourceMasterPrefix, "",
action, subject, Set + status.ToString()), EntryType.General, Log.SystemUsername, _settingsProvider.CurrentWiki);
}
else
{
Log.LogEntry(MessageSetFailure + GetLogMessage(Actions.ForGlobals.ResourceMasterPrefix, "",
action, subject, Set + status.ToString()), EntryType.Error, Log.SystemUsername, _settingsProvider.CurrentWiki);
}
return(done);
}
}
private static void MigrateDirectories(IFilesStorageProviderV30 source, IFilesStorageProviderV30 destination, string current, ISettingsStorageProviderV30 settingsProvider)
{
// Copy files
var files = source.ListFiles(current);
foreach (var file in files)
{
// Copy file content
using (var ms = new MemoryStream(1048576))
{
source.RetrieveFile(file, ms, false);
ms.Seek(0, SeekOrigin.Begin);
destination.StoreFile(file, ms, false);
}
// Copy download count
FileDetails fileDetails = source.GetFileDetails(file);
destination.SetFileRetrievalCount(file, fileDetails.RetrievalCount);
// Delete source file, if root
if (current == "/")
{
source.DeleteFile(file);
}
}
settingsProvider.AclManager.RenameResource(
Actions.ForDirectories.ResourceMasterPrefix + AuthTools.GetDirectoryName(source, current),
Actions.ForDirectories.ResourceMasterPrefix + AuthTools.GetDirectoryName(destination, current));
// Copy directories
var directories = source.ListDirectories(current);
foreach (var dir in directories)
{
destination.CreateDirectory(current, dir.Substring(dir.TrimEnd('/').LastIndexOf("/") + 1).Trim('/'));
MigrateDirectories(source, destination, dir, settingsProvider);
// Delete directory, if root
if (current == "/")
{
source.DeleteDirectory(dir);
}
}
}
/// <summary>
/// Checks whether an action is allowed for the global resources.
/// </summary>
/// <param name="action">The action the user is attempting to perform.</param>
/// <param name="currentUser">The current user.</param>
/// <param name="groups">The groups the user is member of.</param>
/// <returns><c>true</c> if the action is allowed.</returns>
public static bool CheckActionForGlobals(string action, string currentUser, string[] groups)
{
if (action == null)
{
throw new ArgumentNullException("action");
}
if (action.Length == 0)
{
throw new ArgumentException("Action cannot be empty", "action");
}
if (!AuthTools.IsValidAction(action, Actions.ForGlobals.All))
{
throw new ArgumentException("Invalid action", "action");
}
if (currentUser == null)
{
throw new ArgumentNullException("currentUser");
}
if (currentUser.Length == 0)
{
throw new ArgumentException("Current User cannot be empty", "currentUser");
}
if (groups == null)
{
throw new ArgumentNullException("groups");
}
if (currentUser == "admin")
{
return(true);
}
AclEntry[] entries = SettingsProvider.AclManager.RetrieveEntriesForResource(Actions.ForGlobals.ResourceMasterPrefix);
Authorization auth = AclEvaluator.AuthorizeAction(Actions.ForGlobals.ResourceMasterPrefix, action,
AuthTools.PrepareUsername(currentUser), AuthTools.PrepareGroups(groups), entries);
return(auth == Authorization.Granted);
}
/// <summary>
/// Clears all the ACL entries for a directory.
/// </summary>
/// <param name="provider">The provider.</param>
/// <param name="directory">The directory.</param>
public void ClearEntriesForDirectory(IFilesStorageProviderV40 provider, string directory)
{
if (provider == null)
{
throw new ArgumentNullException("provider");
}
if (directory == null)
{
throw new ArgumentNullException("directory");
}
if (directory.Length == 0)
{
throw new ArgumentException("Directory cannot be empty", "directory");
}
string resourceName = Actions.ForDirectories.ResourceMasterPrefix + AuthTools.GetDirectoryName(provider, directory);
_settingsProvider.AclManager.DeleteEntriesForResource(resourceName);
}
/// <summary>
/// Checks whether an action is allowed for a page.
/// </summary>
/// <param name="page">The current page.</param>
/// <param name="action">The action the user is attempting to perform.</param>
/// <param name="currentUser">The current user.</param>
/// <param name="groups">The groups the user is member of.</param>
/// <param name="localEscalator"><c>true</c> is the method is called in a local escalator process.</param>
/// <returns><c>true</c> if the action is allowed, <c>false</c> otherwise.</returns>
public static bool CheckActionForPage(PageInfo page, string action, string currentUser, string[] groups, bool localEscalator = false)
{
if (page == null)
{
throw new ArgumentNullException("page");
}
if (action == null)
{
throw new ArgumentNullException("action");
}
if (action.Length == 0)
{
throw new ArgumentException("Action cannot be empty", "action");
}
if (!AuthTools.IsValidAction(action, Actions.ForPages.All))
{
throw new ArgumentException("Invalid action", "action");
}
if (currentUser == null)
{
throw new ArgumentNullException("currentUser");
}
if (currentUser.Length == 0)
{
throw new ArgumentException("Current User cannot be empty", "currentUser");
}
if (groups == null)
{
throw new ArgumentNullException("groups");
}
if (currentUser == "admin")
{
return(true);
}
return(LocalCheckActionForPage(page, action, currentUser, groups, localEscalator) == Authorization.Granted);
}
/// <summary>
/// Retrieves the subjects that have ACL entries set for a directory.
/// </summary>
/// <param name="provider">The provider.</param>
/// <param name="directory">The directory.</param>
/// <returns>The subjects.</returns>
public static SubjectInfo[] RetrieveSubjectsForDirectory(IFilesStorageProviderV30 provider, string directory)
{
if (provider == null)
{
throw new ArgumentNullException("provider");
}
if (directory == null)
{
throw new ArgumentNullException("directory");
}
if (directory.Length == 0)
{
throw new ArgumentException("Directory cannot be empty", "directory");
}
AclEntry[] entries = SettingsProvider.AclManager.RetrieveEntriesForResource(Actions.ForDirectories.ResourceMasterPrefix + AuthTools.GetDirectoryName(provider, directory));
List <SubjectInfo> result = new List <SubjectInfo>(entries.Length);
for (int i = 0; i < entries.Length; i++)
{
SubjectType type = AuthTools.IsGroup(entries[i].Subject) ? SubjectType.Group : SubjectType.User;
// Remove the subject qualifier ('U.' or 'G.')
string name = entries[i].Subject.Substring(2);
if (result.Find(delegate(SubjectInfo x) { return(x.Name == name && x.Type == type); }) == null)
{
result.Add(new SubjectInfo(name, type));
}
}
return(result.ToArray());
}
/// <summary>
/// Checks whether an action is allowed for the global resources.
/// </summary>
/// <param name="action">The action the user is attempting to perform.</param>
/// <param name="currentUser">The current user.</param>
/// <param name="groups">The groups the user is member of.</param>
/// <returns><c>true</c> if the action is allowed.</returns>
public static bool CheckActionForGlobals(string action, string currentUser, string[] groups)
{
if (action == null)
{
throw new ArgumentNullException("action");
}
if (action.Length == 0)
{
throw new ArgumentException("Action cannot be empty", "action");
}
if (!AuthTools.IsValidAction(action, Actions.ForGlobals.All))
{
throw new ArgumentException("Invalid action", "action");
}
if (currentUser == null)
{
throw new ArgumentNullException("currentUser");
}
if (currentUser.Length == 0)
{
throw new ArgumentException("Current User cannot be empty", "currentUser");
}
if (groups == null)
{
throw new ArgumentNullException("groups");
}
if (currentUser == "admin")
{
return(true);
}
return(LocalCheckActionForGlobals(action, currentUser, groups) == Authorization.Granted);
}
/// <summary>
/// Removes all the ACL Entries for a directory that are bound to a subject.
/// </summary>
/// <param name="subject">The subject.</param>
/// <param name="provider">The provider.</param>
/// <param name="directory">The directory.</param>
/// <returns><c>true</c> if the operation succeeded, <c>false</c> otherwise.</returns>
private static bool RemoveEntriesForDirectory(string subject, IFilesStorageProviderV30 provider, string directory)
{
if (provider == null)
{
throw new ArgumentNullException("provider");
}
if (directory == null)
{
throw new ArgumentNullException("directory");
}
if (directory.Length == 0)
{
throw new ArgumentException("Directory cannot be empty", "directory");
}
string resourceName = Actions.ForDirectories.ResourceMasterPrefix + AuthTools.GetDirectoryName(provider, directory);
AclEntry[] entries = SettingsProvider.AclManager.RetrieveEntriesForSubject(subject);
foreach (AclEntry entry in entries)
{
if (entry.Resource == resourceName)
{
// This call automatically logs the operation result
bool done = SetPermissionForDirectory(AuthStatus.Delete, provider, directory, entry.Action, subject);
if (!done)
{
return(false);
}
}
}
return(true);
}
private static Authorization LocalCheckActionForGlobals(string action, string currentUser, string[] groups)
{
AclEntry[] entries = SettingsProvider.AclManager.RetrieveEntriesForResource(Actions.ForGlobals.ResourceMasterPrefix);
Authorization auth = AclEvaluator.AuthorizeAction(Actions.ForGlobals.ResourceMasterPrefix, action,
AuthTools.PrepareUsername(currentUser), AuthTools.PrepareGroups(groups), entries);
return(auth);
}
/// <summary>
/// Checks whether an action is allowed for a directory.
/// </summary>
/// <param name="provider">The provider that manages the directory.</param>
/// <param name="directory">The full path of the directory.</param>
/// <param name="action">The action the user is attempting to perform.</param>
/// <param name="currentUser">The current user.</param>
/// <param name="groups">The groups the user is member of.</param>
/// <returns><c>true</c> if the action is allowed, <c>false</c> otherwise.</returns>
public static bool CheckActionForDirectory(IFilesStorageProviderV30 provider, string directory, string action, string currentUser, string[] groups)
{
if (provider == null)
{
throw new ArgumentNullException("provider");
}
if (directory == null)
{
throw new ArgumentNullException("directory");
}
if (directory.Length == 0)
{
throw new ArgumentException("Directory cannot be empty", "directory");
}
if (action == null)
{
throw new ArgumentNullException("action");
}
if (action.Length == 0)
{
throw new ArgumentException("Action cannot be empty", "action");
}
if (!AuthTools.IsValidAction(action, Actions.ForDirectories.All))
{
throw new ArgumentException("Invalid action", "action");
}
if (currentUser == null)
{
throw new ArgumentNullException("currentUser");
}
if (currentUser.Length == 0)
{
throw new ArgumentException("Current User cannot be empty", "currentUser");
}
if (groups == null)
{
throw new ArgumentNullException("groups");
}
if (currentUser == "admin")
{
return(true);
}
string resourceName = Actions.ForDirectories.ResourceMasterPrefix + AuthTools.GetDirectoryName(provider, directory);
AclEntry[] entries = SettingsProvider.AclManager.RetrieveEntriesForResource(resourceName);
Authorization auth = AclEvaluator.AuthorizeAction(resourceName, action,
AuthTools.PrepareUsername(currentUser), AuthTools.PrepareGroups(groups), entries);
if (auth != Authorization.Unknown)
{
return(auth == Authorization.Granted);
}
// Try local escalators
string[] localEscalators = null;
if (Actions.ForDirectories.LocalEscalators.TryGetValue(action, out localEscalators))
{
foreach (string localAction in localEscalators)
{
bool authorized = CheckActionForDirectory(provider, directory, localAction, currentUser, groups);
if (authorized)
{
return(true);
}
}
}
// Try directory escalation (extract parent directory and check its permissions)
// Path manipulation keeps the format used by the caller (leading and trailing slashes are preserved if appropriate)
string trimmedDirectory = directory.Trim('/');
if (trimmedDirectory.Length > 0)
{
int slashIndex = trimmedDirectory.LastIndexOf('/');
string parentDir = "";
if (slashIndex > 0)
{
// Navigate one level up, using the same slash format as the current one
parentDir = (directory.StartsWith("/") ? "/" : "") +
trimmedDirectory.Substring(0, slashIndex) + (directory.EndsWith("/") ? "/" : "");
}
else
{
// This is the root
parentDir = directory.StartsWith("/") ? "/" : "";
}
bool authorized = CheckActionForDirectory(provider, parentDir, action, currentUser, groups);
if (authorized)
{
return(true);
}
}
// Try global escalators
string[] globalEscalators = null;
if (Actions.ForDirectories.GlobalEscalators.TryGetValue(action, out globalEscalators))
{
foreach (string globalAction in globalEscalators)
{
bool authorized = CheckActionForGlobals(globalAction, currentUser, groups);
if (authorized)
{
return(true);
}
}
}
return(false);
}
private static Authorization LocalCheckActionForPage(PageInfo page, string action, string currentUser, string[] groups, bool localEscalator = false)
{
AclEntry[] entries = SettingsProvider.AclManager.RetrieveEntriesForResource(Actions.ForPages.ResourceMasterPrefix + page.FullName);
Authorization auth = AclEvaluator.AuthorizeAction(Actions.ForPages.ResourceMasterPrefix + page.FullName, action,
AuthTools.PrepareUsername(currentUser), AuthTools.PrepareGroups(groups), entries);
if (localEscalator || auth != Authorization.Unknown)
{
return(auth);
}
// Try local escalators
string[] localEscalators = null;
if (Actions.ForPages.LocalEscalators.TryGetValue(action, out localEscalators))
{
foreach (string localAction in localEscalators)
{
Authorization authorization = LocalCheckActionForPage(page, localAction, currentUser, groups, true);
if (authorization != Authorization.Unknown)
{
return(authorization);
}
}
}
// Try namespace escalators
string[] namespaceEscalators = null;
string nsName = NameTools.GetNamespace(page.FullName);
NamespaceInfo ns = string.IsNullOrEmpty(nsName) ? null : new NamespaceInfo(nsName, null, null);
if (Actions.ForPages.NamespaceEscalators.TryGetValue(action, out namespaceEscalators))
{
foreach (string namespaceAction in namespaceEscalators)
{
Authorization authorization = LocalCheckActionForNamespace(ns, namespaceAction, currentUser, groups, true);
if (authorization != Authorization.Unknown)
{
return(authorization);
}
// Try root escalation
if (ns != null)
{
authorization = LocalCheckActionForNamespace(null, namespaceAction, currentUser, groups, true);
if (authorization != Authorization.Unknown)
{
return(authorization);
}
}
}
}
// Try global escalators
string[] globalEscalators = null;
if (Actions.ForPages.GlobalEscalators.TryGetValue(action, out globalEscalators))
{
foreach (string globalAction in globalEscalators)
{
Authorization authorization = LocalCheckActionForGlobals(globalAction, currentUser, groups);
if (authorization != Authorization.Unknown)
{
return(authorization);
}
}
}
return(Authorization.Unknown);
}
private static Authorization LocalCheckActionForNamespace(NamespaceInfo nspace, string action, string currentUser, string[] groups, bool localEscalator = false)
{
string namespaceName = nspace != null ? nspace.Name : "";
AclEntry[] entries = SettingsProvider.AclManager.RetrieveEntriesForResource(
Actions.ForNamespaces.ResourceMasterPrefix + namespaceName);
Authorization auth = AclEvaluator.AuthorizeAction(Actions.ForNamespaces.ResourceMasterPrefix + namespaceName,
action, AuthTools.PrepareUsername(currentUser), AuthTools.PrepareGroups(groups), entries);
if (localEscalator || auth != Authorization.Unknown)
{
return(auth);
}
// Try local escalators
string[] localEscalators = null;
if (Actions.ForNamespaces.LocalEscalators.TryGetValue(action, out localEscalators))
{
foreach (string localAction in localEscalators)
{
Authorization authorization = LocalCheckActionForNamespace(nspace, localAction, currentUser, groups, true);
if (authorization != Authorization.Unknown)
{
return(authorization);
}
}
}
// Try root escalation
if (nspace != null)
{
Authorization authorization = LocalCheckActionForNamespace(null, action, currentUser, groups);
if (authorization != Authorization.Unknown)
{
return(authorization);
}
}
// Try global escalators
string[] globalEscalators = null;
if (Actions.ForNamespaces.GlobalEscalators.TryGetValue(action, out globalEscalators))
{
foreach (string globalAction in globalEscalators)
{
Authorization authorization = LocalCheckActionForGlobals(globalAction, currentUser, groups);
if (authorization != Authorization.Unknown)
{
return(authorization);
}
}
}
return(Authorization.Unknown);
}
/// <summary>
/// Checks whether an action is allowed for a namespace.
/// </summary>
/// <param name="nspace">The current namespace (<c>null</c> for the root).</param>
/// <param name="action">The action the user is attempting to perform.</param>
/// <param name="currentUser">The current user.</param>
/// <param name="groups">The groups the user is member of.</param>
/// <returns><c>true</c> if the action is allowed, <c>false</c> otherwise.</returns>
public static bool CheckActionForNamespace(NamespaceInfo nspace, string action, string currentUser, string[] groups)
{
if (action == null)
{
throw new ArgumentNullException("action");
}
if (action.Length == 0)
{
throw new ArgumentException("Action cannot be empty", "action");
}
if (!AuthTools.IsValidAction(action, Actions.ForNamespaces.All))
{
throw new ArgumentException("Invalid action", "action");
}
if (currentUser == null)
{
throw new ArgumentNullException("currentUser");
}
if (currentUser.Length == 0)
{
throw new ArgumentException("Current User cannot be empty", "currentUser");
}
if (groups == null)
{
throw new ArgumentNullException("groups");
}
if (currentUser == "admin")
{
return(true);
}
string namespaceName = nspace != null ? nspace.Name : "";
AclEntry[] entries = SettingsProvider.AclManager.RetrieveEntriesForResource(
Actions.ForNamespaces.ResourceMasterPrefix + namespaceName);
Authorization auth = AclEvaluator.AuthorizeAction(Actions.ForNamespaces.ResourceMasterPrefix + namespaceName,
action, AuthTools.PrepareUsername(currentUser), AuthTools.PrepareGroups(groups), entries);
if (auth != Authorization.Unknown)
{
return(auth == Authorization.Granted);
}
// Try local escalators
string[] localEscalators = null;
if (Actions.ForNamespaces.LocalEscalators.TryGetValue(action, out localEscalators))
{
foreach (string localAction in localEscalators)
{
bool authorized = CheckActionForNamespace(nspace, localAction, currentUser, groups);
if (authorized)
{
return(true);
}
}
}
// Try root escalation
if (nspace != null)
{
bool authorized = CheckActionForNamespace(null, action, currentUser, groups);
if (authorized)
{
return(true);
}
}
// Try global escalators
string[] globalEscalators = null;
if (Actions.ForNamespaces.GlobalEscalators.TryGetValue(action, out globalEscalators))
{
foreach (string globalAction in globalEscalators)
{
bool authorized = CheckActionForGlobals(globalAction, currentUser, groups);
if (authorized)
{
return(true);
}
}
}
return(false);
}
/// <summary>
/// Sets a permission for a directory.
/// </summary>
/// <param name="status">The authorization status.</param>
/// <param name="provider">The provider that handles the directory.</param>
/// <param name="directory">The directory.</param>
/// <param name="action">The action of which to modify the authorization status.</param>
/// <param name="subject">The subject of the authorization change.</param>
/// <returns><c>true</c> if the authorization status is changed, <c>false</c> otherwise.</returns>
private static bool SetPermissionForDirectory(AuthStatus status, IFilesStorageProviderV30 provider, string directory, string action, string subject)
{
if (provider == null)
{
throw new ArgumentNullException("provider");
}
if (directory == null)
{
throw new ArgumentNullException("directory");
}
if (directory.Length == 0)
{
throw new ArgumentException("Directory cannot be empty", "directory");
}
if (action == null)
{
throw new ArgumentNullException("action");
}
if (action.Length == 0)
{
throw new ArgumentException("Action cannot be empty", "action");
}
if (action != Actions.FullControl && !AuthTools.IsValidAction(action, Actions.ForDirectories.All))
{
throw new ArgumentException("Invalid action", "action");
}
var directoryName = AuthTools.GetDirectoryName(provider, directory);
if (status == AuthStatus.Delete)
{
var done = SettingsProvider.AclManager.DeleteEntry(Actions.ForDirectories.ResourceMasterPrefix + directoryName,
action, subject);
if (done)
{
Log.LogEntry(MessageDeleteSuccess + GetLogMessage(Actions.ForDirectories.ResourceMasterPrefix, directoryName,
action, subject, Delete), EntryType.General, Log.SystemUsername);
}
else
{
Log.LogEntry(MessageDeleteFailure + GetLogMessage(Actions.ForDirectories.ResourceMasterPrefix, directoryName,
action, subject, Delete), EntryType.Error, Log.SystemUsername);
}
return(done);
}
else
{
var done = SettingsProvider.AclManager.StoreEntry(Actions.ForDirectories.ResourceMasterPrefix + directoryName,
action, subject, status == AuthStatus.Grant ? Value.Grant : Value.Deny);
if (done)
{
Log.LogEntry(MessageSetSuccess + GetLogMessage(Actions.ForDirectories.ResourceMasterPrefix, directoryName,
action, subject, Set + status.ToString()), EntryType.General, Log.SystemUsername);
}
else
{
Log.LogEntry(MessageSetFailure + GetLogMessage(Actions.ForDirectories.ResourceMasterPrefix, directoryName,
action, subject, Set + status.ToString()), EntryType.Error, Log.SystemUsername);
}
return(done);
}
}