/// <summary>
/// Remove user from role
/// </summary>
public object Remove(Type scopingType, object scopingKey, object key)
{
var scope = this.m_roleRepository.Get((Guid)scopingKey);
if (scope == null)
{
throw new KeyNotFoundException($"Could not find SecurityRole with identifier {scopingKey}");
}
var user = this.m_userRepository.Get(Guid.Parse(key.ToString()));
if (user == null)
{
throw new KeyNotFoundException($"User {key} not found");
}
try
{
this.m_pep.Demand(PermissionPolicyIdentifiers.AlterRoles);
this.m_roleProvider.RemoveUsersFromRoles(new string[] { user.UserName }, new string[] { scope.Name }, AuthenticationContext.Current.Principal);
AuditUtil.AuditSecurityAttributeAction(new object[] { scope }, true, $"del user={user.UserName}");
return(user);
}
catch
{
AuditUtil.AuditSecurityAttributeAction(new object[] { scope }, false, $"del user={key}");
throw;
}
}
/// <summary>
/// Remove the challenge
/// </summary>
public object Remove(Type scopingType, object scopingKey, object key)
{
// Get scope
object scope = this.GetScope(scopingType, scopingKey);
if (scope == null)
{
throw new KeyNotFoundException($"Could not find scoped object with identifier {scopingKey}");
}
var policy = this.m_pip.GetPolicies().FirstOrDefault(o => o.Key == (Guid)key);
if (policy == null)
{
throw new KeyNotFoundException($"Policy {key} not found");
}
try
{
this.DemandFor(scopingType);
this.m_pip.RemovePolicies(scope, AuthenticationContext.Current.Principal, policy.Oid);
AuditUtil.AuditSecurityAttributeAction(new object[] { scope }, true, $"removed policy={policy.Oid}");
return(null);
}
catch
{
AuditUtil.AuditSecurityAttributeAction(new object[] { scope }, false, $"removed policy={policy.Oid}");
throw;
}
}
/// <summary>
/// Add the security challenge
/// </summary>
public object Add(Type scopingType, object scopingKey, object item)
{
// Get scope
object scope = this.GetScope(scopingType, scopingKey);
if (scope == null)
{
throw new KeyNotFoundException($"Could not find scoped object with identifier {scopingKey}");
}
try
{
this.DemandFor(scopingType);
// Get or create the scoped item
if (item is SecurityPolicy policy)
{
item = new SecurityPolicyInfo(policy);
}
var rd = item as SecurityPolicyInfo;
this.m_pip.AddPolicies(scope, rd.Grant, AuthenticationContext.Current.Principal, rd.Oid);
AuditUtil.AuditSecurityAttributeAction(new object[] { scope }, true, $"added policy={rd.Oid}:{rd.Policy}");
return(rd);
}
catch
{
AuditUtil.AuditSecurityAttributeAction(new object[] { scope }, false);
throw;
}
}
/// <summary>
/// Add a new user to the role
/// </summary>
public object Add(Type scopingType, object scopingKey, object item)
{
var scope = this.m_roleRepository.Get((Guid)scopingKey);
if (scope == null)
{
throw new KeyNotFoundException($"Could not find SecurityRole with identifier {scopingKey}");
}
try
{
this.m_pep.Demand(PermissionPolicyIdentifiers.AlterRoles);
// Get user entity
if (item is SecurityUser su)
{
item = new SecurityUserInfo(su);
}
var rd = item as SecurityUserInfo;
if (!rd.Entity.Key.HasValue)
{
rd.Entity = this.m_securityRepository.GetUser(rd.Entity.UserName);
}
if (rd.Entity == null)
{
throw new KeyNotFoundException($"Could not find specified user");
}
this.m_roleProvider.AddUsersToRoles(new string[] { rd.Entity.UserName }, new string[] { scope.Name }, AuthenticationContext.Current.Principal);
AuditUtil.AuditSecurityAttributeAction(new object[] { scope }, true, $"add user={rd.Entity.UserName}");
return(rd.Entity);
}
catch
{
AuditUtil.AuditSecurityAttributeAction(new object[] { scope }, false);
throw;
}
}
/// <summary>
/// Raise the security attributes change event
/// </summary>
protected void FireSecurityAttributesChanged(object scope, bool success, params String[] changedProperties)
{
AuditUtil.AuditSecurityAttributeAction(new object[] { scope }, success, changedProperties);
}
/// <summary>
/// Changes the users password.
/// </summary>
/// <param name="userName">The username of the user.</param>
/// <param name="newPassword">The new password of the user.</param>
/// <param name="principal">The authentication principal (the user that is changing the password).</param>
public void ChangePassword(string userName, string newPassword, System.Security.Principal.IPrincipal principal)
{
try
{
// The principal must change their own password or must have the changepassword credential
if (!userName.Equals(principal.Identity.Name, StringComparison.InvariantCultureIgnoreCase))
{
new PolicyPermission(System.Security.Permissions.PermissionState.Unrestricted, PermissionPolicyIdentifiers.ChangePassword).Demand();
}
else if (!principal.Identity.IsAuthenticated)
{
throw new InvalidOperationException("Unauthenticated principal cannot change user password");
}
// Get the user's identity
var securityUserService = ApplicationContext.Current.GetService <ISecurityRepositoryService>();
var localIdp = ApplicationContext.Current.GetService <IOfflineIdentityProviderService>();
if (localIdp?.IsLocalUser(userName) == true) // User is a local user, so we only change password on local
{
localIdp.ChangePassword(userName, newPassword, principal);
}
else
{
using (AmiServiceClient client = new AmiServiceClient(ApplicationContext.Current.GetRestClient("ami")))
{
Guid userId = Guid.Empty;
if (principal.Identity.Name.ToLowerInvariant() == userName.ToLowerInvariant())
{
var subjectClaim = (principal as IClaimsPrincipal).FindFirst(SanteDBClaimTypes.Sid);
if (subjectClaim != null)
{
userId = Guid.Parse(subjectClaim.Value);
}
}
// User ID not found - lookup
if (userId == Guid.Empty)
{
// User service is null
var securityUser = securityUserService.GetUser(userName);
if (securityUser == null)
{
var tuser = client.GetUsers(o => o.UserName == userName).CollectionItem.OfType <SecurityUserInfo>().FirstOrDefault();
if (tuser == null)
{
throw new ArgumentException(string.Format("User {0} not found", userName));
}
else
{
userId = tuser.Entity.Key.Value;
}
}
else
{
userId = securityUser.Key.Value;
}
}
// Use the current configuration's credential provider
var user = new SecurityUserInfo(new SecurityUser()
{
Key = userId,
UserName = userName,
Password = newPassword
})
{
PasswordOnly = true
};
// Set the credentials
client.Client.Credentials = ApplicationContext.Current.Configuration.GetServiceDescription("ami").Binding.Security.CredentialProvider.GetCredentials(principal);
client.UpdateUser(userId, user);
// Change locally
var userInfo = localIdp?.GetIdentity(userName);
if (userInfo != null)
{
localIdp?.ChangePassword(userName, newPassword, principal);
}
// Audit - Local IDP has alerted this already
AuditUtil.AuditSecurityAttributeAction(new object[] { user.ToIdentifiedData() }, true, new string[] { "password" });
}
}
}
catch (Exception e)
{
this.m_tracer.TraceError("Error changing password for user {0} : {1}", userName, e);
throw;
}
}
