/// <summary>
/// Remove users from roles
/// </summary>
public void RemoveUsersFromRoles(string[] users, string[] roles, IPrincipal authPrincipal)
{
this.VerifyPrincipal(authPrincipal, PermissionPolicyIdentifiers.AlterRoles);
// Add users to role
using (var dataContext = new Data.ModelDataContext(this.m_configuration.ReadWriteConnectionString))
{
foreach (var un in users)
{
SecurityUser user = dataContext.SecurityUsers.SingleOrDefault(u => u.UserName == un);
if (user == null)
{
throw new KeyNotFoundException(String.Format("Could not locate user {0}", un));
}
foreach (var rol in roles)
{
SecurityRole role = dataContext.SecurityRoles.SingleOrDefault(r => r.Name == rol);
if (role == null)
{
throw new KeyNotFoundException(String.Format("Could not locate role {0}", rol));
}
var securityUserRole = user.SecurityUserRoles.SingleOrDefault(ur => ur.RoleId == role.RoleId && ur.UserId == user.UserId);
if (securityUserRole != null)
{
// Remove
dataContext.SecurityUserRoles.DeleteOnSubmit(securityUserRole);
}
}
}
dataContext.SubmitChanges();
}
}
/// <summary>
/// Adds the specified users to the specified roles
/// </summary>
public void AddUsersToRoles(string[] users, string[] roles, IPrincipal authPrincipal)
{
this.VerifyPrincipal(authPrincipal, PermissionPolicyIdentifiers.AlterRoles);
// Add users to role
using (var dataContext = new Data.ModelDataContext(this.m_configuration.ReadWriteConnectionString))
{
foreach (var un in users)
{
SecurityUser user = dataContext.SecurityUsers.SingleOrDefault(u => u.UserName == un);
if (user == null)
{
throw new KeyNotFoundException(String.Format("Could not locate user {0}", un));
}
foreach (var rol in roles)
{
SecurityRole role = dataContext.SecurityRoles.SingleOrDefault(r => r.Name == rol);
if (role == null)
{
throw new KeyNotFoundException(String.Format("Could not locate role {0}", rol));
}
if (!user.SecurityUserRoles.Any(o => o.RoleId == role.RoleId))
{
user.SecurityUserRoles.Add(new SecurityUserRole()
{
UserId = user.UserId, RoleId = role.RoleId
});
}
}
}
dataContext.SubmitChanges();
}
}
/// <summary>
/// Insert the specified device entity
/// </summary>
public override Core.Model.Entities.DeviceEntity Insert(Data.ModelDataContext context, Core.Model.Entities.DeviceEntity data, IPrincipal principal)
{
data.SecurityDevice?.EnsureExists(context, principal);
data.SecurityDeviceKey = data.SecurityDevice?.Key ?? data.SecurityDeviceKey;
return(base.Insert(context, data, principal));
}
/// <summary>
/// Insert the specified object
/// </summary>
public override Core.Model.Entities.EntityAddress Insert(Data.ModelDataContext context, Core.Model.Entities.EntityAddress data, IPrincipal principal)
{
// Ensure exists
data.AddressUse?.EnsureExists(context, principal);
data.AddressUseKey = data.AddressUse?.Key ?? data.AddressUseKey;
var retVal = base.Insert(context, data, principal);
// Data component
if (data.Component != null)
{
base.UpdateAssociatedItems <Core.Model.Entities.EntityAddressComponent, Data.EntityAddressComponent>(
data.Component,
data,
context,
principal);
}
return(retVal);
}
/// <summary>
/// Creates an identity from a hash
/// </summary>
internal static SqlClaimsIdentity Create(String userName)
{
try
{
using (var dataContext = new Data.ModelDataContext(s_configuration.ReadonlyConnectionString))
{
var user = dataContext.SecurityUsers.SingleOrDefault(u => !u.ObsoletionTime.HasValue && u.UserName == userName);
if (user == null)
{
return(null);
}
return(new SqlClaimsIdentity(user, false));
}
}
catch (Exception e)
{
s_traceSource.TraceEvent(TraceEventType.Error, e.HResult, e.ToString());
throw new Exception("Creating unauthorized identity failed", e);
}
}
/// <summary>
/// Create a role
/// </summary>
public void CreateRole(string roleName, IPrincipal authPrincipal)
{
this.VerifyPrincipal(authPrincipal, PermissionPolicyIdentifiers.CreateRoles);
// Add users to role
using (var dataContext = new Data.ModelDataContext(this.m_configuration.ReadWriteConnectionString))
{
SecurityUser user = dataContext.SecurityUsers.SingleOrDefault(u => u.UserName == authPrincipal.Identity.Name);
if (user == null)
{
throw new SecurityException(String.Format("Could not verify identity of {0}", authPrincipal.Identity.Name));
}
// Insert
dataContext.SecurityRoles.InsertOnSubmit(new SecurityRole()
{
RoleId = Guid.NewGuid(),
CreatedByEntity = user,
Name = roleName
});
dataContext.SubmitChanges();
}
}
/// <summary>
/// To model instance
/// </summary>
public virtual TEntityType ToModelInstance <TEntityType>(Data.EntityVersion dbInstance, Data.ModelDataContext context, IPrincipal principal) where TEntityType : Core.Model.Entities.Entity, new()
{
var retVal = m_mapper.MapDomainInstance <Data.EntityVersion, TEntityType>(dbInstance);
retVal.ClassConceptKey = dbInstance.Entity.ClassConceptId;
retVal.DeterminerConceptKey = dbInstance.Entity.DeterminerConceptId;
// Inversion relationships
//if (retVal.Relationships != null)
//{
// retVal.Relationships.RemoveAll(o => o.InversionIndicator);
// retVal.Relationships.AddRange(context.EntityAssociations.Where(o => o.TargetEntityId == retVal.Key.Value).Distinct().Select(o => new EntityRelationship(o.AssociationTypeConceptId, o.TargetEntityId)
// {
// SourceEntityKey = o.SourceEntityId,
// Key = o.EntityAssociationId,
// InversionIndicator = true
// }));
//}
return(retVal);
}
/// <summary>
/// Creates a principal based on username and password
/// </summary>
internal static SqlClaimsIdentity Create(String userName, String password)
{
try
{
if (userName == AuthenticationContext.AnonymousPrincipal.Identity.Name ||
userName == AuthenticationContext.SystemPrincipal.Identity.Name)
{
throw new PolicyViolationException(PermissionPolicyIdentifiers.Login, PolicyDecisionOutcomeType.Deny);
}
Guid?userId = Guid.Empty;
using (var dataContext = new Data.ModelDataContext(s_configuration.ReadWriteConnectionString))
{
// Attempt to get a user
var hashingService = ApplicationContext.Current.GetService <IPasswordHashingService>();
var passwordHash = hashingService.EncodePassword(password);
dataContext.sp_Authenticate(userName, passwordHash, 3, ref userId);
}
using (var dataContext = new Data.ModelDataContext(s_configuration.ReadonlyConnectionString))
{
var user = dataContext.SecurityUsers.SingleOrDefault(u => u.UserId == userId);
var userIdentity = new SqlClaimsIdentity(user, true)
{
m_authenticationType = "Password"
};
// Is user allowed to login?
if (user.UserClass == UserClassKeys.HumanUser)
{
new PolicyPermission(System.Security.Permissions.PermissionState.Unrestricted, PermissionPolicyIdentifiers.Login, new GenericPrincipal(userIdentity, null)).Demand();
}
else if (user.UserClass == UserClassKeys.ApplicationUser)
{
new PolicyPermission(System.Security.Permissions.PermissionState.Unrestricted, PermissionPolicyIdentifiers.LoginAsService, new GenericPrincipal(userIdentity, null)).Demand();
}
return(userIdentity);
}
}
catch (AuthenticationException)
{
// TODO: Audit this
throw;
}
catch (SecurityException)
{
// TODO: Audit this
throw;
}
catch (SqlException e)
{
switch (e.Number)
{
case 51900:
throw new AuthenticationException("Account is locked");
case 51901:
throw new AuthenticationException("Invalid username/password");
case 51902:
throw new AuthenticationException("User requires two-factor authentication");
default:
throw e;
}
}
catch (Exception e)
{
s_traceSource.TraceEvent(TraceEventType.Error, e.HResult, e.ToString());
throw new Exception("Creating identity failed", e);
}
}
/// <summary>
/// Creates a principal based on username and password
/// </summary>
internal static SqlClaimsIdentity Create(byte[] refreshToken)
{
try
{
Guid?userId = Guid.Empty;
using (var dataContext = new Data.ModelDataContext(s_configuration.ReadWriteConnectionString))
{
// Attempt to get a user
var secretClaim = dataContext.SecurityUserClaims.FirstOrDefault(o => o.ClaimType == SqlServerConstants.RefreshSecretClaimType && o.ClaimValue == BitConverter.ToString(refreshToken).Replace("-", ""));
if (secretClaim == null)
{
throw new SecurityException("Invalid refresh token");
}
// Next we ensure that the claim isn't expired
var expiryClaim = dataContext.SecurityUserClaims.FirstOrDefault(o => o.ClaimType == SqlServerConstants.RefreshExpiryClaimType && o.UserId == secretClaim.UserId);
if (expiryClaim == null || DateTimeOffset.Parse(expiryClaim.ClaimValue) < DateTime.Now)
{
throw new SecurityException("Token expired");
}
dataContext.sp_Authenticate(secretClaim.SecurityUser.UserName, secretClaim.SecurityUser.UserPassword, 3, ref userId);
}
using (var dataContext = new Data.ModelDataContext(s_configuration.ReadonlyConnectionString))
{
var user = dataContext.SecurityUsers.SingleOrDefault(u => u.UserId == userId);
var userIdentity = new SqlClaimsIdentity(user, true)
{
m_authenticationType = "Refresh"
};
// Is user allowed to login?
if (user.UserClass == UserClassKeys.HumanUser)
{
new PolicyPermission(System.Security.Permissions.PermissionState.Unrestricted, PermissionPolicyIdentifiers.Login, new GenericPrincipal(userIdentity, null)).Demand();
}
else if (user.UserClass == UserClassKeys.ApplicationUser)
{
new PolicyPermission(System.Security.Permissions.PermissionState.Unrestricted, PermissionPolicyIdentifiers.LoginAsService, new GenericPrincipal(userIdentity, null)).Demand();
}
return(userIdentity);
}
}
catch (AuthenticationException)
{
// TODO: Audit this
throw;
}
catch (SecurityException)
{
// TODO: Audit this
throw;
}
catch (SqlException e)
{
switch (e.Number)
{
case 51900:
throw new AuthenticationException("Account is locked");
case 51901:
throw new AuthenticationException("Invalid username/password");
case 51902:
throw new AuthenticationException("User requires two-factor authentication");
default:
throw e;
}
}
catch (Exception e)
{
s_traceSource.TraceEvent(TraceEventType.Error, e.HResult, e.ToString());
throw new Exception("Creating identity failed", e);
}
}
/// <summary>
/// Convert the database representation to a model instance
/// </summary>
public override Core.Model.Entities.DeviceEntity ToModelInstance(object dataInstance, Data.ModelDataContext context, IPrincipal principal)
{
var idp = dataInstance as IDbVersionedData;
var deviceEntity = dataInstance as Data.DeviceEntity ?? context.GetTable <Data.DeviceEntity>().Where(o => o.EntityVersionId == idp.VersionId).First();
var dbe = dataInstance as Data.EntityVersion ?? context.GetTable <Data.EntityVersion>().Where(o => o.EntityVersionId == deviceEntity.EntityVersionId).First();
var retVal = m_entityPersister.ToModelInstance <Core.Model.Entities.DeviceEntity>(dbe, context, principal);
retVal.SecurityDeviceKey = deviceEntity.DeviceId;
retVal.ManufacturerModelName = deviceEntity.ManufacturedModelName;
retVal.OperatingSystemName = deviceEntity.OperatingSystemName;
return(retVal);
}
