Exemplo n.º 1
0
 public SelfModule(SContext serverContext) : base("/u", serverContext)
 {
     Get <GetMyself>("/me", async(req, res) => { await res.Negotiate(new AuthenticatedUser(currentUser)); });
     Get <GetMyGroups>("/groups", async(req, res) => {
         var user = serverContext.userManager.loadGroups(currentUser);
         await res.Negotiate(user.groups);
     });
     Get <GetMyRules>("/rules", async(req, res) => {
         var resolver = new PermissionResolver(serverContext, currentUser);
         var rules    = resolver.aggregateRules();
         await res.Negotiate(rules);
     });
 }
Exemplo n.º 2
0
        public async Task <(RemoteIdentity, HttpStatusCode)> getAppAuthentication(HttpRequest req, HttpResponse res)
        {
            var appId = req.RouteValues.As <string>("appId");
            // check config for app layers
            var appDef = serverContext.config.apps.SingleOrDefault(x => x.name == appId);

            if (appDef == null)
            {
                return(null, HttpStatusCode.NotFound);
            }

            // load user groups, and aggregate their permissions
            var user            = serverContext.userManager.loadGroups(currentUser);
            var userPermissions = new PermissionResolver(serverContext, user)
                                  .aggregatePermissions();
            // check if any permission grants app access
            var maybeGrantedScope = default(AccessScope?);

            foreach (var permission in userPermissions)
            {
                var permissionScope = AccessScope.parse(permission.path); // permission: "/Layer" or "/Layer/App"
                foreach (var appDefLayer in appDef.layers)
                {
                    var appScope = new AccessScope(appDefLayer, appDef.name); // scope: "/Layer/App"
                    if (permissionScope.greaterThan(appScope))
                    {
                        maybeGrantedScope = appScope; // the granted scope is the one we authorize
                    }
                }
            }

            if (!maybeGrantedScope.HasValue)
            {
                return(null, HttpStatusCode.Forbidden);
            }

            var grantedScope = maybeGrantedScope.Value;

            // issue a new token for the app
            // TODO: configurable timespan
            var token = serverContext.userManager.issueTokenFor(user.id,
                                                                serverContext.tokenResolver.issue(grantedScope, TimeSpan.FromDays(7)));

            return(new RemoteIdentity(new PublicUser(user), token), HttpStatusCode.Created);
        }
Exemplo n.º 3
0
        public void Init()
        {
            this.ImageList  = images;
            this.CheckBoxes = true;
            this.Nodes.Clear();
            TreeNode root = new TreeNode(RootText, 0, 0);

            this.Nodes.Add(root);
            List <OperatorRightAttribute> items = PermissionResolver.Resolve();

            if (items != null && items.Count > 0)
            {
                List <string> categories = items.Select(it => it.Catalog).Distinct().ToList();
                foreach (string category in categories)
                {
                    TreeNode catalogNode = new TreeNode(category, 0, 0);
                    catalogNode.Tag = category;
                    root.Nodes.Add(catalogNode);
                    AddRightNode(catalogNode, items);
                }
            }
            root.Expand();
        }
Exemplo n.º 4
0
 public void DemandPermissions(ISecurityObjectId objectId, ISecurityObjectProvider securityObjProvider, params IAction[] actions)
 {
     PermissionResolver.Demand(AuthContext.CurrentAccount, objectId, securityObjProvider, actions);
 }
Exemplo n.º 5
0
 public void DemandPermissions(params IAction[] actions)
 {
     PermissionResolver.Demand(AuthContext.CurrentAccount, actions);
 }
Exemplo n.º 6
0
 public bool CheckPermissions(ISecurityObjectId objectId, ISecurityObjectProvider securityObjProvider, params IAction[] actions)
 {
     return(PermissionResolver.Check(AuthContext.CurrentAccount, objectId, securityObjProvider, actions));
 }
Exemplo n.º 7
0
 public bool CheckPermissions(params IAction[] actions)
 {
     return(PermissionResolver.Check(AuthContext.CurrentAccount, actions));
 }
Exemplo n.º 8
0
        private IEnumerable <AccessRule> getRules()
        {
            var resolver = new PermissionResolver(serverContext, currentUser);

            return(resolver.aggregateRulesForApp(remoteApp.name));
        }
Exemplo n.º 9
0
        static void Main()
        {
            var storage = new Dictionary <Guid, List <object> >();
            Func <Guid, Tuple <Int32, IEnumerable <object> > > reader = id => {
                List <object> events;
                if (storage.TryGetValue(id, out events))
                {
                    return(new Tuple <int, IEnumerable <object> >(events.Count, events));
                }
                return(null);
            };
            var unitOfWork = new UnitOfWork();

            var roleRepository        = new Repository <Role>(Role.Factory, unitOfWork, reader);
            var roleGroupRepository   = new Repository <RoleGroup>(RoleGroup.Factory, unitOfWork, reader);
            var userAccountRepository = new Repository <UserAccount>(UserAccount.Factory, unitOfWork, reader);

            // Setting up security (accounts, roles and authorization)
            var administratorRoleId = new RoleId(Guid.NewGuid());
            var administratorRole   = new Role(administratorRoleId, new Name("Administrator"));

            administratorRole.AddPermissions(SecurityPermissions.All);
            administratorRole.AllowPermissions(SecurityPermissions.All);
            roleRepository.Add(administratorRole.Id, administratorRole);
            var subRole1Id = new RoleId(Guid.NewGuid());
            var subRole1   = new Role(subRole1Id, new Name("SubRole1"));

            subRole1.AddPermission(SecurityPermissions.AddRole);
            subRole1.DenyPermission(SecurityPermissions.AddRole);
            roleRepository.Add(subRole1.Id, subRole1);
            var subRole2Id = new RoleId(Guid.NewGuid());
            var subRole2   = new Role(subRole2Id, new Name("SubRole2"));

            subRole2.AddPermission(SecurityPermissions.AddRole);
            subRole2.AllowPermission(SecurityPermissions.AddRole);
            roleRepository.Add(subRole2.Id, subRole2);
            var group1Id = new RoleGroupId(Guid.NewGuid());
            var group1   = new RoleGroup(group1Id, new Name("SubRole 1 & 2"));

            group1.AddRole(subRole1);
            group1.AddRole(subRole2);
            roleGroupRepository.Add(group1.Id, group1);

            var administratorId = new UserAccountId(Guid.NewGuid());
            var administrator   = new UserAccount(administratorId, new UserAccountName("Administrator"));

            administrator.GrantRole(administratorRole);
            administrator.GrantRoleGroup(group1);
            userAccountRepository.Add(administrator.Id, administrator);

            // Using security - in domain layer code
            var combinator = new AccessDecisionCombinator();

            administrator.CombineDecisions(combinator, roleRepository, roleGroupRepository);
            var decider = combinator.BuildDecider();

            Console.WriteLine(decider.IsAllowed(SecurityPermissions.AddUserAccount));

            // Using security - in application layer code

            var command = new AddUserAccount(
                new Guid("735A259F-996B-4174-9899-3D40242BF6B1"),
                "Pierke Pol");
            var resolver = new PermissionResolver();
            var service  =
                new UserAccountApplicationService(
                    userAccountRepository,
                    roleRepository,
                    roleGroupRepository);
            var authorizer =
                new MessageAuthorizer(
                    resolver,
                    userAccountRepository,
                    roleRepository,
                    roleGroupRepository);
            var commandHandler = service.Secure <AddUserAccount>(authorizer);

            commandHandler.Handle(new SecurityContext <AddUserAccount>(administratorId, command));

            // Using security - in projection code
            var builder = new SqlConnectionStringBuilder("Data Source=.\\SQLEXPRESS;Initial Catalog=<YourStoreHere>;Integrated Security=SSPI;");

            // What that table could look like ...
            //CREATE TABLE [UserAccountEffectiveRoles](
            //  [UserAccountId] [uniqueidentifier] NOT NULL,
            //  [RoleId] [uniqueidentifier] NULL,
            //  [RoleGroupId] [uniqueidentifier] NULL,
            //  [Id] [int] IDENTITY(1,1) NOT NULL,
            //  CONSTRAINT [PK_UserAccountEffectiveRoles] PRIMARY KEY CLUSTERED ( [Id] ASC )
            //)

            var observer = new SqlStatementObserver();
            // var lookup = new MemoryRoleGroupLookup(new Dictionary<Guid, HashSet<Guid>>());
            var lookupInitializer          = new SqlBasedLookupRolesOfRoleGroupInitializer(builder);
            var lookup                     = lookupInitializer.Initialize();
            var projectionHandler          = new UserAccountEffectiveRolesProjectionHandler(observer, lookup);
            var compositeProjectionHandler = new CompositeHandler(
                new IHandle <object>[] {
                new HandlerAdapter <AddedRoleToRoleGroup>(lookup),
                new HandlerAdapter <RemovedRoleFromRoleGroup>(lookup),
                new HandlerAdapter <DisabledUserAccount>(projectionHandler),
                new HandlerAdapter <RoleGrantedToUserAccount>(projectionHandler),
                new HandlerAdapter <RoleRevokedFromUserAccount>(projectionHandler),
                new HandlerAdapter <RoleGroupGrantedToUserAccount>(projectionHandler),
                new HandlerAdapter <RoleRevokedFromUserAccount>(projectionHandler),
                new HandlerAdapter <AddedRoleToRoleGroup>(projectionHandler),
                new HandlerAdapter <RemovedRoleFromRoleGroup>(projectionHandler)
            });

            foreach (var change in unitOfWork.GetChanges())
            {
                compositeProjectionHandler.Handle(change);
            }

            new BatchedSqlStatementFlusher(
                builder).
            Flush(observer.Statements);

            Console.ReadLine();
        }
Exemplo n.º 10
0
 public static void DemandPermissions(params IAction[] actions)
 {
     PermissionResolver.Demand(CurrentAccount, actions);
 }
Exemplo n.º 11
0
 public static bool CheckPermissions(params IAction[] actions)
 {
     return(PermissionResolver.Check(CurrentAccount, actions));
 }