public SelfModule(SContext serverContext) : base("/u", serverContext) { Get <GetMyself>("/me", async(req, res) => { await res.Negotiate(new AuthenticatedUser(currentUser)); }); Get <GetMyGroups>("/groups", async(req, res) => { var user = serverContext.userManager.loadGroups(currentUser); await res.Negotiate(user.groups); }); Get <GetMyRules>("/rules", async(req, res) => { var resolver = new PermissionResolver(serverContext, currentUser); var rules = resolver.aggregateRules(); await res.Negotiate(rules); }); }
public async Task <(RemoteIdentity, HttpStatusCode)> getAppAuthentication(HttpRequest req, HttpResponse res) { var appId = req.RouteValues.As <string>("appId"); // check config for app layers var appDef = serverContext.config.apps.SingleOrDefault(x => x.name == appId); if (appDef == null) { return(null, HttpStatusCode.NotFound); } // load user groups, and aggregate their permissions var user = serverContext.userManager.loadGroups(currentUser); var userPermissions = new PermissionResolver(serverContext, user) .aggregatePermissions(); // check if any permission grants app access var maybeGrantedScope = default(AccessScope?); foreach (var permission in userPermissions) { var permissionScope = AccessScope.parse(permission.path); // permission: "/Layer" or "/Layer/App" foreach (var appDefLayer in appDef.layers) { var appScope = new AccessScope(appDefLayer, appDef.name); // scope: "/Layer/App" if (permissionScope.greaterThan(appScope)) { maybeGrantedScope = appScope; // the granted scope is the one we authorize } } } if (!maybeGrantedScope.HasValue) { return(null, HttpStatusCode.Forbidden); } var grantedScope = maybeGrantedScope.Value; // issue a new token for the app // TODO: configurable timespan var token = serverContext.userManager.issueTokenFor(user.id, serverContext.tokenResolver.issue(grantedScope, TimeSpan.FromDays(7))); return(new RemoteIdentity(new PublicUser(user), token), HttpStatusCode.Created); }
public void Init() { this.ImageList = images; this.CheckBoxes = true; this.Nodes.Clear(); TreeNode root = new TreeNode(RootText, 0, 0); this.Nodes.Add(root); List <OperatorRightAttribute> items = PermissionResolver.Resolve(); if (items != null && items.Count > 0) { List <string> categories = items.Select(it => it.Catalog).Distinct().ToList(); foreach (string category in categories) { TreeNode catalogNode = new TreeNode(category, 0, 0); catalogNode.Tag = category; root.Nodes.Add(catalogNode); AddRightNode(catalogNode, items); } } root.Expand(); }
public void DemandPermissions(ISecurityObjectId objectId, ISecurityObjectProvider securityObjProvider, params IAction[] actions) { PermissionResolver.Demand(AuthContext.CurrentAccount, objectId, securityObjProvider, actions); }
public void DemandPermissions(params IAction[] actions) { PermissionResolver.Demand(AuthContext.CurrentAccount, actions); }
public bool CheckPermissions(ISecurityObjectId objectId, ISecurityObjectProvider securityObjProvider, params IAction[] actions) { return(PermissionResolver.Check(AuthContext.CurrentAccount, objectId, securityObjProvider, actions)); }
public bool CheckPermissions(params IAction[] actions) { return(PermissionResolver.Check(AuthContext.CurrentAccount, actions)); }
private IEnumerable <AccessRule> getRules() { var resolver = new PermissionResolver(serverContext, currentUser); return(resolver.aggregateRulesForApp(remoteApp.name)); }
static void Main() { var storage = new Dictionary <Guid, List <object> >(); Func <Guid, Tuple <Int32, IEnumerable <object> > > reader = id => { List <object> events; if (storage.TryGetValue(id, out events)) { return(new Tuple <int, IEnumerable <object> >(events.Count, events)); } return(null); }; var unitOfWork = new UnitOfWork(); var roleRepository = new Repository <Role>(Role.Factory, unitOfWork, reader); var roleGroupRepository = new Repository <RoleGroup>(RoleGroup.Factory, unitOfWork, reader); var userAccountRepository = new Repository <UserAccount>(UserAccount.Factory, unitOfWork, reader); // Setting up security (accounts, roles and authorization) var administratorRoleId = new RoleId(Guid.NewGuid()); var administratorRole = new Role(administratorRoleId, new Name("Administrator")); administratorRole.AddPermissions(SecurityPermissions.All); administratorRole.AllowPermissions(SecurityPermissions.All); roleRepository.Add(administratorRole.Id, administratorRole); var subRole1Id = new RoleId(Guid.NewGuid()); var subRole1 = new Role(subRole1Id, new Name("SubRole1")); subRole1.AddPermission(SecurityPermissions.AddRole); subRole1.DenyPermission(SecurityPermissions.AddRole); roleRepository.Add(subRole1.Id, subRole1); var subRole2Id = new RoleId(Guid.NewGuid()); var subRole2 = new Role(subRole2Id, new Name("SubRole2")); subRole2.AddPermission(SecurityPermissions.AddRole); subRole2.AllowPermission(SecurityPermissions.AddRole); roleRepository.Add(subRole2.Id, subRole2); var group1Id = new RoleGroupId(Guid.NewGuid()); var group1 = new RoleGroup(group1Id, new Name("SubRole 1 & 2")); group1.AddRole(subRole1); group1.AddRole(subRole2); roleGroupRepository.Add(group1.Id, group1); var administratorId = new UserAccountId(Guid.NewGuid()); var administrator = new UserAccount(administratorId, new UserAccountName("Administrator")); administrator.GrantRole(administratorRole); administrator.GrantRoleGroup(group1); userAccountRepository.Add(administrator.Id, administrator); // Using security - in domain layer code var combinator = new AccessDecisionCombinator(); administrator.CombineDecisions(combinator, roleRepository, roleGroupRepository); var decider = combinator.BuildDecider(); Console.WriteLine(decider.IsAllowed(SecurityPermissions.AddUserAccount)); // Using security - in application layer code var command = new AddUserAccount( new Guid("735A259F-996B-4174-9899-3D40242BF6B1"), "Pierke Pol"); var resolver = new PermissionResolver(); var service = new UserAccountApplicationService( userAccountRepository, roleRepository, roleGroupRepository); var authorizer = new MessageAuthorizer( resolver, userAccountRepository, roleRepository, roleGroupRepository); var commandHandler = service.Secure <AddUserAccount>(authorizer); commandHandler.Handle(new SecurityContext <AddUserAccount>(administratorId, command)); // Using security - in projection code var builder = new SqlConnectionStringBuilder("Data Source=.\\SQLEXPRESS;Initial Catalog=<YourStoreHere>;Integrated Security=SSPI;"); // What that table could look like ... //CREATE TABLE [UserAccountEffectiveRoles]( // [UserAccountId] [uniqueidentifier] NOT NULL, // [RoleId] [uniqueidentifier] NULL, // [RoleGroupId] [uniqueidentifier] NULL, // [Id] [int] IDENTITY(1,1) NOT NULL, // CONSTRAINT [PK_UserAccountEffectiveRoles] PRIMARY KEY CLUSTERED ( [Id] ASC ) //) var observer = new SqlStatementObserver(); // var lookup = new MemoryRoleGroupLookup(new Dictionary<Guid, HashSet<Guid>>()); var lookupInitializer = new SqlBasedLookupRolesOfRoleGroupInitializer(builder); var lookup = lookupInitializer.Initialize(); var projectionHandler = new UserAccountEffectiveRolesProjectionHandler(observer, lookup); var compositeProjectionHandler = new CompositeHandler( new IHandle <object>[] { new HandlerAdapter <AddedRoleToRoleGroup>(lookup), new HandlerAdapter <RemovedRoleFromRoleGroup>(lookup), new HandlerAdapter <DisabledUserAccount>(projectionHandler), new HandlerAdapter <RoleGrantedToUserAccount>(projectionHandler), new HandlerAdapter <RoleRevokedFromUserAccount>(projectionHandler), new HandlerAdapter <RoleGroupGrantedToUserAccount>(projectionHandler), new HandlerAdapter <RoleRevokedFromUserAccount>(projectionHandler), new HandlerAdapter <AddedRoleToRoleGroup>(projectionHandler), new HandlerAdapter <RemovedRoleFromRoleGroup>(projectionHandler) }); foreach (var change in unitOfWork.GetChanges()) { compositeProjectionHandler.Handle(change); } new BatchedSqlStatementFlusher( builder). Flush(observer.Statements); Console.ReadLine(); }
public static void DemandPermissions(params IAction[] actions) { PermissionResolver.Demand(CurrentAccount, actions); }
public static bool CheckPermissions(params IAction[] actions) { return(PermissionResolver.Check(CurrentAccount, actions)); }