/// <summary>
/// Initializes a new instance of the <see cref="SystemRole"/> class.
/// </summary>
/// <param name="name">The name.</param>
/// <param name="description">The description.</param>
/// <param name="systemRoleType">Type of the system role.</param>
protected internal SystemRole( string name, string description, SystemRoleType systemRoleType )
{
Check.IsNotNullOrWhitespace ( name, "Name is required." );
Check.IsNotNull ( systemRoleType, "System role type is required." );
_name = name;
_description = description;
_systemRoleType = systemRoleType;
_grantedSystemPermissions = new List<SystemRolePermission> ();
_grantedSystemRoleRelationships = new List<SystemRoleRelationship> ();
}
public UserAccessPolicy CreatePolicy(SystemRoleType userRole, string userId,
string flowName, FlowRoleType flowRoleType)
{
if ((flowRoleType == FlowRoleType.None) ||
!IsFlowRoleTypePermittedForUserRole(userRole, flowRoleType))
{
throw new ArgumentException(string.Format("Invalid user role (\"{0}\") specified for flow role (\"{0}\")",
EnumUtils.ToDescription(userRole), EnumUtils.ToDescription(flowRoleType)));
}
return(new UserAccessPolicy(userId, ServiceRequestAuthorizationType.Flow,
flowName, flowRoleType));
}
/// <summary>
/// Assign system role.
/// </summary>
/// <param name="systemRole">
/// The system role.
/// </param>
/// <param name="systemRoleType">
/// The system role type.
/// </param>
private void AssignSystemRole(SystemRole systemRole, SystemRoleType systemRoleType)
{
CheckRoleAssignment(systemRole, systemRoleType);
var staffSystemRole = new StaffSystemRole(systemRole)
{
Staff = this
};
_systemRoles.Add(staffSystemRole);
NotifyItemAdded(() => SystemRoles, staffSystemRole);
}
/// <summary>
/// Validate that the input admin visitor has at least minimumRole permissions. Throw an
/// UnauthorizedAccessException() if visitor is not validated.
/// </summary>
public static void ValidateByRole(NodeVisit visit, SystemRoleType minimumRole)
{
if (visit == null)
{
throw new ArgumentException("Input visit is null.");
}
if ((visit.Account == null) || string.IsNullOrEmpty(visit.Account.Id) ||
((visit.Account.Role != SystemRoleType.Admin) && ((Int32)visit.Account.Role) < ((Int32)minimumRole)))
{
ThrowInsuficientPrivileges();
}
}
/// <summary>
/// Checks the role assignment.
/// </summary>
/// <param name="systemRole">The system role.</param>
/// <param name="systemRoleType">Type of the system role.</param>
private void CheckRoleAssignment(SystemRole systemRole, SystemRoleType systemRoleType)
{
Check.IsNotNull(systemRole, "System role is required.");
if (systemRole.SystemRoleType != systemRoleType)
{
throw new ArgumentException(string.Format(( string )"The type of the role is not a {0} role. ", ( object )systemRoleType));
}
StaffSystemRole existingStaffSystemRole =
(from sr in _systemRoles where sr.SystemRole.Key == systemRole.Key select sr).FirstOrDefault();
if (existingStaffSystemRole != null)
{
throw new InvalidOperationException("The same has already been Assigned.");
}
}
protected bool IsFlowRoleTypePermittedForUserRole(SystemRoleType userRole, FlowRoleType flowRole)
{
switch (userRole)
{
case SystemRoleType.Admin:
return(true);
case SystemRoleType.Program:
return((flowRole == FlowRoleType.Endpoint) || (flowRole == FlowRoleType.View) ||
(flowRole == FlowRoleType.Modify));
case SystemRoleType.Authed:
return(flowRole == FlowRoleType.Endpoint);
default:
return(false);
}
}
/// <summary>
/// Removes the system role.
/// </summary>
/// <param name="systemRole">The system role.</param>
/// <param name="systemRoleType">Type of the system role.</param>
private void RemoveSystemRole(SystemRole systemRole, SystemRoleType systemRoleType)
{
Check.IsNotNull(systemRole, "System role is required.");
if (systemRole.SystemRoleType != systemRoleType)
{
throw new ArgumentException(string.Format(( string )"The type of the role is not a {0} role. ", ( object )systemRoleType));
}
StaffSystemRole existingSystemRole = (from sa in _systemRoles where sa.SystemRole.Key == systemRole.Key select sa).FirstOrDefault();
if (existingSystemRole != null)
{
_systemRoles.Remove(existingSystemRole);
}
NotifyItemRemoved(() => SystemRoles, existingSystemRole);
}
public string BulkAddUsers(ICollection <string> usernames, bool createInNaas, string defaultPassword,
SystemRoleType defaultRole, ICollection <FlowNameAndRole> accessFlows,
bool isUserActive, NodeVisit visit)
{
ValidateByRole(visit, SystemRoleType.Admin);
if (CollectionUtils.IsNullOrEmpty(usernames))
{
throw new ArgumentException("usernames cannot be empty");
}
// Create the parameter list:
ByIndexOrNameDictionary <string> parameters = new ByIndexOrNameDictionary <string>(true);
int i = 0;
foreach (string username in usernames)
{
string key = string.Format("{0}{1}", BulkAddUsersConstants.PARAM_USERNAME_PREFIX, i.ToString());
parameters.Add(key, username);
++i;
}
parameters.Add(BulkAddUsersConstants.PARAM_CREATE_IN_NAAS, createInNaas.ToString());
if (!string.IsNullOrEmpty(defaultPassword))
{
parameters.Add(BulkAddUsersConstants.PARAM_DEFAULT_PASSWORD, defaultPassword);
}
parameters.Add(BulkAddUsersConstants.PARAM_DEFAULT_ROLE, defaultRole.ToString());
parameters.Add(BulkAddUsersConstants.PARAM_IS_ACTIVE, isUserActive.ToString());
if (!CollectionUtils.IsNullOrEmpty(accessFlows))
{
i = 0;
foreach (FlowNameAndRole accessFlow in accessFlows)
{
string key = string.Format("{0}{1}", BulkAddUsersConstants.PARAM_FLOW_NAME_PREFIX, i.ToString());
parameters.Add(key, accessFlow.FlowName + BulkAddUsersConstants.PARAM_VALUE_SEPARATOR + accessFlow.FlowRole);
++i;
}
}
// Create the task transaction and queue for running, the task will run asynchronously after
// this method returns
return(_transactionManager.QueueTask(_securityFlowName, _securityBulkAddUsersServiceName,
visit.Account.Id, parameters));
}
/// <summary>
/// Creates the system role.
/// </summary>
/// <param name="name">The name.</param>
/// <param name="description">The description.</param>
/// <param name="systemRoleType">Type of the system role.</param>
/// <returns>
/// A SystemRole
/// </returns>
public SystemRole CreateSystemRole( string name, string description, SystemRoleType systemRoleType )
{
Check.IsNotNullOrWhitespace(name, "Name is required.");
Check.IsNotNull(systemRoleType, "System role type is required.");
SystemRole systemRole;
var existingSystemRole = _systemRoleRepository.GetByName( name );
if (existingSystemRole != null)
{
systemRole = existingSystemRole;
}
else
{
systemRole = new SystemRole( name, description, systemRoleType );
_systemRoleRepository.MakePersistent( systemRole );
}
return systemRole;
}
/// <summary>
/// Creates the system role.
/// </summary>
/// <param name="name">The name.</param>
/// <param name="description">The description.</param>
/// <param name="systemRoleType">Type of the system role.</param>
/// <returns>
/// A SystemRole
/// </returns>
public SystemRole CreateSystemRole(string name, string description, SystemRoleType systemRoleType)
{
Check.IsNotNullOrWhitespace(name, "Name is required.");
Check.IsNotNull(systemRoleType, "System role type is required.");
SystemRole systemRole;
var existingSystemRole = _systemRoleRepository.GetByName(name);
if (existingSystemRole != null)
{
systemRole = existingSystemRole;
}
else
{
systemRole = new SystemRole(name, description, systemRoleType);
_systemRoleRepository.MakePersistent(systemRole);
}
return(systemRole);
}
public UserAccount BulkAddUser(string username, bool createInNaas, string defaultPassword,
SystemRoleType defaultRole, ICollection <FlowNameAndRole> accessFlows,
bool isUserActive, NodeVisit visit)
{
ValidateByRole(visit, SystemRoleType.Admin);
UserAccount usr = _accountDao.GetByName(username);
if (usr == null)
{
usr = new UserAccount();
usr.NaasAccount = username;
}
usr.ModifiedById = visit.Account.Id;
usr.IsActive = isUserActive;
usr.Role = defaultRole;
if (!CollectionUtils.IsNullOrEmpty(accessFlows))
{
List <UserAccessPolicy> policies = new List <UserAccessPolicy>(accessFlows.Count);
foreach (FlowNameAndRole accessFlow in accessFlows)
{
UserAccessPolicy policy =
_accountPolicyManager.CreatePolicy(usr.Role, null, accessFlow.FlowName,
accessFlow.FlowRole);
policy.ModifiedById = visit.Account.Id;
policies.Add(policy);
}
usr.Policies = _accountPolicyManager.CleanseFlowPoliciesForUser(usr.Role, policies);
}
else
{
usr.Policies = null;
}
if (string.IsNullOrEmpty(defaultPassword))
{
defaultPassword = GenerateRandomPassword();
}
return(Save(usr, createInNaas, defaultPassword, visit));
}
private static async Task <ApplicationUser> AssignUserToRole(UserManager <ApplicationUser> userManager,
ApplicationUser user,
SystemRoleType role)
{
var userInDb = await userManager.FindByNameAsync(user.UserName);
if (userInDb != null)
{
return(null);
}
var result = await userManager.CreateAsync(user, "Admin1.");
if (result.Succeeded)
{
await userManager.AddToRoleAsync(user, role.ToString());
return(userManager.FindByNameAsync(user.UserName).Result);
}
return(null);
}
protected void OnAddUsers(object sender, EventArgs e)
{
if (!this.IsValid)
{
// Error on page, get out of here
return;
}
try
{
IList <string> emails = GetUsernames();
ICollection <FlowNameAndRole> permissionedFlows = GetPermissionedFlows();
SystemRoleType role = EnumUtils.FromDescription <SystemRoleType>(roleCtrl.SelectedValue);
string password = passwordCtrl.Text;
bool createInNaas = createInNaasCheckBox.Checked;
bool isActive = activeCtrl.Checked;
if (emails.Count == 1)
{
_accountService.BulkAddUser(emails[0], createInNaas, password, role,
permissionedFlows, isActive, VisitHelper.GetVisit());
ResponseRedirect("../Secure/SecurityUser.aspx");
}
else
{
string transactionId =
_accountService.BulkAddUsers(emails, createInNaas, password, role, permissionedFlows,
isActive, VisitHelper.GetVisit());
_centralProcessor.WakeupProcessor(NodeMethod.Task);
ResponseRedirect("../Secure/TaskDetails.aspx?id=" + transactionId);
}
}
catch (Exception ex)
{
LOG.Error(ex.Message, ex);
SetDivPageError(ex);
}
}
protected ICollection <FlowNameAndRole> GetPermissionedFlows()
{
SystemRoleType role = EnumUtils.FromDescription <SystemRoleType>(roleCtrl.SelectedValue);
if (role == SystemRoleType.Admin)
{
return(null); // Everything is allowed
}
Repeater repeater = flowRepeaterList;
List <FlowNameAndRole> permissionedFlows = null;
foreach (RepeaterItem item in repeater.Items)
{
DropDownList flowRoleCtrl = item.FindControl("flowRoleCtrl") as DropDownList;
Label flowCodeLabel = item.FindControl("FlowCode") as Label;
HiddenField flowIsProtected = item.FindControl("flowIsProtected") as HiddenField;
FlowRoleType flowRole = FlowRoleType.None;
string flowName = null;
if ((flowRoleCtrl != null) && (flowCodeLabel != null) && (flowIsProtected != null) &&
flowRoleCtrl.Visible)
{
flowName = flowCodeLabel.Text;
flowRole = EnumUtils.FromDescription <FlowRoleType>(flowRoleCtrl.SelectedValue);
if (flowRole != FlowRoleType.None)
{
bool flowIsProtectedValue = flowIsProtected.Value == true.ToString();
if (flowIsProtectedValue || ((flowRole == FlowRoleType.View) || (flowRole == FlowRoleType.Modify)))
{
FlowNameAndRole flowNameAndRole = new FlowNameAndRole(flowName, flowRole);
CollectionUtils.Add(flowNameAndRole, ref permissionedFlows);
}
}
}
}
return(permissionedFlows);
}
/// <summary>
/// Assign system role.
/// </summary>
/// <param name="systemRole">
/// The system role.
/// </param>
/// <param name="systemRoleType">
/// The system role type.
/// </param>
private void AssignSystemRole( SystemRole systemRole, SystemRoleType systemRoleType )
{
CheckRoleAssignment ( systemRole, systemRoleType );
var staffSystemRole = new StaffSystemRole ( systemRole ) { Staff = this };
_systemRoles.Add ( staffSystemRole );
NotifyItemAdded ( () => SystemRoles, staffSystemRole );
}
public IList <UserAccessPolicy> CleanseFlowPoliciesForUser(SystemRoleType userRole, IList <UserAccessPolicy> policies)
{
if (CollectionUtils.IsNullOrEmpty(policies))
{
return(null);
}
if (userRole == SystemRoleType.Admin)
{
return(null); // Admin is allowed everything
}
List <UserAccessPolicy> cleansedPolicies = new List <UserAccessPolicy>(policies.Count);
IList <string> protectedFlows = _flowManager.GetProtectedFlowNames();
foreach (UserAccessPolicy policy in policies)
{
if (policy.PolicyType != ServiceRequestAuthorizationType.Flow)
{
cleansedPolicies.Add(policy);
}
else
{
if (!IsFlowRoleTypePermittedForUserRole(userRole, policy.FlowRoleType))
{
throw new ArgumentException(string.Format("Invalid user role (\"{0}\") specified for flow role (\"{0}\")",
EnumUtils.ToDescription(userRole), EnumUtils.ToDescription(policy.FlowRoleType)));
}
bool isFlowProtected =
(CollectionUtils.IndexOf(protectedFlows, policy.TypeQualifier,
StringComparison.InvariantCultureIgnoreCase) >= 0);
if (userRole == SystemRoleType.Authed)
{
DebugUtils.AssertDebuggerBreak(policy.FlowRoleType == FlowRoleType.Endpoint);
if (isFlowProtected)
{
cleansedPolicies.Add(policy);
}
else
{
// Don't add, must be FlowRoleType.Endpoint and flow is not protected
}
}
else if (userRole == SystemRoleType.Program)
{
if (isFlowProtected)
{
cleansedPolicies.Add(policy);
}
else
{
if ((policy.FlowRoleType == FlowRoleType.Modify) ||
(policy.FlowRoleType == FlowRoleType.View))
{
// Only add in these cases, not if FlowRoleType == FlowRoleType.Endpoint
// since flow is not protected
cleansedPolicies.Add(policy);
}
}
}
else
{
throw new ArgumentException("Unrecognized user role specified: \"(0)\"",
EnumUtils.ToDescription(userRole));
}
}
}
return(CollectionUtils.IsNullOrEmpty(cleansedPolicies) ? null : cleansedPolicies);
}
public void ValidateUserMinimumRole(NodeVisit visit, SystemRoleType minimumRole)
{
AccountManager.ValidateByRole(visit, minimumRole);
}
protected ICollection <string> GetBulkAddUsersParams(DataRequest dataRequest, IFlowManager flowManager,
out bool createInNaas, out string defaultPassword,
out SystemRoleType defaultRole, out bool isUserActive,
out ICollection <FlowNameAndRole> accessFlows)
{
if (CollectionUtils.IsNullOrEmpty(dataRequest.Parameters))
{
throw new ArgumentException("No parameters were specified for the service");
}
if (!dataRequest.Parameters.IsByName)
{
throw new ArgumentException("The parameters for the service must be \"by-name\"");
}
IDictionary <string, string> flowsNameToIdMap = flowManager.GetAllFlowsNameToIdMap();
createInNaas = true;
defaultRole = SystemRoleType.Authed;
defaultPassword = null;
isUserActive = true;
accessFlows = new List <FlowNameAndRole>();
List <string> usernames = new List <string>();
foreach (KeyValuePair <string, string> pair in dataRequest.Parameters.NameValuePairs)
{
string key = pair.Key.ToUpper();
if (key.StartsWith(BulkAddUsersConstants.PARAM_USERNAME_PREFIX))
{
if (!StringUtils.Contains(pair.Value, usernames, StringComparison.InvariantCultureIgnoreCase))
{
usernames.Add(pair.Value);
}
}
else if (key.StartsWith(BulkAddUsersConstants.PARAM_FLOW_NAME_PREFIX))
{
string[] flowParams =
pair.Value.Split(new string[] { BulkAddUsersConstants.PARAM_VALUE_SEPARATOR },
StringSplitOptions.RemoveEmptyEntries);
if ((flowParams.Length != 2) || string.IsNullOrEmpty(flowParams[0]) ||
string.IsNullOrEmpty(flowParams[1]))
{
throw new ArgumentException(string.Format("Invalid flow parameter specified: {0}",
pair.Value));
}
string flowId;
if (!flowsNameToIdMap.TryGetValue(flowParams[0], out flowId))
{
throw new ArgumentException(string.Format("A flow with the name \"{0}\" cannot be found",
flowParams[0]));
}
accessFlows.Add(new FlowNameAndRole(flowParams[0], EnumUtils.ParseEnum <FlowRoleType>(flowParams[1])));
}
else
{
switch (key)
{
case BulkAddUsersConstants.PARAM_CREATE_IN_NAAS:
createInNaas = bool.Parse(pair.Value);
break;
case BulkAddUsersConstants.PARAM_DEFAULT_PASSWORD:
defaultPassword = pair.Value;
break;
case BulkAddUsersConstants.PARAM_DEFAULT_ROLE:
defaultRole = (SystemRoleType)Enum.Parse(typeof(SystemRoleType), pair.Value, true);
break;
case BulkAddUsersConstants.PARAM_IS_ACTIVE:
isUserActive = bool.Parse(pair.Value);
break;
default:
throw new ArgumentException(string.Format("An unrecognized key/value parameter was found: \"{0}\" = \"{1}\"",
pair.Key, pair.Value));
}
}
}
return(usernames);
}
/// <summary>
/// Removes the system role.
/// </summary>
/// <param name="systemRole">The system role.</param>
/// <param name="systemRoleType">Type of the system role.</param>
private void RemoveSystemRole( SystemRole systemRole, SystemRoleType systemRoleType )
{
Check.IsNotNull ( systemRole, "System role is required." );
if ( systemRole.SystemRoleType != systemRoleType )
{
throw new ArgumentException ( string.Format ( ( string )"The type of the role is not a {0} role. ", ( object )systemRoleType ) );
}
StaffSystemRole existingSystemRole = ( from sa in _systemRoles where sa.SystemRole.Key == systemRole.Key select sa ).FirstOrDefault ();
if ( existingSystemRole != null )
{
_systemRoles.Remove ( existingSystemRole );
}
NotifyItemRemoved ( () => SystemRoles, existingSystemRole );
}
public NAAS_USRMGR.UserTypeCode SystemRoleToNAASUserType(SystemRoleType role)
{
return(NAAS_USRMGR.UserTypeCode.user); // Per Mark
}
/// <summary>
/// Checks the role assignment.
/// </summary>
/// <param name="systemRole">The system role.</param>
/// <param name="systemRoleType">Type of the system role.</param>
private void CheckRoleAssignment( SystemRole systemRole, SystemRoleType systemRoleType )
{
Check.IsNotNull ( systemRole, "System role is required." );
if ( systemRole.SystemRoleType != systemRoleType )
{
throw new ArgumentException ( string.Format ( ( string )"The type of the role is not a {0} role. ", ( object )systemRoleType ) );
}
StaffSystemRole existingStaffSystemRole =
( from sr in _systemRoles where sr.SystemRole.Key == systemRole.Key select sr ).FirstOrDefault ();
if ( existingStaffSystemRole != null )
{
throw new InvalidOperationException("The same has already been Assigned.");
}
}
public UserAccount()
{
_role = SystemRoleType.None;
_policies = new SortableCollection <UserAccessPolicy>();
}
