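/// <summary>
/// Authorizes a staff-scoped student list request: the caller must be staff, and the claim is then
/// checked at the school scope selected by the <c>StudentListType</c> parameter.
/// </summary>
/// <param name="request">The claim validator request carrying the parameters to check.</param>
/// <returns>Always <c>null</c>; failure is signalled by an exception.</returns>
/// <exception cref="UserAccessDeniedException">
/// Thrown directly when the student list type is not one of the recognised values, and by the
/// delegated validators when the claim does not cover the requested scope.
/// </exception>
protected override object HandleRequest(ClaimValidatorRequest request)
        {
            ValidateCurrentUserIsStaff(request);

            var studentListType = request.GetParameterValueByName(ClaimValidatorRequest.StudentListTypeParameterName);

            // DJWhite 4 Jan 2012: Default null or empty to NONE which is equivalent to ALL.
            if (String.IsNullOrEmpty(studentListType))
            {
                studentListType = StudentListType.None.ToString();
            }

            // Invariant lower-casing: the case labels are fixed identifiers, so the match must not depend
            // on the current thread culture (tr-TR, for example, lowers 'I' to a dotless i that never
            // matches and would turn a valid request into an access-denied failure).
            switch (studentListType.ToLowerInvariant())
            {
                case ClaimValidatorRequest.StudentListEnumSection:
                    ValidateClaimSchoolStaffSection(request, ClaimType);
                    break;

                case ClaimValidatorRequest.StudentListEnumCohort:
                    ValidateClaimSchoolCohortStaff(request, ClaimType);
                    break;

                case ClaimValidatorRequest.StudentListEnumCustomStudentList:
                    ValidateClaimSchoolCustomStudentListStaff(request, ClaimType);
                    break;

                case ClaimValidatorRequest.StudentListEnumMetricsBasedWatchList:
                case ClaimValidatorRequest.StudentListEnumAll:
                case ClaimValidatorRequest.StudentListEnumNone:
                    // Watch lists, "all" and "none" are all checked at plain school-staff scope.
                    ValidateClaimSchoolStaff(request, ClaimType);
                    break;

                default:
                    // Unknown list types are denied rather than falling back to a broader check.
                    throw new UserAccessDeniedException(ClaimValidatorRequest.InvalidParameterErrorMessage);
            }

            return null;
        }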
        /// <summary>
        /// Authorizes the request against the school-level claim for any school user.
        /// </summary>
        /// <param name="request">The claim validator request to check.</param>
        /// <returns>Always <c>null</c>; denial is reported by an exception from the validator.</returns>
        protected override object HandleRequest(ClaimValidatorRequest request)
        {
            // An earlier revision used the staff-only check (ValidateClaimSchoolStaff) here;
            // the broader school-user check is the one in effect.
            ValidateClaimSchoolUser(request, ClaimType);
            return null;
        }
        /// <summary>
        /// Authorizes a section request: the caller must be staff and must hold the claim for the
        /// school staff section named in the request.
        /// </summary>
        /// <param name="request">The claim validator request to check.</param>
        /// <returns>Always <c>null</c>; denial is reported by an exception from the validators.</returns>
        protected override object HandleRequest(ClaimValidatorRequest request)
        {
            // Staff membership is checked before the section-level claim.
            ValidateCurrentUserIsStaff(request);
            ValidateClaimSchoolStaffSection(request, ClaimType);
            return null;
        }
 /// <summary>
 /// Terminal handler of the validator chain: reaching it means no validator claimed the request's
 /// signature, so the request is rejected rather than silently allowed.
 /// </summary>
 /// <param name="request">The request whose signature had no handler.</param>
 /// <returns>Never returns normally.</returns>
 /// <exception cref="UnhandledSignatureException">Always thrown, carrying the unhandled signature key.</exception>
 public object ValidateRequest(ClaimValidatorRequest request)
 {
     // Not explicitly unhandled: the request fell through to the end of the chain of responsibility.
     var message = string.Format(
         ClaimValidatorRequest.UnhandledParameterErrorMessageFormat,
         request.BuildSignatureKey());
     throw new UnhandledSignatureException(false, message);
 }
 /// <summary>
 /// Authorizes a "view my metrics" request by asserting the claim directly on the request's
 /// local education agency.
 /// </summary>
 /// <param name="request">The claim validator request to check.</param>
 /// <returns>Always <c>null</c>; denial is reported by an exception from the assertion provider.</returns>
 protected override object HandleRequest(ClaimValidatorRequest request)
 {
     // "View my metrics" is currently siloed (original author's note), so the claim is asserted
     // on the LEA id alone rather than through the other validators in this file.
     var localEducationAgencyId = request.GetLocalEducationAgencyId();
     SecurityAssertionProvider.CurrentUserMustHaveClaimOnEducationOrganization(localEducationAgencyId, ClaimType);
     return null;
 }
        /// <summary>
        /// Authorizes the request by checking the claim against the school or local education agency
        /// named in its parameters.
        /// </summary>
        /// <param name="request">The claim validator request to check.</param>
        /// <returns>Always <c>null</c>; denial is reported by an exception from the check.</returns>
        protected override object HandleRequest(ClaimValidatorRequest request)
        {
            // TODO: Start using this again once the staffUSI issue is fixed.
            //ValidateCurrentUserIsStaff(request);
            // Until then only the organization claim is checked here; staff membership is not.
            CheckEducationOrganization(request);
            return null;
        }
        /// <summary>
        /// Authorizes a local education agency metric request against the LEA metric claim.
        /// </summary>
        /// <param name="request">The claim validator request to check.</param>
        /// <returns>Always <c>null</c>; denial is reported by an exception from the validator.</returns>
        protected override object HandleRequest(ClaimValidatorRequest request)
        {
            // TODO: GKM - Do we need to secure specific metrics (such as Operational Dashboards),
            // or does Manage Goals allow them to read those metrics too?
            ValidateClaimLocalEducationAgencyMetric(request, ClaimType);
            return null;
        }
        /// <summary>
        /// Checks that the current user holds <c>ClaimType</c> for the local education agency named in
        /// the request, either directly (LEA or higher in its hierarchy) or through an organization
        /// whose hierarchy includes that LEA. A request without an LEA parameter is not checked here.
        /// </summary>
        /// <param name="request">The claim validator request carrying the LEA parameter.</param>
        /// <exception cref="UserAccessDeniedException">
        /// No associated organization with the claim covers the LEA.
        /// </exception>
        protected void CheckLea(ClaimValidatorRequest request)
        {
            var localEducationAgencyId = request.GetNullableIdByName(ClaimValidatorRequest.LocalEducationAgencyParameterName);
            if (!localEducationAgencyId.HasValue)
            {
                return;
            }

            var leaId = localEducationAgencyId.Value;
            var currentUser = UserInformation.Current;

            // Organizations at the LEA level or above it.
            var leaHierarchy = SecurityAssertionProvider.GetEducationOrganizationHierarchy(leaId);

            var covered = currentUser.AssociatedOrganizations.Any(org =>
                org.ClaimTypes.Contains(ClaimType)
                && (
                    // The user has an explicit claim for the LEA or at State level...
                    leaHierarchy.Contains(org.EducationOrganizationId)
                    // ...or the LEA lies within the hierarchy of one of their claimed organizations.
                    // Note: this last check cannot look higher than the LEA because the State agency id
                    // always comes back in the hierarchy.
                    || SecurityAssertionProvider.GetEducationOrganizationHierarchy(org.EducationOrganizationId).Contains(leaId)));

            if (covered)
            {
                return;
            }

            throw new UserAccessDeniedException(Implementations.SecurityAssertionProvider.NoEducationOrganizationPermissionErrorMessage);
        }
        /// <summary>
        /// Checks that the current user holds <c>ClaimType</c> for the education organization named in
        /// the request. The school parameter takes precedence; the local education agency parameter is
        /// consulted only when no usable school id is present. The claim may be held on the organization
        /// itself, on an organization above it in its hierarchy, or on an organization whose own
        /// hierarchy contains it.
        /// </summary>
        /// <param name="request">The claim validator request carrying the school / LEA parameters.</param>
        /// <exception cref="UserAccessDeniedException">
        /// Neither parameter is usable, or no associated organization with the claim covers the one named.
        /// </exception>
        protected void CheckEducationOrganization(ClaimValidatorRequest request)
        {
            var schoolId = request.GetNullableIdByName(ClaimValidatorRequest.SchoolParameterName);
            var localEducationAgencyId =
                request.GetNullableIdByName(ClaimValidatorRequest.LocalEducationAgencyParameterName);
            var currentUser = UserInformation.Current;

            // Resolve the single organization the request is scoped to; school wins over LEA.
            int? targetEdOrgId = null;
            if (schoolId.HasUsableValue())
            {
                targetEdOrgId = schoolId.Value;
            }
            else if (localEducationAgencyId.HasUsableValue())
            {
                targetEdOrgId = localEducationAgencyId.Value;
            }

            if (targetEdOrgId.HasValue)
            {
                var targetId = targetEdOrgId.Value;
                var targetHierarchy = SecurityAssertionProvider.GetEducationOrganizationHierarchy(targetId);

                var covered = currentUser.AssociatedOrganizations.Any(org =>
                    org.ClaimTypes.Contains(ClaimType)
                    && (targetHierarchy.Contains(org.EducationOrganizationId)
                        || SecurityAssertionProvider.GetEducationOrganizationHierarchy(org.EducationOrganizationId)
                            .Contains(targetId)));

                if (covered)
                {
                    return;
                }
            }

            // No usable organization parameter, or no covering claim: deny.
            throw new UserAccessDeniedException(Implementations.SecurityAssertionProvider.NoEducationOrganizationPermissionErrorMessage);
        }
        /// <summary>
        /// Authorizes the request against the local education agency claim.
        /// </summary>
        /// <param name="request">The claim validator request to check.</param>
        /// <returns>Always <c>null</c>; denial is reported by an exception from the validator.</returns>
        protected override object HandleRequest(ClaimValidatorRequest request)
        {
            ValidateClaimLocalEducationAgency(request, ClaimType);
            return null;
        }
	    /// <summary>
	    /// Authorizes the request by delegating to the configured claim validator.
	    /// </summary>
	    /// <param name="request">The claim validator request to check.</param>
	    public void AuthorizeRequest(ClaimValidatorRequest request)
	    {
	        // Denial is reported by whatever exception the validator chain throws.
	        claimValidator.ValidateRequest(request);
	    }
        /// <summary>
        /// Authorizes the request by checking the claim against the local education agency named in
        /// its parameters (no check is made when the LEA parameter is absent).
        /// </summary>
        /// <param name="request">The claim validator request to check.</param>
        /// <returns>Always <c>null</c>; denial is reported by an exception from the check.</returns>
        protected override object HandleRequest(ClaimValidatorRequest request)
        {
            CheckLea(request);
            return null;
        }
        /// <summary>
        /// Authorizes the request at school scope when a school parameter is supplied, otherwise at
        /// local education agency scope when an LEA parameter is supplied.
        /// </summary>
        /// <param name="request">The claim validator request to check.</param>
        /// <returns>Always <c>null</c>; denial is reported by an exception from the validators.</returns>
        /// <exception cref="ArgumentException">Neither a school nor an LEA parameter is present.</exception>
        protected override object HandleRequest(ClaimValidatorRequest request)
        {
            // Presence is tested on the raw parameter string, so an empty (non-null) value counts as present.
            if (request.GetParameterValueByName(ClaimValidatorRequest.SchoolParameterName) != null)
            {
                ValidateClaimSchool(request, ClaimType);
            }
            else if (request.GetParameterValueByName(ClaimValidatorRequest.LocalEducationAgencyParameterName) != null)
            {
                CheckLea(request);
            }
            else
            {
                throw new ArgumentException("SchoolId and LocalEducationAgency can not both be null.");
            }

            return null;
        }
        /// <summary>
        /// Authorizes a student request through the student's organization association at school scope.
        /// </summary>
        /// <param name="request">The claim validator request to check.</param>
        /// <returns>Always <c>null</c>; denial is reported by an exception from the validator.</returns>
        protected override object HandleRequest(ClaimValidatorRequest request)
        {
            ValidateClaimSchoolStudentByOrganizationAssociation(request, ClaimType);
            return null;
        }
        /// <summary>
        /// Authorizes a custom student list request. Staff membership is first checked at the narrowest
        /// organization named (school, else LEA); when a custom student list id is present, the list
        /// claim is then checked at that same scope, with a school-scoped failure falling back to the
        /// LEA-scoped checks.
        /// </summary>
        /// <param name="request">The claim validator request to check.</param>
        /// <returns>Always <c>null</c>; denial is reported by an exception from the validators.</returns>
        protected override object HandleRequest(ClaimValidatorRequest request)
        {
            var schoolId = request.GetNullableIdByName(ClaimValidatorRequest.SchoolParameterName);
            var scopedToSchool = schoolId.HasValue;

            // First gate: staff membership at the organization the request names.
            if (scopedToSchool)
            {
                ValidateClaimSchoolStaff(request, ClaimType);
            }
            else
            {
                ValidateClaimLocalEducationAgencyStaff(request, ClaimType);
            }

            var customStudentListId = request.GetNullableIdByName(ClaimValidatorRequest.CustomStudentListParameterName);
            if (!customStudentListId.HasValue)
            {
                return null;
            }

            if (!scopedToSchool)
            {
                ValidateClaimLocalEducationAgencyCustomStudentListStaff(request, ClaimType);
                return null;
            }

            try
            {
                ValidateClaimSchoolCustomStudentListStaff(request, ClaimType);
            }
            catch (UserAccessDeniedException)
            {
                // Deliberate fallback: an LEA-level user may modify an LEA custom student list while
                // working at school scope, so re-validate at the LEA level instead of denying outright.
                ValidateClaimLocalEducationAgencyStaff(request, ClaimType);
                ValidateClaimLocalEducationAgencyCustomStudentListStaff(request, ClaimType);
            }

            return null;
        }
 /// <summary>
 /// Authorizes the request at the scope implied by its parameters: the presence of a staff USI
 /// selects the staff variant of the validator, and the presence of a school id selects the school
 /// (rather than LEA) variant.
 /// </summary>
 /// <param name="request">The claim validator request to check.</param>
 /// <returns>Always <c>null</c>; denial is reported by an exception from the validators.</returns>
 protected override object HandleRequest(ClaimValidatorRequest request)
 {
     var staffUSI = request.GetNullableLongIdByName(ClaimValidatorRequest.StaffParameterName);
     var schoolId = request.GetNullableIdByName(ClaimValidatorRequest.SchoolParameterName);

     var staffScoped = staffUSI.HasValue;
     var schoolScoped = schoolId.HasValue;

     if (staffScoped && schoolScoped)
     {
         ValidateClaimSchoolStaff(request, ClaimType);
     }
     else if (staffScoped)
     {
         ValidateClaimLocalEducationAgencyStaff(request, ClaimType);
     }
     else if (schoolScoped)
     {
         ValidateClaimSchool(request, ClaimType);
     }
     else
     {
         ValidateClaimLocalEducationAgency(request, ClaimType);
     }

     return null;
 }
        /// <summary>
        /// Authorizes the request against the staff claim.
        /// </summary>
        /// <param name="request">The claim validator request to check.</param>
        /// <returns>Always <c>null</c>; denial is reported by an exception from the validator.</returns>
        protected override object HandleRequest(ClaimValidatorRequest request)
        {
            ValidateClaimStaff(request, ClaimType);
            return null;
        }
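        /// <summary>
        /// Tries each supplied claim's authorization against the parameters and succeeds on the first
        /// claim that authorizes. When every claim fails, all failures are logged together and the
        /// first failure is rethrown.
        /// </summary>
        /// <param name="parameters">The service call parameters the claims are evaluated against.</param>
        /// <param name="claims">Candidate claims, tried in order.</param>
        /// <returns>
        /// <c>true</c> when some claim authorizes the request; <c>false</c> when <paramref name="claims"/>
        /// is null or empty.
        /// </returns>
        /// <exception cref="InvalidCastException">
        /// Propagated immediately from a validator; not treated as an authorization failure.
        /// </exception>
        /// <exception cref="SecurityAccessDeniedException">
        /// No claim authorized the request and no validator raised an exception.
        /// </exception>
        public bool AuthorizeByClaim(IEnumerable<ParameterInstance> parameters, IEnumerable<string> claims)
        {
            if (null == claims)
            {
                return false;
            }

            // Materialize once: the sequence is enumerated for the emptiness check, the loop and the
            // failure log, and a deferred source would otherwise be re-evaluated on each pass.
            var claimList = claims.ToList();
            if (claimList.Count == 0)
            {
                return false;
            }

            Exception firstAuthorizationException = null;
            var allExceptions = new List<Exception>();
            var request = new ClaimValidatorRequest {Parameters = parameters};

            foreach (var claim in claimList)
            {
                try
                {
                    var authorization = GetClaimAuthorization(claim);
                    authorization.AuthorizeRequest(request);
                    return true;
                }
                catch (InvalidCastException)
                {
                    // Several claim validators have been throwing invalid cast exceptions which were
                    // hidden by the general catch below; surface them as programming errors instead.
                    throw;
                }
                catch (Exception ex)
                {
                    // Any other failure means "this claim did not authorize"; keep trying the rest.
                    if (firstAuthorizationException == null)
                    {
                        firstAuthorizationException = ex;
                    }
                    allExceptions.Add(ex);
                }
            }

            if (firstAuthorizationException != null)
            {
                // If all claims failed authorization, throw the first exception. However the first
                // exception is not necessarily the most useful message, so log everything we have to
                // allow better debugging of failures. Also look at the exception thrown in the
                // BeforeExecution method for the service name and method it was trying to authorize.
                var sb = new StringBuilder();
                sb.AppendFormat("Authorization Failure: Parameters: [{0}]  Claims: [{1}]", string.Join(", ", parameters), string.Join(", ", claimList));
                sb.AppendLine();

                // NOTE(review): this writes every claim type and value of the current principal into
                // the warning log; treat that log as sensitive and confirm no claim carries data that
                // must not be retained there.
                var claimsPrincipal = UserInformation.Current.ToClaimsPrincipal();
                foreach (var identity in claimsPrincipal.Identities)
                {
                    foreach (var claim in identity.Claims)
                    {
                        sb.AppendLine(claim.ClaimType + ": " + claim.Value);
                    }
                }

                foreach (var ex in allExceptions)
                {
                    sb.AppendLine(ex.ToString());
                }

                logger.Warn(sb);

                // Rethrowing a stored exception resets its stack trace to this point; the original
                // traces are preserved in the warning logged above.
                throw firstAuthorizationException;
            }

            throw new SecurityAccessDeniedException("Could not authorize by claim.");
        }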
        /// <summary>
        /// Authorizes a student request against the current user's own claim on that student.
        /// </summary>
        /// <param name="request">The claim validator request to check.</param>
        /// <returns>Always <c>null</c>; denial is reported by an exception from the validator.</returns>
        protected override object HandleRequest(ClaimValidatorRequest request)
        {
            ValidateClaimStudentByCurrentUser(request, ClaimType);
            return null;
        }
        /// <summary>
        /// Authorizes a staff request: the caller must be staff, and the claim is then checked at school
        /// scope when a school id is supplied, otherwise at local education agency scope.
        /// </summary>
        /// <param name="request">The claim validator request to check.</param>
        /// <returns>Always <c>null</c>; denial is reported by an exception from the validators.</returns>
        protected override object HandleRequest(ClaimValidatorRequest request)
        {
            ValidateCurrentUserIsStaff(request);

            var schoolId = request.GetNullableIdByName(ClaimValidatorRequest.SchoolParameterName);
            if (schoolId.HasValue)
            {
                ValidateClaimSchoolStaff(request, ClaimType);
            }
            else
            {
                ValidateClaimLocalEducationAgencyStaff(request, ClaimType);
            }

            return null;
        }
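        /// <summary>
        /// Authorizes a student list request at the scope implied by its parameters: the student list
        /// type selects which validator runs, and the presence of a staff USI and/or school id selects
        /// the staff vs. non-staff and school vs. LEA variant of that validator.
        /// </summary>
        /// <param name="request">The claim validator request carrying the parameters to check.</param>
        /// <returns>Always <c>null</c>; failure is signalled by an exception.</returns>
        /// <exception cref="UserAccessDeniedException">
        /// Thrown directly when the student list type is unrecognised or a section list is requested
        /// without a school id, and by the delegated validators when the claim does not cover the scope.
        /// </exception>
        protected override object HandleRequest(ClaimValidatorRequest request)
        {
            var studentListType = request.GetParameterValueByName(ClaimValidatorRequest.StudentListTypeParameterName);
            var schoolId = request.GetNullableIdByName(ClaimValidatorRequest.SchoolParameterName);
            var staffUSI = request.GetNullableLongIdByName(ClaimValidatorRequest.StaffParameterName);

            // DJWhite 4 Jan 2012: Default null or empty to NONE which is equivalent to ALL.
            if (String.IsNullOrEmpty(studentListType))
            {
                studentListType = StudentListType.None.ToString();
            }

            // Invariant lower-casing: the case labels are fixed identifiers, so the match must not depend
            // on the current thread culture (tr-TR, for example, lowers 'I' to a dotless i that never
            // matches and would turn a valid request into an access-denied failure).
            switch (studentListType.ToLowerInvariant())
            {
                case ClaimValidatorRequest.StudentListEnumSection:
                    // Only school-scoped section validators exist, so a school id is mandatory here.
                    if (!schoolId.HasValue)
                    {
                        throw new UserAccessDeniedException(ClaimValidatorRequest.InvalidParameterErrorMessage);
                    }

                    if (staffUSI.HasValue)
                    {
                        ValidateClaimSchoolStaffSection(request, ClaimType);
                    }
                    else
                    {
                        ValidateClaimSchoolSection(request, ClaimType);
                    }
                    break;

                case ClaimValidatorRequest.StudentListEnumCohort:
                    if (staffUSI.HasValue && schoolId.HasValue)
                    {
                        ValidateClaimSchoolCohortStaff(request, ClaimType);
                    }
                    else if (staffUSI.HasValue)
                    {
                        ValidateClaimLocalEducationAgencyCohortStaff(request, ClaimType);
                    }
                    else if (schoolId.HasValue)
                    {
                        ValidateClaimSchoolCohort(request, ClaimType);
                    }
                    else
                    {
                        ValidateClaimLocalEducationAgencyCohort(request, ClaimType);
                    }
                    break;

                case ClaimValidatorRequest.StudentListEnumCustomStudentList:
                    // NOTE(review): unlike the other cases this always runs the school/staff variant and
                    // consults neither schoolId nor staffUSI; confirm that is intended for LEA-scoped requests.
                    ValidateClaimSchoolCustomStudentListStaff(request, ClaimType);
                    break;

                case ClaimValidatorRequest.StudentListEnumMetricsBasedWatchList:
                case ClaimValidatorRequest.StudentListEnumAll:
                case ClaimValidatorRequest.StudentListEnumNone:
                    if (staffUSI.HasValue && schoolId.HasValue)
                    {
                        ValidateClaimSchoolStaff(request, ClaimType);
                    }
                    else if (staffUSI.HasValue)
                    {
                        ValidateClaimLocalEducationAgencyStaff(request, ClaimType);
                    }
                    else if (schoolId.HasValue)
                    {
                        ValidateClaimSchool(request, ClaimType);
                    }
                    else
                    {
                        ValidateClaimLocalEducationAgency(request, ClaimType);
                    }
                    break;

                default:
                    // Unknown list types are denied rather than falling back to a broader check.
                    throw new UserAccessDeniedException(ClaimValidatorRequest.InvalidParameterErrorMessage);
            }

            return null;
        }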
 /// <summary>
 /// Builds a claim validator request populated with the parameters supplied to the current call.
 /// </summary>
 /// <returns>A new request whose <c>Parameters</c> are the supplied parameters.</returns>
 public ClaimValidatorRequest GetClaimValidatorRequest()
 {
     return new ClaimValidatorRequest {Parameters = GetSuppliedParameters()};
 }