/// <summary>
/// Performs an authorization request.
/// </summary>
/// <param name="authorizationRequest">
/// The authorization request.
/// </param>
/// <returns>
/// True if the request is authorized. False otherwise.
/// </returns>
public bool Authorize(AuthorizationRequest authorizationRequest)
{
Guard.Will.ThrowExceptionOfType<LeadPipeNetSecurityException>("Authorization requests must supply a user context.").When(authorizationRequest.ApplicationUser.User == null);
Guard.Will.ThrowExceptionOfType<LeadPipeNetSecurityException>("Authorization requests must supply a name in the user context.").When(string.IsNullOrEmpty(authorizationRequest.ApplicationUser.User.Name));
Guard.Will.ThrowExceptionOfType<LeadPipeNetSecurityException>("Authorization requests must supply activity names.").When(authorizationRequest.Activities == null);
Guard.Will.ThrowExceptionOfType<LeadPipeNetSecurityException>("Authorization requests must supply an application name.").When(string.IsNullOrEmpty(authorizationRequest.ApplicationUser.Application.Name));
var grantedActivities = authorizationRequest.ApplicationUser.GetEffectivePermissions();
var isGranted = false;
// For each of the activity names in the request...
foreach (var activityName in authorizationRequest.Activities)
{
// Check to see if the user has been granted the activity...
isGranted = grantedActivities.Any(x => x.Name.Equals(activityName));
// TODO: Fire a domain event here to handle this.
// Log the request...
var authorizationRequestLogEntry = new AuthorizationRequestLogEntry() { Activity = activityName, User = authorizationRequest.ApplicationUser.User, RequestedOn = DateTime.Now, Granted = isGranted };
// If the user is authorized then we may as well stop here...
if (isGranted && authorizationRequest.AuthorizeAll.IsFalse())
{
return true;
}
}
return isGranted;
}
/// <summary>
/// Authorizes this instance.
/// </summary>
/// <param name="authorizationRequest">
/// The authorization request.
/// </param>
/// <returns>
/// True if authorized. False otherwise.
/// </returns>
private bool Authorize(AuthorizationRequest authorizationRequest)
{
var authorizationResult = this.AuthorizationProvider.Authorize(authorizationRequest);
if (this.shouldThrow)
{
// If we don't already have an exception built up then build the default exception...
if (this.exception == null)
{
var exceptionMessage = new StringBuilder();
exceptionMessage.Append(this.user.Name.FormattedWith("{0} is not authorized to perform "));
if (authorizationRequest.Activities != null)
{
if (authorizationRequest.Activities.Count() > 1)
{
var activityNames = authorizationRequest.Activities.Select(activity => activity.Name).ToList();
if (activityNames.Count() > 2)
{
activityNames[activityNames.Count() - 1] = "or " + activityNames[activityNames.Count() - 1];
exceptionMessage.Append(activityNames.WrapEachWith(string.Empty, string.Empty, ", "));
}
else
{
exceptionMessage.Append(activityNames.WrapEachWith(string.Empty, string.Empty, " or "));
}
}
else if (authorizationRequest.Activities.Count() == 1)
{
var firstOrDefault = authorizationRequest.Activities.FirstOrDefault();
exceptionMessage.Append(firstOrDefault != null
? firstOrDefault.Name.ToFriendlyName().FormattedWith("the \"{0}\" activity")
: "Unknown".FormattedWith("the \"{0}\" activity"));
}
}
exceptionMessage.Append(authorizationRequest.ApplicationUser.Application.Name.FormattedWith(" in {0}."));
this.exception = new LeadPipeNetAccessDeniedException(exceptionMessage.ToString());
}
// If CAN...
if (!this.not)
{
if (authorizationResult)
{
return true;
}
throw this.exception;
}
// If CAN NOT...
if (this.not)
{
// Throw if they can...
if (authorizationResult)
{
return true;
}
throw this.exception;
}
}
// If CAN NOT return the inverse...
if (this.not)
{
return !authorizationResult;
}
return authorizationResult;
}
/// <summary>
/// Sets the application name and performs the authorization assertion.
/// </summary>
/// <param name="applicationName">
/// Name of the application.
/// </param>
/// <returns>
/// <c>true</c> if the user can perform the specified activity; otherwise, <c>false</c>.
/// </returns>
public bool In(Application application)
{
Guard.Will.ProtectAgainstNullArgument(() => application);
this.application = application;
var applicationUser = new ApplicationUser
{
Application = this.application,
User = this.user
};
var authorizationRequest = new AuthorizationRequest
{
ApplicationUser = applicationUser,
Activities = this.activities,
AuthorizeAll = this.authorizeAllActivities
};
return this.Authorize(authorizationRequest);
}
/// <summary>
/// Authorizes this instance.
/// </summary>
/// <param name="authorizationRequest">
/// The authorization request.
/// </param>
/// <returns>
/// True if authorized. False otherwise.
/// </returns>
private bool Authorize(AuthorizationRequest authorizationRequest)
{
var authorizationResult = this.AuthorizationProvider.Authorize(authorizationRequest);
if (this.shouldThrow)
{
// If we don't already have an exception built up then build the default exception...
if (this.exception == null)
{
var exceptionMessage = new StringBuilder();
exceptionMessage.Append(this.user.Login.FormattedWith("{0} is not authorized to perform "));
if (authorizationRequest.Activities != null)
{
if (authorizationRequest.Activities.Count() > 1)
{
var activityNames = authorizationRequest.Activities.Select(activity => activity.Name).ToList();
if (activityNames.Count() > 2)
{
activityNames[activityNames.Count() - 1] = "or " + activityNames[activityNames.Count() - 1];
exceptionMessage.Append(activityNames.WrapEachWith(string.Empty, string.Empty, ", "));
}
else
{
exceptionMessage.Append(activityNames.WrapEachWith(string.Empty, string.Empty, " or "));
}
}
else if (authorizationRequest.Activities.Count() == 1)
{
var firstOrDefault = authorizationRequest.Activities.FirstOrDefault();
exceptionMessage.Append(firstOrDefault != null
? firstOrDefault.Name.ToFriendlyName().FormattedWith("the \"{0}\" activity")
: "Unknown".FormattedWith("the \"{0}\" activity"));
}
}
exceptionMessage.Append(authorizationRequest.ApplicationUser.Application.Name.FormattedWith(" in {0}."));
this.exception = new LeadPipeNetAccessDeniedException(exceptionMessage.ToString());
}
// If CAN...
if (!this.not)
{
if (authorizationResult)
{
return(true);
}
throw this.exception;
}
// If CAN NOT...
if (this.not)
{
// Throw if they can...
if (authorizationResult)
{
return(true);
}
throw this.exception;
}
}
// If CAN NOT return the inverse...
if (this.not)
{
return(!authorizationResult);
}
return(authorizationResult);
}
