private void ParentsChanged(object sender, NotifyCollectionChangedEventArgs e)
{
if (e.Action == NotifyCollectionChangedAction.Add)
{
ISecurityItem parent = (ISecurityItem)e.NewItems[0];
parent.Children.Add(this);
_store.OnSecurityItemRelationAdded(parent, this);
}
if (e.Action == NotifyCollectionChangedAction.Remove)
{
ISecurityItem parent = (ISecurityItem)e.OldItems[0];
parent.Children.Remove(this);
_store.OnSecurityItemRelationRemoved(parent, this);
}
if (e.Action == NotifyCollectionChangedAction.Reset)
{
foreach (ISecurityItem parent in e.OldItems)
{
parent.Children.Remove(this);
_store.OnSecurityItemRelationRemoved(parent, this);
}
}
}
public void Operation_Deny_Direct_To_User()
{
EngineFactory factory = new EngineFactory();
ISecurityEngine engine = factory.CreateEngine();
ISecurityItem operation1 = engine.Store.AddSecurityItem().AddBagItem(Name, "Operation1");
ISecurityItem operation2 = engine.Store.AddSecurityItem().AddBagItem(Name, "Operation2");
ISecurityItem task = engine.Store.AddSecurityItem().AddBagItem(Name, "Task");
task.Children.Add(operation1);
task.Children.Add(operation2);
ISecurityItem hasNoAccessFromUserOperation = engine.Store.AddSecurityItem().AddBagItem(Name, "HasNoAccessFromUserOperation");
ISecurityIdentity user = engine.Store.AddSecurityIdentity().AddBagItem(Name, "user");
engine.Store.AccessAuthorize(user, task);
engine.Store.AccessAuthorize(user, operation1).Deny();
ICheckAccessResult operation1AccessResult = engine.CheckAccess(user, operation1);
ICheckAccessResult operation2AccessResult = engine.CheckAccess(user, operation2);
ICheckAccessResult taskAccessResult = engine.CheckAccess(user, task);
ICheckAccessResult hasNoAccessFromUserOperationAccessResult = engine.CheckAccess(user, hasNoAccessFromUserOperation);
Assert.False(operation1AccessResult.HasAccess());
Assert.True(operation2AccessResult.HasAccess());
Assert.True(taskAccessResult.HasAccess());
Assert.False(hasNoAccessFromUserOperationAccessResult.HasAccess());
}
public void OnSecurityItemRemoved(ISecurityItem securityItem)
{
if (_ignoreEvents)
{
return;
}
AddNewAction(StorageActionType.Remove, new StorageSecurityItem(securityItem.Id));
}
public IEnumerable <IAuthorization> GetSecurityItemAuthorizations(ISecurityItem securityItem)
{
if (_securityItemAuthorizations.TryGetValue(securityItem, out HashSet <IAuthorization> authorizations))
{
return(authorizations);
}
return(Enumerable.Empty <IAuthorization>());
}
public void OnSecurityItemRelationRemoved(ISecurityItem parent, ISecurityItem child)
{
if (_ignoreEvents)
{
return;
}
AddNewAction(StorageActionType.Remove, new StorageSecurityItemRelation(parent.Id, child.Id));
}
public IConditionResult GetConditions(ISecurityItem securityItem)
{
ConditionResult conditionResult = (ConditionResult) OnlySelfGetConditions(securityItem);
foreach (ISecurityIdentity parent in _securityIdentity.Parents)
{
ISecurityIdentityAuthorizer securityIdentityAuthorizer = _securityIdentityAuthorizerFactory.CreateCache(parent);
IConditionResult parentConditions = securityIdentityAuthorizer.GetConditions(securityItem);
MergeConditionResult(conditionResult,parentConditions);
}
return conditionResult;
}
private static IEnumerable <ISecurityItem> InternalGetAllAncestors(this ISecurityItem securityItem)
{
foreach (ISecurityItem parent in securityItem.Parents)
{
yield return(parent);
foreach (ISecurityItem parentOfParent in parent.InternalGetAllAncestors())
{
yield return(parentOfParent);
}
}
}
public ISecurityItemAuthorizationsResolver CreateResolver(ISecurityItem securityItem)
{
lock (this)
{
if (!_securityItemsCache.TryGetValue(securityItem, out ISecurityItemAuthorizationsResolver result))
{
result = new SecurityItemAuthorizationsResolver(_store, securityItem);
_securityItemsCache[securityItem] = result;
}
return(result);
}
}
public void Add_SecurityItem_Bag()
{
EngineFactory factory = new EngineFactory();
ISecurityEngine engine = factory.CreateEngine();
TestSecurityStorage securityStorage = new TestSecurityStorage();
engine.Store.AttachToStorage(securityStorage);
ISecurityItem securityItem = engine.Store.AddSecurityItem("07325155-574E-4D89-B680-C0F1B90569E5");
securityItem.Bag["Name"] = "Test";
Assert.Contains("07325155-574E-4D89-B680-C0F1B90569E5_Name", securityStorage.StorageEntities.Keys);
}
private IConditionResult OnlySelfGetConditions(ISecurityItem securityItem)
{
DateTime now = DateTime.Now;
ISecurityItemAuthorizationsResolver securityItemAuthorizationsResolver = _securityItemAuthorizationsResolverFactory.CreateResolver(securityItem);
Dictionary < IConditionalAuthorization, IEnumerable < IAccessCondition >> result = new Dictionary<IConditionalAuthorization, IEnumerable<IAccessCondition>>();
foreach (IConditionalAuthorization conditionalAuthorization in securityItemAuthorizationsResolver.GetAuthorizations()
.Where(a => a.SecurityIdentity.Equals(_securityIdentity)).OfType<IConditionalAuthorization>())
{
if (conditionalAuthorization.LifeTime != null && !conditionalAuthorization.LifeTime.IsActive(now))
continue;
result.Add(conditionalAuthorization,conditionalAuthorization.Conditions);
}
return new ConditionResult(result);
}
public void Add_SecurityItem_Relation()
{
EngineFactory factory = new EngineFactory();
ISecurityEngine engine = factory.CreateEngine();
TestSecurityStorage securityStorage = new TestSecurityStorage();
engine.Store.AttachToStorage(securityStorage);
ISecurityItem parentSecurityItem = engine.Store.AddSecurityItem("3F028123-7EDA-42F7-80B9-09A9DE954047");
ISecurityItem childSecurityItem = engine.Store.AddSecurityItem("13F1C233-90DC-4904-9EAA-C1A912D2B0A7");
parentSecurityItem.Children.Add(childSecurityItem);
Assert.Contains("3F028123-7EDA-42F7-80B9-09A9DE954047_13F1C233-90DC-4904-9EAA-C1A912D2B0A7", securityStorage.StorageEntities.Keys);
}
public void Operation_Access_Operation_Direct_To_User()
{
EngineFactory factory = new EngineFactory();
ISecurityEngine engine = factory.CreateEngine();
ISecurityItem operation = engine.Store.AddSecurityItem().AddBagItem(Name, "Operation");
ISecurityItem hasNoAccessFromUserOperation = engine.Store.AddSecurityItem().AddBagItem(Name, "HasNoAccessFromUserOperation");
ISecurityIdentity user = engine.Store.AddSecurityIdentity().AddBagItem(Name, "user");
engine.Store.AccessAuthorize(user, operation);
ICheckAccessResult operationAccessResult = engine.CheckAccess(user, operation);
ICheckAccessResult hasNoAccessFromUserOperationAccessResult = engine.CheckAccess(user, hasNoAccessFromUserOperation);
Assert.True(operationAccessResult.HasAccess());
Assert.False(hasNoAccessFromUserOperationAccessResult.HasAccess());
}
public void Add_SecurityItem()
{
EngineFactory factory = new EngineFactory();
ISecurityEngine firstEngine = factory.CreateEngine();
using (StorageProvider storageProvider = GetStorageProvider())
{
firstEngine.Store.AttachToStorage(storageProvider.Storage);
ISecurityItem addSecurityItem = firstEngine.Store.AddSecurityItem();
}
ISecurityEngine secondEngine = factory.CreateEngine();
using (StorageProvider storageProvider = GetStorageProvider())
{
secondEngine.Store.AttachToStorage(storageProvider.Storage);
}
}
public void Engine_Instantiate()
{
EngineFactory factory = new EngineFactory();
ISecurityEngine engine = factory.CreateEngine();
ISecurityItem operation1 = engine.Store.AddSecurityItem().AddBagItem(Name, "Operation1");
ISecurityItem operation2 = engine.Store.AddSecurityItem().AddBagItem(Name, "Operation2");
ISecurityItem task = engine.Store.AddSecurityItem().AddBagItem(Name, "Task");
task.Children.Add(operation1);
task.Children.Add(operation2);
ISecurityIdentity user1 = engine.Store.AddSecurityIdentity().AddBagItem(Name, "user1");
ISecurityIdentity user2 = engine.Store.AddSecurityIdentity().AddBagItem(Name, "user2");
ISecurityIdentity group = engine.Store.AddSecurityIdentity().AddBagItem(Name, "group");
group.Children.Add(user1);
group.Children.Add(user2);
IAccessAuthorization user1ToOperationAccessAuthorization = engine.Store.AccessAuthorize(user1, operation1);
}
public void Operation_Access_To_Group()
{
EngineFactory factory = new EngineFactory();
ISecurityEngine engine = factory.CreateEngine();
ISecurityItem operation = engine.Store.AddSecurityItem().AddBagItem(Name, "Operation");
ISecurityIdentity user1 = engine.Store.AddSecurityIdentity().AddBagItem(Name, "user1");
ISecurityIdentity user2 = engine.Store.AddSecurityIdentity().AddBagItem(Name, "user2");
ISecurityIdentity adminGroup = engine.Store.AddSecurityIdentity().AddBagItem(Name, "adminGroup");
adminGroup.Children.Add(user1);
engine.Store.AccessAuthorize(adminGroup, operation);
ICheckAccessResult user1AccessResult = engine.CheckAccess(user1, operation);
ICheckAccessResult user2AccessResult = engine.CheckAccess(user2, operation);
Assert.True(user1AccessResult.HasAccess());
Assert.False(user2AccessResult.HasAccess());
}
private void ChildrenChanged(object sender, NotifyCollectionChangedEventArgs e)
{
if (e.Action == NotifyCollectionChangedAction.Add)
{
ISecurityItem child = (ISecurityItem)e.NewItems[0];
child.Parents.Add(this);
}
if (e.Action == NotifyCollectionChangedAction.Remove)
{
ISecurityItem child = (ISecurityItem)e.OldItems[0];
child.Parents.Remove(this);
}
if (e.Action == NotifyCollectionChangedAction.Reset)
{
foreach (ISecurityItem child in e.OldItems)
{
child.Parents.Remove(this);
}
}
}
public ICheckAccessResult CheckAccess(ISecurityItem securityItem)
{
ICheckAccessResult checkAccessResult = OnlyCheckAccessSelf(securityItem);
if (checkAccessResult.AccessType == AccessType.Deny)
return checkAccessResult;
IList<ICheckAccessResult> allowedParentCheckAccessResults = new List<ICheckAccessResult>();
foreach (ISecurityIdentity parent in _securityIdentity.Parents)
{
ISecurityIdentityAuthorizer securityIdentityAuthorizer = _securityIdentityAuthorizerFactory.CreateCache(parent);
ICheckAccessResult parentCheckAccessResult = securityIdentityAuthorizer.CheckAccess(securityItem);
if (parentCheckAccessResult.AccessType == AccessType.Deny)
return parentCheckAccessResult;
if (parentCheckAccessResult.AccessType == AccessType.Allow)
allowedParentCheckAccessResults.Add(parentCheckAccessResult);
}
if (checkAccessResult.AccessType == AccessType.Allow)
return checkAccessResult;
if (allowedParentCheckAccessResults.Count>0)
return new CheckAccessResult(AccessType.Allow, allowedParentCheckAccessResults.SelectMany(r => r.AffectedAuthorizations));
return new CheckAccessResult(AccessType.Neutral,Enumerable.Empty<IAccessAuthorization>());
}
private ICheckAccessResult OnlyCheckAccessSelf(ISecurityItem securityItem)
{
DateTime now = DateTime.Now;
ISecurityItemAuthorizationsResolver securityItemAuthorizationsResolver = _securityItemAuthorizationsResolverFactory.CreateResolver(securityItem);
List<IAccessAuthorization> affectedAuthorizations = new List<IAccessAuthorization>();
bool deniedFound = false;
bool allowedFound = false;
foreach (IAccessAuthorization accessAuthorization in securityItemAuthorizationsResolver.GetAuthorizations()
.Where(a => a.SecurityIdentity.Equals(_securityIdentity)).OfType<IAccessAuthorization>())
{
if(accessAuthorization.LifeTime != null && !accessAuthorization.LifeTime.IsActive(now))
continue;
switch (accessAuthorization.AccessType)
{
case AccessType.Allow:
if(!deniedFound)
affectedAuthorizations.Add(accessAuthorization);
allowedFound = true;
break;
case AccessType.Deny:
if(allowedFound && !deniedFound)
affectedAuthorizations.Clear();
affectedAuthorizations.Add(accessAuthorization);
deniedFound = true;
break;
case AccessType.Neutral:
break;
default:
throw new ArgumentOutOfRangeException();
}
}
if(deniedFound)
return new CheckAccessResult(AccessType.Deny,affectedAuthorizations);
if(allowedFound)
return new CheckAccessResult(AccessType.Allow, affectedAuthorizations);
return new CheckAccessResult(AccessType.Neutral,Enumerable.Empty<IAccessAuthorization>());
}
private void OnSecurityItemRemoved(ISecurityItem securityItem)
{
_storageSynchronizer?.OnSecurityItemRemoved(securityItem);
}
public static IEnumerable <ISecurityItem> GetAllAncestors(this ISecurityItem securityItem)
{
return(InternalGetAllAncestors(securityItem).Distinct());
}
public void OnSecurityItemRelationRemoved(ISecurityItem parent, ISecurityItem child)
{
_storageSynchronizer?.OnSecurityItemRelationRemoved(parent, child);
}
public IConditionResult GetConditions(ISecurityIdentity securityIdentity, ISecurityItem securityItem)
{
ISecurityIdentityAuthorizer securityIdentityAuthorizer = CreateCache(securityIdentity);
return(securityIdentityAuthorizer.GetConditions(securityItem));
}
public ICheckAccessResult CheckAccess(ISecurityIdentity securityIdentity, ISecurityItem securityItem)
{
ISecurityIdentityAuthorizer securityIdentityAuthorizer = CreateCache(securityIdentity);
return(securityIdentityAuthorizer.CheckAccess(securityItem));
}
public SecurityItemAuthorizationsResolver(SecurityStore store, ISecurityItem securityItem)
{
_store = store;
_securityItem = securityItem;
}
public static IConditionalAuthorization ConditionalAuthorize(this ISecurityStore store, ISecurityIdentity securityIdentity, ISecurityItem securityItem, string id = null)
{
if (string.IsNullOrEmpty(id))
{
id = Guid.NewGuid().ToString();
}
SecurityStore securityStore = (SecurityStore)store;
ConditionalAuthorization conditionalAuthorization = new ConditionalAuthorization((SecurityStore)store, id)
{
SecurityIdentity = securityIdentity, SecurityItem = securityItem
};
securityStore.Authorizations.Add(conditionalAuthorization);
return(conditionalAuthorization);
}
