/// <summary> /// Can the main session on this connection already perform all the API methods? If on George or less this will return false. /// Also return the list of valid roles. /// </summary> /// <param name="apiMethodsToRoleCheck">The methods to check</param> /// <param name="connection">The connection on which to perform the methods</param> /// <param name="validRoleList">The list of roles which can perform all the methods</param> public static bool CanPerform(RbacMethodList apiMethodsToRoleCheck, IXenConnection connection, out List <Role> validRoleList, bool debug) { if (!connection.IsConnected) { validRoleList = new List <Role>(); return(false); } else { validRoleList = ValidRoleList(apiMethodsToRoleCheck, connection, debug); } if (connection.Session != null && connection.Session.IsLocalSuperuser) { return(true); } foreach (Role role in validRoleList) { if (connection.Session != null && connection.Session.Roles != null && connection.Session.Roles.Contains(role)) { return(true); } } return(false); }
private void CheckPermission(IXenConnection xenConnection) { ShellCmd cmd = _menuItemFeature.ShellCmd; RbacMethodList methodsToCheck = cmd.RequiredMethods.Count == 0 ? _menuItemFeature.GetMethodList(cmd.RequiredMethodList) : cmd.RequiredMethods; if (methodsToCheck == null || xenConnection.Session == null || xenConnection.Session.IsLocalSuperuser) { return; } log.DebugFormat("Checking Plugin can run against connection {0}", xenConnection.Name); List <Role> rolesAbleToCompleteAction; bool ableToCompleteAction = Role.CanPerform(methodsToCheck, xenConnection, out rolesAbleToCompleteAction); log.DebugFormat("Roles able to complete action: {0}", Role.FriendlyCSVRoleList(rolesAbleToCompleteAction)); log.DebugFormat("Subject {0} has roles: {1}", xenConnection.Session.UserLogName(), Role.FriendlyCSVRoleList(xenConnection.Session.Roles)); if (ableToCompleteAction) { log.Debug("Subject authorized to complete action"); return; } // Can't run on this connection, bail out string desc = string.Format(FriendlyErrorNames.RBAC_PERMISSION_DENIED_FRIENDLY_CONNECTION, xenConnection.Session.FriendlyRoleDescription(), Role.FriendlyCSVRoleList(rolesAbleToCompleteAction), xenConnection.Name); throw new Exception(desc); }
public void AddApiCheckRange(RbacMethodList methodList) { foreach (var method in methodList) { ApiCallsToCheck.Add(method); } }
/// <summary> /// Can the main session on this connection already perform all the API methods? If on George or less this will return false. /// Also return the list of valid roles. /// </summary> /// <param name="apiMethodsToRoleCheck">The methods to check</param> /// <param name="connection">The connection on which to perform the methods</param> /// <param name="validRoleList">The list of roles which can perform all the methods</param> public static bool CanPerform(RbacMethodList apiMethodsToRoleCheck, IXenConnection connection, out List <Role> validRoleList, bool debug) { validRoleList = ValidRoleList(apiMethodsToRoleCheck, connection, debug); if (Helpers.MidnightRideOrGreater(connection)) { if (!connection.IsConnected) { return(false); } if (connection.Session.IsLocalSuperuser) { return(true); } foreach (Role role in validRoleList) { if (connection.Session.Roles.Contains(role)) { return(true); } } } return(false); }
/// <summary> /// Retrieves all the server RBAC roles which are able to complete all the api methods supplied. If on George or less this will return an empty list. /// </summary> /// <param name="ApiMethodsToRoleCheck">list of RbacMethods to check</param> /// <param name="Connection">server connection to retrieve roles from</param> /// <returns></returns> public static List <Role> ValidRoleList(RbacMethodList ApiMethodsToRoleCheck, IXenConnection Connection, bool debug) { List <Role> rolesAbleToCompleteAction = new List <Role>(); if (debug) { log.DebugFormat("Checking roles required to complete the following calls: {0}", String.Join(", ", ApiMethodsToRoleCheck.ToStringArray())); } foreach (RbacMethod method in ApiMethodsToRoleCheck) { // For every call in the list, compile a list of the roles that can perform it, taking the intersection of the // roles able to perform the call in question and those in the list already. List <Role> rolesAbleToCompleteApiCall = ValidRoleList(method, Connection); if (rolesAbleToCompleteAction.Count == 0) { rolesAbleToCompleteAction.AddRange(rolesAbleToCompleteApiCall); continue; } if (rolesAbleToCompleteApiCall.Count != 0) // zero is a bug: see Assert below { // take intersection of existing authorized roles and this set of authorized roles rolesAbleToCompleteAction.RemoveAll(delegate(Role r) { return(!rolesAbleToCompleteApiCall.Contains(r)); }); } } return(rolesAbleToCompleteAction); }
public DelegatedAsyncAction(IXenConnection connection, string title, string startDescription, string endDescription, Func <Session, object> function, bool suppressHistory, params string[] rbacMethods) : base(connection, title, startDescription, suppressHistory) { this.endDescription = endDescription; this.function = function; ApiMethodsToRoleCheck = new RbacMethodList(rbacMethods); }
private List <string> ExtractApiCallList(AsyncAction myAction) { RbacMethodList rbacMethods = new RbacMethodList(); RbacCollectorProxy.GetProxy(rbacMethods); Session session = new Session(RbacCollectorProxy.GetProxy(rbacMethods), myAction.Connection); myAction.RunExternal(session); return(rbacMethods.ConvertAll(c => c.Method.ToLower().Replace('.', '_').Replace("async_", ""))); }
/// <summary> /// If the action has detailed the Api calls that it will make then find the set of roles that can complete the entire action. If the /// current user's role is not on that list then show the Role Elevation Dialog to give them the oppertunity to change to a new user. /// </summary> private void SetSessionByRole() { if (Connection == null || Connection.Session == null || Session != null) // We have been pre-seeded with a Session to use { return; } RbacMethodList rbacMethodList; if (Connection.Session.IsLocalSuperuser || !Helpers.MidnightRideOrGreater(Connection) || XenAdminConfigManager.Provider.DontSudo) // don't need to / can't / don't want to sudo { rbacMethodList = new RbacMethodList(); } else { rbacMethodList = GetApiMethodsToRoleCheck; } if (rbacMethodList.Count == 0) { Session = NewSession(); return; } List <Role> rolesAbleToCompleteAction; bool ableToCompleteAction = Role.CanPerform(rbacMethodList, Connection, out rolesAbleToCompleteAction); log.DebugFormat("Roles able to complete action: {0}", Role.FriendlyCSVRoleList(rolesAbleToCompleteAction)); log.DebugFormat("Subject {0} has roles: {1}", Connection.Session.UserLogName, Role.FriendlyCSVRoleList(Connection.Session.Roles)); if (ableToCompleteAction) { log.Debug("Subject authorized to complete action"); Session = Connection.Session; return; } log.Debug("Subject not authorized to complete action, showing sudo dialog"); var result = sudoDialog(rolesAbleToCompleteAction, Connection, Title); if (result.Result) { sudoUsername = result.ElevatedUsername; sudoPassword = result.ElevatedPassword; Session = result.ElevatedSession; return; } else { log.Debug("User cancelled sudo dialog, cancelling action"); throw new CancelledException(); } }
public ShellCmd(string filename, bool window, bool logoutput, float disposetime, string[] reqdMethods, string reqMethodList, string[] extraParams) { Filename = filename; Window = window; LogOutput = logoutput; _disposeTime = disposetime; // The required methods to run this plugin are a comma separated list of strings that can be parsed by the RbacMethodList class requiredMethods = new RbacMethodList(reqdMethods); requiredMethodList = reqMethodList; Params = new ReadOnlyCollection <string>(extraParams); }
public ShellCmd(string filename, bool window, bool logoutput, float disposetime, string[] reqdMethods, string reqMethodList, string[] extraParams) { Filename = filename; Window = window; LogOutput = logoutput; _disposeTime = disposetime; // The required methods to run this plugin are a comma separated list of strings that can be parsed by the RbacMethodList class requiredMethods = new RbacMethodList(reqdMethods); requiredMethodList = reqMethodList; Params = new ReadOnlyCollection<string>(extraParams); }
public ShellCmd(XmlNode node, List <string> extraParams) { this.node = node; Filename = Helpers.GetStringXmlAttribute(node, ATT_FILENAME); Window = Helpers.GetBoolXmlAttribute(node, ATT_WINDOW, true); LogOutput = Helpers.GetBoolXmlAttribute(node, ATT_LOG_OUTPUT); _disposeTime = Helpers.GetFloatXmlAttribute(node, ATT_DISPOSE_TIME, 20.0f); // The required methods to run this plugin are a comma separated list of strings that can be parsed by the RbacMethodList class requiredMethods = new RbacMethodList(Helpers.GetStringXmlAttribute(node, ATT_REQUIRED_METHODS, "").Split(',')); requiredMethodList = Helpers.GetStringXmlAttribute(node, ATT_REQUIRED_METHOD_LIST); Params = new ReadOnlyCollection <string>(extraParams); }
public ShellCmd(XmlNode node, List<string> extraParams) { this.node = node; Filename = Helpers.GetStringXmlAttribute(node, ATT_FILENAME); Window = Helpers.GetBoolXmlAttribute(node, ATT_WINDOW, true); LogOutput = Helpers.GetBoolXmlAttribute(node, ATT_LOG_OUTPUT, false); _disposeTime = Helpers.GetFloatXmlAttribute(node, ATT_DISPOSE_TIME, 20.0f); // The required methods to run this plugin are a comma separated list of strings that can be parsed by the RbacMethodList class requiredMethods = new RbacMethodList(Helpers.GetStringXmlAttribute(node, ATT_REQUIRED_METHODS, "").Split(',')); requiredMethodList = Helpers.GetStringXmlAttribute(node, ATT_REQUIRED_METHOD_LIST); Params = new ReadOnlyCollection<string>(extraParams); }
private static bool CanViewVMConsole(XenAdmin.Network.IXenConnection xenConnection) { if (xenConnection.Session == null) { return(false); } RbacMethodList r = new RbacMethodList("http/connect_console"); if (Role.CanPerform(r, xenConnection, false)) { return(true); } return(false); }
public DelegatedAsyncAction(IXenConnection connection, string title, string startDescription, string endDescription, Action<Session> invoker, bool suppressHistory, params string[] rbacMethods) : this(connection, title, startDescription, endDescription, invoker, suppressHistory) { ApiMethodsToRoleCheck = new RbacMethodList(rbacMethods); }
public WizardPermissionCheck(string warningMessage) { this.WarningMessage = warningMessage; ApiCallsToCheck = new RbacMethodList(); }
/// <summary> /// If the action has detailed the Api calls that it will make then find the set of roles that can complete the entire action. If the /// current user's role is not on that list then show the Role Elevation Dialog to give them the oppertunity to change to a new user. /// </summary> private void SetSessionByRole() { if (Connection == null || Connection.Session == null || Session != null) // We have been pre-seeded with a Session to use return; RbacMethodList rbacMethodList; if (Connection.Session.IsLocalSuperuser || !Helpers.MidnightRideOrGreater(Connection) || XenAdminConfigManager.Provider.DontSudo) // don't need to / can't / don't want to sudo rbacMethodList = new RbacMethodList(); else rbacMethodList = GetApiMethodsToRoleCheck; if (rbacMethodList.Count == 0) { Session = NewSession(); return; } List<Role> rolesAbleToCompleteAction; bool ableToCompleteAction = Role.CanPerform(rbacMethodList, Connection, out rolesAbleToCompleteAction); log.DebugFormat("Roles able to complete action: {0}", Role.FriendlyCSVRoleList(rolesAbleToCompleteAction)); log.DebugFormat("Subject {0} has roles: {1}", Connection.Session.UserLogName, Role.FriendlyCSVRoleList(Connection.Session.Roles)); if (ableToCompleteAction) { log.Debug("Subject authorized to complete action"); Session = Connection.Session; return; } log.Debug("Subject not authorized to complete action, showing sudo dialog"); var result = sudoDialog(rolesAbleToCompleteAction, Connection, Title); if (result.Result) { sudoUsername = result.ElevatedUsername; sudoPassword = result.ElevatedPassword; Session = result.ElevatedSession; return; } else { log.Debug("User cancelled sudo dialog, cancelling action"); throw new CancelledException(); } }
public DelegatedAsyncAction(IXenConnection connection, string title, string startDescription, string endDescription, Action <Session> invoker, bool suppressHistory, params string[] rbacMethods) : this(connection, title, startDescription, endDescription, invoker, suppressHistory) { ApiMethodsToRoleCheck = new RbacMethodList(rbacMethods); }
private List<string> ExtractApiCallList(AsyncAction myAction) { RbacMethodList rbacMethods = new RbacMethodList(); RbacCollectorProxy.GetProxy(rbacMethods); Session session = new Session(RbacCollectorProxy.GetProxy(rbacMethods), myAction.Connection); myAction.RunExternal(session); return rbacMethods.ConvertAll(c => c.Method.ToLower().Replace('.', '_').Replace("async_", "")); }
private static bool CanViewVMConsole(XenAdmin.Network.IXenConnection xenConnection) { if (xenConnection.Session == null) return false; if (!Helpers.MidnightRideOrGreater(xenConnection)) return true; RbacMethodList r = new RbacMethodList("http/connect_console"); if (Role.CanPerform(r, xenConnection, false)) return true; return false; }
public RbacCollectorProxy(RbacMethodList rbacMethods) { this.rbacMethods = rbacMethods; }
public WizardPermissionCheck(string warningMessage) { this.WarningMessage = warningMessage; ApiCallsToCheck = new RbacMethodList(); }
public static Proxy GetProxy(RbacMethodList rbacMethods) { return (Proxy)generator.CreateProxyInstance(proxyType, new RbacCollectorProxy(rbacMethods)); }
/// <summary> /// Can the main session on this connection already perform all the API methods? If on George or less this will return false. /// </summary> /// <param name="apiMethodsToRoleCheck">The methods to check</param> /// <param name="connection">The connection on which to perform the methods</param> public static bool CanPerform(RbacMethodList apiMethodsToRoleCheck, IXenConnection connection, bool debug) { List <Role> validRoleList; return(CanPerform(apiMethodsToRoleCheck, connection, out validRoleList, debug)); }
/// <summary> /// Can the main session on this connection already perform all the API methods? If on George or less this will return false. /// Also return the list of valid roles. /// </summary> /// <param name="apiMethodsToRoleCheck">The methods to check</param> /// <param name="connection">The connection on which to perform the methods</param> /// <param name="validRoleList">The list of roles which can perform all the methods</param> public static bool CanPerform(RbacMethodList apiMethodsToRoleCheck, IXenConnection connection, out List <Role> validRoleList) { return(CanPerform(apiMethodsToRoleCheck, connection, out validRoleList, true)); }
/// <summary> /// Retrieves all the server RBAC roles which are able to complete all the api methods supplied. If on George or less this will return an empty list. /// </summary> /// <param name="ApiMethodsToRoleCheck">list of RbacMethods to check</param> /// <param name="Connection">server connection to retrieve roles from</param> /// <returns></returns> public static List <Role> ValidRoleList(RbacMethodList ApiMethodsToRoleCheck, IXenConnection Connection) { return(ValidRoleList(ApiMethodsToRoleCheck, Connection, true)); }
public void AddApiCheckRange(RbacMethodList methodList) { foreach (var method in methodList) ApiCallsToCheck.Add(method); }