/// <summary>
/// Can the main session on this connection already perform all the API methods? If on George or less this will return false.
/// Also return the list of valid roles.
/// </summary>
/// <param name="apiMethodsToRoleCheck">The methods to check</param>
/// <param name="connection">The connection on which to perform the methods</param>
/// <param name="validRoleList">The list of roles which can perform all the methods</param>
public static bool CanPerform(RbacMethodList apiMethodsToRoleCheck, IXenConnection connection, out List <Role> validRoleList, bool debug)
{
if (!connection.IsConnected)
{
validRoleList = new List <Role>();
return(false);
}
else
{
validRoleList = ValidRoleList(apiMethodsToRoleCheck, connection, debug);
}
if (connection.Session != null && connection.Session.IsLocalSuperuser)
{
return(true);
}
foreach (Role role in validRoleList)
{
if (connection.Session != null && connection.Session.Roles != null && connection.Session.Roles.Contains(role))
{
return(true);
}
}
return(false);
}
private void CheckPermission(IXenConnection xenConnection)
{
ShellCmd cmd = _menuItemFeature.ShellCmd;
RbacMethodList methodsToCheck = cmd.RequiredMethods.Count == 0 ? _menuItemFeature.GetMethodList(cmd.RequiredMethodList) : cmd.RequiredMethods;
if (methodsToCheck == null || xenConnection.Session == null || xenConnection.Session.IsLocalSuperuser)
{
return;
}
log.DebugFormat("Checking Plugin can run against connection {0}", xenConnection.Name);
List <Role> rolesAbleToCompleteAction;
bool ableToCompleteAction = Role.CanPerform(methodsToCheck, xenConnection, out rolesAbleToCompleteAction);
log.DebugFormat("Roles able to complete action: {0}", Role.FriendlyCSVRoleList(rolesAbleToCompleteAction));
log.DebugFormat("Subject {0} has roles: {1}", xenConnection.Session.UserLogName(), Role.FriendlyCSVRoleList(xenConnection.Session.Roles));
if (ableToCompleteAction)
{
log.Debug("Subject authorized to complete action");
return;
}
// Can't run on this connection, bail out
string desc = string.Format(FriendlyErrorNames.RBAC_PERMISSION_DENIED_FRIENDLY_CONNECTION,
xenConnection.Session.FriendlyRoleDescription(),
Role.FriendlyCSVRoleList(rolesAbleToCompleteAction),
xenConnection.Name);
throw new Exception(desc);
}
public void AddApiCheckRange(RbacMethodList methodList)
{
foreach (var method in methodList)
{
ApiCallsToCheck.Add(method);
}
}
/// <summary>
/// Can the main session on this connection already perform all the API methods? If on George or less this will return false.
/// Also return the list of valid roles.
/// </summary>
/// <param name="apiMethodsToRoleCheck">The methods to check</param>
/// <param name="connection">The connection on which to perform the methods</param>
/// <param name="validRoleList">The list of roles which can perform all the methods</param>
public static bool CanPerform(RbacMethodList apiMethodsToRoleCheck, IXenConnection connection, out List <Role> validRoleList, bool debug)
{
validRoleList = ValidRoleList(apiMethodsToRoleCheck, connection, debug);
if (Helpers.MidnightRideOrGreater(connection))
{
if (!connection.IsConnected)
{
return(false);
}
if (connection.Session.IsLocalSuperuser)
{
return(true);
}
foreach (Role role in validRoleList)
{
if (connection.Session.Roles.Contains(role))
{
return(true);
}
}
}
return(false);
}
/// <summary>
/// Retrieves all the server RBAC roles which are able to complete all the api methods supplied. If on George or less this will return an empty list.
/// </summary>
/// <param name="ApiMethodsToRoleCheck">list of RbacMethods to check</param>
/// <param name="Connection">server connection to retrieve roles from</param>
/// <returns></returns>
public static List <Role> ValidRoleList(RbacMethodList ApiMethodsToRoleCheck, IXenConnection Connection, bool debug)
{
List <Role> rolesAbleToCompleteAction = new List <Role>();
if (debug)
{
log.DebugFormat("Checking roles required to complete the following calls: {0}", String.Join(", ", ApiMethodsToRoleCheck.ToStringArray()));
}
foreach (RbacMethod method in ApiMethodsToRoleCheck)
{
// For every call in the list, compile a list of the roles that can perform it, taking the intersection of the
// roles able to perform the call in question and those in the list already.
List <Role> rolesAbleToCompleteApiCall = ValidRoleList(method, Connection);
if (rolesAbleToCompleteAction.Count == 0)
{
rolesAbleToCompleteAction.AddRange(rolesAbleToCompleteApiCall);
continue;
}
if (rolesAbleToCompleteApiCall.Count != 0) // zero is a bug: see Assert below
{
// take intersection of existing authorized roles and this set of authorized roles
rolesAbleToCompleteAction.RemoveAll(delegate(Role r)
{
return(!rolesAbleToCompleteApiCall.Contains(r));
});
}
}
return(rolesAbleToCompleteAction);
}
public DelegatedAsyncAction(IXenConnection connection, string title, string startDescription, string endDescription,
Func <Session, object> function, bool suppressHistory, params string[] rbacMethods)
: base(connection, title, startDescription, suppressHistory)
{
this.endDescription = endDescription;
this.function = function;
ApiMethodsToRoleCheck = new RbacMethodList(rbacMethods);
}
private List <string> ExtractApiCallList(AsyncAction myAction)
{
RbacMethodList rbacMethods = new RbacMethodList();
RbacCollectorProxy.GetProxy(rbacMethods);
Session session = new Session(RbacCollectorProxy.GetProxy(rbacMethods), myAction.Connection);
myAction.RunExternal(session);
return(rbacMethods.ConvertAll(c => c.Method.ToLower().Replace('.', '_').Replace("async_", "")));
}
/// <summary>
/// If the action has detailed the Api calls that it will make then find the set of roles that can complete the entire action. If the
/// current user's role is not on that list then show the Role Elevation Dialog to give them the oppertunity to change to a new user.
/// </summary>
private void SetSessionByRole()
{
if (Connection == null ||
Connection.Session == null ||
Session != null) // We have been pre-seeded with a Session to use
{
return;
}
RbacMethodList rbacMethodList;
if (Connection.Session.IsLocalSuperuser || !Helpers.MidnightRideOrGreater(Connection) || XenAdminConfigManager.Provider.DontSudo) // don't need to / can't / don't want to sudo
{
rbacMethodList = new RbacMethodList();
}
else
{
rbacMethodList = GetApiMethodsToRoleCheck;
}
if (rbacMethodList.Count == 0)
{
Session = NewSession();
return;
}
List <Role> rolesAbleToCompleteAction;
bool ableToCompleteAction = Role.CanPerform(rbacMethodList, Connection, out rolesAbleToCompleteAction);
log.DebugFormat("Roles able to complete action: {0}", Role.FriendlyCSVRoleList(rolesAbleToCompleteAction));
log.DebugFormat("Subject {0} has roles: {1}", Connection.Session.UserLogName, Role.FriendlyCSVRoleList(Connection.Session.Roles));
if (ableToCompleteAction)
{
log.Debug("Subject authorized to complete action");
Session = Connection.Session;
return;
}
log.Debug("Subject not authorized to complete action, showing sudo dialog");
var result = sudoDialog(rolesAbleToCompleteAction, Connection, Title);
if (result.Result)
{
sudoUsername = result.ElevatedUsername;
sudoPassword = result.ElevatedPassword;
Session = result.ElevatedSession;
return;
}
else
{
log.Debug("User cancelled sudo dialog, cancelling action");
throw new CancelledException();
}
}
public ShellCmd(string filename, bool window, bool logoutput, float disposetime, string[] reqdMethods, string reqMethodList, string[] extraParams)
{
Filename = filename;
Window = window;
LogOutput = logoutput;
_disposeTime = disposetime;
// The required methods to run this plugin are a comma separated list of strings that can be parsed by the RbacMethodList class
requiredMethods = new RbacMethodList(reqdMethods);
requiredMethodList = reqMethodList;
Params = new ReadOnlyCollection <string>(extraParams);
}
public ShellCmd(string filename, bool window, bool logoutput, float disposetime, string[] reqdMethods, string reqMethodList, string[] extraParams)
{
Filename = filename;
Window = window;
LogOutput = logoutput;
_disposeTime = disposetime;
// The required methods to run this plugin are a comma separated list of strings that can be parsed by the RbacMethodList class
requiredMethods = new RbacMethodList(reqdMethods);
requiredMethodList = reqMethodList;
Params = new ReadOnlyCollection<string>(extraParams);
}
public ShellCmd(XmlNode node, List <string> extraParams)
{
this.node = node;
Filename = Helpers.GetStringXmlAttribute(node, ATT_FILENAME);
Window = Helpers.GetBoolXmlAttribute(node, ATT_WINDOW, true);
LogOutput = Helpers.GetBoolXmlAttribute(node, ATT_LOG_OUTPUT);
_disposeTime = Helpers.GetFloatXmlAttribute(node, ATT_DISPOSE_TIME, 20.0f);
// The required methods to run this plugin are a comma separated list of strings that can be parsed by the RbacMethodList class
requiredMethods = new RbacMethodList(Helpers.GetStringXmlAttribute(node, ATT_REQUIRED_METHODS, "").Split(','));
requiredMethodList = Helpers.GetStringXmlAttribute(node, ATT_REQUIRED_METHOD_LIST);
Params = new ReadOnlyCollection <string>(extraParams);
}
public ShellCmd(XmlNode node, List<string> extraParams)
{
this.node = node;
Filename = Helpers.GetStringXmlAttribute(node, ATT_FILENAME);
Window = Helpers.GetBoolXmlAttribute(node, ATT_WINDOW, true);
LogOutput = Helpers.GetBoolXmlAttribute(node, ATT_LOG_OUTPUT, false);
_disposeTime = Helpers.GetFloatXmlAttribute(node, ATT_DISPOSE_TIME, 20.0f);
// The required methods to run this plugin are a comma separated list of strings that can be parsed by the RbacMethodList class
requiredMethods = new RbacMethodList(Helpers.GetStringXmlAttribute(node, ATT_REQUIRED_METHODS, "").Split(','));
requiredMethodList = Helpers.GetStringXmlAttribute(node, ATT_REQUIRED_METHOD_LIST);
Params = new ReadOnlyCollection<string>(extraParams);
}
private static bool CanViewVMConsole(XenAdmin.Network.IXenConnection xenConnection)
{
if (xenConnection.Session == null)
{
return(false);
}
RbacMethodList r = new RbacMethodList("http/connect_console");
if (Role.CanPerform(r, xenConnection, false))
{
return(true);
}
return(false);
}
public DelegatedAsyncAction(IXenConnection connection, string title, string startDescription, string endDescription,
Action<Session> invoker, bool suppressHistory, params string[] rbacMethods)
: this(connection, title, startDescription, endDescription, invoker, suppressHistory)
{
ApiMethodsToRoleCheck = new RbacMethodList(rbacMethods);
}
public WizardPermissionCheck(string warningMessage)
{
this.WarningMessage = warningMessage;
ApiCallsToCheck = new RbacMethodList();
}
/// <summary>
/// If the action has detailed the Api calls that it will make then find the set of roles that can complete the entire action. If the
/// current user's role is not on that list then show the Role Elevation Dialog to give them the oppertunity to change to a new user.
/// </summary>
private void SetSessionByRole()
{
if (Connection == null
|| Connection.Session == null
|| Session != null) // We have been pre-seeded with a Session to use
return;
RbacMethodList rbacMethodList;
if (Connection.Session.IsLocalSuperuser || !Helpers.MidnightRideOrGreater(Connection) || XenAdminConfigManager.Provider.DontSudo) // don't need to / can't / don't want to sudo
rbacMethodList = new RbacMethodList();
else
rbacMethodList = GetApiMethodsToRoleCheck;
if (rbacMethodList.Count == 0)
{
Session = NewSession();
return;
}
List<Role> rolesAbleToCompleteAction;
bool ableToCompleteAction = Role.CanPerform(rbacMethodList, Connection, out rolesAbleToCompleteAction);
log.DebugFormat("Roles able to complete action: {0}", Role.FriendlyCSVRoleList(rolesAbleToCompleteAction));
log.DebugFormat("Subject {0} has roles: {1}", Connection.Session.UserLogName, Role.FriendlyCSVRoleList(Connection.Session.Roles));
if (ableToCompleteAction)
{
log.Debug("Subject authorized to complete action");
Session = Connection.Session;
return;
}
log.Debug("Subject not authorized to complete action, showing sudo dialog");
var result = sudoDialog(rolesAbleToCompleteAction, Connection, Title);
if (result.Result)
{
sudoUsername = result.ElevatedUsername;
sudoPassword = result.ElevatedPassword;
Session = result.ElevatedSession;
return;
}
else
{
log.Debug("User cancelled sudo dialog, cancelling action");
throw new CancelledException();
}
}
public DelegatedAsyncAction(IXenConnection connection, string title, string startDescription, string endDescription,
Action <Session> invoker, bool suppressHistory, params string[] rbacMethods)
: this(connection, title, startDescription, endDescription, invoker, suppressHistory)
{
ApiMethodsToRoleCheck = new RbacMethodList(rbacMethods);
}
private List<string> ExtractApiCallList(AsyncAction myAction)
{
RbacMethodList rbacMethods = new RbacMethodList();
RbacCollectorProxy.GetProxy(rbacMethods);
Session session = new Session(RbacCollectorProxy.GetProxy(rbacMethods), myAction.Connection);
myAction.RunExternal(session);
return rbacMethods.ConvertAll(c => c.Method.ToLower().Replace('.', '_').Replace("async_", ""));
}
private static bool CanViewVMConsole(XenAdmin.Network.IXenConnection xenConnection)
{
if (xenConnection.Session == null)
return false;
if (!Helpers.MidnightRideOrGreater(xenConnection))
return true;
RbacMethodList r = new RbacMethodList("http/connect_console");
if (Role.CanPerform(r, xenConnection, false))
return true;
return false;
}
public RbacCollectorProxy(RbacMethodList rbacMethods)
{
this.rbacMethods = rbacMethods;
}
public WizardPermissionCheck(string warningMessage)
{
this.WarningMessage = warningMessage;
ApiCallsToCheck = new RbacMethodList();
}
public static Proxy GetProxy(RbacMethodList rbacMethods)
{
return (Proxy)generator.CreateProxyInstance(proxyType, new RbacCollectorProxy(rbacMethods));
}
/// <summary>
/// Can the main session on this connection already perform all the API methods? If on George or less this will return false.
/// </summary>
/// <param name="apiMethodsToRoleCheck">The methods to check</param>
/// <param name="connection">The connection on which to perform the methods</param>
public static bool CanPerform(RbacMethodList apiMethodsToRoleCheck, IXenConnection connection, bool debug)
{
List <Role> validRoleList;
return(CanPerform(apiMethodsToRoleCheck, connection, out validRoleList, debug));
}
/// <summary>
/// Can the main session on this connection already perform all the API methods? If on George or less this will return false.
/// Also return the list of valid roles.
/// </summary>
/// <param name="apiMethodsToRoleCheck">The methods to check</param>
/// <param name="connection">The connection on which to perform the methods</param>
/// <param name="validRoleList">The list of roles which can perform all the methods</param>
public static bool CanPerform(RbacMethodList apiMethodsToRoleCheck, IXenConnection connection, out List <Role> validRoleList)
{
return(CanPerform(apiMethodsToRoleCheck, connection, out validRoleList, true));
}
/// <summary>
/// Retrieves all the server RBAC roles which are able to complete all the api methods supplied. If on George or less this will return an empty list.
/// </summary>
/// <param name="ApiMethodsToRoleCheck">list of RbacMethods to check</param>
/// <param name="Connection">server connection to retrieve roles from</param>
/// <returns></returns>
public static List <Role> ValidRoleList(RbacMethodList ApiMethodsToRoleCheck, IXenConnection Connection)
{
return(ValidRoleList(ApiMethodsToRoleCheck, Connection, true));
}
public void AddApiCheckRange(RbacMethodList methodList)
{
foreach (var method in methodList)
ApiCallsToCheck.Add(method);
}
