public void TestInit() {
_resourcePermissions = new ResourcePermissions( "r",new List<Permission> {
new Permission( "a",false ),
new Permission( "b",true ),
new Permission( "c",false ),
new Permission( "c",true ),
} );
}
public void TestInit()
{
_resourcePermissions = new ResourcePermissions("r", new List <Permission> {
new Permission("a", false),
new Permission("b", true),
new Permission("c", false),
new Permission("c", true),
});
}
public bool HasDuplicateResourcePermissions()
{
var duplicates = ResourcePermissions
.Where(i => !i.IsDeleted)
.GroupBy(i => new { i.ResourceID, i.WindowsGroup })
.Where(g => g.Count() > 1)
.Select(g => g.Key);
return(duplicates.Any());
}
/// <summary>
/// Extracts the requested permission string.
/// </summary>
/// <param name="permissions">The permissions to extract.</param>
/// <returns>The extracted permissions.</returns>
public virtual ResourcePermissions ExtractPermissions(string permissions)
{
if (string.IsNullOrWhiteSpace(permissions))
{
throw new HttpResponseException(HttpStatusCode.BadRequest);
}
ResourcePermissions allowed = this.AllowedPermissions;
ResourcePermissions p = ResourcePermissions.None;
foreach (char c in permissions)
{
switch (c)
{
case 'r':
this.ValidatePermission(ResourcePermissions.Read, p, allowed);
p |= ResourcePermissions.Read;
break;
case 'a':
this.ValidatePermission(ResourcePermissions.Add, p, allowed);
p |= ResourcePermissions.Add;
break;
case 'u':
this.ValidatePermission(ResourcePermissions.Update, p, allowed);
p |= ResourcePermissions.Update;
break;
case 'd':
this.ValidatePermission(ResourcePermissions.Delete, p, allowed);
p |= ResourcePermissions.Delete;
break;
case 'p':
this.ValidatePermission(ResourcePermissions.Process, p, allowed);
p |= ResourcePermissions.Process;
break;
case 'w':
this.ValidatePermission(ResourcePermissions.Write, p, allowed);
p |= ResourcePermissions.Write;
break;
default:
throw new HttpResponseException(HttpStatusCode.BadRequest);
}
}
return(p);
}
private void UpdateControlsStatus(IEnumerable <NavigationProperty> propertyCollection,
ResourcePermissions <Resource> userPermissions, bool isAdmin, bool isOwner)
{
ResourceTypeControl.ResourceHierarchy = SelectedResourceType;
if (IsEditMode)
{
ResourceTypeTab.Visible = false;
//Apply security checks
SummaryTab.Visible = ChangeHistoryTab.Visible =
userPermissions.Permissions.Contains(UserResourcePermissions.Read) ? true : false;
MetadataTab.Visible = AssociationsTab.Visible =
userPermissions.Permissions.Contains(UserResourcePermissions.Update) ? true : false;
//TODO: Add one more condittion to check whether the current user is admin or not(after changes in Security API)
ResourcePermissionsTab.Visible = isAdmin | isOwner ? true : false;
if (!userPermissions.Permissions.Contains(UserResourcePermissions.Update) ||
propertyCollection.Where(tuple => tuple.Name.Equals(_categoryNodesProperty)).Count() == 0)
{
CategoriesTab.Visible = false;
}
else
{
CategoriesTab.Visible = true;
}
if (!userPermissions.Permissions.Contains(UserResourcePermissions.Update) ||
propertyCollection.Where(tuple => tuple.Name.Equals(_tagsProperty)).Count() == 0)
{
TagsTab.Visible = false;
}
else
{
TagsTab.Visible = true;
}
}
else
{
ResourceTypeTab.Visible = true;
MetadataTab.Visible = Constants.MetadataTab.Equals(ActiveTab) ? true : false;
SummaryTab.Visible = AssociationsTab.Visible =
ResourcePermissionsTab.Visible = TagsTab.Visible =
CategoriesTab.Visible = ChangeHistoryTab.Visible = false;
}
}
/// <summary>
/// Throws a bad request exception if the given permission set already contains the specific permission.
/// </summary>
/// <param name="existingPermissions">The current permission set.</param>
/// <param name="newPermission">The specific permission to check for.</param>
protected virtual void ValidatePermission(ResourcePermissions newPermission, ResourcePermissions existingPermissions, ResourcePermissions allowedPermissions)
{
// First, determine whether we've already seen this permission before.
if ((existingPermissions & newPermission) == newPermission)
{
throw new HttpResponseException(HttpStatusCode.BadRequest);
}
// Now, verify that this permission is allowed.
if ((allowedPermissions & newPermission) != newPermission)
{
throw new HttpResponseException(HttpStatusCode.BadRequest);
}
}
private ResourceDto ConvertToTemplateData(ResourcePermissions m)
{
return(new ResourceDto
{
Name = m.Name,
Description = m.Description,
ResourceId = m.ResourceId,
Permissions = m.Permissions
.Select(p => new ResourceDto.Permission
{
PermissionId = p.PermissionId,
Name = p.Name,
Description = p.Description,
IsAllowed = p.IsAllowed
}).ToList(),
HasInstancePermissions = m.HasInstancePermissions
});
}
private void Initialize()
{
ResourceType type = null;
IEnumerable <NavigationProperty> propertyCollection = null;
ResourcePermissions <Resource> userPermissions = null;
bool isAdmin = false;
bool isOwner = false;
using (ResourceDataAccess dataAccess = new ResourceDataAccess())
{
if (IsEditMode)
{
AuthenticatedToken token = Session[Constants.AuthenticationTokenKey] as AuthenticatedToken;
userPermissions = dataAccess.GetResourcePermissions(token, ResourceId);
//Throw exception is user is not having atleast read permission on the resource.
if (userPermissions == null || !userPermissions.Permissions.Contains(UserResourcePermissions.Read))
{
throw new UnauthorizedAccessException(string.Format(CultureInfo.InvariantCulture,
Resources.Resources.MsgUnAuthorizeAccess, UserResourcePermissions.Read));
}
isAdmin = dataAccess.IsAdmin(token);
isOwner = dataAccess.IsOwner(token, userPermissions.Resource);
type = dataAccess.GetResourceType(ResourceId);
propertyCollection = dataAccess.GetNavigationProperties(Cache, ResourceId);
}
else
{
string resType = Convert.ToString(Request.QueryString[_resourceTypeKey]);
if (!string.IsNullOrEmpty(resType))
{
type = dataAccess.GetResourceType(resType);
}
}
}
if (type != null)
{
SelectedResourceType = type.Name;
}
UpdateControlsStatus(propertyCollection, userPermissions, isAdmin, isOwner);
}
void OnPermissionPropertyChanged(object sender, PropertyChangedEventArgs args)
{
IsDirty = true;
UpdateOverridingPermission(sender as WindowsGroupPermission, args.PropertyName);
if (args.PropertyName == "WindowsGroup" || args.PropertyName == "ResourceName")
{
var permission = (WindowsGroupPermission)sender;
if (permission.IsNew)
{
if (permission.IsValid)
{
permission.IsNew = false;
var newPermission = CreateNewPermission(permission.IsServer);
if (permission.IsServer)
{
ServerPermissions.Add(newPermission);
}
else
{
ResourcePermissions.Add(newPermission);
}
}
}
else
{
var isEmpty = string.IsNullOrEmpty(permission.WindowsGroup);
if (isEmpty)
{
if (permission.IsServer)
{
ServerPermissions.Remove(permission);
}
else
{
ResourcePermissions.Remove(permission);
}
}
}
}
}
/// <summary>
/// Creates a SAS key for a queue with the given name, permissions, and expiration.
/// </summary>
/// <param name="queueName">The name of the queue to create.</param>
/// <param name="permissions">The permissions to apply to the queue.</param>
/// <param name="expiration">The expiration time for the token.</param>
/// <returns>Returns the blob's URI access string.</returns>
public ResourceToken CreateQueueAccessToken(string queueName, ResourcePermissions permissions, DateTime?expiration = null)
{
if (string.IsNullOrWhiteSpace(queueName))
{
throw new ArgumentException("must not be null or empty", "queueName");
}
// Set up the SAS constraints.
SharedAccessQueuePolicy sasConstraints = GetQueueSasConstraints(permissions, expiration);
// Get a reference to the queue.
CloudQueue queue = this.QueueClient.GetQueueReference(queueName);
// Get the queue SAS.
string sasQueueToken = queue.GetSharedAccessSignature(sasConstraints);
// Append this to the URI.
return(new ResourceToken {
Uri = queue.Uri + sasQueueToken
});
}
public async Task <IEnumerable <ResourcePermissions> > GetResourcePermissionsAsync(ICollection <TKey> roleIds, CancellationToken token = default(CancellationToken))
{
var resources = _resourceRegistry.ResourceTypes
.Select((r, i) => new
{
Index = i,
Name = _namingConvertor.GetResourceUniqueName(r.ResourceType),
Type = r.ResourceType,
Permissions = r.StaticPermissions
}).ToList();
var result = new ResourcePermissions[resources.Count];
foreach (var resource in resources)
{
var permissions = new List <Permission>();
foreach (var permissionType in resource.Permissions)
{
var enumNames = Enum.GetNames(permissionType);
foreach (var enumName in enumNames)
{
var memberInfo = permissionType.GetField(enumName);
var permissionUniqueIdentifier =
_namingConvertor.GetPermissionUniqueIdentifier(permissionType, memberInfo);
permissions.Add(new Permission
{
Identifier = permissionUniqueIdentifier,
IsAllowed = (await _permissionStore.IsAllowedAsync(roleIds, resource.Name, permissionUniqueIdentifier, token)) ?? false
});
}
}
result.SetValue(new ResourcePermissions
{
UniqueName = resource.Name,
Permissions = permissions
}, resource.Index);
}
return(result);
}
/// <summary>
/// Creates SAS constraints from the given parameters.
/// </summary>
/// <param name="permissions">The permission set.</param>
/// <param name="expiration">The expiration time.</param>
/// <returns>Returns the access policy.</returns>
private static SharedAccessBlobPolicy GetBlobSasConstraints(ResourcePermissions permissions, DateTime?expiration)
{
SharedAccessBlobPolicy sasConstraints = new SharedAccessBlobPolicy();
// Set the start time to five minutes in the past.
sasConstraints.SharedAccessStartTime = DateTimeOffset.Now - TimeSpan.FromMinutes(5);
// Expiration.
if (expiration != null)
{
sasConstraints.SharedAccessExpiryTime = expiration.Value;
}
// Permissions.
sasConstraints.Permissions = SharedAccessBlobPermissions.None;
if ((permissions & ResourcePermissions.Read) == ResourcePermissions.Read)
{
sasConstraints.Permissions |= SharedAccessBlobPermissions.Read;
}
if ((permissions & ResourcePermissions.Write) == ResourcePermissions.Write)
{
sasConstraints.Permissions |= SharedAccessBlobPermissions.Write;
}
else
{
if ((permissions & ResourcePermissions.Add) == ResourcePermissions.Add ||
(permissions & ResourcePermissions.Update) == ResourcePermissions.Update ||
(permissions & ResourcePermissions.Delete) == ResourcePermissions.Delete)
{
throw new HttpResponseException(new HttpResponseMessage(HttpStatusCode.BadRequest)
{
Content = new StringContent("Blobs do not support Add, Update, or Delete permissions. Use the Write permission instead.")
});
}
}
return(sasConstraints);
}
/// <summary>
/// Creates SAS constraints from the given parameters.
/// </summary>
/// <param name="permissions">The permission set.</param>
/// <param name="expiration">The expiration time.</param>
/// <returns>Returns the access policy.</returns>
private static SharedAccessQueuePolicy GetQueueSasConstraints(ResourcePermissions permissions, DateTime?expiration)
{
SharedAccessQueuePolicy sasConstraints = new SharedAccessQueuePolicy();
// Set the start time to five minutes in the past.
sasConstraints.SharedAccessStartTime = DateTimeOffset.Now - TimeSpan.FromMinutes(5);
// Expiration.
if (expiration != null)
{
sasConstraints.SharedAccessExpiryTime = expiration.Value;
}
// Permissions.
sasConstraints.Permissions = SharedAccessQueuePermissions.None;
if ((permissions & ResourcePermissions.Read) == ResourcePermissions.Read)
{
sasConstraints.Permissions |= SharedAccessQueuePermissions.Read;
}
if ((permissions & ResourcePermissions.Add) == ResourcePermissions.Add)
{
sasConstraints.Permissions |= SharedAccessQueuePermissions.Add;
}
if ((permissions & ResourcePermissions.Update) == ResourcePermissions.Update)
{
sasConstraints.Permissions |= SharedAccessQueuePermissions.Update;
}
if ((permissions & ResourcePermissions.Process) == ResourcePermissions.Process)
{
sasConstraints.Permissions |= SharedAccessQueuePermissions.ProcessMessages;
}
return(sasConstraints);
}
/// <summary>
/// Throws a bad request exception if the given permission set already contains the specific permission.
/// </summary>
/// <param name="existingPermissions">The current permission set.</param>
/// <param name="newPermission">The specific permission to check for.</param>
protected virtual void ValidatePermission(ResourcePermissions newPermission, ResourcePermissions existingPermissions, ResourcePermissions allowedPermissions)
{
// First, determine whether we've already seen this permission before.
if ((existingPermissions & newPermission) == newPermission)
{
throw new HttpResponseException(HttpStatusCode.BadRequest);
}
// Now, verify that this permission is allowed.
if ((allowedPermissions & newPermission) != newPermission)
{
throw new HttpResponseException(HttpStatusCode.BadRequest);
}
}
/// <summary>
/// Creates a SAS key for a queue with the given name, permissions, and expiration.
/// </summary>
/// <param name="queueName">The name of the queue to create.</param>
/// <param name="permissions">The permissions to apply to the queue.</param>
/// <param name="expiration">The expiration time for the token.</param>
/// <returns>Returns the blob's URI access string.</returns>
public ResourceToken CreateQueueAccessToken(string queueName, ResourcePermissions permissions, DateTime? expiration = null)
{
if (string.IsNullOrWhiteSpace(queueName))
{
throw new ArgumentException("must not be null or empty", "queueName");
}
// Set up the SAS constraints.
SharedAccessQueuePolicy sasConstraints = GetQueueSasConstraints(permissions, expiration);
// Get a reference to the queue.
CloudQueue queue = this.QueueClient.GetQueueReference(queueName);
// Get the queue SAS.
string sasQueueToken = queue.GetSharedAccessSignature(sasConstraints);
// Append this to the URI.
return new ResourceToken { Uri = queue.Uri + sasQueueToken };
}
/// <summary>
/// Creates a SAS key for a blob with the given name, permissions, and expiration.
/// </summary>
/// <param name="containerName">The name of the container to create the blob within.</param>
/// <param name="blobName">The name of the blob to create.</param>
/// <param name="permissions">The permissions to apply to the blob.</param>
/// <param name="expiration">The expiration time for the token.</param>
/// <returns>Returns the blob's URI access string.</returns>
public ResourceToken CreateBlobAccessToken(string containerName, string blobName, ResourcePermissions permissions, DateTime?expiration = null)
{
if (string.IsNullOrWhiteSpace(containerName))
{
throw new ArgumentException("must not be null or empty", "containerName");
}
if (string.IsNullOrWhiteSpace(blobName))
{
throw new ArgumentException("must not be null or empty", "blobName");
}
// Set up the container connection.
CloudBlobContainer container = this.BlobClient.GetContainerReference(containerName);
// Set up the SAS constraints.
SharedAccessBlobPolicy sasConstraints = GetBlobSasConstraints(permissions, expiration);
// Get a reference to the blob.
CloudBlockBlob blob = container.GetBlockBlobReference(blobName);
// Get the blob SAS.
string sasBlobToken = blob.GetSharedAccessSignature(sasConstraints);
// Append this to the URI.
return(new ResourceToken {
Uri = blob.Uri + sasBlobToken
});
}
/// <summary>
/// Creates SAS constraints from the given parameters.
/// </summary>
/// <param name="permissions">The permission set.</param>
/// <param name="expiration">The expiration time.</param>
/// <returns>Returns the access policy.</returns>
private static SharedAccessBlobPolicy GetBlobSasConstraints(ResourcePermissions permissions, DateTime? expiration)
{
SharedAccessBlobPolicy sasConstraints = new SharedAccessBlobPolicy();
// Set the start time to five minutes in the past.
sasConstraints.SharedAccessStartTime = DateTimeOffset.Now - TimeSpan.FromMinutes(5);
// Expiration.
if (expiration != null)
{
sasConstraints.SharedAccessExpiryTime = expiration.Value;
}
// Permissions.
sasConstraints.Permissions = SharedAccessBlobPermissions.None;
if ((permissions & ResourcePermissions.Read) == ResourcePermissions.Read)
{
sasConstraints.Permissions |= SharedAccessBlobPermissions.Read;
}
if ((permissions & ResourcePermissions.Write) == ResourcePermissions.Write)
{
sasConstraints.Permissions |= SharedAccessBlobPermissions.Write;
}
else
{
if ((permissions & ResourcePermissions.Add) == ResourcePermissions.Add ||
(permissions & ResourcePermissions.Update) == ResourcePermissions.Update ||
(permissions & ResourcePermissions.Delete) == ResourcePermissions.Delete)
{
throw new HttpResponseException(new HttpResponseMessage(HttpStatusCode.BadRequest) { Content = new StringContent("Blobs do not support Add, Update, or Delete permissions. Use the Write permission instead.") });
}
}
return sasConstraints;
}
/// <summary>
/// Creates SAS constraints from the given parameters.
/// </summary>
/// <param name="permissions">The permission set.</param>
/// <param name="expiration">The expiration time.</param>
/// <returns>Returns the access policy.</returns>
private static SharedAccessQueuePolicy GetQueueSasConstraints(ResourcePermissions permissions, DateTime? expiration)
{
SharedAccessQueuePolicy sasConstraints = new SharedAccessQueuePolicy();
// Set the start time to five minutes in the past.
sasConstraints.SharedAccessStartTime = DateTimeOffset.Now - TimeSpan.FromMinutes(5);
// Expiration.
if (expiration != null)
{
sasConstraints.SharedAccessExpiryTime = expiration.Value;
}
// Permissions.
sasConstraints.Permissions = SharedAccessQueuePermissions.None;
if ((permissions & ResourcePermissions.Read) == ResourcePermissions.Read)
{
sasConstraints.Permissions |= SharedAccessQueuePermissions.Read;
}
if ((permissions & ResourcePermissions.Add) == ResourcePermissions.Add)
{
sasConstraints.Permissions |= SharedAccessQueuePermissions.Add;
}
if ((permissions & ResourcePermissions.Update) == ResourcePermissions.Update)
{
sasConstraints.Permissions |= SharedAccessQueuePermissions.Update;
}
if ((permissions & ResourcePermissions.Process) == ResourcePermissions.Process)
{
sasConstraints.Permissions |= SharedAccessQueuePermissions.ProcessMessages;
}
return sasConstraints;
}
/// <summary>
/// Creates a SAS key for a blob with the given name, permissions, and expiration.
/// </summary>
/// <param name="containerName">The name of the container to create the blob within.</param>
/// <param name="blobName">The name of the blob to create.</param>
/// <param name="permissions">The permissions to apply to the blob.</param>
/// <param name="expiration">The expiration time for the token.</param>
/// <returns>Returns the blob's URI access string.</returns>
public ResourceToken CreateBlobAccessToken(string containerName, string blobName, ResourcePermissions permissions, DateTime? expiration = null)
{
if (string.IsNullOrWhiteSpace(containerName))
{
throw new ArgumentException("must not be null or empty", "containerName");
}
if (string.IsNullOrWhiteSpace(blobName))
{
throw new ArgumentException("must not be null or empty", "blobName");
}
// Set up the container connection.
CloudBlobContainer container = this.BlobClient.GetContainerReference(containerName);
// Set up the SAS constraints.
SharedAccessBlobPolicy sasConstraints = GetBlobSasConstraints(permissions, expiration);
// Get a reference to the blob.
CloudBlockBlob blob = container.GetBlockBlobReference(blobName);
// Get the blob SAS.
string sasBlobToken = blob.GetSharedAccessSignature(sasConstraints);
// Append this to the URI.
return new ResourceToken { Uri = blob.Uri + sasBlobToken };
}
