private UpdateResult CheckOtherUpdate(IIdentity actor, UserUpdateInfo update, IUser target)
{
if (update.ChangedDomain(target))
{
return(new UpdateResult {
IsError = true, ErrorMessage = "cannot change domain"
});
}
if (Roles.IsInRole(actor, SecurityConst.ROLE_DOMAIN_ADMIN))
{
if (update.ChangedActive(target) && !target.Active)
{
return(new UpdateResult {
IsError = true, ErrorMessage = "cannot reactivate yourself"
});
}
if (update.ChangedLogable(target) && !target.Logable)
{
return(new UpdateResult {
IsError = true, ErrorMessage = "cannot reactivate logability"
});
}
return(new UpdateResult {
Ok = true
});
}
return(new UpdateResult {
IsError = true,
ErrorMessage = "only sys and domain admins can change other's profile"
});
}
private static UserUpdateInfo ExtractSingle(object j)
{
var _active = j.str("active");
var _admin = j.str("admin");
var _expire = j.str("expire");
var _custom = j.get("custom") as IDictionary <string, object>;
var _roles = j.get("roles") as object[];
var _groups = j.get("groups") as object[];
var _isgroup = j.str("isgroup");
var _logable = j.str("logable");
var result = new UserUpdateInfo {
Login = j.str("login"),
Name = j.str("name"),
Email = j.str("email"),
Active = string.IsNullOrWhiteSpace(_active) ? (bool?)null : _active.ToBool(),
IsGroup = string.IsNullOrWhiteSpace(_isgroup) ? (bool?)null : _isgroup.ToBool(),
IsAdmin = string.IsNullOrWhiteSpace(_admin) ? (bool?)null : _admin.ToBool(),
Logable = string.IsNullOrWhiteSpace(_logable) ? (bool?)null : _logable.ToBool(),
Expire = string.IsNullOrWhiteSpace(_expire) ? (DateTime?)null : _expire.ToDate(),
Password = j.str("password"),
Domain = j.str("domain"),
PublicKey = j.str("publickey"),
Roles = (_roles == null || _roles.Length == 0) ? null : _roles.Select(_ => _.ToStr()).ToList(),
Groups = (_groups == null || _groups.Length == 0) ? null : _groups.Select(_ => _.ToStr()).ToList(),
Custom = (_custom == null || _custom.Count == 0) ? null : _custom
};
return(result);
}
public UserPolicy GetNewUserPolicy(UserUpdateInfo update)
{
return(new UserPolicy {
Logable = true,
ExpirationDays = 180,
Active = true,
MakePassRequest = true
});
}
private UpdateResult CheckCreation(IIdentity actor, UserUpdateInfo update)
{
var id = actor as Identity;
var usr = id.User ?? Users.GetUser(actor.Name);
if (null == usr)
{
return(new UpdateResult {
IsError = true, ErrorMessage = "cannot check not registered actor"
});
}
if (string.IsNullOrWhiteSpace(usr.Domain))
{
return(new UpdateResult {
IsError = true, ErrorMessage = "only admins can create becide domain"
});
}
if (!Roles.IsInRole(actor, SecurityConst.ROLE_DOMAIN_ADMIN))
{
return(new UpdateResult {
IsError = true, ErrorMessage = "not domain administrator"
});
}
if (update.Domain != usr.Domain)
{
return(new UpdateResult {
IsError = true, ErrorMessage = "only in-domain creation allowed"
});
}
if (!string.IsNullOrWhiteSpace(update.Password))
{
return(new UpdateResult {
IsError = true, ErrorMessage = "cannot set password for new user"
});
}
if (string.IsNullOrWhiteSpace(update.Email))
{
return(new UpdateResult {
IsError = true, ErrorMessage = "email required for new users"
});
}
return(new UpdateResult {
Ok = true
});
}
public UpdateResult ValidateUpdate(IIdentity actor, UserUpdateInfo update, IUser target)
{
var validateUpdate = CheckCommons(actor, update, target);
if (validateUpdate != null)
{
return(validateUpdate);
}
if (null == target || 0 == target.Version)
{
return(CheckCreation(actor, update));
}
if (actor.Name == update.Login)
{
return(CheckSelfUpdate(actor, update, target));
}
return(CheckOtherUpdate(actor, update, target));
}
private UpdateResult UpdateResult(IIdentity actor, IUser target, bool store, UserUpdateInfo updateinfo
)
{
UpdateResult res = null;
Logg.Info(new { updateusr = "******", usr = actor.Name, info = updateinfo }.stringify());
if (string.IsNullOrWhiteSpace(updateinfo.Login))
{
updateinfo.Login = actor.Name;
}
target = target ?? Users.GetUser(updateinfo.Login);
var newuser = target == null;
if (!updateinfo.HasDelta(target))
{
return(new UpdateResult {
Ok = true, Message = "notchanged", ResultUser = target
});
}
res = Checker.ValidateUpdate(actor, updateinfo, target);
if (!res.Ok)
{
Logg.Warn(
new { updateusr = "******", validation = res, usr = actor.Name, info = updateinfo }.stringify());
return(res);
}
if (null == target)
{
target = new User {
Login = updateinfo.Login
};
}
updateinfo.Apply(target);
UserPolicy policy = null;
if (newuser)
{
policy = UserPolicy.GetNewUserPolicy(updateinfo);
}
if (null != policy)
{
policy.Apply(target);
}
if (store)
{
Users.Store(target);
}
if (null != policy && policy.MakePassRequest && null != Messendger)
{
if (newuser)
{
Messendger.SendWelcome(target);
}
}
Logg.Info(new { updateusr = "******", result = target, usr = actor.Name, info = updateinfo }.stringify());
Users.Clear();
Roles.Clear();
res = new UpdateResult {
Ok = true, ResultUser = target
};
return(res);
}
private UpdateResult CheckSelfUpdate(IIdentity actor, UserUpdateInfo update, IUser target)
{
if (update.ChangedDomain(target))
{
return(new UpdateResult {
IsError = true, ErrorMessage = "cannot change domain"
});
}
if (Roles.IsInRole(actor, SecurityConst.ROLE_DOMAIN_ADMIN))
{
if (update.ChangedActive(target) && !target.Active)
{
return(new UpdateResult {
IsError = true, ErrorMessage = "cannot reactivate yourself"
});
}
if (update.ChangedLogable(target) && !target.Logable)
{
return(new UpdateResult {
IsError = true, ErrorMessage = "cannot reactivate logability"
});
}
return(new UpdateResult {
Ok = true
});
}
if (update.ChangedCustom(target))
{
if (update.Custom.stringify().ToUpper().Contains("SECURE_"))
{
return(new UpdateResult {
IsError = true, ErrorMessage = "cannot manage secure customs"
});
}
}
if (update.ChangedEmail(target))
{
return(new UpdateResult {
IsError = true, ErrorMessage = "cannot change email"
});
}
if (update.ChangedRoles(target))
{
return(new UpdateResult {
IsError = true, ErrorMessage = "cannot change roles"
});
}
if (update.ChangedGroups(target))
{
return(new UpdateResult {
IsError = true, ErrorMessage = "cannot change groups"
});
}
if (update.ChangedExpire(target))
{
return(new UpdateResult {
IsError = true, ErrorMessage = "cannot change expire"
});
}
return(new UpdateResult {
Ok = true
});
}
private UpdateResult CheckCommons(IIdentity actor, UserUpdateInfo update, IUser target)
{
if (null == Roles)
{
throw new Exception("cannot work without roles");
}
if (null == Users)
{
throw new Exception("cannot work without users");
}
var id = actor as Identity;
var u = target as User;
if (null != u)
{
if (null != u.UserSource)
{
var ws = u.UserSource as IWriteableUserSource;
if (null == ws || !ws.WriteUsersEnabled)
{
return(new UpdateResult {
IsError = true, ErrorMessage = "no storage"
});
}
}
}
if (null == id)
{
return(new UpdateResult {
IsError = true, ErrorMessage = "no actor"
});
}
if (!id.IsAuthenticated)
{
return(new UpdateResult {
IsError = true, ErrorMessage = "not auth"
});
}
if (id.IsAdmin)
{
return(new UpdateResult {
Ok = true
});
}
#region Q543
// >>> #Q-543 implementation ROLE_SECURITY_ADMIN can do anything except ADMIN and SECURITY_ADMIN management
if (null != update.IsAdmin && update.IsAdmin != target.IsAdmin)
{
return(new UpdateResult {
IsError = true, ErrorMessage = "cannot set admin"
});
}
if (update.ChangedRoles(target))
{
if (update.Roles.Any(_ => _.Contains(SecurityConst.ROLE_SECURITY_ADMIN)))
{
return(new UpdateResult {
IsError = true, ErrorMessage = $"cannot manage {SecurityConst.ROLE_SECURITY_ADMIN} role"
});
}
}
if (Roles.IsInRole(id, SecurityConst.ROLE_SECURITY_ADMIN))
{
return(new UpdateResult {
Ok = true
});
}
#endregion
if (update.ChangedRoles(target))
{
if (update.Roles.Any(_ => _.ToUpper().Contains("SECURE_")))
{
return(new UpdateResult {
IsError = true, ErrorMessage = "cannot manage secure roles"
});
}
}
if (update.ChangedGroups(target))
{
if (update.Groups.Any(_ => _.ToUpper().Contains("SECURE_")))
{
return(new UpdateResult {
IsError = true, ErrorMessage = "cannot manage secure groups"
});
}
}
if (update.ChangedPublicKey(target))
{
return(new UpdateResult {
IsError = true, ErrorMessage = "cannot set public key"
});
}
if (null != update.IsGroup)
{
return(new UpdateResult {
IsError = true, ErrorMessage = "cannot manage groups"
});
}
if (!string.IsNullOrWhiteSpace(update.Email) &&
!Regex.IsMatch(update.Email, @"^[a-zA-Z0-9_.+-]+@[a-zA-Z0-9-]+\.[a-zA-Z0-9-.]+$"))
{
return(new UpdateResult {
IsError = true, ErrorMessage = "mailformed email"
});
}
return(null);
}
