/// <summary> /// Remove user from role /// </summary> public object Remove(Type scopingType, object scopingKey, object key) { var scope = this.m_roleRepository.Get((Guid)scopingKey); if (scope == null) { throw new KeyNotFoundException($"Could not find SecurityRole with identifier {scopingKey}"); } var user = this.m_userRepository.Get(Guid.Parse(key.ToString())); if (user == null) { throw new KeyNotFoundException($"User {key} not found"); } try { this.m_pep.Demand(PermissionPolicyIdentifiers.AlterRoles); this.m_roleProvider.RemoveUsersFromRoles(new string[] { user.UserName }, new string[] { scope.Name }, AuthenticationContext.Current.Principal); AuditUtil.AuditSecurityAttributeAction(new object[] { scope }, true, $"del user={user.UserName}"); return(user); } catch { AuditUtil.AuditSecurityAttributeAction(new object[] { scope }, false, $"del user={key}"); throw; } }
/// <summary> /// Remove the challenge /// </summary> public object Remove(Type scopingType, object scopingKey, object key) { // Get scope object scope = this.GetScope(scopingType, scopingKey); if (scope == null) { throw new KeyNotFoundException($"Could not find scoped object with identifier {scopingKey}"); } var policy = this.m_pip.GetPolicies().FirstOrDefault(o => o.Key == (Guid)key); if (policy == null) { throw new KeyNotFoundException($"Policy {key} not found"); } try { this.DemandFor(scopingType); this.m_pip.RemovePolicies(scope, AuthenticationContext.Current.Principal, policy.Oid); AuditUtil.AuditSecurityAttributeAction(new object[] { scope }, true, $"removed policy={policy.Oid}"); return(null); } catch { AuditUtil.AuditSecurityAttributeAction(new object[] { scope }, false, $"removed policy={policy.Oid}"); throw; } }
/// <summary> /// Add the security challenge /// </summary> public object Add(Type scopingType, object scopingKey, object item) { // Get scope object scope = this.GetScope(scopingType, scopingKey); if (scope == null) { throw new KeyNotFoundException($"Could not find scoped object with identifier {scopingKey}"); } try { this.DemandFor(scopingType); // Get or create the scoped item if (item is SecurityPolicy policy) { item = new SecurityPolicyInfo(policy); } var rd = item as SecurityPolicyInfo; this.m_pip.AddPolicies(scope, rd.Grant, AuthenticationContext.Current.Principal, rd.Oid); AuditUtil.AuditSecurityAttributeAction(new object[] { scope }, true, $"added policy={rd.Oid}:{rd.Policy}"); return(rd); } catch { AuditUtil.AuditSecurityAttributeAction(new object[] { scope }, false); throw; } }
/// <summary> /// Add a new user to the role /// </summary> public object Add(Type scopingType, object scopingKey, object item) { var scope = this.m_roleRepository.Get((Guid)scopingKey); if (scope == null) { throw new KeyNotFoundException($"Could not find SecurityRole with identifier {scopingKey}"); } try { this.m_pep.Demand(PermissionPolicyIdentifiers.AlterRoles); // Get user entity if (item is SecurityUser su) { item = new SecurityUserInfo(su); } var rd = item as SecurityUserInfo; if (!rd.Entity.Key.HasValue) { rd.Entity = this.m_securityRepository.GetUser(rd.Entity.UserName); } if (rd.Entity == null) { throw new KeyNotFoundException($"Could not find specified user"); } this.m_roleProvider.AddUsersToRoles(new string[] { rd.Entity.UserName }, new string[] { scope.Name }, AuthenticationContext.Current.Principal); AuditUtil.AuditSecurityAttributeAction(new object[] { scope }, true, $"add user={rd.Entity.UserName}"); return(rd.Entity); } catch { AuditUtil.AuditSecurityAttributeAction(new object[] { scope }, false); throw; } }
/// <summary> /// Raise the security attributes change event /// </summary> protected void FireSecurityAttributesChanged(object scope, bool success, params String[] changedProperties) { AuditUtil.AuditSecurityAttributeAction(new object[] { scope }, success, changedProperties); }
/// <summary> /// Changes the users password. /// </summary> /// <param name="userName">The username of the user.</param> /// <param name="newPassword">The new password of the user.</param> /// <param name="principal">The authentication principal (the user that is changing the password).</param> public void ChangePassword(string userName, string newPassword, System.Security.Principal.IPrincipal principal) { try { // The principal must change their own password or must have the changepassword credential if (!userName.Equals(principal.Identity.Name, StringComparison.InvariantCultureIgnoreCase)) { new PolicyPermission(System.Security.Permissions.PermissionState.Unrestricted, PermissionPolicyIdentifiers.ChangePassword).Demand(); } else if (!principal.Identity.IsAuthenticated) { throw new InvalidOperationException("Unauthenticated principal cannot change user password"); } // Get the user's identity var securityUserService = ApplicationContext.Current.GetService <ISecurityRepositoryService>(); var localIdp = ApplicationContext.Current.GetService <IOfflineIdentityProviderService>(); if (localIdp?.IsLocalUser(userName) == true) // User is a local user, so we only change password on local { localIdp.ChangePassword(userName, newPassword, principal); } else { using (AmiServiceClient client = new AmiServiceClient(ApplicationContext.Current.GetRestClient("ami"))) { Guid userId = Guid.Empty; if (principal.Identity.Name.ToLowerInvariant() == userName.ToLowerInvariant()) { var subjectClaim = (principal as IClaimsPrincipal).FindFirst(SanteDBClaimTypes.Sid); if (subjectClaim != null) { userId = Guid.Parse(subjectClaim.Value); } } // User ID not found - lookup if (userId == Guid.Empty) { // User service is null var securityUser = securityUserService.GetUser(userName); if (securityUser == null) { var tuser = client.GetUsers(o => o.UserName == userName).CollectionItem.OfType <SecurityUserInfo>().FirstOrDefault(); if (tuser == null) { throw new ArgumentException(string.Format("User {0} not found", userName)); } else { userId = tuser.Entity.Key.Value; } } else { userId = securityUser.Key.Value; } } // Use the current configuration's credential provider var user = new SecurityUserInfo(new SecurityUser() { Key = userId, UserName = userName, Password = newPassword }) { PasswordOnly = true }; // Set the credentials client.Client.Credentials = ApplicationContext.Current.Configuration.GetServiceDescription("ami").Binding.Security.CredentialProvider.GetCredentials(principal); client.UpdateUser(userId, user); // Change locally var userInfo = localIdp?.GetIdentity(userName); if (userInfo != null) { localIdp?.ChangePassword(userName, newPassword, principal); } // Audit - Local IDP has alerted this already AuditUtil.AuditSecurityAttributeAction(new object[] { user.ToIdentifiedData() }, true, new string[] { "password" }); } } } catch (Exception e) { this.m_tracer.TraceError("Error changing password for user {0} : {1}", userName, e); throw; } }