示例#1
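        /// <summary>
        /// Asks the AzMan store at <c>AzManStorePath</c> whether the current Windows identity may
        /// perform the operation named in <c>txtOperation</c> inside "Application Test".
        /// </summary>
        /// <returns>
        /// <c>true</c> only when AccessCheck returned at least one entry and every entry is 0;
        /// <c>false</c> when any entry is non-zero or when no result came back.
        /// </returns>
        private bool AzManTestCheckAccess()
        {
            string   applicationName = "Application Test";
            string[] operations      = new string[] { this.txtOperation.Text };

            AzAuthorizationStoreClass store = new AzAuthorizationStoreClass();

            store.Initialize(0, AzManStorePath, null);
            IAzApplication azApp = store.OpenApplication(applicationName, null);

            // WindowsIdentity.GetCurrent() returns a disposable object wrapping a token handle;
            // keep it alive for the whole check and release it afterwards.
            using (WindowsIdentity identity = WindowsIdentity.GetCurrent())
            {
                IAzClientContext clientCtx = azApp.InitializeClientContextFromToken((UInt64)identity.Token, null);

                // No business-rule parameters are supplied, so both arrays stay empty.
                Object[] names        = new Object[0];
                Object[] values       = new Object[0];

                // AccessCheck takes operation IDs, so each operation name is resolved first.
                Object[] operationIds = new Object[operations.Length];
                for (Int32 index = 0; index < operations.Length; index++)
                {
                    operationIds[index] = azApp.OpenOperation(operations[index], null).OperationID;
                }

                // A single null entry is passed as the scope list.
                // NOTE(review): presumably this selects the application's default scope - confirm.
                Object[] internalScopes = new Object[1];
                Object[] result         = (Object[])clientCtx.AccessCheck("AuditString", internalScopes, operationIds, names, values, null, null, null);

                // Fail closed: an authorization check with no verdict must not grant access.
                if (result == null || result.Length == 0)
                {
                    return false;
                }

                foreach (Int32 accessAllowed in result)
                {
                    // Any non-zero entry is treated as a denial of the matching operation.
                    if (accessAllowed != 0)
                    {
                        return false;
                    }
                }
                return true;
            }
        }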
        /// <summary>
        /// Opens the named application in the AzMan store at <c>storeLocation</c> and creates a
        /// client context from the Windows token of <paramref name="identity"/>.
        /// </summary>
        /// <param name="identity">Windows identity whose token seeds the client context.</param>
        /// <param name="applicationName">Name of the AzMan application to open.</param>
        /// <param name="azApp">Receives the opened application.</param>
        /// <returns>The client context created from the identity's token.</returns>
        private IAzClientContext GetClientContext(WindowsIdentity identity, String applicationName, out IAzApplication azApp)
        {
            // Only store initialization and the application lookup run under contextLock;
            // the client context itself is created outside the lock.
            lock (contextLock)
            {
                AzAuthorizationStoreClass authStore = new AzAuthorizationStoreClass();
                authStore.Initialize(0, this.storeLocation, null);
                azApp = authStore.OpenApplication(applicationName, null);
            }

            // The token handle is passed to the COM API as an unsigned 64-bit value.
            long rawHandle = identity.Token.ToInt64();
            return azApp.InitializeClientContextFromToken((ulong)rawHandle, null);
        }
示例#3
        /// <summary>
        /// Opens the named application in the AzMan store described by <paramref name="data"/> and
        /// creates a client context from the caller's Windows token.
        /// </summary>
        /// <param name="data">Provider configuration; only <c>StoreLocation</c> is read here.</param>
        /// <param name="identity">Caller identity; must be a <see cref="WindowsIdentity"/>.</param>
        /// <param name="applicationName">Name of the AzMan application to open.</param>
        /// <param name="azApp">Receives the opened application.</param>
        /// <returns>The client context created from the identity's token.</returns>
        /// <exception cref="ArgumentException">
        /// <paramref name="identity"/> is null or is not a <see cref="WindowsIdentity"/>.
        /// </exception>
        private IAzClientContext GetClientContext(AzManAuthorizationProviderData data, IIdentity identity, String applicationName, out IAzApplication azApp)
        {
            // The context is built from a Windows access token, so any other identity type
            // (including null) is rejected before the store is touched.
            if (!(identity is WindowsIdentity))
            {
                throw new ArgumentException(SR.WindowsIdentityOnly);
            }
            WindowsIdentity windowsIdentity = (WindowsIdentity)identity;

            AzAuthorizationStoreClass authStore = new AzAuthorizationStoreClass();
            authStore.Initialize(0, data.StoreLocation, null);

            azApp = authStore.OpenApplication(applicationName, null);
            // Debug.Assert is compiled out of release builds, so this is a debug-time check only.
            Debug.Assert(azApp != null, "could not open the application");

            long             rawHandle = windowsIdentity.Token.ToInt64();
            IAzClientContext context   = azApp.InitializeClientContextFromToken((ulong)rawHandle, null);
            Debug.Assert(context != null, "could not get the context");

            return context;
        }
示例#4
        /// <summary>
        /// Populates the AzMan store at <paramref name="azManStorePath"/> with <paramref name="n"/>
        /// applications, each holding <paramref name="n"/> operation/task/role-definition/role
        /// sets, and adds the current Windows user to every role.
        /// </summary>
        /// <param name="azManStorePath">Store URL passed to <c>Initialize</c>.</param>
        /// <param name="n">Number of applications, and of item sets per application.</param>
        private void CreaStrutturaSuAzMan(string azManStorePath, int n)
        {
            this.Clessidra(true);
            this.StartTimer();

            WindowsIdentity       currentIdentity = WindowsIdentity.GetCurrent();
            NTAccount             account         = new NTAccount(currentIdentity.Name);
            IAzAuthorizationStore authStore       = new AzAuthorizationStoreClass();

            authStore.Initialize(0, azManStorePath, null);
            object reserved = null;

            this.pb.Maximum = n - 1;

            int appIndex = 0;
            while (appIndex < n)
            {
                string         applicationName = "Application" + appIndex.ToString();
                IAzApplication application     = authStore.CreateApplication(applicationName, null);
                application.Submit(0, null);

                // Progress is advanced once per application and the message loop is pumped.
                this.pb.Value = appIndex;
                Application.DoEvents();

                int itemIndex = 0;
                while (itemIndex < n)
                {
                    string suffix   = itemIndex.ToString();
                    string taskName = "Task" + suffix;
                    string roleName = "Role" + suffix;

                    // Operation IDs are 1-based.
                    IAzOperation operation = application.CreateOperation("Operation" + suffix, reserved);
                    operation.OperationID = itemIndex + 1;
                    operation.Submit(0, null);

                    // Task wrapping the operation.
                    IAzTask plainTask = application.CreateTask(taskName, null);
                    plainTask.AddOperation(operation.Name, null);
                    plainTask.Submit(0, null);

                    // Role definition (a task flagged with IsRoleDefinition) that contains the task.
                    IAzTask roleDefinition = application.CreateTask(roleName, null);
                    roleDefinition.IsRoleDefinition = 1;
                    roleDefinition.AddTask(taskName, null);
                    roleDefinition.Submit(0, null);

                    // Role bound to the role definition, with the current user's SID as its member.
                    IAzRole roleAssignment = application.CreateRole(roleName, null);
                    roleAssignment.AddTask(roleName, null);
                    roleAssignment.AddMember(currentIdentity.User.Value, null);
                    roleAssignment.Submit(0, null);

                    itemIndex++;
                }

                appIndex++;
            }

            this.StopTimer(this.txtAzManElapsed);
            this.Clessidra(false);
        }
示例#5
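        /// <summary>
        /// Checks whether the current HTTP user is authorized for the given AzMan operations.
        /// </summary>
        /// <param name="operationIds">Operation IDs handed to <c>AccessCheck</c>.</param>
        /// <returns>
        /// <c>true</c> only when the request user is a Windows identity and AccessCheck reports 0
        /// for every requested operation; <c>false</c> in every other case, including an empty
        /// operation list, a non-Windows identity, or an empty result.
        /// </returns>
        public bool CheckAccessPermissions(object[] operationIds)
        {
            // Nothing to authorize: deny rather than let an empty request pass as "allowed".
            if (operationIds == null || operationIds.Length == 0)
            {
                return false;
            }

            AzAuthorizationStoreClass AzManStore = new AzAuthorizationStoreClass();

            AzManStore.Initialize(0, ConfigurationManager.ConnectionStrings[AuthorizationManagerConstants.AZMANPOLICYSTORECONNECTIONSTRING].ConnectionString, null);
            IAzApplication azApp = AzManStore.OpenApplication(AuthorizationManagerConstants.AZMANAPPLICATION, null);

            // Get the current user context. The request may carry no principal at all, or one
            // that is not Windows-authenticated; neither has a token to check, so deny.
            HttpContext     httpContext   = HttpContext.Current;
            IPrincipal      userPrincipal = httpContext != null ? httpContext.User : null;
            WindowsIdentity userIdentity  = userPrincipal != null ? userPrincipal.Identity as WindowsIdentity : null;
            if (userIdentity == null)
            {
                return false;
            }

            IAzClientContext clientContext = azApp.InitializeClientContextFromToken((ulong)userIdentity.Token, null);

            // The first argument is the string written to the audit log when run-time
            // auditing is turned on.
            object[] result = (object[])clientContext.AccessCheck("CheckAccessPermission", new object[1], operationIds, null, null, null, null, null);

            // Fail closed when AccessCheck gives no verdict.
            if (result == null || result.Length == 0)
            {
                return false;
            }

            // Every requested operation must be granted. Looking only at the first entry would
            // authorize the whole request on the strength of one operation.
            foreach (object entry in result)
            {
                if ((int)entry != 0)
                {
                    // current user not authorized to perform this operation
                    return false;
                }
            }

            // current user authorized to perform all requested operations
            return true;
        }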
示例#6
        /// <summary>
        /// Runs one AccessCheck for "Operation0" of "Application0" in the AzMan store at
        /// <paramref name="azManStorePath"/> as the current Windows user, then releases the COM
        /// objects it created. The verdict is read but not returned.
        /// </summary>
        /// <param name="azManStorePath">Store URL passed to <c>Initialize</c>.</param>
        /// <param name="max">Not used by the current body.</param>
        private void TestSuAzMan(string azManStorePath, int max)
        {
            WindowsIdentity       currentIdentity = WindowsIdentity.GetCurrent();
            IAzAuthorizationStore store           = new AzAuthorizationStoreClass();

            store.Initialize(0, azManStorePath, null);

            // The index is pinned to 0, so the same application and operation are always used.
            int    rnd             = 0;
            string applicationName = "Application" + rnd.ToString();

            IAzApplication   app    = store.OpenApplication(applicationName, null);
            IAzClientContext ctx    = app.InitializeClientContextFromToken((ulong)currentIdentity.Token.ToInt64(), null);
            string           opName = "Operation" + rnd.ToString();
            IAzOperation     op     = app.OpenOperation(opName, null);

            // One name/value pair is supplied as business-rule parameters.
            object[] parameterNames  = { "chiave" };
            object[] parameterValues = { "valore" };
            object[] requestedIds    = new object[] { op.OperationID };

            object[] outcomes = (object[])ctx.AccessCheck("Test", null, requestedIds, parameterNames, parameterValues, null, null, null);

            // Scan up to the first non-zero entry; nothing is done with it.
            for (int position = 0; position < outcomes.Length; position++)
            {
                int accessAllowed = (int)outcomes[position];
                if (accessAllowed != 0)
                {
                    break;
                }
            }

            // Explicit COM cleanup. It is not in a finally block, so it is skipped when an
            // earlier call throws.
            store.CloseApplication(applicationName, 0);
            System.Runtime.InteropServices.Marshal.FinalReleaseComObject(op);
            System.Runtime.InteropServices.Marshal.FinalReleaseComObject(app);
            System.Runtime.InteropServices.Marshal.FinalReleaseComObject(store);
            System.Runtime.InteropServices.Marshal.FinalReleaseComObject(ctx);
            op    = null;
            ctx   = null;
            app   = null;
            store = null;
        }
示例#7
        /// <summary>
        /// Imports an AzMan authorization store into a new store created through
        /// <c>this.storage</c>: store groups and their members, applications, application groups,
        /// tasks/roles/operations as items, the item hierarchy, and role authorizations.
        /// The whole import runs in one storage transaction that is rolled back on any exception.
        /// </summary>
        /// <param name="azManStorePath">
        /// AzMan store URL; replaced by an <c>msxml://</c> URL for the uploaded file when
        /// <c>rbtStoreFile</c> is checked.
        /// </param>
        /// <param name="netSqlAzManStoreName">Name of the store to create in <c>this.storage</c>.</param>
        private void ImportFromAzMan(string azManStorePath, string netSqlAzManStoreName)
        {
            Microsoft.Interop.Security.AzRoles.AzAuthorizationStore azstore = null;
            // Temp file name is unique per call (GUID) and lives under the machine-level "temp"
            // variable. NOTE(review): GetEnvironmentVariable returns null when the variable is
            // not defined, which Path.Combine rejects - confirm it is always set on the host.
            string tempFileName = Path.Combine(Environment.GetEnvironmentVariable("temp", EnvironmentVariableTarget.Machine), String.Format("AzMan{0}.xml", Guid.NewGuid()));

            try
            {
                // NOTE(review): ReadUncommitted allows dirty reads for the duration of the
                // import - confirm this isolation level is intended for authorization data.
                this.storage.BeginTransaction(AzManIsolationLevel.ReadUncommitted);
                string      storeDescription = String.Format("Store imported from AzMan Store:" + " ({0}) - {1}", azManStorePath, DateTime.Now.ToString());
                IAzManStore store            = this.storage.CreateStore(netSqlAzManStoreName, storeDescription);
                azstore = new AzAuthorizationStoreClass();
                if (this.rbtStoreFile.Checked)
                {
                    // The uploaded file is written to disk and its path replaces the caller's
                    // store URL. NOTE(review): no size or content validation of the upload is
                    // visible in this method before it is handed to the AzMan XML provider.
                    this.FileUpload1.SaveAs(tempFileName);
                    azManStorePath = String.Format("msxml://{0}", tempFileName);
                }
                // NOTE(review): flag value 2 is presumably AZ_AZSTORE_FLAG_MANAGE_STORE_ONLY -
                // confirm against the AzRoles constants.
                azstore.Initialize(2, azManStorePath, null);
                #region Store Groups
                //Store Groups
                // First pass creates every group so that the second pass can resolve
                // group-in-group membership by name.
                foreach (IAzApplicationGroup azStoreGroup in azstore.ApplicationGroups)
                {
                    //Store Groups Definition
                    if (azStoreGroup.Type == (int)tagAZ_PROP_CONSTANTS.AZ_GROUPTYPE_BASIC)
                    {
                        //Basic
                        store.CreateStoreGroup(SqlAzManSID.NewSqlAzManSid(), azStoreGroup.Name, azStoreGroup.Description, String.Empty, GroupType.Basic);
                    }
                    else if (azStoreGroup.Type == (int)tagAZ_PROP_CONSTANTS.AZ_GROUPTYPE_LDAP_QUERY)
                    {
                        //LDap
                        // The LDAP query text is copied from the source store as-is.
                        store.CreateStoreGroup(SqlAzManSID.NewSqlAzManSid(), azStoreGroup.Name, azStoreGroup.Description, azStoreGroup.LdapQuery, GroupType.LDapQuery);
                    }
                }
                //Store Groups Members
                foreach (IAzApplicationGroup azStoreGroup in azstore.ApplicationGroups)
                {
                    if (azStoreGroup.Type == (int)tagAZ_PROP_CONSTANTS.AZ_GROUPTYPE_BASIC)
                    {
                        //Basic
                        IAzManStoreGroup storeGroup = store.GetStoreGroup(azStoreGroup.Name);
                        //Store Group Members - Members Store Group
                        object[] azStoreGroupMembers = azStoreGroup.AppMembers as object[];
                        if (azStoreGroupMembers != null)
                        {
                            foreach (string azStoreGroupMember in azStoreGroupMembers)
                            {
                                IAzManStoreGroup member = store.GetStoreGroup(azStoreGroupMember);
                                storeGroup.CreateStoreGroupMember(member.SID, WhereDefined.Store, true);
                            }
                        }
                        //Store Group Non-Members - Non-Members Store Group
                        // The final argument is true for members and false for non-members.
                        object[] azStoreGroupNonMembers = azStoreGroup.AppNonMembers as object[];
                        if (azStoreGroupNonMembers != null)
                        {
                            foreach (string azStoreGroupNonMember in azStoreGroupNonMembers)
                            {
                                IAzManStoreGroup nonMember = store.GetStoreGroup(azStoreGroupNonMember);
                                storeGroup.CreateStoreGroupMember(nonMember.SID, WhereDefined.Store, false);
                            }
                        }
                        //Store Group Members - Windows NT Account
                        object[] azStoreGroupWindowsMembers = azStoreGroup.Members as object[];
                        if (azStoreGroupWindowsMembers != null)
                        {
                            foreach (string azStoreWindowsMember in azStoreGroupWindowsMembers)
                            {
                                IAzManSid sid = new SqlAzManSID(azStoreWindowsMember);

                                string memberName;
                                bool   isLocal;
                                // Only isLocal is used afterwards; it decides whether the SID is
                                // recorded as a local or an LDAP principal.
                                DirectoryServicesWebUtils.GetMemberInfo(sid.StringValue, out memberName, out isLocal);
                                storeGroup.CreateStoreGroupMember(sid, isLocal ? WhereDefined.Local : WhereDefined.LDAP, true);
                            }
                        }
                        //Store Group NonMembers - Windows NT Account
                        object[] azStoreGroupWindowsNonMembers = azStoreGroup.NonMembers as object[];
                        if (azStoreGroupWindowsNonMembers != null)
                        {
                            foreach (string azStoreWindowsNonMember in azStoreGroupWindowsNonMembers)
                            {
                                IAzManSid sid = new SqlAzManSID(azStoreWindowsNonMember);
                                string    memberName;
                                bool      isLocal;
                                DirectoryServicesWebUtils.GetMemberInfo(sid.StringValue, out memberName, out isLocal);
                                storeGroup.CreateStoreGroupMember(sid, isLocal ? WhereDefined.Local : WhereDefined.LDAP, false);
                            }
                        }
                    }
                }
                #endregion Store Groups
                #region Applications
                //Applications
                foreach (IAzApplication azApplication in azstore.Applications)
                {
                    IAzManApplication application = store.CreateApplication(azApplication.Name, azApplication.Description);
                    #region Application Groups
                    //Store Groups
                    // Same two-pass scheme as for store groups: definitions first, members second.
                    foreach (IAzApplicationGroup azApplicationGroup in azApplication.ApplicationGroups)
                    {
                        //Application Groups Definition
                        if (azApplicationGroup.Type == (int)tagAZ_PROP_CONSTANTS.AZ_GROUPTYPE_BASIC)
                        {
                            //Basic
                            application.CreateApplicationGroup(SqlAzManSID.NewSqlAzManSid(), azApplicationGroup.Name, azApplicationGroup.Description, String.Empty, GroupType.Basic);
                        }
                        else if (azApplicationGroup.Type == (int)tagAZ_PROP_CONSTANTS.AZ_GROUPTYPE_LDAP_QUERY)
                        {
                            //LDap
                            application.CreateApplicationGroup(SqlAzManSID.NewSqlAzManSid(), azApplicationGroup.Name, azApplicationGroup.Description, azApplicationGroup.LdapQuery, GroupType.LDapQuery);
                        }
                    }
                    //Application Groups Members
                    foreach (IAzApplicationGroup azApplicationGroup in azApplication.ApplicationGroups)
                    {
                        if (azApplicationGroup.Type == (int)tagAZ_PROP_CONSTANTS.AZ_GROUPTYPE_BASIC)
                        {
                            //Basic
                            IAzManApplicationGroup applicationGroup = application.GetApplicationGroup(azApplicationGroup.Name);
                            //Application Group Members - Members Group
                            object[] azStoreGroupMembers = azApplicationGroup.AppMembers as object[];
                            if (azStoreGroupMembers != null)
                            {
                                foreach (string azGroupMember in azStoreGroupMembers)
                                {
                                    // A member name may refer to a store group or to an application
                                    // group; both lookups are tried and a failed lookup
                                    // (SqlAzManException) is mapped to null.
                                    IAzManStoreGroup storemember;
                                    try
                                    {
                                        storemember = store.GetStoreGroup(azGroupMember);
                                    }
                                    catch (SqlAzManException)
                                    {
                                        storemember = null;
                                    }
                                    IAzManApplicationGroup appmember;
                                    try
                                    {
                                        appmember = application.GetApplicationGroup(azGroupMember);
                                    }
                                    catch (SqlAzManException)
                                    {
                                        appmember = null;
                                    }
                                    // The store group wins when both exist.
                                    if (storemember != null)
                                    {
                                        applicationGroup.CreateApplicationGroupMember(storemember.SID, WhereDefined.Store, true);
                                    }
                                    else
                                    {
                                        // NOTE(review): appmember is null here when both lookups
                                        // failed, so this dereference throws NullReferenceException
                                        // and the outer catch rolls the import back.
                                        applicationGroup.CreateApplicationGroupMember(appmember.SID, WhereDefined.Application, true);
                                    }
                                }
                            }
                            //Application Group Non-Members - Non-Members Group
                            object[] azStoreGroupNonMembers = azApplicationGroup.AppNonMembers as object[];
                            if (azStoreGroupNonMembers != null)
                            {
                                foreach (string azGroupNonMember in azStoreGroupNonMembers)
                                {
                                    IAzManStoreGroup storenonMember;
                                    try
                                    {
                                        storenonMember = store.GetStoreGroup(azGroupNonMember);
                                    }
                                    catch (SqlAzManException)
                                    {
                                        storenonMember = null;
                                    }
                                    IAzManApplicationGroup appnonMember;
                                    try
                                    {
                                        appnonMember = application.GetApplicationGroup(azGroupNonMember);
                                    }
                                    catch (SqlAzManException)
                                    {
                                        appnonMember = null;
                                    }
                                    if (storenonMember != null)
                                    {
                                        applicationGroup.CreateApplicationGroupMember(storenonMember.SID, WhereDefined.Store, false);
                                    }
                                    else
                                    {
                                        // NOTE(review): same unguarded dereference as for members;
                                        // appnonMember is null when neither lookup succeeded.
                                        applicationGroup.CreateApplicationGroupMember(appnonMember.SID, WhereDefined.Application, false);
                                    }
                                }
                            }
                            //Application Group Members - Windows NT Account
                            object[] azApplicationGroupWindowsMembers = azApplicationGroup.Members as object[];
                            if (azApplicationGroupWindowsMembers != null)
                            {
                                foreach (string azApplicationWindowsMember in azApplicationGroupWindowsMembers)
                                {
                                    IAzManSid sid = new SqlAzManSID(azApplicationWindowsMember);
                                    string    memberName;
                                    bool      isLocal;
                                    DirectoryServicesWebUtils.GetMemberInfo(sid.StringValue, out memberName, out isLocal);
                                    applicationGroup.CreateApplicationGroupMember(sid, isLocal ? WhereDefined.Local : WhereDefined.LDAP, true);
                                }
                            }
                            //Application Group NonMembers - Windows NT Account
                            object[] azApplicationGroupWindowsNonMembers = azApplicationGroup.NonMembers as object[];
                            if (azApplicationGroupWindowsNonMembers != null)
                            {
                                foreach (string azApplicationWindowsNonMember in azApplicationGroupWindowsNonMembers)
                                {
                                    IAzManSid sid = new SqlAzManSID(azApplicationWindowsNonMember);
                                    string    memberName;
                                    bool      isLocal;
                                    DirectoryServicesWebUtils.GetMemberInfo(sid.StringValue, out memberName, out isLocal);
                                    applicationGroup.CreateApplicationGroupMember(sid, isLocal ? WhereDefined.Local : WhereDefined.LDAP, false);
                                }
                            }
                        }
                    }
                    #endregion Application Groups
                    //Without Scopes
                    // AzMan tasks flagged IsRoleDefinition become Role items; all other tasks
                    // become Task items. The returned item is not used.
                    IAzTasks tasks = azApplication.Tasks as IAzTasks;
                    if (tasks != null)
                    {
                        foreach (IAzTask azTask in tasks)
                        {
                            if (azTask.IsRoleDefinition == 1)
                            {
                                IAzManItem item = application.CreateItem(azTask.Name, azTask.Description, ItemType.Role);
                            }
                            else
                            {
                                IAzManItem item = application.CreateItem(azTask.Name, azTask.Description, ItemType.Task);
                            }
                        }
                    }
                    IAzOperations operations = azApplication.Operations as IAzOperations;
                    if (operations != null)
                    {
                        foreach (IAzOperation azOperation in operations)
                        {
                            application.CreateItem(azOperation.Name, azOperation.Description, ItemType.Operation);
                        }
                    }
                    //Build Item Hierarchy
                    // Runs after all items exist; SetHirearchy is defined elsewhere in the class.
                    if (tasks != null)
                    {
                        foreach (IAzTask azTask in tasks)
                        {
                            this.SetHirearchy(null, azApplication, azTask.Name, application);
                        }
                    }
                    //Scopes
                    // Scoped tasks are created as items of the application itself; no scope object
                    // is created on the destination side in this method.
                    foreach (IAzScope azScope in azApplication.Scopes)
                    {
                        azApplication.OpenScope(azScope.Name, null);
                        IAzTasks tasksOfScope = azScope.Tasks as IAzTasks;
                        if (tasksOfScope != null)
                        {
                            foreach (IAzTask azTask in tasksOfScope)
                            {
                                if (azTask.IsRoleDefinition == 1)
                                {
                                    IAzManItem item = application.CreateItem(azTask.Name, azTask.Description, ItemType.Role);
                                }
                                else
                                {
                                    IAzManItem item = application.CreateItem(azTask.Name, azTask.Description, ItemType.Task);
                                }
                            }
                        }
                        //Build Item Hierarchy
                        if (tasksOfScope != null)
                        {
                            foreach (IAzTask azTask in tasksOfScope)
                            {
                                this.SetHirearchy(azScope, azApplication, azTask.Name, application);
                            }
                        }
                    }
                    //Authorizations on Roles without Scopes
                    // Every imported role member receives AllowWithDelegation.
                    // NOTE(review): confirm that granting delegation to all imported members is
                    // intended; the source role assignment carries no such distinction here.
                    AuthorizationType defaultAuthorization = AuthorizationType.AllowWithDelegation;
                    IAzRoles          azRoles = azApplication.Roles;
                    foreach (IAzRole azRole in azRoles)
                    {
                        // Reuse the item when a role definition of the same name was already
                        // imported; otherwise create a Role item for this assignment.
                        IAzManItem item;
                        try
                        {
                            item = application.GetItem(azRole.Name);
                        }
                        catch (SqlAzManException)
                        {
                            item = null;
                        }
                        if (item == null)
                        {
                            item = application.CreateItem(azRole.Name, azRole.Description, ItemType.Role);
                        }
                        //Store & Application Groups Authorizations
                        // Direct cast (no null check): a null AppMembers makes the foreach throw.
                        foreach (string member in (object[])azRole.AppMembers)
                        {
                            IAzManStoreGroup storeGroup;
                            try
                            {
                                storeGroup = application.Store.GetStoreGroup(member);
                            }
                            catch (SqlAzManException)
                            {
                                storeGroup = null;
                            }
                            IAzManApplicationGroup applicationGroup;
                            try
                            {
                                applicationGroup = application.GetApplicationGroup(member);
                            }
                            catch (SqlAzManException)
                            {
                                applicationGroup = null;
                            }
                            // A member that resolves to neither group type is skipped without
                            // any record of the omission.
                            if (storeGroup != null)
                            {
                                item.CreateAuthorization(this.currentOwnerSid, this.currentOwnerSidWhereDefined, storeGroup.SID, WhereDefined.Store, defaultAuthorization, null, null);
                            }
                            else if (applicationGroup != null)
                            {
                                item.CreateAuthorization(this.currentOwnerSid, this.currentOwnerSidWhereDefined, applicationGroup.SID, WhereDefined.Application, defaultAuthorization, null, null);
                            }
                        }
                        //Windows Users & Groups Authorizations
                        foreach (string sSid in (object[])azRole.Members)
                        {
                            IAzManSid sid = new SqlAzManSID(sSid);
                            string    memberName;
                            bool      isLocal;
                            DirectoryServicesWebUtils.GetMemberInfo(sid.StringValue, out memberName, out isLocal);
                            item.CreateAuthorization(this.currentOwnerSid, this.currentOwnerSidWhereDefined, sid, isLocal ? WhereDefined.Local : WhereDefined.LDAP, defaultAuthorization, null, null);
                        }
                    }
                    //Authorizations on Roles with Scopes
                    // Same logic as above for roles defined inside each scope; authorizations are
                    // attached to application-level items looked up by role name.
                    foreach (IAzScope azScope in azApplication.Scopes)
                    {
                        IAzRoles azRolesWithScopes = azScope.Roles;
                        foreach (IAzRole azRole in azRolesWithScopes)
                        {
                            IAzManItem item;
                            try
                            {
                                item = application.GetItem(azRole.Name);
                            }
                            catch (SqlAzManException)
                            {
                                item = null;
                            }
                            if (item == null)
                            {
                                item = application.CreateItem(azRole.Name, azRole.Description, ItemType.Role);
                            }
                            //Store & Application Groups Authorizations
                            foreach (string member in (object[])azRole.AppMembers)
                            {
                                IAzManStoreGroup storeGroup;
                                try
                                {
                                    storeGroup = application.Store.GetStoreGroup(member);
                                }
                                catch (SqlAzManException)
                                {
                                    storeGroup = null;
                                }
                                IAzManApplicationGroup applicationGroup;
                                try
                                {
                                    applicationGroup = application.GetApplicationGroup(member);
                                }
                                catch (SqlAzManException)
                                {
                                    applicationGroup = null;
                                }
                                if (storeGroup != null)
                                {
                                    item.CreateAuthorization(this.currentOwnerSid, this.currentOwnerSidWhereDefined, storeGroup.SID, WhereDefined.Store, defaultAuthorization, null, null);
                                }
                                else if (applicationGroup != null)
                                {
                                    item.CreateAuthorization(this.currentOwnerSid, this.currentOwnerSidWhereDefined, applicationGroup.SID, WhereDefined.Application, defaultAuthorization, null, null);
                                }
                            }
                            //Windows Users & Groups Authorizations
                            foreach (string sSid in (object[])azRole.Members)
                            {
                                IAzManSid sid = new SqlAzManSID(sSid);
                                string    memberName;
                                bool      isLocal;
                                DirectoryServicesWebUtils.GetMemberInfo(sid.StringValue, out memberName, out isLocal);
                                item.CreateAuthorization(this.currentOwnerSid, this.currentOwnerSidWhereDefined, sid, isLocal ? WhereDefined.Local : WhereDefined.LDAP, defaultAuthorization, null, null);
                            }
                        }
                    }
                    //try
                    //{
                    //    azstore.CloseApplication(azApplication.Name, 0);
                    //}
                    //catch
                    //{
                    //    //PorkAround: COM Is a mistery
                    //}
                }
                #endregion Applications
                if (storage.TransactionInProgress)
                {
                    storage.CommitTransaction();
                }
            }
            catch
            {
                // Any failure undoes the partial import, then the exception is rethrown with its
                // original stack trace.
                if (storage.TransactionInProgress)
                {
                    storage.RollBackTransaction();
                }
                throw;
            }
            finally
            {
                // Cleanup is skipped entirely when the COM store was never created. The temp file
                // is deleted whether or not an upload was written to it.
                if (azstore != null)
                {
                    System.Runtime.InteropServices.Marshal.ReleaseComObject(azstore);
                    File.Delete(tempFileName);
                    azstore = null;
                }
            }
        }
		/// <devdoc>
		/// Opens the application <paramref name="applicationName"/> from the policy store at
		/// this.storeLocation and returns a client context created from the Windows token of
		/// <paramref name="identity"/>. The opened application is handed back through
		/// <paramref name="azApp"/>.
		/// </devdoc>
		private IAzClientContext GetClientContext(WindowsIdentity identity, String applicationName, out IAzApplication azApp)
		{
			// Only the store initialization and the application lookup run under
			// contextLock; the client context is created after the lock is released.
			lock (contextLock)
			{
				AzAuthorizationStoreClass policyStore = new AzAuthorizationStoreClass();
				policyStore.Initialize(0, this.storeLocation, null);
				azApp = policyStore.OpenApplication(applicationName, null);
			}

			// The context is derived from the token of the identity passed in by the caller,
			// not from the identity the process itself runs as.
			return azApp.InitializeClientContextFromToken((ulong)identity.Token.ToInt64(), null);
		}
示例#9
        /// <summary>
        /// Opens the Authorization Manager policy store and application configured for
        /// WebExpense and caches both objects in ASP.NET application state.
        /// </summary>
        /// <remarks>
        /// Reads the store URL from Application["STORE_PATH"] and the application name from
        /// Application["AZMAN_APP_NAME"]; stores the opened store under "AZMAN_STORE" and the
        /// opened application under "AZMAN_APP". Nothing is handled here: every exception
        /// raised while opening the store or the application propagates to the caller.
        /// </remarks>
        /// <returns>Always true; failures are reported by exception, not by the return value.</returns>
        public static bool Initialize()
        {
            AzAuthorizationStoreClass policyStore = new AzAuthorizationStoreClass();
            HttpApplicationState appState = HttpContext.Current.Application;

            // Open the policy store. Typical failures, all left to the default handler:
            //   FileNotFoundException       - the store URL is bad.
            //   UnauthorizedAccessException - the calling context is not in the Reader role on
            //                                 the store (Admin is only needed if the app writes).
            policyStore.Initialize(0, (string)appState["STORE_PATH"], null);

            // Application state is shared by all requests, so this one store object serves them all.
            // NOTE(review): confirm the interop object may be used from concurrent requests.
            appState["AZMAN_STORE"] = policyStore;

            // Open the application. FileNotFoundException here means the store holds no
            // application with the configured name.
            IAzApplication policyApp = policyStore.OpenApplication((string)appState["AZMAN_APP_NAME"], null);
            appState["AZMAN_APP"] = policyApp;

            return true;
        }
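        /// <summary>
        /// Imports an Authorization Manager (AzMan) policy store into a newly created store
        /// named <paramref name="netSqlAzManStoreName"/>: store groups and their members,
        /// applications, application groups, items (roles, tasks, operations), the item
        /// hierarchy and the role authorizations.
        /// </summary>
        /// <remarks>
        /// The whole import runs in one storage transaction that is committed at the end and
        /// rolled back on any exception. Properties of the result a reviewer should confirm:
        /// every imported role assignment is created as AuthorizationType.AllowWithDelegation;
        /// tasks and roles defined inside an AzMan scope become application-level items and
        /// the scope is not passed on to CreateAuthorization; a role member name that matches
        /// neither a store group nor an application group is skipped without an error.
        /// </remarks>
        /// <param name="azManStorePath">AzMan store URL. When the file option is checked it is
        /// replaced by an msxml:// URL pointing at the staged upload.</param>
        /// <param name="netSqlAzManStoreName">Name of the store to create.</param>
        private void ImportFromAzMan(string azManStorePath, string netSqlAzManStoreName)
        {
            Microsoft.Interop.Security.AzRoles.AzAuthorizationStore azstore = null;
            // The upload is staged in the machine-level TEMP directory under a GUID-based name.
            // NOTE(review): the staged file holds a complete authorization policy; confirm that
            // directory is not readable by other accounts. If the machine-level variable is not
            // defined, GetEnvironmentVariable returns null and Path.Combine throws.
            string tempFileName = Path.Combine(Environment.GetEnvironmentVariable("temp", EnvironmentVariableTarget.Machine), String.Format("AzMan{0}.xml", Guid.NewGuid()));
            try
            {
                // NOTE(review): the import runs at ReadUncommitted; confirm that is intended
                // for a transaction that writes authorization data.
                this.storage.BeginTransaction(AzManIsolationLevel.ReadUncommitted);
                string storeDescription = String.Format("Store imported from AzMan Store:" + " ({0}) - {1}", azManStorePath, DateTime.Now.ToString());
                IAzManStore store = this.storage.CreateStore(netSqlAzManStoreName, storeDescription);
                azstore = new AzAuthorizationStoreClass();
                if (this.rbtStoreFile.Checked)
                {
                    // File mode: the policy is parsed from the staged copy of the upload.
                    this.FileUpload1.SaveAs(tempFileName);
                    azManStorePath = String.Format("msxml://{0}", tempFileName);
                }
                // NOTE(review): flag 2 is presumably AZ_AZSTORE_FLAG_MANAGE_STORE_ONLY - confirm.
                azstore.Initialize(2, azManStorePath, null);
                #region Store Groups
                // Pass 1: create every store group, so pass 2 can resolve references by name.
                foreach (IAzApplicationGroup azStoreGroup in azstore.ApplicationGroups)
                {
                    if (azStoreGroup.Type == (int)tagAZ_PROP_CONSTANTS.AZ_GROUPTYPE_BASIC)
                    {
                        store.CreateStoreGroup(SqlAzManSID.NewSqlAzManSid(), azStoreGroup.Name, azStoreGroup.Description, String.Empty, GroupType.Basic);
                    }
                    else if (azStoreGroup.Type == (int)tagAZ_PROP_CONSTANTS.AZ_GROUPTYPE_LDAP_QUERY)
                    {
                        store.CreateStoreGroup(SqlAzManSID.NewSqlAzManSid(), azStoreGroup.Name, azStoreGroup.Description, azStoreGroup.LdapQuery, GroupType.LDapQuery);
                    }
                }
                // Pass 2: members and non-members of the basic groups.
                foreach (IAzApplicationGroup azStoreGroup in azstore.ApplicationGroups)
                {
                    if (azStoreGroup.Type != (int)tagAZ_PROP_CONSTANTS.AZ_GROUPTYPE_BASIC)
                    {
                        continue;
                    }
                    IAzManStoreGroup storeGroup = store.GetStoreGroup(azStoreGroup.Name);
                    // Other store groups that are members.
                    object[] memberGroups = azStoreGroup.AppMembers as object[];
                    if (memberGroups != null)
                    {
                        foreach (string groupName in memberGroups)
                        {
                            IAzManStoreGroup member = store.GetStoreGroup(groupName);
                            storeGroup.CreateStoreGroupMember(member.SID, WhereDefined.Store, true);
                        }
                    }
                    // Other store groups that are non-members (exclusions).
                    object[] nonMemberGroups = azStoreGroup.AppNonMembers as object[];
                    if (nonMemberGroups != null)
                    {
                        foreach (string groupName in nonMemberGroups)
                        {
                            IAzManStoreGroup nonMember = store.GetStoreGroup(groupName);
                            storeGroup.CreateStoreGroupMember(nonMember.SID, WhereDefined.Store, false);
                        }
                    }
                    // Windows accounts that are members.
                    object[] memberSids = azStoreGroup.Members as object[];
                    if (memberSids != null)
                    {
                        foreach (string sidText in memberSids)
                        {
                            IAzManSid sid = new SqlAzManSID(sidText);
                            WhereDefined location = this.ImportedSidLocation(sid);
                            storeGroup.CreateStoreGroupMember(sid, location, true);
                        }
                    }
                    // Windows accounts that are non-members (exclusions).
                    object[] nonMemberSids = azStoreGroup.NonMembers as object[];
                    if (nonMemberSids != null)
                    {
                        foreach (string sidText in nonMemberSids)
                        {
                            IAzManSid sid = new SqlAzManSID(sidText);
                            WhereDefined location = this.ImportedSidLocation(sid);
                            storeGroup.CreateStoreGroupMember(sid, location, false);
                        }
                    }
                }
                #endregion Store Groups
                #region Applications
                foreach (IAzApplication azApplication in azstore.Applications)
                {
                    IAzManApplication application = store.CreateApplication(azApplication.Name, azApplication.Description);
                    #region Application Groups
                    // Pass 1: create every application group.
                    foreach (IAzApplicationGroup azApplicationGroup in azApplication.ApplicationGroups)
                    {
                        if (azApplicationGroup.Type == (int)tagAZ_PROP_CONSTANTS.AZ_GROUPTYPE_BASIC)
                        {
                            application.CreateApplicationGroup(SqlAzManSID.NewSqlAzManSid(), azApplicationGroup.Name, azApplicationGroup.Description, String.Empty, GroupType.Basic);
                        }
                        else if (azApplicationGroup.Type == (int)tagAZ_PROP_CONSTANTS.AZ_GROUPTYPE_LDAP_QUERY)
                        {
                            application.CreateApplicationGroup(SqlAzManSID.NewSqlAzManSid(), azApplicationGroup.Name, azApplicationGroup.Description, azApplicationGroup.LdapQuery, GroupType.LDapQuery);
                        }
                    }
                    // Pass 2: members and non-members of the basic groups.
                    foreach (IAzApplicationGroup azApplicationGroup in azApplication.ApplicationGroups)
                    {
                        if (azApplicationGroup.Type != (int)tagAZ_PROP_CONSTANTS.AZ_GROUPTYPE_BASIC)
                        {
                            continue;
                        }
                        IAzManApplicationGroup applicationGroup = application.GetApplicationGroup(azApplicationGroup.Name);
                        // Store or application groups that are members.
                        object[] memberGroups = azApplicationGroup.AppMembers as object[];
                        if (memberGroups != null)
                        {
                            foreach (string groupName in memberGroups)
                            {
                                this.AddImportedGroupReference(store, application, applicationGroup, groupName, true);
                            }
                        }
                        // Store or application groups that are non-members (exclusions).
                        object[] nonMemberGroups = azApplicationGroup.AppNonMembers as object[];
                        if (nonMemberGroups != null)
                        {
                            foreach (string groupName in nonMemberGroups)
                            {
                                this.AddImportedGroupReference(store, application, applicationGroup, groupName, false);
                            }
                        }
                        // Windows accounts that are members.
                        object[] memberSids = azApplicationGroup.Members as object[];
                        if (memberSids != null)
                        {
                            foreach (string sidText in memberSids)
                            {
                                IAzManSid sid = new SqlAzManSID(sidText);
                                WhereDefined location = this.ImportedSidLocation(sid);
                                applicationGroup.CreateApplicationGroupMember(sid, location, true);
                            }
                        }
                        // Windows accounts that are non-members (exclusions).
                        object[] nonMemberSids = azApplicationGroup.NonMembers as object[];
                        if (nonMemberSids != null)
                        {
                            foreach (string sidText in nonMemberSids)
                            {
                                IAzManSid sid = new SqlAzManSID(sidText);
                                WhereDefined location = this.ImportedSidLocation(sid);
                                applicationGroup.CreateApplicationGroupMember(sid, location, false);
                            }
                        }
                    }
                    #endregion Application Groups
                    // Items defined directly on the application (no scope).
                    IAzTasks tasks = azApplication.Tasks as IAzTasks;
                    if (tasks != null)
                    {
                        this.CreateItemsForAzTasks(application, tasks);
                    }
                    IAzOperations operations = azApplication.Operations as IAzOperations;
                    if (operations != null)
                    {
                        foreach (IAzOperation azOperation in operations)
                        {
                            application.CreateItem(azOperation.Name, azOperation.Description, ItemType.Operation);
                        }
                    }
                    // The hierarchy is built only after all items exist.
                    if (tasks != null)
                    {
                        foreach (IAzTask azTask in tasks)
                        {
                            this.SetHirearchy(null, azApplication, azTask.Name, application);
                        }
                    }
                    // Items defined inside scopes. They are created on the application itself.
                    foreach (IAzScope azScope in azApplication.Scopes)
                    {
                        azApplication.OpenScope(azScope.Name, null);
                        IAzTasks tasksOfScope = azScope.Tasks as IAzTasks;
                        if (tasksOfScope != null)
                        {
                            this.CreateItemsForAzTasks(application, tasksOfScope);
                            foreach (IAzTask azTask in tasksOfScope)
                            {
                                this.SetHirearchy(azScope, azApplication, azTask.Name, application);
                            }
                        }
                    }
                    // NOTE(review): every imported assignment is granted with delegation, whatever
                    // the source store expressed; confirm that this default is acceptable.
                    AuthorizationType defaultAuthorization = AuthorizationType.AllowWithDelegation;
                    // Authorizations on roles without scopes.
                    this.ImportRoleAuthorizations(application, azApplication.Roles, defaultAuthorization);
                    // Authorizations on roles with scopes.
                    // NOTE(review): the scope is not carried over, so an assignment that was limited
                    // to a scope in AzMan appears to apply to the whole application after import.
                    foreach (IAzScope azScope in azApplication.Scopes)
                    {
                        this.ImportRoleAuthorizations(application, azScope.Roles, defaultAuthorization);
                    }
                }
                #endregion Applications
                if (storage.TransactionInProgress)
                {
                    storage.CommitTransaction();
                }
            }
            catch
            {
                // Any failure discards the partially imported store.
                if (storage.TransactionInProgress)
                {
                    storage.RollBackTransaction();
                }
                throw;
            }
            finally
            {
                if (azstore != null)
                {
                    // Release the COM store first, then remove the staged upload.
                    System.Runtime.InteropServices.Marshal.ReleaseComObject(azstore);
                    File.Delete(tempFileName);
                    azstore = null;
                }
            }
        }

        /// <summary>Classifies a Windows SID as local or directory-defined through DirectoryServicesWebUtils.GetMemberInfo.</summary>
        private WhereDefined ImportedSidLocation(IAzManSid sid)
        {
            string memberName;
            bool isLocal;
            DirectoryServicesWebUtils.GetMemberInfo(sid.StringValue, out memberName, out isLocal);
            return isLocal ? WhereDefined.Local : WhereDefined.LDAP;
        }

        /// <summary>Returns the named store group, or null when the lookup raises SqlAzManException.</summary>
        private IAzManStoreGroup TryGetStoreGroup(IAzManStore store, string name)
        {
            try
            {
                return store.GetStoreGroup(name);
            }
            catch (SqlAzManException)
            {
                return null;
            }
        }

        /// <summary>Returns the named application group, or null when the lookup raises SqlAzManException.</summary>
        private IAzManApplicationGroup TryGetApplicationGroup(IAzManApplication application, string name)
        {
            try
            {
                return application.GetApplicationGroup(name);
            }
            catch (SqlAzManException)
            {
                return null;
            }
        }

        /// <summary>
        /// Adds the group called <paramref name="groupName"/> to <paramref name="applicationGroup"/>
        /// as a member or non-member, preferring a store group over an application group.
        /// </summary>
        private void AddImportedGroupReference(IAzManStore store, IAzManApplication application, IAzManApplicationGroup applicationGroup, string groupName, bool isMember)
        {
            IAzManStoreGroup storeGroup = this.TryGetStoreGroup(store, groupName);
            IAzManApplicationGroup appGroup = this.TryGetApplicationGroup(application, groupName);
            if (storeGroup != null)
            {
                applicationGroup.CreateApplicationGroupMember(storeGroup.SID, WhereDefined.Store, isMember);
            }
            else if (appGroup != null)
            {
                applicationGroup.CreateApplicationGroupMember(appGroup.SID, WhereDefined.Application, isMember);
            }
            else
            {
                // Fail the import with a clear message instead of a NullReferenceException;
                // dropping a non-member entry silently would widen the imported group.
                throw new InvalidOperationException(String.Format("AzMan import: group '{0}' is neither a store group nor an application group of the target application.", groupName));
            }
        }

        /// <summary>Creates one item per AzMan task: a Role when IsRoleDefinition is 1, otherwise a Task.</summary>
        private void CreateItemsForAzTasks(IAzManApplication application, IAzTasks tasks)
        {
            foreach (IAzTask azTask in tasks)
            {
                ItemType itemType = azTask.IsRoleDefinition == 1 ? ItemType.Role : ItemType.Task;
                application.CreateItem(azTask.Name, azTask.Description, itemType);
            }
        }

        /// <summary>
        /// Creates the authorizations of each AzMan role on the application item of the same
        /// name, creating that item as a Role when it does not exist yet.
        /// </summary>
        private void ImportRoleAuthorizations(IAzManApplication application, IAzRoles azRoles, AuthorizationType defaultAuthorization)
        {
            foreach (IAzRole azRole in azRoles)
            {
                IAzManItem item;
                try
                {
                    item = application.GetItem(azRole.Name);
                }
                catch (SqlAzManException)
                {
                    item = null;
                }
                if (item == null)
                {
                    item = application.CreateItem(azRole.Name, azRole.Description, ItemType.Role);
                }
                // Store and application group authorizations. A missing member list is
                // treated as empty, as the group import above already does.
                object[] groupNames = azRole.AppMembers as object[];
                if (groupNames != null)
                {
                    foreach (string member in groupNames)
                    {
                        IAzManStoreGroup storeGroup = this.TryGetStoreGroup(application.Store, member);
                        IAzManApplicationGroup applicationGroup = this.TryGetApplicationGroup(application, member);
                        if (storeGroup != null)
                        {
                            item.CreateAuthorization(this.currentOwnerSid, this.currentOwnerSidWhereDefined, storeGroup.SID, WhereDefined.Store, defaultAuthorization, null, null);
                        }
                        else if (applicationGroup != null)
                        {
                            item.CreateAuthorization(this.currentOwnerSid, this.currentOwnerSidWhereDefined, applicationGroup.SID, WhereDefined.Application, defaultAuthorization, null, null);
                        }
                        // A name that resolves to neither kind of group is skipped without an error.
                    }
                }
                // Windows user and group authorizations.
                object[] memberSids = azRole.Members as object[];
                if (memberSids != null)
                {
                    foreach (string sSid in memberSids)
                    {
                        IAzManSid sid = new SqlAzManSID(sSid);
                        WhereDefined location = this.ImportedSidLocation(sid);
                        item.CreateAuthorization(this.currentOwnerSid, this.currentOwnerSidWhereDefined, sid, location, defaultAuthorization, null, null);
                    }
                }
            }
        }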
        /// <devdoc>
        /// Builds an AzMan client context for <paramref name="identity"/> against the application
        /// <paramref name="applicationName"/> in the store at data.StoreLocation. Only Windows
        /// identities are accepted; any other identity raises ArgumentException. The opened
        /// application is returned through <paramref name="azApp"/>.
        /// </devdoc>
        private IAzClientContext GetClientContext(AzManAuthorizationProviderData data, IIdentity identity, String applicationName, out IAzApplication azApp)
        {
            // The context is created from a Windows token, so anything that is not a
            // WindowsIdentity (including null) is rejected before the store is touched.
            if (!(identity is WindowsIdentity))
            {
                throw new ArgumentException(SR.WindowsIdentityOnly);
            }
            WindowsIdentity windowsCaller = (WindowsIdentity)identity;

            AzAuthorizationStoreClass policyStore = new AzAuthorizationStoreClass();
            policyStore.Initialize(0, data.StoreLocation, null);
            azApp = policyStore.OpenApplication(applicationName, null);
            // Debug.Assert is compiled out of release builds: it documents the expectation,
            // it is not a runtime check.
            Debug.Assert(azApp != null, "could not open the application");

            IAzClientContext callerContext = azApp.InitializeClientContextFromToken((ulong)windowsCaller.Token.ToInt64(), null);
            Debug.Assert(callerContext != null, "could not get the context");
            return callerContext;
        }
示例#12
        /// <summary>
        /// Opens the WebExpense Authorization Manager policy store and application and
        /// publishes both through ASP.NET application state.
        /// </summary>
        /// <remarks>
        /// Inputs are Application["STORE_PATH"] (store URL) and Application["AZMAN_APP_NAME"]
        /// (application name); outputs are Application["AZMAN_STORE"] and
        /// Application["AZMAN_APP"]. No exception is handled in this method.
        /// </remarks>
        /// <returns>Always true; a failure surfaces as an exception instead.</returns>
        public static bool Initialize()
        {
            AzAuthorizationStoreClass azManStore = new AzAuthorizationStoreClass();
            HttpApplicationState state = HttpContext.Current.Application;

            // FileNotFoundException from this call points at a bad store URL.
            // UnauthorizedAccessException means the calling context lacks the Reader role on
            // the store; the Admin role is only required when the application writes to it.
            string storePath = (string)state["STORE_PATH"];
            azManStore.Initialize(0, storePath, null);

            // Application state is process-wide: all requests share this store object.
            // NOTE(review): confirm the interop object tolerates concurrent use.
            state["AZMAN_STORE"] = azManStore;

            // FileNotFoundException from this call means no application with that name
            // exists in the store.
            string appName = (string)state["AZMAN_APP_NAME"];
            IAzApplication azManApp = azManStore.OpenApplication(appName, null);
            state["AZMAN_APP"] = azManApp;

            return true;
        }
示例#13
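 /// <summary>
 /// Runs one AzMan access check for the current Windows user against "Application0" /
 /// "Operation0" in the store at <paramref name="azManStorePath"/>, then closes the
 /// application. The outcome of the check is not reported to the caller.
 /// </summary>
 /// <param name="azManStorePath">AzMan store URL passed to Initialize.</param>
 /// <param name="max">Unused while the random pick below stays commented out.</param>
 private void TestSuAzMan(string azManStorePath, int max)
 {
     WindowsIdentity id = WindowsIdentity.GetCurrent();
     IAzAuthorizationStore store = new AzAuthorizationStoreClass();
     IAzApplication app = null;
     IAzClientContext ctx = null;
     IAzOperation op = null;
     try
     {
         store.Initialize(0, azManStorePath, null);
         int rnd = 0; // new Random().Next(max);
         string applicationName = "Application" + rnd.ToString();
         app = store.OpenApplication(applicationName, null);
         ctx = app.InitializeClientContextFromToken((ulong)id.Token.ToInt64(), null);
         string opName = "Operation" + rnd.ToString();
         op = app.OpenOperation(opName, null);
         object[] parameterNames = new object[1] { "chiave" };
         object[] parameterValues = new object[1] { "valore" };
         object[] results = (object[])ctx.AccessCheck("Test", null, new object[] { op.OperationID }, parameterNames, parameterValues, null, null, null);
         // AccessCheck yields one result per requested operation; 0 means the operation
         // was granted, any other value that it was not. The loop only walks the results.
         foreach (int accessResult in results)
         {
             if (accessResult != 0)
             {
                 break;
             }
         }
         store.CloseApplication(applicationName, 0);
     }
     finally
     {
         // Release the COM objects even when a call above throws; the null guards cover
         // objects that were never obtained. Order is unchanged: op, app, store, ctx.
         if (op != null)
         {
             System.Runtime.InteropServices.Marshal.FinalReleaseComObject(op);
         }
         if (app != null)
         {
             System.Runtime.InteropServices.Marshal.FinalReleaseComObject(app);
         }
         System.Runtime.InteropServices.Marshal.FinalReleaseComObject(store);
         if (ctx != null)
         {
             System.Runtime.InteropServices.Marshal.FinalReleaseComObject(ctx);
         }
     }
 }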
示例#14
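 /// <summary>
 /// Populates an AzMan store with <paramref name="n"/> applications, each holding
 /// <paramref name="n"/> operations, tasks, role definitions and roles, and reports
 /// the elapsed time in <c>txtAzManElapsed</c>.
 /// </summary>
 /// <remarks>
 /// Every generated role gets the current Windows account as a member, so the account
 /// running this fixture is authorised for every generated operation. Intended for a
 /// throw-away test store.
 /// </remarks>
 /// <param name="azManStorePath">Policy URL passed to the store's Initialize call.</param>
 /// <param name="n">Number of applications, and of operation/task/role sets per application.</param>
 private void CreaStrutturaSuAzMan(string azManStorePath, int n)
 {
     this.Clessidra(true);
     try
     {
         this.StartTimer();
         WindowsIdentity id = WindowsIdentity.GetCurrent();
         IAzAuthorizationStore store = new AzAuthorizationStoreClass();
         store.Initialize(0, azManStorePath, null);
         this.pb.Maximum = n - 1;
         for (int a = 0; a < n; a++)
         {
             IAzApplication app = store.CreateApplication("Application" + a.ToString(), null);
             app.Submit(0, null);
             this.pb.Value = a;
             // Keep the UI responsive while the store is being filled.
             Application.DoEvents();
             for (int i = 0; i < n; i++)
             {
                 string taskName = "Task" + i.ToString();
                 string roleName = "Role" + i.ToString();

                 // Operation IDs are 1-based.
                 IAzOperation op = app.CreateOperation("Operation" + i.ToString(), null);
                 op.OperationID = i + 1;
                 op.Submit(0, null);

                 IAzTask task = app.CreateTask(taskName, null);
                 task.AddOperation(op.Name, null);
                 task.Submit(0, null);

                 // A task flagged as role definition that wraps the task above.
                 IAzTask roleTask = app.CreateTask(roleName, null);
                 roleTask.IsRoleDefinition = 1;
                 roleTask.AddTask(taskName, null);
                 roleTask.Submit(0, null);

                 IAzRole role = app.CreateRole(roleName, null);
                 role.AddTask(roleName, null);
                 // Membership is granted by SID to the account running this code.
                 role.AddMember(id.User.Value, null);
                 role.Submit(0, null);
             }
         }
         this.StopTimer(this.txtAzManElapsed);
     }
     finally
     {
         // Undo the Clessidra(true) call even when an AzMan call throws, so the
         // form is not left in its busy state.
         this.Clessidra(false);
     }
 }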
示例#15
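 /// <summary>
 /// Asks the AzMan store whether the identity the current request is logged on as
 /// may perform the operation named in <c>txtOperation</c> in "Application Test".
 /// </summary>
 /// <returns>
 /// <c>true</c> only when AccessCheck returned one result per requested operation and
 /// every result is 0; <c>false</c> in every other case.
 /// </returns>
 private bool AzManTestCheckAccess()
 {
     WindowsIdentity identity = this.Request.LogonUserIdentity;
     string applicationName = "Application Test";
     // The operation name is taken as typed into the text box; it is only used to
     // look the operation up in the store below.
     string[] operations = new string[] { this.txtOperation.Text };
     // NOTE(review): store, application and client context are COM objects that are
     // not released here; confirm whether callers rely on finalization.
     AzAuthorizationStoreClass store = new AzAuthorizationStoreClass();
     store.Initialize(0, AzManStorePath, null);
     IAzApplication azApp = store.OpenApplication(applicationName, null);
     IAzClientContext clientCtx = azApp.InitializeClientContextFromToken((UInt64)identity.Token, null);
     // Build the business-rule name/value arrays (both empty: no parameters are passed).
     Object[] names = new Object[0];
     Object[] values = new Object[0];
     Object[] operationIds = new Object[operations.Length];
     for (Int32 index = 0; index < operations.Length; index++)
     {
         operationIds[index] = azApp.OpenOperation(operations[index], null).OperationID;
     }
     // One scope slot left unset. NOTE(review): presumably selects the application-level scope; confirm.
     Object[] internalScopes = new Object[1];
     Object[] result = (Object[])clientCtx.AccessCheck("AuditString", internalScopes, operationIds, names, values, null, null, null);
     // Fail closed: a missing or short result set must never read as "allowed".
     // Without this guard an empty array would fall through to "return true".
     if (result == null || result.Length != operationIds.Length)
     {
         return false;
     }
     foreach (Int32 checkStatus in result)
     {
         // Any non-zero status for an operation means access is not granted.
         if (checkStatus != 0)
         {
             return false;
         }
     }
     return true;
 }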