public override bool CheckAccess(OperationContext operationContext, ref Message message) { // Open the request message using an xml reader XmlReader xr = OperationContext.Current.IncomingMessageHeaders.GetReaderAtHeader(0); // Split the URL at the API name--Parameters junction indicated by the '?' character - taking the first string will ignore all parameters string[] urlSplit = xr.ReadElementContentAsString().Split('/'); // Extract just the API name and rest of the URL, which will be the last item in the split using '/' string[] apiSplit = urlSplit[3].Split('?'); // Logging the username and API name Tracer.WriteUserLog(apiSplit[0] + " request from user: "******"CheckAccess: Authorized"); return(true); } else { Tracer.WriteUserLog("CheckAccess: NOT Authorized"); return(false); } }
// Returns the most privileged role this user belongs to static internal authorizationRole GetCurrentUserMostPrivilegedRole() { try { ServiceSecurityContext context = OperationContext.Current.ServiceSecurityContext; WindowsIdentity windowsIdentity = context.WindowsIdentity; var principal = new WindowsPrincipal(windowsIdentity); // Extract domain + role names to check for access privilege // The first item before '\' is the domain name - extract it string[] usernameSplit = windowsIdentity.Name.Split('\\'); // Apend role names after the domain name string wcscmadminRole = usernameSplit[0] + "\\" + "WcsCmAdmin"; string wcscmoperatorRole = usernameSplit[0] + "\\" + "WcsCmOperator"; string wcscmuserRole = usernameSplit[0] + "\\" + "WcsCmUser"; if (principal.IsInRole("Administrators")) { Tracer.WriteUserLog("User({0}) belongs to Administrators group and hence belongs to WcsCmAdmin privilege role", windowsIdentity.Name); return(authorizationRole.WcsCmAdmin); } // Is user in local WcsCmAdmin group or domain's WcsCmAdmin group? if (principal.IsInRole("WcsCmAdmin") || principal.IsInRole(wcscmadminRole)) { Tracer.WriteUserLog("User({0}) belongs to WcsCmAdmin privilege role", windowsIdentity.Name); return(authorizationRole.WcsCmAdmin); } // Is user in local WcsCmOperator group or domain's WcsCmOperator group? if (principal.IsInRole("WcsCmOperator") || principal.IsInRole(wcscmoperatorRole)) { Tracer.WriteUserLog("User({0}) belongs to WcsCmOperator privilege role", windowsIdentity.Name); return(authorizationRole.WcsCmOperator); } // Is user in local WcsCmUser group or domain's WcsCmUser group? if (principal.IsInRole("WcsCmUser") || principal.IsInRole(wcscmuserRole)) { Tracer.WriteUserLog("User({0}) belongs to WcsCmUser privilege role", windowsIdentity.Name); return(authorizationRole.WcsCmUser); } // User not mapped to any standard roles Tracer.WriteWarning("GetCurrentUserMostPrivilegedRole: Current user({0}) not mapped to the standard WCS roles", windowsIdentity.Name); Tracer.WriteUserLog("GetCurrentUserMostPrivilegedRole: Current user({0}) not mapped to the standard WCS roles", windowsIdentity.Name); } catch (Exception ex) { Tracer.WriteError("User Authorization check exception was thrown: " + ex); } // Return as unauthorized if the user do not belong to any of the category or if there is an exception return(authorizationRole.WcsCmUnAuthorized); }
public Contracts.ChassisResponse StopSerialPortConsole(int portID, string sessionToken, bool forceKillExistingSession = false) { Contracts.ChassisResponse response = new Contracts.ChassisResponse(); response.completionCode = Contracts.CompletionCode.Failure; this.portId = portID; Tracer.WriteInfo("Received StopSerialPortConsole({0}) with sessionToken({1}) and forcekill({2})", this.portId, sessionToken, forceKillExistingSession); Tracer.WriteUserLog("Received StopSerialPortConsole({0}) with sessionToken({1}) and forcekill({2})", this.portId, sessionToken, forceKillExistingSession); int currPort = this.portId; // If there is NOT an already existing serial session (indicated by an invalid sessionToken), return failure with appropriate completion code if (CompareAndSwapMetadata(ConfigLoaded.InactiveSerialPortSessionToken, ConfigLoaded.InactiveSerialPortSessionToken) == CompletionCode.Success) { Tracer.WriteError("StopSerialPortConsole({0}): Stop failed because of no active session.", portID); response.completionCode = Contracts.CompletionCode.NoActiveSerialSession; return(response); } if (!forceKillExistingSession) { // If this do not currently hold the serial session, return failure if (CompareAndSwapMetadata(sessionToken, sessionToken) != CompletionCode.Success) { response.completionCode = Contracts.CompletionCode.SerialSessionActive; return(response); } // else proceed further to stop the session } else { // else force kill the current session } // Ipmi command to indicate end of serial session if (!ResetMetadata()) { Tracer.WriteError("StopSerialPortConsole({0}): Unable to reset metadata", this.portId); } SerialPortConsole currConsole = new SerialPortConsole((byte)currPort); SerialStatusPacket serialStatus = new SerialStatusPacket(); serialStatus = currConsole.closeSerialPortConsole(); if (serialStatus.completionCode != CompletionCode.Success) { Tracer.WriteError("StopSerialConsolePort({0}): Error in closeserialportconsole()", currPort); return(response); } response.completionCode = Contracts.CompletionCode.Success; return(response); }
public override bool CheckAccess(OperationContext operationContext, ref Message message) { // Open the request message using an xml reader XmlReader xr = OperationContext.Current.IncomingMessageHeaders.GetReaderAtHeader(0); // Split the URL at the API name--Parameters junction indicated by the '?' character - taking the first string will ignore all parameters string[] urlSplit = xr.ReadElementContentAsString().Split('/'); // Extract just the API name and rest of the URL, which will be the last item in the split using '/' string[] apiSplit = urlSplit[3].Split('?'); // Logging the username and API name Tracer.WriteUserLog(apiSplit[0] + " request from user: "******"Client IP address : " + ip); } // If the most-privileged-role that this user belongs has access to this api, then allow access, otherwise deny access // Returning true will allow the user to execute the actual API function; Returning false will deny access to the user // TODO: May be we should send back a HTTP error code; will include this after shivi checks in her code if (ChassisManagerSecurity.GetCurrentUserMostPrivilegedRole() <= ChassisManagerSecurity.GetCurrentApiLeastPrivilegedRole(apiSplit[0])) { Tracer.WriteUserLog("CheckAccess: Authorized"); return(true); } else { Tracer.WriteUserLog("CheckAccess: NOT Authorized"); return(false); } }