unclshura/dbMango
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity
dbMango/Rms.Risk.Mango/Services/Security/DatabaseAccessAuthorizationHandler.cs
Alexander Shabarshov 2a7a24c9e7 Initial contribution
2025-11-03 14:43:26 +00:00

192 lines
5.9 KiB
C#
Raw Blame History

This file contains invisible Unicode characters

This file contains invisible Unicode characters that are indistinguishable to humans but may be processed differently by a computer. If you think that this is intentional, you can safely ignore this warning. Use the Escape button to reveal them.

/*
* dbMango
*
* Copyright 2025 Deutsche Bank AG
* SPDX-License-Identifier: Apache-2.0
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/
using System.Security.Claims;
using Microsoft.AspNetCore.Authorization;
using Novell.Directory.Ldap;
using Rms.Risk.Mango.Interfaces;
using Rms.Risk.Mango.Services.Context;
using Rms.Service.Bootstrap.Security;
// ReSharper disable InconsistentNaming
namespace Rms.Risk.Mango.Services.Security;
public class AdminAccessRequirement : IAuthorizationRequirement;
public class ReadAccessRequirement : IAuthorizationRequirement;
public class WriteAccessRequirement : IAuthorizationRequirement;
public class AdminAuthorizationHandler(IDatabaseConfigurationService _databases, LdapChecker _ldap)
: AuthorizationHandler<AdminAccessRequirement, string>
{
protected override async Task HandleRequirementAsync(
AuthorizationHandlerContext context,
AdminAccessRequirement requirement,
string /*database name*/ resource)
{
using var cts = new CancellationTokenSource(DatabaseConfigurationService.DefaultTimeout);
var error = await HandleRequirement(
_databases,
_ldap,
context.User,
resource,
x => x.Admin,
cts.Token
);
if (error == null)
context.Succeed(requirement);
else
context.Fail(new(this, error));
}
public static async Task<string?> HandleRequirement(
IDatabaseConfigurationService config,
LdapChecker ldap,
ClaimsPrincipal user,
string database,
Func<DatabasesConfig.DatabaseConfig.LdapGroups, string> getAcl,
CancellationToken token)
{
if (string.IsNullOrWhiteSpace(database))
return null;
if (!config.Databases.TryGetValue(database, out var conf))
return $"Database {database} is not configured";
var requiredGroup = getAcl(conf.Groups);
if (string.IsNullOrWhiteSpace(requiredGroup))
return null;
try
{
var success = await ldap.IsGroupMember(UserService.GetEmail(user), requiredGroup, token);
return success
? null
: $"To access database {database} user should be a member of the group: {requiredGroup}"
;
}
catch (LdapException ex)
{
return $"To access database {database} user should be a member of the group: {requiredGroup}. Exception: {ex.LdapErrorMessage}";
}
catch (Exception ex)
{
return $"To access database {database} user should be a member of the group: {requiredGroup}. Exception: {ex.Message}";
}
}
}
public class ReadWriteAuthorizationHandler(IDatabaseConfigurationService _databases, LdapChecker _ldap)
: AuthorizationHandler<WriteAccessRequirement, string>
{
protected override async Task HandleRequirementAsync(
AuthorizationHandlerContext context,
WriteAccessRequirement requirement,
string /*database name*/ resource)
{
using var cts = new CancellationTokenSource(DatabaseConfigurationService.DefaultTimeout);
var error = await AdminAuthorizationHandler.HandleRequirement(
_databases,
_ldap,
context.User,
resource,
x => x.Admin,
cts.Token
);
if (error == null)
{
context.Succeed(requirement);
return;
}
error = await AdminAuthorizationHandler.HandleRequirement(
_databases,
_ldap,
context.User,
resource,
x => x.ReadWrite,
cts.Token
);
if (error == null)
context.Succeed(requirement);
else
context.Fail(new(this, error));
}
}
public class ReadOnlyAuthorizationHandler(IDatabaseConfigurationService _databases, LdapChecker _ldap)
: AuthorizationHandler<ReadAccessRequirement, string>
{
protected override async Task HandleRequirementAsync(
AuthorizationHandlerContext context,
ReadAccessRequirement requirement,
string /*database name*/ resource)
{
using var cts = new CancellationTokenSource(DatabaseConfigurationService.DefaultTimeout);
var error = await AdminAuthorizationHandler.HandleRequirement(
_databases,
_ldap,
context.User,
resource,
x => x.ReadWrite,
cts.Token);
if (error == null)
{
context.Succeed(requirement);
return;
}
error = await AdminAuthorizationHandler.HandleRequirement(
_databases,
_ldap,
context.User,
resource,
x => x.Admin,
cts.Token
);
if (error == null)
{
context.Succeed(requirement);
return;
}
error = await AdminAuthorizationHandler.HandleRequirement(
_databases,
_ldap,
context.User,
resource,
x => x.ReadOnly,
cts.Token
);
if (error == null)
context.Succeed(requirement);
else
context.Fail(new(this, error));
}
}
Reference in New Issue View Git Blame Copy Permalink