jessikitty/Disco
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Authorization Logging #24

Browse Source 
Record 'Access Denied' and any changes to Authorization Roles.
This commit is contained in:
Gary Sharp
2013-10-15 16:13:41 +11:00
parent 7b62eabeee
commit 017b1435d8
14 changed files with 515 additions and 223 deletions
Download Patch File Download Diff File Expand all files Collapse all files
Disco.Web/Areas/API/Controllers/AuthorizationRoleController.cs
+28 -5
View File
@@ -3,6 +3,7 @@ using Disco.BI.Interop.ActiveDirectory;
using Disco.Models.Interop.ActiveDirectory;
using Disco.Models.Repository;
using Disco.Services.Authorization;
using Disco.Services.Authorization.Roles;
using Disco.Services.Users;
using Disco.Services.Web;
using System;
@@ -71,24 +72,37 @@ namespace Disco.Web.Areas.API.Controllers
{
throw new Exception("An Authorization Role with that name already exists");
}
var oldRoleName = AuthorizationRole.Name;
AuthorizationRole.Name = Name;
UserService.UpdateAuthorizationRole(Database, AuthorizationRole);
AuthorizationLog.LogRoleConfiguredRenamed(AuthorizationRole, CurrentUser.Id, oldRoleName);
}
}
}
private void UpdateClaims(AuthorizationRole AuthorizationRole, string[] ClaimKeys)
{
var claims = Claims.BuildClaims(ClaimKeys);
AuthorizationRole.SetClaims(claims);
var proposedClaims = Claims.BuildClaims(ClaimKeys);
var currentToken = RoleToken.FromAuthorizationRole(AuthorizationRole);
var currentClaimKeys = Claims.GetClaimKeys(currentToken.Claims);
var removedClaims = currentClaimKeys.Except(ClaimKeys).ToArray();
var addedClaims = ClaimKeys.Except(currentClaimKeys).ToArray();
AuthorizationRole.SetClaims(proposedClaims);
UserService.UpdateAuthorizationRole(Database, AuthorizationRole);
if (removedClaims.Length > 0)
AuthorizationLog.LogRoleConfiguredClaimsRemoved(AuthorizationRole, CurrentUser.Id, removedClaims);
if (addedClaims.Length > 0)
AuthorizationLog.LogRoleConfiguredClaimsAdded(AuthorizationRole, CurrentUser.Id, addedClaims);
}
private void UpdateSubjects(AuthorizationRole AuthorizationRole, string[] Subjects)
{
string subjectIds = null;
string[] removedSubjects = null;
string[] addedSubjects = null;
// Validate Subjects
if (Subjects != null && Subjects.Length > 0)
@@ -99,7 +113,12 @@ namespace Disco.Web.Areas.API.Controllers
if (invalidSubjects.Count > 0)
throw new ArgumentException(string.Format("Subjects not found: {0}", string.Join(", ", invalidSubjects)), "Subjects");
subjectIds = string.Join(",", subjects.Select(s => s.Item2.SamAccountName).OrderBy(s => s));
var proposedSubjects = subjects.Select(s => s.Item2.SamAccountName).OrderBy(s => s).ToArray();
var currentSubjects = AuthorizationRole.SubjectIds.Split(',');
removedSubjects = currentSubjects.Except(proposedSubjects).ToArray();
addedSubjects = proposedSubjects.Except(currentSubjects).ToArray();
subjectIds = string.Join(",", proposedSubjects);
if (string.IsNullOrEmpty(subjectIds))
subjectIds = null;
@@ -109,6 +128,11 @@ namespace Disco.Web.Areas.API.Controllers
{
AuthorizationRole.SubjectIds = subjectIds;
UserService.UpdateAuthorizationRole(Database, AuthorizationRole);
if (removedSubjects != null && removedSubjects.Length > 0)
AuthorizationLog.LogRoleConfiguredSubjectsRemoved(AuthorizationRole, CurrentUser.Id, removedSubjects);
if (addedSubjects != null && addedSubjects.Length > 0)
AuthorizationLog.LogRoleConfiguredSubjectsAdded(AuthorizationRole, CurrentUser.Id, addedSubjects);
}
}
@@ -189,7 +213,6 @@ namespace Disco.Web.Areas.API.Controllers
if (ar != null)
{
ar.Delete(Database);
Database.SaveChanges();
if (redirect.HasValue && redirect.Value)
return RedirectToAction(MVC.Config.AuthorizationRole.Index(null));
Disco.Web/Controllers/PluginWebHandlerController.cs
+4
View File
@@ -6,6 +6,7 @@ using System.Web;
using System.Web.Mvc;
using Disco.Services.Plugins;
using Disco.Services.Authorization;
using Disco.Services.Users;
namespace Disco.Web.Controllers
{
@@ -28,6 +29,9 @@ namespace Disco.Web.Controllers
}
catch (AccessDeniedException accessDeniedException)
{
if (UserService.CurrentUserId != null)
AuthorizationLog.LogAccessDenied(UserService.CurrentUserId, string.Format("{0} [{1}]", accessDeniedException.Resource, Request.RawUrl), accessDeniedException.Message);
return new HttpUnauthorizedResult(accessDeniedException.Message);
}
}
Disco.Web/Global.asax.cs
+20 -8
View File
@@ -1,17 +1,14 @@
using System;
using System.Collections.Generic;
using Disco.Data.Repository;
using Disco.Services.Authorization;
using Disco.Services.Users;
using System;
using System.Configuration;
using System.Diagnostics;
using System.Linq;
using System.Net;
using System.Security.Principal;
using System.Web;
using System.Web.Http;
using System.Web.Mvc;
using System.Web.Routing;
using Disco.Data.Repository;
using Disco.Models.Repository;
using Disco.Services.Users;
namespace Disco.Web
{
@@ -219,7 +216,22 @@ namespace Disco.Web
{
try
{
Disco.Services.Logging.SystemLog.LogException("Global Application Exception Caught", Server.GetLastError());
var ex = Server.GetLastError();
if (ex is AccessDeniedException)
{
var accessDeniedException = (AccessDeniedException)ex;
var resource = accessDeniedException.Resource;
var httpContext = HttpContext.Current;
if (httpContext != null && httpContext.Request != null)
resource = string.Format("{0} [{1}]", resource, httpContext.Request.RawUrl);
AuthorizationLog.LogAccessDenied(UserService.CurrentUserId ?? "[Anonymous]", resource, accessDeniedException.Message);
}
else
{
Disco.Services.Logging.SystemLog.LogException("Global Application Exception Caught", ex);
}
}
catch (Exception)
{