jessikitty/Disco
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

feature: flag permissions

Browse Source 
feature: flag permissions
This commit is contained in:
Gary Sharp
2025-07-20 10:45:55 +10:00
parent 7deead494b
commit be7ee4cae8
72 changed files with 5590 additions and 2109 deletions
Download Patch File Download Diff File Expand all files Collapse all files
Disco.Services/Authorization/Claims.cs
+24 -16
View File
@@ -18,7 +18,7 @@ namespace Disco.Services.Authorization
static Claims()
{
#region Role Claim Dictionary
#region Role Claim Dictionary
_roleClaims = new Dictionary<string, Tuple<Func<RoleClaims, bool>, Action<RoleClaims, bool>, string, string, bool>>()
{
{ "Config.DeviceCertificate.DownloadCertificates", new Tuple<Func<RoleClaims, bool>, Action<RoleClaims, bool>, string, string, bool>(c => c.Config.DeviceCertificate.DownloadCertificates, (c, v) => c.Config.DeviceCertificate.DownloadCertificates = v, "Download Certificates", "Can download certificates", false) },
@@ -242,9 +242,9 @@ namespace Disco.Services.Authorization
{ "ComputerAccount", new Tuple<Func<RoleClaims, bool>, Action<RoleClaims, bool>, string, string, bool>(c => c.ComputerAccount, (c, v) => c.ComputerAccount = v, "Computer Account", "Represents a computer account", true) },
{ "DiscoAdminAccount", new Tuple<Func<RoleClaims, bool>, Action<RoleClaims, bool>, string, string, bool>(c => c.DiscoAdminAccount, (c, v) => c.DiscoAdminAccount = v, "Disco Administrator Account", "Represents a Disco ICT Administrator account", true) }
};
#endregion
#endregion
#region Role Claim Navigator
#region Role Claim Navigator
_claimNavigator =
new ClaimNavigatorItem("Claims", "Permissions", "Top-level node for all permissions", false, new List<IClaimNavigatorItem>() {
new ClaimNavigatorItem("Config", "Configuration", "Permissions related to Disco ICT Configuration", false, new List<IClaimNavigatorItem>() {
@@ -524,7 +524,7 @@ namespace Disco.Services.Authorization
new ClaimNavigatorItem("ComputerAccount", true),
new ClaimNavigatorItem("DiscoAdminAccount", true)
});
#endregion
#endregion
}
public static ClaimNavigatorItem RoleClaimNavigator
@@ -532,31 +532,36 @@ namespace Disco.Services.Authorization
get { return _claimNavigator; }
}
internal static Tuple<Func<RoleClaims, bool>, Action<RoleClaims, bool>, string, string, bool> GetClaimDefinition(string ClaimKey) {
internal static Tuple<Func<RoleClaims, bool>, Action<RoleClaims, bool>, string, string, bool> GetClaimDefinition(string ClaimKey)
{
if (_roleClaims.TryGetValue(ClaimKey, out var claimDef))
return claimDef;
throw new ArgumentException("Unknown Claim Key", nameof(ClaimKey));
}
public static Func<RoleClaims, bool> GetClaimAccessor(string ClaimKey) {
public static Func<RoleClaims, bool> GetClaimAccessor(string ClaimKey)
{
if (_roleClaims.TryGetValue(ClaimKey, out var claimDef))
return claimDef.Item1;
throw new ArgumentException("Unknown Claim Key", nameof(ClaimKey));
}
public static Action<RoleClaims, bool> GetClaimSetter(string ClaimKey) {
public static Action<RoleClaims, bool> GetClaimSetter(string ClaimKey)
{
if (_roleClaims.TryGetValue(ClaimKey, out var claimDef))
return claimDef.Item2;
throw new ArgumentException("Unknown Claim Key", nameof(ClaimKey));
}
public static Tuple<string, string, bool> GetClaimDetails(string ClaimKey) {
public static Tuple<string, string, bool> GetClaimDetails(string ClaimKey)
{
if (_roleClaims.TryGetValue(ClaimKey, out var claimDef))
return Tuple.Create(claimDef.Item3, claimDef.Item4, claimDef.Item5);
throw new ArgumentException("Unknown Claim Key", "ClaimKey");
}
public static RoleClaims BuildClaims(IEnumerable<string> ClaimKeys){
public static RoleClaims BuildClaims(IEnumerable<string> ClaimKeys)
{
var c = new RoleClaims();
foreach (var claimKey in ClaimKeys)
c.Set(claimKey, true);
@@ -570,9 +575,10 @@ namespace Disco.Services.Authorization
return _roleClaims.Where(rc => rc.Value.Item1(claims)).Select(rc => rc.Key).ToList();
}
public static RoleClaims AdministratorClaims() {
public static RoleClaims AdministratorClaims()
{
var c = new RoleClaims();
#region Set All Administrator Claims
#region Set All Administrator Claims
c.Config.DeviceCertificate.DownloadCertificates = true;
c.Config.Enrolment.Configure = true;
c.Config.Enrolment.DownloadBootstrapper = true;
@@ -792,17 +798,19 @@ namespace Disco.Services.Authorization
c.User.ShowFlagAssignments = true;
c.User.ShowJobs = true;
c.DiscoAdminAccount = true;
#endregion
#endregion
return c;
}
public static RoleClaims ComputerAccountClaims() {
return new RoleClaims() {
public static RoleClaims ComputerAccountClaims()
{
return new RoleClaims()
{
ComputerAccount = true
};
}
#region Role Claim Constants
#region Role Claim Constants
/// <summary>Configuration
/// <para>Permissions related to Disco ICT Configuration</para>
@@ -2099,7 +2107,7 @@ namespace Disco.Services.Authorization
/// <para>Represents a Disco ICT Administrator account</para>
/// </summary>
public const string DiscoAdminAccount = "DiscoAdminAccount";
#endregion
#endregion
}
public static class ClaimExtensions
{
Disco.Services/Authorization/Claims.tt
+24 -16
View File
@@ -66,17 +66,17 @@ namespace Disco.Services.Authorization
static Claims()
{
#region Role Claim Dictionary
#region Role Claim Dictionary
_roleClaims = new Dictionary<string, Tuple<Func<RoleClaims, bool>, Action<RoleClaims, bool>, string, string, bool>>()
{
<#WriteAccessHashes(permissionRoot);#>
};
#endregion
#endregion
#region Role Claim Navigator
#region Role Claim Navigator
_claimNavigator =
<#WriteNavigator(permissionRoot);#>;
#endregion
#endregion
}
public static ClaimNavigatorItem RoleClaimNavigator
@@ -84,31 +84,36 @@ namespace Disco.Services.Authorization
get { return _claimNavigator; }
}
internal static Tuple<Func<RoleClaims, bool>, Action<RoleClaims, bool>, string, string, bool> GetClaimDefinition(string ClaimKey) {
internal static Tuple<Func<RoleClaims, bool>, Action<RoleClaims, bool>, string, string, bool> GetClaimDefinition(string ClaimKey)
{
if (_roleClaims.TryGetValue(ClaimKey, out var claimDef))
return claimDef;
throw new ArgumentException("Unknown Claim Key", nameof(ClaimKey));
}
public static Func<RoleClaims, bool> GetClaimAccessor(string ClaimKey) {
public static Func<RoleClaims, bool> GetClaimAccessor(string ClaimKey)
{
if (_roleClaims.TryGetValue(ClaimKey, out var claimDef))
return claimDef.Item1;
throw new ArgumentException("Unknown Claim Key", nameof(ClaimKey));
}
public static Action<RoleClaims, bool> GetClaimSetter(string ClaimKey) {
public static Action<RoleClaims, bool> GetClaimSetter(string ClaimKey)
{
if (_roleClaims.TryGetValue(ClaimKey, out var claimDef))
return claimDef.Item2;
throw new ArgumentException("Unknown Claim Key", nameof(ClaimKey));
}
public static Tuple<string, string, bool> GetClaimDetails(string ClaimKey) {
public static Tuple<string, string, bool> GetClaimDetails(string ClaimKey)
{
if (_roleClaims.TryGetValue(ClaimKey, out var claimDef))
return Tuple.Create(claimDef.Item3, claimDef.Item4, claimDef.Item5);
throw new ArgumentException("Unknown Claim Key", "ClaimKey");
}
public static RoleClaims BuildClaims(IEnumerable<string> ClaimKeys){
public static RoleClaims BuildClaims(IEnumerable<string> ClaimKeys)
{
var c = new RoleClaims();
foreach (var claimKey in ClaimKeys)
c.Set(claimKey, true);
@@ -122,23 +127,26 @@ namespace Disco.Services.Authorization
return _roleClaims.Where(rc => rc.Value.Item1(claims)).Select(rc => rc.Key).ToList();
}
public static RoleClaims AdministratorClaims() {
public static RoleClaims AdministratorClaims()
{
var c = new RoleClaims();
#region Set All Administrator Claims
#region Set All Administrator Claims
<#WriteAdministratorClaims(permissionRoot);#>
#endregion
#endregion
return c;
}
public static RoleClaims ComputerAccountClaims() {
return new RoleClaims() {
public static RoleClaims ComputerAccountClaims()
{
return new RoleClaims()
{
ComputerAccount = true
};
}
#region Role Claim Constants
#region Role Claim Constants
<#WritePermissionConsts(permissionRoot);#>
#endregion
#endregion
}
public static class ClaimExtensions
{
Disco.Services/Authorization/Roles/RoleCache.cs
+44 -58
View File
@@ -4,6 +4,7 @@ using Disco.Models.Services.Authorization;
using Disco.Services.Interop.ActiveDirectory;
using Newtonsoft.Json;
using System;
using System.Collections.Concurrent;
using System.Collections.Generic;
using System.Linq;
@@ -16,41 +17,41 @@ namespace Disco.Services.Authorization.Roles
internal const string ClaimsJsonEmpty = "null";
internal static readonly string[] _RequiredAdministratorSubjectIds = new string[] { "Domain Admins" };
private static List<RoleToken> _Cache;
private static ConcurrentDictionary<int, RoleToken> cache;
private static RoleToken _AdministratorToken;
internal static void Initialize(DiscoDataContext Database)
internal static void Initialize(DiscoDataContext database)
{
MigrateAuthorizationRoles(Database);
MigrateAuthorizationRoles(database);
_Cache = Database.AuthorizationRoles.ToList().Select(ar => RoleToken.FromAuthorizationRole(ar)).ToList();
cache = new ConcurrentDictionary<int, RoleToken>(database.AuthorizationRoles.ToList().Select(ar => RoleToken.FromAuthorizationRole(ar)).ToDictionary(r => r.Role.Id));
// Add System Roles
AddSystemRoles(Database);
AddSystemRoles(database);
}
private static void AddSystemRoles(DiscoDataContext Database)
private static void AddSystemRoles(DiscoDataContext database)
{
// Disco Administrators
_AdministratorToken = RoleToken.FromAuthorizationRole(new AuthorizationRole()
{
Id = AdministratorsTokenId,
Name = "Disco Administrators",
SubjectIds = string.Join(",", GenerateAdministratorSubjectIds(Database))
SubjectIds = string.Join(",", GenerateAdministratorSubjectIds(database))
}, Claims.AdministratorClaims());
_Cache.Add(_AdministratorToken);
cache.TryAdd(AdministratorsTokenId, _AdministratorToken);
// Computer Accounts
_Cache.Add(RoleToken.FromAuthorizationRole(new AuthorizationRole()
cache.TryAdd(ComputerAccountTokenId, RoleToken.FromAuthorizationRole(new AuthorizationRole()
{
Id = ComputerAccountTokenId,
Name = "Domain Computer Account"
}, Claims.ComputerAccountClaims()));
}
private static IEnumerable<string> GenerateAdministratorSubjectIds(DiscoDataContext Database)
private static IEnumerable<string> GenerateAdministratorSubjectIds(DiscoDataContext database)
{
var configuredSubjectIds = Database.DiscoConfiguration.Administrators.Split(new char[] { ',' }, StringSplitOptions.RemoveEmptyEntries).Select(s => ActiveDirectory.ParseDomainAccountId(s));
var configuredSubjectIds = database.DiscoConfiguration.Administrators.Split(new char[] { ',' }, StringSplitOptions.RemoveEmptyEntries).Select(s => ActiveDirectory.ParseDomainAccountId(s));
return RequiredAdministratorSubjectIds
.Concat(configuredSubjectIds)
@@ -58,94 +59,79 @@ namespace Disco.Services.Authorization.Roles
.OrderBy(s => s);
}
public static IEnumerable<string> RequiredAdministratorSubjectIds
{
get
{
return _RequiredAdministratorSubjectIds.Select(s => ActiveDirectory.ParseDomainAccountId(s));
}
}
=> _RequiredAdministratorSubjectIds.Select(s => ActiveDirectory.ParseDomainAccountId(s));
public static IEnumerable<string> AdministratorSubjectIds
{
get
{
return _AdministratorToken.SubjectIds.ToList();
}
}
=> _AdministratorToken.SubjectIds.ToList();
public static void UpdateAdministratorSubjectIds(DiscoDataContext Database, IEnumerable<string> SubjectIds)
public static void UpdateAdministratorSubjectIds(DiscoDataContext database, IEnumerable<string> subjectIds)
{
// Clean
SubjectIds = SubjectIds
subjectIds = subjectIds
.Where(s => !string.IsNullOrWhiteSpace(s))
.Concat(RequiredAdministratorSubjectIds)
.Distinct(StringComparer.OrdinalIgnoreCase)
.OrderBy(s => s);
var subjectIdsString = string.Join(",", SubjectIds);
var subjectIdsString = string.Join(",", subjectIds);
// Update Database
Database.DiscoConfiguration.Administrators = subjectIdsString;
Database.SaveChanges();
database.DiscoConfiguration.Administrators = subjectIdsString;
database.SaveChanges();
// Update State
_AdministratorToken.SubjectIds = SubjectIds.ToList();
_AdministratorToken.SubjectIdHashes = new HashSet<string>(SubjectIds, StringComparer.OrdinalIgnoreCase);
_AdministratorToken.SubjectIds = subjectIds.ToList();
_AdministratorToken.SubjectIdHashes = new HashSet<string>(subjectIds, StringComparer.OrdinalIgnoreCase);
}
/// <summary>
/// Create a clone of an Authorization Role
/// <para>Creates immutable clones to avoid side-effects</para>
/// </summary>
/// <param name="TemplateRole">Authorization Role to Clone</param>
/// <param name="templateRole">Authorization Role to Clone</param>
/// <returns>A copy of the Authorization Role</returns>
private static AuthorizationRole CloneAuthoriationRole(AuthorizationRole TemplateRole)
private static AuthorizationRole CloneAuthoriationRole(AuthorizationRole templateRole)
{
return new AuthorizationRole()
{
Id = TemplateRole.Id,
Name = TemplateRole.Name,
ClaimsJson = TemplateRole.ClaimsJson,
SubjectIds = TemplateRole.SubjectIds
Id = templateRole.Id,
Name = templateRole.Name,
ClaimsJson = templateRole.ClaimsJson,
SubjectIds = templateRole.SubjectIds
};
}
internal static RoleToken AddRole(AuthorizationRole Role)
{
var token = RoleToken.FromAuthorizationRole(CloneAuthoriationRole(Role));
_Cache.Add(token);
return token;
}
internal static void RemoveRole(AuthorizationRole Role)
{
var token = GetRoleToken(Role.Id);
if (token != null)
_Cache.Remove(token);
cache.TryRemove(Role.Id, out _);
}
internal static RoleToken UpdateRole(AuthorizationRole Role)
internal static RoleToken AddOrUpdateRole(AuthorizationRole role)
{
RemoveRole(Role);
return AddRole(Role);
var token = RoleToken.FromAuthorizationRole(CloneAuthoriationRole(role));
cache.AddOrUpdate(token.Role.Id, token, (i, e) => token);
return token;
}
internal static RoleToken GetRoleToken(int Id)
internal static RoleToken GetRoleToken(int id)
{
return _Cache.FirstOrDefault(t => t.Role.Id == Id);
if (cache.TryGetValue(id, out var result))
return result;
else
return null;
}
internal static RoleToken GetRoleToken(string SecurityGroup)
internal static RoleToken GetRoleToken(string securityGroup)
{
return _Cache.FirstOrDefault(t => t.SubjectIdHashes.Contains(SecurityGroup));
return cache.Values.FirstOrDefault(t => t.SubjectIdHashes.Contains(securityGroup));
}
internal static List<IRoleToken> GetRoleTokens(IEnumerable<string> SecurityGroup)
internal static List<IRoleToken> GetRoleTokens(IEnumerable<string> securityGroups)
{
return _Cache.Where(t => SecurityGroup.Any(sg => t.SubjectIdHashes.Contains(sg))).Cast<IRoleToken>().ToList();
return cache.Values.Where(t => securityGroups.Any(sg => t.SubjectIdHashes.Contains(sg))).Cast<IRoleToken>().ToList();
}
internal static List<IRoleToken> GetRoleTokens(IEnumerable<string> SecurityGroup, User User)
internal static List<IRoleToken> GetRoleTokens(IEnumerable<string> securityGroups, User user)
{
var subjectIds = SecurityGroup.Concat(new string[] { User.UserId });
var subjectIds = securityGroups.Concat(new string[] { user.UserId });
return _Cache.Where(t => subjectIds.Any(sg => t.SubjectIdHashes.Contains(sg))).Cast<IRoleToken>().ToList();
return cache.Values.Where(t => subjectIds.Any(sg => t.SubjectIdHashes.Contains(sg))).Cast<IRoleToken>().ToList();
}
/// <summary>