Gary Sharp
214 lines
9.2 KiB
C#
214 lines
9.2 KiB
C#
using Disco.Data.Repository;
|
|
using Disco.Models.Repository;
|
|
using Disco.Models.Services.Authorization;
|
|
using Disco.Services.Interop.ActiveDirectory;
|
|
using Newtonsoft.Json;
|
|
using System;
|
|
using System.Collections.Concurrent;
|
|
using System.Collections.Generic;
|
|
using System.Linq;
|
|
|
|
namespace Disco.Services.Authorization.Roles
|
|
{
|
|
internal static class RoleCache
|
|
{
|
|
internal const int AdministratorsTokenId = -1;
|
|
internal const int ComputerAccountTokenId = -200;
|
|
internal const string ClaimsJsonEmpty = "null";
|
|
internal static readonly string[] _RequiredAdministratorSubjectIds = new string[] { "Domain Admins" };
|
|
|
|
private static ConcurrentDictionary<int, RoleToken> cache;
|
|
private static RoleToken _AdministratorToken;
|
|
|
|
internal static void Initialize(DiscoDataContext database)
|
|
{
|
|
MigrateAuthorizationRoles(database);
|
|
|
|
cache = new ConcurrentDictionary<int, RoleToken>(database.AuthorizationRoles.ToList().Select(ar => RoleToken.FromAuthorizationRole(ar)).ToDictionary(r => r.Role.Id));
|
|
|
|
// Add System Roles
|
|
AddSystemRoles(database);
|
|
}
|
|
|
|
private static void AddSystemRoles(DiscoDataContext database)
|
|
{
|
|
// Disco Administrators
|
|
_AdministratorToken = RoleToken.FromAuthorizationRole(new AuthorizationRole()
|
|
{
|
|
Id = AdministratorsTokenId,
|
|
Name = "Disco Administrators",
|
|
SubjectIds = string.Join(",", GenerateAdministratorSubjectIds(database))
|
|
}, Claims.AdministratorClaims());
|
|
cache.TryAdd(AdministratorsTokenId, _AdministratorToken);
|
|
|
|
// Computer Accounts
|
|
cache.TryAdd(ComputerAccountTokenId, RoleToken.FromAuthorizationRole(new AuthorizationRole()
|
|
{
|
|
Id = ComputerAccountTokenId,
|
|
Name = "Domain Computer Account"
|
|
}, Claims.ComputerAccountClaims()));
|
|
}
|
|
|
|
private static IEnumerable<string> GenerateAdministratorSubjectIds(DiscoDataContext database)
|
|
{
|
|
var configuredSubjectIds = database.DiscoConfiguration.Administrators.Split(new char[] { ',' }, StringSplitOptions.RemoveEmptyEntries).Select(s => ActiveDirectory.ParseDomainAccountId(s));
|
|
|
|
return RequiredAdministratorSubjectIds
|
|
.Concat(configuredSubjectIds)
|
|
.Distinct(StringComparer.OrdinalIgnoreCase)
|
|
.OrderBy(s => s);
|
|
}
|
|
public static IEnumerable<string> RequiredAdministratorSubjectIds
|
|
=> _RequiredAdministratorSubjectIds.Select(s => ActiveDirectory.ParseDomainAccountId(s));
|
|
public static IEnumerable<string> AdministratorSubjectIds
|
|
=> _AdministratorToken.SubjectIds.ToList();
|
|
|
|
public static void UpdateAdministratorSubjectIds(DiscoDataContext database, IEnumerable<string> subjectIds)
|
|
{
|
|
// Clean
|
|
subjectIds = subjectIds
|
|
.Where(s => !string.IsNullOrWhiteSpace(s))
|
|
.Concat(RequiredAdministratorSubjectIds)
|
|
.Distinct(StringComparer.OrdinalIgnoreCase)
|
|
.OrderBy(s => s);
|
|
|
|
var subjectIdsString = string.Join(",", subjectIds);
|
|
|
|
// Update Database
|
|
database.DiscoConfiguration.Administrators = subjectIdsString;
|
|
database.SaveChanges();
|
|
|
|
// Update State
|
|
_AdministratorToken.SubjectIds = subjectIds.ToList();
|
|
_AdministratorToken.SubjectIdHashes = new HashSet<string>(subjectIds, StringComparer.OrdinalIgnoreCase);
|
|
}
|
|
|
|
/// <summary>
|
|
/// Create a clone of an Authorization Role
|
|
/// <para>Creates immutable clones to avoid side-effects</para>
|
|
/// </summary>
|
|
/// <param name="templateRole">Authorization Role to Clone</param>
|
|
/// <returns>A copy of the Authorization Role</returns>
|
|
private static AuthorizationRole CloneAuthoriationRole(AuthorizationRole templateRole)
|
|
{
|
|
return new AuthorizationRole()
|
|
{
|
|
Id = templateRole.Id,
|
|
Name = templateRole.Name,
|
|
ClaimsJson = templateRole.ClaimsJson,
|
|
SubjectIds = templateRole.SubjectIds
|
|
};
|
|
}
|
|
|
|
internal static void RemoveRole(AuthorizationRole Role)
|
|
{
|
|
cache.TryRemove(Role.Id, out _);
|
|
}
|
|
|
|
internal static RoleToken AddOrUpdateRole(AuthorizationRole role)
|
|
{
|
|
var token = RoleToken.FromAuthorizationRole(CloneAuthoriationRole(role));
|
|
cache.AddOrUpdate(token.Role.Id, token, (i, e) => token);
|
|
return token;
|
|
}
|
|
|
|
internal static RoleToken GetRoleToken(int id)
|
|
{
|
|
if (cache.TryGetValue(id, out var result))
|
|
return result;
|
|
else
|
|
return null;
|
|
}
|
|
internal static RoleToken GetRoleToken(string securityGroup)
|
|
{
|
|
return cache.Values.FirstOrDefault(t => t.SubjectIdHashes.Contains(securityGroup));
|
|
}
|
|
internal static List<IRoleToken> GetRoleTokens(IEnumerable<string> securityGroups)
|
|
{
|
|
return cache.Values.Where(t => securityGroups.Any(sg => t.SubjectIdHashes.Contains(sg))).Cast<IRoleToken>().ToList();
|
|
}
|
|
internal static List<IRoleToken> GetRoleTokens(IEnumerable<string> securityGroups, User user)
|
|
{
|
|
var subjectIds = securityGroups.Concat(new string[] { user.UserId });
|
|
|
|
return cache.Values.Where(t => subjectIds.Any(sg => t.SubjectIdHashes.Contains(sg))).Cast<IRoleToken>().ToList();
|
|
}
|
|
|
|
/// <summary>
|
|
/// Migrates authorization role claims to conform with changes to Disco ICT since the last release.
|
|
/// Claims are only added when the meaning of an existing claim has changed (or expanded/contracted) to improve the migration experience.
|
|
/// </summary>
|
|
private static void MigrateAuthorizationRoles(DiscoDataContext Database)
|
|
{
|
|
// Determine roles which need migration from DBv11 -> DBv14
|
|
var affectedRoles_DBv14 = Database.AuthorizationRoles.Where(r => !r.ClaimsJson.Contains("MyJobs")).ToList();
|
|
|
|
// Determine roles which need migration from DBv14 -> DBv15
|
|
var affectedRoles_DBv15 = Database.AuthorizationRoles.Where(r => !r.ClaimsJson.Contains("RepairProviderDetails")).ToList();
|
|
|
|
if (affectedRoles_DBv14.Count > 0)
|
|
{
|
|
foreach (var role in affectedRoles_DBv14)
|
|
{
|
|
var claims = JsonConvert.DeserializeObject<RoleClaims>(role.ClaimsJson);
|
|
|
|
// MyJobs replaces 'AwaitingTechnicianAction' jobs on the Job page.
|
|
if (claims.Job.Lists.AwaitingTechnicianAction)
|
|
{
|
|
claims.Job.Lists.MyJobs = true;
|
|
claims.Job.Lists.MyJobsOrphaned = true;
|
|
}
|
|
// Stale Jobs expands on Long Running Jobs (and replaces it on the Job page)
|
|
if (claims.Job.Lists.LongRunningJobs)
|
|
{
|
|
claims.Job.Lists.StaleJobs = true;
|
|
}
|
|
// Greater control to create jobs was added, this adds claims to keep the behaviour the same for existing roles
|
|
if (claims.Job.Actions.Create)
|
|
{
|
|
claims.Job.Types.CreateHMisc = true;
|
|
claims.Job.Types.CreateHNWar = true;
|
|
claims.Job.Types.CreateHWar = true;
|
|
claims.Job.Types.CreateSApp = true;
|
|
claims.Job.Types.CreateSOS = true;
|
|
claims.Job.Types.CreateSImg = true;
|
|
claims.Job.Types.CreateUMgmt = true;
|
|
}
|
|
// A claim was added to control whether Current User Assignments could be shown (independently of User Assignment History)
|
|
if (claims.User.ShowAssignmentHistory)
|
|
{
|
|
claims.User.ShowAssignments = true;
|
|
}
|
|
// A claim was added to control whether User personal details could be shown
|
|
if (claims.User.Show)
|
|
{
|
|
claims.User.ShowDetails = true;
|
|
}
|
|
|
|
role.ClaimsJson = JsonConvert.SerializeObject(claims);
|
|
}
|
|
|
|
Database.SaveChanges();
|
|
}
|
|
|
|
if (affectedRoles_DBv15.Count > 0)
|
|
{
|
|
foreach (var role in affectedRoles_DBv15)
|
|
{
|
|
var claims = JsonConvert.DeserializeObject<RoleClaims>(role.ClaimsJson);
|
|
|
|
// If the user previously had the ability to view warranty provider details, they probably should be able to view repair provider details (new feature).
|
|
if (claims.Job.Properties.WarrantyProperties.ProviderDetails)
|
|
{
|
|
claims.Job.Properties.NonWarrantyProperties.RepairProviderDetails = true;
|
|
}
|
|
|
|
role.ClaimsJson = JsonConvert.SerializeObject(claims);
|
|
}
|
|
|
|
Database.SaveChanges();
|
|
}
|
|
}
|
|
}
|
|
}
|