536 lines
20 KiB
C#
Raw Normal View History

//------------------------------------------------------------------------------
// <copyright file="AuthorizationRule.cs" company="Microsoft">
// Copyright (c) Microsoft Corporation. All rights reserved.
// </copyright>
//------------------------------------------------------------------------------
namespace System.Web.Configuration {
using System;
using System.Xml;
using System.Configuration;
using System.Collections.Specialized;
using System.Collections;
using System.Globalization;
using System.IO;
using System.Text;
using System.Security.Principal;
using System.Web.Util;
using System.ComponentModel;
using System.Security.Permissions;
public sealed class AuthorizationRule : ConfigurationElement {
private static readonly TypeConverter s_PropConverter = new CommaDelimitedStringCollectionConverter();
private static ConfigurationPropertyCollection _properties;
private static readonly ConfigurationProperty _propVerbs =
new ConfigurationProperty("verbs",
typeof(CommaDelimitedStringCollection),
null,
s_PropConverter,
null,
ConfigurationPropertyOptions.None);
private static readonly ConfigurationProperty _propUsers =
new ConfigurationProperty("users",
typeof(CommaDelimitedStringCollection),
null,
s_PropConverter,
null,
ConfigurationPropertyOptions.None);
private static readonly ConfigurationProperty _propRoles =
new ConfigurationProperty("roles",
typeof(CommaDelimitedStringCollection),
null,
s_PropConverter,
null,
ConfigurationPropertyOptions.None);
private AuthorizationRuleAction _Action = AuthorizationRuleAction.Allow;
internal string _ActionString = AuthorizationRuleAction.Allow.ToString();
private string _ElementName = "allow";
private CommaDelimitedStringCollection _Roles = null;
private CommaDelimitedStringCollection _Verbs = null;
private CommaDelimitedStringCollection _Users = null;
private StringCollection _RolesExpanded;
private StringCollection _UsersExpanded;
private char[] _delimiters = { ',' };
private string machineName = null;
private const String _strAnonUserTag = "?";
private const String _strAllUsersTag = "*";
private bool _AllUsersSpecified = false;
private bool _AnonUserSpecified = false;
private bool DataReady = false;
private bool _Everyone = false;
internal bool Everyone { get { return _Everyone; } }
private bool _ActionModified = false;
static AuthorizationRule() {
// Property initialization
_properties = new ConfigurationPropertyCollection();
// If updating, check out CloneMutableExposedObjects
_properties.Add(_propVerbs);
_properties.Add(_propUsers);
_properties.Add(_propRoles);
}
internal AuthorizationRule() {
}
public AuthorizationRule(AuthorizationRuleAction action) : this() {
Action = action;
}
protected override ConfigurationPropertyCollection Properties {
get {
return _properties;
}
}
protected override void Unmerge(ConfigurationElement sourceElement,
ConfigurationElement parentElement,
ConfigurationSaveMode saveMode) {
AuthorizationRule parentProviders = parentElement as AuthorizationRule;
AuthorizationRule sourceProviders = sourceElement as AuthorizationRule;
if (parentProviders != null) {
parentProviders.UpdateUsersRolesVerbs();
}
if (sourceProviders != null) {
sourceProviders.UpdateUsersRolesVerbs();
}
base.Unmerge(sourceElement, parentElement, saveMode);
}
protected override void Reset(ConfigurationElement parentElement) {
AuthorizationRule parentProviders = parentElement as AuthorizationRule;
if (parentProviders != null) {
parentProviders.UpdateUsersRolesVerbs();
}
base.Reset(parentElement);
EvaluateData();
}
internal void AddRole(string role) {
if (!String.IsNullOrEmpty(role)) {
role = role.ToLower(CultureInfo.InvariantCulture);
}
Roles.Add(role);
RolesExpanded.Add(ExpandName(role));
}
internal void AddUser(string user) {
if (!String.IsNullOrEmpty(user)) {
user = user.ToLower(CultureInfo.InvariantCulture);
}
Users.Add(user);
UsersExpanded.Add(ExpandName(user));
}
private void UpdateUsersRolesVerbs() {
CommaDelimitedStringCollection roles;
CommaDelimitedStringCollection users;
CommaDelimitedStringCollection verbs;
roles = (CommaDelimitedStringCollection)Roles;
users = (CommaDelimitedStringCollection)Users;
verbs = (CommaDelimitedStringCollection)Verbs;
if (roles.IsModified) {
_RolesExpanded = null; // throw away old collection and force a new one to be created
base[_propRoles] = roles; // Update property bag
}
if (users.IsModified) {
_UsersExpanded = null; // throw away old collection and force a new one to be created
base[_propUsers] = users; // Update property bag
}
if (verbs.IsModified) {
base[_propVerbs] = verbs; // Update property bag
}
}
protected override bool IsModified() {
UpdateUsersRolesVerbs();
return _ActionModified || base.IsModified() || (((CommaDelimitedStringCollection)Users).IsModified) ||
(((CommaDelimitedStringCollection)Roles).IsModified) ||
(((CommaDelimitedStringCollection)Verbs).IsModified);
}
protected override void ResetModified() {
_ActionModified = false;
base.ResetModified();
}
public override bool Equals(object obj) {
AuthorizationRule o = obj as AuthorizationRule;
bool bRet = false;
if (o != null) {
UpdateUsersRolesVerbs();
bRet = (o.Verbs.ToString() == Verbs.ToString() &&
o.Roles.ToString() == Roles.ToString() &&
o.Users.ToString() == Users.ToString() &&
o.Action == Action);
}
return bRet;
}
public override int GetHashCode() {
string __verbs = Verbs.ToString();
string __roles = Roles.ToString();
string __users = Users.ToString();
if (__verbs == null) {
__verbs = String.Empty;
}
if (__roles == null) {
__roles = String.Empty;
}
if (__users == null) {
__users = String.Empty;
}
int hHashCode = HashCodeCombiner.CombineHashCodes(__verbs.GetHashCode(), __roles.GetHashCode(),
__users.GetHashCode(), (int)Action);
return hHashCode;
}
protected override void SetReadOnly() {
((CommaDelimitedStringCollection)Users).SetReadOnly();
((CommaDelimitedStringCollection)Roles).SetReadOnly();
((CommaDelimitedStringCollection)Verbs).SetReadOnly();
base.SetReadOnly();
}
/// <devdoc>
/// <para> Defines the action that needs to be taken if the rule is satisfied.
/// </para>
/// </devdoc>
//
// No Configuration properties are set on this property because its supposed to be hidden to tools.
//
public AuthorizationRuleAction Action {
get {
return _Action;
}
set {
_ElementName = value.ToString().ToLower(CultureInfo.InvariantCulture);
_Action = value;
_ActionString = _Action.ToString();
_ActionModified = true;
}
}
/// <devdoc>
/// <para> Defines a list of verbs needed to satisfy the rule
/// </para>
/// </devdoc>
[ConfigurationProperty("verbs")]
[TypeConverter(typeof(CommaDelimitedStringCollectionConverter))]
public StringCollection Verbs {
get {
if (_Verbs == null) {
CommaDelimitedStringCollection propertyBagValue;
propertyBagValue = (CommaDelimitedStringCollection)base[_propVerbs];
if (propertyBagValue == null) {
_Verbs = new CommaDelimitedStringCollection();
}
else {
// Clone it so we don't give back same mutable
// object as possibly parent
_Verbs = propertyBagValue.Clone();
}
}
return (StringCollection)_Verbs;
}
}
/// <devdoc>
/// <para> Defines a list of users authorized for this rule.
/// </para>
/// </devdoc>
[ConfigurationProperty("users")]
[TypeConverter(typeof(CommaDelimitedStringCollectionConverter))]
public StringCollection Users {
get {
if (_Users == null) {
CommaDelimitedStringCollection propertyBagValue;
propertyBagValue = (CommaDelimitedStringCollection)base[_propUsers];
if (propertyBagValue == null) {
_Users = new CommaDelimitedStringCollection();
}
else {
// Clone it so we don't give back same mutable
// object as possibly parent
_Users = propertyBagValue.Clone();
}
_UsersExpanded = null; // throw away old collection and force a new one to be created
}
return (StringCollection)_Users;
}
}
[ConfigurationProperty("roles")]
[TypeConverter(typeof(CommaDelimitedStringCollectionConverter))]
public StringCollection Roles {
get {
if (_Roles == null) {
CommaDelimitedStringCollection propertyBagValue;
propertyBagValue = (CommaDelimitedStringCollection)base[_propRoles];
if (propertyBagValue == null) {
_Roles = new CommaDelimitedStringCollection();
}
else {
// Clone it so we don't give back same mutable
// object as possibly parent
_Roles = propertyBagValue.Clone();
}
_RolesExpanded = null; // throw away old collection and force a new one to be created
}
return (StringCollection)_Roles;
}
}
internal StringCollection UsersExpanded {
get {
if (_UsersExpanded == null) {
_UsersExpanded = CreateExpandedCollection(Users);
}
return _UsersExpanded;
}
}
internal StringCollection RolesExpanded {
get {
if (_RolesExpanded == null) {
_RolesExpanded = CreateExpandedCollection(Roles);
}
return _RolesExpanded;
}
}
protected override bool SerializeElement(XmlWriter writer, bool serializeCollectionKey) {
bool DataToWrite = false;
UpdateUsersRolesVerbs(); // the ismodifed can be short circuited
if (base.SerializeElement(null, false) == true) {
if (writer != null) {
writer.WriteStartElement(_ElementName);
DataToWrite |= base.SerializeElement(writer, false);
writer.WriteEndElement();
}
else
DataToWrite |= base.SerializeElement(writer, false);
}
return DataToWrite;
}
private string ExpandName(string name) {
string ExpandedName = name;
if (StringUtil.StringStartsWith(name, @".\")) {
if (machineName == null) {
machineName = HttpServerUtility.GetMachineNameInternal().ToLower(CultureInfo.InvariantCulture);
}
ExpandedName = machineName + name.Substring(1);
}
return ExpandedName;
}
private StringCollection CreateExpandedCollection(StringCollection collection) {
StringCollection ExpandedCollection = new StringCollection();
foreach (string name in collection) {
string ExpandedName = ExpandName(name);
ExpandedCollection.Add(ExpandedName);
}
return ExpandedCollection;
}
private void EvaluateData() {
if (DataReady == false) {
if (Users.Count > 0) {
foreach (string User in Users) {
if (User.Length > 1) {
int foundIndex = User.IndexOfAny(new char[] { '*', '?' });
if (foundIndex >= 0) {
throw new ConfigurationErrorsException(SR.GetString(SR.Auth_rule_names_cant_contain_char, User[foundIndex].ToString(CultureInfo.InvariantCulture)));
}
}
if (User.Equals(_strAllUsersTag)) {
_AllUsersSpecified = true;
}
if (User.Equals(_strAnonUserTag)) {
_AnonUserSpecified = true;
}
}
}
if (Roles.Count > 0) {
foreach (string Role in Roles) {
if (Role.Length > 0) {
int foundIndex = Role.IndexOfAny(new char[] { '*', '?' });
if (foundIndex >= 0) {
throw new ConfigurationErrorsException(SR.GetString(SR.Auth_rule_names_cant_contain_char, Role[foundIndex].ToString(CultureInfo.InvariantCulture)));
}
}
}
}
_Everyone = (_AllUsersSpecified && (Verbs.Count == 0));
_RolesExpanded = CreateExpandedCollection(Roles);
_UsersExpanded = CreateExpandedCollection(Users);
if (Roles.Count == 0 && Users.Count == 0) {
throw new ConfigurationErrorsException(SR.GetString(SR.Auth_rule_must_specify_users_andor_roles));
}
DataReady = true;
}
}
internal bool IncludesAnonymous {
get {
EvaluateData();
return (_AnonUserSpecified && Verbs.Count == 0);
}
}
protected override void PreSerialize(XmlWriter writer) {
EvaluateData();
}
protected override void PostDeserialize() {
EvaluateData();
}
/////////////////////////////////////////////////////////////////////////////
/////////////////////////////////////////////////////////////////////////////
// 0 => Don't know, 1 => Yes, -1 => No
internal int IsUserAllowed(IPrincipal user, String verb) {
EvaluateData();
int answer = ((Action == AuthorizationRuleAction.Allow) ? 1 : -1); // return value if this rule applies
if (Everyone) {
return answer;
}
///////////////////////////////////////////////////
// Step 1: Make sure the verbs match
if (!FindVerb(verb)) {
return 0;
}
//////////////////////////////////////////////////
// Step 2a: See if the rule applies to all users
if (_AllUsersSpecified) { // All users specified
return answer;
}
//////////////////////////////////////////////////
// Step 2b: See if the rule applies to anonymous user and this user is anonymous
if (_AnonUserSpecified && !user.Identity.IsAuthenticated) {
return answer;
}
//////////////////////////////////////////////////
// Step 3: Is user is WindowsIdentity, use the expanded
// set of users and roles
StringCollection users;
StringCollection roles;
if (user.Identity is WindowsIdentity) {
users = UsersExpanded;
roles = RolesExpanded;
}
else {
users = Users;
roles = Roles;
}
////////////////////////////////////////////////////
// Step 4: See if the user is specified
if (users.Count > 0 && FindUser(users, user.Identity.Name)) {
return answer;
}
////////////////////////////////////////////////////
// Step 5: See if the user is in any specified role
if (roles.Count > 0 && IsTheUserInAnyRole(roles, user)) {
return answer;
}
// Rule doesn't apply
return 0;
}
/////////////////////////////////////////////////////////////////////////
private bool FindVerb(String verb) {
if (Verbs.Count < 1) {
return true; // No verbs specified => all verbs are allowed
}
foreach (string sVerb in Verbs) {
if (String.Equals(sVerb, verb, StringComparison.OrdinalIgnoreCase)) {
return true;
}
}
return false;
}
private bool FindUser(StringCollection users, String principal) {
foreach (string user in users) {
if (String.Equals(user, principal, StringComparison.OrdinalIgnoreCase)) {
return true;
}
}
return false;
}
private bool IsTheUserInAnyRole(StringCollection roles, IPrincipal principal) {
if (!HttpRuntime.DisableProcessRequestInApplicationTrust) {
if (HttpRuntime.NamedPermissionSet != null && HttpRuntime.ProcessRequestInApplicationTrust) {
HttpRuntime.NamedPermissionSet.PermitOnly();
}
}
foreach (string role in roles) {
if (principal.IsInRole(role)) {
return true; // Found it!
}
}
// Not in any specified role
return false;
}
} // class AuthorizationRule
}