
Commit b2ed48a

Implement API resource action access checks
1 parent 541c3cc commit b2ed48a


8 files changed

+229
-69
lines changed


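--- a/src/Certify.Core/Management/Access/AccessControl.cs
+++ b/src/Certify.Core/Management/Access/AccessControl.cs
@@ -223,7 +223,7 @@ public async Task<bool> IsAuthorised(string contextUserId, string principleId, s
 {
 // if any of the service principles assigned roles are restricted by the type of resource type,
 // check for identifier matches (e.g. role assignment restricted on domains )
-if (spSpecificAssignedRoles.Any(a => a.IncludedResources.Any(r => r.ResourceType == resourceType)))
+if (spSpecificAssignedRoles.Any(a => a.IncludedResources?.Any(r => r.ResourceType == resourceType) == true))
 {
 var allIncludedResources = spSpecificAssignedRoles.SelectMany(a => a.IncludedResources).Distinct();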
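Review bot: The null-conditional added to the `if` on new line 226 does not cover the `SelectMany(a => a.IncludedResources)` call on line 228, which still enumerates IncludedResources for every assigned role. If one role has a matching list and another has a null IncludedResources, the selector returns null and the authorisation check throws instead of returning a decision. Filter the null entries first, for example `spSpecificAssignedRoles.Where(a => a.IncludedResources != null).SelectMany(a => a.IncludedResources).Distinct()`. Whether that exception ends up as a denial depends on the caller, which is not visible here; IsAuthorised starts and continues outside the hunk.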

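--- a/src/Certify.Models/Hub/AccessControlConfig.cs
+++ b/src/Certify.Models/Hub/AccessControlConfig.cs
@@ -19,6 +19,7 @@ public class StandardRoles
 {
 public static Role Administrator { get; } = new Role("sysadmin", "Administrator", "Certify Server Administrator",
 policies: new List<string> {
+StandardPolicies.ManagementHubAdmin,
 StandardPolicies.ManagedItemAdmin,
 StandardPolicies.CertificateAuthorityAdmin,
 StandardPolicies.AcmeAccountAdmin,
@@ -29,8 +30,9 @@ public class StandardRoles
 
 public static Role CertificateManager { get; } = new Role("cert_manager", "Certificate Manager", "Can manage and administer all certificates",
 policies: new List<string> {
-StandardPolicies.ManagedItemAdmin,
-StandardPolicies.StoredCredentialAdmin
+StandardPolicies.ManagementHubReader,
+StandardPolicies.ManagedItemAdmin,
+StandardPolicies.StoredCredentialAdmin
 });
 
 public static Role CertificateConsumer { get; } = new Role("cert_consumer", "Certificate Consumer", "User of a given certificate", policies: new List<string> { StandardPolicies.CertificateConsumer });
@@ -74,6 +76,7 @@ public class ResourceTypes
 public static string CertificateAuthority { get; } = "ca";
 public static string AcmeAccount { get; } = "acmeaccount";
 public static string ManagedChallenge { get; } = "managedchallenge";
+public static string ManagedInstance { get; } = "managedinstance";
 }
 
 public static class StandardResourceActions
@@ -120,6 +123,8 @@ public static class StandardResourceActions
 public const string ManagedChallengeDelete = "managedchallenge_update";
 public const string ManagedChallengeRequest = "managedchallenge_request";
 
+public const string ManagementHubInstancesList = "managementhub_instances_list";
+
 }
 
 public class StandardPolicies
@@ -133,6 +138,8 @@ public class StandardPolicies
 public const string StoredCredentialConsumer = "storedcredential_consumer";
 public const string ManagedChallengeConsumer = "managedchallenge_consumer";
 public const string ManagedChallengeAdmin = "managedchallenge_admin";
+public const string ManagementHubAdmin = "managementhub_admin";
+public const string ManagementHubReader = "managementhub_reader";
 }
 
 public static class Policies
@@ -145,7 +152,7 @@ public static List<Role> GetStandardRoles()
 StandardRoles.CertificateManager,
 StandardRoles.CertificateConsumer,
 StandardRoles.StoredCredentialConsumer,
-StandardRoles.ManagedChallengeConsumer
+StandardRoles.ManagedChallengeConsumer,
 };
 }
 
@@ -199,17 +206,19 @@ public static List<ResourceAction> GetStandardResourceActions()
 new(StandardResourceActions.ManagedChallengeUpdate, "Update managed challenge", ResourceTypes.ManagedChallenge),
 new(StandardResourceActions.ManagedChallengeDelete, "Delete managed challenge", ResourceTypes.ManagedChallenge),
 new(StandardResourceActions.ManagedChallengeRequest, "Request to perform a managed challenge response", ResourceTypes.ManagedChallenge),
+
+new(StandardResourceActions.ManagementHubInstancesList, "List managed instances", ResourceTypes.ManagedInstance),
 };
 }
 
 public static List<ResourcePolicy> GetStandardPolicies()
 {
 return new List<ResourcePolicy> {
 new() {
-Id=StandardPolicies.ManagedItemAdmin,
-Title="Managed Item Administration",
-SecurityPermissionType= SecurityPermissionType.ALLOW,
-ResourceActions= new List<string>{
+Id = StandardPolicies.ManagedItemAdmin,
+Title = "Managed Item Administration",
+SecurityPermissionType = SecurityPermissionType.ALLOW,
+ResourceActions = new List<string> {
 StandardResourceActions.ManagedItemList,
 StandardResourceActions.ManagedItemAdd,
 StandardResourceActions.ManagedItemUpdate,
@@ -224,87 +233,107 @@ public static List<ResourcePolicy> GetStandardPolicies()
 }
 },
 new() {
-Id=StandardPolicies.AccessAdmin,
-Title="Access Control Administration",
-SecurityPermissionType= SecurityPermissionType.ALLOW,
-ResourceActions= new List<string>{
-StandardResourceActions.SecurityPrincipleList,
-StandardResourceActions.SecurityPrincipleAdd,
-StandardResourceActions.SecurityPrincipleUpdate,
-StandardResourceActions.SecurityPrincipleDelete,
-StandardResourceActions.SecurityPrinciplePasswordUpdate
+Id = StandardPolicies.AccessAdmin,
+Title = "Access Control Administration",
+SecurityPermissionType = SecurityPermissionType.ALLOW,
+ResourceActions = new List<string> {
+StandardResourceActions.SecurityPrincipleList,
+StandardResourceActions.SecurityPrincipleAdd,
+StandardResourceActions.SecurityPrincipleUpdate,
+StandardResourceActions.SecurityPrincipleDelete,
+StandardResourceActions.SecurityPrinciplePasswordUpdate
 }
 },
 new() {
-Id=StandardPolicies.CertificateConsumer,
-Title="Consume Certificates",
-SecurityPermissionType= SecurityPermissionType.ALLOW,
-ResourceActions= new List<string>{
+Id = StandardPolicies.CertificateConsumer,
+Title = "Consume Certificates",
+SecurityPermissionType = SecurityPermissionType.ALLOW,
+ResourceActions = new List<string> {
 StandardResourceActions.CertificateDownload,
 StandardResourceActions.CertificateKeyDownload
 }
 },
-new() {
-Id=StandardPolicies.CertificateAuthorityAdmin,
-Title="Certificate Authority Administration",
-SecurityPermissionType= SecurityPermissionType.ALLOW,
-ResourceActions= new List<string>{
-StandardResourceActions.CertificateAuthorityAdd,
-StandardResourceActions.CertificateAuthorityUpdate,
-StandardResourceActions.CertificateAuthorityDelete,
-StandardResourceActions.CertificateAuthorityList
-}
-},
 new() {
-Id=StandardPolicies.AcmeAccountAdmin,
-Title="ACME Account Administration",
-SecurityPermissionType= SecurityPermissionType.ALLOW,
-ResourceActions= new List<string>{
+Id = StandardPolicies.CertificateAuthorityAdmin,
+Title = "Certificate Authority Administration",
+SecurityPermissionType = SecurityPermissionType.ALLOW,
+ResourceActions = new List<string> {
+StandardResourceActions.CertificateAuthorityAdd,
+StandardResourceActions.CertificateAuthorityUpdate,
+StandardResourceActions.CertificateAuthorityDelete,
+StandardResourceActions.CertificateAuthorityList
+}
+},
+new() {
+Id = StandardPolicies.AcmeAccountAdmin,
+Title = "ACME Account Administration",
+SecurityPermissionType = SecurityPermissionType.ALLOW,
+ResourceActions = new List<string> {
 StandardResourceActions.AcmeAccountList,
 StandardResourceActions.AcmeAccountAdd,
 StandardResourceActions.AcmeAccountUpdate,
 StandardResourceActions.AcmeAccountDelete
-}
-},
+}
+},
 new() {
-Id=StandardPolicies.StoredCredentialAdmin,
-Title="Stored Credential Administration",
-SecurityPermissionType= SecurityPermissionType.ALLOW,
-ResourceActions= new List<string>{
-StandardResourceActions.StoredCredentialList,
-StandardResourceActions.StoredCredentialAdd,
-StandardResourceActions.StoredCredentialUpdate,
-StandardResourceActions.StoredCredentialDelete
+Id = StandardPolicies.StoredCredentialAdmin,
+Title = "Stored Credential Administration",
+SecurityPermissionType = SecurityPermissionType.ALLOW,
+ResourceActions = new List<string> {
+StandardResourceActions.StoredCredentialList,
+StandardResourceActions.StoredCredentialAdd,
+StandardResourceActions.StoredCredentialUpdate,
+StandardResourceActions.StoredCredentialDelete
 }
 },
 new() {
-Id=StandardPolicies.StoredCredentialConsumer,
-Title="Stored Credential Consumer",
-Description="Provides access to fetch a decrypted stored credential.",
-SecurityPermissionType= SecurityPermissionType.ALLOW,
-IsResourceSpecific=true,
-ResourceActions= new List<string>{
-StandardResourceActions.StoredCredentialDownload
+Id = StandardPolicies.StoredCredentialConsumer,
+Title = "Stored Credential Consumer",
+Description = "Provides access to fetch a decrypted stored credential.",
+SecurityPermissionType = SecurityPermissionType.ALLOW,
+IsResourceSpecific = true,
+ResourceActions = new List<string> {
+StandardResourceActions.StoredCredentialDownload
 }
 },
-new() {
-Id=StandardPolicies.ManagedChallengeAdmin,
-Title="Managed Challenge Administration",
-SecurityPermissionType= SecurityPermissionType.ALLOW,
-ResourceActions= new List<string>{
+new() {
+Id = StandardPolicies.ManagedChallengeAdmin,
+Title = "Managed Challenge Administration",
+SecurityPermissionType = SecurityPermissionType.ALLOW,
+ResourceActions = new List<string> {
 StandardResourceActions.ManagedChallengeList,
 StandardResourceActions.ManagedChallengeUpdate,
 StandardResourceActions.ManagedChallengeDelete
 }
 },
-new() {
-Id=StandardPolicies.ManagedChallengeConsumer,
-Title="Managed Challenge Consumer",
-Description="Allows consumer to request that a managed challenge be performed.",
-SecurityPermissionType= SecurityPermissionType.ALLOW,
-IsResourceSpecific=true,
-ResourceActions= new List<string>{
-StandardResourceActions.ManagedChallengeRequest
+new() {
+Id = StandardPolicies.ManagedChallengeConsumer,
+Title = "Managed Challenge Consumer",
+Description = "Allows consumer to request that a managed challenge be performed.",
+SecurityPermissionType = SecurityPermissionType.ALLOW,
+IsResourceSpecific = true,
+ResourceActions = new List<string> {
+StandardResourceActions.ManagedChallengeRequest
+}
+},
+new() {
+Id = StandardPolicies.ManagementHubAdmin,
+Title = "Management Hub Admin",
+Description = "Administer management hub.",
+SecurityPermissionType = SecurityPermissionType.ALLOW,
+IsResourceSpecific = true,
+ResourceActions = new List<string> {
+StandardResourceActions.ManagementHubInstancesList
+}
+},
+new() {
+Id = StandardPolicies.ManagementHubAdmin,
+Title = "Management Hub Reader",
+Description = "View management hub.",
+SecurityPermissionType = SecurityPermissionType.ALLOW,
+IsResourceSpecific = true,
+ResourceActions = new List<string> {
+StandardResourceActions.ManagementHubInstancesList
 }
 }
 };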
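Review bot: The last policy added in GetStandardPolicies(), titled "Management Hub Reader" (new line 330), is declared with `Id = StandardPolicies.ManagementHubAdmin`, so the list holds two entries with the admin id and none with `managementhub_reader`. The CertificateManager role now references StandardPolicies.ManagementHubReader, which would then match no policy, and the duplicate admin id may collide wherever policies are stored or looked up by id (that code is not on this page); the line should read `Id = StandardPolicies.ManagementHubReader,`. Both hub policies also set `IsResourceSpecific = true` while the roles that reference them are not visibly scoped to specific instances, so it is worth confirming that flag is intended. Separately, the context line `ManagedChallengeDelete = "managedchallenge_update"` gives the delete action a string that looks copied from the update action; if so, the two actions cannot be granted independently.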
