initial commit

Author: devio-at

.gitignore

@@ -0,0 +1,5 @@
+/packages
+bin
+obj
+/nuget/versions
+*.nupkg

AssemblyVersion.cs

@@ -0,0 +1,20 @@
+
+using System.Reflection;
+
+[assembly: AssemblyCompany("")]
+[assembly: AssemblyProduct("ScrewTurn Wiki")]
+[assembly: AssemblyCopyright("Copyright © Threeplicate Srl 2006-2011")]
+[assembly: AssemblyTrademark("")]
+[assembly: AssemblyCulture("")]
+
+// Version information for an assembly consists of the following four values:
+//
+//      Major Version
+//      Minor Version 
+//      Build Number
+//      Revision
+//
+// You can specify all the values or you can default the Revision and Build Numbers 
+// by using the '*' as shown below:
+[assembly: AssemblyVersion("6.0.0.0")]
+[assembly: AssemblyFileVersion("6.0.0.0")]

ScrewTurnWiki.AclEngine/AclChangedEventArgs.cs

@@ -0,0 +1,61 @@
+
+using System;
+using System.Collections.Generic;
+using System.Text;
+
+namespace ScrewTurn.Wiki.AclEngine {
+
+	/// <summary>
+	/// Contains arguments for the <see cref="IAclManager.AclChanged" /> event.
+	/// </summary>
+	public class AclChangedEventArgs : EventArgs {
+
+		private AclEntry[] entries;
+		private Change change;
+
+		/// <summary>
+		/// Initializes a new instance of the <see cref="T:AclChangedEventArgs" /> class.
+		/// </summary>
+		/// <param name="entries">The entries that changed.</param>
+		/// <param name="change">The change.</param>
+		/// <exception cref="ArgumentNullException">If <paramref name="entries"/> is <c>null</c>.</exception>
+		/// <exception cref="ArgumentException">If <paramref name="entries"/> is empty.</exception>
+		public AclChangedEventArgs(AclEntry[] entries, Change change) {
+			if(entries == null) throw new ArgumentNullException("entry");
+			if(entries.Length == 0) throw new ArgumentException("Entries cannot be empty", "entries");
+
+			this.entries = entries;
+			this.change = change;
+		}
+
+		/// <summary>
+		/// Gets the entries that changed.
+		/// </summary>
+		public AclEntry[] Entries {
+			get { return entries; }
+		}
+
+		/// <summary>
+		/// Gets the change.
+		/// </summary>
+		public Change Change {
+			get { return change; }
+		}
+
+	}
+
+	/// <summary>
+	/// Lists legal changes for ACL entries.
+	/// </summary>
+	public enum Change {
+		/// <summary>
+		/// An entry is stored.
+		/// </summary>
+		EntryStored,
+		/// <summary>
+		/// An entry is deleted.
+		/// </summary>
+		EntryDeleted
+	}
+
+}

ScrewTurnWiki.AclEngine/AclEntry.cs

@@ -0,0 +1,162 @@
+
+using System;
+using System.Collections.Generic;
+using System.Text;
+
+namespace ScrewTurn.Wiki.AclEngine {
+
+	/// <summary>
+	/// Represents an ACL Entry.
+	/// </summary>
+	public class AclEntry {
+
+		/// <summary>
+		/// The full control action.
+		/// </summary>
+		public const string FullControlAction = "*";
+
+		/// <summary>
+		/// The controlled resource.
+		/// </summary>
+		private string resource;
+		/// <summary>
+		/// The controlled action on the resource.
+		/// </summary>
+		private string action;
+		/// <summary>
+		/// The subject whose access to the resource/action is controlled.
+		/// </summary>
+		private string subject;
+		/// <summary>
+		/// The entry value.
+		/// </summary>
+		private Value value;
+
+		/// <summary>
+		/// Initializes a new instance of the <see cref="AclEntry"/> class.
+		/// </summary>
+		public AclEntry() { }
+
+		/// <summary>
+		/// Initializes a new instance of the <see cref="T:AclEntry" /> class.
+		/// </summary>
+		/// <param name="resource">The controlled resource.</param>
+		/// <param name="action">The controlled action on the resource.</param>
+		/// <param name="subject">The subject whose access to the resource/action is controlled.</param>
+		/// <param name="value">The entry value.</param>
+		/// <exception cref="ArgumentNullException">If <paramref name="resource"/>, <paramref name="action"/> or <paramref name="subject"/> are <c>null</c>.</exception>
+		/// <exception cref="ArgumentException">If <paramref name="resource"/>, <paramref name="action"/> or <paramref name="subject"/> are empty.</exception>
+		public AclEntry(string resource, string action, string subject, Value value) {
+			if(resource == null) throw new ArgumentNullException("resource");
+			if(resource.Length == 0) throw new ArgumentException("Resource cannot be empty", "resource");
+			if(action == null) throw new ArgumentNullException("action");
+			if(action.Length == 0) throw new ArgumentException("Action cannot be empty", "action");
+			if(subject == null) throw new ArgumentNullException("subject");
+			if(subject.Length == 0) throw new ArgumentException("Subject cannot be empty", "subject");
+
+			this.resource = resource;
+			this.action = action;
+			this.subject = subject;
+			this.value = value;
+		}
+
+		/// <summary>
+		/// Gets the controlled resource.
+		/// </summary>
+		public string Resource {
+			get { return resource; }
+			set { resource = value; }
+		}
+
+		/// <summary>
+		/// Gets the controlled action on the resource.
+		/// </summary>
+		public string Action {
+			get { return action; }
+			set { action = value; }
+		}
+
+		/// <summary>
+		/// Gets the subject of the entry.
+		/// </summary>
+		public string Subject {
+			get { return subject; }
+			set { subject = value; }
+		}
+
+		/// <summary>
+		/// Gets the value of the entry.
+		/// </summary>
+		public Value Value {
+			get { return value; }
+			set { this.value = value; }
+		}
+
+		/// <summary>
+		/// Gets a string representation of the current object.
+		/// </summary>
+		/// <returns>The string representation.</returns>
+		public override string ToString() {
+			return resource + "->" + action + ": " + subject + " (" + value.ToString() + ")";
+		}
+
+		/// <summary>
+		/// Gets a hash code for the current object.
+		/// </summary>
+		/// <returns>The hash code.</returns>
+		public override int GetHashCode() {
+			return base.GetHashCode();
+		}
+
+		/// <summary>
+		/// Determines whether this object equals another (by value).
+		/// </summary>
+		/// <param name="obj">The other object.</param>
+		/// <returns><c>true</c> if this object equals <b>obj</b>, <c>false</c> otherwise.</returns>
+		public override bool Equals(object obj) {
+			AclEntry other = obj as AclEntry;
+			if(other != null) return Equals(other);
+			else return false;
+		}
+
+		/// <summary>
+		/// Determines whether this instance equals another (by value).
+		/// </summary>
+		/// <param name="other">The other instance.</param>
+		/// <returns><c>true</c> if this instance equals <b>other</b>, <c>false</c> otherwise.</returns>
+		public bool Equals(AclEntry other) {
+			if(object.ReferenceEquals(other, null)) return false;
+			else return resource == other.Resource &&
+				action == other.Action && subject == other.Subject;
+		}
+
+		/// <summary>
+		/// Determines whether two instances of <see cref="T:AclEntry" /> are equal (by value).
+		/// </summary>
+		/// <param name="x">The first instance.</param>
+		/// <param name="y">The second instance.</param>
+		/// <returns><c>true</c> if <b>x</b> equals <b>y</b>, <c>false</c> otherwise.</returns>
+		public static bool Equals(AclEntry x, AclEntry y) {
+			if(object.ReferenceEquals(x, null) && !object.ReferenceEquals(x, null)) return false;
+			if(!object.ReferenceEquals(x, null) && object.ReferenceEquals(x, null)) return false;
+			if(object.ReferenceEquals(x, null) && object.ReferenceEquals(x, null)) return true;
+			return x.Equals(y);
+		}
+
+	}
+
+	/// <summary>
+	/// Lists legal ACL Entry values.
+	/// </summary>
+	public enum Value {
+		/// <summary>
+		/// Deny the action.
+		/// </summary>
+		Deny = 0,
+		/// <summary>
+		/// Grant the action.
+		/// </summary>
+		Grant = 1
+	}
+
+}

ScrewTurnWiki.AclEngine/AclEvaluator.cs

@@ -0,0 +1,129 @@
+
+using System;
+using System.Collections.Generic;
+using System.Text;
+
+namespace ScrewTurn.Wiki.AclEngine {
+
+	/// <summary>
+	/// Implements tools for evaluating permissions.
+	/// </summary>
+	public static class AclEvaluator {
+
+		/// <summary>
+		/// Decides whether a user, member of some groups, is authorized to perform an action on a resource.
+		/// </summary>
+		/// <param name="resource">The resource.</param>
+		/// <param name="action">The action on the resource.</param>
+		/// <param name="user">The user, in the form 'U.Name'.</param>
+		/// <param name="groups">The groups the user is member of, in the form 'G.Name'.</param>
+		/// <param name="entries">The available ACL entries for the resource.</param>
+		/// <returns>The positive, negative, or indeterminate result.</returns>
+		/// <exception cref="ArgumentNullException">If <paramref name="resource"/>, <paramref name="action"/>, <paramref name="user"/>, <paramref name="groups"/> or <paramref name="entries"/> are <c>null</c>.</exception>
+		/// <exception cref="ArgumentException">If <paramref name="resource"/>, <paramref name="action"/>, <paramref name="user"/> are empty, or if <paramref name="action"/> equals <see cref="AclEntry.FullControlAction"/>.</exception>
+		public static Authorization AuthorizeAction(string resource, string action, string user, string[] groups, AclEntry[] entries) {
+			if(resource == null) throw new ArgumentNullException("resource");
+			if(resource.Length == 0) throw new ArgumentException("Resource cannot be empty", "resource");
+			if(action == null) throw new ArgumentNullException("action");
+			if(action.Length == 0) throw new ArgumentException("Action cannot be empty", "action");
+			if(action == AclEntry.FullControlAction) throw new ArgumentException("Action cannot be the FullControl flag", "action");
+			if(user == null) throw new ArgumentNullException("user");
+			if(user.Length == 0) throw new ArgumentException("User cannot be empty", "user");
+			if(groups == null) throw new ArgumentNullException("groups");
+			if(entries == null) throw new ArgumentNullException("entries");
+
+			// Simple ACL model
+			// Sort entries so that FullControl ones are at the bottom
+			// First look for an entry specific for the user
+			// If not found, look for a group that denies the permission
+
+			AclEntry[] sortedEntries = new AclEntry[entries.Length];
+			Array.Copy(entries, sortedEntries, entries.Length);
+
+			Array.Sort(sortedEntries, delegate(AclEntry x, AclEntry y) {
+				return x.Action.CompareTo(y.Action);
+			});
+			Array.Reverse(sortedEntries);
+
+			foreach(AclEntry entry in sortedEntries) {
+				if(entry.Resource == resource && (entry.Action == action || entry.Action == AclEntry.FullControlAction) && entry.Subject == user) {
+					if(entry.Value == Value.Grant) return Authorization.Granted;
+					else if(entry.Value == Value.Deny) return Authorization.Denied;
+					else throw new NotSupportedException("Entry value not supported");
+				}
+			}
+
+			// For each group, a decision is made
+			Dictionary<string, bool> groupFullControlGrant = new Dictionary<string, bool>();
+			Dictionary<string, bool> groupExplicitGrant = new Dictionary<string, bool>();
+			Dictionary<string, bool> groupFullControlDeny = new Dictionary<string, bool>();
+
+			foreach(string group in groups) {
+				foreach(AclEntry entry in entries) {
+
+					if(entry.Resource == resource && entry.Subject == group) {
+						if(!groupFullControlGrant.ContainsKey(group)) {
+							groupFullControlGrant.Add(group, false);
+							groupExplicitGrant.Add(group, false);
+							groupFullControlDeny.Add(group, false);
+						}
+
+						if(entry.Action == action) {
+							// Explicit action
+							if(entry.Value == Value.Grant) {
+								// An explicit grant only wins if there are no other explicit deny
+								groupExplicitGrant[group] = true;
+							}
+							else if(entry.Value == Value.Deny) {
+								// An explicit deny wins over all other entries
+								return Authorization.Denied;
+							}
+						}
+						else if(entry.Action == AclEntry.FullControlAction) {
+							// Full control, lower priority
+							if(entry.Value == Value.Deny) {
+								groupFullControlDeny[group] = true;
+							}
+							else if(entry.Value == Value.Grant) {
+								groupFullControlGrant[group] = true;
+							}
+						}
+					}
+				}
+			}
+
+			// Any explicit grant found at this step wins, because all explicit deny have been processed previously
+			bool tentativeGrant = false;
+			bool tentativeDeny = false;
+			foreach(string group in groupFullControlGrant.Keys) {
+				if(groupExplicitGrant[group]) return Authorization.Granted;
+				
+				if(groupFullControlGrant[group] && !groupFullControlDeny[group]) tentativeGrant = true;
+				if(!groupFullControlGrant[group] && groupFullControlDeny[group]) tentativeDeny = true;
+			}
+			if(tentativeGrant && !tentativeDeny) return Authorization.Granted;
+			else if(tentativeDeny) return Authorization.Denied;
+			else return Authorization.Unknown;
+		}
+
+	}
+
+	/// <summary>
+	/// Lists legal authorization values.
+	/// </summary>
+	public enum Authorization {
+		/// <summary>
+		/// Authorization granted.
+		/// </summary>
+		Granted,
+		/// <summary>
+		/// Authorization denied.
+		/// </summary>
+		Denied,
+		/// <summary>
+		/// No information available.
+		/// </summary>
+		Unknown
+	}
+
+}