From bedcb6b176130fc2c6bd4657c8af4d407b64c970 Mon Sep 17 00:00:00 2001
From: Jake Mannens
Date: Thu, 28 Sep 2023 03:14:35 +1000
Subject: Updated DB schema and configured ACLs to use SIDs
---
Services/SecurityService.cs | 37 +++++++++++++++++++------------------
1 file changed, 19 insertions(+), 18 deletions(-)
(limited to 'Services/SecurityService.cs')
diff --git a/Services/SecurityService.cs b/Services/SecurityService.cs
index f0ebd70..f1444c1 100644
--- a/Services/SecurityService.cs
+++ b/Services/SecurityService.cs
@@ -7,7 +7,7 @@ namespace HyperBooru.Services;
 public class SecurityService {
 private IDbContextFactory dbFactory;
- private MemoryCache principalCache;
+ private MemoryCache principalCache;
 private MemoryCache aclCache;
 public SecurityService(IDbContextFactory dbFactory) {
@@ -17,11 +17,11 @@ public class SecurityService {
 principalCache = new() {
 MaxItems = 10_000,
 MaxAge = TimeSpan.FromMinutes(10),
- DataSource = (int id) => {
+ DataSource = (SidStruct sid) => {
 using var db = dbFactory.CreateDbContext();
 return db.Principals
 .Include(p => p.MemberOf)
- .FirstOrDefault(p => p.ObjectId == id);
+ .FirstOrDefault(p => p.Sid.SidStruct.Equals(sid));
 }
 };
@@ -32,7 +32,7 @@ public class SecurityService {
 using var db = dbFactory.CreateDbContext();
 return db.Acls
 .Include(a => a.Rules)
- .FirstOrDefault(a => a.ObjectId == id);
+ .FirstOrDefault(a => a.AclId == id);
 }
 };
 }
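Review bot: `.FirstOrDefault(p => p.Sid.SidStruct.Equals(sid))` in the new principalCache DataSource depends on the EF provider translating a method call on a nested `SidStruct` member into SQL; if SidStruct is a custom struct rather than a mapped primitive, the query may be rejected at runtime or evaluated in a way that does not use the column's index, so a query-translation test for this lookup is worth adding. Comparing a mapped key column with `==`, as the aclCache hunk below does with `a.AclId == id`, is the form that translates predictably. The SecurityService constructor that contains this initializer continues outside the hunk.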
@@ -66,26 +66,27 @@ public class SecurityService {
 if(acl is null)
 return ulong.MaxValue;
- bool hasAllowRules = acl.Rules
- .Any(r => r.Action == AclRuleAction.Allow);
-
- ulong permissions = hasAllowRules ? 0 : ulong.MaxValue;
+ ulong permissions = 0;
 var principals = GetGroupMemberShip(principal)
 .Cast()
 .Concat(new[] { principal })
+ .Select(p => p.Sid)
 .ToArray();
- acl.Rules.IntersectBy(principals, r => r.Principal);
+ var allowRules = acl.Rules.Where(r => r.Action == AclRuleAction.Allow);
+ var denyRules = acl.Rules.Where(r => r.Action == AclRuleAction.Deny);
- foreach(var rule in acl.Rules) {
+ foreach(var rule in allowRules) {
 if(!principals.Contains(rule.Principal))
 continue;
+ permissions |= rule.Permissions;
+ }
- if(rule.Action == AclRuleAction.Allow)
- permissions |= rule.Permissions;
- else
- permissions &= ~rule.Permissions;
+ foreach(var rule in denyRules) {
+ if(!principals.Contains(rule.Principal))
+ continue;
+ permissions &= ~rule.Permissions;
 }
 return permissions;
@@ -101,15 +102,15 @@ public class SecurityService {
 while(true) {
 var toAdd = groups
 .SelectMany(g => g.MemberOf)
- .Select(g => g.ObjectId)
- .Where(id => !groups.Select(g => g.ObjectId).Contains(id))
+ .Select(g => g.Sid.SidStruct)
+ .Where(sid => !groups.Select(g => g.Sid.SidStruct).Contains(sid))
 .ToArray();
 if(toAdd.Count() == 0)
 break;
- foreach(var id in toAdd)
- groups.Add((Group) principalCache[id]);
+ foreach(var sid in toAdd)
+ groups.Add((Group) principalCache[sid]);
 }
 return groups;
-- 
cgit v1.3
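Review bot: The new allow and deny loops match rules with `principals.Contains(rule.Principal)`, where `principals` is now the `Sid` objects produced by `.Select(p => p.Sid)`, whereas the other two hunks in this commit identify principals by `Sid.SidStruct`; if `Sid` is an EF entity without value equality, `Contains` falls back to reference equality, and since the principal cache and the ACL cache each load from their own `dbFactory.CreateDbContext()`, the instances can never be the same object, so no rule would ever match and every caller would receive 0. Projecting `.Select(p => p.Sid.SidStruct)` and comparing against the value key that `rule.Principal` exposes (presumably `rule.Principal.SidStruct`), ideally through a `HashSet<SidStruct>` rather than array `Contains`, makes this a value comparison consistent with the membership expansion below. The deny-by-default `ulong permissions = 0;` also now sits next to the unchanged `if(acl is null) return ulong.MaxValue;` guard, which still fails open for objects that have no ACL; if that is intentional it deserves a comment such as `// Objects without an ACL are unrestricted by design`. The enclosing method's signature and the `acl` lookup are outside the hunk.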
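Review bot: `toAdd.Count() == 0` on the array produced by `.ToArray()` is a LINQ call where `toAdd.Length == 0` (or `toAdd is []`) is the direct check, and the `Where` predicate re-projects `groups` into a fresh sequence for every candidate sid, so each pass is quadratic in the number of groups; a `HashSet<SidStruct>` of the sids already in `groups`, extended as groups are added, gives the same result with one lookup per candidate. The `(Group) principalCache[sid]` cast will also pass a null straight into `groups.Add` if the cache yields nothing for an unknown sid (its DataSource uses `FirstOrDefault`, so that looks possible), and the next `SelectMany(g => g.MemberOf)` would then dereference it; an `if(principalCache[sid] is Group g) groups.Add(g);` pattern, or an explicit throw, turns that into a diagnosable failure. GetGroupMemberShip starts before the hunk; only its loop and `return groups;` are visible here.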