From e0cf80a5d0e2d6898b611892a331aa917b9370d9 Mon Sep 17 00:00:00 2001 From: Jake Mannens Date: Fri, 29 Sep 2023 17:46:47 +1000 Subject: Finalised security service --- Services/PrincipalProvider.cs | 12 ++++++++++-- Services/SecurityService.cs | 29 ++++++++++++++++++++--------- 2 files changed, 30 insertions(+), 11 deletions(-) (limited to 'Services')
diff --git a/Services/PrincipalProvider.cs b/Services/PrincipalProvider.cs
index 0c35007..d37e8c0 100644
--- a/Services/PrincipalProvider.cs
+++ b/Services/PrincipalProvider.cs
@@ -8,6 +8,9 @@ public interface IPrincipalProvider {
 public IGroup[] GetGroups(IPrincipal principal);
 public IGroup[] GetGroups(IPrincipal principal, bool recurse);
+ public IGroup[] GetGroups(SecurityIdentifier sid);
+ public IGroup[] GetGroups(SecurityIdentifier sid, bool recurse);
+
 public bool ValidatePassword(IUser user, string password);
 }
@@ -16,8 +19,13 @@ public abstract class PrincipalProvider : IPrincipalProvider {
 public abstract IUser? GetUser(string name);
 public abstract IGroup? GetGroup(string name);
- public IGroup[] GetGroups(IPrincipal principal) => GetGroups(principal, false);
- public abstract IGroup[] GetGroups(IPrincipal principal, bool recurse);
+ public IGroup[] GetGroups(IPrincipal principal) => GetGroups(principal.Sid, false);
+ public IGroup[] GetGroups(IPrincipal principal, bool recurse) => GetGroups(principal.Sid, recurse);
+
+ public IGroup[] GetGroups(SecurityIdentifier sid) => GetGroups(sid, false);
+ public abstract IGroup[] GetGroups(SecurityIdentifier sid, bool recurse);
 public abstract bool ValidatePassword(IUser user, string password);
 }
diff --git a/Services/SecurityService.cs b/Services/SecurityService.cs
index 48f2d3e..e365266 100644
--- a/Services/SecurityService.cs
+++ b/Services/SecurityService.cs 
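Review bot: The two overloads added to IPrincipalProvider carry no XML doc, and `recurse` is the security-relevant parameter: a caller performing an authorisation check needs to know whether `false` returns direct memberships only and `true` the transitive closure, and whether the result is an empty array rather than null when the SID is unknown. A `<summary>` with a `<param name="recurse">` on `GetGroups(SecurityIdentifier sid, bool recurse)` stating that, plus `<inheritdoc/>` on the three other overloads, would settle it. The same gap applies to the PrincipalProvider implementations in the next hunk.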
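Review bot: `GetGroups(principal.Sid, false)` and `GetGroups(principal.Sid, recurse)` dereference `principal` in what are now the concrete public entry points of the base class, so a null principal surfaces as a NullReferenceException from inside the provider instead of an ArgumentNullException at the boundary. Having the one-argument overload delegate to the two-argument one as it did before (`GetGroups(principal, false)`) and making the two-argument overload block-bodied with `ArgumentNullException.ThrowIfNull(principal);` before the `return GetGroups(principal.Sid, recurse);` covers both with a single guard; the file already uses C# 10 features, so the throw helper is available. Whether `Sid` itself can be null is not visible here; if it can, the guard belongs on it as well.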
@@ -4,7 +4,19 @@ using System.Data;
 namespace HyperBooru.Services;
-public class SecurityService {
+public interface ISecurityService {
+ public IEnumerable Filter(
+ IEnumerable objects,
+ IPrincipal principal,
+ ulong permissions);
+
+ public IEnumerable Filter(
+ IEnumerable objects,
+ IPrincipal principal,
+ T permissions) where T : Enum;
+}
+
+public class SecurityService : ISecurityService {
 private IDbContextFactory dbFactory;
 private MemoryCache membershipCache;
@@ -21,10 +33,10 @@ public class SecurityService {
 // TODO: preload the principal cache
 membershipCache = new() {
- MaxItems = 1000,
- MaxAge = TimeSpan.FromMinutes(10),
- DataSource = (SidStruct sid) => {
- }
+ MaxItems = 1000,
+ MaxAge = TimeSpan.FromMinutes(10),
+ DataSource = (SidStruct sid) => principalProvider.GetGroups(new SecurityIdentifier(sid), true)
 };
 aclCache = new() {
@@ -70,10 +82,9 @@ public class SecurityService {
 ulong permissions = 0;
- var principals = GetGroupMemberShip(principal)
- .Cast()
- .Concat(new[] { principal })
- .Select(p => p.Sid)
+ var principals = membershipCache[principal.Sid.SidStruct]
+ .Select(g => g.Sid)
+ .Concat(new[] { principal.Sid })
 .ToArray();
 var allowRules = acl.Rules.Where(r => r.Action == AclRuleAction.Allow);
-- cgit v1.3
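Review bot: `Filter` is the authorisation gate of the new ISecurityService, yet neither overload documents how `permissions` is matched: whether every set bit must be granted (all-of) or any bit suffices (any-of), and whether objects that have no ACL are kept or dropped. That is the difference between a fail-open and a fail-closed filter and belongs in a `<summary>` and `<param name="permissions">` on the `ulong` overload, with `<inheritdoc/>` on the generic one. The constraint `where T : Enum` also admits any enum, not only one whose underlying values are the permission bits; if a particular enum is intended, the doc should name it. The type arguments of the `IEnumerable` signatures appear stripped in this rendering, so I cannot tell what the overloads return.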
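Review bot: The DataSource lambda makes membershipCache the authority for transitive group membership, but nothing records that `MaxAge = TimeSpan.FromMinutes(10)` is also the longest time a revoked membership keeps granting access; add `// NOTE: membership is served from cache for up to MaxAge; a group removal is not seen until the entry expires or is evicted` next to MaxAge. Whether a provider failure inside GetGroups is stored as a result or propagates to the caller depends on MemoryCache, which is outside this hunk; if failures were cached, an outage would pin a possibly empty membership for ten minutes, so that contract deserves a sentence in the same comment. The constructor this initializer belongs to starts and ends outside the hunk.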
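Review bot: `membershipCache[principal.Sid.SidStruct]` is used as an indexer whose miss and failure behaviour is not visible here; if it can yield null, the `.Select(g => g.Sid)` on the next line throws NullReferenceException instead of a clear error, so either document that the indexer always resolves through DataSource or guard the result. GetGroupMemberShip, the previous source of this list, is no longer referenced in the hunk; if this was its last caller it is now dead code and a second membership path that can drift from the cached one (the cache resolves with recurse set to true). A one-line comment would make the choice explicit: `// transitive (recurse: true) membership, resolved and cached by membershipCache`. The enclosing method starts and ends outside the hunk.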