path: root/Services/SecurityService.cs
blob: 6e5ecb822d18baf07ae012224bbaff8921aa768f (plain)
using Microsoft.EntityFrameworkCore;
using Microsoft.Extensions.Caching.Memory;
using System.Data;

namespace HyperBooru.Services;

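/// <summary>
/// Evaluates ACL rules against a principal and its group membership, using
/// a snapshot of groups and ACLs loaded from the database.
/// </summary>
/// <remarks>
/// Security-relevant behaviour visible in this class:
/// <list type="bullet">
/// <item>An object without an ACL grants every permission bit (fail-open).</item>
/// <item>An ACL that contains no Allow rule starts from "everything allowed"
/// and only Deny rules subtract from it.</item>
/// <item>Rules are applied in the enumeration order of <c>acl.Rules</c>, so
/// the result depends on that order when Allow and Deny rules overlap.</item>
/// </list>
/// </remarks>
public class SecurityService {
    private readonly IDbContextFactory<HBContext> dbFactory;

    // Snapshot of all groups (with MemberOf loaded); replaced by Reload().
    private Group[] groups;
    // Snapshot of all ACLs with their rules and rule principals; replaced by
    // Reload(). No member of this class reads it as shown here.
    private Acl[]   acls;

    /// <summary>
    /// Stores the context factory and loads the initial snapshot.
    /// </summary>
    /// <param name="dbFactory">Factory used to open a context for each reload.</param>
    public SecurityService(IDbContextFactory<HBContext> dbFactory) {
        this.dbFactory = dbFactory;
        Reload();
    }

    /// <summary>
    /// Re-reads all groups and ACLs from the database into the in-memory snapshot.
    /// </summary>
    /// <remarks>
    /// Membership or ACL changes made after the last call are not seen by
    /// <see cref="Filter(IEnumerable{HBObject}, HBPrincipal, ulong)"/> until
    /// this is called again.
    /// NOTE(review): the two fields are assigned one after the other without
    /// synchronisation; if this service is shared between threads, a reader
    /// can observe new groups next to old ACLs. Confirm the service lifetime.
    /// </remarks>
    public void Reload() {
        using var db = dbFactory.CreateDbContext();

        groups = db.Groups
            .Include(g => g.MemberOf)
            .ToArray();

        acls = db.Acls
            .Include(a => a.Rules)
            .ThenInclude(r => r.Principal)
            .ToArray();
    }

    /// <summary>
    /// Lazily yields the objects on which <paramref name="principal"/> holds
    /// every bit of <paramref name="permissions"/>.
    /// </summary>
    /// <param name="objects">Candidate objects; each is checked against its own <c>Acl</c>.</param>
    /// <param name="principal">Principal whose effective permissions are evaluated.</param>
    /// <param name="permissions">Required permission bits; all of them must be granted.</param>
    /// <returns>The subset of <paramref name="objects"/> that passes the check.</returns>
    public IEnumerable<HBObject> Filter(
        IEnumerable<HBObject> objects,
        HBPrincipal principal,
        ulong permissions) {

        foreach(var obj in objects) {
            // An object whose Acl is null passes for any requested permission
            // (see GetPermissions).
            var granted = GetPermissions(obj.Acl, principal);
            if((granted & permissions) == permissions) {
                yield return obj;
            }
        }
    }

    /// <summary>
    /// Enum-typed convenience overload of
    /// <see cref="Filter(IEnumerable{HBObject}, HBPrincipal, ulong)"/>.
    /// </summary>
    /// <typeparam name="T">Enum type carrying the permission bits.</typeparam>
    /// <param name="objects">Candidate objects.</param>
    /// <param name="principal">Principal whose effective permissions are evaluated.</param>
    /// <param name="permissions">Required permission bits.</param>
    /// <returns>The subset of <paramref name="objects"/> that passes the check.</returns>
    /// <exception cref="OverflowException">
    /// The enum value is negative and cannot be represented as <see cref="ulong"/>.
    /// </exception>
    public IEnumerable<HBObject> Filter<T>(
        IEnumerable<HBObject> objects,
        HBPrincipal principal,
        T permissions) where T : Enum =>
        // The enum must be converted explicitly: passing the T value through
        // unchanged binds back to this generic overload and recurses without end.
        Filter(objects, principal, Convert.ToUInt64(permissions));

    /// <summary>
    /// Computes the effective permission mask of <paramref name="principal"/>
    /// under <paramref name="acl"/>.
    /// </summary>
    /// <param name="acl">ACL to evaluate, or null when the object has none.</param>
    /// <param name="principal">Principal being evaluated.</param>
    /// <returns>
    /// All bits set when <paramref name="acl"/> is null; otherwise the mask
    /// left after applying every rule that targets the principal or one of
    /// its groups.
    /// </returns>
    private ulong GetPermissions(Acl? acl, HBPrincipal principal) {
        // Fail-open default: no ACL means no restriction at all.
        if(acl is null) {
            return ulong.MaxValue;
        }

        // The presence of any Allow rule (for any principal) switches the ACL
        // from "allowed unless denied" to "denied unless allowed".
        bool hasAllowRules = acl.Rules
            .Any(r => r.Action == AclRuleAction.Allow);

        ulong permissions = hasAllowRules ? 0 : ulong.MaxValue;

        var principals = GetGroupMemberShip(principal)
            .Cast<HBPrincipal>()
            .Concat(new[] { principal })
            .ToArray();

        // Rules are applied in enumeration order: a later Allow re-grants bits
        // that an earlier Deny removed, and the reverse.
        // NOTE(review): nothing here or in Reload() sorts the rules - confirm
        // whether Deny is meant to take precedence regardless of order.
        // NOTE(review): matching relies on the default equality of HBPrincipal;
        // if rule principals and the caller's principal come from different
        // contexts and the type does not override Equals, no rule will match.
        foreach(var rule in acl.Rules) {
            if(!principals.Contains(rule.Principal)) {
                continue;
            }

            if(rule.Action == AclRuleAction.Allow) {
                permissions |= rule.Permissions;
            } else {
                permissions &= ~rule.Permissions;
            }
        }

        return permissions;
    }

    /// <summary>
    /// Returns the groups <paramref name="principal"/> belongs to, directly
    /// or through nested group membership.
    /// </summary>
    /// <param name="principal">Principal whose <c>MemberOf</c> seeds the walk.</param>
    /// <returns>Direct groups followed by the groups reached through them.</returns>
    private List<Group> GetGroupMemberShip(HBPrincipal principal) {
        var membership = principal.MemberOf.ToList();

        while(true) {
            // Only add a snapshot group when a group already collected lists
            // it in MemberOf. Without that condition every known group is
            // added and each principal is treated as a member of all groups,
            // so any group-targeted Allow or Deny rule applies to everyone.
            // NOTE(review): assumes MemberOf is loaded on the principal's own
            // groups and that Group equality matches across contexts - confirm.
            var toAdd = this.groups
                .Where(g => !membership.Contains(g)
                         && membership.Any(m => m.MemberOf.Contains(g)))
                .ToArray();

            // Each pass adds at least one new snapshot group or stops, so the
            // loop terminates even when group nesting contains a cycle.
            if(toAdd.Length == 0) {
                break;
            }

            membership.AddRange(toAdd);
        }

        return membership;
    }
}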