using HyperBooru.Util;
using Microsoft.EntityFrameworkCore;
using System.Data;
namespace HyperBooru.Services;
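public class SecurityService {
    private readonly IDbContextFactory<HBContext> dbFactory;
    // Principals keyed by ObjectId, each loaded with its direct MemberOf groups.
    private readonly MemoryCache<int, HBPrincipal> principalCache;
    // ACLs keyed by ObjectId, each loaded with its rules. Not read anywhere in this
    // class yet: Filter evaluates obj.Acl exactly as the caller loaded it.
    private readonly MemoryCache<int, Acl> aclCache;

    /// <summary>
    /// Create the service and configure the two lookup caches.
    /// </summary>
    /// <param name="dbFactory">Factory used to open a short-lived context per cache miss.</param>
    /// <exception cref="ArgumentNullException"><paramref name="dbFactory"/> is null.</exception>
    public SecurityService(IDbContextFactory<HBContext> dbFactory) {
        ArgumentNullException.ThrowIfNull(dbFactory);
        this.dbFactory = dbFactory;
        // TODO: preload the principal cache
        principalCache = new() {
            MaxItems = 10_000,
            MaxAge = TimeSpan.FromMinutes(10),
            // A miss yields null (FirstOrDefault); only one level of MemberOf is included.
            DataSource = (int id) => {
                using var db = dbFactory.CreateDbContext();
                return db.Principals
                    .Include(p => p.MemberOf)
                    .FirstOrDefault(p => p.ObjectId == id);
            }
        };
        aclCache = new() {
            MaxItems = 1000,
            MaxAge = TimeSpan.FromMinutes(10),
            // Rules are included; the Principal of each rule is not.
            DataSource = (int id) => {
                using var db = dbFactory.CreateDbContext();
                return db.Acls
                    .Include(a => a.Rules)
                    .FirstOrDefault(a => a.ObjectId == id);
            }
        };
    }

    /// <summary>
    /// Lazily yield the objects on which <paramref name="principal"/> holds every
    /// permission bit set in <paramref name="permissions"/>.
    /// </summary>
    /// <param name="objects">Objects to check; each object's <c>Acl</c> is evaluated as loaded.</param>
    /// <param name="principal">Principal whose effective permissions are computed.</param>
    /// <param name="permissions">
    /// Bitmask of required permissions. All bits must be granted; a mask of 0 passes every object.
    /// </param>
    /// <returns>The passing objects, in the order they were supplied.</returns>
    /// <exception cref="ArgumentNullException">
    /// <paramref name="objects"/> or <paramref name="principal"/> is null.
    /// </exception>
    public IEnumerable<HBObject> Filter(
            IEnumerable<HBObject> objects,
            HBPrincipal principal,
            ulong permissions) {
        // Validate eagerly; an iterator method would defer the throw to the first MoveNext.
        ArgumentNullException.ThrowIfNull(objects);
        ArgumentNullException.ThrowIfNull(principal);
        return FilterIterator(objects, principal, permissions);
    }

    // Iterator half of Filter; arguments are already validated.
    private IEnumerable<HBObject> FilterIterator(
            IEnumerable<HBObject> objects,
            HBPrincipal principal,
            ulong permissions) {
        foreach (var obj in objects) {
            var granted = GetPermissions(obj.Acl, principal);
            // Every requested bit must be present; one missing bit excludes the object.
            if ((granted & permissions) == permissions)
                yield return obj;
        }
    }

    /// <summary>
    /// Enum-typed overload of <see cref="Filter(IEnumerable{HBObject}, HBPrincipal, ulong)"/>.
    /// </summary>
    /// <typeparam name="T">Enum whose underlying value is the permission bitmask.</typeparam>
    /// <exception cref="OverflowException">
    /// The enum's underlying value is negative and cannot be widened to <see cref="ulong"/>.
    /// </exception>
    public IEnumerable<HBObject> Filter<T>(
            IEnumerable<HBObject> objects,
            HBPrincipal principal,
            T permissions) where T : Enum =>
        // Convert explicitly: an unconverted T cannot bind to the ulong parameter, so
        // overload resolution would otherwise pick this generic method again and recurse forever.
        Filter(objects, principal, Convert.ToUInt64(permissions));

    /// <summary>
    /// Resolve the specified ACL and return a bitmask of all permissions the
    /// principal holds on it, directly or through any group it belongs to.
    /// </summary>
    /// <param name="acl">ACL to resolve; null grants every permission (all bits set).</param>
    /// <param name="principal">Principal being evaluated, including its group memberships.</param>
    /// <returns>
    /// Effective permission bitmask. With no Allow rule in the ACL the starting point is
    /// "everything" and Deny rules subtract from it; with at least one Allow rule the
    /// starting point is "nothing" and Allow rules add to it. Rules are applied in
    /// enumeration order, so a later rule wins for any bit both touch.
    /// </returns>
    private ulong GetPermissions(Acl? acl, HBPrincipal principal) {
        if (acl is null)
            return ulong.MaxValue;

        bool hasAllowRules = acl.Rules.Any(r => r.Action == AclRuleAction.Allow);
        ulong permissions = hasAllowRules ? 0 : ulong.MaxValue;

        // Identities (ObjectId) of the principal and every group it belongs to.
        // Rule principals are materialized by whichever context loaded the ACL, so
        // matching by entity instance would miss principals loaded by another context.
        var matching = new HashSet<int>(GetGroupMemberShip(principal).Select(g => g.ObjectId)) {
            principal.ObjectId
        };

        foreach (var rule in acl.Rules) {
            // NOTE(review): rule.Principal is null when the ACL was loaded without it
            // (the aclCache loader does not include it); such rules are skipped, as before.
            if (rule.Principal is null || !matching.Contains(rule.Principal.ObjectId))
                continue;
            if (rule.Action == AclRuleAction.Allow)
                permissions |= rule.Permissions;
            else
                permissions &= ~rule.Permissions;
        }
        return permissions;
    }

    /// <summary>
    /// Get every group the principal belongs to, following nested memberships
    /// (a member of group A, where A is a member of B, also counts as a member of B).
    /// </summary>
    /// <param name="principal">Principal whose direct <c>MemberOf</c> groups seed the walk.</param>
    /// <returns>Direct groups first, then transitively reached groups, each listed once.</returns>
    /// <exception cref="InvalidOperationException">
    /// A membership refers to an ObjectId the principal cache cannot resolve to a group.
    /// </exception>
    private List<Group> GetGroupMemberShip(HBPrincipal principal) {
        // NOTE(review): the direct groups come from the caller's principal instance, so
        // their own MemberOf must already be loaded for nesting to be followed — confirm.
        var groups = principal.MemberOf.ToList();
        // Ids already collected; also stops membership cycles (A in B, B in A).
        var seen = new HashSet<int>(groups.Select(g => g.ObjectId));

        // Breadth-first: each pass resolves only the parents of the groups added last.
        var frontier = groups;
        while (frontier.Count > 0) {
            var added = new List<Group>();
            foreach (var id in frontier.SelectMany(g => g.MemberOf).Select(g => g.ObjectId)) {
                if (!seen.Add(id))
                    continue;
                // Nested groups go through the cache so their MemberOf is loaded. A miss is a
                // data-integrity problem and must not be read as "no further memberships".
                if (principalCache[id] is not Group group)
                    throw new InvalidOperationException(
                        $"Principal {id} is referenced as a group but could not be resolved.");
                added.Add(group);
            }
            groups.AddRange(added);
            frontier = added;
        }
        return groups;
    }
}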