1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
|
using HyperBooru.Util;
using Microsoft.EntityFrameworkCore;
using System.Data;
namespace HyperBooru.Services;
public class SecurityService {
private IDbContextFactory<HBContext> dbFactory;
private MemoryCache<SidStruct, HBPrincipal> principalCache;
private MemoryCache<int, Acl> aclCache;
public SecurityService(IDbContextFactory<HBContext> dbFactory) {
this.dbFactory = dbFactory;
// TODO: preload the principal cache
principalCache = new() {
MaxItems = 10_000,
MaxAge = TimeSpan.FromMinutes(10),
DataSource = (SidStruct sid) => {
using var db = dbFactory.CreateDbContext();
return db.Principals
.Include(p => p.MemberOf)
.FirstOrDefault(p => p.Sid.SidStruct.Equals(sid));
}
};
aclCache = new() {
MaxItems = 1000,
MaxAge = TimeSpan.FromMinutes(10),
DataSource = (int id) => {
using var db = dbFactory.CreateDbContext();
return db.Acls
.Include(a => a.Rules)
.FirstOrDefault(a => a.AclId == id);
}
};
}
public IEnumerable<HBObject> Filter(
IEnumerable<HBObject> objects,
HBPrincipal principal,
ulong permissions) {
foreach(var obj in objects) {
var perms = GetPermissions(obj.Acl, principal);
if((perms & permissions) == permissions)
yield return obj;
}
}
public IEnumerable<HBObject> Filter<T>(
IEnumerable<HBObject> objects,
HBPrincipal principal,
T permissions) where T : Enum =>
Filter(objects, principal, permissions);
/// <summary>
/// Resolve the specified ACL and return a bitmask representing
/// all the permissions the specified principal has.
/// </summary>
/// <param name="acl">
/// ACL to resolve (returns a bitmask consisting of all 1's if this field is null)
/// </param>
private ulong GetPermissions(Acl? acl, HBPrincipal principal) {
if(acl is null)
return ulong.MaxValue;
ulong permissions = 0;
var principals = GetGroupMemberShip(principal)
.Cast<HBPrincipal>()
.Concat(new[] { principal })
.Select(p => p.Sid)
.ToArray();
var allowRules = acl.Rules.Where(r => r.Action == AclRuleAction.Allow);
var denyRules = acl.Rules.Where(r => r.Action == AclRuleAction.Deny);
foreach(var rule in allowRules) {
if(!principals.Contains(rule.Principal))
continue;
permissions |= rule.Permissions;
}
foreach(var rule in denyRules) {
if(!principals.Contains(rule.Principal))
continue;
permissions &= ~rule.Permissions;
}
return permissions;
}
/// <summary>
/// Recursively get all groups of which the specified principal
/// is a member, including implicit memberships.
/// </summary>
private List<Group> GetGroupMemberShip(HBPrincipal principal) {
var groups = principal.MemberOf.ToList();
while(true) {
var toAdd = groups
.SelectMany(g => g.MemberOf)
.Select(g => g.Sid.SidStruct)
.Where(sid => !groups.Select(g => g.Sid.SidStruct).Contains(sid))
.ToArray();
if(toAdd.Count() == 0)
break;
foreach(var sid in toAdd)
groups.Add((Group) principalCache[sid]);
}
return groups;
}
}
|
