Services/SecurityService.cs


1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96

using HyperBooru.Util;
using Microsoft.EntityFrameworkCore;
using System.Data;

namespace HyperBooru.Services;

public class SecurityService {
    private IDbContextFactory<HBContext> dbFactory;

    private MemoryCache<SidStruct, IGroup[]>   membershipCache;
    private MemoryCache<int, Acl>              aclCache;

    IPrincipalProvider principalProvider;

    public SecurityService(
        IDbContextFactory<HBContext> dbFactory,
        IPrincipalProvider principalProvider) {

        this.dbFactory         = dbFactory;
        this.principalProvider = principalProvider;

        // TODO: preload the principal cache
        membershipCache = new() {
            MaxItems   = 1000,
            MaxAge     = TimeSpan.FromMinutes(10),
            DataSource = (SidStruct sid) => {
            }
        };

        aclCache = new() {
            MaxItems   = 1000,
            MaxAge     = TimeSpan.FromMinutes(10),
            DataSource = (int id) => {
                using var db = dbFactory.CreateDbContext();
                return db.Acls
                    .Include(a => a.Rules)
                    .FirstOrDefault(a => a.AclId == id);
            }
        };
    }

    public IEnumerable<HBObject> Filter(
        IEnumerable<HBObject> objects,
        IPrincipal principal,
        ulong permissions) {

        foreach(var obj in objects) {
            var perms = GetPermissions(obj.Acl, principal);
            if((perms & permissions) == permissions)
                yield return obj;
        }
    }

    public IEnumerable<HBObject> Filter<T>(
        IEnumerable<HBObject> objects,
        IPrincipal principal,
        T permissions) where T : Enum =>
        Filter(objects, principal, permissions);

    /// <summary>
    /// Resolve the specified ACL and return a bitmask representing
    /// all the permissions the specified principal has.
    /// </summary>
    /// <param name="acl">
    /// ACL to resolve (returns a bitmask consisting of all 1's if this field is null)
    /// </param>
    private ulong GetPermissions(Acl? acl, IPrincipal principal) {
        if(acl is null)
            return ulong.MaxValue;

        ulong permissions = 0;

        var principals = GetGroupMemberShip(principal)
            .Cast<IPrincipal>()
            .Concat(new[] { principal })
            .Select(p => p.Sid)
            .ToArray();

        var allowRules = acl.Rules.Where(r => r.Action == AclRuleAction.Allow);
        var denyRules  = acl.Rules.Where(r => r.Action == AclRuleAction.Deny);

        foreach(var rule in allowRules) {
            if(!principals.Contains(rule.Principal))
                continue;
            permissions |= rule.Permissions;
        }

        foreach(var rule in denyRules) {
            if(!principals.Contains(rule.Principal))
                continue;
            permissions &= ~rule.Permissions;
        }

        return permissions;
    }
}