Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

cache VirtualPermission validation #502

Merged
merged 2 commits into from
Oct 1, 2024
Merged

cache VirtualPermission validation #502

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
2 commits
Select commit Hold shift + click to select a range
e7ff3a3
cache VirtualPermission validation
iatsuta Oct 1, 2024
061ffc3
Merge branch 'main' into iatsuta/cache-VirtualPermission-validation
iatsuta Oct 1, 2024
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
3 changes: 1 addition & 2 deletions src/_Authorization/Framework.Authorization.Environment/ServiceCollectionExtensions.cs
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -48,7 +48,6 @@ private static IServiceCollection RegisterGeneralAuthorizationSystem(this IServi
.AddScoped<IAuthorizationBusinessRoleInitializer, AuthorizationBusinessRoleInitializer>()

.AddScoped<IPrincipalDomainService, PrincipalDomainService>()
.AddScoped<AuthorizationPermissionSystemFactory>()

.AddScoped<IPrincipalGeneralValidator, PrincipalGeneralValidator>()
.AddScoped<IPermissionGeneralValidator, PermissionGeneralValidator>()
Expand Down Expand Up @@ -99,7 +98,7 @@ private static IServiceCollection RegistryGenericDatabaseVisitors(this IServiceC

private static IServiceCollection UpdateSecuritySystem(this IServiceCollection services)
{
return services.AddScopedFrom<IPermissionSystemFactory, AuthorizationPermissionSystemFactory>()
return services.AddScoped<IPermissionSystemFactory, AuthorizationPermissionSystemFactory>()
.AddScoped<AuthorizationPrincipalManagementService>()
.AddScopedFrom<IPrincipalSourceService, AuthorizationPrincipalManagementService>()
.ReplaceScopedFrom<IPrincipalManagementService, AuthorizationPrincipalManagementService>();
Expand Down
6 changes: 6 additions & 0 deletions ...Driven/Framework.DomainDriven.VirtualPermission/IVirtualPermissionBindingInfoValidator.cs
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,6 @@
namespace Framework.DomainDriven.VirtualPermission;

public interface IVirtualPermissionBindingInfoValidator
{
void Validate<TPrincipal, TPermission>(VirtualPermissionBindingInfo<TPrincipal, TPermission> bindingInfo);
}
18 changes: 12 additions & 6 deletions ...DomainDriven/Framework.DomainDriven.VirtualPermission/SecuritySystemSettingsExtensions.cs
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -6,23 +6,29 @@
using Framework.SecuritySystem.ExternalSystem.Management;

using Microsoft.Extensions.DependencyInjection;
using Microsoft.Extensions.DependencyInjection.Extensions;

namespace Framework.DomainDriven.VirtualPermission;

public static class SecuritySystemSettingsExtensions
{
public static ISecuritySystemSettings AddVirtualPermission<TPrincipal, TPermission>(
this ISecuritySystemSettings securitySystemSettings,
Func<IServiceProvider, VirtualPermissionBindingInfo<TPrincipal, TPermission>> getBindingInfo)
VirtualPermissionBindingInfo<TPrincipal, TPermission> bindingInfo)
where TPrincipal : IIdentityObject<Guid>
where TPermission : IIdentityObject<Guid> =>
securitySystemSettings

.AddPermissionSystem(
sp => ActivatorUtilities.CreateInstance<VirtualPermissionSystemFactory<TPrincipal, TPermission>>(sp, getBindingInfo(sp)))
sp => ActivatorUtilities.CreateInstance<VirtualPermissionSystemFactory<TPrincipal, TPermission>>(sp, bindingInfo))

.AddExtensions(
sc => sc
.AddScoped<IPrincipalSourceService>(
sp => ActivatorUtilities.CreateInstance<VirtualPrincipalSourceService<TPrincipal, TPermission>>(sp, getBindingInfo(sp))));
sc => sc.AddScoped<IPrincipalSourceService>(
sp => ActivatorUtilities.CreateInstance<VirtualPrincipalSourceService<TPrincipal, TPermission>>(
sp,
bindingInfo))

.TryAddSingleton<IVirtualPermissionBindingInfoValidator, VirtualPermissionBindingInfoValidator>());

public static ISecuritySystemSettings AddVirtualPermission<TPrincipal, TPermission>(
this ISecuritySystemSettings securitySystemSettings,
Expand All @@ -37,6 +43,6 @@ public static ISecuritySystemSettings AddVirtualPermission<TPrincipal, TPermissi
(initFunc ?? (v => v)).Invoke(
new VirtualPermissionBindingInfo<TPrincipal, TPermission>(securityRole, principalPath, principalNamePath));

return securitySystemSettings.AddVirtualPermission(_ => bindingInfo);
return securitySystemSettings.AddVirtualPermission(bindingInfo);
}
}
45 changes: 9 additions & 36 deletions src/_DomainDriven/Framework.DomainDriven.VirtualPermission/VirtualPermissionBindingInfo.cs
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -11,17 +11,19 @@ public record VirtualPermissionBindingInfo<TPrincipal, TPermission>(
Expression<Func<TPermission, TPrincipal>> PrincipalPath,
Expression<Func<TPrincipal, string>> PrincipalNamePath,
IReadOnlyList<LambdaExpression> RestrictionPaths,
Expression<Func<TPermission, bool>> Filter,
Func<IServiceProvider, Expression<Func<TPermission, bool>>> GetFilter,
Expression<Func<TPermission, Period>>? PeriodFilter = null)
{
public VirtualPermissionBindingInfo(
SecurityRole securityRole,
Expression<Func<TPermission, TPrincipal>> principalPath,
Expression<Func<TPrincipal, string>> principalNamePath)
: this(securityRole, principalPath, principalNamePath, [], _ => true)
: this(securityRole, principalPath, principalNamePath, [], _ => _ => true)
{
}

public Guid Id { get; } = Guid.NewGuid();

public VirtualPermissionBindingInfo<TPrincipal, TPermission> AddRestriction<TSecurityContext>(
Expression<Func<TPermission, IEnumerable<TSecurityContext>>> path)
where TSecurityContext : ISecurityContext =>
Expand All @@ -35,46 +37,17 @@ public VirtualPermissionBindingInfo<TPrincipal, TPermission> AddRestriction<TSec
this with { RestrictionPaths = this.RestrictionPaths.Concat([path]).ToList() };

public VirtualPermissionBindingInfo<TPrincipal, TPermission> AddFilter(
Expression<Func<TPermission, bool>> filter) =>
Expression<Func<TPermission, bool>> filter) => this.AddFilter(_ => filter);

public VirtualPermissionBindingInfo<TPrincipal, TPermission> AddFilter(
Func<IServiceProvider, Expression<Func<TPermission, bool>>> getFilter) =>

this with { Filter = this.Filter.BuildAnd(filter) };
this with { GetFilter = sp => this.GetFilter(sp).BuildAnd(getFilter(sp)) };

public VirtualPermissionBindingInfo<TPrincipal, TPermission> SetPeriodFilter(
Expression<Func<TPermission, Period>> periodFilter) =>
this with { PeriodFilter = periodFilter };

public void Validate(ISecurityRoleSource securityRoleSource)
{
var securityContextRestrictions = securityRoleSource
.GetSecurityRole(this.SecurityRole)
.Information
.Restriction
.SecurityContextRestrictions;

if (securityContextRestrictions != null)
{
var bindingContextTypes = this.GetSecurityContextTypes().ToList();

var invalidTypes = bindingContextTypes.Except(securityContextRestrictions.Select(r => r.Type)).ToList();

if (invalidTypes.Any())
{
throw new Exception($"Invalid restriction types: {invalidTypes.Join(", ", t => t.Name)}");
}

var missedTypes = securityContextRestrictions
.Where(r => r.Required)
.Select(r => r.Type)
.Except(bindingContextTypes)
.ToList();

if (missedTypes.Any())
{
throw new Exception($"Missed required restriction types: {missedTypes.Join(", ", t => t.Name)}");
}
}
}

public IEnumerable<Type> GetSecurityContextTypes()
{
return this.RestrictionPaths
Expand Down
53 changes: 53 additions & 0 deletions ...nDriven/Framework.DomainDriven.VirtualPermission/VirtualPermissionBindingInfoValidator.cs
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,53 @@
using Framework.Core;
using Framework.SecuritySystem;

namespace Framework.DomainDriven.VirtualPermission;

public class VirtualPermissionBindingInfoValidator(ISecurityRoleSource securityRoleSource) : IVirtualPermissionBindingInfoValidator
{
private readonly HashSet<Guid> validated = new();

public void Validate<TPrincipal, TPermission>(VirtualPermissionBindingInfo<TPrincipal, TPermission> bindingInfo)
{
if (this.validated.Contains(bindingInfo.Id))
{
return;
}

this.InternalValidate(bindingInfo);

this.validated.Add(bindingInfo.Id);
}

private void InternalValidate<TPrincipal, TPermission>(VirtualPermissionBindingInfo<TPrincipal, TPermission> bindingInfo)
{
var securityContextRestrictions = securityRoleSource
.GetSecurityRole(bindingInfo.SecurityRole)
.Information
.Restriction
.SecurityContextRestrictions;

if (securityContextRestrictions != null)
{
var bindingContextTypes = bindingInfo.GetSecurityContextTypes().ToList();

var invalidTypes = bindingContextTypes.Except(securityContextRestrictions.Select(r => r.Type)).ToList();

if (invalidTypes.Any())
{
throw new Exception($"Invalid restriction types: {invalidTypes.Join(", ", t => t.Name)}");
}

var missedTypes = securityContextRestrictions
.Where(r => r.Required)
.Select(r => r.Type)
.Except(bindingContextTypes)
.ToList();

if (missedTypes.Any())
{
throw new Exception($"Missed required restriction types: {missedTypes.Join(", ", t => t.Name)}");
}
}
}
}
3 changes: 2 additions & 1 deletion src/_DomainDriven/Framework.DomainDriven.VirtualPermission/VirtualPermissionSource.cs
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -8,6 +8,7 @@
namespace Framework.DomainDriven.VirtualPermission;

public class VirtualPermissionSource<TPrincipal, TPermission>(
IServiceProvider serviceProvider,
IUserNameResolver userNameResolver,
IQueryableSource queryableSource,
TimeProvider timeProvider,
Expand All @@ -31,7 +32,7 @@ private IQueryable<TPermission> GetPermissionQuery(SecurityRuleCredential? custo
{
return queryableSource
.GetQueryable<TPermission>()
.Where(bindingInfo.Filter)
.Where(bindingInfo.GetFilter(serviceProvider))
.PipeMaybe(bindingInfo.PeriodFilter, (q, filter) =>
{
var today = timeProvider.GetToday();
Expand Down
4 changes: 3 additions & 1 deletion src/_DomainDriven/Framework.DomainDriven.VirtualPermission/VirtualPermissionSystem.cs
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -12,6 +12,7 @@
namespace Framework.DomainDriven.VirtualPermission;

public class VirtualPermissionSystem<TPrincipal, TPermission>(
IServiceProvider serviceProvider,
ISecurityRuleExpander securityRuleExpander,
IUserNameResolver userNameResolver,
IQueryableSource queryableSource,
Expand All @@ -24,7 +25,7 @@ public class VirtualPermissionSystem<TPrincipal, TPermission>(
where TPermission : IIdentityObject<Guid>
{
public Type PermissionType { get; } = typeof(TPermission);

public Expression<Func<TPermission, IEnumerable<Guid>>> GetPermissionRestrictionsExpr<TSecurityContext>()
where TSecurityContext : ISecurityContext =>
bindingInfo.GetRestrictionsExpr<TSecurityContext>();
Expand All @@ -42,6 +43,7 @@ public IPermissionSource<TPermission> GetPermissionSource(DomainSecurityRule.Rol
if (securityRuleExpander.FullExpand(securityRule).SecurityRoles.Contains(bindingInfo.SecurityRole))
{
return new VirtualPermissionSource<TPrincipal, TPermission>(
serviceProvider,
userNameResolver,
queryableSource,
timeProvider,
Expand Down
6 changes: 3 additions & 3 deletions src/_DomainDriven/Framework.DomainDriven.VirtualPermission/VirtualPermissionSystemFactory.cs
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -16,13 +16,13 @@ public class VirtualPermissionSystemFactory<TPrincipal, TPermission> : IPermissi

public VirtualPermissionSystemFactory(
IServiceProvider serviceProvider,
ISecurityRoleSource securityRoleSource,
VirtualPermissionBindingInfo<TPrincipal, TPermission> bindingInfo)
VirtualPermissionBindingInfo<TPrincipal, TPermission> bindingInfo,
IVirtualPermissionBindingInfoValidator validator)
{
this.serviceProvider = serviceProvider;
this.bindingInfo = bindingInfo;

this.bindingInfo.Validate(securityRoleSource);
validator.Validate(this.bindingInfo);
}

public IPermissionSystem Create(SecurityRuleCredential securityRuleCredential) =>
Expand Down
7 changes: 4 additions & 3 deletions src/_DomainDriven/Framework.DomainDriven.VirtualPermission/VirtualPrincipalSourceService.cs
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -12,6 +12,7 @@
namespace Framework.DomainDriven.VirtualPermission;

public class VirtualPrincipalSourceService<TPrincipal, TPermission>(
IServiceProvider serviceProvider,
IQueryableSource queryableSource,
VirtualPermissionBindingInfo<TPrincipal, TPermission> bindingInfo) : IPrincipalSourceService

Expand All @@ -33,7 +34,7 @@ public async Task<IEnumerable<TypedPrincipalHeader>> GetPrincipalsAsync(

var anonHeaders = await queryableSource
.GetQueryable<TPermission>()
.Where(bindingInfo.Filter)
.Where(bindingInfo.GetFilter(serviceProvider))
.Select(bindingInfo.PrincipalPath)
.Where(
string.IsNullOrWhiteSpace(nameFilter)
Expand Down Expand Up @@ -69,7 +70,7 @@ public async Task<IEnumerable<TypedPrincipalHeader>> GetPrincipalsAsync(
var header = new TypedPrincipalHeader(principal.Id, bindingInfo.PrincipalNamePath.Eval(principal), true);

var permissions = await queryableSource.GetQueryable<TPermission>()
.Where(bindingInfo.Filter)
.Where(bindingInfo.GetFilter(serviceProvider))
.Where(bindingInfo.PrincipalPath.Select(filter))
.ToListAsync(cancellationToken);

Expand Down Expand Up @@ -106,7 +107,7 @@ public async Task<IEnumerable<string>> GetLinkedPrincipalsAsync(
if (securityRoles.Contains(bindingInfo.SecurityRole))
{
return await queryableSource.GetQueryable<TPermission>()
.Where(bindingInfo.Filter)
.Where(bindingInfo.GetFilter(serviceProvider))
.Select(bindingInfo.PrincipalPath)
.Select(bindingInfo.PrincipalNamePath)
.ToListAsync(cancellationToken);
Expand Down
Loading