|
|
|
|
using System;
|
|
|
|
|
using System.Linq;
|
|
|
|
|
using System.Security.Principal;
|
|
|
|
|
using System.Security.Claims;
|
|
|
|
|
using Yavsc.Models;
|
|
|
|
|
using Microsoft.Extensions.Logging;
|
|
|
|
|
using Microsoft.Extensions.OptionsModel;
|
|
|
|
|
using System.IO;
|
|
|
|
|
using rules;
|
|
|
|
|
|
|
|
|
|
namespace Yavsc.Services
|
|
|
|
|
{
|
|
|
|
|
public class FileSystemAuthManager : IFileSystemAuthManager
|
|
|
|
|
{
|
|
|
|
|
readonly ApplicationDbContext _dbContext;
|
|
|
|
|
readonly ILogger _logger;
|
|
|
|
|
|
|
|
|
|
readonly SiteSettings SiteSettings;
|
|
|
|
|
|
|
|
|
|
readonly string aclfileName;
|
|
|
|
|
|
|
|
|
|
readonly RuleSetParser ruleSetParser;
|
|
|
|
|
|
|
|
|
|
public FileSystemAuthManager(ApplicationDbContext dbContext, ILoggerFactory loggerFactory,
|
|
|
|
|
IOptions<SiteSettings> sitesOptions)
|
|
|
|
|
{
|
|
|
|
|
_dbContext = dbContext;
|
|
|
|
|
_logger = loggerFactory.CreateLogger<FileSystemAuthManager>();
|
|
|
|
|
SiteSettings = sitesOptions.Value;
|
|
|
|
|
aclfileName = SiteSettings.AccessListFileName;
|
|
|
|
|
ruleSetParser = new RuleSetParser(true);
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
public FileAccessRight GetFilePathAccess(ClaimsPrincipal user, string normalizedFullPath)
|
|
|
|
|
{
|
|
|
|
|
|
|
|
|
|
// Assert (normalizedFullPath!=null)
|
|
|
|
|
var parts = normalizedFullPath.Split('/');
|
|
|
|
|
|
|
|
|
|
// below 4 parts, no file name.
|
|
|
|
|
if (parts.Length < 4) return FileAccessRight.None;
|
|
|
|
|
|
|
|
|
|
var fileDir = string.Join("/", parts.Take(parts.Length - 1));
|
|
|
|
|
|
|
|
|
|
var firstFileNamePart = parts[3];
|
|
|
|
|
if (firstFileNamePart == "pub")
|
|
|
|
|
{
|
|
|
|
|
_logger.LogInformation("Serving public file.");
|
|
|
|
|
return FileAccessRight.Read;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
var funame = parts[2];
|
|
|
|
|
_logger.LogInformation($"Accessing {normalizedFullPath} from {funame}");
|
|
|
|
|
|
|
|
|
|
if (funame == user?.GetUserName())
|
|
|
|
|
{
|
|
|
|
|
_logger.LogInformation("Serving file to owner.");
|
|
|
|
|
return FileAccessRight.Read | FileAccessRight.Write;
|
|
|
|
|
}
|
|
|
|
|
var aclfi = new FileInfo(Path.Combine(Environment.CurrentDirectory, fileDir, aclfileName));
|
|
|
|
|
// TODO default user scoped file access policy
|
|
|
|
|
if (!aclfi.Exists) return FileAccessRight.Read;
|
|
|
|
|
ruleSetParser.Reset();
|
|
|
|
|
ruleSetParser.ParseFile(aclfi.FullName);
|
|
|
|
|
if (ruleSetParser.Rules.Allow(user.GetUserName()))
|
|
|
|
|
return FileAccessRight.Read;
|
|
|
|
|
|
|
|
|
|
var ucl = user.Claims.Where(c => c.Type == YavscClaimTypes.CircleMembership).Select(c => long.Parse(c.Value)).Distinct().ToArray();
|
|
|
|
|
|
|
|
|
|
var uclString = string.Join(",", ucl);
|
|
|
|
|
_logger.LogInformation($"{uclString} ");
|
|
|
|
|
foreach (
|
|
|
|
|
var cid in ucl
|
|
|
|
|
)
|
|
|
|
|
{
|
|
|
|
|
var ok = _dbContext.CircleAuthorizationToFile.Any(a => a.CircleId == cid && a.FullPath == fileDir);
|
|
|
|
|
if (ok) return FileAccessRight.Read;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
return FileAccessRight.None;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
public string NormalizePath(string path)
|
|
|
|
|
{
|
|
|
|
|
throw new NotImplementedException();
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
public void SetAccess(long circleId, string normalizedFullPath, FileAccessRight access)
|
|
|
|
|
{
|
|
|
|
|
throw new NotImplementedException();
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
}
|
