Solar/Swarm
2
1
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

♻️ Moved some services to DysonNetwork.Pass

Browse Source
This commit is contained in:
LittleSheep
2025-07-11 02:00:40 +08:00
parent 2a3918134f
commit e76c80eead
68 changed files with 8913 additions and 7 deletions
Download Patch File Download Diff File Expand all files Collapse all files

59
DysonNetwork.Pass/Permission/Permission.cs Normal file
View File

@ -0,0 +1,59 @@
using System.ComponentModel.DataAnnotations;
using System.ComponentModel.DataAnnotations.Schema;
using System.Text.Json;
using System.Text.Json.Serialization;
using Microsoft.EntityFrameworkCore;
using NodaTime;
namespace DysonNetwork.Pass.Permission;
/// The permission node model provides the infrastructure of permission control in Dyson Network.
/// It based on the ABAC permission model.
///
/// The value can be any type, boolean and number for most cases and stored in jsonb.
///
/// The area represents the region this permission affects. For example, the pub:<publisherId>
/// indicates it's a permission node for the publishers managing.
///
/// And the actor shows who owns the permission, in most cases, the user:<userId>
/// and when the permission node has a GroupId, the actor will be set to the group, but it won't work on checking
/// expect the member of that permission group inherent the permission from the group.
[Index(nameof(Key), nameof(Area), nameof(Actor))]
public class PermissionNode : ModelBase, IDisposable
{
public Guid Id { get; set; } = Guid.NewGuid();
[MaxLength(1024)] public string Actor { get; set; } = null!;
[MaxLength(1024)] public string Area { get; set; } = null!;
[MaxLength(1024)] public string Key { get; set; } = null!;
[Column(TypeName = "jsonb")] public JsonDocument Value { get; set; } = null!;
public Instant? ExpiredAt { get; set; } = null;
public Instant? AffectedAt { get; set; } = null;
public Guid? GroupId { get; set; } = null;
[JsonIgnore] public PermissionGroup? Group { get; set; } = null;
public void Dispose()
{
Value.Dispose();
GC.SuppressFinalize(this);
}
}
public class PermissionGroup : ModelBase
{
public Guid Id { get; set; } = Guid.NewGuid();
[MaxLength(1024)] public string Key { get; set; } = null!;
public ICollection<PermissionNode> Nodes { get; set; } = new List<PermissionNode>();
[JsonIgnore] public ICollection<PermissionGroupMember> Members { get; set; } = new List<PermissionGroupMember>();
}
public class PermissionGroupMember : ModelBase
{
public Guid GroupId { get; set; }
public PermissionGroup Group { get; set; } = null!;
[MaxLength(1024)] public string Actor { get; set; } = null!;
public Instant? ExpiredAt { get; set; }
public Instant? AffectedAt { get; set; }
}

51
DysonNetwork.Pass/Permission/PermissionMiddleware.cs Normal file
View File

@ -0,0 +1,51 @@
namespace DysonNetwork.Pass.Permission;
using System;
[AttributeUsage(AttributeTargets.Method, Inherited = true)]
public class RequiredPermissionAttribute(string area, string key) : Attribute
{
public string Area { get; set; } = area;
public string Key { get; } = key;
}
public class PermissionMiddleware(RequestDelegate next)
{
public async Task InvokeAsync(HttpContext httpContext, PermissionService pm)
{
var endpoint = httpContext.GetEndpoint();
var attr = endpoint?.Metadata
.OfType<RequiredPermissionAttribute>()
.FirstOrDefault();
if (attr != null)
{
if (httpContext.Items["CurrentUser"] is not Account.Account currentUser)
{
httpContext.Response.StatusCode = StatusCodes.Status403Forbidden;
await httpContext.Response.WriteAsync("Unauthorized");
return;
}
if (currentUser.IsSuperuser)
{
// Bypass the permission check for performance
await next(httpContext);
return;
}
var actor = $"user:{currentUser.Id}";
var permNode = await pm.GetPermissionAsync<bool>(actor, attr.Area, attr.Key);
if (!permNode)
{
httpContext.Response.StatusCode = StatusCodes.Status403Forbidden;
await httpContext.Response.WriteAsync($"Permission {attr.Area}/{attr.Key} = {true} was required.");
return;
}
}
await next(httpContext);
}
}

198
DysonNetwork.Pass/Permission/PermissionService.cs Normal file
View File

@ -0,0 +1,198 @@
using Microsoft.EntityFrameworkCore;
using NodaTime;
using System.Text.Json;
using DysonNetwork.Pass;
using DysonNetwork.Shared.Cache;
namespace DysonNetwork.Pass.Permission;
public class PermissionService(
AppDatabase db,
ICacheService cache
)
{
private static readonly TimeSpan CacheExpiration = TimeSpan.FromMinutes(1);
private const string PermCacheKeyPrefix = "perm:";
private const string PermGroupCacheKeyPrefix = "perm-cg:";
private const string PermissionGroupPrefix = "perm-g:";
private static string _GetPermissionCacheKey(string actor, string area, string key) =>
PermCacheKeyPrefix + actor + ":" + area + ":" + key;
private static string _GetGroupsCacheKey(string actor) =>
PermGroupCacheKeyPrefix + actor;
private static string _GetPermissionGroupKey(string actor) =>
PermissionGroupPrefix + actor;
public async Task<bool> HasPermissionAsync(string actor, string area, string key)
{
var value = await GetPermissionAsync<bool>(actor, area, key);
return value;
}
public async Task<T?> GetPermissionAsync<T>(string actor, string area, string key)
{
var cacheKey = _GetPermissionCacheKey(actor, area, key);
var (hit, cachedValue) = await cache.GetAsyncWithStatus<T>(cacheKey);
if (hit)
return cachedValue;
var now = SystemClock.Instance.GetCurrentInstant();
var groupsKey = _GetGroupsCacheKey(actor);
var groupsId = await cache.GetAsync<List<Guid>>(groupsKey);
if (groupsId == null)
{
groupsId = await db.PermissionGroupMembers
.Where(n => n.Actor == actor)
.Where(n => n.ExpiredAt == null || n.ExpiredAt > now)
.Where(n => n.AffectedAt == null || n.AffectedAt <= now)
.Select(e => e.GroupId)
.ToListAsync();
await cache.SetWithGroupsAsync(groupsKey, groupsId,
[_GetPermissionGroupKey(actor)],
CacheExpiration);
}
var permission = await db.PermissionNodes
.Where(n => (n.GroupId == null && n.Actor == actor) ||
(n.GroupId != null && groupsId.Contains(n.GroupId.Value)))
.Where(n => n.Key == key && n.Area == area)
.Where(n => n.ExpiredAt == null || n.ExpiredAt > now)
.Where(n => n.AffectedAt == null || n.AffectedAt <= now)
.FirstOrDefaultAsync();
var result = permission is not null ? _DeserializePermissionValue<T>(permission.Value) : default;
await cache.SetWithGroupsAsync(cacheKey, result,
[_GetPermissionGroupKey(actor)],
CacheExpiration);
return result;
}
public async Task<PermissionNode> AddPermissionNode<T>(
string actor,
string area,
string key,
T value,
Instant? expiredAt = null,
Instant? affectedAt = null
)
{
if (value is null) throw new ArgumentNullException(nameof(value));
var node = new PermissionNode
{
Actor = actor,
Key = key,
Area = area,
Value = _SerializePermissionValue(value),
ExpiredAt = expiredAt,
AffectedAt = affectedAt
};
db.PermissionNodes.Add(node);
await db.SaveChangesAsync();
// Invalidate related caches
await InvalidatePermissionCacheAsync(actor, area, key);
return node;
}
public async Task<PermissionNode> AddPermissionNodeToGroup<T>(
PermissionGroup group,
string actor,
string area,
string key,
T value,
Instant? expiredAt = null,
Instant? affectedAt = null
)
{
if (value is null) throw new ArgumentNullException(nameof(value));
var node = new PermissionNode
{
Actor = actor,
Key = key,
Area = area,
Value = _SerializePermissionValue(value),
ExpiredAt = expiredAt,
AffectedAt = affectedAt,
Group = group,
GroupId = group.Id
};
db.PermissionNodes.Add(node);
await db.SaveChangesAsync();
// Invalidate related caches
await InvalidatePermissionCacheAsync(actor, area, key);
await cache.RemoveAsync(_GetGroupsCacheKey(actor));
await cache.RemoveGroupAsync(_GetPermissionGroupKey(actor));
return node;
}
public async Task RemovePermissionNode(string actor, string area, string key)
{
var node = await db.PermissionNodes
.Where(n => n.Actor == actor && n.Area == area && n.Key == key)
.FirstOrDefaultAsync();
if (node is not null) db.PermissionNodes.Remove(node);
await db.SaveChangesAsync();
// Invalidate cache
await InvalidatePermissionCacheAsync(actor, area, key);
}
public async Task RemovePermissionNodeFromGroup<T>(PermissionGroup group, string actor, string area, string key)
{
var node = await db.PermissionNodes
.Where(n => n.GroupId == group.Id)
.Where(n => n.Actor == actor && n.Area == area && n.Key == key)
.FirstOrDefaultAsync();
if (node is null) return;
db.PermissionNodes.Remove(node);
await db.SaveChangesAsync();
// Invalidate caches
await InvalidatePermissionCacheAsync(actor, area, key);
await cache.RemoveAsync(_GetGroupsCacheKey(actor));
await cache.RemoveGroupAsync(_GetPermissionGroupKey(actor));
}
private async Task InvalidatePermissionCacheAsync(string actor, string area, string key)
{
var cacheKey = _GetPermissionCacheKey(actor, area, key);
await cache.RemoveAsync(cacheKey);
}
private static T? _DeserializePermissionValue<T>(JsonDocument json)
{
return JsonSerializer.Deserialize<T>(json.RootElement.GetRawText());
}
private static JsonDocument _SerializePermissionValue<T>(T obj)
{
var str = JsonSerializer.Serialize(obj);
return JsonDocument.Parse(str);
}
public static PermissionNode NewPermissionNode<T>(string actor, string area, string key, T value)
{
return new PermissionNode
{
Actor = actor,
Area = area,
Key = key,
Value = _SerializePermissionValue(value),
};
}
}