Authorization Completion & Tests

Author: mckaragoz

src/CodeBeam.UltimateAuth.Core/Abstractions/Stores/InMemoryVersionedStore.cs

@@ -105,7 +105,16 @@ public Task DeleteAsync(TKey key, long expectedVersion, DeleteMode mode, DateTim
         return Task.CompletedTask;
     }
 
+    /// <summary>
+    /// Returns a read-only list containing the current snapshot of all entities stored in memory.
+    /// </summary>
     protected IReadOnlyList<TEntity> Values() => _store.Values.Select(Snapshot).ToList().AsReadOnly();
 
+    /// <summary>
+    /// Returns an enumerable collection of all entities currently stored in memory.
+    /// Useful in hooks when change entity value directly.
+    /// </summary>
+    protected IEnumerable<TEntity> InternalValues() => _store.Values;
+
     protected bool TryGet(TKey key, out TEntity? entity) => _store.TryGetValue(key, out entity);
 }

src/CodeBeam.UltimateAuth.Core/Constants/UAuthConstants.cs

@@ -2,6 +2,17 @@
 
 public static class UAuthConstants
 {
+    public static class Access
+    {
+        public const string Permissions = "permissions";
+    }
+
+    public static class Claims
+    {
+        public const string Tenant = "uauth:tenant";
+        public const string Permission = "uauth:permission";
+    }
+
     public static class HttpItems
     {
         public const string SessionContext = "__UAuth.SessionContext";

src/CodeBeam.UltimateAuth.Core/Contracts/Access/AccessScope.cs

@@ -0,0 +1,9 @@
+namespace CodeBeam.UltimateAuth.Core.Contracts;
+
+public enum ActionScope
+{
+    Anonymous,
+    Self,
+    Admin,
+    System
+}

src/CodeBeam.UltimateAuth.Core/Contracts/Authority/AccessContext.cs

@@ -40,7 +40,7 @@ internal AccessContext(
         bool isAuthenticated,
         bool isSystemActor,
         SessionChainId? actorChainId,
-        string resource,
+        string? resource,
         UserKey? targetUserKey,
         TenantKey resourceTenant,
         string action,

src/CodeBeam.UltimateAuth.Core/Defaults/UAuthActions.cs

@@ -1,7 +1,24 @@
-namespace CodeBeam.UltimateAuth.Core.Defaults;
+using CodeBeam.UltimateAuth.Core.Contracts;
+
+namespace CodeBeam.UltimateAuth.Core.Defaults;
 
 public static class UAuthActions
 {
+    public static string Create(string resource, string operation, ActionScope scope, string? subResource = null)
+    {
+        if (string.IsNullOrWhiteSpace(resource))
+            throw new ArgumentException("resource required");
+
+        if (string.IsNullOrWhiteSpace(operation))
+            throw new ArgumentException("operation required");
+
+        var scopePart = scope.ToString().ToLowerInvariant();
+
+        return subResource is null
+            ? $"{resource}.{operation}.{scopePart}"
+            : $"{resource}.{subResource}.{operation}.{scopePart}";
+    }
+
     public static class Sessions
     {
         public const string GetChainSelf = "sessions.getchain.self";

src/CodeBeam.UltimateAuth.Server/Infrastructure/Orchestrator/UAuthAccessOrchestrator.cs

@@ -1,5 +1,7 @@
 using CodeBeam.UltimateAuth.Authorization;
+using CodeBeam.UltimateAuth.Authorization.Contracts;
 using CodeBeam.UltimateAuth.Core.Abstractions;
+using CodeBeam.UltimateAuth.Core.Constants;
 using CodeBeam.UltimateAuth.Core.Contracts;
 using CodeBeam.UltimateAuth.Core.Errors;
 using CodeBeam.UltimateAuth.Policies.Abstractions;
@@ -61,6 +63,7 @@ private async Task<AccessContext> EnrichAsync(AccessContext context, Cancellatio
             return context;
 
         var perms = await _permissions.GetPermissionsAsync(context.ResourceTenant, context.ActorUserKey.Value, ct);
-        return context.WithAttribute("permissions", perms);
+        var compiled = new CompiledPermissionSet(perms);
+        return context.WithAttribute(UAuthConstants.Access.Permissions, compiled);
     }
 }

src/authorization/CodeBeam.UltimateAuth.Authorization.Contracts/Infrastructure/CompiledPermissionSet.cs

@@ -0,0 +1,47 @@
+namespace CodeBeam.UltimateAuth.Authorization.Contracts;
+
+public sealed class CompiledPermissionSet
+{
+    private readonly HashSet<string> _exact = new();
+    private readonly HashSet<string> _prefix = new();
+    private readonly bool _hasWildcard;
+
+    public CompiledPermissionSet(IEnumerable<Permission> permissions)
+    {
+        foreach (var p in permissions)
+        {
+            var value = p.Value;
+
+            if (value == "*")
+            {
+                _hasWildcard = true;
+                continue;
+            }
+
+            if (value.EndsWith(".*"))
+            {
+                _prefix.Add(value[..^2]);
+                continue;
+            }
+
+            _exact.Add(value);
+        }
+    }
+
+    public bool IsAllowed(string action)
+    {
+        if (_hasWildcard)
+            return true;
+
+        if (_exact.Contains(action))
+            return true;
+
+        foreach (var prefix in _prefix)
+        {
+            if (action.StartsWith(prefix + ".", StringComparison.OrdinalIgnoreCase))
+                return true;
+        }
+
+        return false;
+    }
+}

src/authorization/CodeBeam.UltimateAuth.Authorization.Reference/Services/AuthorizationService.cs

@@ -1,45 +1,36 @@
 using CodeBeam.UltimateAuth.Authorization.Contracts;
-using CodeBeam.UltimateAuth.Authorization.Domain;
-using CodeBeam.UltimateAuth.Core.Abstractions;
 using CodeBeam.UltimateAuth.Core.Contracts;
-using CodeBeam.UltimateAuth.Policies.Abstractions;
+using CodeBeam.UltimateAuth.Core.Errors;
+using CodeBeam.UltimateAuth.Server.Infrastructure;
 
 namespace CodeBeam.UltimateAuth.Authorization.Reference;
 
 internal sealed class AuthorizationService : IAuthorizationService
 {
-    private readonly IUserPermissionStore _permissions;
-    private readonly IAccessPolicyProvider _policyProvider;
-    private readonly IAccessAuthority _accessAuthority;
+    private readonly IAccessOrchestrator _accessOrchestrator;
 
-    public AuthorizationService(IUserPermissionStore permissions, IAccessPolicyProvider policyProvider, IAccessAuthority accessAuthority)
+    public AuthorizationService(IAccessOrchestrator accessOrchestrator)
     {
-        _permissions = permissions;
-        _policyProvider = policyProvider;
-        _accessAuthority = accessAuthority;
+        _accessOrchestrator = accessOrchestrator;
     }
 
     public async Task<AuthorizationResult> AuthorizeAsync(AccessContext context, CancellationToken ct = default)
     {
         ct.ThrowIfCancellationRequested();
 
-        IReadOnlyCollection<Permission> permissions = Array.Empty<Permission>();
+        var cmd = new AccessCommand<AuthorizationResult>(innerCt =>
+        {
+            return Task.FromResult(AuthorizationResult.Allow());
+        });
 
-        if (context.ActorUserKey is not null)
+        try
         {
-            permissions = await _permissions.GetPermissionsAsync(context.ResourceTenant, context.ActorUserKey.Value, ct);
+            await _accessOrchestrator.ExecuteAsync(context, cmd, ct);
+            return AuthorizationResult.Allow();
+        }
+        catch (UAuthAuthorizationException ex)
+        {
+            return AuthorizationResult.Deny(ex.Message);
         }
-
-        var enrichedContext = context.WithAttribute("permissions", permissions);
-
-        var policies = _policyProvider.GetPolicies(enrichedContext);
-        var decision = _accessAuthority.Decide(enrichedContext, policies);
-
-        if (decision.RequiresReauthentication)
-            return AuthorizationResult.ReauthRequired();
-
-        return decision.IsAllowed
-            ? AuthorizationResult.Allow()
-            : AuthorizationResult.Deny(decision.DenyReason);
     }
 }

src/authorization/CodeBeam.UltimateAuth.Authorization/AuthorizationClaimsProvider.cs

@@ -1,4 +1,5 @@
 using CodeBeam.UltimateAuth.Core;
+using CodeBeam.UltimateAuth.Core.Constants;
 using CodeBeam.UltimateAuth.Core.Domain;
 using CodeBeam.UltimateAuth.Core.MultiTenancy;
 using System.Security.Claims;
@@ -26,13 +27,13 @@ public async Task<ClaimsSnapshot> GetClaimsAsync(TenantKey tenant, UserKey userK
 
         var builder = ClaimsSnapshot.Create();
 
-        builder.Add("uauth:tenant", tenant.Value);
+        builder.Add(UAuthConstants.Claims.Tenant, tenant.Value);
 
         foreach (var role in roles)
             builder.Add(ClaimTypes.Role, role.Name);
 
         foreach (var perm in perms)
-            builder.Add("uauth:permission", perm.Value);
+            builder.Add(UAuthConstants.Claims.Permission, perm.Value);
 
         return builder.Build();
     }

src/policies/CodeBeam.UltimateAuth.Policies/Defaults/DefaultPolicySet.cs

@@ -16,8 +16,6 @@ public static void Register(AccessPolicyRegistry registry)
 
         // Intent-based
         registry.Add("", _ => new RequireSelfPolicy());
-        registry.Add("", _ => new RequireAdminPolicy());
-        registry.Add("", _ => new RequireSelfOrAdminPolicy());
         registry.Add("", _ => new RequireSystemPolicy());
 
         // Permission