Changeset 418

Timestamp:

Feb 27, 2023, 9:40:12 PM (21 months ago)

Author:

alloc

Message:

Refactored API authorization to support per-HTTP-method permission levels

Location:

binary-improvements2/WebServer/src

Files:

• Permissions/AdminWebModules.cs (modified) (6 diffs)
• UrlHandlers/ApiHandler.cs (modified) (5 diffs)
• WebAPI/AbsRestApi.cs (modified) (8 diffs)
• WebAPI/AbsWebAPI.cs (modified) (2 diffs)

binary-improvements2/WebServer/src/Permissions/AdminWebModules.cs

@@ -41 +41 @@
 
                 public void AddModule (string _module, int _permissionLevel) {
-                        WebModule p = new WebModule (_module, _permissionLevel);
+                        WebModule p = new WebModule (_module, _permissionLevel, false);
                         lock (this) {
                                 allModulesList.Clear ();
@@ -84 +84 @@
                         public readonly string Name;
                         public readonly int PermissionLevel;
+                        public readonly bool IsDefault;
 
-                        public WebModule (string _name, int _permissionLevel) {
+                        public WebModule (string _name, int _permissionLevel, bool _isDefault) {
                                 Name = _name;
                                 PermissionLevel = _permissionLevel;
+                                IsDefault = _isDefault;
                         }
                         
@@ -116 +118 @@
                                 }
                                 
-                                _result = new WebModule (name, permissionLevel);
+                                _result = new WebModule (name, permissionLevel, false);
                                 return true;
                         }
@@ -139 +141 @@
                         }
 
-                        WebModule p = new WebModule (_module, _defaultPermission);
+                        WebModule p = new WebModule (_module, _defaultPermission, true);
 
                         lock (this) {
@@ -158 +160 @@
 
                 public bool ModuleAllowedWithLevel (string _module, int _level) {
-                        WebModule permInfo = GetModule (_module);
+                        WebModule permInfo = GetModule (_module)!.Value;
                         return permInfo.PermissionLevel >= _level;
                 }
 
-                public WebModule GetModule (string _module) {
+                public WebModule? GetModule (string _module, bool _returnDefaults = true) {
                         if (modules.TryGetValue (_module, out WebModule result)) {
                                 return result;
+                        }
+
+                        if (!_returnDefaults) {
+                                return null;
                         }
 
@@ -170 +176 @@
                 }
 
-                private readonly WebModule defaultModulePermission = new WebModule ("", 0);
+                private readonly WebModule defaultModulePermission = new WebModule ("", 0, true);
                 
 #endregion

binary-improvements2/WebServer/src/UrlHandlers/ApiHandler.cs

@@ -3 +3 @@
 using System.Net;
 using System.Reflection;
-using Webserver.Permissions;
 using Webserver.WebAPI;
 
@@ -47 +46 @@
                 private void addApi (AbsWebAPI _api) {
                         apis.Add (_api.Name, _api);
-                        AdminWebModules.Instance.AddKnownModule ($"webapi.{_api.Name}", _api.DefaultPermissionLevel ());
                 }
 
@@ -71 +69 @@
                         }
 
-                        if (!IsAuthorizedForApi (apiName, _context.PermissionLevel)) {
+                        _context.RequestPath = subPath;
+
+                        if (!api.Authorized (_context)) {
                                 _context.Response.StatusCode = (int) HttpStatusCode.Forbidden;
                                 if (_context.Connection != null) {
@@ -79 +79 @@
                                 return;
                         }
-
-                        _context.RequestPath = subPath;
 
                         try {
@@ -92 +90 @@
                         }
                 }
-
-                private bool IsAuthorizedForApi (string _apiName, int _permissionLevel) {
-                        return AdminWebModules.Instance.ModuleAllowedWithLevel ($"webapi.{_apiName}", _permissionLevel);
-                }
         }
 }

binary-improvements2/WebServer/src/WebAPI/AbsRestApi.cs

@@ -4 +4 @@
 using System.Net;
 using Utf8Json;
+using Webserver.Permissions;
 
 namespace Webserver.WebAPI {
@@ -9 +10 @@
                 private static readonly UnityEngine.Profiling.CustomSampler jsonDeserializeSampler = UnityEngine.Profiling.CustomSampler.Create ("JSON_Deserialize");
 
+                protected readonly string[] CachedPerMethodModuleNames = new string[(int)ERequestMethod.Count];
+
                 protected AbsRestApi (string _name = null) : this(null, _name) {
                 }
 
                 protected AbsRestApi (Web _parentWeb, string _name = null) : base(_parentWeb, _name) {
+                }
+
+                protected override void RegisterPermissions () {
+                        base.RegisterPermissions ();
+                        
+                        for (int i = 0; i < (int)ERequestMethod.Count; i++) {
+                                ERequestMethod method = (ERequestMethod)i;
+
+                                if (method is not (ERequestMethod.GET or ERequestMethod.PUT or ERequestMethod.POST or ERequestMethod.DELETE)) {
+                                        continue;
+                                }
+
+                                CachedPerMethodModuleNames [i] = $"webapi.{Name}:{method.ToStringCached ()}";
+                                AdminWebModules.Instance.AddKnownModule (CachedPerMethodModuleNames [i], DefaultMethodPermissionLevel (method));
+                        }
                 }
 
@@ -44 +62 @@
 
                         try {
-                                switch (_context.Request.HttpMethod) {
-                                        case "GET":
+                                switch (_context.Method) {
+                                        case ERequestMethod.GET:
                                                 if (inputJson != null) {
                                                         SendErrorResult (_context, HttpStatusCode.BadRequest, jsonInputData, "GET_WITH_BODY");
@@ -53 +71 @@
                                                 HandleRestGet (_context);
                                                 return;
-                                        case "POST":
+                                        case ERequestMethod.POST:
                                                 if (!string.IsNullOrEmpty (_context.RequestPath)) {
                                                         SendErrorResult (_context, HttpStatusCode.BadRequest, jsonInputData, "POST_WITH_ID");
@@ -66 +84 @@
                                                 HandleRestPost (_context, inputJson, jsonInputData);
                                                 return;
-                                        case "PUT":
+                                        case ERequestMethod.PUT:
                                                 if (string.IsNullOrEmpty (_context.RequestPath)) {
                                                         SendErrorResult (_context, HttpStatusCode.BadRequest, jsonInputData, "PUT_WITHOUT_ID");
@@ -79 +97 @@
                                                 HandleRestPut (_context, inputJson, jsonInputData);
                                                 return;
-                                        case "DELETE":
+                                        case ERequestMethod.DELETE:
                                                 if (string.IsNullOrEmpty (_context.RequestPath)) {
                                                         SendErrorResult (_context, HttpStatusCode.BadRequest, jsonInputData, "DELETE_WITHOUT_ID");
@@ -101 +119 @@
                 }
 
+                protected virtual void HandleRestGet (RequestContext _context) {
+                        SendErrorResult (_context, HttpStatusCode.MethodNotAllowed, null, "Unsupported");
+                }
+
+                protected virtual void HandleRestPost (RequestContext _context, IDictionary<string, object> _jsonInput, byte[] _jsonInputData) {
+                        SendErrorResult (_context, HttpStatusCode.MethodNotAllowed, _jsonInputData, "Unsupported");
+                }
+
+                protected virtual void HandleRestPut (RequestContext _context, IDictionary<string, object> _jsonInput, byte[] _jsonInputData) {
+                        SendErrorResult (_context, HttpStatusCode.MethodNotAllowed, _jsonInputData, "Unsupported");
+                }
+
+                protected virtual void HandleRestDelete (RequestContext _context) {
+                        SendErrorResult (_context, HttpStatusCode.MethodNotAllowed, null, "Unsupported");
+                }
+
+                public override bool Authorized (RequestContext _context) {
+                        return ActiveMethodPermissionLevel (_context.Method) >= _context.PermissionLevel;
+                }
+
+                /// <summary>
+                /// Define default permission levels per HTTP method
+                /// </summary>
+                /// <param name="_method">HTTP method to return the default value for</param>
+                /// <returns>Default permission level for the given HTTP method. A value of int.MinValue means no per-method default, use per-API default</returns>
+                public virtual int DefaultMethodPermissionLevel (ERequestMethod _method) => int.MinValue;
+
+                public virtual int ActiveMethodPermissionLevel (ERequestMethod _method) {
+                        string methodApiModuleName = CachedPerMethodModuleNames [(int)_method];
+
+                        if (methodApiModuleName == null) {
+                                return 0;
+                        }
+
+                        AdminWebModules.WebModule? overrideModule = AdminWebModules.Instance.GetModule (methodApiModuleName, false);
+                        if (overrideModule.HasValue) {
+                                return overrideModule.Value.PermissionLevel;
+                        }
+
+                        overrideModule = AdminWebModules.Instance.GetModule (CachedApiModuleName, false);
+                        if (overrideModule.HasValue) {
+                                return overrideModule.Value.PermissionLevel;
+                        }
+
+                        int defaultMethodPermissionLevel = DefaultMethodPermissionLevel (_method);
+                        // ReSharper disable once ConvertIfStatementToReturnStatement
+                        if (defaultMethodPermissionLevel != int.MinValue) {
+                                return defaultMethodPermissionLevel;
+                        }
+
+                        return DefaultPermissionLevel ();
+                }
+
+#region Helpers
+
+                protected static readonly byte[] JsonEmptyData;
+                
                 static AbsRestApi () {
                         JsonWriter writer = new JsonWriter ();
@@ -108 +183 @@
                 }
 
-                protected virtual void HandleRestGet (RequestContext _context) {
-                        SendErrorResult (_context, HttpStatusCode.MethodNotAllowed, null, "Unsupported");
-                }
-
-                protected virtual void HandleRestPost (RequestContext _context, IDictionary<string, object> _jsonInput, byte[] _jsonInputData) {
-                        SendErrorResult (_context, HttpStatusCode.MethodNotAllowed, _jsonInputData, "Unsupported");
-                }
-
-                protected virtual void HandleRestPut (RequestContext _context, IDictionary<string, object> _jsonInput, byte[] _jsonInputData) {
-                        SendErrorResult (_context, HttpStatusCode.MethodNotAllowed, _jsonInputData, "Unsupported");
-                }
-
-                protected virtual void HandleRestDelete (RequestContext _context) {
-                        SendErrorResult (_context, HttpStatusCode.MethodNotAllowed, null, "Unsupported");
-                }
-
-
-#region Helpers
-
-                protected static readonly byte[] JsonEmptyData;
-                
                 protected static void PrepareEnvelopedResult (out JsonWriter _writer) {
                         WebUtils.PrepareEnvelopedResult (out _writer);

binary-improvements2/WebServer/src/WebAPI/AbsWebAPI.cs

@@ +1 @@
+using Webserver.Permissions;
+
 namespace Webserver.WebAPI {
         public abstract class AbsWebAPI {
                 public readonly string Name;
                 protected readonly Web ParentWeb;
+
+                protected readonly string CachedApiModuleName;
 
                 protected AbsWebAPI (string _name = null) : this(null, _name) {
@@ -10 +14 @@
                         Name = _name ?? GetType ().Name;
                         ParentWeb = _parentWeb;
+                        CachedApiModuleName = $"webapi.{Name}";
+                        RegisterPermissions ();
+                }
+
+                protected virtual void RegisterPermissions () {
+                        AdminWebModules.Instance.AddKnownModule ($"webapi.{Name}", DefaultPermissionLevel ());
                 }
 
                 public abstract void HandleRequest (RequestContext _context);
 
+                public virtual bool Authorized (RequestContext _context) {
+                        return AdminWebModules.Instance.ModuleAllowedWithLevel (CachedApiModuleName, _context.PermissionLevel);
+                }
+
                 public virtual int DefaultPermissionLevel () => 0;
         }