Add ElasticsearchIndexingAuthorizationHandler (Lombiq Technologies: OSOE-925) (OrchardCMS#18855)

---------

Co-authored-by: Mike Alhayek <mike@crestapps.com>

Author: sarahelsaig

src/OrchardCore.Modules/OrchardCore.Search.Elasticsearch/Migrations/PermissionMigrations.cs

@@ -0,0 +1,66 @@
+using Microsoft.AspNetCore.Identity;
+using Microsoft.Extensions.DependencyInjection;
+using OrchardCore.Data.Migration;
+using OrchardCore.Environment.Shell;
+using OrchardCore.Environment.Shell.Scope;
+using OrchardCore.Indexing;
+using OrchardCore.Indexing.Core;
+using OrchardCore.Security;
+using OrchardCore.Security.Services;
+using static OrchardCore.Search.Elasticsearch.ElasticsearchIndexPermissionHelper;
+
+namespace OrchardCore.Search.Elasticsearch.Migrations;
+
+internal sealed class PermissionMigrations : DataMigration
+{
+    private readonly ShellSettings _shellSettings;
+
+    public PermissionMigrations(ShellSettings shellSettings) =>
+        _shellSettings = shellSettings;
+
+    public int Create()
+    {
+        if (!_shellSettings.IsInitializing())
+        {
+            ShellScope.AddDeferredTask(ReplaceObsoletePermissionsAsync);
+        }
+
+        return 1;
+    }
+
+    /// <summary>
+    /// Selects the roles that need to be updated, and replaces their <c>QueryElasticsearch{0}Index</c> permissions with
+    /// the equivalent <c>QueryIndex_{0}</c> permissions. 
+    /// </summary>
+    private static async Task ReplaceObsoletePermissionsAsync(ShellScope shellScope)
+    {
+        var indexProfileManager = shellScope.ServiceProvider.GetRequiredService<IIndexProfileManager>();
+        var roleService = shellScope.ServiceProvider.GetRequiredService<IRoleService>();
+        var roleStore = shellScope.ServiceProvider.GetRequiredService<IRoleStore<IRole>>();
+        
+        var allRoles = await roleService.GetRolesAsync();
+        var rolesToUpdate = allRoles
+            .Where(role => role is Role)
+            .Cast<Role>()
+            .Where(role => role.RoleClaims.Any(IsElasticsearchIndexPermissionClaim))
+            .ToList();
+
+        foreach (var role in rolesToUpdate)
+        {
+            foreach (var claim in role.RoleClaims.Where(IsElasticsearchIndexPermissionClaim))
+            {
+                var name = GetIndexNameFromPermissionName(claim.ClaimValue);
+                var indexProfile = await indexProfileManager.FindByNameAndProviderAsync(
+                    name,
+                    ElasticsearchConstants.ProviderName);
+
+                if (indexProfile != null)
+                {
+                    claim.ClaimValue = IndexingPermissions.CreateDynamicPermission(indexProfile).Name;
+                }
+            }
+            
+            await roleStore.UpdateAsync(role, CancellationToken.None);
+        }
+    }
+}

src/OrchardCore.Modules/OrchardCore.Search.Elasticsearch/PermissionProvider.cs

@@ -1,34 +1,17 @@
-using OrchardCore.Indexing;
 using OrchardCore.Security.Permissions;
 
 namespace OrchardCore.Search.Elasticsearch;
 
 public sealed class PermissionProvider : IPermissionProvider
 {
-    private readonly IIndexProfileStore _indexStore;
-
-    public PermissionProvider(IIndexProfileStore indexStore)
-    {
-        _indexStore = indexStore;
-    }
-
-    public async Task<IEnumerable<Permission>> GetPermissionsAsync()
-    {
-        var permissions = new List<Permission>()
-        {
-            ElasticsearchPermissions.ManageElasticIndexes,
-            ElasticsearchPermissions.QueryElasticApi,
-        };
-
-        var elasticIndexSettings = await _indexStore.GetByProviderAsync(ElasticsearchConstants.ProviderName);
-
-        foreach (var index in elasticIndexSettings)
-        {
-            permissions.Add(ElasticsearchIndexPermissionHelper.GetElasticIndexPermission(index.IndexName));
-        }
+    private readonly IEnumerable<Permission> _allPermissions =
+    [
+        ElasticsearchPermissions.ManageElasticIndexes,
+        ElasticsearchPermissions.QueryElasticApi,
+    ];
 
-        return permissions;
-    }
+    public Task<IEnumerable<Permission>> GetPermissionsAsync() =>
+        Task.FromResult(_allPermissions);
 
     public IEnumerable<PermissionStereotype> GetDefaultStereotypes() =>
     [

src/OrchardCore.Modules/OrchardCore.Search.Elasticsearch/Startup.cs

@@ -69,6 +69,7 @@ public override void ConfigureServices(IServiceCollection services)
         services.AddDisplayDriver<IndexProfile, ElasticsearchIndexProfileDisplayDriver>();
 
         services.AddIndexProfileHandler<ElasticsearchIndexProfileHandler>();
+        services.AddDataMigration<PermissionMigrations>();
     }
 }
 

src/OrchardCore/OrchardCore.Indexing.Core/IndexingPermissions.cs

@@ -21,6 +21,7 @@ public static Permission CreateDynamicPermission(IndexProfile indexProfile)
 
         return _permissions.GetOrAdd(indexProfile.Id, indexId => new Permission(
             string.Format(_indexPermissionTemplate.Name, indexProfile.Name),
-            string.Format(_indexPermissionTemplate.Description, indexProfile.Name), _indexPermissionTemplate.ImpliedBy));
+            string.Format(_indexPermissionTemplate.Description, indexProfile.Name),
+            _indexPermissionTemplate.ImpliedBy));
     }
 }

src/OrchardCore/OrchardCore.Search.Elasticsearch.Core/ElasticsearchIndexPermissionHelper.cs

@@ -1,14 +1,22 @@
+using OrchardCore.Indexing.Core;
+using OrchardCore.Modules;
+using OrchardCore.Security;
 using System.Collections.Concurrent;
 using OrchardCore.Security.Permissions;
 
 namespace OrchardCore.Search.Elasticsearch;
 
 public static class ElasticsearchIndexPermissionHelper
 {
-    private static readonly Permission _indexPermissionTemplate = new("QueryElasticsearch{0}Index", "Query Elasticsearch {0} Index", [Permissions.ManageElasticIndexes]);
+    private const string PermissionNamePrefix = "QueryElasticsearch";
+    private const string PermissionNameSuffix = "Index";
+    
+    private static readonly Permission _indexPermissionTemplate = 
+        new(PermissionNamePrefix + "{0}" + PermissionNameSuffix, "Query Elasticsearch {0} Index", [Permissions.ManageElasticIndexes]);
 
     private static readonly ConcurrentDictionary<string, Permission> _permissions = [];
 
+    [Obsolete($"Use {nameof(IndexingPermissions)}.{nameof(IndexingPermissions.CreateDynamicPermission)} instead.")]
     public static Permission GetElasticIndexPermission(string indexName)
     {
         ArgumentException.ThrowIfNullOrEmpty(indexName);
@@ -18,4 +26,12 @@ public static Permission GetElasticIndexPermission(string indexName)
                 string.Format(_indexPermissionTemplate.Description, indexName),
                 _indexPermissionTemplate.ImpliedBy));
     }
+    
+    internal static bool IsElasticsearchIndexPermissionClaim(RoleClaim claim) =>
+        claim.ClaimType == nameof(Permission) &&
+        claim.ClaimValue.StartsWithOrdinalIgnoreCase(PermissionNamePrefix) &&
+        claim.ClaimValue.EndsWithOrdinalIgnoreCase(PermissionNameSuffix);
+
+    internal static string GetIndexNameFromPermissionName(string permissionName) =>
+        permissionName[PermissionNamePrefix.Length .. ^PermissionNameSuffix.Length];
 }

src/OrchardCore/OrchardCore.Search.Elasticsearch.Core/OrchardCore.Search.Elasticsearch.Core.csproj

@@ -30,6 +30,7 @@
     <ProjectReference Include="..\OrchardCore.Indexing.Core\OrchardCore.Indexing.Core.csproj" />
     <ProjectReference Include="..\OrchardCore.Liquid.Abstractions\OrchardCore.Liquid.Abstractions.csproj" />
     <ProjectReference Include="..\OrchardCore.Queries.Abstractions\OrchardCore.Queries.Abstractions.csproj" />
+    <ProjectReference Include="..\OrchardCore.Roles.Abstractions\OrchardCore.Roles.Abstractions.csproj" />
     <ProjectReference Include="..\OrchardCore.Search.Abstractions\OrchardCore.Search.Abstractions.csproj" />
   </ItemGroup>