PermissionsService 2.0 (just implementation)

[scottbommarito]

This is the implementation of the new version of the Permissions Service, without changes to the existing code.

You may have seen this code before in #5097

[scottbommarito]

This file is mostly identical to the existent PermissionsService except:
1 - IsActionAllowed is now IsRequirementSatisfied
2 - Added a method for ReservedNamespaces
3 - Made some performance checks as suggested by @cristinamanum (specifically, we now check if having a specific kind of ownership would satisfy the requirement before checking if we have that ownership)

[joelverhagen]

PermissionsRequirement.SiteAdmin [](start = 47, length = 32)

This one is wrong. Admins shouldn't be able to upload new versions.

[scottbommarito]

fixed

[joelverhagen]

IEnumerable [](start = 43, length = 30)

Might be worth leaving a comment about why this is multiple namespaces, i.e. multiple namespaces could apply to a single ID.

[scottbommarito]

done

[joelverhagen]

Union [](start = 21, length = 5)

Are set semantics necessary here? Are we sure comparison of user instances is working? Concat may be simpler.

[scottbommarito]

I wanted to get rid of duplicates. I will replace this with Concat and Distinct

[joelverhagen]

Do you really care about duplicates here? Like most of the time it will be unique right? Distinct uses default comparer which is likely reference equals (or did we implement GetHashCode and Equals?)

[scottbommarito]

yes, the values calculated here will be piped directly to the UI for upload and API key scenarios.

[joelverhagen]

Concat [](start = 74, length = 6)

Use List, don't need LINQ for everything

[scottbommarito]

makes sense

[joelverhagen]

[](start = 85, length = 1)

!= unless this is an unsigned flags or if you have tests asserting never negative flag values

[scottbommarito]

== and != work with Flags?

I'm using the int logic here because the second parameter is a combination of multiple enum values, so I want to compare that they just have at least one value in common.

[joelverhagen]

[Flags] is just an attribute. The important details is that the enum is an int (unless you changed that...)

[scottbommarito]

No what I mean is we'll be comparing 0b0010 and 0b1010 and expect it to return true. I didn't think enum or Flags made this comparison return true.

[scottbommarito]

Oh I see now

[joelverhagen]

This breaks admin permissions (on things they would otherwise do)

[scottbommarito]

fixed--it was not only a logic issue but a tests issues

[joelverhagen]

ToArray [](start = 17, length = 7)

ToList requires fewer allocations and is a better default for these one-off lists

[scottbommarito]

done

[joelverhagen]

false [](start = 19, length = 5)

This is such a generic code path, I have a hard time thinking of cases that would fall through here. Might be worth commenting about that.

[scottbommarito]

i did some restructuring that should make this clearer to understand

[joelverhagen]

⌚️

Very nice PR. Thanks for the break-down.

[skofman1]

perf nit: always put the cheaper condition first so the 'and' operation will fail if it's false

[scottbommarito]

nice catch

[cristinamanum]

Is it ok to add the currentUser if the currentUser == null ?

[scottbommarito]

yup, it's necessary--if the current user is logged out but still able to perform the action, we still want to return true

[cristinamanum]

Why is it fine to have Any? Should not be permissions allowed for All the namespaces?

[scottbommarito]

You only need one--see https://github.com/NuGet/NuGetGallery/blob/master/src/NuGetGallery/Services/ReservedNamespaceService.cs#L381

[agr]

There is a multiple enumeration of an IEnumerable (between here and lines 124 and 129). Since it is unlikely could be fixed, please use something else (ICollection at least).

[scottbommarito]

switched all methods in this class to use ICollection

[agr]

If it's not returning bool it shouldn't be called IsAllowed, same for overload below

[scottbommarito]

renamed to CheckPermissions

[agr]

Same comment as above: method name should be different.

[scottbommarito]

renamed to CheckPermissions

[agr]

Multiple enumeration of IEnumerable

[scottbommarito]

changed to IReadOnlyCollection

[agr]

Replace values with 1 << 0, 1 << 1, 1 << 2, etc. maybe to emphasize bit masking?

[scottbommarito]

done

[agr]

Should be != instead of >, strictly speaking, but wouldn't be an issue unless we have more stuff in the ReturnsSatisfiedRequirementWhenExpected_State

[scottbommarito]

got it

[chenriksson]

There are 2 WouldSatisfy checks when prinipal is non-null. Recommend changing to:

if (currentPrincipal == null) {
    return WouldSatisfy(PermissionsRequirement.None, permissionsRequirement);
}

[scottbommarito]

done

[chenriksson]

see comment above about the WouldSatisfy check...

[scottbommarito]

done

[chenriksson]

Shouldn't need to check IsAllowed on currentUser, right?

Also, can you just do the IsAllowed check on org owners when populating the original list? i.e., GetOwners(entity).Where(o => IsAllowed(currentUser, o, entity))

[scottbommarito]

currentUser is required in all scenarios now--"can currentUser perform this action on entity on behalf of accountOnBehalfOf" is how this function call should be read

I tried to make it all LINQ, but since I have to split the initial population of the list into two pieces (see the currentUser != null check) I think this is cleaner.

[chenriksson]

Seems unusual that the base class generic parameter is the package registration, but the interface parameter is the package version. Should/could both use package as the generic parameter?

[scottbommarito]

base class extends the interface for PackageRegistration and provides the actual implementation

by extending the interface for Package here we allow users to pass in Package instead of PackageRegistration for convenience

[chenriksson]

nit: might be nice if these used named args, assuming shorter arg names:

new ActionRequiringPackagePermissions(
    onBehalfOfRequirement: PermissionsRequirement.Owner
         | PermissionsRequirement.OrganizationAdmin
         | PermissionsRequirement.OrganizationCollaborator,
    actionRequirement: PermissionsRequirement.Owner
        | PermissionsRequirement.SiteAdmin);

[chenriksson]

Or, maybe improve readability by introducing private fields for OnBehalfOf combinations:

static PermissionsRequirement OnBehalfOfOwnerOrOrganizationMember;
static PermissionsRequirement OnBehalfOfOwnerOrOrganizationAdmin;

new ActionRequiringPackagePermissions(
    OnBehalfOfOwnerOrOrganizationMember,
    PermissionsRequirement.Owner | PermissionsRequirement.SiteAdmin);

[scottbommarito]

I like both of these--will do both

[chenriksson]

Is this used outside tests?

[scottbommarito]

it initially was, but is no longer. will remove

[chenriksson]

Do we need this class, or is a bool (success/failure) sufficient?

Seems intended to provide 4 possible results:

1. allowed
2. exception
3. on-behalf-of operation not allowed
4. entity operation not allowed

I'm not sure we need to distinguish 3 & 4, and 2 seems like it should be normal exception handling.

[scottbommarito]

I think this enum is necessary to provide the necessary messaging to the user.

"You don't have permission to upload new versions on behalf of 'y'." or "User 'y' does not have permissions to upload new versions of 'x'." are much more descriptive than "You don't have permissions to do something but we don't know what."

[chenriksson]

How will this be used? If a requirement can't be satisfied, then we don't support it?

[scottbommarito]

exists for syntactical cleanliness

[skofman1]

null check

[scottbommarito]

good catch

[scottbommarito]

@joelverhagen @chenriksson @skofman1 @agr

All feedback was addressed.

[joelverhagen]

one class per file. makes github search by file much easier

[chenriksson]

Why do you need AsReadOnly? Seems like an unnecessary allocation for a collection only used internally.

[scottbommarito]

I was thinking it might be cleaner if we guaranteed this was read-only but I suppose it doesn't really matter.

[chenriksson]

nit: wrap lines?

[chenriksson]

why do you need the local variable?

[scottbommarito]

the out parameter is an IEnumerable<User> and not a List<User>, so I need to either store this local variable or cast the out parameter.

I'll switch to casting the out parameter instead of having another local variable, it looks cleaner.

[chenriksson]

nit: failure sounds odd; maybe permissionsResult?

[scottbommarito]

the enum used to be named PermissionsFailure and was renamed PermissionsCheckResult but this variable was never updated. It is now updated to result.

[chenriksson]

Why do we need Distinct here?

The membership table has PK of (OrganizationKey, MemberKey), so I don't think a User can have multiple memberships in the same Organization.

[scottbommarito]

This is a distinct on not only the user's organizations, but also the owners of the entity we are checking permissions of (e.g. the owners of the package). Therefore, there can be duplicates.

[chenriksson]

Should this be TryGetAccountsAllowedOnBehalfOf?

[chenriksson]

@scottbommarito My only remaining feedback is with the distinct call... please look at that, then I'm good.