Resource based authorization

framework/src/Volo.Abp.Authorization.Abstractions/Volo/Abp/Authorization/Permissions/AbpPermissionOptions.cs

@@ -1,4 +1,5 @@
 using System.Collections.Generic;
+using Volo.Abp.Authorization.Permissions.Resources;
 using Volo.Abp.Collections;
 
 namespace Volo.Abp.Authorization.Permissions;
@@ -9,6 +10,8 @@ public class AbpPermissionOptions
 
     public ITypeList<IPermissionValueProvider> ValueProviders { get; }
 
+    public ITypeList<IResourcePermissionValueProvider> ResourceValueProviders { get; }
+
     public HashSet<string> DeletedPermissions { get; }
 
     public HashSet<string> DeletedPermissionGroups { get; }
@@ -17,6 +20,7 @@ public AbpPermissionOptions()
     {
         DefinitionProviders = new TypeList<IPermissionDefinitionProvider>();
         ValueProviders = new TypeList<IPermissionValueProvider>();
+        ResourceValueProviders = new TypeList<IResourcePermissionValueProvider>();
 
         DeletedPermissions = new HashSet<string>();
         DeletedPermissionGroups = new HashSet<string>();

framework/src/Volo.Abp.Authorization.Abstractions/Volo/Abp/Authorization/Permissions/ICanAddChildPermission.cs

@@ -11,4 +11,4 @@ PermissionDefinition AddPermission(
         ILocalizableString? displayName = null,
         MultiTenancySides multiTenancySide = MultiTenancySides.Both,
         bool isEnabled = true);
-}
+}

framework/src/Volo.Abp.Authorization.Abstractions/Volo/Abp/Authorization/Permissions/IPermissionDefinitionContext.cs

@@ -1,5 +1,7 @@
 using System;
+using JetBrains.Annotations;
 using Volo.Abp.Localization;
+using Volo.Abp.MultiTenancy;
 
 namespace Volo.Abp.Authorization.Permissions;
 
@@ -46,4 +48,16 @@ PermissionGroupDefinition AddGroup(
     /// <param name="name">Name of the permission</param>
     /// </summary>
     PermissionDefinition? GetPermissionOrNull(string name);
+
+    PermissionDefinition AddResourcePermission(
+        string name,
+        string resourceName,
+        string managementPermissionName,
+        ILocalizableString? displayName = null,
+        MultiTenancySides multiTenancySide = MultiTenancySides.Both,
+        bool isEnabled = true);
+
+    PermissionDefinition? GetResourcePermissionOrNull([NotNull] string resourceName, [NotNull] string name);
+
+    void RemoveResourcePermission([NotNull] string resourceName, [NotNull] string name);
 }

framework/src/Volo.Abp.Authorization.Abstractions/Volo/Abp/Authorization/Permissions/IPermissionDefinitionManager.cs

@@ -11,7 +11,14 @@ public interface IPermissionDefinitionManager
 
     Task<PermissionDefinition?> GetOrNullAsync([NotNull] string name);
 
+    [ItemNotNull]
+    Task<PermissionDefinition> GetResourcePermissionAsync([NotNull]string resourceName, [NotNull] string name);
+
+    Task<PermissionDefinition?> GetResourcePermissionOrNullAsync([NotNull]string resourceName, [NotNull] string name);
+
     Task<IReadOnlyList<PermissionDefinition>> GetPermissionsAsync();
 
+    Task<IReadOnlyList<PermissionDefinition>> GetResourcePermissionsAsync();
+
     Task<IReadOnlyList<PermissionGroupDefinition>> GetGroupsAsync();
 }

framework/src/Volo.Abp.Authorization.Abstractions/Volo/Abp/Authorization/Permissions/IPermissionValueProvider.cs

@@ -6,7 +6,6 @@ public interface IPermissionValueProvider
 {
     string Name { get; }
 
-    //TODO: Rename to GetResult? (CheckAsync throws exception by naming convention)
     Task<PermissionGrantResult> CheckAsync(PermissionValueCheckContext context);
 
     Task<MultiplePermissionGrantResult> CheckAsync(PermissionValuesCheckContext context);

framework/src/Volo.Abp.Authorization.Abstractions/Volo/Abp/Authorization/Permissions/PermissionDefinition.cs

@@ -7,7 +7,7 @@
 
 namespace Volo.Abp.Authorization.Permissions;
 
-public class PermissionDefinition : 
+public class PermissionDefinition :
     IHasSimpleStateCheckers<PermissionDefinition>,
     ICanAddChildPermission
 {
@@ -16,6 +16,16 @@ public class PermissionDefinition :
     /// </summary>
     public string Name { get; }
 
+    /// <summary>
+    /// Resource name of the permission.
+    /// </summary>
+    public string? ResourceName { get; set; }
+
+    /// <summary>
+    ///  Management permission of the resource permission.
+    /// </summary>
+    public string? ManagementPermissionName { get; set; }
+
     /// <summary>
     /// Parent of this permission if one exists.
     /// If set, this permission can be granted only if parent is granted.
@@ -76,6 +86,19 @@ public object? this[string name] {
         set => Properties[name] = value;
     }
 
+    protected internal PermissionDefinition(
+        [NotNull] string name,
+        string resourceName,
+        string managementPermissionName,
+        ILocalizableString? displayName = null,
+        MultiTenancySides multiTenancySide = MultiTenancySides.Both,
+        bool isEnabled = true)
+        : this(name, displayName, multiTenancySide, isEnabled)
+    {
+        ResourceName = Check.NotNull(resourceName, nameof(resourceName));
+        ManagementPermissionName = Check.NotNull(managementPermissionName, nameof(managementPermissionName));
+    }
+
     protected internal PermissionDefinition(
         [NotNull] string name,
         ILocalizableString? displayName = null,
@@ -99,6 +122,11 @@ public virtual PermissionDefinition AddChild(
         MultiTenancySides multiTenancySide = MultiTenancySides.Both,
         bool isEnabled = true)
     {
+        if (ResourceName != null)
+        {
+            throw new AbpException($"Resource permission cannot have child permissions. Resource: {ResourceName}");
+        }
+
         var child = new PermissionDefinition(
             name,
             displayName,
@@ -109,12 +137,12 @@ public virtual PermissionDefinition AddChild(
         };
 
         child[PermissionDefinitionContext.KnownPropertyNames.CurrentProviderName] = this[PermissionDefinitionContext.KnownPropertyNames.CurrentProviderName];
-       
+
         _children.Add(child);
 
         return child;
     }
-    
+
     PermissionDefinition ICanAddChildPermission.AddPermission(
         string name,
         ILocalizableString? displayName = null,
@@ -124,7 +152,6 @@ PermissionDefinition ICanAddChildPermission.AddPermission(
         return this.AddChild(name, displayName, multiTenancySide, isEnabled);
     }
 
-
     /// <summary>
     /// Sets a property in the <see cref="Properties"/> dictionary.
     /// This is a shortcut for nested calls on this object.

framework/src/Volo.Abp.Authorization.Abstractions/Volo/Abp/Authorization/Permissions/PermissionDefinitionContext.cs

@@ -1,7 +1,9 @@
 using System;
 using System.Collections.Generic;
+using System.Linq;
 using JetBrains.Annotations;
 using Volo.Abp.Localization;
+using Volo.Abp.MultiTenancy;
 
 namespace Volo.Abp.Authorization.Permissions;
 
@@ -11,17 +13,20 @@ public class PermissionDefinitionContext : IPermissionDefinitionContext
 
     public Dictionary<string, PermissionGroupDefinition> Groups { get; }
 
+    public List<PermissionDefinition> ResourcePermissions { get; }
+
     internal IPermissionDefinitionProvider? CurrentProvider { get; set; }
 
     public static class KnownPropertyNames
     {
         public const string CurrentProviderName = "_CurrentProviderName";
     }
-    
+
     public PermissionDefinitionContext(IServiceProvider serviceProvider)
     {
         ServiceProvider = serviceProvider;
         Groups = new Dictionary<string, PermissionGroupDefinition>();
+        ResourcePermissions = new List<PermissionDefinition>();
     }
 
     public virtual PermissionGroupDefinition AddGroup(
@@ -43,45 +48,31 @@ public virtual PermissionGroupDefinition AddGroup(
         }
 
         Groups[name] = group;
-        
+
         return group;
     }
 
     [NotNull]
     public virtual PermissionGroupDefinition GetGroup([NotNull] string name)
     {
         var group = GetGroupOrNull(name);
-
-        if (group == null)
-        {
-            throw new AbpException($"Could not find a permission definition group with the given name: {name}");
-        }
-
-        return group;
+        return group ?? throw new AbpException($"Could not find a permission definition group with the given name: {name}");
     }
 
     public virtual PermissionGroupDefinition? GetGroupOrNull([NotNull] string name)
     {
         Check.NotNull(name, nameof(name));
-
-        if (!Groups.ContainsKey(name))
-        {
-            return null;
-        }
-
-        return Groups[name];
+        return Groups.GetOrDefault(name);
     }
 
     public virtual void RemoveGroup(string name)
     {
         Check.NotNull(name, nameof(name));
 
-        if (!Groups.ContainsKey(name))
+        if (!Groups.Remove(name))
         {
             throw new AbpException($"Not found permission group with name: {name}");
         }
-
-        Groups.Remove(name);
     }
 
     public virtual PermissionDefinition? GetPermissionOrNull([NotNull] string name)
@@ -100,4 +91,58 @@ public virtual void RemoveGroup(string name)
 
         return null;
     }
+
+    public virtual PermissionDefinition AddResourcePermission(
+        string name,
+        string resourceName,
+        string managementPermissionName,
+        ILocalizableString? displayName = null,
+        MultiTenancySides multiTenancySide = MultiTenancySides.Both,
+        bool isEnabled = true)
+    {
+        Check.NotNull(name, nameof(name));
+        Check.NotNull(resourceName, nameof(resourceName));
+        Check.NotNull(managementPermissionName, nameof(managementPermissionName));
+
+        if (ResourcePermissions.Any(x => x.ResourceName == resourceName && x.Name == name))
+        {
+            throw new AbpException($"There is already an existing resource permission with name: {name} for resource: {resourceName}");
+        }
+
+        var permission = new PermissionDefinition(
+            name,
+            resourceName,
+            managementPermissionName,
+            displayName,
+            multiTenancySide,
+            isEnabled)
+        {
+            [KnownPropertyNames.CurrentProviderName] = CurrentProvider?.GetType().FullName
+        };
+
+        ResourcePermissions.Add(permission);
+
+        return permission;
+    }
+
+    public virtual PermissionDefinition? GetResourcePermissionOrNull([NotNull] string resourceName, [NotNull] string name)
+    {
+        Check.NotNull(resourceName, nameof(resourceName));
+        Check.NotNull(name, nameof(name));
+
+        return ResourcePermissions.FirstOrDefault(p => p.ResourceName == resourceName && p.Name == name);
+    }
+
+    public virtual void RemoveResourcePermission([NotNull] string resourceName, [NotNull] string name)
+    {
+        Check.NotNull(resourceName, nameof(resourceName));
+        Check.NotNull(name, nameof(name));
+
+        var resourcePermission = GetResourcePermissionOrNull(resourceName, name);
+        if (resourcePermission == null)
+        {
+            throw new AbpException($"Not found resource permission with name: {name} for resource: {resourceName}");
+        }
+        ResourcePermissions.Remove(resourcePermission);
+    }
 }

framework/src/Volo.Abp.Authorization.Abstractions/Volo/Abp/Authorization/Permissions/Resources/IHasResourcePermissions.cs

@@ -0,0 +1,8 @@
+using System.Collections.Generic;
+
+namespace Volo.Abp.Authorization.Permissions.Resources;
+
+public interface IHasResourcePermissions : IKeyedObject
+{
+    Dictionary<string, bool> ResourcePermissions { get; }
+}

framework/src/Volo.Abp.Authorization.Abstractions/Volo/Abp/Authorization/Permissions/Resources/IResourcePermissionChecker.cs

@@ -0,0 +1,33 @@
+using System.Security.Claims;
+using System.Threading.Tasks;
+
+namespace Volo.Abp.Authorization.Permissions.Resources;
+
+public interface IResourcePermissionChecker
+{
+    Task<bool> IsGrantedAsync(
+        string name,
+        string resourceName,
+        string resourceKey
+    );
+
+    Task<bool> IsGrantedAsync(
+        ClaimsPrincipal? claimsPrincipal,
+        string name,
+        string resourceName,
+        string resourceKey
+    );
+
+    Task<MultiplePermissionGrantResult> IsGrantedAsync(
+        string[] names, 
+        string resourceName,
+        string resourceKey
+    );
+
+    Task<MultiplePermissionGrantResult> IsGrantedAsync(
+        ClaimsPrincipal? claimsPrincipal,
+        string[] names,
+        string resourceName,
+        string resourceKey
+    );
+}