Implements Public Access in netcore (#10137)

* Getting new netcore PublicAccessChecker in place

* Adds full test coverage for PublicAccessChecker

* remove PublicAccessComposer

* adjust namespaces, ensure RoleManager works, separate public access controller, reduce content controller

* Implements the required methods on IMemberManager, removes old migrated code

* Updates routing to be able to re-route, Fixes middleware ordering ensuring endpoints are last, refactors pipeline options, adds public access middleware, ensures public access follows all hops

* adds note

* adds note

* Cleans up ext methods, ensures that members identity is added on both front-end and back ends. updates how UmbracoApplicationBuilder works in that it explicitly starts endpoints at the time of calling.

* Changes name to IUmbracoEndpointBuilder

* adds note

* Fixing tests, fixing error describers so there's 2x one for back office, one for members, fixes TryConvertTo, fixes login redirect

* fixing build

* Fixes keepalive, fixes PublicAccessMiddleware to not throw, updates startup code to be more clear and removes magic that registers middleware.

* adds note

* removes unused filter, fixes build

* fixes WebPath and tests

* Looks up entities in one query

* remove usings

* Fix test, remove stylesheet

* Set status code before we write to response to avoid error

* Ensures that users and members are validated when logging in. Shares more code between users and members.

* Fixes RepositoryCacheKeys to ensure the keys are normalized

* oops didn't mean to commit this

* Fix casing issues with caching, stop boxing value types for all cache operations, stop re-creating string keys in DefaultRepositoryCachePolicy

* bah, far out this keeps getting recommitted. sorry

Co-authored-by: Bjarke Berg <mail@bergmania.dk>

src/Umbraco.Web.BackOffice/Controllers/PublicAccessController.cs

@@ -0,0 +1,198 @@
+using System;
+using System.Collections.Generic;
+using System.Linq;
+using Microsoft.AspNetCore.Authorization;
+using Microsoft.AspNetCore.Identity;
+using Microsoft.AspNetCore.Mvc;
+using Umbraco.Cms.Core;
+using Umbraco.Cms.Core.Mapping;
+using Umbraco.Cms.Core.Models;
+using Umbraco.Cms.Core.Models.ContentEditing;
+using Umbraco.Cms.Core.Models.Entities;
+using Umbraco.Cms.Core.Routing;
+using Umbraco.Cms.Core.Security;
+using Umbraco.Cms.Core.Services;
+using Umbraco.Cms.Web.Common.Attributes;
+using Umbraco.Cms.Web.Common.Authorization;
+using Umbraco.Cms.Web.Common.Security;
+using Umbraco.Extensions;
+
+namespace Umbraco.Cms.Web.BackOffice.Controllers
+{
+    [PluginController(Constants.Web.Mvc.BackOfficeApiArea)]
+    [Authorize(Policy = AuthorizationPolicies.TreeAccessDocuments)]
+    public class PublicAccessController : BackOfficeNotificationsController
+    {
+        private readonly IContentService _contentService;
+        private readonly IPublicAccessService _publicAccessService;
+        private readonly IEntityService _entityService;
+        private readonly IMemberService _memberService;
+        private readonly UmbracoMapper _umbracoMapper;
+        private readonly IMemberRoleManager _memberRoleManager;
+
+        public PublicAccessController(
+            IPublicAccessService publicAccessService,
+            IContentService contentService,
+            IEntityService entityService,
+            IMemberService memberService,
+            UmbracoMapper umbracoMapper,
+            IMemberRoleManager memberRoleManager)
+        {
+            _contentService = contentService;
+            _publicAccessService = publicAccessService;
+            _entityService = entityService;
+            _memberService = memberService;
+            _umbracoMapper = umbracoMapper;
+            _memberRoleManager = memberRoleManager;
+        }
+
+        [Authorize(Policy = AuthorizationPolicies.ContentPermissionProtectById)]
+        [HttpGet]
+        public ActionResult<PublicAccess> GetPublicAccess(int contentId)
+        {
+            IContent content = _contentService.GetById(contentId);
+            if (content == null)
+            {
+                return NotFound();
+            }
+
+            PublicAccessEntry entry = _publicAccessService.GetEntryForContent(content);
+            if (entry == null || entry.ProtectedNodeId != content.Id)
+            {
+                return Ok();
+            }
+
+            var nodes = _entityService
+                .GetAll(UmbracoObjectTypes.Document, entry.LoginNodeId, entry.NoAccessNodeId)
+                .ToDictionary(x => x.Id);
+
+            if (!nodes.TryGetValue(entry.LoginNodeId, out IEntitySlim loginPageEntity))
+            {
+                throw new InvalidOperationException($"Login node with id ${entry.LoginNodeId} was not found");
+            }
+
+            if (!nodes.TryGetValue(entry.NoAccessNodeId, out IEntitySlim errorPageEntity))
+            {
+                throw new InvalidOperationException($"Error node with id ${entry.LoginNodeId} was not found");
+            }
+
+            // unwrap the current public access setup for the client
+            // - this API method is the single point of entry for both "modes" of public access (single user and role based)
+            var usernames = entry.Rules
+                .Where(rule => rule.RuleType == Constants.Conventions.PublicAccess.MemberUsernameRuleType)
+                .Select(rule => rule.RuleValue)
+                .ToArray();
+
+            MemberDisplay[] members = usernames
+                .Select(username => _memberService.GetByUsername(username))
+                .Where(member => member != null)
+                .Select(_umbracoMapper.Map<MemberDisplay>)
+                .ToArray();
+
+            var allGroups = _memberRoleManager.Roles.ToDictionary(x => x.Name);
+            MemberGroupDisplay[] groups = entry.Rules
+                .Where(rule => rule.RuleType == Constants.Conventions.PublicAccess.MemberRoleRuleType)
+                .Select(rule => allGroups.TryGetValue(rule.RuleValue, out UmbracoIdentityRole memberRole) ? memberRole : null)
+                .Where(x => x != null)
+                .Select(_umbracoMapper.Map<MemberGroupDisplay>)
+                .ToArray();
+
+            return new PublicAccess
+            {
+                Members = members,
+                Groups = groups,
+                LoginPage = loginPageEntity != null ? _umbracoMapper.Map<EntityBasic>(loginPageEntity) : null,
+                ErrorPage = errorPageEntity != null ? _umbracoMapper.Map<EntityBasic>(errorPageEntity) : null
+            };
+        }
+
+        // set up public access using role based access
+        [Authorize(Policy = AuthorizationPolicies.ContentPermissionProtectById)]
+        [HttpPost]
+        public IActionResult PostPublicAccess(int contentId, [FromQuery(Name = "groups[]")] string[] groups, [FromQuery(Name = "usernames[]")] string[] usernames, int loginPageId, int errorPageId)
+        {
+            if ((groups == null || groups.Any() == false) && (usernames == null || usernames.Any() == false))
+            {
+                return BadRequest();
+            }
+
+            var content = _contentService.GetById(contentId);
+            var loginPage = _contentService.GetById(loginPageId);
+            var errorPage = _contentService.GetById(errorPageId);
+            if (content == null || loginPage == null || errorPage == null)
+            {
+                return BadRequest();
+            }
+
+            var isGroupBased = groups != null && groups.Any();
+            var candidateRuleValues = isGroupBased
+                ? groups
+                : usernames;
+            var newRuleType = isGroupBased
+                ? Constants.Conventions.PublicAccess.MemberRoleRuleType
+                : Constants.Conventions.PublicAccess.MemberUsernameRuleType;
+
+            var entry = _publicAccessService.GetEntryForContent(content);
+
+            if (entry == null || entry.ProtectedNodeId != content.Id)
+            {
+                entry = new PublicAccessEntry(content, loginPage, errorPage, new List<PublicAccessRule>());
+
+                foreach (var ruleValue in candidateRuleValues)
+                {
+                    entry.AddRule(ruleValue, newRuleType);
+                }
+            }
+            else
+            {
+                entry.LoginNodeId = loginPage.Id;
+                entry.NoAccessNodeId = errorPage.Id;
+
+                var currentRules = entry.Rules.ToArray();
+                var obsoleteRules = currentRules.Where(rule =>
+                    rule.RuleType != newRuleType
+                    || candidateRuleValues.Contains(rule.RuleValue) == false
+                );
+                var newRuleValues = candidateRuleValues.Where(group =>
+                    currentRules.Any(rule =>
+                        rule.RuleType == newRuleType
+                        && rule.RuleValue == group
+                    ) == false
+                );
+                foreach (var rule in obsoleteRules)
+                {
+                    entry.RemoveRule(rule);
+                }
+                foreach (var ruleValue in newRuleValues)
+                {
+                    entry.AddRule(ruleValue, newRuleType);
+                }
+            }
+
+            return _publicAccessService.Save(entry).Success
+                ? Ok()
+                : Problem();
+        }
+
+        [Authorize(Policy = AuthorizationPolicies.ContentPermissionProtectById)]
+        [HttpPost]
+        public IActionResult RemovePublicAccess(int contentId)
+        {
+            var content = _contentService.GetById(contentId);
+            if (content == null)
+            {
+                return NotFound();
+            }
+
+            var entry = _publicAccessService.GetEntryForContent(content);
+            if (entry == null)
+            {
+                return Ok();
+            }
+
+            return _publicAccessService.Delete(entry).Success
+                ? Ok()
+                : Problem();
+        }
+    }
+}