Further cleanup and add final tests

tests/Jellyfin.Api.Tests/Auth/DefaultAuthorizationPolicy/DefaultAuthorizationHandlerTests.cs

@@ -39,11 +39,10 @@ namespace Jellyfin.Api.Tests.Auth.DefaultAuthorizationPolicy
         public async Task ShouldSucceedOnUser(string userRole)
         {
             TestHelpers.SetupConfigurationManager(_configurationManagerMock, true);
-            var (_, claims) = TestHelpers.SetupUser(
+            var claims = TestHelpers.SetupUser(
                 _userManagerMock,
                 _httpContextAccessor,
-                userRole,
-                TestHelpers.InternalIp);
+                userRole);
 
             var context = new AuthorizationHandlerContext(_requirements, claims, null);
 

tests/Jellyfin.Api.Tests/Auth/FirstTimeSetupOrElevatedPolicy/FirstTimeSetupOrElevatedHandlerTests.cs

@@ -39,11 +39,10 @@ namespace Jellyfin.Api.Tests.Auth.FirstTimeSetupOrElevatedPolicy
         public async Task ShouldSucceedIfStartupWizardIncomplete(string userRole)
         {
             TestHelpers.SetupConfigurationManager(_configurationManagerMock, false);
-            var (_, claims) = TestHelpers.SetupUser(
+            var claims = TestHelpers.SetupUser(
                 _userManagerMock,
                 _httpContextAccessor,
-                userRole,
-                TestHelpers.InternalIp);
+                userRole);
 
             var context = new AuthorizationHandlerContext(_requirements, claims, null);
 
@@ -58,11 +57,10 @@ namespace Jellyfin.Api.Tests.Auth.FirstTimeSetupOrElevatedPolicy
         public async Task ShouldRequireAdministratorIfStartupWizardComplete(string userRole, bool shouldSucceed)
         {
             TestHelpers.SetupConfigurationManager(_configurationManagerMock, true);
-            var (_, claims) = TestHelpers.SetupUser(
+            var claims = TestHelpers.SetupUser(
                 _userManagerMock,
                 _httpContextAccessor,
-                userRole,
-                TestHelpers.InternalIp);
+                userRole);
 
             var context = new AuthorizationHandlerContext(_requirements, claims, null);
 

tests/Jellyfin.Api.Tests/Auth/IgnoreSchedulePolicy/IgnoreScheduleHandlerTests.cs

@@ -24,6 +24,9 @@ namespace Jellyfin.Api.Tests.Auth.IgnoreSchedulePolicy
         private readonly Mock<IUserManager> _userManagerMock;
         private readonly Mock<IHttpContextAccessor> _httpContextAccessor;
 
+        /// <summary>
+        /// Globally disallow access.
+        /// </summary>
         private readonly AccessSchedule[] _accessSchedules = { new AccessSchedule(DynamicDayOfWeek.Everyday, 0, 0, Guid.Empty) };
 
         public IgnoreScheduleHandlerTests()
@@ -44,11 +47,10 @@ namespace Jellyfin.Api.Tests.Auth.IgnoreSchedulePolicy
         public async Task ShouldAllowScheduleCorrectly(string role, bool shouldSucceed)
         {
             TestHelpers.SetupConfigurationManager(_configurationManagerMock, true);
-            var (_, claims) = TestHelpers.SetupUser(
+            var claims = TestHelpers.SetupUser(
                 _userManagerMock,
                 _httpContextAccessor,
                 role,
-                TestHelpers.InternalIp,
                 _accessSchedules);
 
             var context = new AuthorizationHandlerContext(_requirements, claims, null);

tests/Jellyfin.Api.Tests/Auth/LocalAccessPolicy/LocalAccessHandlerTests.cs

@@ -0,0 +1,58 @@
+using System.Collections.Generic;
+using System.Threading.Tasks;
+using AutoFixture;
+using AutoFixture.AutoMoq;
+using Jellyfin.Api.Auth.LocalAccessPolicy;
+using Jellyfin.Api.Constants;
+using MediaBrowser.Common.Configuration;
+using MediaBrowser.Common.Net;
+using MediaBrowser.Controller.Library;
+using Microsoft.AspNetCore.Authorization;
+using Microsoft.AspNetCore.Http;
+using Moq;
+using Xunit;
+
+namespace Jellyfin.Api.Tests.Auth.LocalAccessPolicy
+{
+    public class LocalAccessHandlerTests
+    {
+        private readonly Mock<IConfigurationManager> _configurationManagerMock;
+        private readonly List<IAuthorizationRequirement> _requirements;
+        private readonly LocalAccessHandler _sut;
+        private readonly Mock<IUserManager> _userManagerMock;
+        private readonly Mock<IHttpContextAccessor> _httpContextAccessor;
+        private readonly Mock<INetworkManager> _networkManagerMock;
+
+        public LocalAccessHandlerTests()
+        {
+            var fixture = new Fixture().Customize(new AutoMoqCustomization());
+            _configurationManagerMock = fixture.Freeze<Mock<IConfigurationManager>>();
+            _requirements = new List<IAuthorizationRequirement> { new LocalAccessRequirement() };
+            _userManagerMock = fixture.Freeze<Mock<IUserManager>>();
+            _httpContextAccessor = fixture.Freeze<Mock<IHttpContextAccessor>>();
+            _networkManagerMock = fixture.Freeze<Mock<INetworkManager>>();
+
+            _sut = fixture.Create<LocalAccessHandler>();
+        }
+
+        [Theory]
+        [InlineData(true, true)]
+        [InlineData(false, false)]
+        public async Task LocalAccessOnly(bool isInLocalNetwork, bool shouldSucceed)
+        {
+            _networkManagerMock
+                .Setup(n => n.IsInLocalNetwork(It.IsAny<string>()))
+                .Returns(isInLocalNetwork);
+
+            TestHelpers.SetupConfigurationManager(_configurationManagerMock, true);
+            var claims = TestHelpers.SetupUser(
+                _userManagerMock,
+                _httpContextAccessor,
+                UserRoles.User);
+
+            var context = new AuthorizationHandlerContext(_requirements, claims, null);
+            await _sut.HandleAsync(context);
+            Assert.Equal(shouldSucceed, context.HasSucceeded);
+        }
+    }
+}

tests/Jellyfin.Api.Tests/Auth/RequiresElevationPolicy/RequiresElevationHandlerTests.cs

@@ -39,11 +39,10 @@ namespace Jellyfin.Api.Tests.Auth.RequiresElevationPolicy
         public async Task ShouldHandleRolesCorrectly(string role, bool shouldSucceed)
         {
             TestHelpers.SetupConfigurationManager(_configurationManagerMock, true);
-            var (_, claims) = TestHelpers.SetupUser(
+            var claims = TestHelpers.SetupUser(
                 _userManagerMock,
                 _httpContextAccessor,
-                role,
-                TestHelpers.InternalIp);
+                role);
 
             var context = new AuthorizationHandlerContext(_requirements, claims, null);
 

tests/Jellyfin.Api.Tests/TestHelpers.cs

@@ -18,21 +18,10 @@ namespace Jellyfin.Api.Tests
 {
     public static class TestHelpers
     {
-        /// <summary>
-        /// 127.0.0.1.
-        /// </summary>
-        public const long InternalIp = 16777343;
-
-        /// <summary>
-        /// 1.1.1.1.
-        /// </summary>
-        public const long ExternalIp = 16843009;
-
-        public static (User, ClaimsPrincipal) SetupUser(
+        public static ClaimsPrincipal SetupUser(
             Mock<IUserManager> userManagerMock,
             Mock<IHttpContextAccessor> httpContextAccessorMock,
             string role,
-            long ip,
             IEnumerable<AccessSchedule>? accessSchedules = null)
         {
             var user = new User(
@@ -72,9 +61,9 @@ namespace Jellyfin.Api.Tests
 
             httpContextAccessorMock
                 .Setup(h => h.HttpContext.Connection.RemoteIpAddress)
-                .Returns(new IPAddress(ip));
+                .Returns(new IPAddress(0));
 
-            return (user, new ClaimsPrincipal(identity));
+            return new ClaimsPrincipal(identity);
         }
 
         public static void SetupConfigurationManager(in Mock<IConfigurationManager> configurationManagerMock, bool startupWizardCompleted)