open-source-mirrors
/
jellyfin
mirror of https://github.com/jellyfin/jellyfin
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

Add default auth policy to generated openapi spec (#11181)

Browse Source
pull/11199/head
Cody Robibero 2 months ago committed by GitHub
parent c16135800c
commit d9e35a969f
No known key found for this signature in database
GPG Key ID: B5690EEEBB952194
1 changed files with 73 additions and 59 deletions
Show Stats Download Patch File Download Diff File

132
Jellyfin.Server/Filters/SecurityRequirementsOperationFilter.cs
Unescape View File

@ -1,91 +1,105 @@
using System; using System;
using System.Collections.Generic; using System.Collections.Generic;
using System.Linq; using System.Linq;
using Jellyfin.Api.Auth.DefaultAuthorizationPolicy;
using Jellyfin.Api.Constants; using Jellyfin.Api.Constants;
using Jellyfin.Extensions;
using Microsoft.AspNetCore.Authorization; using Microsoft.AspNetCore.Authorization;
using Microsoft.OpenApi.Models; using Microsoft.OpenApi.Models;
using Swashbuckle.AspNetCore.SwaggerGen; using Swashbuckle.AspNetCore.SwaggerGen;
namespace Jellyfin.Server.Filters namespace Jellyfin.Server.Filters;
/// <summary>
/// Security requirement operation filter.
/// </summary>
public class SecurityRequirementsOperationFilter : IOperationFilter
{ {
private const string DefaultAuthPolicy = "DefaultAuthorization";
private static readonly Type _attributeType = typeof(AuthorizeAttribute);
private readonly IAuthorizationPolicyProvider _authorizationPolicyProvider;
/// <summary> /// <summary>
/// Security requirement operation filter. /// Initializes a new instance of the <see cref="SecurityRequirementsOperationFilter"/> class.
/// </summary> /// </summary>
public class SecurityRequirementsOperationFilter : IOperationFilter /// <param name="authorizationPolicyProvider">The authorization policy provider.</param>
public SecurityRequirementsOperationFilter(IAuthorizationPolicyProvider authorizationPolicyProvider)
{ {
/// <inheritdoc /> _authorizationPolicyProvider = authorizationPolicyProvider;
public void Apply(OpenApiOperation operation, OperationFilterContext context) }
{
var requiredScopes = new List<string>();
var requiresAuth = false; /// <inheritdoc />
// Add all method scopes. public void Apply(OpenApiOperation operation, OperationFilterContext context)
foreach (var attribute in context.MethodInfo.GetCustomAttributes(true)) {
{ var requiredScopes = new List<string>();
if (attribute is not AuthorizeAttribute authorizeAttribute)
{
continue;
}
requiresAuth = true; var requiresAuth = false;
if (authorizeAttribute.Policy is not null // Add all method scopes.
&& !requiredScopes.Contains(authorizeAttribute.Policy, StringComparer.Ordinal)) foreach (var authorizeAttribute in context.MethodInfo.GetCustomAttributes(_attributeType, true).Cast<AuthorizeAttribute>())
{ {
requiredScopes.Add(authorizeAttribute.Policy); requiresAuth = true;
} var policy = authorizeAttribute.Policy ?? DefaultAuthPolicy;
if (!requiredScopes.Contains(policy, StringComparer.Ordinal))
{
requiredScopes.Add(policy);
} }
}
// Add controller scopes if any. // Add controller scopes if any.
var controllerAttributes = context.MethodInfo.DeclaringType?.GetCustomAttributes(true); var controllerAttributes = context.MethodInfo.DeclaringType?.GetCustomAttributes(_attributeType, true).Cast<AuthorizeAttribute>();
if (controllerAttributes is not null) if (controllerAttributes is not null)
{
foreach (var authorizeAttribute in controllerAttributes)
{ {
foreach (var attribute in controllerAttributes) requiresAuth = true;
var policy = authorizeAttribute.Policy ?? DefaultAuthPolicy;
if (!requiredScopes.Contains(policy, StringComparer.Ordinal))
{ {
if (attribute is not AuthorizeAttribute authorizeAttribute) requiredScopes.Add(policy);
{
continue;
}
requiresAuth = true;
if (authorizeAttribute.Policy is not null
&& !requiredScopes.Contains(authorizeAttribute.Policy, StringComparer.Ordinal))
{
requiredScopes.Add(authorizeAttribute.Policy);
}
} }
} }
}
if (!requiresAuth) if (!requiresAuth)
{ {
return; return;
} }
if (!operation.Responses.ContainsKey("401")) if (!operation.Responses.ContainsKey("401"))
{ {
operation.Responses.Add("401", new OpenApiResponse { Description = "Unauthorized" }); operation.Responses.Add("401", new OpenApiResponse { Description = "Unauthorized" });
} }
if (!operation.Responses.ContainsKey("403")) if (!operation.Responses.ContainsKey("403"))
{ {
operation.Responses.Add("403", new OpenApiResponse { Description = "Forbidden" }); operation.Responses.Add("403", new OpenApiResponse { Description = "Forbidden" });
} }
var scheme = new OpenApiSecurityScheme var scheme = new OpenApiSecurityScheme
{
Reference = new OpenApiReference
{ {
Reference = new OpenApiReference Type = ReferenceType.SecurityScheme,
{ Id = AuthenticationSchemes.CustomAuthentication
Type = ReferenceType.SecurityScheme, },
Id = AuthenticationSchemes.CustomAuthentication };
}
};
operation.Security = new List<OpenApiSecurityRequirement> // Add DefaultAuthorization scope to any endpoint that has a policy with a requirement that is a subset of DefaultAuthorization.
if (!requiredScopes.Contains(DefaultAuthPolicy.AsSpan(), StringComparison.Ordinal))
{
foreach (var scope in requiredScopes)
{ {
new OpenApiSecurityRequirement var authorizationPolicy = _authorizationPolicyProvider.GetPolicyAsync(scope).GetAwaiter().GetResult();
if (authorizationPolicy is not null
&& authorizationPolicy.Requirements.Any(r => r is DefaultAuthorizationRequirement))
{ {
[scheme] = requiredScopes requiredScopes.Add(DefaultAuthPolicy);
break;
} }
}; }
} }
operation.Security = [new OpenApiSecurityRequirement { [scheme] = requiredScopes }];
} }
} }

Write Preview
Loading…
Cancel
Save