|
|
|
|
@ -1,18 +1,34 @@
|
|
|
|
|
using System;
|
|
|
|
|
using System.Collections.Generic;
|
|
|
|
|
using System.Linq;
|
|
|
|
|
using Jellyfin.Api.Auth.DefaultAuthorizationPolicy;
|
|
|
|
|
using Jellyfin.Api.Constants;
|
|
|
|
|
using Jellyfin.Extensions;
|
|
|
|
|
using Microsoft.AspNetCore.Authorization;
|
|
|
|
|
using Microsoft.OpenApi.Models;
|
|
|
|
|
using Swashbuckle.AspNetCore.SwaggerGen;
|
|
|
|
|
|
|
|
|
|
namespace Jellyfin.Server.Filters
|
|
|
|
|
namespace Jellyfin.Server.Filters;
|
|
|
|
|
|
|
|
|
|
/// <summary>
|
|
|
|
|
/// Security requirement operation filter.
|
|
|
|
|
/// </summary>
|
|
|
|
|
public class SecurityRequirementsOperationFilter : IOperationFilter
|
|
|
|
|
{
|
|
|
|
|
private const string DefaultAuthPolicy = "DefaultAuthorization";
|
|
|
|
|
private static readonly Type _attributeType = typeof(AuthorizeAttribute);
|
|
|
|
|
|
|
|
|
|
private readonly IAuthorizationPolicyProvider _authorizationPolicyProvider;
|
|
|
|
|
|
|
|
|
|
/// <summary>
|
|
|
|
|
/// Security requirement operation filter.
|
|
|
|
|
/// Initializes a new instance of the <see cref="SecurityRequirementsOperationFilter"/> class.
|
|
|
|
|
/// </summary>
|
|
|
|
|
public class SecurityRequirementsOperationFilter : IOperationFilter
|
|
|
|
|
/// <param name="authorizationPolicyProvider">The authorization policy provider.</param>
|
|
|
|
|
public SecurityRequirementsOperationFilter(IAuthorizationPolicyProvider authorizationPolicyProvider)
|
|
|
|
|
{
|
|
|
|
|
_authorizationPolicyProvider = authorizationPolicyProvider;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
/// <inheritdoc />
|
|
|
|
|
public void Apply(OpenApiOperation operation, OperationFilterContext context)
|
|
|
|
|
{
|
|
|
|
|
@ -20,37 +36,27 @@ namespace Jellyfin.Server.Filters
|
|
|
|
|
|
|
|
|
|
var requiresAuth = false;
|
|
|
|
|
// Add all method scopes.
|
|
|
|
|
foreach (var attribute in context.MethodInfo.GetCustomAttributes(true))
|
|
|
|
|
{
|
|
|
|
|
if (attribute is not AuthorizeAttribute authorizeAttribute)
|
|
|
|
|
foreach (var authorizeAttribute in context.MethodInfo.GetCustomAttributes(_attributeType, true).Cast<AuthorizeAttribute>())
|
|
|
|
|
{
|
|
|
|
|
continue;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
requiresAuth = true;
|
|
|
|
|
if (authorizeAttribute.Policy is not null
|
|
|
|
|
&& !requiredScopes.Contains(authorizeAttribute.Policy, StringComparer.Ordinal))
|
|
|
|
|
var policy = authorizeAttribute.Policy ?? DefaultAuthPolicy;
|
|
|
|
|
if (!requiredScopes.Contains(policy, StringComparer.Ordinal))
|
|
|
|
|
{
|
|
|
|
|
requiredScopes.Add(authorizeAttribute.Policy);
|
|
|
|
|
requiredScopes.Add(policy);
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
// Add controller scopes if any.
|
|
|
|
|
var controllerAttributes = context.MethodInfo.DeclaringType?.GetCustomAttributes(true);
|
|
|
|
|
var controllerAttributes = context.MethodInfo.DeclaringType?.GetCustomAttributes(_attributeType, true).Cast<AuthorizeAttribute>();
|
|
|
|
|
if (controllerAttributes is not null)
|
|
|
|
|
{
|
|
|
|
|
foreach (var attribute in controllerAttributes)
|
|
|
|
|
foreach (var authorizeAttribute in controllerAttributes)
|
|
|
|
|
{
|
|
|
|
|
if (attribute is not AuthorizeAttribute authorizeAttribute)
|
|
|
|
|
{
|
|
|
|
|
continue;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
requiresAuth = true;
|
|
|
|
|
if (authorizeAttribute.Policy is not null
|
|
|
|
|
&& !requiredScopes.Contains(authorizeAttribute.Policy, StringComparer.Ordinal))
|
|
|
|
|
var policy = authorizeAttribute.Policy ?? DefaultAuthPolicy;
|
|
|
|
|
if (!requiredScopes.Contains(policy, StringComparer.Ordinal))
|
|
|
|
|
{
|
|
|
|
|
requiredScopes.Add(authorizeAttribute.Policy);
|
|
|
|
|
requiredScopes.Add(policy);
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
@ -76,16 +82,24 @@ namespace Jellyfin.Server.Filters
|
|
|
|
|
{
|
|
|
|
|
Type = ReferenceType.SecurityScheme,
|
|
|
|
|
Id = AuthenticationSchemes.CustomAuthentication
|
|
|
|
|
}
|
|
|
|
|
},
|
|
|
|
|
};
|
|
|
|
|
|
|
|
|
|
operation.Security = new List<OpenApiSecurityRequirement>
|
|
|
|
|
// Add DefaultAuthorization scope to any endpoint that has a policy with a requirement that is a subset of DefaultAuthorization.
|
|
|
|
|
if (!requiredScopes.Contains(DefaultAuthPolicy.AsSpan(), StringComparison.Ordinal))
|
|
|
|
|
{
|
|
|
|
|
new OpenApiSecurityRequirement
|
|
|
|
|
foreach (var scope in requiredScopes)
|
|
|
|
|
{
|
|
|
|
|
[scheme] = requiredScopes
|
|
|
|
|
var authorizationPolicy = _authorizationPolicyProvider.GetPolicyAsync(scope).GetAwaiter().GetResult();
|
|
|
|
|
if (authorizationPolicy is not null
|
|
|
|
|
&& authorizationPolicy.Requirements.Any(r => r is DefaultAuthorizationRequirement))
|
|
|
|
|
{
|
|
|
|
|
requiredScopes.Add(DefaultAuthPolicy);
|
|
|
|
|
break;
|
|
|
|
|
}
|
|
|
|
|
};
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
operation.Security = [new OpenApiSecurityRequirement { [scheme] = requiredScopes }];
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
Cody Robibero
2 months ago
committed by
GitHub