Backport pull request #11873 from jellyfin/release-10.9.z

Fix FirstTimeSetupHandler allowing public access Original-merge: 869dab2ba2 Merged-by: joshuaboniface <joshua@boniface.me> Backported-by: Joshua M. Boniface <joshua@boniface.me>
11 months ago · dc2db22c3d
parent 2599babe31
commit dc2db22c3d
2 changed files with 53 additions and 23 deletions
--- a/Jellyfin.Api/Auth/FirstTimeSetupPolicy/FirstTimeSetupHandler.cs
+++ b/Jellyfin.Api/Auth/FirstTimeSetupPolicy/FirstTimeSetupHandler.cs
@ -1,5 +1,6 @@
 using System.Threading.Tasks;
 using Jellyfin.Api.Constants;
+using Jellyfin.Api.Extensions;
 using MediaBrowser.Common.Configuration;
 using Microsoft.AspNetCore.Authorization;

@ -24,24 +25,31 @@ namespace Jellyfin.Api.Auth.FirstTimeSetupPolicy
        /// <inheritdoc />
        protected override Task HandleRequirementAsync(AuthorizationHandlerContext context, FirstTimeSetupRequirement requirement)
        {
+            // Succeed if the startup wizard / first time setup is not complete
            if (!_configurationManager.CommonConfiguration.IsStartupWizardCompleted)
            {
                context.Succeed(requirement);
            }
-            else if (requirement.RequireAdmin && !context.User.IsInRole(UserRoles.Administrator))
+
+            // Succeed if user is admin
+            else if (context.User.IsInRole(UserRoles.Administrator))
            {
-                context.Fail();
+                context.Succeed(requirement);
            }
-            else if (!requirement.RequireAdmin && context.User.IsInRole(UserRoles.Guest))
+
+            // Fail if admin is required and user is not admin
+            else if (requirement.RequireAdmin)
            {
                context.Fail();
            }
-            else
+
+            // Succeed if admin is not required and user is not guest
+            else if (context.User.IsInRole(UserRoles.User))
            {
-                // Any user-specific checks are handled in the DefaultAuthorizationHandler.
                context.Succeed(requirement);
            }

+            // Any user-specific checks are handled in the DefaultAuthorizationHandler.
            return Task.CompletedTask;
        }
    }
--- a/tests/Jellyfin.Api.Tests/Auth/FirstTimeSetupPolicy/FirstTimeSetupHandlerTests.cs
+++ b/tests/Jellyfin.Api.Tests/Auth/FirstTimeSetupPolicy/FirstTimeSetupHandlerTests.cs
@ -1,14 +1,19 @@
+using System;
 using System.Collections.Generic;
 using System.Security.Claims;
 using System.Threading.Tasks;
 using AutoFixture;
 using AutoFixture.AutoMoq;
+using Jellyfin.Api.Auth.DefaultAuthorizationPolicy;
 using Jellyfin.Api.Auth.FirstTimeSetupPolicy;
 using Jellyfin.Api.Constants;
+using Jellyfin.Data.Entities;
+using Jellyfin.Data.Enums;
 using MediaBrowser.Common.Configuration;
 using MediaBrowser.Controller.Library;
 using Microsoft.AspNetCore.Authorization;
 using Microsoft.AspNetCore.Http;
+using Microsoft.Extensions.DependencyInjection;
 using Moq;
 using Xunit;

@ -18,7 +23,9 @@ namespace Jellyfin.Api.Tests.Auth.FirstTimeSetupPolicy
    {
        private readonly Mock<IConfigurationManager> _configurationManagerMock;
        private readonly List<IAuthorizationRequirement> _requirements;
+        private readonly DefaultAuthorizationHandler _defaultAuthorizationHandler;
        private readonly FirstTimeSetupHandler _firstTimeSetupHandler;
+        private readonly IAuthorizationService _authorizationService;
        private readonly Mock<IUserManager> _userManagerMock;
        private readonly Mock<IHttpContextAccessor> _httpContextAccessor;

@ -31,6 +38,21 @@ namespace Jellyfin.Api.Tests.Auth.FirstTimeSetupPolicy
            _httpContextAccessor = fixture.Freeze<Mock<IHttpContextAccessor>>();

            _firstTimeSetupHandler = fixture.Create<FirstTimeSetupHandler>();
+            _defaultAuthorizationHandler = fixture.Create<DefaultAuthorizationHandler>();
+
+            var services = new ServiceCollection();
+            services.AddAuthorizationCore();
+            services.AddLogging();
+            services.AddOptions();
+            services.AddSingleton<IAuthorizationHandler>(_defaultAuthorizationHandler);
+            services.AddSingleton<IAuthorizationHandler>(_firstTimeSetupHandler);
+            services.AddAuthorization(options =>
+            {
+                options.AddPolicy("FirstTime", policy => policy.Requirements.Add(new FirstTimeSetupRequirement()));
+                options.AddPolicy("FirstTimeNoAdmin", policy => policy.Requirements.Add(new FirstTimeSetupRequirement(false, false)));
+                options.AddPolicy("FirstTimeSchedule", policy => policy.Requirements.Add(new FirstTimeSetupRequirement(true, false)));
+            });
+            _authorizationService = services.BuildServiceProvider().GetRequiredService<IAuthorizationService>();
        }

        [Theory]
@ -45,10 +67,9 @@ namespace Jellyfin.Api.Tests.Auth.FirstTimeSetupPolicy
                _httpContextAccessor,
                userRole);

-            var context = new AuthorizationHandlerContext(_requirements, claims, null);
+            var allowed = await _authorizationService.AuthorizeAsync(claims, "FirstTime");

-            await _firstTimeSetupHandler.HandleAsync(context);
-            Assert.True(context.HasSucceeded);
+            Assert.True(allowed.Succeeded);
        }

        [Theory]
@ -63,17 +84,16 @@ namespace Jellyfin.Api.Tests.Auth.FirstTimeSetupPolicy
                _httpContextAccessor,
                userRole);

-            var context = new AuthorizationHandlerContext(_requirements, claims, null);
+            var allowed = await _authorizationService.AuthorizeAsync(claims, "FirstTime");

-            await _firstTimeSetupHandler.HandleAsync(context);
-            Assert.Equal(shouldSucceed, context.HasSucceeded);
+            Assert.Equal(shouldSucceed, allowed.Succeeded);
        }

        [Theory]
        [InlineData(UserRoles.Administrator, true)]
        [InlineData(UserRoles.Guest, false)]
        [InlineData(UserRoles.User, true)]
-        public async Task ShouldRequireUserIfNotRequiresAdmin(string userRole, bool shouldSucceed)
+        public async Task ShouldRequireUserIfNotAdministrator(string userRole, bool shouldSucceed)
        {
            TestHelpers.SetupConfigurationManager(_configurationManagerMock, true);
            var claims = TestHelpers.SetupUser(
@ -81,24 +101,26 @@ namespace Jellyfin.Api.Tests.Auth.FirstTimeSetupPolicy
                _httpContextAccessor,
                userRole);

-            var context = new AuthorizationHandlerContext(
-                new List<IAuthorizationRequirement> { new FirstTimeSetupRequirement(false, false) },
-                claims,
-                null);
+            var allowed = await _authorizationService.AuthorizeAsync(claims, "FirstTimeNoAdmin");

-            await _firstTimeSetupHandler.HandleAsync(context);
-            Assert.Equal(shouldSucceed, context.HasSucceeded);
+            Assert.Equal(shouldSucceed, allowed.Succeeded);
        }

        [Fact]
-        public async Task ShouldAllowAdminApiKeyIfStartupWizardComplete()
+        public async Task ShouldDisallowUserIfOutsideSchedule()
        {
+            AccessSchedule[] accessSchedules = { new AccessSchedule(DynamicDayOfWeek.Everyday, 0, 0, Guid.Empty) };
+
            TestHelpers.SetupConfigurationManager(_configurationManagerMock, true);
-            var claims = new ClaimsPrincipal(new ClaimsIdentity([new Claim(ClaimTypes.Role, UserRoles.Administrator)]));
-            var context = new AuthorizationHandlerContext(_requirements, claims, null);
+            var claims = TestHelpers.SetupUser(
+                _userManagerMock,
+                _httpContextAccessor,
+                UserRoles.User,
+                accessSchedules);
+
+            var allowed = await _authorizationService.AuthorizeAsync(claims, "FirstTimeSchedule");

-            await _firstTimeSetupHandler.HandleAsync(context);
-            Assert.True(context.HasSucceeded);
+            Assert.False(allowed.Succeeded);
        }
    }
 }