Merging the authorization branch

2026-05-13 10:52:28 -04:00 · 2021-05-05 22:33:49 +02:00
parent b2151a0dde b6d92a96c1
commit da699c096d
11 changed files with 136 additions and 110 deletions
@@ -1,37 +0,0 @@
-using System.Linq;
-using System.Security.Claims;
-using System.Threading.Tasks;
-using IdentityServer4.Extensions;
-using Microsoft.AspNetCore.Authorization;
-using Microsoft.Extensions.Configuration;
-
-namespace Kyoo.Authentication
-{
-	public class AuthorizationValidatorHandler : AuthorizationHandler<AuthorizationValidator>
-	{
-		private readonly IConfiguration _configuration;
-		
-		public AuthorizationValidatorHandler(IConfiguration configuration)
-		{
-			_configuration = configuration;
-		}
-		
-		protected override Task HandleRequirementAsync(AuthorizationHandlerContext context, AuthorizationValidator requirement)
-		{
-			if (!context.User.IsAuthenticated())
-			{
-				string defaultPerms = _configuration.GetValue<string>("defaultPermissions");
-				if (defaultPerms.Split(',').Contains(requirement.Permission.ToLower()))
-					context.Succeed(requirement);
-			}
-			else
-			{
-				Claim perms = context.User.Claims.FirstOrDefault(x => x.Type == "permissions");
-				if (perms != null && perms.Value.Split(",").Contains(requirement.Permission.ToLower()))
-					context.Succeed(requirement);
-			}
-
-			return Task.CompletedTask;
-		}
-	}
-}
@@ -1,14 +0,0 @@
-using Microsoft.AspNetCore.Authorization;
-
-namespace Kyoo.Authentication
-{
-	public class AuthorizationValidator : IAuthorizationRequirement
-	{
-		public string Permission { get; }
-
-		public AuthorizationValidator(string permission)
-		{
-			Permission = permission;
-		}
-	}
-}
@@ -79,8 +79,10 @@ namespace Kyoo.Authentication
 			// 	.AddDefaultTokenProviders()
 			// 	.AddEntityFrameworkStores<IdentityDatabase>();

+			services.Configure<PermissionOption>(_configuration.GetSection(PermissionOption.Path));
 			CertificateOption certificateOptions = new();
 			_configuration.GetSection(CertificateOption.Path).Bind(certificateOptions);
+
 			services.AddIdentityServer(options =>
 				{
 					options.IssuerUri = publicUrl;
@@ -136,7 +138,7 @@ namespace Kyoo.Authentication
 					{
 						policy.AuthenticationSchemes.Add(IdentityConstants.ApplicationScheme);
 						policy.AuthenticationSchemes.Add(JwtBearerDefaults.AuthenticationScheme);
-						policy.AddRequirements(new AuthorizationValidator(permission));
+						policy.AddRequirements(new AuthRequirement(permission));
 						policy.RequireScope($"kyoo.{permission.ToLower()}");
 					});
 				}
@@ -153,8 +155,6 @@ namespace Kyoo.Authentication
 		/// <inheritdoc />
 		public void ConfigureAspNet(IApplicationBuilder app)
 		{
-			app.UseAuthorization();
-
 			app.UseCookiePolicy(new CookiePolicyOptions
 			{
 				MinimumSameSitePolicy = SameSiteMode.Strict
@@ -166,6 +166,7 @@ namespace Kyoo.Authentication
 				return next();
 			});
 			app.UseIdentityServer();
+			app.UseAuthorization();
 		}
 	}
 }
@@ -0,0 +1,51 @@
+using System.Collections.Generic;
+using System.Linq;
+using System.Security.Claims;
+using System.Threading.Tasks;
+using IdentityServer4.Extensions;
+using Kyoo.Authentication.Models;
+using Microsoft.AspNetCore.Authorization;
+using Microsoft.Extensions.Options;
+
+namespace Kyoo.Authentication
+{
+	/// <summary>
+	/// The default IAuthorizationHandler implementation.
+	/// </summary>
+	public class AuthorizationValidatorHandler : AuthorizationHandler<AuthRequirement>
+	{
+		/// <summary>
+		/// The permissions options to retrieve default permissions.
+		/// </summary>
+		private readonly IOptionsMonitor<PermissionOption> _options;
+		
+		/// <summary>
+		/// Create a new <see cref="AuthorizationValidatorHandler"/>.
+		/// </summary>
+		/// <param name="options">The option containing default values.</param>
+		public AuthorizationValidatorHandler(IOptionsMonitor<PermissionOption> options)
+		{
+			_options = options;
+		}
+
+
+		/// <inheritdoc />
+		protected override Task HandleRequirementAsync(AuthorizationHandlerContext context, AuthRequirement requirement)
+		{
+			if (context.User.IsAuthenticated())
+			{
+				Claim perms = context.User.Claims.FirstOrDefault(x => x.Type == "permissions");
+				if (perms != null && perms.Value.Split(",").Contains(requirement.Permission.ToLower()))
+					context.Succeed(requirement);
+			}
+			else
+			{
+				ICollection<string> defaultPerms = _options.CurrentValue.Default;
+				if (defaultPerms.Contains(requirement.Permission.ToLower()))
+					context.Succeed(requirement);
+			}
+
+			return Task.CompletedTask;
+		}
+	}
+}
@@ -0,0 +1,24 @@
+using Microsoft.AspNetCore.Authorization;
+
+namespace Kyoo.Authentication
+{
+	/// <summary>
+	/// The requirement of Kyoo's authentication policies.
+	/// </summary>
+	public class AuthRequirement : IAuthorizationRequirement
+	{
+		/// <summary>
+		/// The name of the permission
+		/// </summary>
+		public string Permission { get; }
+
+		/// <summary>
+		/// Create a new <see cref="AuthRequirement"/> for the given permission.
+		/// </summary>
+		/// <param name="permission">The permission needed</param>
+		public AuthRequirement(string permission)
+		{
+			Permission = permission;
+		}
+	}
+}
@@ -0,0 +1,25 @@
+using System.Collections.Generic;
+
+namespace Kyoo.Authentication.Models
+{
+	/// <summary>
+	/// Permission options.
+	/// </summary>
+	public class PermissionOption
+	{
+		/// <summary>
+		/// The path to get this option from the root configuration.
+		/// </summary>
+		public const string Path = "authentication:permissions";
+
+		/// <summary>
+		/// The default permissions that will be given to a non-connected user.
+		/// </summary>
+		public ICollection<string> Default { get; set; }
+		
+		/// <summary>
+		/// Permissions applied to a new user.
+		/// </summary>
+		public ICollection<string> NewUser { get; set; }
+	}
+}
@@ -12,7 +12,6 @@ using Microsoft.AspNetCore.Authorization;
 using Microsoft.AspNetCore.Http;
 using Microsoft.AspNetCore.Identity;
 using Microsoft.AspNetCore.Mvc;
-using Microsoft.AspNetCore.StaticFiles;
 using Microsoft.Extensions.Configuration;
 using SignInResult = Microsoft.AspNetCore.Identity.SignInResult;

@@ -47,29 +46,8 @@ namespace Kyoo.Api
 		[FromForm(Name = "picture")]
 		public IFormFile Picture { get; set; }
 	}
-	
-	[ApiController]
-	public class AccountUiController : Controller
-	{
-		[HttpGet("login")]
-		public IActionResult Index()
-		{
-			return new PhysicalFileResult(Path.GetFullPath("login/login.html"), "text/html");
-		}
-		
-		[HttpGet("login/{*file}")]
-		public IActionResult Index(string file)
-		{
-			string path = Path.Combine(Path.GetFullPath("login/"), file);
-			if (!System.IO.File.Exists(path))
-				return NotFound();
-			FileExtensionContentTypeProvider provider = new FileExtensionContentTypeProvider();
-			if (!provider.TryGetContentType(path, out string contentType))
-				contentType = "text/plain";			
-			return new PhysicalFileResult(path, contentType);
-		}
-	}
-	
+
+
 	[Route("api/[controller]")]
 	[ApiController]
 	public class AccountController : Controller, IProfileService
@@ -100,7 +78,7 @@ namespace Kyoo.Api
 				return BadRequest(new[] {new {code = "username", description = "Username must be at least 4 characters."}});
 			if (!new EmailAddressAttribute().IsValid(user.Email))
 				return BadRequest(new[] {new {code = "email", description = "Email must be valid."}});
-			User account = new User {UserName = user.Username, Email = user.Email};
+			User account = new() {UserName = user.Username, Email = user.Email};
 			IdentityResult result = await _userManager.CreateAsync(account, user.Password);
 			if (!result.Succeeded)
 				return BadRequest(result.Errors);
@@ -151,7 +129,7 @@ namespace Kyoo.Api
 			User user = await _userManager.GetUserAsync(context.Subject);
 			if (user != null)
 			{
-				List<Claim> claims = new List<Claim>
+				List<Claim> claims = new()
 				{
 					new Claim("email", user.Email),
 					new Claim("username", user.UserName),