Enforce permissions on websocket connections

This commit is contained in:
Shadowghost 2023-06-09 17:11:22 +02:00
parent 46a6755e65
commit 05d98fe24c
7 changed files with 58 additions and 26 deletions

View File

@ -12,6 +12,7 @@ using MediaBrowser.Controller.Net;
using MediaBrowser.Controller.Net.WebSocketMessages;
using MediaBrowser.Controller.Net.WebSocketMessages.Outbound;
using MediaBrowser.Model.Session;
using Microsoft.AspNetCore.Http;
using Microsoft.Extensions.Logging;
namespace Emby.Server.Implementations.HttpServer
@ -43,14 +44,17 @@ namespace Emby.Server.Implementations.HttpServer
/// </summary>
/// <param name="logger">The logger.</param>
/// <param name="socket">The socket.</param>
/// <param name="authorizationInfo">The authorization information.</param>
/// <param name="remoteEndPoint">The remote end point.</param>
public WebSocketConnection(
ILogger<WebSocketConnection> logger,
WebSocket socket,
AuthorizationInfo authorizationInfo,
IPAddress? remoteEndPoint)
{
_logger = logger;
_socket = socket;
AuthorizationInfo = authorizationInfo;
RemoteEndPoint = remoteEndPoint;
_jsonOptions = JsonDefaults.Options;
@ -60,30 +64,22 @@ namespace Emby.Server.Implementations.HttpServer
/// <inheritdoc />
public event EventHandler<EventArgs>? Closed;
/// <summary>
/// Gets the remote end point.
/// </summary>
/// <inheritdoc />
public AuthorizationInfo AuthorizationInfo { get; }
/// <inheritdoc />
public IPAddress? RemoteEndPoint { get; }
/// <summary>
/// Gets or sets the receive action.
/// </summary>
/// <value>The receive action.</value>
/// <inheritdoc />
public Func<WebSocketMessageInfo, Task>? OnReceive { get; set; }
/// <summary>
/// Gets the last activity date.
/// </summary>
/// <value>The last activity date.</value>
/// <inheritdoc />
public DateTime LastActivityDate { get; private set; }
/// <inheritdoc />
public DateTime LastKeepAliveDate { get; set; }
/// <summary>
/// Gets the state.
/// </summary>
/// <value>The state.</value>
/// <inheritdoc />
public WebSocketState State => _socket.State;
/// <inheritdoc />
@ -101,7 +97,7 @@ namespace Emby.Server.Implementations.HttpServer
}
/// <inheritdoc />
public async Task ProcessAsync(CancellationToken cancellationToken = default)
public async Task ReceiveAsync(CancellationToken cancellationToken = default)
{
var pipe = new Pipe();
var writer = pipe.Writer;

View File

@ -51,6 +51,7 @@ namespace Emby.Server.Implementations.HttpServer
using var connection = new WebSocketConnection(
_loggerFactory.CreateLogger<WebSocketConnection>(),
webSocket,
authorizationInfo,
context.GetNormalizedRemoteIP())
{
OnReceive = ProcessWebSocketMessageReceived
@ -64,7 +65,7 @@ namespace Emby.Server.Implementations.HttpServer
await Task.WhenAll(tasks).ConfigureAwait(false);
await connection.ProcessAsync().ConfigureAwait(false);
await connection.ReceiveAsync().ConfigureAwait(false);
_logger.LogInformation("WS {IP} closed", context.Connection.RemoteIpAddress);
}
catch (Exception ex) // Otherwise ASP.Net will ignore the exception

View File

@ -1,6 +1,8 @@
using System;
using System.Threading.Tasks;
using Jellyfin.Data.Enums;
using Jellyfin.Data.Events;
using MediaBrowser.Controller.Authentication;
using MediaBrowser.Controller.Net;
using MediaBrowser.Model.Activity;
using MediaBrowser.Model.Session;
@ -9,7 +11,7 @@ using Microsoft.Extensions.Logging;
namespace Jellyfin.Api.WebSocketListeners;
/// <summary>
/// Class SessionInfoWebSocketListener.
/// Class ActivityLogWebSocketListener.
/// </summary>
public class ActivityLogWebSocketListener : BasePeriodicWebSocketListener<ActivityLogEntry[], WebSocketListenerState>
{
@ -56,6 +58,16 @@ public class ActivityLogWebSocketListener : BasePeriodicWebSocketListener<Activi
base.Dispose(dispose);
}
private new void Start(WebSocketMessageInfo message)
{
if (!message.Connection.AuthorizationInfo.User.HasPermission(PermissionKind.IsAdministrator))
{
throw new AuthenticationException("Only admin users can retrieve the activity log.");
}
base.Start(message);
}
private async void OnEntryCreated(object? sender, GenericEventArgs<ActivityLogEntry> e)
{
await SendData(true).ConfigureAwait(false);

View File

@ -1,5 +1,7 @@
using System.Collections.Generic;
using System.Threading.Tasks;
using Jellyfin.Data.Enums;
using MediaBrowser.Controller.Authentication;
using MediaBrowser.Controller.Library;
using MediaBrowser.Controller.Net;
using MediaBrowser.Controller.Session;
@ -66,6 +68,16 @@ public class SessionInfoWebSocketListener : BasePeriodicWebSocketListener<IEnume
base.Dispose(dispose);
}
private new void Start(WebSocketMessageInfo message)
{
if (!message.Connection.AuthorizationInfo.User.HasPermission(PermissionKind.IsAdministrator))
{
throw new AuthenticationException("Only admin users can subscribe to session information.");
}
base.Start(message);
}
private async void OnSessionManagerSessionActivity(object? sender, SessionEventArgs e)
{
await SendData(false).ConfigureAwait(false);

View File

@ -96,7 +96,7 @@ namespace MediaBrowser.Controller.Net
/// Starts sending messages over a web socket.
/// </summary>
/// <param name="message">The message.</param>
private void Start(WebSocketMessageInfo message)
protected void Start(WebSocketMessageInfo message)
{
var vals = message.Data.Split(',');

View File

@ -1,5 +1,3 @@
#pragma warning disable CS1591
using System;
using System.Net;
using System.Net.WebSockets;
@ -9,6 +7,9 @@ using MediaBrowser.Controller.Net.WebSocketMessages;
namespace MediaBrowser.Controller.Net
{
/// <summary>
/// Interface for WebSocket connections.
/// </summary>
public interface IWebSocketConnection : IAsyncDisposable, IDisposable
{
/// <summary>
@ -40,6 +41,11 @@ namespace MediaBrowser.Controller.Net
/// <value>The state.</value>
WebSocketState State { get; }
/// <summary>
/// Gets the authorization information.
/// </summary>
public AuthorizationInfo AuthorizationInfo { get; }
/// <summary>
/// Gets the remote end point.
/// </summary>
@ -65,6 +71,11 @@ namespace MediaBrowser.Controller.Net
/// <exception cref="ArgumentNullException">The message is null.</exception>
Task SendAsync<T>(OutboundWebSocketMessage<T> message, CancellationToken cancellationToken);
Task ProcessAsync(CancellationToken cancellationToken = default);
/// <summary>
/// Receives a message asynchronously.
/// </summary>
/// <param name="cancellationToken">The cancellation token.</param>
/// <returns>Task.</returns>
Task ReceiveAsync(CancellationToken cancellationToken = default);
}
}

View File

@ -13,7 +13,7 @@ namespace Jellyfin.Server.Implementations.Tests.HttpServer
[Fact]
public void DeserializeWebSocketMessage_SingleSegment_Success()
{
var con = new WebSocketConnection(new NullLogger<WebSocketConnection>(), null!, null!);
var con = new WebSocketConnection(new NullLogger<WebSocketConnection>(), null!, null!, null!);
var bytes = File.ReadAllBytes("Test Data/HttpServer/ForceKeepAlive.json");
con.DeserializeWebSocketMessage(new ReadOnlySequence<byte>(bytes), out var bytesConsumed);
Assert.Equal(109, bytesConsumed);
@ -23,7 +23,7 @@ namespace Jellyfin.Server.Implementations.Tests.HttpServer
public void DeserializeWebSocketMessage_MultipleSegments_Success()
{
const int SplitPos = 64;
var con = new WebSocketConnection(new NullLogger<WebSocketConnection>(), null!, null!);
var con = new WebSocketConnection(new NullLogger<WebSocketConnection>(), null!, null!, null!);
var bytes = File.ReadAllBytes("Test Data/HttpServer/ForceKeepAlive.json");
var seg1 = new BufferSegment(new Memory<byte>(bytes, 0, SplitPos));
var seg2 = seg1.Append(new Memory<byte>(bytes, SplitPos, bytes.Length - SplitPos));
@ -34,7 +34,7 @@ namespace Jellyfin.Server.Implementations.Tests.HttpServer
[Fact]
public void DeserializeWebSocketMessage_ValidPartial_Success()
{
var con = new WebSocketConnection(new NullLogger<WebSocketConnection>(), null!, null!);
var con = new WebSocketConnection(new NullLogger<WebSocketConnection>(), null!, null!, null!);
var bytes = File.ReadAllBytes("Test Data/HttpServer/ValidPartial.json");
con.DeserializeWebSocketMessage(new ReadOnlySequence<byte>(bytes), out var bytesConsumed);
Assert.Equal(109, bytesConsumed);
@ -43,7 +43,7 @@ namespace Jellyfin.Server.Implementations.Tests.HttpServer
[Fact]
public void DeserializeWebSocketMessage_Partial_ThrowJsonException()
{
var con = new WebSocketConnection(new NullLogger<WebSocketConnection>(), null!, null!);
var con = new WebSocketConnection(new NullLogger<WebSocketConnection>(), null!, null!, null!);
var bytes = File.ReadAllBytes("Test Data/HttpServer/Partial.json");
Assert.Throws<JsonException>(() => con.DeserializeWebSocketMessage(new ReadOnlySequence<byte>(bytes), out var bytesConsumed));
}