Merge pull request #11873 from thornbill/fix-first-time-setup-guest-but-for-real
Fix FirstTimeSetupHandler allowing public access
This commit is contained in:
Joshua M. Boniface
GitHub
commit
869dab2ba2
|
|
@ -1,5 +1,6 @@
|
|||
using System.Threading.Tasks;
|
||||
using Jellyfin.Api.Constants;
|
||||
using Jellyfin.Api.Extensions;
|
||||
using MediaBrowser.Common.Configuration;
|
||||
using Microsoft.AspNetCore.Authorization;
|
||||
|
||||
|
|
@ -24,24 +25,31 @@ namespace Jellyfin.Api.Auth.FirstTimeSetupPolicy
|
|||
/// <inheritdoc />
|
||||
protected override Task HandleRequirementAsync(AuthorizationHandlerContext context, FirstTimeSetupRequirement requirement)
|
||||
{
|
||||
// Succeed if the startup wizard / first time setup is not complete
|
||||
if (!_configurationManager.CommonConfiguration.IsStartupWizardCompleted)
|
||||
{
|
||||
context.Succeed(requirement);
|
||||
}
|
||||
else if (requirement.RequireAdmin && !context.User.IsInRole(UserRoles.Administrator))
|
||||
|
||||
// Succeed if user is admin
|
||||
else if (context.User.IsInRole(UserRoles.Administrator))
|
||||
{
|
||||
context.Fail();
|
||||
}
|
||||
else if (!requirement.RequireAdmin && context.User.IsInRole(UserRoles.Guest))
|
||||
{
|
||||
context.Fail();
|
||||
}
|
||||
else
|
||||
{
|
||||
// Any user-specific checks are handled in the DefaultAuthorizationHandler.
|
||||
context.Succeed(requirement);
|
||||
}
|
||||
|
||||
// Fail if admin is required and user is not admin
|
||||
else if (requirement.RequireAdmin)
|
||||
{
|
||||
context.Fail();
|
||||
}
|
||||
|
||||
// Succeed if admin is not required and user is not guest
|
||||
else if (context.User.IsInRole(UserRoles.User))
|
||||
{
|
||||
context.Succeed(requirement);
|
||||
}
|
||||
|
||||
// Any user-specific checks are handled in the DefaultAuthorizationHandler.
|
||||
return Task.CompletedTask;
|
||||
}
|
||||
}
|
||||
|
|
|
|||
|
|
@ -1,14 +1,19 @@
|
|||
using System;
|
||||
using System.Collections.Generic;
|
||||
using System.Security.Claims;
|
||||
using System.Threading.Tasks;
|
||||
using AutoFixture;
|
||||
using AutoFixture.AutoMoq;
|
||||
using Jellyfin.Api.Auth.DefaultAuthorizationPolicy;
|
||||
using Jellyfin.Api.Auth.FirstTimeSetupPolicy;
|
||||
using Jellyfin.Api.Constants;
|
||||
using Jellyfin.Data.Entities;
|
||||
using Jellyfin.Data.Enums;
|
||||
using MediaBrowser.Common.Configuration;
|
||||
using MediaBrowser.Controller.Library;
|
||||
using Microsoft.AspNetCore.Authorization;
|
||||
using Microsoft.AspNetCore.Http;
|
||||
using Microsoft.Extensions.DependencyInjection;
|
||||
using Moq;
|
||||
using Xunit;
|
||||
|
||||
|
|
@ -18,7 +23,9 @@ namespace Jellyfin.Api.Tests.Auth.FirstTimeSetupPolicy
|
|||
{
|
||||
private readonly Mock<IConfigurationManager> _configurationManagerMock;
|
||||
private readonly List<IAuthorizationRequirement> _requirements;
|
||||
private readonly DefaultAuthorizationHandler _defaultAuthorizationHandler;
|
||||
private readonly FirstTimeSetupHandler _firstTimeSetupHandler;
|
||||
private readonly IAuthorizationService _authorizationService;
|
||||
private readonly Mock<IUserManager> _userManagerMock;
|
||||
private readonly Mock<IHttpContextAccessor> _httpContextAccessor;
|
||||
|
||||
|
|
@ -31,6 +38,21 @@ namespace Jellyfin.Api.Tests.Auth.FirstTimeSetupPolicy
|
|||
_httpContextAccessor = fixture.Freeze<Mock<IHttpContextAccessor>>();
|
||||
|
||||
_firstTimeSetupHandler = fixture.Create<FirstTimeSetupHandler>();
|
||||
_defaultAuthorizationHandler = fixture.Create<DefaultAuthorizationHandler>();
|
||||
|
||||
var services = new ServiceCollection();
|
||||
services.AddAuthorizationCore();
|
||||
services.AddLogging();
|
||||
services.AddOptions();
|
||||
services.AddSingleton<IAuthorizationHandler>(_defaultAuthorizationHandler);
|
||||
services.AddSingleton<IAuthorizationHandler>(_firstTimeSetupHandler);
|
||||
services.AddAuthorization(options =>
|
||||
{
|
||||
options.AddPolicy("FirstTime", policy => policy.Requirements.Add(new FirstTimeSetupRequirement()));
|
||||
options.AddPolicy("FirstTimeNoAdmin", policy => policy.Requirements.Add(new FirstTimeSetupRequirement(false, false)));
|
||||
options.AddPolicy("FirstTimeSchedule", policy => policy.Requirements.Add(new FirstTimeSetupRequirement(true, false)));
|
||||
});
|
||||
_authorizationService = services.BuildServiceProvider().GetRequiredService<IAuthorizationService>();
|
||||
}
|
||||
|
||||
[Theory]
|
||||
|
|
@ -45,10 +67,9 @@ namespace Jellyfin.Api.Tests.Auth.FirstTimeSetupPolicy
|
|||
_httpContextAccessor,
|
||||
userRole);
|
||||
|
||||
var context = new AuthorizationHandlerContext(_requirements, claims, null);
|
||||
var allowed = await _authorizationService.AuthorizeAsync(claims, "FirstTime");
|
||||
|
||||
await _firstTimeSetupHandler.HandleAsync(context);
|
||||
Assert.True(context.HasSucceeded);
|
||||
Assert.True(allowed.Succeeded);
|
||||
}
|
||||
|
||||
[Theory]
|
||||
|
|
@ -63,17 +84,16 @@ namespace Jellyfin.Api.Tests.Auth.FirstTimeSetupPolicy
|
|||
_httpContextAccessor,
|
||||
userRole);
|
||||
|
||||
var context = new AuthorizationHandlerContext(_requirements, claims, null);
|
||||
var allowed = await _authorizationService.AuthorizeAsync(claims, "FirstTime");
|
||||
|
||||
await _firstTimeSetupHandler.HandleAsync(context);
|
||||
Assert.Equal(shouldSucceed, context.HasSucceeded);
|
||||
Assert.Equal(shouldSucceed, allowed.Succeeded);
|
||||
}
|
||||
|
||||
[Theory]
|
||||
[InlineData(UserRoles.Administrator, true)]
|
||||
[InlineData(UserRoles.Guest, false)]
|
||||
[InlineData(UserRoles.User, true)]
|
||||
public async Task ShouldRequireUserIfNotRequiresAdmin(string userRole, bool shouldSucceed)
|
||||
public async Task ShouldRequireUserIfNotAdministrator(string userRole, bool shouldSucceed)
|
||||
{
|
||||
TestHelpers.SetupConfigurationManager(_configurationManagerMock, true);
|
||||
var claims = TestHelpers.SetupUser(
|
||||
|
|
@ -81,24 +101,26 @@ namespace Jellyfin.Api.Tests.Auth.FirstTimeSetupPolicy
|
|||
_httpContextAccessor,
|
||||
userRole);
|
||||
|
||||
var context = new AuthorizationHandlerContext(
|
||||
new List<IAuthorizationRequirement> { new FirstTimeSetupRequirement(false, false) },
|
||||
claims,
|
||||
null);
|
||||
var allowed = await _authorizationService.AuthorizeAsync(claims, "FirstTimeNoAdmin");
|
||||
|
||||
await _firstTimeSetupHandler.HandleAsync(context);
|
||||
Assert.Equal(shouldSucceed, context.HasSucceeded);
|
||||
Assert.Equal(shouldSucceed, allowed.Succeeded);
|
||||
}
|
||||
|
||||
[Fact]
|
||||
public async Task ShouldAllowAdminApiKeyIfStartupWizardComplete()
|
||||
public async Task ShouldDisallowUserIfOutsideSchedule()
|
||||
{
|
||||
TestHelpers.SetupConfigurationManager(_configurationManagerMock, true);
|
||||
var claims = new ClaimsPrincipal(new ClaimsIdentity([new Claim(ClaimTypes.Role, UserRoles.Administrator)]));
|
||||
var context = new AuthorizationHandlerContext(_requirements, claims, null);
|
||||
AccessSchedule[] accessSchedules = { new AccessSchedule(DynamicDayOfWeek.Everyday, 0, 0, Guid.Empty) };
|
||||
|
||||
await _firstTimeSetupHandler.HandleAsync(context);
|
||||
Assert.True(context.HasSucceeded);
|
||||
TestHelpers.SetupConfigurationManager(_configurationManagerMock, true);
|
||||
var claims = TestHelpers.SetupUser(
|
||||
_userManagerMock,
|
||||
_httpContextAccessor,
|
||||
UserRoles.User,
|
||||
accessSchedules);
|
||||
|
||||
var allowed = await _authorizationService.AuthorizeAsync(claims, "FirstTimeSchedule");
|
||||
|
||||
Assert.False(allowed.Succeeded);
|
||||
}
|
||||
}
|
||||
}
|
||||
|
|
|
|||
Loading…
Reference in New Issue
Block a user