aboutsummaryrefslogtreecommitdiff
path: root/Emby.Server.Implementations/HttpServer/Security
diff options
context:
space:
mode:
Diffstat (limited to 'Emby.Server.Implementations/HttpServer/Security')
-rw-r--r--Emby.Server.Implementations/HttpServer/Security/AuthService.cs213
-rw-r--r--Emby.Server.Implementations/HttpServer/Security/AuthorizationContext.cs24
-rw-r--r--Emby.Server.Implementations/HttpServer/Security/SessionContext.cs20
3 files changed, 17 insertions, 240 deletions
diff --git a/Emby.Server.Implementations/HttpServer/Security/AuthService.cs b/Emby.Server.Implementations/HttpServer/Security/AuthService.cs
index 76c1d9bac..68d981ad1 100644
--- a/Emby.Server.Implementations/HttpServer/Security/AuthService.cs
+++ b/Emby.Server.Implementations/HttpServer/Security/AuthService.cs
@@ -1,17 +1,7 @@
#pragma warning disable CS1591
-using System;
-using System.Linq;
-using Emby.Server.Implementations.SocketSharp;
-using Jellyfin.Data.Entities;
using Jellyfin.Data.Enums;
-using MediaBrowser.Common.Net;
-using MediaBrowser.Controller.Authentication;
-using MediaBrowser.Controller.Configuration;
using MediaBrowser.Controller.Net;
-using MediaBrowser.Controller.Security;
-using MediaBrowser.Controller.Session;
-using MediaBrowser.Model.Services;
using Microsoft.AspNetCore.Http;
namespace Emby.Server.Implementations.HttpServer.Security
@@ -19,32 +9,11 @@ namespace Emby.Server.Implementations.HttpServer.Security
public class AuthService : IAuthService
{
private readonly IAuthorizationContext _authorizationContext;
- private readonly ISessionManager _sessionManager;
- private readonly IServerConfigurationManager _config;
- private readonly INetworkManager _networkManager;
public AuthService(
- IAuthorizationContext authorizationContext,
- IServerConfigurationManager config,
- ISessionManager sessionManager,
- INetworkManager networkManager)
+ IAuthorizationContext authorizationContext)
{
_authorizationContext = authorizationContext;
- _config = config;
- _sessionManager = sessionManager;
- _networkManager = networkManager;
- }
-
- public void Authenticate(IRequest request, IAuthenticationAttributes authAttributes)
- {
- ValidateUser(request, authAttributes);
- }
-
- public User Authenticate(HttpRequest request, IAuthenticationAttributes authAttributes)
- {
- var req = new WebSocketSharpRequest(request, null, request.Path);
- var user = ValidateUser(req, authAttributes);
- return user;
}
public AuthorizationInfo Authenticate(HttpRequest request)
@@ -62,185 +31,5 @@ namespace Emby.Server.Implementations.HttpServer.Security
return auth;
}
-
- private User ValidateUser(IRequest request, IAuthenticationAttributes authAttributes)
- {
- // This code is executed before the service
- var auth = _authorizationContext.GetAuthorizationInfo(request);
-
- if (!IsExemptFromAuthenticationToken(authAttributes, request))
- {
- ValidateSecurityToken(request, auth.Token);
- }
-
- if (authAttributes.AllowLocalOnly && !request.IsLocal)
- {
- throw new SecurityException("Operation not found.");
- }
-
- var user = auth.User;
-
- if (user == null && auth.UserId != Guid.Empty)
- {
- throw new AuthenticationException("User with Id " + auth.UserId + " not found");
- }
-
- if (user != null)
- {
- ValidateUserAccess(user, request, authAttributes);
- }
-
- var info = GetTokenInfo(request);
-
- if (!IsExemptFromRoles(auth, authAttributes, request, info))
- {
- var roles = authAttributes.GetRoles();
-
- ValidateRoles(roles, user);
- }
-
- if (!string.IsNullOrEmpty(auth.DeviceId) &&
- !string.IsNullOrEmpty(auth.Client) &&
- !string.IsNullOrEmpty(auth.Device))
- {
- _sessionManager.LogSessionActivity(
- auth.Client,
- auth.Version,
- auth.DeviceId,
- auth.Device,
- request.RemoteIp,
- user);
- }
-
- return user;
- }
-
- private void ValidateUserAccess(
- User user,
- IRequest request,
- IAuthenticationAttributes authAttributes)
- {
- if (user.HasPermission(PermissionKind.IsDisabled))
- {
- throw new SecurityException("User account has been disabled.");
- }
-
- if (!user.HasPermission(PermissionKind.EnableRemoteAccess) && !_networkManager.IsInLocalNetwork(request.RemoteIp))
- {
- throw new SecurityException("User account has been disabled.");
- }
-
- if (!user.HasPermission(PermissionKind.IsAdministrator)
- && !authAttributes.EscapeParentalControl
- && !user.IsParentalScheduleAllowed())
- {
- request.Response.Headers.Add("X-Application-Error-Code", "ParentalControl");
-
- throw new SecurityException("This user account is not allowed access at this time.");
- }
- }
-
- private bool IsExemptFromAuthenticationToken(IAuthenticationAttributes authAttribtues, IRequest request)
- {
- if (!_config.Configuration.IsStartupWizardCompleted && authAttribtues.AllowBeforeStartupWizard)
- {
- return true;
- }
-
- if (authAttribtues.AllowLocal && request.IsLocal)
- {
- return true;
- }
-
- if (authAttribtues.AllowLocalOnly && request.IsLocal)
- {
- return true;
- }
-
- if (authAttribtues.IgnoreLegacyAuth)
- {
- return true;
- }
-
- return false;
- }
-
- private bool IsExemptFromRoles(AuthorizationInfo auth, IAuthenticationAttributes authAttribtues, IRequest request, AuthenticationInfo tokenInfo)
- {
- if (!_config.Configuration.IsStartupWizardCompleted && authAttribtues.AllowBeforeStartupWizard)
- {
- return true;
- }
-
- if (authAttribtues.AllowLocal && request.IsLocal)
- {
- return true;
- }
-
- if (authAttribtues.AllowLocalOnly && request.IsLocal)
- {
- return true;
- }
-
- if (string.IsNullOrEmpty(auth.Token))
- {
- return true;
- }
-
- if (tokenInfo != null && tokenInfo.UserId.Equals(Guid.Empty))
- {
- return true;
- }
-
- return false;
- }
-
- private static void ValidateRoles(string[] roles, User user)
- {
- if (roles.Contains("admin", StringComparer.OrdinalIgnoreCase))
- {
- if (user == null || !user.HasPermission(PermissionKind.IsAdministrator))
- {
- throw new SecurityException("User does not have admin access.");
- }
- }
-
- if (roles.Contains("delete", StringComparer.OrdinalIgnoreCase))
- {
- if (user == null || !user.HasPermission(PermissionKind.EnableContentDeletion))
- {
- throw new SecurityException("User does not have delete access.");
- }
- }
-
- if (roles.Contains("download", StringComparer.OrdinalIgnoreCase))
- {
- if (user == null || !user.HasPermission(PermissionKind.EnableContentDownloading))
- {
- throw new SecurityException("User does not have download access.");
- }
- }
- }
-
- private static AuthenticationInfo GetTokenInfo(IRequest request)
- {
- request.Items.TryGetValue("OriginalAuthenticationInfo", out var info);
- return info as AuthenticationInfo;
- }
-
- private void ValidateSecurityToken(IRequest request, string token)
- {
- if (string.IsNullOrEmpty(token))
- {
- throw new AuthenticationException("Access token is required.");
- }
-
- var info = GetTokenInfo(request);
-
- if (info == null)
- {
- throw new AuthenticationException("Access token is invalid or expired.");
- }
- }
}
}
diff --git a/Emby.Server.Implementations/HttpServer/Security/AuthorizationContext.cs b/Emby.Server.Implementations/HttpServer/Security/AuthorizationContext.cs
index fb93fae3e..4b407dd9d 100644
--- a/Emby.Server.Implementations/HttpServer/Security/AuthorizationContext.cs
+++ b/Emby.Server.Implementations/HttpServer/Security/AuthorizationContext.cs
@@ -7,7 +7,6 @@ using System.Net;
using MediaBrowser.Controller.Library;
using MediaBrowser.Controller.Net;
using MediaBrowser.Controller.Security;
-using MediaBrowser.Model.Services;
using Microsoft.AspNetCore.Http;
using Microsoft.Net.Http.Headers;
@@ -24,14 +23,9 @@ namespace Emby.Server.Implementations.HttpServer.Security
_userManager = userManager;
}
- public AuthorizationInfo GetAuthorizationInfo(object requestContext)
+ public AuthorizationInfo GetAuthorizationInfo(HttpContext requestContext)
{
- return GetAuthorizationInfo((IRequest)requestContext);
- }
-
- public AuthorizationInfo GetAuthorizationInfo(IRequest requestContext)
- {
- if (requestContext.Items.TryGetValue("AuthorizationInfo", out var cached))
+ if (requestContext.Request.HttpContext.Items.TryGetValue("AuthorizationInfo", out var cached))
{
return (AuthorizationInfo)cached;
}
@@ -52,18 +46,18 @@ namespace Emby.Server.Implementations.HttpServer.Security
/// </summary>
/// <param name="httpReq">The HTTP req.</param>
/// <returns>Dictionary{System.StringSystem.String}.</returns>
- private AuthorizationInfo GetAuthorization(IRequest httpReq)
+ private AuthorizationInfo GetAuthorization(HttpContext httpReq)
{
var auth = GetAuthorizationDictionary(httpReq);
var (authInfo, originalAuthInfo) =
- GetAuthorizationInfoFromDictionary(auth, httpReq.Headers, httpReq.QueryString);
+ GetAuthorizationInfoFromDictionary(auth, httpReq.Request.Headers, httpReq.Request.Query);
if (originalAuthInfo != null)
{
- httpReq.Items["OriginalAuthenticationInfo"] = originalAuthInfo;
+ httpReq.Request.HttpContext.Items["OriginalAuthenticationInfo"] = originalAuthInfo;
}
- httpReq.Items["AuthorizationInfo"] = authInfo;
+ httpReq.Request.HttpContext.Items["AuthorizationInfo"] = authInfo;
return authInfo;
}
@@ -203,13 +197,13 @@ namespace Emby.Server.Implementations.HttpServer.Security
/// </summary>
/// <param name="httpReq">The HTTP req.</param>
/// <returns>Dictionary{System.StringSystem.String}.</returns>
- private Dictionary<string, string> GetAuthorizationDictionary(IRequest httpReq)
+ private Dictionary<string, string> GetAuthorizationDictionary(HttpContext httpReq)
{
- var auth = httpReq.Headers["X-Emby-Authorization"];
+ var auth = httpReq.Request.Headers["X-Emby-Authorization"];
if (string.IsNullOrEmpty(auth))
{
- auth = httpReq.Headers[HeaderNames.Authorization];
+ auth = httpReq.Request.Headers[HeaderNames.Authorization];
}
return GetAuthorization(auth);
diff --git a/Emby.Server.Implementations/HttpServer/Security/SessionContext.cs b/Emby.Server.Implementations/HttpServer/Security/SessionContext.cs
index 03fcfa53d..8777c59b7 100644
--- a/Emby.Server.Implementations/HttpServer/Security/SessionContext.cs
+++ b/Emby.Server.Implementations/HttpServer/Security/SessionContext.cs
@@ -2,11 +2,11 @@
using System;
using Jellyfin.Data.Entities;
+using MediaBrowser.Common.Extensions;
using MediaBrowser.Controller.Library;
using MediaBrowser.Controller.Net;
-using MediaBrowser.Controller.Security;
using MediaBrowser.Controller.Session;
-using MediaBrowser.Model.Services;
+using Microsoft.AspNetCore.Http;
namespace Emby.Server.Implementations.HttpServer.Security
{
@@ -23,26 +23,20 @@ namespace Emby.Server.Implementations.HttpServer.Security
_sessionManager = sessionManager;
}
- public SessionInfo GetSession(IRequest requestContext)
+ public SessionInfo GetSession(HttpContext requestContext)
{
var authorization = _authContext.GetAuthorizationInfo(requestContext);
var user = authorization.User;
- return _sessionManager.LogSessionActivity(authorization.Client, authorization.Version, authorization.DeviceId, authorization.Device, requestContext.RemoteIp, user);
- }
-
- private AuthenticationInfo GetTokenInfo(IRequest request)
- {
- request.Items.TryGetValue("OriginalAuthenticationInfo", out var info);
- return info as AuthenticationInfo;
+ return _sessionManager.LogSessionActivity(authorization.Client, authorization.Version, authorization.DeviceId, authorization.Device, requestContext.Request.RemoteIp(), user);
}
public SessionInfo GetSession(object requestContext)
{
- return GetSession((IRequest)requestContext);
+ return GetSession((HttpContext)requestContext);
}
- public User GetUser(IRequest requestContext)
+ public User GetUser(HttpContext requestContext)
{
var session = GetSession(requestContext);
@@ -51,7 +45,7 @@ namespace Emby.Server.Implementations.HttpServer.Security
public User GetUser(object requestContext)
{
- return GetUser((IRequest)requestContext);
+ return GetUser((HttpContext)requestContext);
}
}
}
generated by cgit v1.2.3 (git 2.46.0) at 2025-12-06 19:40:36 +0000