blob: 401392a633ae5eb7d315665549a51cfa7e1fee02 (
plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
|
using System;
using System.Collections.Generic;
using System.Linq;
using Jellyfin.Api.Auth.DefaultAuthorizationPolicy;
using Jellyfin.Api.Constants;
using Jellyfin.Extensions;
using Microsoft.AspNetCore.Authorization;
using Microsoft.OpenApi.Models;
using Swashbuckle.AspNetCore.SwaggerGen;
namespace Jellyfin.Server.Filters;
/// <summary>
/// Security requirement operation filter.
/// </summary>
public class SecurityRequirementsOperationFilter : IOperationFilter
{
private const string DefaultAuthPolicy = "DefaultAuthorization";
private static readonly Type _attributeType = typeof(AuthorizeAttribute);
private readonly IAuthorizationPolicyProvider _authorizationPolicyProvider;
/// <summary>
/// Initializes a new instance of the <see cref="SecurityRequirementsOperationFilter"/> class.
/// </summary>
/// <param name="authorizationPolicyProvider">The authorization policy provider.</param>
public SecurityRequirementsOperationFilter(IAuthorizationPolicyProvider authorizationPolicyProvider)
{
_authorizationPolicyProvider = authorizationPolicyProvider;
}
/// <inheritdoc />
public void Apply(OpenApiOperation operation, OperationFilterContext context)
{
var requiredScopes = new List<string>();
var requiresAuth = false;
// Add all method scopes.
foreach (var authorizeAttribute in context.MethodInfo.GetCustomAttributes(_attributeType, true).Cast<AuthorizeAttribute>())
{
requiresAuth = true;
var policy = authorizeAttribute.Policy ?? DefaultAuthPolicy;
if (!requiredScopes.Contains(policy, StringComparer.Ordinal))
{
requiredScopes.Add(policy);
}
}
// Add controller scopes if any.
var controllerAttributes = context.MethodInfo.DeclaringType?.GetCustomAttributes(_attributeType, true).Cast<AuthorizeAttribute>();
if (controllerAttributes is not null)
{
foreach (var authorizeAttribute in controllerAttributes)
{
requiresAuth = true;
var policy = authorizeAttribute.Policy ?? DefaultAuthPolicy;
if (!requiredScopes.Contains(policy, StringComparer.Ordinal))
{
requiredScopes.Add(policy);
}
}
}
if (!requiresAuth)
{
return;
}
if (!operation.Responses.ContainsKey("401"))
{
operation.Responses.Add("401", new OpenApiResponse { Description = "Unauthorized" });
}
if (!operation.Responses.ContainsKey("403"))
{
operation.Responses.Add("403", new OpenApiResponse { Description = "Forbidden" });
}
var scheme = new OpenApiSecurityScheme
{
Reference = new OpenApiReference
{
Type = ReferenceType.SecurityScheme,
Id = AuthenticationSchemes.CustomAuthentication
},
};
// Add DefaultAuthorization scope to any endpoint that has a policy with a requirement that is a subset of DefaultAuthorization.
if (!requiredScopes.Contains(DefaultAuthPolicy.AsSpan(), StringComparison.Ordinal))
{
foreach (var scope in requiredScopes)
{
var authorizationPolicy = _authorizationPolicyProvider.GetPolicyAsync(scope).GetAwaiter().GetResult();
if (authorizationPolicy is not null
&& authorizationPolicy.Requirements.Any(r => r is DefaultAuthorizationRequirement))
{
requiredScopes.Add(DefaultAuthPolicy);
break;
}
}
}
operation.Security = [new OpenApiSecurityRequirement { [scheme] = requiredScopes }];
}
}
|
