Adjust Auth on server (#15)

* add auth that verifies identity is marked online

* few changes for testing

* handle identity with requirements

* remove unnecessary logging from auth handler

* change to UserRequirements

* fixes to checks

* fixes to UserRequirementHandler

Co-authored-by: rootdarkarchon <root.darkarchon@outlook.com>
This commit is contained in:
rootdarkarchon
2022-10-10 19:44:30 +02:00
committed by GitHub
parent 0d8a401f13
commit d37c1208fe
11 changed files with 163 additions and 70 deletions


@@ -2,7 +2,6 @@
using System.Linq;
using System.Threading.Tasks;
using MareSynchronos.API;
using MareSynchronosShared.Authentication;
using MareSynchronosShared.Models;
using Microsoft.AspNetCore.Authorization;
using Microsoft.AspNetCore.SignalR;
@@ -12,16 +11,11 @@ namespace MareSynchronosServer.Hubs;
public partial class MareHub
{
private bool IsAdmin => _dbContext.Users.Single(b => b.UID == AuthenticatedUserId).IsAdmin;
private bool IsModerator => _dbContext.Users.Single(b => b.UID == AuthenticatedUserId).IsModerator || IsAdmin;
private List<string> OnlineAdmins => _dbContext.Users.Where(u => (u.IsModerator || u.IsAdmin)).Select(u => u.UID).ToList();
[Authorize(AuthenticationSchemes = SecretKeyGrpcAuthenticationHandler.AuthScheme)]
[Authorize(Policy = "Admin")]
public async Task AdminChangeModeratorStatus(string uid, bool isModerator)
{
if (!IsAdmin) return;
var user = await _dbContext.Users.SingleOrDefaultAsync(u => u.UID == uid).ConfigureAwait(false);
if (user == null) return;
@@ -32,10 +26,10 @@ public partial class MareHub
await Clients.Users(user.UID).Client_AdminForcedReconnect().ConfigureAwait(false);
}
[Authorize(AuthenticationSchemes = SecretKeyGrpcAuthenticationHandler.AuthScheme)]
[Authorize(Policy = "Moderator")]
public async Task AdminDeleteBannedUser(BannedUserDto dto)
{
if (!IsModerator || string.IsNullOrEmpty(dto.CharacterHash)) return;
if (string.IsNullOrEmpty(dto.CharacterHash)) return;
var existingUser =
await _dbContext.BannedUsers.SingleOrDefaultAsync(b => b.CharacterIdentification == dto.CharacterHash).ConfigureAwait(false);
@@ -49,10 +43,10 @@ public partial class MareHub
await Clients.Users(OnlineAdmins).Client_AdminDeleteBannedUser(dto).ConfigureAwait(false);
}
[Authorize(AuthenticationSchemes = SecretKeyGrpcAuthenticationHandler.AuthScheme)]
[Authorize(Policy = "Admin")]
public async Task AdminDeleteForbiddenFile(ForbiddenFileDto dto)
{
if (!IsAdmin || string.IsNullOrEmpty(dto.Hash)) return;
if (string.IsNullOrEmpty(dto.Hash)) return;
var existingFile =
await _dbContext.ForbiddenUploadEntries.SingleOrDefaultAsync(b => b.Hash == dto.Hash).ConfigureAwait(false);
@@ -66,11 +60,9 @@ public partial class MareHub
await Clients.Users(OnlineAdmins).Client_AdminDeleteForbiddenFile(dto).ConfigureAwait(false);
}
[Authorize(AuthenticationSchemes = SecretKeyGrpcAuthenticationHandler.AuthScheme)]
[Authorize(Policy = "Moderator")]
public async Task<List<BannedUserDto>> AdminGetBannedUsers()
{
if (!IsModerator) return null;
return await _dbContext.BannedUsers.AsNoTracking().Select(b => new BannedUserDto()
{
CharacterHash = b.CharacterIdentification,
@@ -78,11 +70,9 @@ public partial class MareHub
}).ToListAsync().ConfigureAwait(false);
}
[Authorize(AuthenticationSchemes = SecretKeyGrpcAuthenticationHandler.AuthScheme)]
[Authorize(Policy = "Moderator")]
public async Task<List<ForbiddenFileDto>> AdminGetForbiddenFiles()
{
if (!IsModerator) return null;
return await _dbContext.ForbiddenUploadEntries.AsNoTracking().Select(b => new ForbiddenFileDto()
{
Hash = b.Hash,
@@ -90,11 +80,9 @@ public partial class MareHub
}).ToListAsync().ConfigureAwait(false);
}
[Authorize(AuthenticationSchemes = SecretKeyGrpcAuthenticationHandler.AuthScheme)]
[Authorize(Policy = "Moderator")]
public async Task<List<OnlineUserDto>> AdminGetOnlineUsers()
{
if (!IsModerator) return null;
var users = await _dbContext.Users.AsNoTracking().ToListAsync().ConfigureAwait(false);
return users.Where(c => !string.IsNullOrEmpty(_clientIdentService.GetCharacterIdentForUid(c.UID))).Select(b => new OnlineUserDto
{
@@ -105,10 +93,10 @@ public partial class MareHub
}).ToList();
}
[Authorize(AuthenticationSchemes = SecretKeyGrpcAuthenticationHandler.AuthScheme)]
[Authorize(Policy = "Moderator")]
public async Task AdminUpdateOrAddBannedUser(BannedUserDto dto)
{
if (!IsModerator || string.IsNullOrEmpty(dto.CharacterHash)) return;
if (string.IsNullOrEmpty(dto.CharacterHash)) return;
var existingUser =
await _dbContext.BannedUsers.SingleOrDefaultAsync(b => b.CharacterIdentification == dto.CharacterHash).ConfigureAwait(false);
@@ -135,10 +123,10 @@ public partial class MareHub
}
}
[Authorize(AuthenticationSchemes = SecretKeyGrpcAuthenticationHandler.AuthScheme)]
[Authorize(Policy = "Admin")]
public async Task AdminUpdateOrAddForbiddenFile(ForbiddenFileDto dto)
{
if (!IsAdmin || string.IsNullOrEmpty(dto.Hash)) return;
if (string.IsNullOrEmpty(dto.Hash)) return;
var existingForbiddenFile =
await _dbContext.ForbiddenUploadEntries.SingleOrDefaultAsync(b => b.Hash == dto.Hash).ConfigureAwait(false);
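Review bot: The `[Authorize(Policy = "Moderator")]` attributes on `AdminDeleteBannedUser`, `AdminGetBannedUsers`, `AdminGetForbiddenFiles`, `AdminGetOnlineUsers` and `AdminUpdateOrAddBannedUser` replace an `IsModerator` check that was defined as `IsModerator || IsAdmin`, so the "Moderator" requirement handler (not in this diff) has to admit admins as well or admins lose those endpoints; worth a test, since the in-method guards are gone and the policy is now the only role check. The new attributes also drop `AuthenticationSchemes = SecretKeyGrpcAuthenticationHandler.AuthScheme`, so these methods now authenticate through whatever default scheme is registered, which this diff does not show; if the default is not the secret-key handler the policy is evaluated against a different principal. The policy names are repeated as bare string literals, so a typo in one attribute surfaces only at runtime; suggest constants such as `internal static class MarePolicies { public const string Admin = "Admin"; public const string Moderator = "Moderator"; public const string Identified = "Identified"; }` and `[Authorize(Policy = MarePolicies.Admin)]`. The enclosing `MareHub` partial class continues outside these hunks.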


@@ -9,19 +9,16 @@ using Google.Protobuf;
using Grpc.Core;
using MareSynchronos.API;
using MareSynchronosServer.Utils;
using MareSynchronosShared.Authentication;
using MareSynchronosShared.Models;
using MareSynchronosShared.Protos;
using Microsoft.AspNetCore.Authorization;
using Microsoft.AspNetCore.SignalR;
using Microsoft.EntityFrameworkCore;
using Microsoft.Extensions.Logging;
namespace MareSynchronosServer.Hubs;
public partial class MareHub
{
[Authorize(AuthenticationSchemes = SecretKeyGrpcAuthenticationHandler.AuthScheme)]
[Authorize(Policy = "Identified")]
public async Task FilesAbortUpload()
{
_logger.LogCallInfo();
@@ -31,7 +28,7 @@ public partial class MareHub
await _dbContext.SaveChangesAsync().ConfigureAwait(false);
}
[Authorize(AuthenticationSchemes = SecretKeyGrpcAuthenticationHandler.AuthScheme)]
[Authorize(Policy = "Identified")]
public async Task FilesDeleteAll()
{
_logger.LogCallInfo();
@@ -46,7 +43,7 @@ public partial class MareHub
_ = await _fileServiceClient.DeleteFilesAsync(request, headers).ConfigureAwait(false);
}
[Authorize(AuthenticationSchemes = SecretKeyGrpcAuthenticationHandler.AuthScheme)]
[Authorize(Policy = "Identified")]
public async Task<List<DownloadFileDto>> FilesGetSizes(List<string> hashes)
{
_logger.LogCallInfo(MareHubLogger.Args(hashes.Count.ToString()));
@@ -83,7 +80,7 @@ public partial class MareHub
return response;
}
[Authorize(AuthenticationSchemes = SecretKeyGrpcAuthenticationHandler.AuthScheme)]
[Authorize(Policy = "Identified")]
public async Task<bool> FilesIsUploadFinished()
{
_logger.LogCallInfo();
@@ -92,7 +89,7 @@ public partial class MareHub
.AnyAsync(f => f.Uploader.UID == userUid && !f.Uploaded).ConfigureAwait(false);
}
[Authorize(AuthenticationSchemes = SecretKeyGrpcAuthenticationHandler.AuthScheme)]
[Authorize(Policy = "Identified")]
public async Task<List<UploadFileDto>> FilesSend(List<string> fileListHashes)
{
var userSentHashes = new HashSet<string>(fileListHashes.Distinct(StringComparer.Ordinal), StringComparer.Ordinal);
@@ -142,7 +139,7 @@ public partial class MareHub
return notCoveredFiles.Values.ToList();
}
[Authorize(AuthenticationSchemes = SecretKeyGrpcAuthenticationHandler.AuthScheme)]
[Authorize(Policy = "Identified")]
public async Task FilesUploadStreamAsync(string hash, IAsyncEnumerable<byte[]> fileContent)
{
_logger.LogCallInfo(MareHubLogger.Args(hash));
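Review bot: `[Authorize(Policy = "Identified")]` is now the only gate on `FilesAbortUpload`, `FilesDeleteAll`, `FilesGetSizes`, `FilesIsUploadFinished`, `FilesSend` and `FilesUploadStreamAsync`, and per the commit description it is meant to verify the identity is marked online; SignalR evaluates hub-method authorization per invocation against the connection's principal, so the requirement handler has to consult live state (the ident service) rather than a claim captured at connect time, otherwise a client that has since gone offline keeps passing. The same `"Identified"` literal is repeated across this partial and the group and user partials; a single constant for the policy name would keep the attributes in step with the registration. `FilesGetSizes` and `FilesSend` still dereference `hashes.Count` and `fileListHashes.Distinct(...)` with no null guard, so a malformed invocation fails with a NullReferenceException after passing authorization; `ArgumentNullException.ThrowIfNull(hashes);` at the top would turn that into an explicit argument error. Each method's body continues outside its hunk.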


@@ -16,7 +16,7 @@ namespace MareSynchronosServer.Hubs;
public partial class MareHub
{
[Authorize(AuthenticationSchemes = SecretKeyGrpcAuthenticationHandler.AuthScheme)]
[Authorize(Policy = "Identified")]
public async Task<GroupCreatedDto> GroupCreate()
{
_logger.LogCallInfo();
@@ -78,7 +78,7 @@ public partial class MareHub
};
}
[Authorize(AuthenticationSchemes = SecretKeyGrpcAuthenticationHandler.AuthScheme)]
[Authorize(Policy = "Identified")]
public async Task<List<GroupDto>> GroupsGetAll()
{
_logger.LogCallInfo();
@@ -96,7 +96,7 @@ public partial class MareHub
}).ToList();
}
[Authorize(AuthenticationSchemes = SecretKeyGrpcAuthenticationHandler.AuthScheme)]
[Authorize(Policy = "Identified")]
public async Task<List<GroupPairDto>> GroupsGetUsersInGroup(string gid)
{
_logger.LogCallInfo(MareHubLogger.Args(gid));
@@ -117,7 +117,7 @@ public partial class MareHub
}).ToList();
}
[Authorize(AuthenticationSchemes = SecretKeyGrpcAuthenticationHandler.AuthScheme)]
[Authorize(Policy = "Identified")]
public async Task GroupChangeInviteState(string gid, bool enabled)
{
_logger.LogCallInfo(MareHubLogger.Args(gid, enabled.ToString()));
@@ -138,7 +138,7 @@ public partial class MareHub
}).ConfigureAwait(false);
}
[Authorize(AuthenticationSchemes = SecretKeyGrpcAuthenticationHandler.AuthScheme)]
[Authorize(Policy = "Identified")]
public async Task GroupDelete(string gid)
{
_logger.LogCallInfo(MareHubLogger.Args(gid));
@@ -162,7 +162,7 @@ public partial class MareHub
await SendGroupDeletedToAll(groupPairs).ConfigureAwait(false);
}
[Authorize(AuthenticationSchemes = SecretKeyGrpcAuthenticationHandler.AuthScheme)]
[Authorize(Policy = "Identified")]
public async Task<bool> GroupJoin(string gid, string password)
{
_logger.LogCallInfo(MareHubLogger.Args(gid));
@@ -239,7 +239,7 @@ public partial class MareHub
return true;
}
[Authorize(AuthenticationSchemes = SecretKeyGrpcAuthenticationHandler.AuthScheme)]
[Authorize(Policy = "Identified")]
public async Task GroupLeave(string gid)
{
_logger.LogCallInfo(MareHubLogger.Args(gid));
@@ -322,7 +322,7 @@ public partial class MareHub
}
}
[Authorize(AuthenticationSchemes = SecretKeyGrpcAuthenticationHandler.AuthScheme)]
[Authorize(Policy = "Identified")]
public async Task GroupChangePauseState(string gid, bool isPaused)
{
_logger.LogCallInfo(MareHubLogger.Args(gid, isPaused));
@@ -370,7 +370,7 @@ public partial class MareHub
}
}
[Authorize(AuthenticationSchemes = SecretKeyGrpcAuthenticationHandler.AuthScheme)]
[Authorize(Policy = "Identified")]
public async Task GroupRemoveUser(string gid, string uid)
{
_logger.LogCallInfo(MareHubLogger.Args(gid, uid));
@@ -412,7 +412,7 @@ public partial class MareHub
}
}
[Authorize(AuthenticationSchemes = SecretKeyGrpcAuthenticationHandler.AuthScheme)]
[Authorize(Policy = "Identified")]
public async Task GroupBanUser(string gid, string uid, string reason)
{
_logger.LogCallInfo(MareHubLogger.Args(gid, uid));
@@ -443,7 +443,7 @@ public partial class MareHub
_logger.LogCallInfo(MareHubLogger.Args(gid, uid, "Success"));
}
[Authorize(AuthenticationSchemes = SecretKeyGrpcAuthenticationHandler.AuthScheme)]
[Authorize(Policy = "Identified")]
public async Task GroupUnbanUser(string gid, string uid)
{
_logger.LogCallInfo(MareHubLogger.Args(gid, uid));
@@ -484,7 +484,7 @@ public partial class MareHub
return bannedGroupUsers;
}
[Authorize(AuthenticationSchemes = SecretKeyGrpcAuthenticationHandler.AuthScheme)]
[Authorize(Policy = "Identified")]
public async Task GroupSetModerator(string gid, string uid, bool isGroupModerator)
{
_logger.LogCallInfo(MareHubLogger.Args(gid, uid, isGroupModerator));
@@ -517,7 +517,7 @@ public partial class MareHub
_logger.LogCallInfo(MareHubLogger.Args(gid, uid, isGroupModerator, "Success"));
}
[Authorize(AuthenticationSchemes = SecretKeyGrpcAuthenticationHandler.AuthScheme)]
[Authorize(Policy = "Identified")]
public async Task GroupChangeOwnership(string gid, string uid)
{
_logger.LogCallInfo(MareHubLogger.Args(gid, uid));
@@ -567,7 +567,7 @@ public partial class MareHub
}).ConfigureAwait(false);
}
[Authorize(AuthenticationSchemes = SecretKeyGrpcAuthenticationHandler.AuthScheme)]
[Authorize(Policy = "Identified")]
public async Task<bool> GroupChangePassword(string gid, string password)
{
_logger.LogCallInfo(MareHubLogger.Args(gid));
@@ -583,7 +583,7 @@ public partial class MareHub
return true;
}
[Authorize(AuthenticationSchemes = SecretKeyGrpcAuthenticationHandler.AuthScheme)]
[Authorize(Policy = "Identified")]
public async Task GroupChangePinned(string gid, string uid, bool isPinned)
{
_logger.LogCallInfo(MareHubLogger.Args(gid, uid, isPinned));
@@ -609,7 +609,7 @@ public partial class MareHub
}).ConfigureAwait(false);
}
[Authorize(AuthenticationSchemes = SecretKeyGrpcAuthenticationHandler.AuthScheme)]
[Authorize(Policy = "Identified")]
public async Task GroupClear(string gid)
{
_logger.LogCallInfo(MareHubLogger.Args(gid));


@@ -15,7 +15,7 @@ namespace MareSynchronosServer.Hubs;
public partial class MareHub
{
[Authorize(AuthenticationSchemes = SecretKeyGrpcAuthenticationHandler.AuthScheme)]
[Authorize(Policy = "Identified")]
public async Task UserDelete()
{
_logger.LogCallInfo();
@@ -66,7 +66,7 @@ public partial class MareHub
await _dbContext.SaveChangesAsync().ConfigureAwait(false);
}
[Authorize(AuthenticationSchemes = SecretKeyGrpcAuthenticationHandler.AuthScheme)]
[Authorize(Policy = "Identified")]
public async Task<List<string>> UserGetOnlineCharacters()
{
_logger.LogCallInfo();
@@ -77,7 +77,7 @@ public partial class MareHub
return usersToSendOnlineTo.Select(e => _clientIdentService.GetCharacterIdentForUid(e)).Where(t => !string.IsNullOrEmpty(t)).Distinct(System.StringComparer.Ordinal).ToList();
}
[Authorize(AuthenticationSchemes = SecretKeyGrpcAuthenticationHandler.AuthScheme)]
[Authorize(Policy = "Identified")]
public async Task<List<ClientPairDto>> UserGetPairedClients()
{
_logger.LogCallInfo();
@@ -118,7 +118,7 @@ public partial class MareHub
}).ToList();
}
[Authorize(AuthenticationSchemes = SecretKeyGrpcAuthenticationHandler.AuthScheme)]
[Authorize(Policy = "Identified")]
public async Task UserPushData(CharacterCacheDto characterCache, List<string> visibleCharacterIds)
{
_logger.LogCallInfo(MareHubLogger.Args(visibleCharacterIds.Count));
@@ -138,7 +138,7 @@ public partial class MareHub
_mareMetrics.IncCounter(MetricsAPI.CounterUserPushDataTo, allPairedUsersDict.Count());
}
[Authorize(AuthenticationSchemes = SecretKeyGrpcAuthenticationHandler.AuthScheme)]
[Authorize(Policy = "Identified")]
public async Task UserAddPair(string uid)
{
_logger.LogCallInfo(MareHubLogger.Args(uid));
@@ -211,7 +211,7 @@ public partial class MareHub
}
}
[Authorize(AuthenticationSchemes = SecretKeyGrpcAuthenticationHandler.AuthScheme)]
[Authorize(Policy = "Identified")]
public async Task UserChangePairPauseStatus(string otherUserUid, bool isPaused)
{
_logger.LogCallInfo(MareHubLogger.Args(otherUserUid, isPaused));
@@ -256,7 +256,7 @@ public partial class MareHub
}
}
[Authorize(AuthenticationSchemes = SecretKeyGrpcAuthenticationHandler.AuthScheme)]
[Authorize(Policy = "Identified")]
public async Task UserRemovePair(string otherUserUid)
{
_logger.LogCallInfo(MareHubLogger.Args(otherUserUid));
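Review bot: `UserDelete` now requires the `"Identified"` policy rather than only the secret-key scheme, so a user whose identity is not currently marked online (the condition the commit description gives for that policy) can no longer delete their own account, whereas `Heartbeat` and `CheckClientHealth` in the main partial are placed under the looser `"Authenticated"` policy. If that tightening is intended, a one-line comment on the attribute would stop a later reader from "fixing" it, e.g. `// intentionally requires an online identity, not just a valid key`; if it is not, `[Authorize(Policy = "Authenticated")]` matches the other account-level methods. The method body continues outside the hunk.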


@@ -18,6 +18,7 @@ using Microsoft.Extensions.Logging;
namespace MareSynchronosServer.Hubs;
[Authorize]
public partial class MareHub : Hub<IMareHub>, IMareHub
{
private readonly MareMetrics _mareMetrics;
@@ -54,7 +55,7 @@ public partial class MareHub : Hub<IMareHub>, IMareHub
_dbContext = mareDbContext;
}
[Authorize(AuthenticationSchemes = SecretKeyGrpcAuthenticationHandler.AuthScheme)]
[Authorize(Policy = "Authenticated")]
public async Task<ConnectionDto> Heartbeat(string characterIdentification)
{
_mareMetrics.IncCounter(MetricsAPI.CounterInitializedConnections);
@@ -111,14 +112,12 @@ public partial class MareHub : Hub<IMareHub>, IMareHub
};
}
[Authorize(AuthenticationSchemes = SecretKeyGrpcAuthenticationHandler.AuthScheme)]
[Authorize(Policy = "Authenticated")]
public async Task<bool> CheckClientHealth()
{
var serverId = _clientIdentService.GetServerForUid(AuthenticatedUserId);
bool needsReconnect = false;
if (string.IsNullOrEmpty(serverId) || !string.Equals(serverId, _shardName, StringComparison.Ordinal))
var needsReconnect = !_clientIdentService.IsOnCurrentServer(AuthenticatedUserId);
if (needsReconnect)
{
needsReconnect = true;
_logger.LogCallWarning(MareHubLogger.Args(needsReconnect));
}
return needsReconnect;