2021-12-31 08:36:38 +01:00
|
|
|
using System;
|
2019-10-12 13:35:30 +02:00
|
|
|
using System.Threading.Tasks;
|
2020-11-17 13:46:23 +01:00
|
|
|
using BTCPayServer.Abstractions.Constants;
|
2020-06-28 10:55:27 +02:00
|
|
|
using BTCPayServer.Client;
|
2021-12-31 08:36:38 +01:00
|
|
|
using BTCPayServer.Controllers;
|
2019-10-12 13:35:30 +02:00
|
|
|
using BTCPayServer.Data;
|
2021-12-11 04:32:23 +01:00
|
|
|
using BTCPayServer.Services.Apps;
|
|
|
|
|
using BTCPayServer.Services.Invoices;
|
2021-12-16 17:37:19 +01:00
|
|
|
using BTCPayServer.Services.PaymentRequests;
|
2019-10-12 13:35:30 +02:00
|
|
|
using BTCPayServer.Services.Stores;
|
2020-06-28 10:55:27 +02:00
|
|
|
using Microsoft.AspNetCore.Authorization;
|
|
|
|
|
using Microsoft.AspNetCore.Http;
|
2019-10-12 13:35:30 +02:00
|
|
|
using Microsoft.AspNetCore.Identity;
|
2021-12-11 04:32:23 +01:00
|
|
|
using Microsoft.AspNetCore.Routing;
|
2019-10-12 13:35:30 +02:00
|
|
|
|
|
|
|
|
namespace BTCPayServer.Security
|
|
|
|
|
{
|
|
|
|
|
public class CookieAuthorizationHandler : AuthorizationHandler<PolicyRequirement>
|
|
|
|
|
{
|
2021-12-16 17:37:19 +01:00
|
|
|
private readonly HttpContext _httpContext;
|
2019-10-12 13:35:30 +02:00
|
|
|
private readonly UserManager<ApplicationUser> _userManager;
|
|
|
|
|
private readonly StoreRepository _storeRepository;
|
2021-12-11 04:32:23 +01:00
|
|
|
private readonly AppService _appService;
|
2021-12-16 17:37:19 +01:00
|
|
|
private readonly PaymentRequestRepository _paymentRequestRepository;
|
2021-12-11 04:32:23 +01:00
|
|
|
private readonly InvoiceRepository _invoiceRepository;
|
2019-10-12 13:35:30 +02:00
|
|
|
|
|
|
|
|
public CookieAuthorizationHandler(IHttpContextAccessor httpContextAccessor,
|
|
|
|
|
UserManager<ApplicationUser> userManager,
|
2021-12-11 04:32:23 +01:00
|
|
|
StoreRepository storeRepository,
|
|
|
|
|
AppService appService,
|
|
|
|
|
InvoiceRepository invoiceRepository,
|
2021-12-16 17:37:19 +01:00
|
|
|
PaymentRequestRepository paymentRequestRepository)
|
2019-10-12 13:35:30 +02:00
|
|
|
{
|
2021-12-16 17:37:19 +01:00
|
|
|
_httpContext = httpContextAccessor.HttpContext;
|
2019-10-12 13:35:30 +02:00
|
|
|
_userManager = userManager;
|
2021-12-11 04:32:23 +01:00
|
|
|
_appService = appService;
|
2019-10-12 13:35:30 +02:00
|
|
|
_storeRepository = storeRepository;
|
2021-12-11 04:32:23 +01:00
|
|
|
_invoiceRepository = invoiceRepository;
|
2021-12-16 17:37:19 +01:00
|
|
|
_paymentRequestRepository = paymentRequestRepository;
|
2019-10-12 13:35:30 +02:00
|
|
|
}
|
2021-12-31 08:36:38 +01:00
|
|
|
|
2019-10-12 13:35:30 +02:00
|
|
|
protected override async Task HandleRequirementAsync(AuthorizationHandlerContext context, PolicyRequirement requirement)
|
|
|
|
|
{
|
|
|
|
|
if (context.User.Identity.AuthenticationType != AuthenticationSchemes.Cookie)
|
|
|
|
|
return;
|
2021-12-16 17:37:19 +01:00
|
|
|
|
|
|
|
|
var userId = _userManager.GetUserId(context.User);
|
|
|
|
|
if (string.IsNullOrEmpty(userId))
|
|
|
|
|
return;
|
2019-10-12 13:35:30 +02:00
|
|
|
|
2021-12-31 08:36:38 +01:00
|
|
|
bool success = false;
|
|
|
|
|
var isAdmin = context.User.IsInRole(Roles.ServerAdmin);
|
|
|
|
|
|
2021-12-16 17:37:19 +01:00
|
|
|
AppData app = null;
|
2021-12-31 08:36:38 +01:00
|
|
|
StoreData store = null;
|
2021-12-16 17:37:19 +01:00
|
|
|
InvoiceEntity invoice = null;
|
|
|
|
|
PaymentRequestData paymentRequest = null;
|
2021-12-31 08:36:38 +01:00
|
|
|
string storeId;
|
|
|
|
|
var explicitResource = false;
|
|
|
|
|
if (context.Resource is string s)
|
|
|
|
|
{
|
|
|
|
|
explicitResource = true;
|
|
|
|
|
storeId = s;
|
|
|
|
|
}
|
|
|
|
|
else
|
|
|
|
|
storeId = _httpContext.GetImplicitStoreId();
|
2021-12-16 17:37:19 +01:00
|
|
|
var routeData = _httpContext.GetRouteData();
|
|
|
|
|
if (routeData != null)
|
2021-12-11 04:32:23 +01:00
|
|
|
{
|
2021-12-16 17:37:19 +01:00
|
|
|
// resolve from app
|
|
|
|
|
if (routeData.Values.TryGetValue("appId", out var vAppId))
|
2021-12-11 04:32:23 +01:00
|
|
|
{
|
2021-12-16 17:37:19 +01:00
|
|
|
string appId = vAppId as string;
|
2021-12-26 04:20:46 +01:00
|
|
|
app = await _appService.GetAppDataIfOwner(userId, appId);
|
|
|
|
|
if (storeId == null)
|
|
|
|
|
{
|
|
|
|
|
storeId = app?.StoreDataId;
|
|
|
|
|
}
|
|
|
|
|
else if (app?.StoreDataId != storeId)
|
|
|
|
|
{
|
|
|
|
|
app = null;
|
|
|
|
|
}
|
2021-12-11 04:32:23 +01:00
|
|
|
}
|
2021-12-16 17:37:19 +01:00
|
|
|
// resolve from payment request
|
|
|
|
|
if (routeData.Values.TryGetValue("payReqId", out var vPayReqId))
|
2021-12-11 04:32:23 +01:00
|
|
|
{
|
2021-12-16 17:37:19 +01:00
|
|
|
string payReqId = vPayReqId as string;
|
|
|
|
|
paymentRequest = await _paymentRequestRepository.FindPaymentRequest(payReqId, userId);
|
2021-12-31 08:36:38 +01:00
|
|
|
if (storeId == null)
|
|
|
|
|
{
|
|
|
|
|
storeId = paymentRequest?.StoreDataId;
|
|
|
|
|
}
|
|
|
|
|
else if (paymentRequest?.StoreDataId != storeId)
|
|
|
|
|
{
|
|
|
|
|
paymentRequest = null;
|
|
|
|
|
}
|
2021-12-16 17:37:19 +01:00
|
|
|
}
|
|
|
|
|
// resolve from invoice
|
|
|
|
|
if (routeData.Values.TryGetValue("invoiceId", out var vInvoiceId))
|
|
|
|
|
{
|
|
|
|
|
string invoiceId = vInvoiceId as string;
|
|
|
|
|
invoice = await _invoiceRepository.GetInvoice(invoiceId);
|
2021-12-31 08:36:38 +01:00
|
|
|
if (storeId == null)
|
|
|
|
|
{
|
|
|
|
|
storeId = invoice?.StoreId;
|
|
|
|
|
}
|
|
|
|
|
else if (invoice?.StoreId != storeId)
|
|
|
|
|
{
|
|
|
|
|
invoice = null;
|
|
|
|
|
}
|
2021-12-11 04:32:23 +01:00
|
|
|
}
|
|
|
|
|
}
|
2021-12-16 17:37:19 +01:00
|
|
|
|
2021-12-31 08:36:38 +01:00
|
|
|
// Fall back to user prefs cookie
|
2021-12-16 17:37:19 +01:00
|
|
|
if (storeId == null)
|
|
|
|
|
{
|
2021-12-31 08:36:38 +01:00
|
|
|
storeId = _httpContext.GetUserPrefsCookie()?.CurrentStoreId;
|
2021-12-16 17:37:19 +01:00
|
|
|
}
|
2019-10-12 13:35:30 +02:00
|
|
|
|
2021-12-31 08:36:38 +01:00
|
|
|
if (storeId != null)
|
|
|
|
|
{
|
|
|
|
|
store = await _storeRepository.FindStore(storeId, userId);
|
|
|
|
|
}
|
2021-12-07 16:40:24 +01:00
|
|
|
|
2019-10-12 13:35:30 +02:00
|
|
|
switch (requirement.Policy)
|
|
|
|
|
{
|
2021-12-31 08:36:38 +01:00
|
|
|
case Policies.CanModifyServerSettings:
|
|
|
|
|
if (isAdmin)
|
|
|
|
|
success = true;
|
|
|
|
|
break;
|
|
|
|
|
case Policies.CanViewInvoices:
|
|
|
|
|
if (store == null || store.Role == StoreRoles.Owner || isAdmin)
|
|
|
|
|
success = true;
|
|
|
|
|
break;
|
2020-03-20 06:01:51 +01:00
|
|
|
case Policies.CanModifyStoreSettings:
|
2021-12-07 16:40:24 +01:00
|
|
|
if (store != null && (store.Role == StoreRoles.Owner || isAdmin))
|
|
|
|
|
success = true;
|
|
|
|
|
break;
|
|
|
|
|
case Policies.CanViewStoreSettings:
|
|
|
|
|
if (store != null || isAdmin)
|
2019-10-12 13:35:30 +02:00
|
|
|
success = true;
|
|
|
|
|
break;
|
2020-03-20 06:01:51 +01:00
|
|
|
case Policies.CanCreateInvoice:
|
2021-12-07 16:40:24 +01:00
|
|
|
if (store != null || isAdmin)
|
2019-10-12 13:35:30 +02:00
|
|
|
success = true;
|
|
|
|
|
break;
|
2021-12-31 08:36:38 +01:00
|
|
|
case Policies.CanViewProfile:
|
|
|
|
|
case Policies.CanViewNotificationsForUser:
|
|
|
|
|
case Policies.CanManageNotificationsForUser:
|
|
|
|
|
case Policies.CanModifyStoreSettingsUnscoped:
|
|
|
|
|
if (context.User != null)
|
|
|
|
|
success = true;
|
|
|
|
|
break;
|
2019-10-12 13:35:30 +02:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
if (success)
|
|
|
|
|
{
|
|
|
|
|
context.Succeed(requirement);
|
2021-12-31 08:36:38 +01:00
|
|
|
if (!explicitResource)
|
|
|
|
|
{
|
|
|
|
|
|
|
|
|
|
if (store != null)
|
|
|
|
|
{
|
|
|
|
|
_httpContext.SetStoreData(store);
|
|
|
|
|
|
|
|
|
|
// cache associated entities if present
|
|
|
|
|
if (app != null) _httpContext.SetAppData(app);
|
|
|
|
|
if (invoice != null) _httpContext.SetInvoiceData(invoice);
|
|
|
|
|
if (paymentRequest != null) _httpContext.SetPaymentRequestData(paymentRequest);
|
|
|
|
|
}
|
|
|
|
|
}
|
2019-10-12 13:35:30 +02:00
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
}
|
