mirrors/btcpayserver
1
0
Fork 0
mirror of https://github.com/btcpayserver/btcpayserver.git synced 2024-11-19 18:11:36 +01:00
Code Issues Packages Projects Releases Wiki Activity
e5a2aeb145
btcpayserver/BTCPayServer/Security/GreenField/GreenFieldAuthorizationHandler.cs
Andrew Camilleri 783e4ccb35
Store Custom Roles (#4940)
2023-05-26 23:49:32 +09:00

157 lines
6.9 KiB
C#
Raw Blame History

using System.Collections.Generic;
using System.Security.Claims;
using System.Threading.Tasks;
using BTCPayServer.Abstractions.Contracts;
using BTCPayServer.Client;
using BTCPayServer.Data;
using BTCPayServer.Services.Stores;
using Microsoft.AspNetCore.Authorization;
using Microsoft.AspNetCore.Http;
using Microsoft.AspNetCore.Identity;
using StoreData = BTCPayServer.Data.StoreData;
namespace BTCPayServer.Security.Greenfield
{
public class LocalGreenfieldAuthorizationHandler : AuthorizationHandler<PolicyRequirement>
{
private readonly IHttpContextAccessor _httpContextAccessor;
private readonly UserManager<ApplicationUser> _userManager;
private readonly StoreRepository _storeRepository;
private readonly IPluginHookService _pluginHookService;
public LocalGreenfieldAuthorizationHandler(IHttpContextAccessor httpContextAccessor,
UserManager<ApplicationUser> userManager,
StoreRepository storeRepository,
IPluginHookService pluginHookService)
{
_httpContextAccessor = httpContextAccessor;
_userManager = userManager;
_storeRepository = storeRepository;
_pluginHookService = pluginHookService;
}
protected override Task HandleRequirementAsync(AuthorizationHandlerContext context, PolicyRequirement requirement)
{
var withuser = context.User.Identity?.AuthenticationType == $"Local{GreenfieldConstants.AuthenticationType}WithUser";
if (withuser)
{
var newUser = new ClaimsPrincipal(new ClaimsIdentity(context.User.Claims,
$"{GreenfieldConstants.AuthenticationType}"));
var newContext = new AuthorizationHandlerContext(context.Requirements, newUser, null);
return new GreenfieldAuthorizationHandler(
_httpContextAccessor, _userManager, _storeRepository, _pluginHookService).HandleAsync(newContext);
}
var succeed = context.User.Identity.AuthenticationType == $"Local{GreenfieldConstants.AuthenticationType}";
if (succeed)
{
context.Succeed(requirement);
}
return Task.CompletedTask;
}
}
public class GreenfieldAuthorizationHandler : AuthorizationHandler<PolicyRequirement>
{
private readonly HttpContext _httpContext;
private readonly UserManager<ApplicationUser> _userManager;
private readonly StoreRepository _storeRepository;
private readonly IPluginHookService _pluginHookService;
public GreenfieldAuthorizationHandler(IHttpContextAccessor httpContextAccessor,
UserManager<ApplicationUser> userManager,
StoreRepository storeRepository,
IPluginHookService pluginHookService)
{
_httpContext = httpContextAccessor.HttpContext;
_userManager = userManager;
_storeRepository = storeRepository;
_pluginHookService = pluginHookService;
}
protected override async Task HandleRequirementAsync(AuthorizationHandlerContext context,
PolicyRequirement requirement)
{
if (context.User.Identity.AuthenticationType != GreenfieldConstants.AuthenticationType)
return;
var userid = _userManager.GetUserId(context.User);
bool success = false;
var policy = requirement.Policy;
var requiredUnscoped = false;
if (policy.EndsWith(':'))
{
policy = policy.Substring(0, policy.Length - 1);
requiredUnscoped = true;
}
switch (policy)
{
case { } when Policies.IsStorePolicy(policy):
var storeId = requiredUnscoped ? null : _httpContext.GetImplicitStoreId();
// Specific store action
if (storeId != null)
{
if (context.HasPermission(Permission.Create(policy, storeId)))
{
if (string.IsNullOrEmpty(userid))
break;
var store = await _storeRepository.FindStore(storeId, userid);
if (store == null)
break;
if (!store.HasPermission(userid, policy))
break;
success = true;
_httpContext.SetStoreData(store);
}
}
else
{
if (requiredUnscoped && !context.HasPermission(Permission.Create(policy)))
break;
var stores = await _storeRepository.GetStoresByUserId(userid);
List<StoreData> permissionedStores = new List<StoreData>();
foreach (var store in stores)
{
if (context.HasPermission(Permission.Create(policy, store.Id)))
permissionedStores.Add(store);
}
_httpContext.SetStoresData(permissionedStores.ToArray());
success = true;
}
break;
case { } when Policies.IsServerPolicy(policy):
if (context.HasPermission(Permission.Create(policy)))
{
var user = await _userManager.GetUserAsync(context.User);
if (user == null)
break;
if (!await _userManager.IsInRoleAsync(user, Roles.ServerAdmin))
break;
success = true;
}
break;
case { } when Policies.IsPluginPolicy(requirement.Policy):
var handle = (AuthorizationFilterHandle)await _pluginHookService.ApplyFilter("handle-authorization-requirement",
new AuthorizationFilterHandle(context, requirement, _httpContext));
success = handle.Success;
break;
case Policies.CanManageNotificationsForUser:
case Policies.CanViewNotificationsForUser:
case Policies.CanModifyProfile:
case Policies.CanViewProfile:
case Policies.CanDeleteUser:
case Policies.Unrestricted:
success = context.HasPermission(Permission.Create(policy));
break;
}
if (success)
{
context.Succeed(requirement);
}
_httpContext.Items[RequestedPermissionKey] = policy;
}
public const string RequestedPermissionKey = nameof(RequestedPermissionKey);
}
}
Reference in New Issue View Git Blame Copy Permalink