file dl auth

6 years ago · 8eddb95fa5
parent e71f598bd3
commit 8eddb95fa5
5 changed files with 81 additions and 41 deletions
--- a/src/Yavsc/AuthorizationHandlers/ViewFileHandler.cs
+++ b/src/Yavsc/AuthorizationHandlers/ViewFileHandler.cs
@ -1,18 +1,30 @@
 using Microsoft.AspNet.Authorization;
+using Yavsc.Services;
 using Yavsc.ViewModels.Auth;

-namespace Yavsc.AuthorizationHandlers
-{
-    public class ViewFileHandler : AuthorizationHandler<ViewRequirement, ViewFileContext>
-    {
-        protected override void Handle(AuthorizationContext context, ViewRequirement requirement,  ViewFileContext fileContext)
-        {
+namespace Yavsc.AuthorizationHandlers {
+
+    public class ViewFileHandler : AuthorizationHandler<ViewRequirement, ViewFileContext> {
+
+        IFileSystemAuthManager _authManager;
+
+        public ViewFileHandler (IFileSystemAuthManager authManager) {
+            _authManager = authManager;
+        }
+
+        protected override void Handle (AuthorizationContext context, ViewRequirement requirement, ViewFileContext fileContext) {
            // TODO file access rules
            if (fileContext.Path.StartsWith ("/pub/"))
                context.Succeed (requirement);
            else {
-                // TODO use "/blog/{num}/" path to link to blog access list
+                if (!fileContext.Path.StartsWith ("/"))
+                    context.Fail ();
+                else {
+                    var rights = _authManager.GetFilePathAccess (context.User, fileContext.Path.Substring (1));
+                    if ((rights & FileAccessRight.Read) > 0)
                        context.Succeed (requirement);
+                    else context.Fail ();
+                }
            }
        }
    }
--- a/src/Yavsc/Services/FileSystemAuthManager.cs
+++ b/src/Yavsc/Services/FileSystemAuthManager.cs
@ -0,0 +1,44 @@
+using System;
+using System.Linq;
+using System.Security.Principal;
+using System.Security.Claims;
+using Yavsc.Models;
+
+namespace Yavsc.Services
+{
+    public class FileSystemAuthManager : IFileSystemAuthManager
+    {
+        ApplicationDbContext _dbContext;
+
+        public FileSystemAuthManager(ApplicationDbContext dbContext)
+        {
+            _dbContext = dbContext;
+        }
+
+        public FileAccessRight GetFilePathAccess(ClaimsPrincipal user, string normalizedFullPath)
+        {
+            // Assert (normalizedFullPath!=null)
+            var parts = normalizedFullPath.Split('/');
+            if (parts.Length<2) return FileAccessRight.None;
+            var funame = parts[0];
+            if (funame == user.GetUserName()) return FileAccessRight.Read | FileAccessRight.Write;
+
+            var ucl = user.Claims.Where(c => c.Type == YavscClaimTypes.CircleMembership).Select(c => long.Parse(c.Value)).ToArray();
+
+            if (_dbContext.CircleAuthorizationToFile.Any(
+                r => r.FullPath == normalizedFullPath && ucl.Contains(r.CircleId)
+            )) return FileAccessRight.Read;
+            return FileAccessRight.None;
+        }
+
+        public string NormalizePath(string path)
+        {
+            throw new NotImplementedException();
+        }
+
+        public void SetAccess(long circleId, string normalizedFullPath, FileAccessRight access)
+        {
+            throw new NotImplementedException();
+        }
+    }
+}
--- a/src/Yavsc/Services/IFileSystemAuthManager.cs
+++ b/src/Yavsc/Services/IFileSystemAuthManager.cs
@ -1,8 +1,9 @@
 using System;
+using System.Security.Claims;
 using System.Security.Principal;
-using Yavsc.Models;

-namespace Yavsc.Services {
+namespace Yavsc.Services
+{
    [Flags]
    public enum FileAccessRight {
        None = 0,
@ -22,34 +23,9 @@ namespace Yavsc.Services {
        /// <param name="user"></param>
        /// <param name="normalizedFullPath"></param>
        /// <returns></returns>
-        FileAccessRight GetFilePathAccess(IPrincipal user, string normalizedFullPath);
+        FileAccessRight GetFilePathAccess(ClaimsPrincipal user, string normalizedFullPath);

        void SetAccess (long circleId, string normalizedFullPath, FileAccessRight access);

    }
-
-    public class FileSystemAuthManager : IFileSystemAuthManager
-    {
-        ApplicationDbContext _dbContext;
-
-        public FileSystemAuthManager(ApplicationDbContext dbContext)
-        {
-            _dbContext = dbContext;
-        }
-
-        public FileAccessRight GetFilePathAccess(IPrincipal user, string normalizedFullPath)
-        {
-            throw new NotImplementedException();
-        }
-
-        public string NormalizePath(string path)
-        {
-            throw new NotImplementedException();
-        }
-
-        public void SetAccess(long circleId, string normalizedFullPath, FileAccessRight access)
-        {
-            throw new NotImplementedException();
-        }
-    }
 }
--- a/src/Yavsc/Startup/Startup.FileServer.cs
+++ b/src/Yavsc/Startup/Startup.FileServer.cs
@ -1,4 +1,5 @@
 using System.IO;
+using System.Security.Claims;
 using Microsoft.AspNet.Authorization;
 using Microsoft.AspNet.Builder;
 using Microsoft.AspNet.FileProviders;
@ -7,6 +8,8 @@ using Microsoft.AspNet.Http;
 using Microsoft.AspNet.StaticFiles;
 using Microsoft.Extensions.Logging;
 using Yavsc.Abstract.FileSystem;
+using Yavsc.Services;
+using Yavsc.ViewModels.Auth;

 namespace Yavsc
 {
@ -17,7 +20,8 @@ namespace Yavsc

        public static FileServerOptions AvatarsOptions { get; set; }
        public void ConfigureFileServerApp(IApplicationBuilder app,
-                SiteSettings siteSettings, IHostingEnvironment env, IAuthorizationService authorizationService)
+                SiteSettings siteSettings, IHostingEnvironment env,
+                 IAuthorizationService authorizationService)
        {
            var userFilesDirInfo = new DirectoryInfo( siteSettings.Blog );
            AbstractFileSystemHelpers.UserFilesDirName =  userFilesDirInfo.FullName;
@ -33,15 +37,18 @@ namespace Yavsc
            UserFilesOptions.EnableDefaultFiles=true;
            UserFilesOptions.StaticFileOptions.ServeUnknownFileTypes=true;

-            /* TODO needs a better design, at implementation time (don't use database, but in memory data) 
+            /* TODO needs a better design, at implementation time (don't use database, but in memory data) */
             UserFilesOptions.StaticFileOptions.OnPrepareResponse += async context =>
             {
                 var uname = context.Context.User.GetUserName();
                 var path = context.Context.Request.Path;
                 var result = await authorizationService.AuthorizeAsync(context.Context.User, new ViewFileContext
                 { UserName = uname, File = context.File, Path = path } , new ViewRequirement());
+                 if (!result) {
+                     context.Context.Response.StatusCode = 403;
+                     context.Context.Abort();
+                 }
             };
-             */
            var avatarsDirInfo = new DirectoryInfo(Startup.SiteSetup.Avatars);
            if (!avatarsDirInfo.Exists) avatarsDirInfo.Create();
            AvatarsDirName = avatarsDirInfo.FullName;
--- a/src/Yavsc/Startup/Startup.cs
+++ b/src/Yavsc/Startup/Startup.cs
@ -232,6 +232,7 @@ namespace Yavsc
            services.AddSingleton<IAuthorizationHandler, SendMessageHandler>();
            services.AddSingleton<IConnexionManager, HubConnectionManager>();
            services.AddSingleton<ILiveProcessor, LiveProcessor>();
+            services.AddSingleton<IFileSystemAuthManager, FileSystemAuthManager>();

            services.AddMvc(config =>
            {