From 1cc32fa5c4c174aa131a2f2db8ea2acadbc9b70c Mon Sep 17 00:00:00 2001
From: Baumgartner Marcel
Date: Wed, 5 Jun 2024 16:20:24 +0200
Subject: [PATCH] Started adding api permission check
---
 .../Core/Attributes/ApiPermissionAttribute.cs | 11 ++++
 Moonlight/Core/CoreFeature.cs | 3 +
 .../Middleware/ApiPermissionMiddleware.cs | 55 +++++++++++++++++++
 3 files changed, 69 insertions(+)
 create mode 100644 Moonlight/Core/Attributes/ApiPermissionAttribute.cs
 create mode 100644 Moonlight/Core/Http/Middleware/ApiPermissionMiddleware.cs
diff --git a/Moonlight/Core/Attributes/ApiPermissionAttribute.cs b/Moonlight/Core/Attributes/ApiPermissionAttribute.cs
new file mode 100644
index 00000000..c0b8ea1b
--- /dev/null
+++ b/Moonlight/Core/Attributes/ApiPermissionAttribute.cs
@@ -0,0 +1,11 @@
+namespace Moonlight.Core.Attributes;
+
+public class ApiPermissionAttribute : Attribute
+{
+ public string Permission { get; set; }
+
+ public ApiPermissionAttribute(string permission)
+ {
+ Permission = permission;
+ }
+}
\ No newline at end of file
diff --git a/Moonlight/Core/CoreFeature.cs b/Moonlight/Core/CoreFeature.cs
index e100d481..7165ee44 100644
--- a/Moonlight/Core/CoreFeature.cs
+++ b/Moonlight/Core/CoreFeature.cs
@@ -22,6 +22,7 @@ using Moonlight.Core.Repositories;
 using Moonlight.Core.Services;
 using Microsoft.OpenApi.Models;
 using Moonlight.Core.Attributes;
+using Moonlight.Core.Http.Middleware;
 using Moonlight.Core.Implementations.ApiDefinition;
 using Swashbuckle.AspNetCore.SwaggerGen;
@@ -252,6 +253,8 @@ public class CoreFeature : MoonlightFeature // Api if (config.Development.EnableApiReference) app.MapSwagger("/api/core/reference/openapi/{documentName}");
+
+ app.UseMiddleware();
 await pluginService.RegisterImplementation(new InternalApiDefinition());
 }
diff --git a/Moonlight/Core/Http/Middleware/ApiPermissionMiddleware.cs b/Moonlight/Core/Http/Middleware/ApiPermissionMiddleware.cs
new file mode 100644
index 00000000..176586a1
--- /dev/null
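Review bot: `ApiPermissionAttribute` carries no `[AttributeUsage]`, so it can be placed on an action method, where the middleware added in this commit would never see it because it reads only the controller type's attributes; such an endpoint would look protected while staying open. Restricting it with `[AttributeUsage(AttributeTargets.Class)]` turns that mistake into a compile error until method-level checks exist. `Permission` is also settable after construction; `public string Permission { get; }` keeps the declared permission fixed, and a `/// <summary>` saying what the string names would help whoever annotates a controller.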
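Review bot: The `app.UseMiddleware` call in the second CoreFeature.cs hunk sits after the Swagger mapping, and the hunk does not show where routing and authentication are registered relative to it. `CheckRequest` allows the request whenever `context.GetEndpoint()` is null, which is what it returns before the routing middleware has selected an endpoint, so a registration ahead of routing would pass every API call without a check. I would add a comment on the line such as `// must run after routing and authentication; CheckRequest allows requests with no resolved endpoint` and confirm the order in the part of the method that lies outside this hunk.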
+++ b/Moonlight/Core/Http/Middleware/ApiPermissionMiddleware.cs
@@ -0,0 +1,55 @@
+using Microsoft.AspNetCore.Mvc;
+using Microsoft.AspNetCore.Mvc.Controllers;
+using MoonCore.Helpers;
+using Moonlight.Core.Attributes;
+
+namespace Moonlight.Core.Http.Middleware;
+
+public class ApiPermissionMiddleware
+{
+ private RequestDelegate Next;
+
+ public ApiPermissionMiddleware(RequestDelegate next)
+ {
+ Next = next;
+ }
+
+ public async Task Invoke(HttpContext context)
+ {
+ if (CheckRequest(context))
+ await Next(context);
+ else
+ {
+ context.Response.StatusCode = 403;
+ await context.Response.WriteAsync("Permission denied");
+ }
+ }
+
+ private bool CheckRequest(HttpContext context)
+ {
+ var endpoint = context.GetEndpoint();
+
+ if (endpoint == null)
+ return true;
+
+ var metadata = endpoint
+ .Metadata
+ .GetMetadata();
+
+ if (metadata == null)
+ return true;
+
+ if (metadata.ControllerTypeInfo.CustomAttributes
+ .All(x => x.AttributeType != typeof(ApiControllerAttribute)))
+ return true;
+
+ var permissionAttr =
+ metadata.ControllerTypeInfo.CustomAttributes.FirstOrDefault(x =>
+ x.AttributeType == typeof(ApiPermissionAttribute));
+
+ if (permissionAttr == null)
+ return true;
+
+ if(metadata.)
+ }
+}
\ No newline at end of file
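Review bot: `CheckRequest` ends at the incomplete `if(metadata.)` with no return on the only path where an `ApiPermissionAttribute` was found, so the file does not compile and the one branch meant to enforce something is undecided. Every earlier exit returns `true`, so until the real permission lookup exists the tail should deny by default, e.g. `return false;`, with a comment that the annotated controller stays closed until the check is implemented. The exact-type match on `CustomAttributes` yields `CustomAttributeData` rather than the attribute instance and does not see attributes declared on a base controller; `endpoint.Metadata.GetMetadata<ApiPermissionAttribute>()` would return the instance and its `Permission` directly. A `/// <summary>` on `CheckRequest` listing which requests are deliberately let through (no endpoint, non-API controllers, unannotated controllers) would make the allow-by-default cases reviewable.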