Moonlight-Panel/Servers
2
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Moved share permission parsing to jsonb implementation of ef core. Improved auth handling for shares

Browse Source
This commit is contained in:
ChiaraBm
2025-06-06 14:15:32 +02:00
parent 1ec4450040
commit cfed1aefde
12 changed files with 176 additions and 70 deletions
Download Patch File Download Diff File Expand all files Collapse all files

4
MoonlightServers.ApiServer/Database/Entities/ServerShare.cs
View File

@@ -1,4 +1,5 @@
using System.ComponentModel.DataAnnotations.Schema;
using MoonlightServers.ApiServer.Models;
namespace MoonlightServers.ApiServer.Database.Entities;
@@ -9,8 +10,7 @@ public class ServerShare
public int UserId { get; set; }
public Server Server { get; set; }
[Column(TypeName = "jsonb")]
public string Permissions { get; set; }
public ServerShareContent Content { get; set; } = new();
[Column(TypeName="timestamp with time zone")]
public DateTime CreatedAt { get; set; }

52
MoonlightServers.ApiServer/Database/Migrations/20250605210823_AddedServerShares.Designer.cs → MoonlightServers.ApiServer/Database/Migrations/20250606121013_AddedShares.Designer.cs generated
View File

@@ -12,8 +12,8 @@ using Npgsql.EntityFrameworkCore.PostgreSQL.Metadata;
namespace MoonlightServers.ApiServer.Database.Migrations
{
[DbContext(typeof(ServersDataContext))]
[Migration("20250605210823_AddedServerShares")]
partial class AddedServerShares
[Migration("20250606121013_AddedShares")]
partial class AddedShares
{
/// <inheritdoc />
protected override void BuildTargetModel(ModelBuilder modelBuilder)
@@ -194,10 +194,6 @@ namespace MoonlightServers.ApiServer.Database.Migrations
b.Property<DateTime>("CreatedAt")
.HasColumnType("timestamp with time zone");
b.Property<string>("Permissions")
.IsRequired()
.HasColumnType("jsonb");
b.Property<int>("ServerId")
.HasColumnType("integer");
@@ -434,6 +430,50 @@ namespace MoonlightServers.ApiServer.Database.Migrations
.OnDelete(DeleteBehavior.Cascade)
.IsRequired();
b.OwnsOne("MoonlightServers.ApiServer.Models.ServerShareContent", "Content", b1 =>
{
b1.Property<int>("ServerShareId")
.HasColumnType("integer");
b1.HasKey("ServerShareId");
b1.ToTable("Servers_ServerShares");
b1.ToJson("Content");
b1.WithOwner()
.HasForeignKey("ServerShareId");
b1.OwnsMany("MoonlightServers.ApiServer.Models.ServerSharePermission", "Permissions", b2 =>
{
b2.Property<int>("ServerShareContentServerShareId")
.HasColumnType("integer");
b2.Property<int>("__synthesizedOrdinal")
.ValueGeneratedOnAdd()
.HasColumnType("integer");
b2.Property<string>("Name")
.IsRequired()
.HasColumnType("text");
b2.Property<int>("Type")
.HasColumnType("integer");
b2.HasKey("ServerShareContentServerShareId", "__synthesizedOrdinal");
b2.ToTable("Servers_ServerShares");
b2.WithOwner()
.HasForeignKey("ServerShareContentServerShareId");
});
b1.Navigation("Permissions");
});
b.Navigation("Content")
.IsRequired();
b.Navigation("Server");
});

6
MoonlightServers.ApiServer/Database/Migrations/20250605210823_AddedServerShares.cs → MoonlightServers.ApiServer/Database/Migrations/20250606121013_AddedShares.cs
View File

@@ -7,7 +7,7 @@ using Npgsql.EntityFrameworkCore.PostgreSQL.Metadata;
namespace MoonlightServers.ApiServer.Database.Migrations
{
/// <inheritdoc />
public partial class AddedServerShares : Migration
public partial class AddedShares : Migration
{
/// <inheritdoc />
protected override void Up(MigrationBuilder migrationBuilder)
@@ -20,9 +20,9 @@ namespace MoonlightServers.ApiServer.Database.Migrations
.Annotation("Npgsql:ValueGenerationStrategy", NpgsqlValueGenerationStrategy.IdentityByDefaultColumn),
UserId = table.Column<int>(type: "integer", nullable: false),
ServerId = table.Column<int>(type: "integer", nullable: false),
Permissions = table.Column<string>(type: "jsonb", nullable: false),
CreatedAt = table.Column<DateTime>(type: "timestamp with time zone", nullable: false),
UpdatedAt = table.Column<DateTime>(type: "timestamp with time zone", nullable: false)
UpdatedAt = table.Column<DateTime>(type: "timestamp with time zone", nullable: false),
Content = table.Column<string>(type: "jsonb", nullable: false)
},
constraints: table =>
{

48
MoonlightServers.ApiServer/Database/Migrations/ServersDataContextModelSnapshot.cs
View File

@@ -191,10 +191,6 @@ namespace MoonlightServers.ApiServer.Database.Migrations
b.Property<DateTime>("CreatedAt")
.HasColumnType("timestamp with time zone");
b.Property<string>("Permissions")
.IsRequired()
.HasColumnType("jsonb");
b.Property<int>("ServerId")
.HasColumnType("integer");
@@ -431,6 +427,50 @@ namespace MoonlightServers.ApiServer.Database.Migrations
.OnDelete(DeleteBehavior.Cascade)
.IsRequired();
b.OwnsOne("MoonlightServers.ApiServer.Models.ServerShareContent", "Content", b1 =>
{
b1.Property<int>("ServerShareId")
.HasColumnType("integer");
b1.HasKey("ServerShareId");
b1.ToTable("Servers_ServerShares");
b1.ToJson("Content");
b1.WithOwner()
.HasForeignKey("ServerShareId");
b1.OwnsMany("MoonlightServers.ApiServer.Models.ServerSharePermission", "Permissions", b2 =>
{
b2.Property<int>("ServerShareContentServerShareId")
.HasColumnType("integer");
b2.Property<int>("__synthesizedOrdinal")
.ValueGeneratedOnAdd()
.HasColumnType("integer");
b2.Property<string>("Name")
.IsRequired()
.HasColumnType("text");
b2.Property<int>("Type")
.HasColumnType("integer");
b2.HasKey("ServerShareContentServerShareId", "__synthesizedOrdinal");
b2.ToTable("Servers_ServerShares");
b2.WithOwner()
.HasForeignKey("ServerShareContentServerShareId");
});
b1.Navigation("Permissions");
});
b.Navigation("Content")
.IsRequired();
b.Navigation("Server");
});

23
MoonlightServers.ApiServer/Database/ServersDataContext.cs
View File

@@ -2,6 +2,7 @@ using Microsoft.EntityFrameworkCore;
using MoonCore.Extended.SingleDb;
using Moonlight.ApiServer.Configuration;
using MoonlightServers.ApiServer.Database.Entities;
using MoonlightServers.ApiServer.Models;
namespace MoonlightServers.ApiServer.Database;
@@ -30,4 +31,26 @@ public class ServersDataContext : DatabaseContext
Database = configuration.Database.Database
};
}
protected override void OnModelCreating(ModelBuilder modelBuilder)
{
base.OnModelCreating(modelBuilder);
#region Shares
modelBuilder.Ignore<ServerShareContent>();
modelBuilder.Ignore<ServerSharePermission>();
modelBuilder.Entity<ServerShare>(builder =>
{
builder.OwnsOne(x => x.Content, navigationBuilder =>
{
navigationBuilder.ToJson();
navigationBuilder.OwnsMany(x => x.Permissions);
});
});
#endregion
}
}

9
MoonlightServers.ApiServer/Http/Controllers/Client/FilesController.cs
View File

@@ -164,8 +164,13 @@ public class FilesController : Controller
if (server == null)
throw new HttpApiException("No server with this id found", 404);
if (!await AuthorizeService.Authorize(User, server, permission => permission.Name == "files" && permission.Type >= type))
throw new HttpApiException("No server with this id found", 404);
var authorizeResult = await AuthorizeService.Authorize(
User, server,
permission => permission.Name == "files" && permission.Type >= type
);
if (!authorizeResult.Succeeded)
throw new HttpApiException("No permission for the requested resource", 403);
return server;
}

9
MoonlightServers.ApiServer/Http/Controllers/Client/PowerController.cs
View File

@@ -68,8 +68,13 @@ public class PowerController : Controller
if (server == null)
throw new HttpApiException("No server with this id found", 404);
if (!await AuthorizeService.Authorize(User, server, permission => permission is { Name: "power", Type: ServerPermissionType.ReadWrite }))
throw new HttpApiException("No server with this id found", 404);
var authorizeResult = await AuthorizeService.Authorize(
User, server,
permission => permission.Name == "power" && permission.Type >= ServerPermissionType.ReadWrite
);
if (!authorizeResult.Succeeded)
throw new HttpApiException("No permission for the requested resource", 403);
return server;
}

10
MoonlightServers.ApiServer/Http/Controllers/Client/ServersController.cs
View File

@@ -148,7 +148,9 @@ public class ServersController : Controller
if (server == null)
throw new HttpApiException("No server with this id found", 404);
if (!await AuthorizeService.Authorize(User, server))
var authorizationResult = await AuthorizeService.Authorize(User, server);
if (!authorizationResult.Succeeded)
throw new HttpApiException("No server with this id found", 404);
return new ServerDetailResponse()
@@ -256,8 +258,10 @@ public class ServersController : Controller
if (server == null)
throw new HttpApiException("No server with this id found", 404);
if (!await AuthorizeService.Authorize(User, server, filter))
throw new HttpApiException("No server with this id found", 404);
var authorizeResult = await AuthorizeService.Authorize(User, server, filter);
if (!authorizeResult.Succeeded)
throw new HttpApiException("No permission for the requested resource", 403);
return server;
}

9
MoonlightServers.ApiServer/Http/Controllers/Client/SettingsController.cs
View File

@@ -47,8 +47,13 @@ public class SettingsController : Controller
if (server == null)
throw new HttpApiException("No server with this id found", 404);
if (!await AuthorizeService.Authorize(User, server, permission => permission is { Name: "settings", Type: ServerPermissionType.ReadWrite }))
throw new HttpApiException("No server with this id found", 404);
var authorizeResult = await AuthorizeService.Authorize(
User, server,
permission => permission is { Name: "settings", Type: >= ServerPermissionType.ReadWrite }
);
if (!authorizeResult.Succeeded)
throw new HttpApiException("No permission for the requested resource", 403);
return server;
}

10
MoonlightServers.ApiServer/Http/Controllers/Client/VariablesController.cs
View File

@@ -132,9 +132,13 @@ public class VariablesController : Controller
if (server == null)
throw new HttpApiException("No server with this id found", 404);
if (!await AuthorizeService.Authorize(User, server,
permission => permission.Name == "variables" && permission.Type >= type))
throw new HttpApiException("No server with this id found", 404);
var authorizeResult = await AuthorizeService.Authorize(
User, server,
permission => permission.Name == "variables" && permission.Type >= type
);
if (!authorizeResult.Succeeded)
throw new HttpApiException("No permission for the requested resource", 403);
return server;
}

6
MoonlightServers.ApiServer/Models/ServerShareContent.cs Normal file
View File

@@ -0,0 +1,6 @@
namespace MoonlightServers.ApiServer.Models;
public class ServerShareContent
{
public List<ServerSharePermission> Permissions { get; set; } = [];
}

60
MoonlightServers.ApiServer/Services/ServerAuthorizeService.cs
View File

@@ -24,50 +24,54 @@ public class ServerAuthorizeService
ShareRepository = shareRepository;
}
public async Task<bool> Authorize(ClaimsPrincipal user, Server server, Func<ServerSharePermission, bool>? filter = null)
public async Task<AuthorizationResult> Authorize(ClaimsPrincipal user, Server server, Func<ServerSharePermission, bool>? filter = null)
{
var userIdClaim = user.FindFirst("userId");
// User specific authorization
if (userIdClaim != null && await AuthorizeViaUser(userIdClaim, server, filter))
return true;
if (userIdClaim != null)
{
var result = await AuthorizeViaUser(userIdClaim, server, filter);
if (result.Succeeded)
return result;
}
// Permission specific authorization
return await AuthorizeViaPermission(user);
}
private async Task<bool> AuthorizeViaUser(Claim userIdClaim, Server server, Func<ServerSharePermission, bool>? filter = null)
private async Task<AuthorizationResult> AuthorizeViaUser(Claim userIdClaim, Server server, Func<ServerSharePermission, bool>? filter = null)
{
var userId = int.Parse(userIdClaim.Value);
if (server.OwnerId == userId)
return true;
return AuthorizationResult.Success();
var possibleShare = await ShareRepository
.Get()
.FirstOrDefaultAsync(x => x.Server.Id == server.Id && x.UserId == userId);
if (possibleShare == null)
return false;
return AuthorizationResult.Failed();
// If no filter has been specified every server share is valid
// no matter which permission the share actually has
if (filter == null)
return true;
return AuthorizationResult.Success();
var permissionsOfShare = ParsePermissions(possibleShare.Permissions);
if(possibleShare.Content.Permissions.Any(filter))
return AuthorizationResult.Success();
return permissionsOfShare.Any(filter);
return AuthorizationResult.Failed();
}
private async Task<bool> AuthorizeViaPermission(ClaimsPrincipal user)
private async Task<AuthorizationResult> AuthorizeViaPermission(ClaimsPrincipal user)
{
var authorizeResult = await AuthorizationService.AuthorizeAsync(
return await AuthorizationService.AuthorizeAsync(
user,
"permissions:admin.servers.get"
);
return authorizeResult.Succeeded;
}
private ServerSharePermission[] ParsePermissions(string permissionsString)
@@ -96,34 +100,4 @@ public class ServerAuthorizeService
return result.ToArray();
}
private bool CheckSharePermission(ServerShare share, string permission, ServerPermissionType type)
{
if (string.IsNullOrEmpty(share.Permissions))
return false;
var permissions = share.Permissions.Split(';', StringSplitOptions.RemoveEmptyEntries);
foreach (var sharePermission in permissions)
{
if (!sharePermission.StartsWith(permission))
continue;
var typeParts = sharePermission.Split(':', StringSplitOptions.RemoveEmptyEntries);
// Missing permission type
if (typeParts.Length != 2)
return false;
// Parse type id
if (!int.TryParse(typeParts[1], out var typeId))
return false; // Malformed
var requiredId = (int)type;
return typeId >= requiredId;
}
return false;
}
}