Create authorization policies for OrganizationAdmin and ServerAdmin. …

…Use these within the routing system via Authorize attribute instead of directly checking on each page.
immense · Jun 14, 2023 · bc690e8 · bc690e8
1 parent 5383343
commit bc690e8
Show file tree

Hide file tree

Showing 18 changed files with 586 additions and 485 deletions.
diff --git a/Server/App.razor b/Server/App.razor
@@ -1,7 +1,13 @@
 <CascadingAuthenticationState>
     <Router AppAssembly="@typeof(Program).Assembly" PreferExactMatches="@true">
         <Found Context="routeData">
-            <AuthorizeRouteView RouteData="@routeData" DefaultLayout="@typeof(MainLayout)" />
+            <AuthorizeRouteView RouteData="@routeData" DefaultLayout="@typeof(MainLayout)">
+                <NotAuthorized>
+                    <div class="jumbotron">
+                        <h3>You are not authorized to access this resource.</h3>
+                    </div>
+                </NotAuthorized>
+            </AuthorizeRouteView>
         </Found>
         <NotFound>
             <LayoutView Layout="@typeof(MainLayout)">

diff --git a/Server/Auth/OrganizationAdminRequirement.cs b/Server/Auth/OrganizationAdminRequirement.cs
@@ -0,0 +1,8 @@
+using Microsoft.AspNetCore.Authorization;
+
+namespace Remotely.Server.Auth;
+
+public class OrganizationAdminRequirement : IAuthorizationRequirement
+{
+
+}
diff --git a/Server/Auth/OrganizationAdminRequirementHandler.cs b/Server/Auth/OrganizationAdminRequirementHandler.cs
@@ -0,0 +1,34 @@
+using Microsoft.AspNetCore.Authorization;
+using Microsoft.AspNetCore.Identity;
+using Remotely.Shared.Models;
+using System.Threading.Tasks;
+
+namespace Remotely.Server.Auth;
+
+public class OrganizationAdminRequirementHandler : AuthorizationHandler<OrganizationAdminRequirement>
+{
+    private readonly UserManager<RemotelyUser> _userManager;
+
+    public OrganizationAdminRequirementHandler(UserManager<RemotelyUser> userManager)
+    {
+        _userManager = userManager;
+    }
+
+    protected override async Task HandleRequirementAsync(AuthorizationHandlerContext context, OrganizationAdminRequirement requirement)
+    {
+        if (context.User.Identity?.IsAuthenticated != true)
+        {
+            context.Fail();
+            return;
+        }
+
+        var user = await _userManager.GetUserAsync(context.User);
+        if (user?.IsAdministrator != true)
+        {
+            context.Fail();
+            return;
+        }
+
+        context.Succeed(requirement);
+    }
+}
diff --git a/Server/Auth/PolicyNames.cs b/Server/Auth/PolicyNames.cs
@@ -0,0 +1,8 @@
+namespace Remotely.Server.Auth;
+
+public static class PolicyNames
+{
+    public const string TwoFactorRequired = nameof(TwoFactorRequired);
+    public const string OrganizationAdminRequired = nameof(OrganizationAdminRequired);
+    public const string ServerAdminRequired = nameof(ServerAdminRequired);
+}
diff --git a/Server/Auth/ServerAdminRequirement.cs b/Server/Auth/ServerAdminRequirement.cs
@@ -0,0 +1,7 @@
+using Microsoft.AspNetCore.Authorization;
+
+namespace Remotely.Server.Auth;
+
+public class ServerAdminRequirement : IAuthorizationRequirement
+{
+}
diff --git a/Server/Auth/ServerAdminRequirementHandler.cs b/Server/Auth/ServerAdminRequirementHandler.cs
@@ -0,0 +1,36 @@
+#nullable enable
+
+using Microsoft.AspNetCore.Authorization;
+using Microsoft.AspNetCore.Identity;
+using Remotely.Shared.Models;
+using System.Threading.Tasks;
+
+namespace Remotely.Server.Auth;
+
+public class ServerAdminRequirementHandler : AuthorizationHandler<ServerAdminRequirement>
+{
+    private readonly UserManager<RemotelyUser> _userManager;
+
+    public ServerAdminRequirementHandler(UserManager<RemotelyUser> userManager)
+    {
+        _userManager = userManager;
+    }
+
+    protected override async Task HandleRequirementAsync(AuthorizationHandlerContext context, ServerAdminRequirement requirement)
+    {
+        if (context.User.Identity?.IsAuthenticated != true)
+        {
+            context.Fail();
+            return;
+        }
+
+        var user = await _userManager.GetUserAsync(context.User);
+        if (user?.IsServerAdmin != true)
+        {
+            context.Fail();
+            return;
+        }
+
+        context.Succeed(requirement);
+    }
+}
diff --git a/Server/Auth/TwoFactorRequiredRequirement.cs b/Server/Auth/TwoFactorRequiredRequirement.cs
@@ -8,6 +8,6 @@ namespace Remotely.Server.Auth
 {
     public class TwoFactorRequiredRequirement : IAuthorizationRequirement
     {
-        public const string PolicyName = "TwoFactorRequired";
+
     }
 }
diff --git a/Server/Components/LoaderHarness.razor b/Server/Components/LoaderHarness.razor
@@ -11,13 +11,10 @@
     private bool _loaderShown;
     private string _statusMessage = string.Empty;
 
-    protected override Task OnAfterRenderAsync(bool firstRender)
+    protected override Task OnInitializedAsync()
     {
-        if (firstRender)
-        {
-            Messenger.Register<ShowLoaderMessage>(this, HandleShowLoaderMessage);
-        }
-        return base.OnAfterRenderAsync(firstRender);
+        Messenger.Register<ShowLoaderMessage>(this, HandleShowLoaderMessage);
+        return base.OnInitializedAsync();
     }
 
     private async Task HandleShowLoaderMessage(ShowLoaderMessage message)

diff --git a/Server/Pages/ApiKeys.razor b/Server/Pages/ApiKeys.razor
@@ -1,5 +1,5 @@
 @page "/api-keys"
-@attribute [Authorize]
+@attribute [Authorize(Policy = PolicyNames.OrganizationAdminRequired)]
 @inherits AuthComponentBase
 
 @inject IDataService DataService

diff --git a/Server/Pages/Branding.razor b/Server/Pages/Branding.razor
@@ -1,5 +1,6 @@
 @page "/branding"
 @inherits AuthComponentBase
+@attribute [Authorize(Policy = PolicyNames.OrganizationAdminRequired)]
 @inject IDataService DataService
 @inject IToastService ToastService
 @inject IJsInterop JsInterop 
@@ -8,70 +9,61 @@
 
 <h3 class="mb-3">Branding</h3>
 
+<AlertBanner Message="@_alertMessage" />
 
-@if (User?.IsAdministrator != true)
-{
-    <h5 class="text-muted">Only organization administrators can view this page.</h5>
-}
-else
-{
-    <AlertBanner Message="@_alertMessage" />
-
-    <div class="row">
-        <div class="col-sm-8 col-lg-6 col-xl-5">
-            <div class="form-group">
-                <label class="mb-1">Branding Areas</label>
-                <br />
-                <img class="img-fluid" src="/images/Remotely_Desktop.png" />
-            </div>
+<div class="row">
+    <div class="col-sm-8 col-lg-6 col-xl-5">
+        <div class="form-group">
+            <label class="mb-1">Branding Areas</label>
+            <br />
+            <img class="img-fluid" src="/images/Remotely_Desktop.png" />
         </div>
     </div>
+</div>
 
-    <div class="row">
-        <div class="col-sm-8 col-lg-6 col-xl-5">
-            <EditForm OnValidSubmit="HandleValidSubmit" Model="_inputModel">
-                <DataAnnotationsValidator />
+<div class="row">
+    <div class="col-sm-8 col-lg-6 col-xl-5">
+        <EditForm OnValidSubmit="HandleValidSubmit" Model="_inputModel">
+            <DataAnnotationsValidator />
 
-                <div class="form-group mb-5">
-                    <label class="text-info font-weight-bold">Product Name</label>
-                    <InputText class="form-control" @bind-Value="_inputModel.ProductName" />
-                    <ValidationMessage For="() => _inputModel.ProductName" />
-                </div>
+            <div class="form-group mb-5">
+                <label class="text-info font-weight-bold">Product Name</label>
+                <InputText class="form-control" @bind-Value="_inputModel.ProductName" />
+                <ValidationMessage For="() => _inputModel.ProductName" />
+            </div>
 
-                @if (!string.IsNullOrWhiteSpace(_base64Icon))
-                {
-                    <div class="form-group mb-4">
-                        <label class="text-info font-weight-bold">Current Icon</label>
-                        <br />
-                        <img class="img-fluid" src="data:image/png;base64,@_base64Icon" />
-                    </div>
-                }
-
-                <div class="form-group mb-5">
-                    <label class="text-info font-weight-bold">New Icon</label>
-                    <InputFile type="file" accept="image/png" class="form-control" OnChange="IconUploadInputChanged" />
-                </div>
-                <div class="form-group mb-5">
-                    <label class="text-info font-weight-bold">Title Foreground</label>
-                    <ColorPicker @bind-Color="_inputModel.TitleForegroundColor" />
+            @if (!string.IsNullOrWhiteSpace(_base64Icon))
+            {
+                <div class="form-group mb-4">
+                    <label class="text-info font-weight-bold">Current Icon</label>
+                    <br />
+                    <img class="img-fluid" src="data:image/png;base64,@_base64Icon" />
                 </div>
-                <div class="form-group mb-5">
-                    <label class="text-info font-weight-bold">Title Background</label>
-                    <ColorPicker @bind-Color="_inputModel.TitleBackgroundColor" />
-                </div>
-                <div class="form-group mb-5">
-                    <label class="text-info font-weight-bold">Button Color</label>
-                    <ColorPicker @bind-Color="_inputModel.TitleButtonColor" />
-                </div>
-                <div class="form-group text-right">
-                    <button class="btn btn-secondary mr-3" type="button" @onclick="ResetBranding">Reset</button>
-                    <button class="btn btn-primary" type="submit">Submit</button>
-                </div>
-            </EditForm>
-        </div>
-    </div>
-}
+            }
 
+            <div class="form-group mb-5">
+                <label class="text-info font-weight-bold">New Icon</label>
+                <InputFile type="file" accept="image/png" class="form-control" OnChange="IconUploadInputChanged" />
+            </div>
+            <div class="form-group mb-5">
+                <label class="text-info font-weight-bold">Title Foreground</label>
+                <ColorPicker @bind-Color="_inputModel.TitleForegroundColor" />
+            </div>
+            <div class="form-group mb-5">
+                <label class="text-info font-weight-bold">Title Background</label>
+                <ColorPicker @bind-Color="_inputModel.TitleBackgroundColor" />
+            </div>
+            <div class="form-group mb-5">
+                <label class="text-info font-weight-bold">Button Color</label>
+                <ColorPicker @bind-Color="_inputModel.TitleButtonColor" />
+            </div>
+            <div class="form-group text-right">
+                <button class="btn btn-secondary mr-3" type="button" @onclick="ResetBranding">Reset</button>
+                <button class="btn btn-primary" type="submit">Submit</button>
+            </div>
+        </EditForm>
+    </div>
+</div>
 @code {
     private string _alertMessage;
     private string _base64Icon;

diff --git a/Server/Pages/ManageOrganization.razor b/Server/Pages/ManageOrganization.razor
@@ -1,5 +1,5 @@
 @page "/manage-organization"
-@attribute [Authorize]
+@attribute [Authorize(Policy = PolicyNames.OrganizationAdminRequired)]
 @inherits AuthComponentBase
 
 <h3 class="mb-3">Manage Organization</h3>

diff --git a/Server/Pages/ScriptsPage.razor b/Server/Pages/ScriptsPage.razor
@@ -1,4 +1,5 @@
 @page "/scripts/{activeTab?}"
+@attribute [Authorize]
 @inherits AuthComponentBase
 @using System.Collections
 @inject IDataService DataService