Merge pull request #662 from immense/tech/admin-auth-policies

Use recommended policy-based authorization for Org Admin and Server Admin pages.

Author: bitbound

Server/App.razor

@@ -1,7 +1,13 @@
 <CascadingAuthenticationState>
     <Router AppAssembly="@typeof(Program).Assembly" PreferExactMatches="@true">
         <Found Context="routeData">
-            <AuthorizeRouteView RouteData="@routeData" DefaultLayout="@typeof(MainLayout)" />
+            <AuthorizeRouteView RouteData="@routeData" DefaultLayout="@typeof(MainLayout)">
+                <NotAuthorized>
+                    <div class="jumbotron">
+                        <h3>You are not authorized to access this resource.</h3>
+                    </div>
+                </NotAuthorized>
+            </AuthorizeRouteView>
         </Found>
         <NotFound>
             <LayoutView Layout="@typeof(MainLayout)">

Server/Auth/OrganizationAdminRequirement.cs

@@ -0,0 +1,8 @@
+using Microsoft.AspNetCore.Authorization;
+
+namespace Remotely.Server.Auth;
+
+public class OrganizationAdminRequirement : IAuthorizationRequirement
+{
+    
+}

Server/Auth/OrganizationAdminRequirementHandler.cs

@@ -0,0 +1,34 @@
+using Microsoft.AspNetCore.Authorization;
+using Microsoft.AspNetCore.Identity;
+using Remotely.Shared.Models;
+using System.Threading.Tasks;
+
+namespace Remotely.Server.Auth;
+
+public class OrganizationAdminRequirementHandler : AuthorizationHandler<OrganizationAdminRequirement>
+{
+    private readonly UserManager<RemotelyUser> _userManager;
+
+    public OrganizationAdminRequirementHandler(UserManager<RemotelyUser> userManager)
+    {
+        _userManager = userManager;
+    }
+
+    protected override async Task HandleRequirementAsync(AuthorizationHandlerContext context, OrganizationAdminRequirement requirement)
+    {
+        if (context.User.Identity?.IsAuthenticated != true)
+        {
+            context.Fail();
+            return;
+        }
+
+        var user = await _userManager.GetUserAsync(context.User);
+        if (user?.IsAdministrator != true)
+        {
+            context.Fail();
+            return;
+        }
+
+        context.Succeed(requirement);
+    }
+}

Server/Auth/PolicyNames.cs

@@ -0,0 +1,8 @@
+namespace Remotely.Server.Auth;
+
+public static class PolicyNames
+{
+    public const string TwoFactorRequired = nameof(TwoFactorRequired);
+    public const string OrganizationAdminRequired = nameof(OrganizationAdminRequired);
+    public const string ServerAdminRequired = nameof(ServerAdminRequired);
+}

Server/Auth/ServerAdminRequirement.cs

@@ -0,0 +1,7 @@
+using Microsoft.AspNetCore.Authorization;
+
+namespace Remotely.Server.Auth;
+
+public class ServerAdminRequirement : IAuthorizationRequirement
+{
+}

Server/Auth/ServerAdminRequirementHandler.cs

@@ -0,0 +1,36 @@
+#nullable enable
+
+using Microsoft.AspNetCore.Authorization;
+using Microsoft.AspNetCore.Identity;
+using Remotely.Shared.Models;
+using System.Threading.Tasks;
+
+namespace Remotely.Server.Auth;
+
+public class ServerAdminRequirementHandler : AuthorizationHandler<ServerAdminRequirement>
+{
+    private readonly UserManager<RemotelyUser> _userManager;
+
+    public ServerAdminRequirementHandler(UserManager<RemotelyUser> userManager)
+    {
+        _userManager = userManager;
+    }
+
+    protected override async Task HandleRequirementAsync(AuthorizationHandlerContext context, ServerAdminRequirement requirement)
+    {
+        if (context.User.Identity?.IsAuthenticated != true)
+        {
+            context.Fail();
+            return;
+        }
+
+        var user = await _userManager.GetUserAsync(context.User);
+        if (user?.IsServerAdmin != true)
+        {
+            context.Fail();
+            return;
+        }
+        
+        context.Succeed(requirement);
+    }
+}

Server/Auth/TwoFactorRequiredRequirement.cs

@@ -8,6 +8,6 @@ namespace Remotely.Server.Auth
 {
     public class TwoFactorRequiredRequirement : IAuthorizationRequirement
     {
-        public const string PolicyName = "TwoFactorRequired";
+
     }
 }

Server/Components/LoaderHarness.razor

@@ -11,13 +11,10 @@
     private bool _loaderShown;
     private string _statusMessage = string.Empty;
 
-    protected override Task OnAfterRenderAsync(bool firstRender)
+    protected override Task OnInitializedAsync()
     {
-        if (firstRender)
-        {
-            Messenger.Register<ShowLoaderMessage>(this, HandleShowLoaderMessage);
-        }
-        return base.OnAfterRenderAsync(firstRender);
+        Messenger.Register<ShowLoaderMessage>(this, HandleShowLoaderMessage);
+        return base.OnInitializedAsync();
     }
 
     private async Task HandleShowLoaderMessage(ShowLoaderMessage message)

Server/Hubs/AgentHub.cs

@@ -72,7 +72,7 @@ public Task Chat(string message, bool disconnected, string browserConnectionId)
         }
 
 
-        public async Task CheckForPendingSriptRuns()
+        public async Task CheckForPendingScriptRuns()
         {
             var authToken = _expiringTokenService.GetToken(Time.Now.AddMinutes(AppConstants.ScriptRunExpirationMinutes));
             var scriptRuns = await _dataService.GetPendingScriptRuns(Device.ID);
@@ -166,7 +166,7 @@ public async Task DeviceHeartbeat(Device device)
 
             var result = await _dataService.AddOrUpdateDevice(device);
 
-            if (result.IsSuccess)
+            if (!result.IsSuccess)
             {
                 return;
             }
@@ -189,7 +189,7 @@ public async Task DeviceHeartbeat(Device device)
             }
 
 
-            await CheckForPendingSriptRuns();
+            await CheckForPendingScriptRuns();
         }
 
 

Server/Pages/ApiKeys.razor

@@ -1,5 +1,5 @@
 @page "/api-keys"
-@attribute [Authorize]
+@attribute [Authorize(Policy = PolicyNames.OrganizationAdminRequired)]
 @inherits AuthComponentBase
 
 @inject IDataService DataService