New: Setting to disable authentication for local addresses

2022-05-23 14:00:26 -07:00 · 2022-05-23 14:00:26 -07:00 · b154b00c61
parent 05ee4e6449
commit b154b00c61
13 changed files with 116 additions and 12 deletions
--- a/frontend/src/Settings/General/SecuritySettings.js
+++ b/frontend/src/Settings/General/SecuritySettings.js
@ -16,6 +16,11 @@ const authenticationMethodOptions = [
  { key: 'forms', value: 'Forms (Login Page)' }
 ];

+const authenticationRequiredOptions = [
+  { key: 'enabled', value: 'Enabled' },
+  { key: 'disabledForLocalAddresses', value: 'Disabled for Local Addresses' }
+];
+
 const certificateValidationOptions = [
  { key: 'enabled', value: 'Enabled' },
  { key: 'disabledForLocalAddresses', value: 'Disabled for Local Addresses' },
@ -67,6 +72,7 @@ class SecuritySettings extends Component {

    const {
      authenticationMethod,
+      authenticationRequired,
      username,
      password,
      apiKey,
@ -91,7 +97,24 @@ class SecuritySettings extends Component {
        </FormGroup>

        {
-          authenticationEnabled &&
+          authenticationEnabled ?
+            <FormGroup>
+              <FormLabel>Authentication Required</FormLabel>
+
+              <FormInputGroup
+                type={inputTypes.SELECT}
+                name="authenticationRequired"
+                values={authenticationRequiredOptions}
+                helpText="Change which requests authentication is required for. Do not change unless you understand the risks."
+                onChange={onInputChange}
+                {...authenticationRequired}
+              />
+            </FormGroup> :
+            null
+        }
+
+        {
+          authenticationEnabled ?
            <FormGroup>
              <FormLabel>Username</FormLabel>

@ -101,11 +124,12 @@ class SecuritySettings extends Component {
                onChange={onInputChange}
                {...username}
              />
-            </FormGroup>
+            </FormGroup> :
+            null
        }

        {
-          authenticationEnabled &&
+          authenticationEnabled ?
            <FormGroup>
              <FormLabel>Password</FormLabel>

@ -115,7 +139,8 @@ class SecuritySettings extends Component {
                onChange={onInputChange}
                {...password}
              />
-            </FormGroup>
+            </FormGroup> :
+            null
        }

        <FormGroup>
--- a/src/NzbDrone.Automation.Test/AutomationTest.cs
+++ b/src/NzbDrone.Automation.Test/AutomationTest.cs
@ -1,4 +1,4 @@
-using System;
+using System;
 using System.Collections.Generic;
 using System.Linq;
 using FluentAssertions;
@ -46,7 +46,7 @@ namespace NzbDrone.Automation.Test

            _runner = new NzbDroneRunner(LogManager.GetCurrentClassLogger());
            _runner.KillAll();
-            _runner.Start();
+            _runner.Start(true);

            driver.Url = "http://localhost:8989";

--- a/src/NzbDrone.Core/Authentication/AuthenticationRequiredType.cs
+++ b/src/NzbDrone.Core/Authentication/AuthenticationRequiredType.cs
@ -0,0 +1,8 @@
+namespace NzbDrone.Core.Authentication
+{
+    public enum AuthenticationRequiredType
+    {
+        Enabled = 0,
+        DisabledForLocalAddresses = 1
+    }
+}
--- a/src/NzbDrone.Core/Authentication/AuthenticationType.cs
+++ b/src/NzbDrone.Core/Authentication/AuthenticationType.cs
@ -1,9 +1,10 @@
-namespace NzbDrone.Core.Authentication
+namespace NzbDrone.Core.Authentication
 {
    public enum AuthenticationType
    {
        None = 0,
        Basic = 1,
-        Forms = 2
+        Forms = 2,
+        External = 3
    }
 }
--- a/src/NzbDrone.Core/Configuration/ConfigFileProvider.cs
+++ b/src/NzbDrone.Core/Configuration/ConfigFileProvider.cs
@ -31,6 +31,7 @@ namespace NzbDrone.Core.Configuration
        bool EnableSsl { get; }
        bool LaunchBrowser { get; }
        AuthenticationType AuthenticationMethod { get; }
+        AuthenticationRequiredType AuthenticationRequired { get; }
        bool AnalyticsEnabled { get; }
        string LogLevel { get; }
        string ConsoleLogLevel { get; }
@ -181,6 +182,8 @@ namespace NzbDrone.Core.Configuration
            }
        }

+        public AuthenticationRequiredType AuthenticationRequired => GetValueEnum("AuthenticationRequired", AuthenticationRequiredType.Enabled);
+
        public bool AnalyticsEnabled => GetValueBoolean("AnalyticsEnabled", true, persist: false);

        public string Branch => GetValue("Branch", "main").ToLowerInvariant();
--- a/src/NzbDrone.Host/Startup.cs
+++ b/src/NzbDrone.Host/Startup.cs
@ -102,6 +102,8 @@ namespace NzbDrone.Host
                .PersistKeysToFileSystem(new DirectoryInfo(Configuration["dataProtectionFolder"]));

            services.AddSingleton<IAuthorizationPolicyProvider, UiAuthorizationPolicyProvider>();
+            services.AddSingleton<IAuthorizationHandler, UiAuthorizationHandler>();
+
            services.AddAuthorization(options =>
            {
                options.AddPolicy("SignalR", policy =>
--- a/src/NzbDrone.Test.Common/NzbDroneRunner.cs
+++ b/src/NzbDrone.Test.Common/NzbDroneRunner.cs
@ -31,12 +31,12 @@ namespace NzbDrone.Test.Common
            Port = port;
        }

-        public void Start()
+        public void Start(bool enableAuth = false)
        {
            AppData = Path.Combine(TestContext.CurrentContext.TestDirectory, "_intg_" + TestBase.GetUID());
            Directory.CreateDirectory(AppData);

-            GenerateConfigFile();
+            GenerateConfigFile(enableAuth);

            string consoleExe;
            if (OsInfo.IsWindows)
@ -146,7 +146,7 @@ namespace NzbDrone.Test.Common
            }
        }

-        private void GenerateConfigFile()
+        private void GenerateConfigFile(bool enableAuth)
        {
            var configFile = Path.Combine(AppData, "config.xml");

@ -159,6 +159,8 @@ namespace NzbDrone.Test.Common
                             new XElement(nameof(ConfigFileProvider.ApiKey), apiKey),
                             new XElement(nameof(ConfigFileProvider.LogLevel), "trace"),
                             new XElement(nameof(ConfigFileProvider.AnalyticsEnabled), false),
+                             new XElement(nameof(ConfigFileProvider.AuthenticationMethod), enableAuth ? "Forms" : "None"),
+                             new XElement(nameof(ConfigFileProvider.AuthenticationRequired), "DisabledForLocalAddresses"),
                             new XElement(nameof(ConfigFileProvider.Port), Port)));

            var data = xDoc.ToString();
--- a/src/Sonarr.Api.V3/Config/HostConfigResource.cs
+++ b/src/Sonarr.Api.V3/Config/HostConfigResource.cs
@ -15,6 +15,7 @@ namespace Sonarr.Api.V3.Config
        public bool EnableSsl { get; set; }
        public bool LaunchBrowser { get; set; }
        public AuthenticationType AuthenticationMethod { get; set; }
+        public AuthenticationRequiredType AuthenticationRequired { get; set; }
        public bool AnalyticsEnabled { get; set; }
        public string Username { get; set; }
        public string Password { get; set; }
@ -56,6 +57,7 @@ namespace Sonarr.Api.V3.Config
                EnableSsl = model.EnableSsl,
                LaunchBrowser = model.LaunchBrowser,
                AuthenticationMethod = model.AuthenticationMethod,
+                AuthenticationRequired = model.AuthenticationRequired,
                AnalyticsEnabled = model.AnalyticsEnabled,

                //Username
--- a/src/Sonarr.Http/Authentication/ApiKeyAuthenticationHandler.cs
+++ b/src/Sonarr.Http/Authentication/ApiKeyAuthenticationHandler.cs
@ -13,6 +13,7 @@ namespace Sonarr.Http.Authentication
    public class ApiKeyAuthenticationOptions : AuthenticationSchemeOptions
    {
        public const string DefaultScheme = "API Key";
+
        public string Scheme => DefaultScheme;
        public string AuthenticationType = DefaultScheme;

--- a/src/Sonarr.Http/Authentication/AuthenticationBuilderExtensions.cs
+++ b/src/Sonarr.Http/Authentication/AuthenticationBuilderExtensions.cs
@ -22,10 +22,16 @@ namespace Sonarr.Http.Authentication
            return authenticationBuilder.AddScheme<AuthenticationSchemeOptions, NoAuthenticationHandler>(name, options => { });
        }

+        public static AuthenticationBuilder AddExternal(this AuthenticationBuilder authenticationBuilder, string name)
+        {
+            return authenticationBuilder.AddScheme<AuthenticationSchemeOptions, NoAuthenticationHandler>(name, options => { });
+        }
+
        public static AuthenticationBuilder AddAppAuthentication(this IServiceCollection services)
        {
            return services.AddAuthentication()
                .AddNone(AuthenticationType.None.ToString())
+                .AddExternal(AuthenticationType.External.ToString())
                .AddBasic(AuthenticationType.Basic.ToString())
                .AddCookie(AuthenticationType.Forms.ToString(), options =>
                {
--- a/src/Sonarr.Http/Authentication/BypassableDenyAnonymousAuthorizationRequirement.cs
+++ b/src/Sonarr.Http/Authentication/BypassableDenyAnonymousAuthorizationRequirement.cs
@ -0,0 +1,8 @@
+using Microsoft.AspNetCore.Authorization.Infrastructure;
+
+namespace NzbDrone.Http.Authentication
+{
+    public class BypassableDenyAnonymousAuthorizationRequirement : DenyAnonymousAuthorizationRequirement
+    {
+    }
+}
--- a/src/Sonarr.Http/Authentication/UiAuthorizationHandler.cs
+++ b/src/Sonarr.Http/Authentication/UiAuthorizationHandler.cs
@ -0,0 +1,45 @@
+using System.Net;
+using System.Threading.Tasks;
+using Microsoft.AspNetCore.Authorization;
+using Microsoft.AspNetCore.Http;
+using NzbDrone.Common.Extensions;
+using NzbDrone.Core.Authentication;
+using NzbDrone.Core.Configuration;
+using NzbDrone.Core.Configuration.Events;
+using NzbDrone.Core.Messaging.Events;
+using Sonarr.Http.Extensions;
+
+namespace NzbDrone.Http.Authentication
+{
+    public class UiAuthorizationHandler : AuthorizationHandler<BypassableDenyAnonymousAuthorizationRequirement>, IAuthorizationRequirement, IHandle<ConfigSavedEvent>
+    {
+        private readonly IConfigFileProvider _configService;
+        private static AuthenticationRequiredType _authenticationRequired;
+
+        public UiAuthorizationHandler(IConfigFileProvider configService)
+        {
+            _configService = configService;
+            _authenticationRequired = configService.AuthenticationRequired;
+        }
+
+        protected override Task HandleRequirementAsync(AuthorizationHandlerContext context, BypassableDenyAnonymousAuthorizationRequirement requirement)
+        {
+            if (_authenticationRequired == AuthenticationRequiredType.DisabledForLocalAddresses)
+            {
+                if (context.Resource is HttpContext httpContext &&
+                    IPAddress.TryParse(httpContext.GetRemoteIP(), out var ipAddress) &&
+                    ipAddress.IsLocalAddress())
+                {
+                    context.Succeed(requirement);
+                }
+            }
+
+            return Task.CompletedTask;
+        }
+
+        public void Handle(ConfigSavedEvent message)
+        {
+            _authenticationRequired = _configService.AuthenticationRequired;
+        }
+    }
+}
--- a/src/Sonarr.Http/Authentication/UiAuthorizationPolicyProvider.cs
+++ b/src/Sonarr.Http/Authentication/UiAuthorizationPolicyProvider.cs
@ -29,7 +29,8 @@ namespace NzbDrone.Http.Authentication
            if (policyName.Equals(POLICY_NAME, StringComparison.OrdinalIgnoreCase))
            {
                var policy = new AuthorizationPolicyBuilder(_config.AuthenticationMethod.ToString())
-                    .RequireAuthenticatedUser();
+                    .AddRequirements(new BypassableDenyAnonymousAuthorizationRequirement());
+
                return Task.FromResult(policy.Build());
            }