Radarr/src/Radarr.Http/Authentication/AuthenticationService.cs

using System;
using System.Linq;
using System.Net;
using System.Security.Claims;
using System.Security.Principal;
using Nancy;
using Nancy.Authentication.Basic;
using Nancy.Authentication.Forms;
using NLog;
using NzbDrone.Common.Extensions;
using NzbDrone.Core.Authentication;
using NzbDrone.Core.Configuration;
using Radarr.Http.Extensions;

namespace Radarr.Http.Authentication
{
    public interface IAuthenticationService : IUserValidator, IUserMapper
    {
        void SetContext(NancyContext context);

        void LogUnauthorized(NancyContext context);
        User Login(NancyContext context, string username, string password);
        void Logout(NancyContext context);
        bool IsAuthenticated(NancyContext context);
    }

    public class AuthenticationService : IAuthenticationService
    {
        private const string AnonymousUser = "Anonymous";
        private static readonly Logger _authLogger = LogManager.GetLogger("Auth");
        private readonly IUserService _userService;

        private static string API_KEY;
        private static AuthenticationType AUTH_METHOD;

        [ThreadStatic]
        private static NancyContext _context;

        public AuthenticationService(IConfigFileProvider configFileProvider, IUserService userService)
        {
            _userService = userService;
            API_KEY = configFileProvider.ApiKey;
            AUTH_METHOD = configFileProvider.AuthenticationMethod;
        }

        public void SetContext(NancyContext context)
        {
            // Validate and GetUserIdentifier don't have access to the NancyContext so get it from the pipeline earlier
            _context = context;
        }

        public User Login(NancyContext context, string username, string password)
        {
            if (AUTH_METHOD == AuthenticationType.None)
            {
                return null;
            }

            var user = _userService.FindUser(username, password);

            if (user != null)
            {
                LogSuccess(context, username);

                return user;
            }

            LogFailure(context, username);

            return null;
        }

        public void Logout(NancyContext context)
        {
            if (AUTH_METHOD == AuthenticationType.None)
            {
                return;
            }

            if (context.CurrentUser != null)
            {
                LogLogout(context, context.CurrentUser.Identity.Name);
            }
        }

        public ClaimsPrincipal Validate(string username, string password)
        {
            if (AUTH_METHOD == AuthenticationType.None)
            {
                return new ClaimsPrincipal(new GenericIdentity(AnonymousUser));
            }

            var user = _userService.FindUser(username, password);

            if (user != null)
            {
                if (AUTH_METHOD != AuthenticationType.Basic)
                {
                    // Don't log success for basic auth
                    LogSuccess(_context, username);
                }

                return new ClaimsPrincipal(new GenericIdentity(user.Username));
            }

            LogFailure(_context, username);

            return null;
        }

        public ClaimsPrincipal GetUserFromIdentifier(Guid identifier, NancyContext context)
        {
            if (AUTH_METHOD == AuthenticationType.None)
            {
                return new ClaimsPrincipal(new GenericIdentity(AnonymousUser));
            }

            var user = _userService.FindUser(identifier);

            if (user != null)
            {
                return new ClaimsPrincipal(new GenericIdentity(user.Username));
            }

            LogInvalidated(_context);

            return null;
        }

        public bool IsAuthenticated(NancyContext context)
        {
            var apiKey = GetApiKey(context);

            if (context.Request.IsApiRequest())
            {
                return ValidApiKey(apiKey);
            }

            if (AUTH_METHOD == AuthenticationType.None)
            {
                return true;
            }

            if (context.Request.IsFeedRequest())
            {
                if (ValidUser(context) || ValidApiKey(apiKey))
                {
                    return true;
                }

                return false;
            }

            if (context.Request.IsLoginRequest())
            {
                return true;
            }

            if (context.Request.IsContentRequest())
            {
                return true;
            }

            if (ValidUser(context))
            {
                return true;
            }

            return false;
        }

        private bool ValidUser(NancyContext context)
        {
            if (context.CurrentUser != null)
            {
                return true;
            }

            return false;
        }

        private bool ValidApiKey(string apiKey)
        {
            if (API_KEY.Equals(apiKey))
            {
                return true;
            }

            return false;
        }

        private string GetApiKey(NancyContext context)
        {
            var apiKeyHeader = context.Request.Headers["X-Api-Key"].FirstOrDefault();
            var apiKeyQueryString = context.Request.Query["ApiKey"];

            if (!apiKeyHeader.IsNullOrWhiteSpace())
            {
                return apiKeyHeader;
            }

            if (apiKeyQueryString.HasValue)
            {
                return apiKeyQueryString.Value;
            }

            return context.Request.Headers.Authorization;
        }

        public void LogUnauthorized(NancyContext context)
        {
            _authLogger.Info("Auth-Unauthorized ip {0} url '{1}'", GetRemoteIP(context), context.Request.Url.ToString());
        }

        private void LogInvalidated(NancyContext context)
        {
            _authLogger.Info("Auth-Invalidated ip {0}", GetRemoteIP(context));
        }

        private void LogFailure(NancyContext context, string username)
        {
            _authLogger.Warn("Auth-Failure ip {0} username '{1}'", GetRemoteIP(context), username);
        }

        private void LogSuccess(NancyContext context, string username)
        {
            _authLogger.Info("Auth-Success ip {0} username '{1}'", GetRemoteIP(context), username);
        }

        private void LogLogout(NancyContext context, string username)
        {
            _authLogger.Info("Auth-Logout ip {0} username '{1}'", GetRemoteIP(context), username);
        }

        private string GetRemoteIP(NancyContext context)
        {
            if (context == null || context.Request == null)
            {
                return "Unknown";
            }

            var remoteAddress = context.Request.UserHostAddress;
            IPAddress remoteIP;

            // Only check if forwarded by a local network reverse proxy
            if (IPAddress.TryParse(remoteAddress, out remoteIP) && remoteIP.IsLocalAddress())
            {
                var realIPHeader = context.Request.Headers["X-Real-IP"];
                if (realIPHeader.Any())
                {
                    return realIPHeader.First().ToString();
                }

                var forwardedForHeader = context.Request.Headers["X-Forwarded-For"];
                if (forwardedForHeader.Any())
                {
                    // Get the first address that was forwarded by a local IP to prevent remote clients faking another proxy
                    foreach (var forwardedForAddress in forwardedForHeader.SelectMany(v => v.Split(',')).Select(v => v.Trim()).Reverse())
                    {
                        if (!IPAddress.TryParse(forwardedForAddress, out remoteIP))
                        {
                            return remoteAddress;
                        }

                        if (!remoteIP.IsLocalAddress())
                        {
                            return forwardedForAddress;
                        }

                        remoteAddress = forwardedForAddress;
                    }
                }
            }

            return remoteAddress;
        }
    }
}
Log Real IP on Authentication failure in case of a reverse proxy closes #3711 2020-04-27 21:58:35 +00:00			`using System;`
Merged authentication so they don't step on eachother Fixed: iCal authentication with API Key 2014-05-10 22:24:29 +00:00			`using System.Linq;`
Log Real IP on Authentication failure in case of a reverse proxy closes #3711 2020-04-27 21:58:35 +00:00			`using System.Net;`
Updated Nancy to 2.0 2019-08-28 21:43:55 +00:00			`using System.Security.Claims;`
			`using System.Security.Principal;`
Merged authentication so they don't step on eachother Fixed: iCal authentication with API Key 2014-05-10 22:24:29 +00:00			`using Nancy;`
Allow Basic Auth on API 2013-09-23 22:31:50 +00:00			`using Nancy.Authentication.Basic;`
New: Forms authentication 2015-01-26 02:03:21 +00:00			`using Nancy.Authentication.Forms;`
New: Added Auth-* log entries for fail2ban purposes 2019-08-27 21:29:16 +00:00			`using NLog;`
Moved Extension methods in common to subfolder 2014-12-02 06:26:25 +00:00			`using NzbDrone.Common.Extensions;`
New: Forms authentication 2015-01-26 02:03:21 +00:00			`using NzbDrone.Core.Authentication;`
Added Auth, startup options to UI Added caching to ConfigFileProvider, 2013-05-23 05:12:01 +00:00			`using NzbDrone.Core.Configuration;`
New: Backend changes for new UI 2018-11-23 07:03:32 +00:00			`using Radarr.Http.Extensions;`
Basic Authentication Added 2013-05-22 00:58:57 +00:00
New: Backend changes for new UI 2018-11-23 07:03:32 +00:00			`namespace Radarr.Http.Authentication`
Basic Authentication Added 2013-05-22 00:58:57 +00:00			`{`
New: Forms authentication 2015-01-26 02:03:21 +00:00			`public interface IAuthenticationService : IUserValidator, IUserMapper`
fixed authentication. at least locally. need to test remote. 2013-05-23 02:10:02 +00:00			`{`
New: Added Auth-* log entries for fail2ban purposes 2019-08-27 21:29:16 +00:00			`void SetContext(NancyContext context);`

			`void LogUnauthorized(NancyContext context);`
			`User Login(NancyContext context, string username, string password);`
			`void Logout(NancyContext context);`
Allow Basic Auth on API 2013-09-23 22:31:50 +00:00			`bool IsAuthenticated(NancyContext context);`
fixed authentication. at least locally. need to test remote. 2013-05-23 02:10:02 +00:00			`}`

			`public class AuthenticationService : IAuthenticationService`
Basic Authentication Added 2013-05-22 00:58:57 +00:00			`{`
Updated Nancy to 2.0 2019-08-28 21:43:55 +00:00			`private const string AnonymousUser = "Anonymous";`
Reformat and apply Stylecop rules 2019-12-22 22:08:53 +00:00			`private static readonly Logger _authLogger = LogManager.GetLogger("Auth");`
New: Added Auth-* log entries for fail2ban purposes 2019-08-27 21:29:16 +00:00			`private readonly IUserService _userService;`

Replaced built-in valuetypes with language keywords. 2015-10-03 17:45:26 +00:00			`private static string API_KEY;`
Reloading the page before restarting won't break the UI when changing authentication method 2015-02-02 19:54:49 +00:00			`private static AuthenticationType AUTH_METHOD;`
fixed authentication. at least locally. need to test remote. 2013-05-23 02:10:02 +00:00
New: Added Auth-* log entries for fail2ban purposes 2019-08-27 21:29:16 +00:00			`[ThreadStatic]`
Remove trailing whitespace 2019-12-22 21:24:11 +00:00			`private static NancyContext _context;`
New: Added Auth-* log entries for fail2ban purposes 2019-08-27 21:29:16 +00:00
Removed obsolete code. 2019-09-01 09:28:07 +00:00			`public AuthenticationService(IConfigFileProvider configFileProvider, IUserService userService)`
Basic Authentication Added 2013-05-22 00:58:57 +00:00			`{`
New: Forms authentication 2015-01-26 02:03:21 +00:00			`_userService = userService;`
Merged authentication so they don't step on eachother Fixed: iCal authentication with API Key 2014-05-10 22:24:29 +00:00			`API_KEY = configFileProvider.ApiKey;`
Reloading the page before restarting won't break the UI when changing authentication method 2015-02-02 19:54:49 +00:00			`AUTH_METHOD = configFileProvider.AuthenticationMethod;`
Basic Authentication Added 2013-05-22 00:58:57 +00:00			`}`

New: Added Auth-* log entries for fail2ban purposes 2019-08-27 21:29:16 +00:00			`public void SetContext(NancyContext context)`
			`{`
			`// Validate and GetUserIdentifier don't have access to the NancyContext so get it from the pipeline earlier`
			`_context = context;`
			`}`

			`public User Login(NancyContext context, string username, string password)`
			`{`
			`if (AUTH_METHOD == AuthenticationType.None)`
			`{`
			`return null;`
			`}`

			`var user = _userService.FindUser(username, password);`

			`if (user != null)`
			`{`
			`LogSuccess(context, username);`

			`return user;`
			`}`

			`LogFailure(context, username);`

			`return null;`
			`}`

			`public void Logout(NancyContext context)`
			`{`
			`if (AUTH_METHOD == AuthenticationType.None)`
			`{`
			`return;`
			`}`

			`if (context.CurrentUser != null)`
			`{`
Updated Nancy to 2.0 2019-08-28 21:43:55 +00:00			`LogLogout(context, context.CurrentUser.Identity.Name);`
New: Added Auth-* log entries for fail2ban purposes 2019-08-27 21:29:16 +00:00			`}`
			`}`

Updated Nancy to 2.0 2019-08-28 21:43:55 +00:00			`public ClaimsPrincipal Validate(string username, string password)`
Basic Authentication Added 2013-05-22 00:58:57 +00:00			`{`
Reloading the page before restarting won't break the UI when changing authentication method 2015-02-02 19:54:49 +00:00			`if (AUTH_METHOD == AuthenticationType.None)`
fixed authentication. 2013-05-22 05:55:53 +00:00			`{`
Updated Nancy to 2.0 2019-08-28 21:43:55 +00:00			`return new ClaimsPrincipal(new GenericIdentity(AnonymousUser));`
fixed authentication. 2013-05-22 05:55:53 +00:00			`}`

New: Forms authentication 2015-01-26 02:03:21 +00:00			`var user = _userService.FindUser(username, password);`

			`if (user != null)`
Basic Authentication Added 2013-05-22 00:58:57 +00:00			`{`
New: Added Auth-* log entries for fail2ban purposes 2019-08-27 21:29:16 +00:00			`if (AUTH_METHOD != AuthenticationType.Basic)`
			`{`
			`// Don't log success for basic auth`
			`LogSuccess(_context, username);`
			`}`

Updated Nancy to 2.0 2019-08-28 21:43:55 +00:00			`return new ClaimsPrincipal(new GenericIdentity(user.Username));`
Basic Authentication Added 2013-05-22 00:58:57 +00:00			`}`

New: Added Auth-* log entries for fail2ban purposes 2019-08-27 21:29:16 +00:00			`LogFailure(_context, username);`

Basic Authentication Added 2013-05-22 00:58:57 +00:00			`return null;`
			`}`
Cleaned up auth settings 2013-07-14 07:00:50 +00:00
Updated Nancy to 2.0 2019-08-28 21:43:55 +00:00			`public ClaimsPrincipal GetUserFromIdentifier(Guid identifier, NancyContext context)`
Cleaned up auth settings 2013-07-14 07:00:50 +00:00			`{`
Reloading the page before restarting won't break the UI when changing authentication method 2015-02-02 19:54:49 +00:00			`if (AUTH_METHOD == AuthenticationType.None)`
Cleaned up auth settings 2013-07-14 07:00:50 +00:00			`{`
Updated Nancy to 2.0 2019-08-28 21:43:55 +00:00			`return new ClaimsPrincipal(new GenericIdentity(AnonymousUser));`
Cleaned up auth settings 2013-07-14 07:00:50 +00:00			`}`
New: Forms authentication 2015-01-26 02:03:21 +00:00
			`var user = _userService.FindUser(identifier);`

			`if (user != null)`
			`{`
Updated Nancy to 2.0 2019-08-28 21:43:55 +00:00			`return new ClaimsPrincipal(new GenericIdentity(user.Username));`
New: Forms authentication 2015-01-26 02:03:21 +00:00			`}`

New: Added Auth-* log entries for fail2ban purposes 2019-08-27 21:29:16 +00:00			`LogInvalidated(_context);`

New: Forms authentication 2015-01-26 02:03:21 +00:00			`return null;`
Cleaned up auth settings 2013-07-14 07:00:50 +00:00			`}`
Allow Basic Auth on API 2013-09-23 22:31:50 +00:00
			`public bool IsAuthenticated(NancyContext context)`
			`{`
Merged authentication so they don't step on eachother Fixed: iCal authentication with API Key 2014-05-10 22:24:29 +00:00			`var apiKey = GetApiKey(context);`
Allow Basic Auth on API 2013-09-23 22:31:50 +00:00
Merged authentication so they don't step on eachother Fixed: iCal authentication with API Key 2014-05-10 22:24:29 +00:00			`if (context.Request.IsApiRequest())`
			`{`
			`return ValidApiKey(apiKey);`
			`}`

Reloading the page before restarting won't break the UI when changing authentication method 2015-02-02 19:54:49 +00:00			`if (AUTH_METHOD == AuthenticationType.None)`
Merged authentication so they don't step on eachother Fixed: iCal authentication with API Key 2014-05-10 22:24:29 +00:00			`{`
New: Forms authentication 2015-01-26 02:03:21 +00:00			`return true;`
			`}`
Merged authentication so they don't step on eachother Fixed: iCal authentication with API Key 2014-05-10 22:24:29 +00:00
New: Forms authentication 2015-01-26 02:03:21 +00:00			`if (context.Request.IsFeedRequest())`
			`{`
Merged authentication so they don't step on eachother Fixed: iCal authentication with API Key 2014-05-10 22:24:29 +00:00			`if (ValidUser(context) \|\| ValidApiKey(apiKey))`
			`{`
			`return true;`
			`}`

			`return false;`
			`}`

New: Forms authentication 2015-01-26 02:03:21 +00:00			`if (context.Request.IsLoginRequest())`
			`{`
			`return true;`
			`}`

			`if (context.Request.IsContentRequest())`
Merged authentication so they don't step on eachother Fixed: iCal authentication with API Key 2014-05-10 22:24:29 +00:00			`{`
			`return true;`
			`}`

			`if (ValidUser(context))`
			`{`
			`return true;`
			`}`

			`return false;`
			`}`

			`private bool ValidUser(NancyContext context)`
			`{`
Reformat and apply Stylecop rules 2019-12-22 22:08:53 +00:00			`if (context.CurrentUser != null)`
			`{`
			`return true;`
			`}`
Merged authentication so they don't step on eachother Fixed: iCal authentication with API Key 2014-05-10 22:24:29 +00:00
			`return false;`
			`}`

			`private bool ValidApiKey(string apiKey)`
			`{`
Reformat and apply Stylecop rules 2019-12-22 22:08:53 +00:00			`if (API_KEY.Equals(apiKey))`
			`{`
			`return true;`
			`}`
Merged authentication so they don't step on eachother Fixed: iCal authentication with API Key 2014-05-10 22:24:29 +00:00
			`return false;`
			`}`

			`private string GetApiKey(NancyContext context)`
			`{`
			`var apiKeyHeader = context.Request.Headers["X-Api-Key"].FirstOrDefault();`
			`var apiKeyQueryString = context.Request.Query["ApiKey"];`

			`if (!apiKeyHeader.IsNullOrWhiteSpace())`
			`{`
			`return apiKeyHeader;`
			`}`

			`if (apiKeyQueryString.HasValue)`
			`{`
			`return apiKeyQueryString.Value;`
			`}`

			`return context.Request.Headers.Authorization;`
Allow Basic Auth on API 2013-09-23 22:31:50 +00:00			`}`
New: Added Auth-* log entries for fail2ban purposes 2019-08-27 21:29:16 +00:00
			`public void LogUnauthorized(NancyContext context)`
			`{`
Log Real IP on Authentication failure in case of a reverse proxy closes #3711 2020-04-27 21:58:35 +00:00			`_authLogger.Info("Auth-Unauthorized ip {0} url '{1}'", GetRemoteIP(context), context.Request.Url.ToString());`
New: Added Auth-* log entries for fail2ban purposes 2019-08-27 21:29:16 +00:00			`}`

			`private void LogInvalidated(NancyContext context)`
			`{`
Log Real IP on Authentication failure in case of a reverse proxy closes #3711 2020-04-27 21:58:35 +00:00			`_authLogger.Info("Auth-Invalidated ip {0}", GetRemoteIP(context));`
New: Added Auth-* log entries for fail2ban purposes 2019-08-27 21:29:16 +00:00			`}`

			`private void LogFailure(NancyContext context, string username)`
			`{`
Log Real IP on Authentication failure in case of a reverse proxy closes #3711 2020-04-27 21:58:35 +00:00			`_authLogger.Warn("Auth-Failure ip {0} username '{1}'", GetRemoteIP(context), username);`
New: Added Auth-* log entries for fail2ban purposes 2019-08-27 21:29:16 +00:00			`}`

			`private void LogSuccess(NancyContext context, string username)`
			`{`
Log Real IP on Authentication failure in case of a reverse proxy closes #3711 2020-04-27 21:58:35 +00:00			`_authLogger.Info("Auth-Success ip {0} username '{1}'", GetRemoteIP(context), username);`
New: Added Auth-* log entries for fail2ban purposes 2019-08-27 21:29:16 +00:00			`}`

			`private void LogLogout(NancyContext context, string username)`
			`{`
Log Real IP on Authentication failure in case of a reverse proxy closes #3711 2020-04-27 21:58:35 +00:00			`_authLogger.Info("Auth-Logout ip {0} username '{1}'", GetRemoteIP(context), username);`
			`}`

			`private string GetRemoteIP(NancyContext context)`
			`{`
			`if (context == null \|\| context.Request == null)`
			`{`
			`return "Unknown";`
			`}`

			`var remoteAddress = context.Request.UserHostAddress;`
			`IPAddress remoteIP;`

			`// Only check if forwarded by a local network reverse proxy`
			`if (IPAddress.TryParse(remoteAddress, out remoteIP) && remoteIP.IsLocalAddress())`
			`{`
			`var realIPHeader = context.Request.Headers["X-Real-IP"];`
			`if (realIPHeader.Any())`
			`{`
			`return realIPHeader.First().ToString();`
			`}`

			`var forwardedForHeader = context.Request.Headers["X-Forwarded-For"];`
			`if (forwardedForHeader.Any())`
			`{`
			`// Get the first address that was forwarded by a local IP to prevent remote clients faking another proxy`
			`foreach (var forwardedForAddress in forwardedForHeader.SelectMany(v => v.Split(',')).Select(v => v.Trim()).Reverse())`
			`{`
			`if (!IPAddress.TryParse(forwardedForAddress, out remoteIP))`
			`{`
			`return remoteAddress;`
			`}`

			`if (!remoteIP.IsLocalAddress())`
			`{`
			`return forwardedForAddress;`
			`}`

			`remoteAddress = forwardedForAddress;`
			`}`
			`}`
			`}`

			`return remoteAddress;`
New: Added Auth-* log entries for fail2ban purposes 2019-08-27 21:29:16 +00:00			`}`
Basic Authentication Added 2013-05-22 00:58:57 +00:00			`}`
			`}`