api key unprotected

2021-05-09 03:06:23 +01:00
parent d063f10da5
commit 93394b3e82
2 changed files with 15 additions and 5 deletions
--- a/.gitlab-ci.yml
+++ b/.gitlab-ci.yml
@ -44,4 +44,5 @@ pack:
    paths:
      - bin/Release/nuget-host.*.nupkg
  script:
-    - dotnet pack --version-suffix ci --configuration Release --no-restore
+    - dotnet pack --configuration Release --no-restore
+    - nuget push -Source $NUGETSOURCE -ApiKey $NUGETSOURCEAPIKEY bin/Release/nuget-host.*.nupkg
--- a/Controllers/PackagesController.cs
+++ b/Controllers/PackagesController.cs
@ -3,6 +3,7 @@ using System.Collections.Generic;
 using System.IO;
 using System.IO.Compression;
 using System.Linq;
+using System.Security.Claims;
 using Microsoft.AspNetCore.Authorization;
 using Microsoft.AspNetCore.DataProtection;
 using Microsoft.AspNetCore.Mvc;
@ -10,26 +11,32 @@ using Microsoft.Extensions.Logging;
 using Microsoft.Extensions.Options;
 using NuGet.Packaging;
 using NuGet.Packaging.Core;
+using nuget_host.Data;
 using nuget_host.Entities;
 using nuget_host.Helpers;

 namespace nuget_host.Controllers
 {
+
+    [AllowAnonymous]
    public class PackagesController : Controller
    {
        private readonly ILogger<PackagesController> logger;
        private readonly IDataProtector protector;

        private readonly NugetSettings nugetSettings;
+        ApplicationDbContext dbContext;

        public PackagesController(
            ILoggerFactory loggerFactory,
            IDataProtectionProvider provider,
-            IOptions<NugetSettings> nugetOptions)
+            IOptions<NugetSettings> nugetOptions,
+            ApplicationDbContext dbContext)
        {
            logger = loggerFactory.CreateLogger<PackagesController>();
            nugetSettings = nugetOptions.Value;
            protector = provider.CreateProtector(nugetSettings.ProtectionTitle);
+            this.dbContext = dbContext;
        }

        [HttpPut("packages/{*spec}")]
@ -44,8 +51,10 @@ namespace nuget_host.Controllers
                ViewData["nuget client"] = "nuget {clientVersionId}";
                
                var clearkey = protector.Unprotect(apiKey);
-                if (clearkey!= Startup.RootApiKeySecret)
-                    return Unauthorized();
+                var userId =  User.FindFirstValue(ClaimTypes.NameIdentifier);
+                var apikey = dbContext.ApiKeys.SingleOrDefault(k => k.Id == clearkey);
+                if (apikey == null)
+                    return new BadRequestObjectResult(new {error = "api-key"});

                foreach (var file in Request.Form.Files)
                {
@ -95,7 +104,7 @@ namespace nuget_host.Controllers
            }
            else
            {
-                return BadRequest();
+                return new BadRequestObjectResult(ViewData);
            }
            return Ok(ViewData);
        }