public override bool AuthorizeAdmin(AuthorizationFilterContext context)
{
bool result = base.AuthorizeAdmin(context);
if (!result)
{
return(false);
}
string sessionId = context.HttpContext.Request.Cookies["SessionId"];
string userName = EncoderUtils.Base64Decode(sessionId.Split("-")[USER_NAME_INDEX]);
IUserDAO userDAO = context.HttpContext.RequestServices.GetRequiredService <IUserDAO>();
UserDBModel user = userDAO.GetUser(userName);
if (user.Role < ADMIN_ROLE)
{
CtfOptions ctfOptions = context.HttpContext.RequestServices.GetRequiredService <IOptions <CtfOptions> >().Value;
CtfChallangeModel ctfChallange = ctfOptions.CtfChallanges
.Where(x => x.Type == CtfChallengeTypes.ChangeRoleInCookie)
.Single();
context.HttpContext.Response.Headers.Add(ctfChallange.FlagKey, ctfChallange.Flag);
}
return(true);
}
public CtfUserBL(ITransactionDAO transactionDAO, IWebHostEnvironment webHostEnvironment, IUserDAO userDAO,
IHttpContextAccessor httpContextAccessor, IOptions <CtfOptions> ctfOptions) : base(transactionDAO, userDAO, webHostEnvironment)
{
_userDAO = userDAO;
_httpContextAccessor = httpContextAccessor;
_ctfOptions = ctfOptions.Value;
}
public CtfAuthBL(IUserDAO userDAO, ITransactionDAO transactionDAO, IEmailSender emailSender,
IHttpContextAccessor httpContextAccessor, IOptions <CtfOptions> options,
IUrlHelperFactory urlHelperFactory, IActionContextAccessor actionContextAccessor, IOptions <AppSettings> appSettings)
: base(userDAO, transactionDAO, emailSender, httpContextAccessor, appSettings)
{
_urlHelperFactory = urlHelperFactory;
_actionContextAccessor = actionContextAccessor;
_ctfOptions = options.Value;
}
public CtfStoreBL(
ITransactionDAO transactionDAO,
StoreAPICalls storeAPICalls,
IHttpContextAccessor httpContextAccessor,
IOptions <CtfOptions> ctfOptions,
IMemoryCache memoryCache)
: base(transactionDAO, storeAPICalls)
{
_httpContextAccessor = httpContextAccessor;
_memoryCache = memoryCache;
_ctfOptions = ctfOptions.Value;
}
public CtfTransactionBL(
ITransactionDAO transactionDAO,
IUserDAO userDAO,
IHttpContextAccessor httpContextAccessor,
IActionContextAccessor actionContextAccessor,
IOptions <CtfOptions> ctfOptions) : base(transactionDAO)
{
_userDAO = userDAO;
_httpContextAccessor = httpContextAccessor;
_actionContextAccessor = actionContextAccessor;
_ctfOptions = ctfOptions.Value;
}
public void OnActionExecuting(ActionExecutingContext context)
{
CtfOptions ctfOptions = context.HttpContext.RequestServices.GetRequiredService <IOptions <CtfOptions> >().Value;
if (ctfOptions.CtfChallengeOptions.UnknownGeneration)
{
CtfChallangeModel unkonwChallange = ctfOptions.CtfChallanges
.Where(x => x.Type == CtfChallengeTypes.UnknownGeneration)
.Single();
context.HttpContext.Response.Headers.Add(unkonwChallange.FlagKey, unkonwChallange.Flag);
}
else if (ctfOptions.IsCtfEnabled)
{
context.Result = new NotFoundResult();
}
}
public override bool AuthorizeAdmin(AuthorizationFilterContext context)
{
bool result = base.AuthorizeAdmin(context);
if (!result)
{
return(false);
}
IEnumerable <Claim> claims = _cookieService.GetClaims(context.HttpContext);
string userName = claims
.Where(x => x.Type == CookieConstants.USERNAME_CALIM_TYPE)
.Select(x => x.Value)
.SingleOrDefault();
IUserDAO userDAO = context.HttpContext.RequestServices.GetRequiredService <IUserDAO>();
UserDBModel user = userDAO.GetUser(userName);
if (_ctfOptions.CtfChallengeOptions.ChangeRoleInCookie)
{
if (user.Role < 50)
{
CtfOptions ctfOptions = context.HttpContext.RequestServices.GetRequiredService <IOptions <CtfOptions> >().Value;
CtfChallangeModel ctfChallange = ctfOptions.CtfChallanges
.Where(x => x.Type == CtfChallengeTypes.ChangeRoleInCookie)
.Single();
context.HttpContext.Response.Headers.Add(ctfChallange.FlagKey, ctfChallange.Flag);
}
}
else
{
if (user.Role < 50)
{
return(false);
}
}
return(true);
}
public void OnActionExecuting(ActionExecutingContext context)
{
CtfOptions ctfOptions = context.HttpContext.RequestServices.GetRequiredService <IOptions <CtfOptions> >().Value;
if (!ctfOptions.IsCtfEnabled)
{
context.Result = new OkObjectResult("Admin Registration");
}
else if (ctfOptions.CtfChallengeOptions.HiddenPageRegisterAdmin)
{
CtfChallangeModel hiddenPageChallange = ctfOptions.CtfChallanges
.Where(x => x.Type == CtfChallengeTypes.HiddenPage)
.Single();
context.Result = new OkObjectResult(hiddenPageChallange.Flag);
}
else
{
context.Result = new NotFoundResult();
}
}
public void OnException(ExceptionContext context)
{
CtfOptions ctfOptions = context.HttpContext.RequestServices.GetRequiredService <IOptions <CtfOptions> >().Value;
List <string> allowdErrors = new List <string>();
if (ctfOptions.IsCtfEnabled)
{
if (ctfOptions.CtfChallengeOptions.ExceptionHandlingTransactionCreate)
{
allowdErrors.Add("/api/Transaction/Create");
}
if (ctfOptions.CtfChallengeOptions.ExceptionHandlingTransactionUpload)
{
allowdErrors.Add("/Upload/UploadTansactions");
}
}
else
{
allowdErrors.Add("/api/Transaction/Create");
allowdErrors.Add("/Upload/UploadTansactions");
}
if (allowdErrors.Any(x => x == context.HttpContext.Request.Path))
{
//Allow developer page exception
return;
}
_logger.Error(context.Exception, "There was an exception");
ViewResult result = new ViewResult {
ViewName = "Error"
};
context.Result = result;
}
public override bool AuthorizeMissing(AuthorizationFilterContext context)
{
CtfOptions ctfOptions = context.HttpContext.RequestServices.GetRequiredService <IOptions <CtfOptions> >().Value;
ICookieService cookieService = context.HttpContext.RequestServices.GetRequiredService <ICookieService>();
bool isCookieValid = cookieService.ValidateCookie(context.HttpContext);
if (ctfOptions.CtfChallengeOptions.MissingAuthentication)
{
CtfChallangeModel missingAuth = ctfOptions.CtfChallanges
.Where(x => x.Type == CtfChallengeTypes.MissingAuthentication)
.Single();
context.HttpContext.Response.Headers.Add(missingAuth.FlagKey, missingAuth.Flag);
}
else
{
if (!isCookieValid)
{
return(false);
}
else
{
IEnumerable <Claim> claims = _cookieService.GetClaims(context.HttpContext);
if (claims == null)
{
return(false);
}
GenericPrincipal tmpUser = new GenericPrincipal(new ClaimsIdentity(claims), Array.Empty <string>());
context.HttpContext.User = tmpUser;
}
}
return(true);
}
// This method gets called by the runtime. Use this method to configure the HTTP request pipeline.
public void Configure(IApplicationBuilder app, IWebHostEnvironment env)
{
AppSettings appSettings = Configuration.GetSection("AppSettings").Get <AppSettings>();
CtfOptions ctfOptions = app.ApplicationServices.GetRequiredService <IOptions <CtfOptions> >().Value;
app.UseDeveloperExceptionPage();
app.UseSwagger();
app.UseSwaggerUI(x =>
{
x.SwaggerEndpoint("/swagger/v1/swagger.json", "SecureBank API");
if (ctfOptions.CtfChallengeOptions.Swagger)
{
CtfChallangeModel swaggerChallange = ctfOptions.CtfChallanges
.Where(x => x.Type == CtfChallengeTypes.Swagger)
.Single();
string swaggerCssPath = "css/swagger.css";
string css = @$ "
.topbar-wrapper img[alt='Swagger UI'], .topbar-wrapper span {{
visibility: hidden;
}}
public CtfPortalSearchBL(IHttpContextAccessor httpContextAccessor, IOptions <CtfOptions> ctfOptions)
{
_httpContextAccessor = httpContextAccessor;
_ctfOptions = ctfOptions.Value;
}
public CtfAuthorizeService(ICookieService cookieService, IOptions <CtfOptions> ctfOptions) : base(cookieService)
{
_ctfOptions = ctfOptions.Value;
}
// This method gets called by the runtime. Use this method to add services to the container.
public void ConfigureServices(IServiceCollection services)
{
AppSettings appSettings = Configuration.GetSection("AppSettings").Get <AppSettings>();
if (appSettings != null)
{
services.Configure <AppSettings>(options =>
{
options.StoreEndpoint = appSettings.StoreEndpoint;
options.SmtpCredentials = appSettings.SmtpCredentials;
options.LegalURL = appSettings.LegalURL;
options.IgnoreEmails = appSettings.SmtpCredentials == null || string.IsNullOrEmpty(appSettings.SmtpCredentials.Ip) ? true : false;
});
}
DatabaseSettings customerDbSettings = Configuration.GetSection("DatabaseConnections:SecureBankMSSQL").Get <DatabaseSettings>();
if (customerDbSettings != null)
{
string customerConnectionString = string.Format("Server={0},{1};Database={2};User Id={3};Password={4}",
customerDbSettings.Server,
customerDbSettings.ServerPort,
customerDbSettings.Database,
customerDbSettings.UserId,
customerDbSettings.UserPass);
_logger.Info(customerConnectionString);
// configure mssql
services.AddDbContext <PortalDBContext>(options => options.UseSqlServer(customerConnectionString));
}
else
{
//configure sqlite
services.AddDbContext <PortalDBContext>(options => options.UseSqlite("Filename=./customerDB.db"));
}
services.AddTransient <IActionContextAccessor, ActionContextAccessor>();
services.AddTransient <ITransactionDAO, TransactionDAO>();
services.AddTransient <IUserDAO, UserDAO>();
services.AddTransient <IDbInitializer, DbInitializer>();
services.AddScoped <StoreAPICalls>();
services.AddTransient <IEmailSender, EmailSender>();
services.AddScoped <IUserBL, UserBL>();
services.AddScoped <ITransactionBL, TransactionBL>();
services.AddScoped <IStoreBL, StoreBL>();
services.AddScoped <IPortalSearchBL, PortalSearchBL>();
services.AddScoped <IAuthBL, AuthBL>();
services.AddScoped <IUploadFileBL, UploadFileBL>();
services.AddScoped <IAdminBL, AdminBL>();
services.AddScoped <IAdminStoreBL, AdminStoreBL>();
services.AddAuthorization(options =>
{
AuthorizationPolicyBuilder defaultAuthorizationPolicyBuilder = new AuthorizationPolicyBuilder();
defaultAuthorizationPolicyBuilder.RequireAssertion(x => true);
options.DefaultPolicy = defaultAuthorizationPolicyBuilder.Build();
});
services.AddSingleton <IAuthorizeService, AuthorizeService>();
services.AddSingleton <IUserExtensions, UserExtensions>();
if (appSettings?.Ctf?.Enabled ?? false)
{
services.ConfigureCtf(Configuration);
}
services.AddControllersWithViews();
services.AddSwaggerGen(x =>
{
if (appSettings?.Ctf?.Enabled ?? false)
{
//TO DO: Try to change this so singelton services are not created
#pragma warning disable ASP0000
IServiceProvider serviceProvider = services.BuildServiceProvider();
CtfOptions ctfOptions = serviceProvider.GetService <IOptions <CtfOptions> >()?.Value;
CtfChallangeModel swaggerChallange = ctfOptions?.CtfChallanges
.Where(x => x.Type == CtfChallengeTypes.Swagger)
.Single();
x.SwaggerDoc("v1", new Microsoft.OpenApi.Models.OpenApiInfo {
Title = "BankWeb API", Version = "v1", Description = swaggerChallange?.Flag
});
}
else
{
x.SwaggerDoc("v1", new Microsoft.OpenApi.Models.OpenApiInfo {
Title = "BankWeb API", Version = "v1"
});
}
string xmlPath = System.IO.Path.Combine(AppContext.BaseDirectory, $"{System.Reflection.Assembly.GetExecutingAssembly().GetName().Name}.xml");
x.IncludeXmlComments(xmlPath);
});
}
public UserExtensions(ICookieService cookieService, IOptions <CtfOptions> ctfOptions)
{
_cookieService = cookieService;
_ctfOptions = ctfOptions.Value;
}
// This method gets called by the runtime. Use this method to add services to the container.
public void ConfigureServices(IServiceCollection services)
{
AppSettings appSettings = Configuration.GetSection("AppSettings").Get <AppSettings>();
if (appSettings != null)
{
services.Configure <AppSettings>(options =>
{
options.StoreEndpoint = appSettings.StoreEndpoint;
options.SmtpCredentials = appSettings.SmtpCredentials;
options.IgnoreEmails = string.IsNullOrEmpty(appSettings.SmtpCredentials.Ip);
options.BaseUrl = appSettings.BaseUrl;
});
}
else
{
throw new Exception("Appsettings cannot be null");
}
DatabaseSettings customerDbSettings = Configuration.GetSection("DatabaseConnections:SecureBankMSSQL").Get <DatabaseSettings>();
if (customerDbSettings != null)
{
string customerConnectionString = string.Format("Server={0},{1};Database={2};User Id={3};Password={4}",
customerDbSettings.Server,
customerDbSettings.ServerPort,
customerDbSettings.Database,
customerDbSettings.UserId,
customerDbSettings.UserPass);
_logger.Info(customerConnectionString);
// configure mssql
services.AddDbContext <PortalDBContext>(options => options.UseSqlServer(customerConnectionString));
}
else
{
//configure sqlite
services.AddDbContext <PortalDBContext>(options => options.UseSqlite("Filename=./customerDB.db"));
}
services.AddTransient <IActionContextAccessor, ActionContextAccessor>();
services.AddTransient <ITransactionDAO, TransactionDAO>();
services.AddTransient <IUserDAO, UserDAO>();
services.AddTransient <IDbInitializer, DbInitializer>();
services.AddScoped <StoreAPICalls>();
services.AddTransient <IEmailSender, EmailSender>();
services.AddScoped <IUserBL, UserBL>();
services.AddScoped <ITransactionBL, TransactionBL>();
services.AddScoped <IStoreBL, StoreBL>();
services.AddScoped <IPortalSearchBL, PortalSearchBL>();
services.AddScoped <IAuthBL, AuthBL>();
services.AddScoped <IUploadFileBL, UploadFileBL>();
services.AddScoped <IAdminBL, AdminBL>();
services.AddScoped <IAdminStoreBL, AdminStoreBL>();
services.AddAuthorization(options =>
{
AuthorizationPolicyBuilder defaultAuthorizationPolicyBuilder = new AuthorizationPolicyBuilder();
defaultAuthorizationPolicyBuilder.RequireAssertion(x => true);
options.DefaultPolicy = defaultAuthorizationPolicyBuilder.Build();
});
services.AddSingleton <IAuthorizeService, AuthorizeService>();
services.AddSingleton <IUserExtensions, UserExtensions>();
services.AddSingleton <ICookieService, CookieService>();
CtfOptions ctfOptions = null;
if (appSettings?.Ctf?.Enabled ?? false)
{
ctfOptions = services.ConfigureCtf(Configuration);
}
else
{
ctfOptions = services.ConfigureWithoutCtf(Configuration);
}
services.AddControllersWithViews(options =>
{
options.Filters.Add(new GlobalExceptionFilter());
});
services.AddDirectoryBrowser();
services.AddSwaggerGen(x =>
{
x.SwaggerDoc("v1", new Microsoft.OpenApi.Models.OpenApiInfo {
Title = "BankWeb API", Version = "v1"
});
string xmlPath = Path.Combine(AppContext.BaseDirectory, $"{System.Reflection.Assembly.GetExecutingAssembly().GetName().Name}.xml");
x.IncludeXmlComments(xmlPath);
});
}
public CtfUploadFileBL(IHttpContextAccessor httpContextAccessor, IOptions <CtfOptions> options) : base()
{
_httpContextAccessor = httpContextAccessor;
_ctfOptions = options.Value;
}
public HomeController(IOptions <CtfOptions> options)
{
_ctfOptions = options.Value;
}
public CtfAdminBL(ITransactionDAO transactionDao, IUserDAO userDAO, IOptions <CtfOptions> ctfOptions, IHttpContextAccessor httpContextAccessor)
: base(transactionDao, userDAO)
{
_ctfOptions = ctfOptions.Value;
_httpContextAccessor = httpContextAccessor;
}
public CtfTransactionBL(ITransactionDAO transactionDAO, IHttpContextAccessor httpContextAccessor, IOptions <CtfOptions> ctfOptions) : base(transactionDAO)
{
_httpContextAccessor = httpContextAccessor;
_ctfOptions = ctfOptions.Value;
}
public CtfAdminStoreBL(StoreAPICalls storeAPICalls, IOptions <CtfOptions> ctfOptions, IHttpContextAccessor httpContextAccessor) : base(storeAPICalls)
{
_ctfOptions = ctfOptions.Value;
_httpContextAccessor = httpContextAccessor;
}
