Beispiel #1
0
        ////-------------------------------------------------------------------------------------------------------------------------------------------------------------
        ///// <summary>
        ///// If deleteExisting groups is true the entered group type will overwrite
        ///// any existing groups assigned to this user. (This is require where
        ///// a user can only belong to one group)
        ///// </summary>
        ///// <param name="updatedUser"></param>
        ///// <param name="groupType"></param>
        ///// <param name="deleteExistingGroups"></param>
        ///// <returns></returns>
        //public bool EditUserPassword(int userID, SecureString Password, MGGroupType groupType, bool p) {
        //    bool result = false;

        //    try {
        //        result = SecurityOperations.UpdateUserPassword(userID, Password, Authorisation.UseMGLRatherThanMySQLPasswordEncryption);

        //        if (result) {
        //            DateTime pWordChangeTimeStamp = DateTime.Now;

        //            SecurityOperations.UpdatePasswordChangeDate(userID, pWordChangeTimeStamp);
        //            // 13-Jul-2015 - lets email the user to confirm that their password has changed!
        //            MGUser u = null;
        //            Authorisation.GetUser(userID, out u);
        //            SecurityOperations.PasswordChangedEmailUser(u, pWordChangeTimeStamp);

        //        }
        //    } catch (Exception ex) {
        //        Logger.Log("Error in UserAdministration.AddUser." + ex.Message);
        //    } finally {
        //        SecurityOperations.Finish();
        //    }

        //    return result;
        //}


        //-------------------------------------------------------------------------------------------------------------------------------------------------------------
        /// <summary>
        /// If deleteExisting groups is true the entered group type will overwrite
        /// any existing groups assigned to this user. (This is require where
        /// a user can only belong to one group)
        /// </summary>
        /// <param name="updatedUser"></param>
        /// <param name="groupType"></param>
        /// <param name="deleteExistingGroups"></param>
        /// <returns></returns>
        public bool EditUserDetails(MGUser updatedUser, MGGroupType groupType, bool p)
        {
            bool result = false;

            try {
                result = SecurityOperations.UpdateUserDetails(updatedUser.ID, updatedUser.Username, updatedUser.Email, updatedUser.JobTitle,
                                                              updatedUser.Organisation, updatedUser.OrganisationID, updatedUser.Telephone);

                //need to add the user to the user_groups xref's
                result = result && SecurityOperations.DeleteUsersGroupXrefs(updatedUser.ID);
                result = result && SecurityOperations.UpdateUserToGroupXref(updatedUser.Username, groupType);

                //need to update the applications user to group to  xref's
                if (result)
                {
                    UserOperations userOps = new UserOperations(MGLApplicationSecurityInterface.Instance().DatabaseConfig);

                    Dictionary <int, List <int> > userGroupDict = userOps.UserGroupDictionary();
                    userOps.Finish();

                    MGLApplicationSecurityInterface.Instance().UserGroupXref = userGroupDict;
                }
            } catch (Exception ex) {
                Logger.LogError(8, "Error in UserAdministration.AddUser." + ex.Message);
            } finally {
                SecurityOperations.Finish();
            }

            return(result);
        }
Beispiel #2
0
        //-------------------------------------------------------------------------------------------------------------------------------------------------------------
        public List <MGUser> GetUsers(string filterByType, string filterByValue, string sortColumn, List <string> PreviousSortColumnNames, System.Web.UI.WebControls.SortDirection sortDirection)
        {
            List <MGUser> result = new List <MGUser>();

            UserOperations userOps        = null;
            bool           isLockAcquired = Monitor.TryEnter(USER_ADMIN_LOCK_OBJ, USER_ADMIN_LOCK_TIMEOUT);

            if (isLockAcquired)
            {
                try {
                    userOps = new UserOperations(MGLApplicationSecurityInterface.Instance().DatabaseConfig);

                    result = userOps.GetAllUsers(filterByType, filterByValue, sortColumn, PreviousSortColumnNames, sortDirection);
                } catch (Exception ex) {
                    Logger.LogError(8, "Error in UserAdministration.GetUsers." + ex.Message);
                } finally {
                    Monitor.Exit(USER_ADMIN_LOCK_OBJ);
                    if (userOps != null)
                    {
                        userOps.Finish();
                    }
                }
            }

            return(result);
        }
Beispiel #3
0
        //-------------------------------------------------------------------------------------------------------------------------------------------------------------
        public List <MGUser> GetUsers(List <string> fieldsToSearch, string valueToSearch, string sortColumnName, System.Web.UI.WebControls.SortDirection sortDirection)
        {
            List <MGUser> result = new List <MGUser>();

            UserOperations userOps = null;

            bool isLockAcquired = Monitor.TryEnter(USER_ADMIN_LOCK_OBJ, USER_ADMIN_LOCK_TIMEOUT);

            if (isLockAcquired)
            {
                try {
                    userOps = new UserOperations(MGLApplicationSecurityInterface.Instance().DatabaseConfig);

                    result = userOps.GetAllUsers(fieldsToSearch, valueToSearch, sortColumnName, sortDirection);
                } catch (Exception ex) {
                    Logger.LogError(8, "Error in UserAdministration.GetUsers (Without PreviousSortColumnNames)." + ex.Message);
                } finally {
                    Monitor.Exit(USER_ADMIN_LOCK_OBJ);
                    if (userOps != null)
                    {
                        userOps.Finish();
                    }
                }
            }
            else
            {
                Logger.LogError(8, "Failed to get exclusive lock in GetUsers to read the Users table!");
                return(result);
            }

            return(result);
        }
Beispiel #4
0
        //---------------------------------------------------------------------------------------------------------------------------------------------------------------
        public static List <MGGroup> AllGroups()
        {
            // Get all the Groups
            List <MGGroup> allGroups = null;

            GroupOperations groupOps = null;

            try
            {
                groupOps  = new GroupOperations(MGLApplicationSecurityInterface.Instance().DatabaseConfig);
                allGroups = groupOps.GetAllGroups();
            }
            catch (Exception ex)
            {
                Logger.LogError(5, "Problem getting all groups at " + ex);
                return(null);
            }
            finally
            {
                if (groupOps != null)
                {
                    groupOps.Finish();
                }
            }

            return(allGroups);
        }
Beispiel #5
0
        //---------------------------------------------------------------------------------------------------------------------------------------------------------------
        public static List <MGUser> AllUsers()
        {
            // Get all the Users
            List <MGUser>  allUsers = null;
            UserOperations userOps  = null;

            try
            {
                userOps  = new UserOperations(MGLApplicationSecurityInterface.Instance().DatabaseConfig);
                allUsers = userOps.GetAllUsers();
            }
            catch (Exception ex)
            {
                Logger.LogError(9, "Problem getting all users at " + ex);
                return(null);
            }
            finally
            {
                if (userOps != null)
                {
                    userOps.Finish();
                }
            }

            return(allUsers);
        }
Beispiel #6
0
        //-----------------------------------------------------------------------------------------------------------------------------------------------------------
        public List <SecureString> GetEmailsInGroup(string groupName)
        {
            // get a list of all the users emails
            List <SecureString> aUserEmails = new List <SecureString>();

            // get the group ID
            int gID = 0;

            foreach (MGGroup group in MGLApplicationSecurityInterface.Instance().Groups)
            {
                if (group.Name.Equals(groupName, StringComparison.CurrentCultureIgnoreCase))
                {
                    gID = group.ID;
                    break;
                }
            }

            // get the email address of all the users, if they belong to this group
            foreach (int uID in MGLApplicationSecurityInterface.Instance().Users.Keys)
            {
                List <int> groupIDs = null;
                MGLApplicationSecurityInterface.Instance().UserGroupXref.TryGetValue(uID, out groupIDs);

                if (groupIDs != null && groupIDs.Contains(gID))
                {
                    MGUser u;
                    MGLApplicationSecurityInterface.Instance().Users.TryGetValue(uID, out u);
                    aUserEmails.Add(u.Email);
                }
            }

            return(aUserEmails);
        }
Beispiel #7
0
        //-----------------------------------------------------------------------------------------------------------------------------------------------
        /// <summary>
        ///     Called the first time the login page is requested.  For security, on new logins, the current session should be
        ///     abandoned and a new session started.
        ///
        ///     Calls the login page back with the ResetSession and an encrypted CID token which contains the AnonID
        ///     cookie value (a GUID) and a date time stamp
        ///
        /// </summary>
        protected void Step1KillSession()
        {
            string redirectURL = MGLApplicationSecurityInterface.Instance().AppLoginConfig.DefaultPostLoginPage;

            try {
                //-----1----- Abandon the current session
                // 20-Apr-2016 - Before killing the session lets make absolutely sure that the current Session ID has been removed from the HTTPS checks
                // This should be entirely unnecessary and does appear to be so, but lets do it anyway as it is light, fast and important
                //Logger.Log("XXXXX - "+ActionPage+".aspx - removing the session requires https for " + Session.SessionID + " BEFORE Killing the session....");
                if (MGLApplicationInterface.Instance().UseHttpsSessionsIndependently == true)
                {
                    MGLApplicationInterface.Instance().RemoveSessionRequiringHTTPS(Session.SessionID);
                    MGLSessionInterface.Instance().UseHTTPS = false;
                }
                // And then lets abandon the session properly
                Session.Abandon();
                Response.Cookies.Add(new HttpCookie("ASP.NET_SessionId", ""));

                //-----2----- Build the encrypted string
                StringBuilder authKey = GenerateKey();

                //-----3----- Build the redirectURL, including the special action, next page URL and CID authorisation token
                // For the independent HTTPS in sessions we need to call this page again to configure the new session and then continue
                // otherwise we can just go with it ...
                string redirectPage = (MGLApplicationInterface.Instance().UseHttpsSessionsIndependently == false) ? ActionPage + "Do.aspx" : ActionPage + ".aspx";
                redirectURL = BuildRedirectURL(redirectPage, authKey);
            } catch (Exception ex) {
                Logger.LogError(8, "Problem setting the authorisation redirect url in the login page.  This is serious!  The specific error was: " + ex.ToString());
            }

            //-----4----- Redirect to the loginDo page and commence the login event in anger.
            // Or if this a use-https-in-sessions-independently website, lets come back to the login page to reconfigure.
            Response.Redirect(redirectURL);
        }
Beispiel #8
0
        //-------------------------------------------------------------------------------------------------------------------------------------------------------------
        public MGUser GetUserByEmail(SecureString email)
        {
            MGUser result = new MGUser();

            UserOperations userOps = new UserOperations(MGLApplicationSecurityInterface.Instance().DatabaseConfig);

            try {
                result = userOps.GetUserByEmail(email);
            } catch (Exception ex) {
                Logger.LogError(8, "Error in UserAdministration.GetUserByEmail b at " + ex);
            } finally {
                userOps.Finish();
            }

            return(result);
        }
Beispiel #9
0
        //-------------------------------------------------------------------------------------------------------------------------------------------------------------
        public MGUser GetUser(int selectedUserID)
        {
            MGUser result = new MGUser();

            UserOperations userOps = new UserOperations(MGLApplicationSecurityInterface.Instance().DatabaseConfig);

            try {
                result = userOps.GetUser(selectedUserID);
            } catch (Exception ex) {
                Logger.LogError(8, "Error in UserAdministration.GetUser by id." + ex.Message);
            } finally {
                userOps.Finish();
            }

            return(result);
        }
Beispiel #10
0
        //--------------------------------------------------------------------------------------------------------------------------------------------------------------
        public bool DeleteUser(int userID)
        {
            bool           result  = false;
            UserOperations userOps = new UserOperations(MGLApplicationSecurityInterface.Instance().DatabaseConfig);

            try {
                result = userOps.DeleteUser(userID);
                result = result && userOps.DeleteUsersGroupXrefs(userID);
            } catch (Exception ex) {
                Logger.LogError(8, "Error in UserAdministration.DeleteUser." + ex.Message);
            } finally {
                userOps.Finish();
            }

            return(result);
        }
Beispiel #11
0
        //--------------------------------------------------------------------------------------------------------------------------------------------------------------
        //Create as a static method so this can be called using
        // just the class name (no object instance is required).
        // It simplifies other code because it will always return
        // the single instance of this class, either newly created
        // or from the application
        public static MGLApplicationSecurityInterface Instance()
        {
            MGLApplicationSecurityInterface appSingleton;

            //This allows us to switch which application object
            // we are using for secure/non-secure sessions
            string APPLICATION_CACHE = APP_SINGLETON;

            if (null == System.Web.HttpContext.Current.Application[APPLICATION_CACHE])
            {
                //No current Application object exists, use private constructor to
                // create an instance, place it into the Application
                appSingleton = new MGLApplicationSecurityInterface();
                System.Web.HttpContext.Current.Application[APPLICATION_CACHE] = appSingleton;
            }
            else
            {
                //Retrieve the already instance that was already created
                appSingleton = (MGLApplicationSecurityInterface)System.Web.HttpContext.Current.Application[APPLICATION_CACHE];
            }

            return(appSingleton);
        }
Beispiel #12
0
        //-----------------------------------------------------------------------------------------------------------------------------------------------
        /// <summary>
        ///     Called the second time the login page is requested.  For security, on new logins, the current session should be
        ///     abandoned and a new session started.
        ///
        ///     If HTTPS is globally all false or globally all true, this intermediate step is not required as the page requesting the login page will
        ///     have the same protocol (both HTTP or both HTTPS).  However, if the MGLApplicationInterface.UseHttpsSessionsIndependently variable is set, then we need
        ///     an intermediate step - this step - to force the session to use HTTPs and then call LoginDo...
        ///
        ///     Calls the LoginDo page with the ResetSession and an encrypted CID token which contains the AnonID
        ///     cookie value ( a GUID) and a date time stamp.
        ///
        /// </summary>
        protected void Step2SetSecureSession(StringBuilder encryptedKey)
        {
            string redirectURL = MGLApplicationSecurityInterface.Instance().AppLoginConfig.DefaultPostLoginPage;

            try {
                bool keyIsValid = KeyIsValid(encryptedKey);
                //Logger.Log("XXXXX - "+ActionPage+".aspx - Setting the secure session.  And checking that the key is valid: " + keyIsValid);

                //-----a----- Get the AuthKey and check it is legit - if not we do nothing and the user is bounced out to the default page
                if (keyIsValid == true)
                {
                    //-----b----- Setup the new session to be secure - which by now should have been created as this page loads for the second time!
                    // Force this session to use HTTPs as this page has been requested
                    if (MGLSessionInterface.Instance().UseHTTPS == false)
                    {
                        MGLSessionInterface.Instance().SetSessionRequiresHTTPs(Request.Cookies["AnonID"], Session.SessionID, HttpContext.Current.Request.IsLocal);
                    }

                    //-----c----- Build the URL for the LoginDo page - and if HTTPS is enabled, we explicitly set the LoginDo page to use HTTPS
                    // ASSUMPTION is that the action page HAS TO BE IN THE Code/Security folder!!
                    string redirectPage = ActionPage + "Do.aspx";
                    if (MGLSessionInterface.Instance().UseHTTPS == true && HttpContext.Current.Request.IsLocal == false)
                    {
                        redirectPage = "https://" + MGLSessionInterface.Instance().Config.WebProjectPath() + "Code/Security/" + redirectPage;
                    }

                    redirectURL = BuildRedirectURL(redirectPage, encryptedKey);
                }
            } catch (Exception ex) {
                Logger.LogError(8, "Problem setting the secure session in the login page.  This is serious!  The specific error was: " + ex.ToString());
            }
            //Logger.Log("XXXXX - " + ActionPage + ".aspx - https is " + MGLSessionInterface.Instance().UseHTTPS + " and Redirecting to : " + redirectURL);

            //-----d----- Redirect to the LoginDo page and commence the login event in anger ...
            Response.Redirect(redirectURL);
        }
Beispiel #13
0
 //--------------------------------------------------------------------------------------------------------------------------------------------------------------
 public UserAdministration(int timezoneOffset)
 {
     SecurityOperations = new BaseSecurityOperations(MGLApplicationSecurityInterface.Instance().DatabaseConfig);
 }
Beispiel #14
0
        //---------------------------------------------------------------------------------------------------------------------------------------------------------------
        //        public bool Login( User user, string password) {
        public bool Login(SecureString userName, SecureString password)
        {
            bool   loggedIn   = false;
            string loginError = "Username or password not recognised.";

            UserOperations userOps = null;

            try {
                if (userName != null)
                {
                    userOps = new UserOperations(lcf);

                    MGUser user = userOps.GetUser(userName);

                    // check the number of logins has not been exceeded
                    if (user != null)
                    {
                        if (user.IsLockedOut == true)
                        {
                            loginError = "Too many incorrect attempts.  Please contact the web team."; // to unlock your account.";
                        }
                        else
                        {
                            // 30-Nov-2015 - Strip the password out of the user information as this is applied to the session
                            user.Password = null;

                            // Check the password
                            if (MGLApplicationSecurityInterface.Instance().AppLoginConfig.EnableAutomatedLogin == false && password != null)
                            {
                                // check the user name and the encrypted password in the database

                                bool userLoginDetailsCorrect = userOps.UserLoginDetailsCorrect(user.Username, password);
                                // if incorrect, increment the incorrect logins
                                // if correct, increment the total logins

                                userOps.LogLogin(user.ID, userLoginDetailsCorrect);
                                // reextract the user as the LastIP and login date will have changed - better to keep this consistent, if its used for validation in the future ...
                                user = userOps.GetUser(user.ID);

                                if (userLoginDetailsCorrect)
                                {
                                    loggedIn = true;
                                    // Set the current user object in the session
                                    loginError = null;
                                    MGLSessionSecurityInterface.Instance().CurrentUser = user;
                                }
                            }
                            else
                            {
                                loggedIn = true;
                                // Set the current user object in the session
                                loginError = null;
                                MGLSessionSecurityInterface.Instance().CurrentUser = user;
                            }
                        }

                        if (loggedIn)
                        {
                            SecureContentWrapper.LiveDbContextInstance = new SecureContentWrapper(AppSecurityContext.MainDbLcf);
                            // SecureContentWrapper.StagingDbContextInstance = new SecureContentWrapper(AppSecurityContext.StagingDbLcf);
                        }
                    }
                }
            } catch (Exception ex) {
                Logger.LogError(7, "Problem logging in at " + ex);
            } finally {
                if (userOps != null)
                {
                    userOps.Finish();
                }
            }

            MGLSessionSecurityInterface.Instance().SecurityError = loginError;
            return(loggedIn);
        }