public IntegratedAuthenticationModule(ILog log, IAuthCookieCreator tokenIssuer, IApiActionResponseCreator responseCreator, IWebPortalConfigurationStore webPortalConfigurationStore) { Get[DirectoryServicesConstants.ChallengePath] = c => { if (Context.CurrentUser == null) { return(responseCreator.Unauthorized(Request)); } var principal = (IOctopusPrincipal)Context.CurrentUser; var authCookies = tokenIssuer.CreateAuthCookies(Context.Request, principal.IdentificationToken, SessionExpiry.TwentyMinutes); var whitelist = webPortalConfigurationStore.GetTrustedRedirectUrls(); Response response; if (Request.Query["redirectTo"].HasValue && Requests.IsLocalUrl(Request.Query["redirectTo"].Value, whitelist)) { var redirectLocation = Request.Query["redirectTo"].Value; response = new RedirectResponse(redirectLocation).WithCookies(authCookies); } else { if (Request.Query["redirectTo"].HasValue) { log.WarnFormat("Prevented potential Open Redirection attack on an NTLM challenge, to the non-local url {0}", Request.Query["redirectTo"].Value); } response = new RedirectResponse(Request.Url.BasePath ?? "/").WithCookies(authCookies); } return(response); }; }
public IntegratedAuthenticationModule(ILog log, IAuthCookieCreator tokenIssuer, IApiActionResponseCreator responseCreator, IWebPortalConfigurationStore webPortalConfigurationStore) { Get[DirectoryServicesConstants.ChallengePath] = c => { if (Context.CurrentUser == null) { return(responseCreator.Unauthorized(Request)); } var principal = (IOctopusPrincipal)Context.CurrentUser; var tokenCookie = tokenIssuer.CreateAuthCookie(Context, principal.IdentificationToken, false); var directoryPathResult = Request.AbsoluteVirtualDirectoryPath(); if (!directoryPathResult.IsValid) { return(responseCreator.BadRequest(directoryPathResult.InvalidReason)); } var whitelist = webPortalConfigurationStore.GetTrustedRedirectUrls(); Response response; if (Request.Query["redirectTo"].HasValue && Requests.IsLocalUrl(directoryPathResult.Path, Request.Query["redirectTo"].Value, whitelist)) { var redirectLocation = Request.Query["redirectTo"].Value; response = new RedirectResponse(redirectLocation).WithCookie(tokenCookie); } else { log.WarnFormat("Prevented potential Open Redirection attack on an NTLM challenge from the local instance {0} to the non-local url {1}", directoryPathResult.Path, Request.Query["redirectTo"].Value); response = new RedirectResponse(directoryPathResult.Path ?? "/").WithCookie(tokenCookie); } return(response); }; }
public UserLoginAction( IDirectoryServicesConfigurationStore configurationStore, IDirectoryServicesCredentialValidator credentialValidator, IAuthCookieCreator issuer, IInvalidLoginTracker loginTracker, ISleep sleep, IApiActionModelBinder modelBinder, IApiActionResponseCreator responseCreator, IUserMapper userMapper) { this.configurationStore = configurationStore; this.credentialValidator = credentialValidator; this.issuer = issuer; this.loginTracker = loginTracker; this.sleep = sleep; this.modelBinder = modelBinder; this.responseCreator = responseCreator; this.userMapper = userMapper; }
protected UserAuthenticatedAction( ILog log, TAuthTokenHandler authTokenHandler, IPrincipalToUserHandler principalToUserHandler, IUserStore userStore, TStore configurationStore, IAuthCookieCreator authCookieCreator, IInvalidLoginTracker loginTracker, ISleep sleep) { this.log = log; this.authTokenHandler = authTokenHandler; this.principalToUserHandler = principalToUserHandler; this.userStore = userStore; ConfigurationStore = configurationStore; this.authCookieCreator = authCookieCreator; this.loginTracker = loginTracker; this.sleep = sleep; }
public AzureADUserAuthenticatedAction( ILog log, IAzureADAuthTokenHandler authTokenHandler, IAzureADPrincipalToUserResourceMapper principalToUserResourceMapper, IUserStore userStore, IAzureADConfigurationStore configurationStore, IApiActionResponseCreator responseCreator, IAuthCookieCreator authCookieCreator, IInvalidLoginTracker loginTracker, ISleep sleep) : base( log, authTokenHandler, principalToUserResourceMapper, userStore, configurationStore, responseCreator, authCookieCreator, loginTracker, sleep) { }
public IntegratedAuthenticationModule(ILog log, IAuthCookieCreator tokenIssuer, IAuthenticationConfigurationStore authenticationConfigurationStore, IUrlEncoder encoder) { Add("GET", DirectoryServicesConstants.ChallengePath, context => { if (context.User == null) { context.Response.StatusCode = 401; return(Task.FromResult(0)); } var principal = (IOctopusPrincipal)context.User; // Decode the state object sent from the client (if there was one) so we can use those hints to build the most appropriate response // If the state can't be interpreted, we will fall back to a safe-by-default behaviour, however: // 1. Deep-links will not work because we don't know where the anonymous request originally wanted to go // 2. Cookies may not have the Secure flag set properly when SSL Offloading is in play LoginState state = null; if (context.Request.Query.TryGetValue("state", out var stateString)) { try { state = JsonConvert.DeserializeObject <LoginState>(stateString); } catch (Exception e) { log.Warn(e, "Invalid login state object passed to the server when setting up the NTLM challenge. Falling back to the default behaviour."); } } // Build the auth cookies to send back with the response var authCookies = tokenIssuer.CreateAuthCookies(principal.IdentificationToken, SessionExpiry.TwentyDays, context.Request.IsHttps, state?.UsingSecureConnection); // If the caller has provided a redirect after successful login, we need to check it is a local address - preventing Open Redirection attacks if (!string.IsNullOrWhiteSpace(state?.RedirectAfterLoginTo)) { var whitelist = authenticationConfigurationStore.GetTrustedRedirectUrls(); if (Requests.IsLocalUrl(state.RedirectAfterLoginTo, whitelist)) { // This is a safe redirect, let's go! context.Response.Redirect(state.RedirectAfterLoginTo); foreach (var cookie in authCookies) { context.Response.WithCookie(cookie); } return(Task.FromResult(0)); } // Just log that we detected a non-local redirect URL, and fall through to the root of the local web site log.WarnFormat( "Prevented potential Open Redirection attack on an NTLM challenge, to the non-local url {0}", state.RedirectAfterLoginTo); } // By default, redirect to the root of the local web site context.Response.Redirect(context.Request.PathBase ?? "/"); foreach (var cookie in authCookies) { context.Response.WithCookie(cookie); } return(Task.FromResult(0)); }); }
public GoogleAppsUserAuthenticatedAction(ILog log, IGoogleAuthTokenHandler authTokenHandler, IPrincipalToUserHandler principalToUserHandler, IUserStore userStore, IGoogleAppsConfigurationStore configurationStore, IAuthCookieCreator authCookieCreator, IInvalidLoginTracker loginTracker, ISleep sleep) : base(log, authTokenHandler, principalToUserHandler, userStore, configurationStore, authCookieCreator, loginTracker, sleep) { }