public IntegratedAuthenticationModule(ILog log, IAuthCookieCreator tokenIssuer, IApiActionResponseCreator responseCreator, IWebPortalConfigurationStore webPortalConfigurationStore)
{
Get[DirectoryServicesConstants.ChallengePath] = c =>
{
if (Context.CurrentUser == null)
{
return(responseCreator.Unauthorized(Request));
}
var principal = (IOctopusPrincipal)Context.CurrentUser;
var authCookies = tokenIssuer.CreateAuthCookies(Context.Request, principal.IdentificationToken, SessionExpiry.TwentyMinutes);
var whitelist = webPortalConfigurationStore.GetTrustedRedirectUrls();
Response response;
if (Request.Query["redirectTo"].HasValue && Requests.IsLocalUrl(Request.Query["redirectTo"].Value, whitelist))
{
var redirectLocation = Request.Query["redirectTo"].Value;
response = new RedirectResponse(redirectLocation).WithCookies(authCookies);
}
else
{
if (Request.Query["redirectTo"].HasValue)
{
log.WarnFormat("Prevented potential Open Redirection attack on an NTLM challenge, to the non-local url {0}", Request.Query["redirectTo"].Value);
}
response = new RedirectResponse(Request.Url.BasePath ?? "/").WithCookies(authCookies);
}
return(response);
};
}
public IntegratedAuthenticationModule(ILog log, IAuthCookieCreator tokenIssuer, IApiActionResponseCreator responseCreator, IWebPortalConfigurationStore webPortalConfigurationStore)
{
Get[DirectoryServicesConstants.ChallengePath] = c =>
{
if (Context.CurrentUser == null)
{
return(responseCreator.Unauthorized(Request));
}
var principal = (IOctopusPrincipal)Context.CurrentUser;
var tokenCookie = tokenIssuer.CreateAuthCookie(Context, principal.IdentificationToken, false);
var directoryPathResult = Request.AbsoluteVirtualDirectoryPath();
if (!directoryPathResult.IsValid)
{
return(responseCreator.BadRequest(directoryPathResult.InvalidReason));
}
var whitelist = webPortalConfigurationStore.GetTrustedRedirectUrls();
Response response;
if (Request.Query["redirectTo"].HasValue && Requests.IsLocalUrl(directoryPathResult.Path, Request.Query["redirectTo"].Value, whitelist))
{
var redirectLocation = Request.Query["redirectTo"].Value;
response = new RedirectResponse(redirectLocation).WithCookie(tokenCookie);
}
else
{
log.WarnFormat("Prevented potential Open Redirection attack on an NTLM challenge from the local instance {0} to the non-local url {1}", directoryPathResult.Path, Request.Query["redirectTo"].Value);
response = new RedirectResponse(directoryPathResult.Path ?? "/").WithCookie(tokenCookie);
}
return(response);
};
}
public UserLoginAction(
IDirectoryServicesConfigurationStore configurationStore,
IDirectoryServicesCredentialValidator credentialValidator,
IAuthCookieCreator issuer,
IInvalidLoginTracker loginTracker,
ISleep sleep,
IApiActionModelBinder modelBinder,
IApiActionResponseCreator responseCreator,
IUserMapper userMapper)
{
this.configurationStore = configurationStore;
this.credentialValidator = credentialValidator;
this.issuer = issuer;
this.loginTracker = loginTracker;
this.sleep = sleep;
this.modelBinder = modelBinder;
this.responseCreator = responseCreator;
this.userMapper = userMapper;
}
protected UserAuthenticatedAction(
ILog log,
TAuthTokenHandler authTokenHandler,
IPrincipalToUserHandler principalToUserHandler,
IUserStore userStore,
TStore configurationStore,
IAuthCookieCreator authCookieCreator,
IInvalidLoginTracker loginTracker,
ISleep sleep)
{
this.log = log;
this.authTokenHandler = authTokenHandler;
this.principalToUserHandler = principalToUserHandler;
this.userStore = userStore;
ConfigurationStore = configurationStore;
this.authCookieCreator = authCookieCreator;
this.loginTracker = loginTracker;
this.sleep = sleep;
}
public AzureADUserAuthenticatedAction(
ILog log,
IAzureADAuthTokenHandler authTokenHandler,
IAzureADPrincipalToUserResourceMapper principalToUserResourceMapper,
IUserStore userStore,
IAzureADConfigurationStore configurationStore,
IApiActionResponseCreator responseCreator,
IAuthCookieCreator authCookieCreator,
IInvalidLoginTracker loginTracker,
ISleep sleep) :
base(
log,
authTokenHandler,
principalToUserResourceMapper,
userStore,
configurationStore,
responseCreator,
authCookieCreator,
loginTracker,
sleep)
{
}
public IntegratedAuthenticationModule(ILog log, IAuthCookieCreator tokenIssuer, IAuthenticationConfigurationStore authenticationConfigurationStore, IUrlEncoder encoder)
{
Add("GET", DirectoryServicesConstants.ChallengePath, context =>
{
if (context.User == null)
{
context.Response.StatusCode = 401;
return(Task.FromResult(0));
}
var principal = (IOctopusPrincipal)context.User;
// Decode the state object sent from the client (if there was one) so we can use those hints to build the most appropriate response
// If the state can't be interpreted, we will fall back to a safe-by-default behaviour, however:
// 1. Deep-links will not work because we don't know where the anonymous request originally wanted to go
// 2. Cookies may not have the Secure flag set properly when SSL Offloading is in play
LoginState state = null;
if (context.Request.Query.TryGetValue("state", out var stateString))
{
try
{
state = JsonConvert.DeserializeObject <LoginState>(stateString);
}
catch (Exception e)
{
log.Warn(e, "Invalid login state object passed to the server when setting up the NTLM challenge. Falling back to the default behaviour.");
}
}
// Build the auth cookies to send back with the response
var authCookies = tokenIssuer.CreateAuthCookies(principal.IdentificationToken, SessionExpiry.TwentyDays, context.Request.IsHttps, state?.UsingSecureConnection);
// If the caller has provided a redirect after successful login, we need to check it is a local address - preventing Open Redirection attacks
if (!string.IsNullOrWhiteSpace(state?.RedirectAfterLoginTo))
{
var whitelist = authenticationConfigurationStore.GetTrustedRedirectUrls();
if (Requests.IsLocalUrl(state.RedirectAfterLoginTo, whitelist))
{
// This is a safe redirect, let's go!
context.Response.Redirect(state.RedirectAfterLoginTo);
foreach (var cookie in authCookies)
{
context.Response.WithCookie(cookie);
}
return(Task.FromResult(0));
}
// Just log that we detected a non-local redirect URL, and fall through to the root of the local web site
log.WarnFormat(
"Prevented potential Open Redirection attack on an NTLM challenge, to the non-local url {0}",
state.RedirectAfterLoginTo);
}
// By default, redirect to the root of the local web site
context.Response.Redirect(context.Request.PathBase ?? "/");
foreach (var cookie in authCookies)
{
context.Response.WithCookie(cookie);
}
return(Task.FromResult(0));
});
}
public GoogleAppsUserAuthenticatedAction(ILog log, IGoogleAuthTokenHandler authTokenHandler, IPrincipalToUserHandler principalToUserHandler, IUserStore userStore, IGoogleAppsConfigurationStore configurationStore, IAuthCookieCreator authCookieCreator, IInvalidLoginTracker loginTracker, ISleep sleep) : base(log, authTokenHandler, principalToUserHandler, userStore, configurationStore, authCookieCreator, loginTracker, sleep)
{
}
