private static ClaimsIdentity CreateIdentity(int accountId, string userName, ApplicationListItem[] apps)
{
var claims = new List <Claim>
{
new Claim(ClaimTypes.NameIdentifier, accountId.ToString(), ClaimValueTypes.Integer32),
new Claim(ClaimTypes.Name, userName, ClaimValueTypes.String)
};
foreach (var app in apps)
{
claims.Add(new Claim(OneTrueClaims.Application, app.Id.ToString(), ClaimValueTypes.Integer32));
claims.Add(new Claim(OneTrueClaims.ApplicationName, app.Name, ClaimValueTypes.String));
if (app.IsAdmin)
{
claims.Add(new Claim(OneTrueClaims.ApplicationAdmin, app.Id.ToString(), ClaimValueTypes.Integer32));
}
}
var roles = accountId == 1 ? new[] { OneTrueClaims.RoleSysAdmin } : new string[0];
var context = new PrincipalFactoryContext(accountId, userName, roles)
{
AuthenticationType = DefaultAuthenticationTypes.ApplicationCookie,
Claims = claims.ToArray()
};
return((ClaimsIdentity)PrincipalFactory.CreateAsync(context).Result.Identity);
}
private void ConfigureAuth(IAppBuilder app)
{
var type = ConfigurationManager.AppSettings["PrincipalFactoryType"];
if (type != null)
{
PrincipalFactory.Configure(type);
}
var provider = new CookieAuthenticationProvider
{
OnApplyRedirect = ctx =>
{
if (!IsApiRequest(ctx.Request) && !ctx.Request.Headers.ContainsKey("X-Requested-With"))
{
ctx.Response.Redirect(ctx.RedirectUri);
}
}
};
var loginUrl = "/Account/Login"; //VirtualPathUtility.ToAbsolute("~/Account/Login");
BaseViewPage.LoginUrl = loginUrl;
AntiForgeryConfig.UniqueClaimTypeIdentifier = ClaimTypes.NameIdentifier;
app.UseCookieAuthentication(new CookieAuthenticationOptions
{
AuthenticationType = DefaultAuthenticationTypes.ApplicationCookie,
ExpireTimeSpan = TimeSpan.FromDays(14),
LoginPath = new PathString(loginUrl),
Provider = provider,
SessionStore = new SessionStoreMediator()
});
app.UseExternalSignInCookie(DefaultAuthenticationTypes.ExternalCookie);
}
public AttachCustomPrincipal(GetTheCurrentTicket ticket_factory, PrincipalFactory principal_factory,
GetTheCurrentUserIDFromTicket id_mapper, PrincipalSwitch principal_switch)
{
this.ticket_factory = ticket_factory;
this.principal_factory = principal_factory;
this.id_mapper = id_mapper;
this.principal_switch = principal_switch;
}
#pragma warning disable 1998
public async Task AuthenticateAsync(HttpAuthenticationContext context, CancellationToken cancellationToken)
#pragma warning restore 1998
{
var p = context.Principal as ClaimsPrincipal;
if (p != null && p.Identity.IsAuthenticated)
{
return;
}
IEnumerable <string> apiKeys;
IEnumerable <string> tokens;
if (!context.Request.Headers.TryGetValues("X-Api-Key", out apiKeys) ||
!context.Request.Headers.TryGetValues("X-Api-Signature", out tokens))
{
return;
}
using (var scope = GlobalConfiguration.Configuration.DependencyResolver.BeginScope())
{
var repos = (IApiKeyRepository)scope.GetService(typeof(IApiKeyRepository));
ApiKey key;
try
{
key = await repos.GetByKeyAsync(apiKeys.First());
}
catch (EntityNotFoundException)
{
context.ErrorResult = new AuthenticationFailureResult("Invalid/unknown API key", context.Request);
return;
}
var content = await context.Request.Content.ReadAsByteArrayAsync();
if (!key.ValidateSignature(tokens.First(), content))
{
context.ErrorResult =
new AuthenticationFailureResult(
"Body could not be signed by the shared secret. Verify your client configuration.",
context.Request);
return;
}
var claims = key.Claims;
var factoryContext = new PrincipalFactoryContext(0, key.GeneratedKey, new[] { CoderrClaims.RoleSystem })
{
AuthenticationType = "ApiKey",
Claims = claims
};
var principal = await PrincipalFactory.CreateAsync(factoryContext);
context.Principal = principal;
Thread.CurrentPrincipal = principal;
}
}
public async Task GetProfileDataAsync(ProfileDataRequestContext context)
{
var user = await UserService.GetUserAsync(context.Subject);
var principal = await PrincipalFactory.CreateAsync(user);
foreach (var claim in principal.Claims)
{
context.IssuedClaims.Add(claim);
}
}
private bool AuthenticateUser(ITcpChannel channel, HttpRequest request)
{
if (channel.Data["Principal"] != null)
{
Thread.CurrentPrincipal = (IPrincipal)channel.Data["Principal"];
return(true);
}
try
{
var user = Authenticator.Authenticate(request);
if (user == null)
{
return(true);
}
if (PrincipalFactory != null)
{
var ctx = new PrincipalFactoryContext(request, user);
Thread.CurrentPrincipal = PrincipalFactory.Create(ctx);
channel.Data["Principal"] = Thread.CurrentPrincipal;
return(true);
}
var roles = user as IUserWithRoles;
if (roles == null)
{
throw new InvalidOperationException(
"You must specify a PrincipalFactory if you do not return a IUserWithRoles from your IAccountService.");
}
Thread.CurrentPrincipal = new GenericPrincipal(new GenericIdentity(user.Username), roles.RoleNames);
channel.Data["Principal"] = Thread.CurrentPrincipal;
}
catch (HttpException ex)
{
if (Logger != null)
{
Logger("Authentication failed.\r\nException:\r\n" + ex.ToString());
}
var response = request.CreateResponse();
response.StatusCode = ex.HttpCode;
response.ReasonPhrase = FirstLine(ex.Message);
channel.Send(response);
return(false);
}
return(true);
}
public void Constructs_principal_with_roles()
{
MockRepository mocks = new MockRepository();
IIdentity identity = mocks.CreateMock <IIdentity>();
mocks.ReplayAll();
using (mocks.Playback())
{
IPrincipalFactory factory = new PrincipalFactory();
IPrincipal principal = factory.CreatePrincipal(identity, "Administrator", "Other Role");
Assert.That(principal.IsInRole("Administrator"));
Assert.That(principal.IsInRole("Other Role"));
Assert.That(!principal.IsInRole("MyRole"));
}
mocks.VerifyAll();
}
protected override async Task <AuthenticationTicket> HandleAuthenticateAsync()
{
var header = Request.Headers["Authorization"];
if (string.IsNullOrEmpty(header) || !header.StartsWith("Bearer "))
{
return(null);
}
var user = header.Substring(7);
var principal = PrincipalFactory.Get(user);
if (principal == null)
{
return(null);
}
return(new AuthenticationTicket(new ClaimsPrincipal(principal), new AuthenticationProperties(), "Bearer"));
}
/// <summary>
/// Execute the request and generate a reply.
/// </summary>
/// <param name="request">Request to execute</param>
/// <returns>
/// Task which will contain the reply once completed.
/// </returns>
public async Task <ActivateAccountReply> ExecuteAsync(ActivateAccount request)
{
var account = await _repository.FindByActivationKeyAsync(request.ActivationKey);
if (account == null)
{
throw new ArgumentOutOfRangeException("ActivationKey", request.ActivationKey,
"Key was not found.");
}
account.Activate();
await _repository.UpdateAsync(account);
var query = new GetApplicationList {
AccountId = account.Id
};
var apps = await _queryBus.QueryAsync(query);
var claims =
apps.Select(x => new Claim(OneTrueClaims.Application, x.Id.ToString(), ClaimValueTypes.Integer32))
.ToArray();
if (ClaimsPrincipal.Current.IsAccount(account.Id))
{
var context = new PrincipalFactoryContext(account.Id, account.UserName, new string[0])
{
Claims = claims
};
var identity = await PrincipalFactory.CreateAsync(context);
identity.AddUpdateCredentialClaim();
Thread.CurrentPrincipal = identity;
}
var evt = new AccountActivated(account.Id, account.UserName)
{
EmailAddress = account.Email
};
await _eventBus.PublishAsync(evt);
return(new ActivateAccountReply(account.Id, account.UserName));
}
// Based on https://stackoverflow.com/a/44322425/1249506
public async Task <IdentityServerToken> GetIdentityServerTokenForUserAsync(User user)
{
var request = new TokenCreationRequest();
var identityPricipal = await PrincipalFactory.CreateAsync(user);
var identityUser =
new IdentityServerUser(user.Id.ToString())
{
AdditionalClaims = identityPricipal.Claims.ToArray(),
DisplayName = user.UserName,
AuthenticationTime = DateTime.UtcNow,
IdentityProvider = IdentityServerConstants.LocalIdentityProvider
};
request.Subject = identityUser.CreatePrincipal();
request.IncludeAllIdentityClaims = true;
request.ValidatedRequest = new ValidatedRequest
{
Subject = request.Subject,
};
var client = await ClientStore.FindClientByIdAsync(ClientId);
request.ValidatedRequest.SetClient(client);
request.Resources =
new Resources(await ResourceStore.FindEnabledIdentityResourcesByScopeAsync(client.AllowedScopes),
await ResourceStore.FindApiResourcesByScopeAsync(client.AllowedScopes))
{
OfflineAccess = client.AllowOfflineAccess
};
request.ValidatedRequest.Options = Options;
request.ValidatedRequest.ClientClaims = identityUser.AdditionalClaims;
var token = await TokenService.CreateAccessTokenAsync(request);
var accessToken = await TokenService.CreateSecurityTokenAsync(token);
var refreshToken = await RefreshTokenService.CreateRefreshTokenAsync(request.Subject, token, client);
return(new IdentityServerToken(token, accessToken, refreshToken));
}
protected override Task <AuthenticateResult> HandleAuthenticateAsync()
{
var header = Request.Headers["Authorization"].ToString();
if (string.IsNullOrEmpty(header) || !header.StartsWith("Bearer "))
{
return(Task.FromResult(AuthenticateResult.Skip()));
}
var user = header.Substring(7);
var principal = PrincipalFactory.Get(user);
if (principal == null)
{
return(Task.FromResult(AuthenticateResult.Fail("No such user")));
}
var ticket = new AuthenticationTicket(principal, new AuthenticationProperties(), Options.AuthenticationScheme);
return(Task.FromResult(AuthenticateResult.Success(ticket)));
}
public async Task <AcceptInvitationReply> ExecuteAsync(AcceptInvitation request)
{
var invitation = await _repository.GetByInvitationKeyAsync(request.InvitationKey);
if (invitation == null)
{
_logger.Error("Failed to find invitation key" + request.InvitationKey);
return(null);
}
await _repository.DeleteAsync(request.InvitationKey);
Account account;
if (request.AccountId == 0)
{
account = new Account(request.UserName, request.Password);
account.SetVerifiedEmail(request.AcceptedEmail);
account.Activate();
account.Login(request.Password);
await _accountRepository.CreateAsync(account);
}
else
{
account = await _accountRepository.GetByIdAsync(request.AccountId);
account.SetVerifiedEmail(request.AcceptedEmail);
}
var inviter = await _accountRepository.FindByUserNameAsync(invitation.InvitedBy);
if (ClaimsPrincipal.Current.IsAccount(account.Id))
{
var claims = invitation.Invitations
.Select(
x => new Claim(OneTrueClaims.Application, x.ApplicationId.ToString(), ClaimValueTypes.Integer32))
.ToList();
var context = new PrincipalFactoryContext(account.Id, account.UserName, new string[0])
{
Claims = claims.ToArray(),
AuthenticationType = "Invite"
};
var principal = await PrincipalFactory.CreateAsync(context);
principal.AddUpdateCredentialClaim();
Thread.CurrentPrincipal = principal;
}
// Account have not been created before the invitation was accepted.
if (request.AccountId == 0)
{
await _eventBus.PublishAsync(new AccountRegistered(account.Id, account.UserName));
await _eventBus.PublishAsync(new AccountActivated(account.Id, account.UserName)
{
EmailAddress = account.Email
});
}
var e = new InvitationAccepted(account.Id, invitation.InvitedBy, account.UserName)
{
InvitedEmailAddress = invitation.EmailToInvitedUser,
AcceptedEmailAddress = request.AcceptedEmail,
ApplicationIds = invitation.Invitations.Select(x => x.ApplicationId).ToArray()
};
await _eventBus.PublishAsync(e);
return(new AcceptInvitationReply(account.Id, account.UserName));
}
public IEnumerable <ClaimsIdentity> Get(string name)
{
return(PrincipalFactory.Get(name).Identities);
}
public override async void Create()
{
this.mainWindow.RemoveAll();
this.mainWindow.Title = Strings.WindowTitle;
var result = await this.messageBoxService.Show(@$ "No encrypted profile found! Do you want to create a new XDS ID?
We were searching in:
{this.cancellation.DataDirRoot}
",
Strings.WindowTitle, RequestButton.YesNo, RequestImage.None);
if (result == RequestResult.No)
{
Application.Top.Running = false;
return;
}
this.stopwatch.Reset();
// Demo #1 - Use System.Timer (and threading)
var idGenerationControl = new IdGenerationControl("Generate XDS ID")
{
Width = Dim.Percent(100),
};
idGenerationControl.OnCaptureEntropyButtonClick = async() =>
{
if (!this.stopwatch.IsRunning)
{
RandomCapture.Reset();
this.stopwatch.Restart();
idGenerationControl.ActivityProgressBar.Fraction = 0f;
idGenerationControl.LabelProgress.Text = "0 %";
}
for (var i = 0; i < 50; i++)
{
if (RandomCapture.BytesGenerated == RandomCapture.BytesNeeded)
{
break;
}
var data = RandomCapture.CaputureFromPointer(Math.Abs(DateTime.Now.Ticks.GetHashCode() + Guid.NewGuid().GetHashCode()), this.stopwatch.ElapsedMilliseconds);
idGenerationControl.ActivityProgressBar.Fraction = (float)data.Percent / 100f;
idGenerationControl.LabelProgress.Text = data.Progress;
}
if (RandomCapture.BytesGenerated == RandomCapture.BytesNeeded)
{
idGenerationControl.LabelDone.Text = "Complete. Creating your XDS ID...";
var entropy96 = this.xdsSecService.CombinePseudoRandomWithRandom(RandomCapture.GeneratedBytes, 3 * 32).Result;
var principalFactory = new PrincipalFactory(this.xdsSecService);
principalFactory.CreateMnemonics(entropy96);
var principal = principalFactory.GetXDSPrincipal();
this.onboardingViewModel.OnboardingGenerateIdentity(principal, principalFactory.MasterSentence);
await Task.Delay(600);
idGenerationControl.LabelDone.Text = "Complete. Creating your XDS ID...done.";
idGenerationControl.TextFieldYourId.Text = $"{this.onboardingViewModel.ChatId}";
idGenerationControl.TextFieldYourId.Width = Dim.Fill(); // has zero width, make it visible now
idGenerationControl.TextFieldYourAddress.Text = $"{this.onboardingViewModel.DefaultAddress}";
idGenerationControl.TextFieldYourAddress.Width = Dim.Fill();
idGenerationControl.TextFieldYourId.ReadOnly = true;
idGenerationControl.TextFieldYourAddress.ReadOnly = true;
idGenerationControl.LabelRecovery.Text = "Recovery Sentence:";
var textFieldRecoveryCode = new TextField
{
X = idGenerationControl.LabelRecovery.X,
Y = idGenerationControl.LabelRecovery.Y + 1,
Width = Dim.Fill(),
Height = 5,
};
textFieldRecoveryCode.ReadOnly = true;
textFieldRecoveryCode.LayoutStyle = LayoutStyle.Computed;
textFieldRecoveryCode.Text = principalFactory.MasterSentence;
idGenerationControl.Add(textFieldRecoveryCode);
textFieldRecoveryCode.KeyPress += args =>
{
if (!textFieldRecoveryCode.HasFocus)
{
return;
}
if (args.KeyEvent.Key == Key.ControlA)
{
textFieldRecoveryCode.SelectedStart = 0;
textFieldRecoveryCode.SelectedLength = textFieldRecoveryCode.Text.Length;
textFieldRecoveryCode.SelectedText = principalFactory.MasterSentence;
textFieldRecoveryCode.SetNeedsDisplay(textFieldRecoveryCode.Bounds);
args.Handled = true;
}
};
var labelYourName =
new Label("Your Name (not visible to others):")
{
X = textFieldRecoveryCode.X,
Y = textFieldRecoveryCode.Y + 2,
};
idGenerationControl.Add(labelYourName);
var textFieldName = new TextField("Anonymous")
{
X = labelYourName.X,
Y = labelYourName.Y + 1,
Width = Dim.Fill()
};
idGenerationControl.Add(textFieldName);
var buttonContinue = new Button("Continue")
{
X = textFieldName.X,
Y = textFieldName.Y + 3,
Clicked = () =>
{
this.onboardingViewModel.Name = string.IsNullOrWhiteSpace(textFieldName.Text.ToString())
? "Anonymous"
: textFieldName.Text.ToString();
this.onboardingViewModel.PictureBytes =
Guid.NewGuid().ToByteArray(); // pass the checks for null and all-bytes-zero
NavigationService.ShowSetPassphraseView();
}
};
idGenerationControl.Add(buttonContinue);
buttonContinue.SetFocus();
var buttonBackup = new Button("Backup")
{
X = Pos.Right(buttonContinue) + Style.SpaceBetweenButtons,
Y = textFieldName.Y + 3,
Clicked = () =>
{
var exportFilePath = Path.Combine(this.cancellation.GetTempDir(true), this.onboardingViewModel.ChatId + ".txt");
var choice = MessageBox.ErrorQuery("Cleartext Export",
$"Export your XDS ID, XDS Address and Recovery Sentence? Path: {exportFilePath}", "YES", "NO");
if (choice == 0)
{
var sb = new StringBuilder();
sb.AppendLine("WARNING - THIS FILE CONTAINS SENSITIVE PRIVATE INFORMATION DESCRIBING YOUR XDS ID AND WALLET PRIVATE KEYS.");
sb.AppendLine("Using this information, an attacker can decrypt your messages, impersonate and steal your identity and access the XDS coins in your wallet.");
sb.AppendLine("It's strongly recommended you create your XDS identity on an air-gapped system and keep this information always offline in a safe place. When you do not need your XDS identity any more, you should destroy this information, so that nobody else can pretend to be you.");
sb.AppendLine("====================================");
sb.AppendLine($"XDS ID={this.onboardingViewModel.ChatId}");
sb.AppendLine($"XDS Address={this.onboardingViewModel.DefaultAddress}");
sb.AppendLine($"Recovery Sentence={this.onboardingViewModel.MasterSentence}");
File.WriteAllText(exportFilePath, sb.ToString());
}
if (choice == 0)
{
MessageBox.ErrorQuery("Success",
$"Recovery sentence saved to: {exportFilePath}\nPlease move this file to a safe place (e.g. USB stick).\nWE WILL DELETE THE TEMP DIRECTORY WHEN YOU QUIT THE APP!", "OK");
}
}
};
idGenerationControl.Add(buttonBackup);
}
};
this.mainWindow.Add(idGenerationControl);
idGenerationControl.EntropyButton.SetFocus();
}
public SessionController(IServiceBus bus, PrincipalFactory principalFactory)
{
this.bus = bus;
this.principalFactory = principalFactory;
}
