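/// <summary>
/// Registers the "hard" backoffice watch: a request for the on-disk Umbraco path (the folder
/// itself, with or without a trailing slash, or a file below it) is let through only for an
/// authenticated Umbraco user or for a client address allowed by <paramref name="config"/>.
/// Every other request gets either a 404 (static assets) or the configured unauthorized response.
/// </summary>
/// <param name="job">Job that hosts the web-request watch and receives journal entries.</param>
/// <param name="config">Backoffice access settings: IP access rules and the unauthorized response.</param>
private void AddHardWatch(IJob job, BackofficeAccessConfiguration config)
{
    // Regex.Escape keeps a configured path containing regex metacharacters from altering the
    // pattern; for an ordinary path such as "/umbraco" the escaped text is unchanged.
    var umbracoRoot = Regex.Escape(ApplicationSettings.UmbracoPath.TrimEnd('/'));
    var umbracoPath = Regex.Escape(ApplicationSettings.UmbracoPath);
    var hardLocationRegex = new Regex(
        "^((" + umbracoRoot + "(/)?)|(" + umbracoPath + "[\\w-/]+\\.[\\w.]{2,5}))$",
        RegexOptions.IgnoreCase);

    // Requests for these assets under the Umbraco path are answered with 404 instead of the
    // configured unauthorized response. Compared case-insensitively so the set agrees with the
    // IgnoreCase regex that selects the requests (".CSS" is handled like ".css").
    var staticAssetExtensions = new System.Collections.Generic.HashSet<string>(System.StringComparer.OrdinalIgnoreCase)
    {
        ".css", ".map", ".js", ".png", ".jpg", ".jpeg", ".gif",
        ".woff", ".woff2", ".ttf", ".otf", ".eot", ".svg"
    };

    foreach (var error in _ipAccessControlService.InitIpAccessControl(config.IpAccessRules))
    {
        job.WriteJournal(new JournalMessage($"Error: Invalid IP Address {error}, unable to add to exception list"));
    }

    // Presumably excludes the unauthorized URL from the watch so the denial response itself stays reachable.
    job.ExceptionWebRequest(config.Unauthorized.Url);

    // Add watch on the on-disk UmbracoPath location to do the security checking of the user's IP.
    job.WatchWebRequests(PipeLineStages.AuthenticateRequest, hardLocationRegex, 21000, (count, httpApp) =>
    {
        if (AccessHelper.IsRequestAuthenticatedUmbracoUser(httpApp))
        {
            return new WatchResponse(WatchResponse.Cycles.Continue);
        }

        // NOTE(review): the frontend watch in Execute passes the whole Request to IsValid, while this
        // overload only sees UserHostAddress — confirm both resolve the client address the same way.
        if (_ipAccessControlService.IsValid(config.IpAccessRules, httpApp.Context.Request.UserHostAddress))
        {
            return new WatchResponse(WatchResponse.Cycles.Continue);
        }

        // NOTE(review): Execute answers an unresolvable unauthorized URL with Cycles.Error; here it is
        // Cycles.Stop — confirm the difference is intended.
        var url = new UmbracoUrlService().Url(config.Unauthorized.Url);
        if (url == null)
        {
            return new WatchResponse(WatchResponse.Cycles.Stop);
        }

        var extension = httpApp.Context.Request.CurrentExecutionFilePathExtension;
        if (!string.IsNullOrEmpty(extension) && staticAssetExtensions.Contains(extension))
        {
            httpApp.Context.Response.StatusCode = (int)HttpStatusCode.NotFound;
            return new WatchResponse(WatchResponse.Cycles.Stop);
        }

        job.WriteJournal(new JournalMessage($"User with IP Address: {httpApp.Context.Request.UserHostAddress}; tried to access the backoffice access url. Access was denied"));
        return new WatchResponse(config.Unauthorized);
    });
}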
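/// <inheritdoc />
public override bool Execute(IJob job, IAppConfiguration c)
{
    // Priorities of the two frontend watches; the allow-check runs before the deny-check.
    const int allowCheckPriority = 400000;
    const int denyCheckPriority = 400500;

    // Clear any previously registered watches and exceptions before registering new ones.
    job.UnwatchWebRequests();
    job.UnexceptionWebRequest();

    if (!(c is FrontendAccessConfiguration config))
    {
        job.WriteJournal(new JournalMessage("Error: Config passed into Frontend Access was not of the correct type"));
        return false;
    }

    if (!c.Enable || !job.Environment.Enable)
    {
        return true;
    }

    foreach (var error in _ipAccessControlService.InitIpAccessControl(config.IpAccessRules))
    {
        job.WriteJournal(new JournalMessage($"Error: Invalid IP Address {error}, unable to add to exception list"));
    }

    // For every transfer type except PlayDead the unauthorized URL is excepted from the watch
    // (presumably so the denial response itself stays reachable).
    if (config.Unauthorized.TransferType != TransferTypes.PlayDead)
    {
        job.ExceptionWebRequest(config.Unauthorized.Url);
    }

    // Only paths built from this character set (plus an optional query string) are watched; a path
    // containing anything else — e.g. a '.' in a file extension — is not matched and therefore not
    // subject to the frontend check. Assumes the watch tests the request path — TODO confirm.
    var regex = new Regex(@"^/([a-z0-9-_~&\+%/])*(\?([^\?])*)?$", RegexOptions.IgnoreCase);

    // Pass 1: record whether the client IP is allowed. The indexer is idempotent, whereas
    // Items.Add throws if the key is already present for this request.
    job.WatchWebRequests(PipeLineStages.AuthenticateRequest, regex, allowCheckPriority, (count, httpApp) =>
    {
        if (_ipAccessControlService.IsValid(config.IpAccessRules, httpApp.Context.Request))
        {
            httpApp.Context.Items[_allowKey] = true;
        }
        return new WatchResponse(WatchResponse.Cycles.Continue);
    });

    // Pass 2: let allowed IPs and (when enabled) authenticated Umbraco users through; deny the rest.
    job.WatchWebRequests(PipeLineStages.AuthenticateRequest, regex, denyCheckPriority, (count, httpApp) =>
    {
        var ipAllowed = (bool?)httpApp.Context.Items[_allowKey] == true;
        if (ipAllowed || (config.UmbracoUserEnable && AccessHelper.IsRequestAuthenticatedUmbracoUser(httpApp)))
        {
            return new WatchResponse(WatchResponse.Cycles.Continue);
        }

        var url = new UmbracoUrlService().Url(config.Unauthorized.Url);
        if (url == null)
        {
            return new WatchResponse(WatchResponse.Cycles.Error);
        }

        // The unauthorized page itself is never denied.
        if (httpApp.Context.Request.Url.LocalPath.Equals(url))
        {
            return new WatchResponse(WatchResponse.Cycles.Continue);
        }

        job.WriteJournal(new JournalMessage($"User with IP Address: {httpApp.Context.Request.UserHostAddress}; tried to access Page: {httpApp.Context.Request.Url}. Access was denied"));
        return new WatchResponse(config.Unauthorized);
    });

    return true;
}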