private LdapConnection Bind(string hostname, string bindDN, string bindPW)
{
LdapConnection conn = null;
try {
//Establish ldap bind
conn = GetLdapConnectionFromBindingDN(hostname, bindDN, bindPW);
if (!conn.Bound)
{
UnBind(conn);
conn = null;
//Sometimes it doesn't throw an exception but ramains unbound.
throw new DreamAbortException(DreamMessage.AccessDenied("Deki LDAP Service", string.Format("An LDAP bind was not established. Server: '{0}'. BindingDN: '{1}'. Password provided? '{2}'", hostname, bindDN, string.IsNullOrEmpty(bindPW) ? "No." : "Yes.")));
}
} catch (LdapException x) {
UnBind(conn);
if (x.ResultCode == LdapException.INVALID_CREDENTIALS)
{
throw new DreamAbortException(DreamMessage.AccessDenied("Deki LDAP Service", string.Format("Invalid LDAP credentials. Server: '{0}'. BindingDN: '{1}'. Password provided? '{2}'", hostname, bindDN, string.IsNullOrEmpty(bindPW) ? "No." : "Yes.")));
}
else
{
throw;
}
}
return(conn);
}
/// <summary>
/// Returns a connected/authenticated ldapclient. Authentication info either comes from
/// the standard authentication header or from local configuration.
/// Default scope and domain controller IP/Host must be in service configuration.
/// </summary>
/// <param name="requireHeaderAuth">Will only accept authenticate from request header</param>
/// <returns></returns>
private LdapClient GetLdapClient(DreamContext context, DreamMessage request, bool requireAuth)
{
string authuser = string.Empty;
string authpassword = string.Empty;
HttpUtil.GetAuthentication(context.Uri.ToUri(), request.Headers, out authuser, out authpassword);
if (_config.VerboseLogging)
{
LogUtils.LogTrace(_log, context.Feature.VerbSignature, string.Format("Performing LDAP lookup uri: '{0}' username: '******' pw: '{2}'", context.Feature.VerbSignature, authuser, authpassword));
}
if (string.IsNullOrEmpty(authuser) && requireAuth)
{
throw new DreamAbortException(DreamMessage.AccessDenied(AuthenticationRealm, "Provide credentials to authenticate with ldap"));
}
LdapClient ldap = new LdapClient(_config, authuser, authpassword, _log);
ldap.TimeLimit = context.GetParam <int>("timelimit", _config.LdapTimeOut);
if (requireAuth)
{
bool authenticated = ldap.Authenticate();
if (!authenticated)
{
string msg = string.Format("Invalid LDAP username or password. Login DN used: '{0}'", ldap.BuildBindDn(authuser));
throw new DreamAbortException(DreamMessage.AccessDenied(AuthenticationRealm, msg));
}
}
return(ldap);
}
protected page Authorize(DreamContext context, user user, DekiAccessLevel access, string pageIdName)
{
page result;
long id = context.Uri.GetParam <long>(pageIdName, 0);
if (id == 0)
{
string title = context.Uri.GetParam("title", "");
if (string.IsNullOrEmpty(title))
{
throw new DreamAbortException(DreamMessage.NotFound(""));
}
result = page.GetCurByTitle(title);
}
else
{
result = page.GetCurByID((ulong)id);
}
// check that page was found
if ((result == null) || (result.ID <= 0))
{
throw new DreamAbortException(DreamMessage.NotFound(""));
}
// check if action is allowed
string action;
switch (access)
{
case DekiAccessLevel.Read:
action = DekiWikiConstants.ACTION_READ;
break;
case DekiAccessLevel.Write:
action = DekiWikiConstants.ACTION_EDIT;
break;
case DekiAccessLevel.Destroy:
action = DekiWikiConstants.ACTION_DELETE;
break;
default:
throw new DreamAbortException(DreamMessage.BadRequest(string.Format("unknown action {0}", access)));
}
if (!result.userCan(action, user))
{
throw new DreamAbortException(DreamMessage.AccessDenied(DekiWikiService.AUTHREALM, ""));
}
// return page
return(result);
}
//--- Methods ---
/// <summary>
/// Authenticate the current request.
/// </summary>
/// <param name="context">Context of current request</param>
/// <param name="request">Current request</param>
/// <returns>Authenticatd user name</returns>
/// <exception cref="DreamAbortException">Throws a DreamAbortException with Access Denied response if authentication fails</exception>
public virtual string Authenticate(DreamContext context, DreamMessage request)
{
string user;
string password;
HttpUtil.GetAuthentication(context.Uri.ToUri(), request.Headers, out user, out password);
if (string.IsNullOrEmpty(user) || string.IsNullOrEmpty(password) || !CheckUserPassword(user, password))
{
throw new DreamAbortException(DreamMessage.AccessDenied(AuthenticationRealm, "Missing or invalid credentials"));
}
return(user);
}
protected user Authenticate(DreamContext context, DreamMessage request, DekiUserLevel level)
{
user result = null;
// get username and password
string user;
string password;
if (!DreamUtil.GetAuthentication(context, request, out user, out password))
{
// anonymous access is always granted
if (level == DekiUserLevel.Anonymous)
{
// TODO (steveb): missing code
throw new NotImplementedException("return anonymous user");
}
else
{
throw new DreamAbortException(DreamMessage.AccessDenied(AuthenticationRealm, "authentication failed"));
}
}
// validate username and password
result = MindTouch.Deki.user.GetUserByName(user);
if (result == null)
{
throw new DreamAbortException(DreamMessage.AccessDenied(AuthenticationRealm, "authentication failed"));
}
if (!result.checkPassword(password))
{
throw new DreamAbortException(DreamMessage.AccessDenied(AuthenticationRealm, "authentication failed"));
}
if ((level == DekiUserLevel.Admin) && !result.isSysop())
{
throw new DreamAbortException(DreamMessage.AccessDenied(AuthenticationRealm, "authentication failed"));
}
return(result);
}
private static DreamMessage Map(MindTouchAccessDeniedException e, DekiResources resources)
{
return(DreamMessage.AccessDenied(e.AuthRealm, resources.Localize(e.Resource)));
}