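/// <summary>
/// Handles a username/password login: consults the login tracker, validates the credentials,
/// records the outcome, and on success issues the auth cookie alongside the mapped user resource.
/// </summary>
/// <param name="context">The current request; the <see cref="LoginCommand"/> is bound from it.</param>
/// <param name="response">Formatter used to serialise the user resource on success.</param>
/// <returns>
/// 400 when the provider is disabled, the tracker has banned the caller, or the credentials are rejected;
/// otherwise 200 with the user resource and the auth cookie attached.
/// </returns>
public Response Execute(NancyContext context, IResponseFormatter response)
{
    if (!configurationStore.GetIsEnabled())
    {
        return responseCreator.AsStatusCode(HttpStatusCode.BadRequest);
    }

    var model = modelBinder.Bind<LoginCommand>(context);
    var attemptedUsername = model.Username;
    var requestUserHostAddress = context.Request.UserHostAddress;

    // The tracker's verdict is based on the failures recorded so far, i.e. before the outcome
    // of this attempt is known; the same verdict decides whether a failure below is slowed down.
    var action = loginTracker.BeforeAttempt(attemptedUsername, requestUserHostAddress);
    if (action == InvalidLoginAction.Ban)
    {
        return responseCreator.BadRequest("You have had too many failed login attempts in a short period of time. Please try again later.");
    }

    var userResult = credentialValidator.ValidateCredentials(attemptedUsername, model.Password);
    if (!userResult.Succeeded)
    {
        // NOTE(review): FailureReason is returned to the client verbatim; whether it can distinguish an
        // unknown username from a wrong password depends on the validator — confirm it does not.
        return RecordFailureAndReject(attemptedUsername, requestUserHostAddress, action, userResult.FailureReason);
    }

    var user = userResult.User;
    if (user == null || !user.IsActive || user.IsService)
    {
        // Deactivated and service accounts are rejected with a generic message rather than one
        // that names the account's state, and are counted as failures like any other.
        return RecordFailureAndReject(attemptedUsername, requestUserHostAddress, action, "Invalid username or password.");
    }

    loginTracker.RecordSucess(attemptedUsername, requestUserHostAddress);
    var cookie = issuer.CreateAuthCookie(context, user.IdentificationToken, model.RememberMe);

    // NOTE(review): a far-future Expires header on a response carrying the auth cookie looks
    // cacheable — presumably the formatter also emits Cache-Control; verify against the caller.
    return responseCreator.AsOctopusJson(response, userMapper.MapToResource(user))
        .WithCookie(cookie)
        .WithStatusCode(HttpStatusCode.OK)
        .WithHeader("Expires", DateTime.UtcNow.AddYears(1).ToString("R", DateTimeFormatInfo.InvariantInfo));
}

/// <summary>
/// Records a failed attempt against the login tracker, applies the slow-down delay when the
/// tracker asked for one, and builds the 400 response carrying <paramref name="reason"/>.
/// </summary>
/// <param name="username">The username that was attempted.</param>
/// <param name="hostAddress">The client address the attempt came from.</param>
/// <param name="action">The tracker's verdict obtained before the attempt.</param>
/// <param name="reason">The message returned to the client.</param>
/// <returns>The 400 response.</returns>
private Response RecordFailureAndReject(string username, string hostAddress, InvalidLoginAction action, string reason)
{
    loginTracker.RecordFailure(username, hostAddress);
    if (action == InvalidLoginAction.Slow)
    {
        // Fixed delay to throttle repeated guessing once the tracker has flagged the source.
        sleep.For(SlowDownDelayMilliseconds);
    }
    return responseCreator.BadRequest(reason);
}

private const int SlowDownDelayMilliseconds = 1000;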
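/// <summary>
/// Nancy module that completes an integrated (NTLM challenge) sign-in: once the host has
/// populated <c>Context.CurrentUser</c>, it issues the auth cookie and sends the browser back
/// into the portal, following <c>redirectTo</c> only when it points at this instance or a
/// trusted URL.
/// </summary>
/// <param name="log">Receives a warning when a non-local redirect target is refused.</param>
/// <param name="tokenIssuer">Creates the auth cookie for the authenticated principal.</param>
/// <param name="responseCreator">Builds the 401/400 error responses.</param>
/// <param name="webPortalConfigurationStore">Supplies the trusted redirect URLs.</param>
public IntegratedAuthenticationModule(ILog log, IAuthCookieCreator tokenIssuer, IApiActionResponseCreator responseCreator, IWebPortalConfigurationStore webPortalConfigurationStore)
{
    Get[DirectoryServicesConstants.ChallengePath] = c =>
    {
        // Presumably the host has already challenged the caller; without a user there is
        // nothing to issue a cookie for.
        if (Context.CurrentUser == null)
        {
            return responseCreator.Unauthorized(Request);
        }

        var principal = (IOctopusPrincipal)Context.CurrentUser;
        var tokenCookie = tokenIssuer.CreateAuthCookie(Context, principal.IdentificationToken, false);

        var directoryPathResult = Request.AbsoluteVirtualDirectoryPath();
        if (!directoryPathResult.IsValid)
        {
            return responseCreator.BadRequest(directoryPathResult.InvalidReason);
        }

        // Landing page used when no redirect target was supplied or it was refused.
        var fallbackLocation = directoryPathResult.Path ?? "/";

        // No redirectTo at all is the normal case, not an attack, so it must not produce the
        // open-redirection warning below (the original logged it with a null target).
        var redirectTo = Request.Query["redirectTo"];
        if (!redirectTo.HasValue)
        {
            return new RedirectResponse(fallbackLocation).WithCookie(tokenCookie);
        }

        // Only targets that resolve to this instance or are explicitly trusted may be followed;
        // anything else would turn the challenge endpoint into an open redirector.
        var requestedLocation = redirectTo.Value;
        var trustedRedirectUrls = webPortalConfigurationStore.GetTrustedRedirectUrls();
        if (Requests.IsLocalUrl(directoryPathResult.Path, requestedLocation, trustedRedirectUrls))
        {
            return new RedirectResponse(requestedLocation).WithCookie(tokenCookie);
        }

        log.WarnFormat("Prevented potential Open Redirection attack on an NTLM challenge from the local instance {0} to the non-local url {1}", directoryPathResult.Path, requestedLocation);
        return new RedirectResponse(fallbackLocation).WithCookie(tokenCookie);
    };
}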
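/// <summary>
/// Builds the external (identity provider) login URL for an API client and stores the protected
/// state and nonce in short-lived cookies so the callback can verify them.
/// </summary>
/// <param name="context">The current request; the <see cref="LoginRedirectLinkRequestModel"/> is bound from it.</param>
/// <param name="response">Formatter used for the JSON body and the error redirect.</param>
/// <returns>
/// 400 when the provider is disabled or the requested post-login destination is not local;
/// otherwise the login link as JSON with the state and nonce cookies attached, or a redirect
/// to the destination with an error parameter when issuer discovery or URL building fails.
/// </returns>
public async Task<Response> ExecuteAsync(NancyContext context, IResponseFormatter response)
{
    if (!ConfigurationStore.GetIsEnabled())
    {
        log.Warn($"{ConfigurationStore.ConfigurationSettingsName} user authentication API was called while the provider was disabled.");
        return ResponseCreator.BadRequest(new string[] { "This authentication provider is disabled." });
    }

    var model = modelBinder.Bind<LoginRedirectLinkRequestModel>(context);

    // The post-login destination travels through the provider as the "state" value; default to the root.
    var state = model.RedirectAfterLoginTo;
    if (string.IsNullOrWhiteSpace(state))
    {
        state = "/";
    }

    // Refuse anything that does not resolve to this instance (or a trusted URL) up front, so neither
    // the provider's callback nor the error redirect in the catch block can be pointed off-site.
    var trustedRedirectUrls = webPortalConfigurationStore.GetTrustedRedirectUrls();
    if (!Requests.IsLocalUrl(state, trustedRedirectUrls))
    {
        log.WarnFormat("Prevented potential Open Redirection attack on an authentication request, to the non-local url {0}", state);
        return ResponseCreator.BadRequest("Request not allowed, due to potential Open Redirection attack");
    }

    var nonce = Nonce.GenerateUrlSafeNonce();
    try
    {
        var issuer = ConfigurationStore.GetIssuer();
        var issuerConfig = await identityProviderConfigDiscoverer.GetConfigurationAsync(issuer);
        var url = urlBuilder.Build(model.ApiAbsUrl, issuerConfig, nonce, state);

        // One timestamp for both cookies so the state cannot outlive the nonce it is paired with.
        var cookieExpiry = DateTime.UtcNow.AddMinutes(20);

        // NOTE(review): the cookies are created HttpOnly with the fourth argument false — presumably
        // the Secure flag — confirm that is intended for instances served over plain http.
        return ResponseCreator.AsOctopusJson(response, new LoginRedirectLinkResponseModel { ExternalAuthenticationUrl = url })
            .WithCookie(new NancyCookie("s", State.Protect(state), true, false, cookieExpiry))
            .WithCookie(new NancyCookie("n", Nonce.Protect(nonce), true, false, cookieExpiry));
    }
    catch (Exception ex)
    {
        // Discovery or URL building failed; state passed the locality check above, so redirecting to it is safe.
        log.Error(ex);
        return response.AsRedirect($"{state}?error=Login failed. Please see the Octopus Server logs for more details.");
    }
}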
/// <summary>
/// Searches groups (or a team) by the <c>name</c> query parameter and returns the matches as JSON.
/// </summary>
/// <param name="context">The current request; <c>name</c> is read from its query string.</param>
/// <param name="response">Formatter used to serialise the search result.</param>
/// <returns>400 when <c>name</c> is missing or blank; otherwise the result of <c>SearchByName</c> as JSON.</returns>
public Response Execute(NancyContext context, IResponseFormatter response)
{
    var requestedName = context.Request.Query["name"];
    var hasName = !string.IsNullOrWhiteSpace(requestedName);
    if (!hasName)
    {
        return responseCreator.BadRequest("Please provide the name of a group to search by, or a team");
    }

    var matches = SearchByName(requestedName);
    return responseCreator.AsOctopusJson(response, matches);
}
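/// <summary>
/// Browser entry point for an external (identity provider) login: redirects the user agent to
/// the provider and stores the protected state and nonce in short-lived cookies for the callback.
/// </summary>
/// <param name="context">The current request; <c>redirectTo</c> is read from its query string.</param>
/// <param name="response">Formatter used to build the redirects.</param>
/// <returns>
/// 400 when the provider is disabled; otherwise a redirect to the provider's login URL with the
/// state and nonce cookies attached, or a redirect to the destination with an error parameter
/// when issuer discovery or URL building fails.
/// </returns>
public async Task<Response> ExecuteAsync(NancyContext context, IResponseFormatter response)
{
    if (!ConfigurationStore.GetIsEnabled())
    {
        log.Warn($"{ConfigurationStore.ConfigurationSettingsName} user authentication API was called while the provider was disabled.");
        return ResponseCreator.BadRequest(new string[] { "This authentication provider is disabled." });
    }

    // Plain http is only logged, not refused; note the cookies below are created with the fourth
    // NancyCookie argument false (presumably the Secure flag), so they are sent on http as well.
    if (!context.Request.Url.SiteBase.StartsWith("https://", StringComparison.OrdinalIgnoreCase))
    {
        log.Warn($"{ConfigurationStore.ConfigurationSettingsName} user authentication API was called without using https.");
    }

    // The post-login destination is carried as the "state" value; "~/app" when none was requested.
    // NOTE(review): unlike the link-request handler, redirectTo is used as-is here (no
    // Requests.IsLocalUrl check against the trusted redirect URLs) and it also feeds the error
    // redirect in the catch block — confirm the destination is validated on the callback.
    var postLoginRedirectTo = context.Request.Query["redirectTo"];
    var state = "~/app";
    if (!string.IsNullOrWhiteSpace(postLoginRedirectTo))
    {
        state = postLoginRedirectTo;
    }

    var nonce = Nonce.Generate();
    try
    {
        var issuer = ConfigurationStore.GetIssuer();
        var issuerConfig = await identityProviderConfigDiscoverer.GetConfigurationAsync(issuer);
        var url = urlBuilder.Build(context.Request.Url.SiteBase, issuerConfig, nonce, state);

        // One timestamp for both cookies so the state cannot outlive the nonce it is paired with.
        var cookieExpiry = DateTime.UtcNow.AddMinutes(20);
        return response.AsRedirect(url)
            .WithCookie(new NancyCookie("s", State.Protect(state), true, false, cookieExpiry))
            .WithCookie(new NancyCookie("n", Nonce.Protect(nonce), true, false, cookieExpiry));
    }
    catch (Exception ex)
    {
        // Discovery or URL building failed; the details stay in the server log, the browser only sees a generic error.
        log.Error(ex);
        return response.AsRedirect($"{state}?error=Login failed. Please see the Octopus Server logs for more details.");
    }
}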
/// <summary>
/// Logs <paramref name="message"/> as an error and wraps it in a 400 response.
/// </summary>
/// <param name="message">The reason the request was rejected; also the response body.</param>
/// <returns>The 400 response built by <c>ResponseCreator</c>.</returns>
Response BadRequest(string message)
{
    // NOTE(review): these rejections are client input problems but are logged at Error level;
    // consider whether Warn is the intended severity.
    log.Error(message);
    var rejection = ResponseCreator.BadRequest(message);
    return rejection;
}