        /// <summary>
        /// Handles a username/password login.
        /// Order of checks: provider enabled, login-tracker throttling, credentials, then account usability.
        /// Every rejection after the throttling check is recorded with the tracker so that repeated
        /// failures can escalate to a slow-down and then a ban.
        /// </summary>
        /// <param name="context">Nancy context the <see cref="LoginCommand"/> is bound from; its UserHostAddress keys the tracker together with the username.</param>
        /// <param name="response">Formatter used to serialise the user resource on success.</param>
        /// <returns>
        /// 400 when the provider is disabled, the caller is banned, the credentials fail, or the
        /// account is missing, inactive or a service account; otherwise 200 with the user resource,
        /// the auth cookie and an Expires header one year ahead.
        /// </returns>
        public Response Execute(NancyContext context, IResponseFormatter response)
        {
            if (!configurationStore.GetIsEnabled())
            {
                return(responseCreator.AsStatusCode(HttpStatusCode.BadRequest));
            }

            var command = modelBinder.Bind <LoginCommand>(context);

            var attemptedUsername      = command.Username;
            var requestUserHostAddress = context.Request.UserHostAddress;

            // Consult the tracker before touching credentials: it may ban this caller outright
            // or ask for a slow-down to be applied on failure.
            var action = loginTracker.BeforeAttempt(attemptedUsername, requestUserHostAddress);

            if (action == InvalidLoginAction.Ban)
            {
                return(responseCreator.BadRequest("You have had too many failed login attempts in a short period of time. Please try again later."));
            }

            // Shared bookkeeping for a rejected attempt: record it, then delay if the tracker asked for it.
            Action noteFailure = () =>
            {
                loginTracker.RecordFailure(attemptedUsername, requestUserHostAddress);

                if (action == InvalidLoginAction.Slow)
                {
                    sleep.For(1000);
                }
            };

            var userResult = credentialValidator.ValidateCredentials(attemptedUsername, command.Password);

            if (!userResult.Succeeded)
            {
                noteFailure();

                // NOTE(review): the validator's FailureReason is returned verbatim to the caller;
                // confirm it does not distinguish unknown users from wrong passwords.
                return(responseCreator.BadRequest(userResult.FailureReason));
            }

            var user = userResult.User;

            // A correct password is not enough: the account must exist, be active and not be a service account.
            if (user == null || !user.IsActive || user.IsService)
            {
                noteFailure();

                return(responseCreator.BadRequest("Invalid username or password."));
            }

            loginTracker.RecordSucess(attemptedUsername, requestUserHostAddress);

            var authCookie   = issuer.CreateAuthCookie(context, user.IdentificationToken, command.RememberMe);
            var userResource = userMapper.MapToResource(user);

            return(responseCreator.AsOctopusJson(response, userResource)
                   .WithCookie(authCookie)
                   .WithStatusCode(HttpStatusCode.OK)
                   .WithHeader("Expires", DateTime.UtcNow.AddYears(1).ToString("R", DateTimeFormatInfo.InvariantInfo)));
        }
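        /// <summary>
        /// Registers the NTLM challenge endpoint. An already-authenticated caller receives an auth cookie
        /// and is redirected back to the requested local page (or the virtual directory root); an
        /// unauthenticated caller gets 401 and an invalid virtual directory path gets 400.
        /// </summary>
        /// <param name="log">Logger for the open-redirect warning.</param>
        /// <param name="tokenIssuer">Creates the auth cookie from the principal's identification token.</param>
        /// <param name="responseCreator">Builds the 401/400 responses.</param>
        /// <param name="webPortalConfigurationStore">Supplies the trusted redirect URL list used to vet redirectTo.</param>
        public IntegratedAuthenticationModule(ILog log, IAuthCookieCreator tokenIssuer, IApiActionResponseCreator responseCreator, IWebPortalConfigurationStore webPortalConfigurationStore)
        {
            Get[DirectoryServicesConstants.ChallengePath] = c =>
            {
                if (Context.CurrentUser == null)
                {
                    return(responseCreator.Unauthorized(Request));
                }

                var principal   = (IOctopusPrincipal)Context.CurrentUser;
                var tokenCookie = tokenIssuer.CreateAuthCookie(Context, principal.IdentificationToken, false);

                var directoryPathResult = Request.AbsoluteVirtualDirectoryPath();
                if (!directoryPathResult.IsValid)
                {
                    return(responseCreator.BadRequest(directoryPathResult.InvalidReason));
                }

                var whitelist = webPortalConfigurationStore.GetTrustedRedirectUrls();

                // Default landing page, used when no acceptable redirectTo was supplied.
                var redirectLocation = directoryPathResult.Path ?? "/";

                var redirectTo = Request.Query["redirectTo"];
                if (redirectTo.HasValue)
                {
                    if (Requests.IsLocalUrl(directoryPathResult.Path, redirectTo.Value, whitelist))
                    {
                        redirectLocation = redirectTo.Value;
                    }
                    else
                    {
                        // Only warn when a redirectTo was actually supplied and rejected; a request
                        // without the parameter is the normal case and must not be logged as an attack.
                        log.WarnFormat("Prevented potential Open Redirection attack on an NTLM challenge from the local instance {0} to the non-local url {1}", directoryPathResult.Path, redirectTo.Value);
                    }
                }

                return(new RedirectResponse(redirectLocation).WithCookie(tokenCookie));
            };
        }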
        /// <summary>
        /// Builds the link the client must follow to authenticate with the external identity provider.
        /// The requested post-login destination is checked against the trusted redirect list before it
        /// is carried in the protected "s" cookie; a fresh nonce is carried in the protected "n" cookie.
        /// </summary>
        /// <param name="context">Nancy context the <see cref="LoginRedirectLinkRequestModel"/> is bound from.</param>
        /// <param name="response">Formatter used for the JSON result and for the fallback redirect.</param>
        /// <returns>
        /// 200 with the external authentication URL; 400 when the provider is disabled or the destination
        /// is not local; a redirect to the destination with an error query string when provider discovery
        /// or URL building throws.
        /// </returns>
        public async Task <Response> ExecuteAsync(NancyContext context, IResponseFormatter response)
        {
            if (!ConfigurationStore.GetIsEnabled())
            {
                log.Warn($"{ConfigurationStore.ConfigurationSettingsName} user authentication API was called while the provider was disabled.");
                return(ResponseCreator.BadRequest(new string[] { "This authentication provider is disabled." }));
            }

            var request = modelBinder.Bind <LoginRedirectLinkRequestModel>(context);

            // A blank destination means the portal root.
            var returnTo = string.IsNullOrWhiteSpace(request.RedirectAfterLoginTo) ? "/" : request.RedirectAfterLoginTo;

            var trustedRedirectUrls = webPortalConfigurationStore.GetTrustedRedirectUrls();

            if (!Requests.IsLocalUrl(returnTo, trustedRedirectUrls))
            {
                log.WarnFormat("Prevented potential Open Redirection attack on an authentication request, to the non-local url {0}", returnTo);
                return(ResponseCreator.BadRequest("Request not allowed, due to potential Open Redirection attack"));
            }

            var nonce = Nonce.GenerateUrlSafeNonce();

            try
            {
                var issuerConfig = await identityProviderConfigDiscoverer.GetConfigurationAsync(ConfigurationStore.GetIssuer());
                var externalUrl  = urlBuilder.Build(request.ApiAbsUrl, issuerConfig, nonce, returnTo);

                var result = ResponseCreator.AsOctopusJson(response, new LoginRedirectLinkResponseModel {
                    ExternalAuthenticationUrl = externalUrl
                });

                // Both cookies are HttpOnly and expire after 20 minutes; the values are protected so the
                // callback can verify them. NOTE(review): the fourth argument (Secure) is false here —
                // confirm that is intended for https deployments.
                return(result
                       .WithCookie(new NancyCookie("s", State.Protect(returnTo), true, false, DateTime.UtcNow.AddMinutes(20)))
                       .WithCookie(new NancyCookie("n", Nonce.Protect(nonce), true, false, DateTime.UtcNow.AddMinutes(20))));
            }
            catch (Exception ex)
            {
                log.Error(ex);
                return(response.AsRedirect($"{returnTo}?error=Login failed. Please see the Octopus Server logs for more details."));
            }
        }
        /// <summary>
        /// Looks up groups by the "name" query-string parameter.
        /// </summary>
        /// <param name="context">Nancy context whose query string supplies "name".</param>
        /// <param name="response">Formatter used to serialise the search result.</param>
        /// <returns>400 when "name" is missing or blank; otherwise the JSON result of <c>SearchByName</c>.</returns>
        public Response Execute(NancyContext context, IResponseFormatter response)
        {
            var requestedName = context.Request.Query["name"];

            if (!string.IsNullOrWhiteSpace(requestedName))
            {
                return(responseCreator.AsOctopusJson(response, SearchByName(requestedName)));
            }

            return(responseCreator.BadRequest("Please provide the name of a group to search by, or a team"));
        }
        /// <summary>
        /// Starts an external login by redirecting the browser to the identity provider.
        /// The post-login destination ("redirectTo" query parameter, default "~/app") is carried in the
        /// protected "s" cookie and a fresh nonce in the protected "n" cookie.
        /// </summary>
        /// <param name="context">Nancy context; its request URL supplies the site base and the redirectTo parameter.</param>
        /// <param name="response">Formatter used to build the redirects.</param>
        /// <returns>
        /// 400 when the provider is disabled; otherwise a redirect to the provider, or a redirect to the
        /// destination with an error query string when provider discovery or URL building throws.
        /// </returns>
        public async Task <Response> ExecuteAsync(NancyContext context, IResponseFormatter response)
        {
            if (!ConfigurationStore.GetIsEnabled())
            {
                log.Warn($"{ConfigurationStore.ConfigurationSettingsName} user authentication API was called while the provider was disabled.");
                return(ResponseCreator.BadRequest(new string[] { "This authentication provider is disabled." }));
            }

            var siteBase = context.Request.Url.SiteBase;

            // Plain-http use is logged but not refused.
            if (!siteBase.StartsWith("https://", StringComparison.OrdinalIgnoreCase))
            {
                log.Warn($"{ConfigurationStore.ConfigurationSettingsName} user authentication API was called without using https.");
            }

            // NOTE(review): redirectTo is not checked against the trusted redirect list here, unlike the
            // link-building variant of this API; confirm the callback validates the "s" cookie value as local.
            var requestedDestination = context.Request.Query["redirectTo"];
            var destination          = "~/app";

            if (!string.IsNullOrWhiteSpace(requestedDestination))
            {
                destination = requestedDestination;
            }

            var nonce = Nonce.Generate();

            try
            {
                var issuerConfig = await identityProviderConfigDiscoverer.GetConfigurationAsync(ConfigurationStore.GetIssuer());
                var providerUrl  = urlBuilder.Build(siteBase, issuerConfig, nonce, destination);

                // Both cookies are HttpOnly and expire after 20 minutes. NOTE(review): the fourth
                // argument (Secure) is false here — confirm that is intended for https deployments.
                return(response.AsRedirect(providerUrl)
                       .WithCookie(new NancyCookie("s", State.Protect(destination), true, false, DateTime.UtcNow.AddMinutes(20)))
                       .WithCookie(new NancyCookie("n", Nonce.Protect(nonce), true, false, DateTime.UtcNow.AddMinutes(20))));
            }
            catch (Exception ex)
            {
                log.Error(ex);
                return(response.AsRedirect($"{destination}?error=Login failed. Please see the Octopus Server logs for more details."));
            }
        }
 /// <summary>
 /// Logs <paramref name="message"/> as an error and returns it to the caller as a 400 response.
 /// </summary>
 /// <param name="message">Reason for the rejection; it is both logged and sent to the client.</param>
 /// <returns>The 400 response built by <c>ResponseCreator</c>.</returns>
 Response BadRequest(string message)
 {
     // Log first so the rejection is recorded even if building the response fails.
     log.Error(message);

     var rejection = ResponseCreator.BadRequest(message);
     return(rejection);
 }