//--- Class Methods ---
public static UserBE Authenticate(DreamContext context, DreamMessage request, uint serviceId, bool autoCreateExternalUser, bool allowAnon, out bool altPassword)
{
UserBE user = null;
altPassword = false;
// Case 1: username/fullname, password, provider (login window)
// 1. Validate & retrieve fullname using credentials
// Failed -> return null
// 2. Populate user object
// A. Populates user info
// B. Populates group info in user object
// 3. Does fullname exist?
// Yes -> Update user (email, fullname, ...)
// No -> Create user
// 4. Update Group information
// 5. return user object
//
// Case 2: fullname, password (http, api, ...)
// 1. Lookup full name, exist?
// Yes -> return user
// No -> return null
//
// Case 3: auth-token (header auth)
// 0. Valid auth token?
// No -> return null
// 1. Lookup user by name
// Found -> return user
// Else -> return null
string userName = null;
string password = null;
UserBE userFromToken = null;
ServiceBE authService = null;
// Extract authtoken and impersonation authtoken from request.
// AllowAnon is false when in GET/POST: users/authenticate or when ?authenticate=true.
// Standard user authtokens are ignored when AllowAnon=false but impersonation tokens are accepted.
bool impersonationOnly = !allowAnon;
userFromToken = UserFromAuthTokenInRequest(context, impersonationOnly);
if (userFromToken == null)
{
HttpUtil.GetAuthentication(context.Uri.ToUri(), request.Headers, out userName, out password);
}
// check if we need to retrieve authentication service information
if (serviceId > 0)
{
authService = ServiceBL.GetServiceById(serviceId);
if (authService == null)
{
throw new AuthServiceIdInvalidArgumentException(serviceId);
}
if (authService.Type != ServiceType.AUTH)
{
throw new AuthNotAnAuthServiceInvalidArgumentException(serviceId);
}
}
// check if a username was provided
if (!string.IsNullOrEmpty(userName))
{
//Case 2: Given username + password
if (authService == null)
{
//Assuming local user or existing external account
user = DbUtils.CurrentSession.Users_GetByName(userName);
if (user != null)
{
serviceId = user.ServiceId;
authService = ServiceBL.GetServiceById(serviceId);
}
else
{
LoginAccessDenied(context, request, userName, null, password);
}
}
if (authService == null)
{
throw new AuthServiceIdInvalidArgumentException(serviceId);
}
if (authService.Type != ServiceType.AUTH)
{
throw new AuthNotAnAuthServiceInvalidArgumentException(serviceId);
}
if (user == null)
{
//Performing auth on local account
if (ServiceBL.IsLocalAuthService(authService))
{
user = DbUtils.CurrentSession.Users_GetByName(userName);
}
else
{
//Performing external auth. Lookup by external user name
user = DbUtils.CurrentSession.Users_GetByExternalName(userName, authService.Id);
}
if (user != null && user.ServiceId != authService.Id)
{
ServiceBE currentUsersAuthService = ServiceBL.GetServiceById(user.ServiceId);
if (currentUsersAuthService != null)
{
throw new AuthLoginExternalUserConflictException(currentUsersAuthService.Description);
}
throw new LoginExternalUserUnknownConflictException();
}
}
//Local account in the db.
if (user != null && ServiceBL.IsLocalAuthService(authService))
{
//Validate password for local account or validate the apikey
if (!IsValidAuthenticationForLocalUser(user, password, out altPassword))
{
// try impersonation using the ApiKey
if (string.IsNullOrEmpty(password) && PermissionsBL.ValidateRequestApiKey())
{
DekiContext.Current.Instance.Log.InfoFormat("user '{0}' authenticated via apikey impersonation", userName);
}
else
{
LoginAccessDenied(context, request, userName, user.ID, password);
}
}
}
// User was not found in the db and not being asked to create it.
if (user == null && !autoCreateExternalUser)
{
LoginAccessDenied(context, request, userName, null, password);
}
// Creating local account if apikey checks out and our authservice is local
if (user == null && string.IsNullOrEmpty(password) && PermissionsBL.ValidateRequestApiKey() && ServiceBL.IsLocalAuthService(authService))
{
XDoc newUserDoc = new XDoc("user")
.Elem("username", userName);
DreamMessage newUserResponse = DekiContext.Current.ApiPlug.At("users")
.With("apikey", DreamContext.Current.GetParam("apikey", string.Empty))
.Post(newUserDoc);
user = UserBL.GetUserById(newUserResponse.ToDocument()["/user/@id"].AsUInt ?? 0);
if (user != null && !string.IsNullOrEmpty(password))
{
user = UserBL.SetPassword(user, password, false);
}
}
// Got an external account
// Passing in the user object from db if it was found.
List <GroupBE> externalGroups = null;
if (!ServiceBL.IsLocalAuthService(authService))
{
bool bypassAuthentication = false;
string externalName;
if (user == null || string.IsNullOrEmpty(user.ExternalName))
{
externalName = userName;
}
else
{
externalName = user.ExternalName;
}
// If apikey is valid, try to bypass auth with the external provider
// and only lookup user/group details.
if (string.IsNullOrEmpty(password) && PermissionsBL.ValidateRequestApiKey())
{
DekiContext.Current.Instance.Log.InfoFormat("user '{0}' authenticating being bypassed via apikey impersonation", userName);
bypassAuthentication = true;
}
user = ExternalServiceSA.BuildUserFromAuthService(authService, user, userName, bypassAuthentication, externalName, password, out externalGroups);
}
// User was not found or did not authenticate with external provider
if (user == null)
{
LoginAccessDenied(context, request, userName, null, password);
}
else
{
//New user creation from external provider
if (user.ID == 0)
{
if (!autoCreateExternalUser)
{
LoginAccessDenied(context, request, userName, null, password);
}
}
else
{
//user exists
// TODO (steveb): ???
}
if (user.UserActive)
{
user = UserBL.CreateOrUpdateUser(user);
if (externalGroups != null)
{
UserBL.UpdateUsersGroups(user, externalGroups.ToArray());
}
}
}
}
else if (userFromToken != null)
{
// valid token exists that resolved to a user
user = userFromToken;
}
else if (allowAnon)
{
// Anonymous user
user = DbUtils.CurrentSession.Users_GetByName(DekiWikiService.ANON_USERNAME);
}
if (user == null)
{
//No credentials. Or token not provided or is invalid.
LoginAccessDenied(context, request, null, null, password);
}
else if (!user.UserActive && !PermissionsBL.ValidateRequestApiKey())
{
//If a valid api key is provided, override the disabled account flag
throw new AuthUserDisabledForbiddenException(user.Name);
}
return(user);
}
/// <summary>
/// Get a user out of an authtoken from a request if it's valid.
/// </summary>
/// <returns></returns>
private static UserBE UserFromAuthTokenInRequest(DreamContext context, bool impersonationOnly)
{
DreamMessage request = context.Request;
string authToken = context.Uri.GetParam(DekiWikiService.AUTHTOKEN_URIPARAM, null);
UserBE user = null;
// Check if auth token is in a cookie
if ((authToken == null) && request.HasCookies)
{
DreamCookie authCookie = DreamCookie.GetCookie(request.Cookies, DekiWikiService.AUTHTOKEN_COOKIENAME);
if ((authCookie != null) && (!authCookie.Expired))
{
authToken = authCookie.Value;
}
}
// Check if auth token is in a header or passed in as query parameter
authToken = authToken ?? request.Headers[DekiWikiService.AUTHTOKEN_HEADERNAME];
// Extract user name from auth token if it's valid
if (authToken != null)
{
user = ValidateAuthToken(authToken, impersonationOnly);
// check whether licensestate prevents user from being authenticated
var license = DekiContext.Current.LicenseManager;
LicenseStateType licensestate = license.LicenseState;
if ((licensestate == LicenseStateType.EXPIRED || licensestate == LicenseStateType.INVALID || licensestate == LicenseStateType.INACTIVE) &&
!PermissionsBL.IsUserAllowed(user, Permissions.ADMIN)
)
{
if (DekiContext.Current.Instance.Log.IsWarnEnabled)
{
switch (licensestate)
{
case LicenseStateType.EXPIRED:
DekiContext.Current.Instance.Log.WarnFormat("UserFromAuthTokenInRequest: Expired license {0}, reverting non-admin user to anonymous", license.LicenseExpiration);
break;
case LicenseStateType.INVALID:
DekiContext.Current.Instance.Log.WarnFormat("UserFromAuthTokenInRequest: Invalid license, reverting non-admin user to anonymous");
break;
case LicenseStateType.INACTIVE:
DekiContext.Current.Instance.Log.WarnFormat("UserFromAuthTokenInRequest: Inactive license, reverting non-admin user to anonymous");
break;
}
}
user = null;
}
else
{
DekiContext.Current.AuthToken = authToken;
}
}
if (PermissionsBL.ValidateRequestApiKey())
{
uint userIdOverride = 0;
if (uint.TryParse(context.GetParam(DekiWikiService.IMPERSONATE_USER_QUERYNAME, null), out userIdOverride))
{
UserBE userOverride = UserBL.GetUserById(userIdOverride);
if (userOverride != null)
{
user = userOverride;
DekiContext.Current.Instance.Log.InfoFormat("APIKEY provided. Impersonating user id '{0}': {1}", user.ID, user.Name);
}
}
}
return(user);
}
