public HttpResponseMessage Update()
{
JavaScriptSerializer jsonSer = new JavaScriptSerializer();
string json = Request.Content.ReadAsStringAsync().Result;
APIUser apiUser;
try
{
apiUser = jsonSer.Deserialize <APIUser>(json);
}
catch (Exception ex)
{
return(Request.CreateErrorResponse(HttpStatusCode.BadRequest, "Deserialization failure."));
}
try
{
apiUser = APIUserManager.Update(apiUser);
}
catch (Exception ex)
{
return(Request.CreateErrorResponse(HttpStatusCode.InternalServerError, "Failed to update API user."));
}
return(Request.CreateResponse(HttpStatusCode.OK, apiUser));
}
public HttpResponseMessage GetAll()
{
List <APIUser> apiUsers = APIUserManager.GetAll().ToList();
foreach (APIUser apiUser in apiUsers)
{
apiUser.APIKey = string.Format("****************************{0}", apiUser.APIKey.Substring(apiUser.APIKey.Length - 4));
apiUser.EncryptionKey = string.Format("****************************{0}", apiUser.EncryptionKey.Substring(apiUser.EncryptionKey.Length - 4));
}
return(Request.CreateResponse(HttpStatusCode.OK, apiUsers));
}
public async Task <HttpResponseMessage> AddPackages(string sessionGuid)
{
if (!SessionManager.SessionExists(sessionGuid))
{
// Session doesn't exist.
return(Request.CreateErrorResponse(HttpStatusCode.NotFound, "Invalid session."));
}
try
{
// Does the request contain multipart/form-data?
if (!Request.Content.IsMimeMultipartContent())
{
throw new HttpResponseException(HttpStatusCode.UnsupportedMediaType);
}
// Get the api key from the header.
string apiKey = Request.Headers.GetValues("x-api-key").FirstOrDefault();
// Get the api user.
APIUser apiUser = APIUserManager.FindAndPrepare(apiKey);
// Receive files.
MultipartMemoryStreamProvider provider = await Request.Content.ReadAsMultipartAsync();
foreach (HttpContent file in provider.Contents)
{
EventLogManager.Log("httpcontent filename: ", EventLogSeverity.Warning, "hard coded", null);
//EventLogManager.Log("httpcontent filename: ", EventLogSeverity.Warning, file.Headers.ContentDisposition.FileName.ToString(), null);
//string filename = file.Headers.ContentDisposition.FileName.Replace("\"", "");
string filename = "DonorsTrust_Install.zip";
using (MemoryStream ms = new MemoryStream(await file.ReadAsByteArrayAsync()))
{
EventLogManager.Log("MemoryStream ms length: ", EventLogSeverity.Warning, ms.Length.ToString(), null);
EventLogManager.Log("apiUser.EncryptionKey: ", EventLogSeverity.Warning, apiUser.EncryptionKey.ToString(), null);
using (Stream ds = Crypto.Decrypt(ms, apiUser.EncryptionKey))
{
SessionManager.AddPackage(sessionGuid, ds, filename);
}
}
}
}
catch (Exception ex)
{
EventLogManager.Log("REMOTE_EXCEPTION", EventLogSeverity.Warning, null, ex);
return(Request.CreateErrorResponse(HttpStatusCode.InternalServerError, ex.Message));
}
return(Request.CreateResponse(HttpStatusCode.Created));
}
public HttpResponseMessage Create(string name, bool bypass = false)
{
// Check we have a name.
if (string.IsNullOrEmpty(name))
{
return(Request.CreateResponse(HttpStatusCode.BadRequest));
}
// Create user.
APIUser apiUser = APIUserManager.Create(name, bypass);
return(Request.CreateResponse(HttpStatusCode.Created, apiUser));
}
public HttpResponseMessage GetAll()
{
List <APIUser> apiUsers = APIUserManager.GetAll().ToList();
// Loop and remove sensitive information.
foreach (APIUser apiUser in apiUsers)
{
apiUser.APIKey_Sha = null;
apiUser.EncryptionKey_Enc = null;
apiUser.Salt = null;
}
return(Request.CreateResponse(HttpStatusCode.OK, apiUsers));
}
public override void OnActionExecuting(HttpActionContext actionContext)
{
base.OnActionExecuting(actionContext);
bool authenticated = false;
string message = "Access denied.";
string apiKey = null;
try
{
// Is there an api key header present?
if (actionContext.Request.Headers.Contains("x-api-key"))
{
// Get the api key from the header.
apiKey = actionContext.Request.Headers.GetValues("x-api-key").FirstOrDefault();
// Make sure it's not null and it's 32 characters or we're wasting our time.
if (apiKey != null && apiKey.Length == 32)
{
// Attempt to look up the api user.
APIUser apiUser = APIUserManager.GetByAPIKey(apiKey);
// Did we find one and double check the api key.
if (apiUser != null && apiUser.APIKey == apiKey)
{
// Genuine API user.
authenticated = true;
}
}
}
}
catch (Exception ex)
{
// Set appropriate message.
message = "An error occurred while trying to authenticate this request.";
EventLogManager.Log("AUTH_EXCEPTION", EventLogSeverity.Info, null, ex);
}
// If authentication failure occurs, return a response without carrying on executing actions.
if (!authenticated)
{
EventLogManager.Log("AUTH_BAD_APIKEY", EventLogSeverity.Warning, string.Format("Authentication failed for API key: {0}.", apiKey));
actionContext.Response = actionContext.Request.CreateErrorResponse(HttpStatusCode.Forbidden, message);
}
}
public override void OnActionExecuting(HttpActionContext actionContext)
{
base.OnActionExecuting(actionContext);
bool authenticated = false;
string message = "Access denied.";
string apiKey = null;
try
{
apiKey = actionContext.Request.GetApiKey();
EventLogManager.Log("api-key is", EventLogSeverity.Info, apiKey);
// Make sure it's not null and it's 32 characters or we're wasting our time.
if (apiKey != null && apiKey.Length == 32)
{
EventLogManager.Log("Find APIUSER using key", EventLogSeverity.Info, apiKey);
// Attempt to look up the api user.
APIUser apiUser = APIUserManager.FindAndPrepare(apiKey);
EventLogManager.Log("APIUSER.prepared ", EventLogSeverity.Info, apiUser.Prepared.ToString());
// Did we find one and is it ready to use?
if (apiUser != null && apiUser.Prepared)
{
EventLogManager.Log("Authenticated URI: ", EventLogSeverity.Info, "True: " + actionContext.Request.RequestUri);
// Genuine API user.
authenticated = true;
}
}
}
catch (Exception ex)
{
// Set appropriate message.
message = "An error occurred while trying to authenticate this request.";
EventLogManager.Log("AUTH_EXCEPTION", EventLogSeverity.Info, null, ex);
}
// If authentication failure occurs, return a response without carrying on executing actions.
if (!authenticated)
{
EventLogManager.Log("AUTH_BAD_APIKEY", EventLogSeverity.Warning, string.Format("Authentication failed for API key: {0}.", apiKey));
actionContext.Response = actionContext.Request.CreateErrorResponse(HttpStatusCode.Forbidden, message);
}
}
public HttpResponseMessage Delete(int id)
{
APIUser apiUser = APIUserManager.GetById(id);
if (apiUser == null)
{
return(Request.CreateErrorResponse(HttpStatusCode.NotFound, "API user not found."));
}
try
{
APIUserManager.Delete(apiUser);
}
catch (Exception ex)
{
return(Request.CreateErrorResponse(HttpStatusCode.InternalServerError, "Failed to delete API user."));
}
return(Request.CreateResponse(HttpStatusCode.NoContent));
}
public override void OnActionExecuting(HttpActionContext actionContext)
{
base.OnActionExecuting(actionContext);
// Get whitelist state.
bool whitelistDisabled;
try
{
// Attempt to retrieve disabled state.
whitelistDisabled = SettingManager.GetSetting("WHITELIST", "STATE").Value.ToLower() == "false";
}
catch (SettingNotFoundException ex)
{
// Setting not set, default to off.
whitelistDisabled = true;
}
// Get api user.
string apiKey = actionContext.Request.GetApiKey();
APIUser apiUser = APIUserManager.GetByAPIKey(apiKey);
// Is the whitelist disabled or does the api user have permission to
// bypass it?
if (whitelistDisabled || (apiUser != null && apiUser.BypassIPWhitelist))
{
// No need to perform whitelisting checks, return early.
return;
}
bool authenticated = false;
string message = "Access denied.";
string forwardingAddress = null;
string clientIpAddress = null;
try
{
// There is a strong possibility that this is not the ip address of the machine
// that sent the request. Being behind a load balancer with transparancy switched
// off or being served through CloudFlare will both affect this value.
clientIpAddress = HttpContext.Current.Request.UserHostAddress;
// We need to get the X-Forwarded-For header from the request, if this is set we
// should use it instead of the ip address from the request.
string forwardedFor = HttpContext.Current.Request.Headers.Get("X-Forwarded-For");
// Forwarded for set?
if (forwardedFor != null)
{
forwardingAddress = clientIpAddress;
clientIpAddress = forwardedFor;
}
// Got the ip address?
if (!string.IsNullOrEmpty(clientIpAddress))
{
// Is it whitelisted or localhost?
if (IPSpecManager.IsWhitelisted(clientIpAddress) || clientIpAddress.Equals("127.0.0.1"))
{
authenticated = true;
}
}
}
catch (Exception ex)
{
// Set appropriate message.
message = "An error occurred while trying to authenticate this request.";
EventLogManager.Log("AUTH_EXCEPTION", EventLogSeverity.Info, null, ex);
}
// If authentication failure occurs, return a response without carrying on executing actions.
if (!authenticated)
{
string log = string.Format("Whitelist check failed for IP address: {0}.", clientIpAddress);
// Was it forwarded?
if (forwardingAddress != null)
{
log = string.Format("Whitelist check failed for IP address: {0}, forwarded by: {1}.", clientIpAddress, forwardingAddress);
}
EventLogManager.Log("AUTH_BAD_IPADDRESS", EventLogSeverity.Warning, log);
actionContext.Response = actionContext.Request.CreateErrorResponse(HttpStatusCode.Forbidden, message);
}
}
