private static void CreateThreadPrincipalAndAuthCookie(AuthenticationDataDto currentUser, SecurityConfig settings)
{
//create the cookie
Identity identity = new Identity(new Guid(currentUser.SessionId), currentUser.Username, currentUser.Roles, currentUser.FullName, currentUser.BranchCode, currentUser.AccountType);
Principal principal = new Principal(identity, identity.Roles, identity.AccountType);
System.Web.HttpContext.Current.User = principal;
System.Threading.Thread.CurrentPrincipal = principal;
var cookie = new AuthCookie();
{
cookie.SessionUid = currentUser.SessionId;
if (settings.Cookie.CookieOnlyCheck)
{
cookie.Username = currentUser.Username;
cookie.UserRoles = currentUser.Roles;
cookie.BranchCode = currentUser.BranchCode;
cookie.AccountType = currentUser.AccountType;
cookie.AuthExpiry = Helper.GetLocalDate().AddMinutes(settings.Cookie.Timeout);
}
cookie.Save();
}
if (!settings.Cookie.CookieOnlyCheck)
{
HttpContext.Current.Cache.Insert(currentUser.SessionId, currentUser, null, DateTime.UtcNow.AddSeconds(30), System.Web.Caching.Cache.NoSlidingExpiration);
}
}
private static void SetAuthMode(AuthenticationDataDto currentUser, ref bool validateWithAD, ref bool useFinacleRole)
{
if (currentUser == null)
{
validateWithAD = true;
useFinacleRole = true;
}
if (currentUser != null && !currentUser.IsPasswordSet && !currentUser.IsRoleSet)
{
validateWithAD = true;
useFinacleRole = true;
}
if (currentUser != null && !currentUser.IsPasswordSet && currentUser.IsRoleSet)
{
validateWithAD = true;
useFinacleRole = false;
}
if (currentUser != null && currentUser.IsPasswordSet && !currentUser.IsRoleSet)
{
validateWithAD = false;
useFinacleRole = true;
}
if (currentUser != null && currentUser.IsPasswordSet && currentUser.IsRoleSet)
{
validateWithAD = false;
useFinacleRole = false;
}
}
public static string CheckAccessByCookie()
{
var current = AuthCookie.GetCurrent();
var settings = SecurityConfig.GetCurrent();
var cookieNotFound = (current == null || current.SessionUid == null);
AuthenticationDataDto dto = null;
if (cookieNotFound || (settings.Cookie.CookieOnlyCheck && current.AuthExpiry < Helper.GetLocalDate()))
{
return(null);
}
else if (!settings.Cookie.CookieOnlyCheck)
{
dto = Access.Renew(current.SessionUid);
if (dto == null)
{
return(null);
}
else
{
return(string.Format("{0}||{1}", dto.Username.Trim(), dto.Roles.Trim()));
}
}
else if (settings.Cookie.CookieOnlyCheck)
{
return(string.Format("{0}||{1}", current.Username.Trim(), current.UserRoles.Trim()));
}
return(null);
}
public AuthenticationDataDto Renew(string sessionId)
{
var userObject = repositoryInstance.GetUserBySessionId(sessionId);
if (userObject == null)
{
return(null);
}
var settings = SecurityConfig.GetCurrent();
bool renewSucceed = true;
if ((!userObject.CurrentSessionId.HasValue || sessionId != userObject.CurrentSessionId.ToString()) ||
(userObject.LastActivityDate.Value.AddMinutes(settings.Cookie.Timeout) < Helper.GetLocalDate()) ||
((userObject.ApprovalStatus != Constants.ApprovalStatus.Approved) || userObject.IsLockedOut || userObject.IsDeleted))
{
if (userObject.LastActivityDate.Value.AddMinutes(settings.Cookie.Timeout) < Helper.GetLocalDate())
{
userObject.IsOnline = false;
userObject.CurrentSessionId = null;
}
renewSucceed = false;
}
else
{
if (settings.Cookie.SlidingExpiration)
{
userObject.LastActivityDate = Helper.GetLocalDate();
}
}
UpdateRenewSucceed(userObject);
AuthenticationDataDto auth = null;
if (renewSucceed)
{
auth = new AuthenticationDataDto();
{
auth.SessionId = userObject.CurrentSessionId.Value.ToString();
auth.Username = userObject.Username;
auth.BranchCode = userObject.BranchID;
auth.Roles = userObject.UserRole == null ? null : userObject.UserRole.RoleName;
auth.FullName = string.Format("{0} {1}", userObject.FirstName, userObject.LastName);
auth.IsRoleSet = !(userObject.AccountType == Constants.AccountType.ADFinacle || userObject.AccountType == Constants.AccountType.LocalFinacle);
}
}
return(auth);
}
private static bool ValidateLocalUserRole(ValidationStateDictionary states, AuthenticationDataDto currentUser)
{
bool finalStatus = true;
if (currentUser != null)
{
if (string.IsNullOrEmpty(currentUser.Roles))
{
ValidationState v = new ValidationState();
v.Errors.Add(new ValidationError("General.InvalidRole", currentUser.Roles, string.Format("User role {0} does not exist on this application, contact the administrator", currentUser.Roles)));
states.Add(typeof(LogInDto), v);
return(finalStatus);
}
}
else
{
ValidationState v = new ValidationState();
v.Errors.Add(new ValidationError("General.InvalidRole", currentUser.Roles, string.Format("User role {0} does not exist on this application, contact the administrator", currentUser.Roles)));
states.Add(typeof(LogInDto), v);
return(finalStatus);
}
return(finalStatus);
}
public AuthenticationDataDto SignIn(string username, string password, bool sessionBased, ref ValidationStateDictionary states)
{
ValidationState v = new ValidationState();
if (string.IsNullOrEmpty(username))
{
v.Errors.Add(new ValidationError("Username.UsernameRequiredError", username, "Username is not set."));
}
if (string.IsNullOrEmpty(password))
{
v.Errors.Add(new ValidationError("Password.PasswordRequiredError", password, "Password is not set"));
}
if (v.Errors.Count > 0)
{
states.Add(typeof(LogInDto), v);
return(new AuthenticationDataDto()
{
AppAuthenticationFailed = true
});
}
var userObject = repositoryInstance.GetUser(username);
if (userObject == null)
{
v.Errors.Add(new ValidationError("Password.InvalidUsername", username, "Invalid Username or Password"));
states.Add(typeof(LogInDto), v);
return(null);
}
string lastLogin = userObject.LastLogInDate.HasValue ?
userObject.LastLogInDate.Value.ToString("dd-MM-yyyy HH:mm:ss")
: Helper.GetLocalDate().ToString("dd-MM-yyyy HH:mm:ss");
cacheService.AddAndTieToSession(string.Format("UserLastLogIn-{0}", userObject.Username), lastLogin);
var roleID = GetRoleList().Where(f => f.RoleName == Constants.General.AdministratorRoleName).Select(r => r.RoleId).FirstOrDefault();
if (!IsBusinessHour())
{
//allow administrator log in outside business hours.
if (roleID != userObject.RoleId)
{
v.Errors.Add(new ValidationError("User.NonBusinessHoursLoginError", username, "Login outside business hours is not allowed, Please try logging in during business hours."));
states.Add(typeof(LogInDto), v);
return(new AuthenticationDataDto()
{
AppAuthenticationFailed = true
});
}
}
//Check if account is not locked,is approved and not deleted.
if ((userObject.ApprovalStatus != Constants.ApprovalStatus.Approved) || userObject.IsLockedOut || userObject.IsDeleted)
{
v.Errors.Add(new ValidationError("Username.AccountLocked", username, "This account is inactive, has been locked or has been Deleted."));
states.Add(typeof(LogInDto), v);
return(new AuthenticationDataDto()
{
AppAuthenticationFailed = true
});
}
//check if user is Dormented.
if (userObject.LastLogInDate == null)
{
//exclude administrator account from being dormant
if (roleID != userObject.RoleId)
{
int dormentNumberOfDays = NewUserIDDormentNumberDays();
if ((Helper.GetLocalDate() - (DateTime)userObject.CreationDate).Days >= dormentNumberOfDays)
{
UpdateUserDetails(userObject, isDorment: true);
v.Errors.Add(new ValidationError("Username.AccountDormented", username, "This account is Dormant as user has not logged for " + dormentNumberOfDays + " days from the day of account creation. Please contact the administrator."));
states.Add(typeof(LogInDto), v);
return(new AuthenticationDataDto()
{
AppAuthenticationFailed = true
});
}
}
}
//prevent multi terminal login
if (userObject.IsOnline)
{
var settings = SecurityConfig.GetCurrent();
var timeOutDate = Helper.GetLocalDate().AddMinutes(settings.Cookie.Timeout * -1);
if (userObject.LastActivityDate.HasValue && userObject.LastActivityDate.Value >= timeOutDate)
{
v.Errors.Add(new ValidationError("Username.MultiTeminalLogin", username, "You are currently logged in on another terminal. Kindly log out there and retry."));
states.Add(typeof(LogInDto), v);
return(new AuthenticationDataDto()
{
AppAuthenticationFailed = true
});
}
}
//if last log in date/last activity date more than 90 days ago, refuse log in and lock the account
if (userObject.LastLogInDate.HasValue && userObject.LastLogInDate.Value.Date < Helper.GetLocalDate().AddDays(ActiveUserIDDormentNumberDays()))
{
//exclude administrator account from being dormant
if (roleID != userObject.RoleId)
{
repositoryInstance.UpdateBadPasswordCount(username, true);
UpdateUserDetails(userObject, isDorment: true);
v.Errors.Add(new ValidationError("Username.AccountDormented", username, "This account is Dormant. Please contact the administrator."));
states.Add(typeof(LogInDto), v);
return(new AuthenticationDataDto()
{
AppAuthenticationFailed = true
});
}
}
//Check if the Account is Expired
if (userObject.AccountExpiryDate != null)
{
if (userObject.AccountExpiryDate < DateTime.Now)
{
//exclude administrator account from expiring
if (roleID != userObject.RoleId)
{
UpdateUserDetails(userObject, isAccountExpired: true);
v.Errors.Add(new ValidationError("Username.AccountExpired", username, "This account is Expired. Please contact the administrator."));
states.Add(typeof(LogInDto), v);
return(new AuthenticationDataDto()
{
AppAuthenticationFailed = true
});
}
}
}
if (userObject.Password != "Dummy" && (userObject.AccountType == Constants.AccountType.LocalLocal || userObject.AccountType == Constants.AccountType.LocalFinacle))
{
//check the password match
if (userObject.Password != password)
{
//v.Errors.Add(new ValidationError("Username.InvalidUsername", username, "Invalid Username or Password"));
v.Errors.Add(new ValidationError("Password.InvalidPassword", password, "Invalid Username or Password"));
var settings = SecurityConfig.GetCurrent();
var lockAccount = userObject.BadPasswordCount + 1 >= settings.Cookie.MaximumPasswordRetries;
repositoryInstance.UpdateBadPasswordCount(username, lockAccount);
states.Add(typeof(LogInDto), v);
return(new AuthenticationDataDto()
{
AppAuthenticationFailed = true
});
}
}
AuthenticationDataDto auth = new AuthenticationDataDto();
{
auth.SessionId = Helper.GetNextGuid().ToString();
auth.Username = username;
auth.Roles = userObject.UserRole != null ? userObject.UserRole.RoleName : null;
auth.BranchCode = userObject.BranchID;
auth.IsFirstLogIn = userObject.IsFirstLogIn;
auth.FullName = string.Format("{0} {1}", userObject.FirstName, userObject.LastName);
auth.IsPasswordSet = userObject.Password != "Dummy" && (userObject.AccountType == Constants.AccountType.LocalLocal || userObject.AccountType == Constants.AccountType.LocalFinacle);
auth.IsRoleSet = userObject.AccountType == Constants.AccountType.ADLocal || userObject.AccountType == Constants.AccountType.LocalLocal; // userObject.UserRole != null && !string.IsNullOrEmpty(userObject.UserRole.RoleName);
auth.AccountType = userObject.AccountType;
}
if (sessionBased)
{
UpdateLogInSucceed(username, auth.SessionId);
}
return(auth);
}
private static ISecurityService PerfomAccessCheck(HttpContextBase context)
{
var settings = SecurityConfig.GetCurrent();
var current = AuthCookie.GetCurrent();
ISecurityService authenticationService = ((IContainer)System.Web.HttpContext.Current.Application["container"]).Resolve <ISecurityService>();
var cookieNotFound = (current == null || current.SessionUid == null);
var cookiedDeleted = false;
AuthenticationDataDto dto = null;
if (cookieNotFound)
{
if (current != null)
{
current.Delete();
cookiedDeleted = true;
}
}
else if (settings.Cookie.CookieOnlyCheck && current.AuthExpiry < Helper.GetLocalDate())
{
current.Delete();
cookiedDeleted = true;
}
else if (!settings.Cookie.CookieOnlyCheck)
{
dto = Access.Renew(current.SessionUid, authenticationService);
if (dto == null)
{
current.Delete();
cookiedDeleted = true;
}
}
if (!cookiedDeleted)
{
if (dto == null)
{
dto = new AuthenticationDataDto();
}
Identity identity = new Identity(new Guid(current.SessionUid),
settings.Cookie.CookieOnlyCheck ? current.Username : dto.Username,
settings.Cookie.CookieOnlyCheck ? current.UserRoles : dto.Roles, dto.FullName,
settings.Cookie.CookieOnlyCheck ? current.BranchCode : dto.BranchCode,
settings.Cookie.CookieOnlyCheck ? current.AccountType : dto.AccountType);
var principal = new Principal(identity, identity.Roles, identity.AccountType);
context.User = principal;
Thread.CurrentPrincipal = principal;
if (settings.Cookie.SlidingExpiration && settings.Cookie.CookieOnlyCheck)
{
current.AuthExpiry = Helper.GetLocalDate().AddMinutes(settings.Cookie.Timeout);
current.Save();
}
}
var ip = context.Request.UserHostAddress;
return(authenticationService);
}
private static AuthenticationDataDto FinacleAuthorization(string username, ISecurityService authenticationService, IFinacleRepository finacleRepository, AuthenticationDataDto currentUser, AuthenticationResponse result)
{
//get finacle role
FinacleRole finacleRole = finacleRepository.GetUserRoleFromFlexcube(username);
if (finacleRole == null)
{
finacleRole = new FinacleRole()
{
UserID = username, BranchCode = null, ApplicationName = string.Empty
}
}
;
var roleId = authenticationService.GetRoleList().Where(r => r.RoleName.ToLower() == finacleRole.ApplicationName.ToLower()).Select(k => k.RoleId).FirstOrDefault();
if (currentUser == null)
{
//create the user record for session management purpose, only for AD/Finacle users logging in for the first time,
//if role is recognised in this application
var userObject = new User()
{
BadPasswordCount = 0,
CreationDate = Helper.GetLocalDate(),
CurrentSessionId = Helper.GetNextGuid(),
Email = result.Email,
FirstName = result.FirstName,
//ApprovalStatus = true,
IsFirstLogIn = false,
Initial = string.Empty,
LastLogInDate = Helper.GetLocalDate(),
IsLockedOut = false,
IsOnline = true,
LastActivityDate = Helper.GetLocalDate(),
LastName = result.LastName,
InitiatedBy = username,
//ApprovedBy = "NULL",
Username = username,
Telephone = "N/A",
Password = "******",
AccountType = Constants.AccountType.ADFinacle,
ApprovalStatus = Constants.ApprovalStatus.Approved,
BranchID = finacleRole.BranchCode,
IsDeleted = false,
UserRole = new Role()
{
RoleId = roleId
}
};
if (roleId != Guid.Empty)
{
authenticationService.AddUserForSessionMgmt(userObject);
}
currentUser = new AuthenticationDataDto();
{
currentUser.SessionId = userObject.CurrentSessionId.ToString();
currentUser.Username = username;
currentUser.Roles = finacleRole.ApplicationName;
currentUser.IsFirstLogIn = false;
currentUser.FullName = string.Format("{0} {1}", userObject.FirstName, userObject.LastName);
currentUser.IsPasswordSet = false;
currentUser.BranchCode = finacleRole.BranchCode;
}
}
//with finacle authorization, we check whether the locally saved role
//is the same as we got from Finacle, if not we update the local db.
//and we always override local role even if available
//this ensure if the role changed in Finacle it is inherited in the application.
//we also ensure if user branch in finacle has changed, is changed here too
if ((currentUser.Roles.ToLower() != finacleRole.ApplicationName.ToLower() && roleId != Guid.Empty) || (currentUser.BranchCode != finacleRole.BranchCode && !string.IsNullOrEmpty(finacleRole.BranchCode)))
{
authenticationService.UpdateUserRoleUserBranch(currentUser.Username, roleId, finacleRole.BranchCode);
currentUser.Roles = finacleRole.ApplicationName;
currentUser.BranchCode = finacleRole.BranchCode;
}
return(currentUser);
}
public static bool SignIn(string username, string password, string tokenCode, ISecurityService authenticationService, IFinacleRepository finacleRepository, out bool isFirstLogIn, ref ValidationStateDictionary states)
{
isFirstLogIn = false;
AuthenticationDataDto currentUser = null;
bool validateWithAD = false;
bool useFinacleRole = false;
var hashedPassword = string.Empty;
var settings = SecurityConfig.GetCurrent();
if (settings.Cookie.PasswordHashed && !string.IsNullOrEmpty(password))
{
var lowerUsername = string.Empty;
if (!string.IsNullOrEmpty(username))
{
lowerUsername = username.ToLower();
}
hashedPassword = PasswordHash.Hash(lowerUsername, password);
}
currentUser = authenticationService.SignIn(username, hashedPassword, true, ref states);
if (currentUser != null)
{
if (currentUser.AppAuthenticationFailed)
{
return(false);
}
}
states.Clear();
SetAuthMode(currentUser, ref validateWithAD, ref useFinacleRole);
AuthenticationResponse result = new AuthenticationResponse();
if (validateWithAD)
{
var ADResult = ADAuthentication(username, password, tokenCode, authenticationService, finacleRepository, states, settings, ref result);
if (!ADResult)
{
if (currentUser != null)
{
authenticationService.SignOut(currentUser.SessionId);
}
return(false);
}
}
if (useFinacleRole)
{
currentUser = FinacleAuthorization(username, authenticationService, finacleRepository, currentUser, result);
}
else
{
if (!ValidateLocalUserRole(states, currentUser))
{
if (currentUser != null)
{
authenticationService.SignOut(currentUser.SessionId);
}
return(false);
}
}
if (!ValidateRoleAndUser(username, authenticationService, states, currentUser))
{
if (currentUser != null)
{
authenticationService.SignOut(currentUser.SessionId);
}
return(false);
}
if (!Check2FA(username, tokenCode, states, currentUser, settings))
{
if (currentUser != null)
{
authenticationService.SignOut(currentUser.SessionId);
}
return(false);
}
CreateThreadPrincipalAndAuthCookie(currentUser, settings);
isFirstLogIn = validateWithAD == true ? false : currentUser.IsFirstLogIn;
//if (useFinacleRole) /no longer needed.
//{
// //cache the role, so that we don't go back to finacle on every session renewal
// ICacheService cacheService = ((IContainer)System.Web.HttpContext.Current.Application["container"]).Resolve<ICacheService>();
// CacheItemPolicy policy = new CacheItemPolicy() { SlidingExpiration = new TimeSpan(0, settings.Cookie.Timeout + 1, 0) };
// cacheService.Add(string.Format("UserSessionID:{0}", currentUser.SessionId), currentUser.Roles, policy);
//}
return(true);
}
private static bool Check2FA(string username, string tokenCode, ValidationStateDictionary states, AuthenticationDataDto currentUser, SecurityConfig settings)
{
bool status2 = true;
if (settings.Cookie.Enable2FA)
{
var status = (currentUser.IsPasswordSet) && settings.Cookie.ExemptLocalAccountFrom2FA;
if (!status)
{
var response = Auth2FAresponse(new Authentication2FARequest()
{
TokenCode = tokenCode, UserID = username
});
if (response.ResponseCode != "0")
{
ValidationState v = new ValidationState();
v.Errors.Add(new ValidationError("TokenCode.InvalidTokenCode", tokenCode, response.ResponseDescription)); //"Invalid token code"
states.Add(typeof(LogInDto), v);
status2 = false;
}
}
}
return(status2);
}
private static bool ValidateRoleAndUser(string username, ISecurityService authenticationService, ValidationStateDictionary states, AuthenticationDataDto currentUser)
{
if (currentUser == null)
{
ValidationState v = new ValidationState();
v.Errors.Add(new ValidationError("Username.InvalidUsername", username, "Invalid Username or Password"));
states.Add(typeof(LogInDto), v);
return(false);
}
var localRole = authenticationService.GetRoleList().Where(f => f.RoleName.ToLower() == currentUser.Roles.ToLower()).Select(j => j.RoleName).FirstOrDefault();
if (string.IsNullOrEmpty(localRole))
{
ValidationState v = new ValidationState();
v.Errors.Add(new ValidationError("General.InvalidRole", currentUser.Roles, string.Format("User role {0} does not exist on this application, contact the administrator", currentUser.Roles)));
states.Add(typeof(LogInDto), v);
return(false);
}
return(true);
}
