public void PasswordAttemptFailedTest()
{
User user = ClientMembershipService.GetUser("timm");
string passwordSalt = "1U3h6r/tQ+dGWhLm9Unyng==";
PasswordFormat passwordFormat = PasswordFormat.Hashed;
int failedPasswordAttemptCount = 0;
DateTime failedPasswordAttemptWindowStart = DateTime.MinValue;
int failedPasswordAnswerAttemptCount = 0;
DateTime failedPasswordAnswerAttemptWindowStart = DateTime.MinValue;
ClientMembershipUser target = new ClientMembershipUser(user,
passwordSalt, passwordFormat, failedPasswordAttemptCount,
failedPasswordAttemptWindowStart, failedPasswordAnswerAttemptCount,
failedPasswordAnswerAttemptWindowStart);
target.PasswordAttemptSucceeded();
target.PasswordAttemptFailed();
Assert.AreNotEqual(DateTime.MinValue, target.FailedPasswordAttemptWindowStart);
Assert.AreEqual(1, target.FailedPasswordAttemptCount);
Assert.AreEqual(false, target.IsLockedOut);
target.PasswordAttemptFailed();
target.PasswordAttemptFailed();
target.PasswordAttemptFailed();
target.PasswordAttemptFailed();
Assert.AreEqual(true, target.IsLockedOut);
Assert.AreNotEqual(DateTime.MinValue, target.LastLockoutDate);
}
public virtual string GetPassword(string username)
{
User.CheckPasswordRetrieval();
ClientMembershipUser user = this.GetClientMembershipUser(username);
return(this.GetPasswordFromPersistence(user));
}
public virtual void UpdateUser(User user)
{
ClientMembershipUser clientMembershipUser = this.GetUser(user);
this.unitOfWork.RegisterChanged(clientMembershipUser, this);
this.unitOfWork.Commit();
}
protected virtual void ChangePassword(ClientMembershipUser user,
string oldPassword, string newPassword)
{
SecurityHelper.CheckParameter(oldPassword, true, true, false,
this.Application.MaxPasswordSize, "oldPassword");
SecurityHelper.CheckParameter(newPassword, true, true, false,
this.Application.MaxPasswordSize, "newPassword");
// Validate the user before making any changes
this.ValidateUserWithPassword(user, oldPassword, true);
// Make sure the new password is ok
User.ValidatePassword(newPassword);
// encode the new password
string encodedPassword = this.EncodePassword(newPassword,
user.PasswordFormat, user.PasswordSalt);
if (encodedPassword.Length > this.Application.MaxPasswordSize)
{
throw new ArgumentException("Membership password too long",
"newPassword");
}
// Save the new password
this.PersistChangedPassword(user, encodedPassword);
}
protected virtual string ResetPassword(ClientMembershipUser user,
string passwordAnswer)
{
// Are password resets allowed?
User.CheckPasswordReset(passwordAnswer);
// Validate the user's password answer
this.ValidateUserWithPasswordAnswer(user, passwordAnswer, true);
int maxPasswordSize =
(this.Application.MinRequiredPasswordLength <
Constants.PasswordSize)
? Constants.PasswordSize :
this.Application.MinRequiredPasswordLength;
// Create the new password
string newPassword = System.Web.Security.Membership.GeneratePassword(
maxPasswordSize,
this.Application.MinRequiredNonAlphanumericCharacters);
// Encode the password
string newEncodedPassword = this.EncodePassword(newPassword,
user.PasswordFormat, user.PasswordSalt);
// Save the user's new password
this.PersistResetPassword(user, newEncodedPassword);
// return the new password (not the encoded one!)
return(newPassword);
}
protected override string GetPasswordFromPersistence(ClientMembershipUser user)
{
string sql = string.Format("SELECT Password FROM [User] WHERE UserId = '{0}'",
user.UserKey.ToString());
return(this.database.ExecuteScalar(
this.database.GetSqlStringCommand(sql)).ToString());
}
protected override void PersistResetPassword(ClientMembershipUser user, string newEncodedPassword)
{
string sql = string.Format("UPDATE [User] SET Password = '******' WHERE UserId = '{1}'",
newEncodedPassword, user.UserKey.ToString());
this.database.ExecuteNonQuery(
this.database.GetSqlStringCommand(sql));
}
public virtual bool ChangePassword(string username, string oldPassword,
string newPassword)
{
ClientMembershipUser user = this.GetClientMembershipUser(username);
this.ChangePassword(user, oldPassword, newPassword);
return(true);
}
protected override void PersistChangedPasswordQuestionAndAnswer(ClientMembershipUser user,
string password, string newPasswordAnswer)
{
string sql = string.Format("UPDATE [User] SET PasswordQuestion = '{0}', PasswordAnswer = '{1}' WHERE UserId = '{2}'",
user.PasswordQuestion, newPasswordAnswer, user.UserKey.ToString());
this.database.ExecuteNonQuery(
this.database.GetSqlStringCommand(sql));
}
public virtual bool ChangePasswordQuestionAndAnswer(string username,
string password, string newPasswordQuestion,
string newPasswordAnswer)
{
ClientMembershipUser user = this.GetClientMembershipUser(username);
this.ChangePasswordQuestionAndAnswer(user, password,
newPasswordQuestion, newPasswordAnswer);
return(true);
}
protected virtual string GetPassword(ClientMembershipUser user,
string passwordAnswer)
{
// Make sure password retrievals are allowed
User.CheckPasswordRetrieval();
// Validate the user's password answer
this.ValidateUserWithPasswordAnswer(user, passwordAnswer, true);
// Get the user's password from persistence
return(this.GetPasswordFromPersistence(user));
}
protected override void PersistUser(ClientMembershipUser user)
{
StringBuilder builder = new StringBuilder(100);
builder.Append("UPDATE [User] SET ");
builder.Append(string.Format("{0}={1}",
UserFactory.FieldNames.Email,
DataHelper.GetSqlValue(user.Email)));
builder.Append(string.Format(",{0}={1}",
UserFactory.FieldNames.IsLockedOut,
DataHelper.GetSqlValue(user.IsLockedOut)));
builder.Append(string.Format(",{0}={1}",
UserFactory.FieldNames.LastActivityDate,
DataHelper.GetSqlValue(user.LastActivityDate)));
builder.Append(string.Format(",{0}={1}",
UserFactory.FieldNames.LastLockoutDate,
DataHelper.GetSqlValue(user.LastLockoutDate)));
builder.Append(string.Format(",{0}={1}",
UserFactory.FieldNames.LastLoginDate,
DataHelper.GetSqlValue(user.LastLoginDate)));
builder.Append(string.Format(",{0}={1}",
UserFactory.FieldNames.LastPasswordChangedDate,
DataHelper.GetSqlValue(user.LastPasswordChangedDate)));
builder.Append(string.Format(",{0}={1}",
UserFactory.FieldNames.PasswordQuestion,
DataHelper.GetSqlValue(user.PasswordQuestion)));
builder.Append(string.Format(",{0}={1}",
UserFactory.FieldNames.UserName,
DataHelper.GetSqlValue(user.UserName)));
builder.Append(string.Format(",{0}={1}",
ClientMembershipUserFactory.FieldNames.PasswordSalt,
DataHelper.GetSqlValue(user.PasswordSalt)));
builder.Append(string.Format(",{0}={1}",
ClientMembershipUserFactory.FieldNames.PasswordFormat,
DataHelper.GetSqlValue((int)user.PasswordFormat)));
builder.Append(" ");
builder.Append(string.Format("WHERE UserId = '{0}'",
user.UserKey.ToString()));
this.database.ExecuteNonQuery(
this.database.GetSqlStringCommand(builder.ToString()));
}
private string GetEncodedPasswordAnswer(ClientMembershipUser user, string passwordAnswer)
{
if (passwordAnswer != null)
{
passwordAnswer = passwordAnswer.Trim();
}
if (string.IsNullOrEmpty(passwordAnswer))
{
return(passwordAnswer);
}
return(this.EncodePassword(passwordAnswer.ToLower(CultureInfo.InvariantCulture),
user.PasswordFormat, user.PasswordSalt));
}
protected virtual string ResetPassword(ClientMembershipUser user)
{
User.CheckPasswordReset(null);
string newPassword = System.Web.Security.Membership.GeneratePassword(
(this.Application.MinRequiredPasswordLength < Constants.PasswordSize) ?
Constants.PasswordSize : this.Application.MinRequiredPasswordLength,
this.Application.MinRequiredNonAlphanumericCharacters);
string newEncodedPassword = this.EncodePassword(newPassword,
user.PasswordFormat, user.PasswordSalt);
this.PersistResetPassword(user, newEncodedPassword);
return(newPassword);
}
protected virtual void ChangePasswordQuestionAndAnswer(
ClientMembershipUser user, string password,
string newPasswordQuestion, string newPasswordAnswer)
{
SecurityHelper.CheckParameter(newPasswordQuestion,
this.Application.RequiresQuestionAndAnswer,
this.Application.RequiresQuestionAndAnswer, false,
this.Application.MaxPasswordQuestionSize, "newPasswordQuestion");
if (newPasswordAnswer != null)
{
newPasswordAnswer = newPasswordAnswer.Trim();
}
SecurityHelper.CheckParameter(newPasswordAnswer,
this.Application.RequiresQuestionAndAnswer,
this.Application.RequiresQuestionAndAnswer, false,
this.Application.MaxPasswordAnswerSize, "newPasswordAnswer");
// Validate the user before making any changes
this.ValidateUserWithPassword(user, password, true);
string encodedPasswordAnswer;
if (!string.IsNullOrEmpty(newPasswordAnswer))
{
encodedPasswordAnswer = this.EncodePassword(
newPasswordAnswer.ToLower(CultureInfo.InvariantCulture),
user.PasswordFormat, user.PasswordSalt);
}
else
{
encodedPasswordAnswer = newPasswordAnswer;
}
SecurityHelper.CheckParameter(encodedPasswordAnswer,
this.Application.RequiresQuestionAndAnswer,
this.Application.RequiresQuestionAndAnswer, false,
this.Application.MaxPasswordAnswerSize, "newPasswordAnswer");
this.PersistChangedPasswordQuestionAndAnswer(user, password,
encodedPasswordAnswer);
}
protected override ClientMembershipUser GetUser(User user)
{
ClientMembershipUser membershipUser = null;
string sql = string.Format(
"SELECT * FROM [User] WHERE UserId = '{0}'",
user.UserKey.ToString());
using (DbCommand command = this.database.GetSqlStringCommand(sql))
{
using (IDataReader reader = this.database.ExecuteReader(command))
{
if (reader.Read())
{
membershipUser =
ClientMembershipUserFactory.BuildClientMembershipUser(
user, reader);
}
}
}
return(membershipUser);
}
public virtual bool ValidateUser(string username, string password)
{
bool validationResult = false;
// First validate the method parameters
if (SecurityHelper.ValidateParameter(username, true, true, true,
this.Application.MaxUsernameSize) &&
SecurityHelper.ValidateParameter(password, true, true, false,
this.Application.MaxPasswordSize))
{
// Now get the User instance
ClientMembershipUser user = this.GetClientMembershipUser(username);
// Validate the user's password
this.ValidateUserWithPassword(user, password, false);
validationResult = true;
}
// return the result
return(validationResult);
}
private void ValidateUserWithPasswordAnswer(ClientMembershipUser user,
string passwordAnswer, bool throwIfFails)
{
if (passwordAnswer != null)
{
passwordAnswer = passwordAnswer.Trim();
}
SecurityHelper.CheckParameter(passwordAnswer,
this.Application.RequiresQuestionAndAnswer,
this.Application.RequiresQuestionAndAnswer,
false, this.Application.MaxPasswordAnswerSize,
"passwordAnswer");
string passwordAnswerFromPersistence =
this.GetPasswordAnswerFromPersistence(user);
try
{
if (!this.CheckPasswordAnswer(passwordAnswer,
passwordAnswerFromPersistence,
user.PasswordFormat, user.PasswordSalt))
{
user.PasswordAnswerAttemptFailed();
if (throwIfFails)
{
throw new SecurityException
("The password answer supplied was not correct");
}
}
else
{
user.PasswordAnswerAttemptSucceeded();
}
}
finally
{
this.PersistUser(user);
}
}
public void PersistUpdatedItem(IEntity item)
{
ClientMembershipUser user = (ClientMembershipUser)item;
this.PersistUser(user);
}
public virtual string ResetPassword(string username, string answer)
{
ClientMembershipUser user = this.GetClientMembershipUser(username);
return(this.ResetPassword(user, answer));
}
protected abstract void PersistUser(ClientMembershipUser user);
protected abstract void PersistResetPassword(ClientMembershipUser user,
string newEncodedPassword);
protected abstract string GetPasswordAnswerFromPersistence(
ClientMembershipUser user);
protected abstract void PersistChangedPasswordQuestionAndAnswer(
ClientMembershipUser user, string password,
string newPasswordAnswer);
protected abstract void PersistChangedPassword(ClientMembershipUser user,
string newPassword);
