/// <summary>
/// Fails closed unless the current principal holds permission on the SecurityManager's own
/// ACL entry (the one registered under <c>securityGuid</c>); that entry is what "administrator"
/// means in this class.
/// </summary>
/// <exception cref="System.Security.SecurityException">
/// Thrown when the caller is not an administrator, or when any unexpected error occurs during
/// the check (wrapped, so the operation is denied rather than silently allowed).
/// </exception>
/// <exception cref="KeyNotFoundException">
/// Thrown when the manager never registered its own subject; logged as fatal and rethrown.
/// </exception>
protected void DemandAdministratorPermissions()
{
    using (SC.Utility.Lock guard = new SC.Utility.Lock(secLock, SC.Utility.Lock.LockType.ForReading))
    {
        try
        {
            SecuritySubject self = acls[securityGuid];
            self.DemandPermission();
        }
        catch (KeyNotFoundException)
        {
            // Bootstrap bug rather than an authorisation failure: nothing can be authorised
            // until the manager has registered itself.
            Logger.Fatal("SecurityManager did not register to itself.");
            throw;
        }
        catch (System.Security.SecurityException denied)
        {
            Logger.Error("User " + GetCurrentUser() + " was denied administrator permissions.", denied);
            throw;
        }
        catch (Exception unexpected)
        {
            // Any other failure is converted into a denial so callers never proceed on error.
            Logger.Error("Unexpected exception occurred while demanding administrator permissions.", unexpected);
            throw new System.Security.SecurityException("An unexpected exception occurred while demanding administrator permissions. Operation was denied.", unexpected);
        }
    }
}
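/// <summary>
/// Local (same-process) password authentication. On success the calling thread's principal is
/// replaced by a <see cref="System.Security.Principal.GenericPrincipal"/> for <paramref name="user"/>
/// in <c>USER_ROLE</c>, which is what the permission demands in this class check against.
/// </summary>
/// <param name="user">Account name to authenticate; looked up verbatim in the user table.</param>
/// <param name="password">Cleartext password to compare against the stored one.</param>
/// <exception cref="System.Security.SecurityException">
/// Thrown for an unknown user, a null/mismatching password, or a null user name. The message is
/// identical in all cases so the caller cannot distinguish "no such user" from "wrong password".
/// </exception>
public void Authenticate(string user, string password)
{
    using (SC.Utility.Lock l = new SC.Utility.Lock(secLock, SC.Utility.Lock.LockType.ForReading))
    {
        UserInfo account;
        if (user == null || !users.TryGetValue(user, out account))
        {
            Logger.Error("Local login failed for username " + user);
            throw new System.Security.SecurityException("Invalid authentication. User or password incorrect.");
        }

        // NOTE(review): the user table stores the cleartext password (UserInfo.Password is
        // compared directly here and fed into PBKDF2 in the HMAC overload), so this comparison
        // cannot be replaced by a hash check without changing the storage format and the
        // HMAC protocol together.
        string stored = account.Password;

        // Constant-time comparison: never short-circuit on the first differing character, and
        // treat a null stored or supplied password as a mismatch (a null == null comparison
        // would otherwise authenticate anyone against an account with no password set).
        bool match = stored != null && password != null && stored.Length == password.Length;
        int diff = 0;
        if (match)
        {
            for (int i = 0; i < stored.Length; i++)
            {
                diff |= stored[i] ^ password[i];
            }
        }

        if (!match || diff != 0)
        {
            Logger.Error("User " + user + " failed to authenticate locally.");
            throw new System.Security.SecurityException("Invalid authentication. User or password incorrect.");
        }

        // Only log a successful login if the account has not connected within the last ten
        // minutes; keeps the log quiet for clients that re-authenticate frequently.
        if (account.LastConnect < DateTime.Now - new TimeSpan(0, 10, 0))
        {
            Logger.Info("User " + user + " authenticated locally");
        }
        account.SetUserConnected();
        System.Threading.Thread.CurrentPrincipal = new System.Security.Principal.GenericPrincipal(new System.Security.Principal.GenericIdentity(user), new string[] { USER_ROLE });
    }
}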
/// <summary>
/// Bootstraps the security state so the server is never left without an administrator:
/// seeds a default "Administrator" user when the user table is empty, and grants that name
/// permission on the SecurityManager's own subject when that subject has no permissions at all.
/// </summary>
/// <remarks>
/// SECURITY: the seeded account uses a fixed, well-known default password ("ServerChecker4").
/// Until it is changed, anyone who can reach the server can log in as Administrator with full
/// rights; the Warn below is the only signal that this has happened. Note that RemoveUser can
/// empty the user table, which puts the server back into this default-credential state.
/// </remarks>
/// <exception cref="KeyNotFoundException">
/// Thrown if the manager has not registered its own subject under <c>securityGuid</c> yet.
/// </exception>
private void FixAdministrator()
{
    using (SC.Utility.Lock l = new SC.Utility.Lock(secLock, SC.Utility.Lock.LockType.ForReading))
    {
        if (users.Count == 0)
        {
            Logger.Warn("No users found, adding Administrator account with default password");
            // Upgrade only for the mutation; the rest of the method reads under the reader lock.
            l.UpgradeToWriterLock();
            UserInfo adminInfo = new UserInfo("Administrator", "ServerChecker4");
            users.Add(adminInfo.Username, adminInfo);
            l.DowngradeToReaderLock();
        }
        SecuritySubject me = acls[securityGuid];
        System.Collections.Specialized.StringCollection permissions = new System.Collections.Specialized.StringCollection();
        permissions.AddRange(me.GetPermissions());
        if (permissions.Count == 0)
        {
            // NOTE(review): this grants the admin permission to the *name* "Administrator"
            // regardless of whether such a user currently exists; if the account was removed
            // while other users remain, nobody can actually exercise it — confirm intended.
            Logger.Warn("No permissions found for SecurityManager. Adding permission for Administrator account");
            l.UpgradeToWriterLock();
            me.AddPermission("Administrator");
            l.DowngradeToReaderLock();
        }
    }
}
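/// <summary>
/// Drops the ACL handle <paramref name="guid"/> and, when <paramref name="remove"/> is set, forgets
/// the underlying subject (and therefore its permissions) entirely. Settings are persisted on
/// success only.
/// </summary>
/// <param name="guid">Handle previously returned by <c>RegisterSubject</c>.</param>
/// <param name="remove">
/// True to also delete the named subject from <c>subjects</c>; false keeps its permissions for a
/// later re-registration.
/// </param>
/// <exception cref="KeyNotFoundException">Thrown when the handle was never registered.</exception>
/// <remarks>
/// Both <c>acls</c> and <c>subjects</c> are mutated here, so the writer lock is held for the
/// whole operation (the previous version removed the ACL entry under a reader lock only).
/// NOTE(review): other handles that still point at the same subject are not touched — confirm
/// callers never register one subject name more than once if <paramref name="remove"/> is used.
/// </remarks>
public void UnregisterSubject(Guid guid, bool remove)
{
    using (SC.Utility.Lock l = new SC.Utility.Lock(secLock, SC.Utility.Lock.LockType.ForWriting))
    {
        SecuritySubject subject;
        if (!acls.TryGetValue(guid, out subject))
        {
            Logger.Error("Tried unregistering subject that never registered.");
            throw new KeyNotFoundException("No subject is registered under handle " + guid + ".");
        }
        try
        {
            acls.Remove(guid);
            if (remove)
            {
                subjects.Remove(subject.Name);
            }
        }
        catch (Exception e)
        {
            Logger.Error("An unexpected error occurred during unregistering of a subject.", e);
            throw;
        }
    }
    SaveSettings();
}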
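/// <summary>
/// Challenge/response authentication: the client proves knowledge of the password by sending
/// HMAC-SHA512 over <paramref name="stream"/>'s full contents, keyed with 64 bytes of
/// PBKDF2(password, salt = <paramref name="nonce"/>, 997 iterations). The server recomputes the
/// MAC from the stored cleartext password and compares in constant time. On success the
/// calling thread's principal becomes <paramref name="user"/> in <c>USER_ROLE</c>.
/// </summary>
/// <param name="user">Account name; looked up verbatim in the user table.</param>
/// <param name="base64HMAC">Client-supplied MAC, Base64 encoded.</param>
/// <param name="nonce">Salt for the key derivation; PBKDF2 requires at least 8 bytes.</param>
/// <param name="stream">Authenticated payload; rewound to position 0 before returning.</param>
/// <exception cref="System.Security.SecurityException">
/// Thrown for an unknown user, a malformed or mismatching MAC, or an unusable nonce/stream.
/// All failures share one message so the caller cannot enumerate accounts from the response.
/// </exception>
/// <remarks>
/// The iteration count (997) and key length (64) are wire-protocol constants shared with the
/// client; changing either breaks every existing client. NOTE(review): nothing here checks that
/// the nonce is fresh — replay protection must be enforced by whoever generates the nonce; confirm
/// it is server-issued and single-use. The scheme also requires the server to keep cleartext
/// passwords, which is why UserInfo.Password is not hashed.
/// </remarks>
public void Authenticate(string user, string base64HMAC, byte[] nonce, System.IO.MemoryStream stream)
{
    using (SC.Utility.Lock l = new SC.Utility.Lock(secLock, SC.Utility.Lock.LockType.ForReading))
    {
        UserInfo account;
        if (user == null || !users.TryGetValue(user, out account))
        {
            Logger.Error("Someone tried to login with username " + user);
            throw new System.Security.SecurityException("Invalid authentication. Check your username and password.");
        }

        // Decode the client's MAC; a malformed value is just an authentication failure, not a
        // FormatException leaking out of the authenticator.
        byte[] presented = null;
        if (base64HMAC != null)
        {
            try
            {
                presented = Convert.FromBase64String(base64HMAC);
            }
            catch (FormatException)
            {
                presented = null;
            }
        }

        byte[] computed = null;
        if (stream != null)
        {
            // ToArray() is position-independent, but the stream is rewound so the caller can
            // consume the payload after authentication.
            byte[] payload = stream.ToArray();
            stream.Seek(0, System.IO.SeekOrigin.Begin);

            // Rfc2898DeriveBytes throws ArgumentException for a salt shorter than 8 bytes or a
            // null password; guard so such inputs fail authentication instead of escaping.
            if (nonce != null && nonce.Length >= 8 && account.Password != null)
            {
                byte[] key = new System.Security.Cryptography.Rfc2898DeriveBytes(account.Password, nonce, 997).GetBytes(64);
                using (System.Security.Cryptography.HMACSHA512 hmac = new System.Security.Cryptography.HMACSHA512(key))
                {
                    computed = hmac.ComputeHash(payload);
                }
            }
        }

        // Constant-time comparison of the raw MAC bytes (no early exit on first mismatch).
        bool match = presented != null && computed != null && presented.Length == computed.Length;
        int diff = 0;
        if (match)
        {
            for (int i = 0; i < computed.Length; i++)
            {
                diff |= presented[i] ^ computed[i];
            }
        }

        if (!match || diff != 0)
        {
            Logger.Error("User " + user + " failed to authenticate.");
            throw new System.Security.SecurityException("Invalid authentication. Check your username and password.");
        }

        // Log at most once per ten minutes per account to keep re-authenticating clients quiet.
        if (account.LastConnect < DateTime.Now - new TimeSpan(0, 10, 0))
        {
            Logger.Info("User " + user + " authenticated.");
        }
        account.SetUserConnected();
        System.Threading.Thread.CurrentPrincipal = new System.Security.Principal.GenericPrincipal(new System.Security.Principal.GenericIdentity(user), new string[] { USER_ROLE });
    }
}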
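/// <summary>
/// Demands that the current principal may perform <paramref name="operation"/> on the subject
/// registered under <paramref name="guid"/>. Fails closed: an unregistered handle and any
/// unexpected error are both reported as a <see cref="System.Security.SecurityException"/>.
/// </summary>
/// <param name="guid">Handle returned by <c>RegisterSubject</c>.</param>
/// <param name="operation">Operation name to check; semantics belong to <c>SecuritySubject</c>.</param>
/// <exception cref="System.Security.SecurityException">
/// Thrown when access is denied, the handle is unknown, or the check itself fails.
/// </exception>
public void DemandPermissions(Guid guid, string operation)
{
    using (SC.Utility.Lock l = new SC.Utility.Lock(secLock, SC.Utility.Lock.LockType.ForReading))
    {
        // Resolve the subject once up front; the previous version re-indexed acls[guid] inside
        // the catch blocks, which could itself throw while logging and mask the real error.
        SecuritySubject subject;
        if (!acls.TryGetValue(guid, out subject))
        {
            Logger.Error("Subject was not registered.");
            throw new System.Security.SecurityException("The subject is not registered. Permission was denied.");
        }
        try
        {
            subject.DemandPermission(operation);
        }
        catch (System.Security.SecurityException)
        {
            Logger.Error("User " + GetCurrentUser() + " was denied access to subject " + subject.Name + " for operation " + operation);
            throw;
        }
        catch (Exception e)
        {
            Logger.Error("An unexpected error occurred while demanding permissions for subject " + subject.Name + " and operation " + operation + ".", e);
            throw new System.Security.SecurityException("An unexpected error occurred.", e);
        }
    }
}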
/// <summary>
/// Hands the current <c>Settings</c> object to the settings provider for persistence.
/// Taken under the reader lock so that no writer mutates the state while it is being saved;
/// the provider's own error behaviour is passed through unchanged.
/// </summary>
private void SaveSettings()
{
    using (SC.Utility.Lock guard = new SC.Utility.Lock(secLock, SC.Utility.Lock.LockType.ForReading))
    {
        SecuritySettings snapshot = Settings;
        settingsProviders.SaveSettings(snapshot);
    }
}
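/// <summary>
/// Non-throwing permission query: true when the current principal may perform
/// <paramref name="operation"/> on the subject registered under <paramref name="guid"/>.
/// </summary>
/// <param name="guid">Handle returned by <c>RegisterSubject</c>.</param>
/// <param name="operation">Operation name to check.</param>
/// <returns>
/// The subject's answer, or false (fail closed, with an error logged) when the handle is not
/// registered — consistent with <c>DemandPermissions</c>, which denies unregistered handles,
/// instead of surfacing a <see cref="KeyNotFoundException"/> to callers of a boolean query.
/// </returns>
public bool HavePermission(Guid guid, string operation)
{
    using (SC.Utility.Lock l = new SC.Utility.Lock(secLock, SC.Utility.Lock.LockType.ForReading))
    {
        SecuritySubject subject;
        if (!acls.TryGetValue(guid, out subject))
        {
            Logger.Error("Permission query for unregistered subject handle " + guid + "; denying.");
            return false;
        }
        return subject.HavePermission(operation);
    }
}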
/// <summary>
/// Administrator-only: returns a snapshot array of the networks clients may connect from.
/// The array itself is a copy; the <c>Network</c> elements are the live objects from the list.
/// </summary>
/// <exception cref="System.Security.SecurityException">Thrown when the caller is not an administrator.</exception>
public SC.Interfaces.INetwork[] GetAllowedClientNetworks()
{
    DemandAdministratorPermissions();
    using (SC.Utility.Lock guard = new SC.Utility.Lock(secLock, SC.Utility.Lock.LockType.ForReading))
    {
        SC.Interfaces.INetwork[] snapshot = clients.ToArray();
        return snapshot;
    }
}
/// <summary>
/// Administrator-only: the names of every registered security subject, as a fresh array.
/// </summary>
/// <exception cref="System.Security.SecurityException">Thrown when the caller is not an administrator.</exception>
public string[] GetSubjects()
{
    DemandAdministratorPermissions();
    using (SC.Utility.Lock guard = new SC.Utility.Lock(secLock, SC.Utility.Lock.LockType.ForReading))
    {
        List<string> names = new List<string>(subjects.Keys);
        return names.ToArray();
    }
}
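/// <summary>
/// Administrator-only: lists the users permitted to perform <paramref name="operation"/> on the
/// named subject.
/// </summary>
/// <param name="subject">Subject name as registered via <c>RegisterSubject</c>.</param>
/// <param name="operation">Operation name passed through to <c>SecuritySubject.GetPermissions</c>.</param>
/// <exception cref="System.Security.SecurityException">Thrown when the caller is not an administrator.</exception>
/// <exception cref="SC.Interfaces.SCException">
/// Thrown for an unknown or null subject name, in place of the raw dictionary exception.
/// </exception>
public string[] GetPermissions(string subject, string operation)
{
    DemandAdministratorPermissions();
    using (SC.Utility.Lock l = new SC.Utility.Lock(secLock, SC.Utility.Lock.LockType.ForReading))
    {
        SecuritySubject target;
        if (subject == null || !subjects.TryGetValue(subject, out target))
        {
            throw new SC.Interfaces.SCException("Unknown subject: " + subject);
        }
        return target.GetPermissions(operation);
    }
}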
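/// <summary>
/// Administrator-only: grants <paramref name="username"/> access to the named subject and
/// persists the change. The audit line is written only after the grant succeeded, so the log
/// never claims a grant that threw.
/// </summary>
/// <param name="subject">Subject name as registered via <c>RegisterSubject</c>.</param>
/// <param name="username">Account to grant; a name with no matching user is allowed but warned about.</param>
/// <exception cref="System.Security.SecurityException">Thrown when the caller is not an administrator.</exception>
/// <exception cref="SC.Interfaces.SCException">Thrown for an unknown or null subject name.</exception>
public void AddPermission(string subject, string username)
{
    DemandAdministratorPermissions();
    using (SC.Utility.Lock l = new SC.Utility.Lock(secLock, SC.Utility.Lock.LockType.ForWriting))
    {
        SecuritySubject target;
        if (subject == null || !subjects.TryGetValue(subject, out target))
        {
            throw new SC.Interfaces.SCException("Unknown subject: " + subject);
        }
        // NOTE(review): permissions are stored by name, so a typo silently creates a grant
        // nobody can use (or that a later AddUser with that name inherits). Warn rather than
        // reject, in case callers intentionally pre-provision names.
        if (username == null || !users.ContainsKey(username))
        {
            Logger.Warn("Granting access on subject " + subject + " to '" + username + "', which is not an existing user account.");
        }
        target.AddPermission(username);
        Logger.Info("User " + GetCurrentUser() + " gave user " + username + " access to subject " + subject);
    }
    SaveSettings();
}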
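/// <summary>
/// Administrator-only: revokes <paramref name="username"/>'s permission for
/// <paramref name="operation"/> on the named subject and persists the change. The audit line is
/// written after the revocation succeeded.
/// </summary>
/// <param name="subject">Subject name as registered via <c>RegisterSubject</c>.</param>
/// <param name="username">Account whose permission is revoked.</param>
/// <param name="operation">Operation name passed through to <c>SecuritySubject.RemovePermission</c>.</param>
/// <exception cref="System.Security.SecurityException">Thrown when the caller is not an administrator.</exception>
/// <exception cref="SC.Interfaces.SCException">Thrown for an unknown or null subject name.</exception>
public void RemovePermission(string subject, string username, string operation)
{
    DemandAdministratorPermissions();
    using (SC.Utility.Lock l = new SC.Utility.Lock(secLock, SC.Utility.Lock.LockType.ForWriting))
    {
        SecuritySubject target;
        if (subject == null || !subjects.TryGetValue(subject, out target))
        {
            throw new SC.Interfaces.SCException("Unknown subject: " + subject);
        }
        target.RemovePermission(username, operation);
        Logger.Info("User " + GetCurrentUser() + " removed permissions for user " + username + " to subject " + subject + " for operation " + operation);
    }
    SaveSettings();
}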
/// <summary>
/// Registers (or re-attaches to) the security subject called <paramref name="name"/> and hands
/// back a fresh GUID handle for it. A subject name seen for the first time gets a new
/// <c>SecuritySubject</c>, optionally seeded with <paramref name="username"/>; an existing name
/// keeps its stored permissions. When <paramref name="additionalOperations"/> is non-null the
/// subject's operation set is reconciled to exactly those operations plus
/// <c>Operation.DEFAULT_OPERATION</c>; when it is null the operation set is left untouched.
/// </summary>
/// <param name="name">Subject name; the key in <c>subjects</c>.</param>
/// <param name="additionalOperations">Desired operation names, or null to leave operations as stored.</param>
/// <param name="username">Initial user handed to the <c>SecuritySubject</c> constructor, or null.</param>
/// <returns>A handle unique among the currently registered ACL entries.</returns>
private Guid RegisterSubject(string name, string[] additionalOperations, string username)
{
    Logger.Debug("Registered subject " + name);
    using (SC.Utility.Lock guard = new SC.Utility.Lock(secLock, SC.Utility.Lock.LockType.ForWriting))
    {
        SecuritySubject subject;
        if (!subjects.TryGetValue(name, out subject))
        {
            subject = (username == null) ? new SecuritySubject(name) : new SecuritySubject(name, username);
            subjects[name] = subject;
        }

        // Guid collisions are practically impossible, but the handle must be unique in acls.
        Guid handle;
        do
        {
            handle = Guid.NewGuid();
        }
        while (acls.ContainsKey(handle));
        acls.Add(handle, subject);

        if (additionalOperations != null)
        {
            Logger.Debug("Additional operations " + string.Join(", ", additionalOperations));
            System.Collections.Specialized.StringCollection wanted = new System.Collections.Specialized.StringCollection();
            wanted.AddRange(additionalOperations);

            // First add what is missing, then (with the default operation protected) drop
            // whatever the subject still carries that was not requested.
            foreach (string op in wanted)
            {
                if (!subject.HaveOperation(op))
                {
                    subject.AddOperation(op);
                }
            }
            wanted.Add(Operation.DEFAULT_OPERATION);
            foreach (string op in subject.GetOperations())
            {
                if (!wanted.Contains(op))
                {
                    subject.RemoveOperation(op);
                }
            }
        }
        return handle;
    }
}
/// <summary>
/// Loads persisted <c>SecuritySettings</c> from the settings provider and installs them as the
/// live <c>Settings</c>. A null or differently-typed result leaves the current settings as is.
/// </summary>
private void RestoreSettings()
{
    using (SC.Utility.Lock guard = new SC.Utility.Lock(secLock, SC.Utility.Lock.LockType.ForWriting))
    {
        object restored = settingsProviders.RestoreSettings(typeof(SecuritySettings));
        SecuritySettings loaded = restored as SecuritySettings;
        if (loaded == null)
        {
            return;
        }
        Settings = loaded;
    }
}
/// <summary>
/// The user names that currently hold the administrator permission (the permissions of the
/// subject named "SecurityManager"), used as the default grant for new subjects.
/// Falls back to the single name "Administrator" when that subject is not registered yet.
/// </summary>
internal string[] GetDefaultAccess()
{
    using (SC.Utility.Lock guard = new SC.Utility.Lock(secLock, SC.Utility.Lock.LockType.ForReading))
    {
        SecuritySubject manager;
        if (subjects.TryGetValue("SecurityManager", out manager))
        {
            return manager.GetPermissions(); // current admin permissions
        }
        return new string[] { "Administrator" };
    }
}
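/// <summary>
/// Network allow-list check for incoming clients: true when <paramref name="address"/> lies in
/// any configured client network.
/// </summary>
/// <param name="address">Remote address to test; null is rejected.</param>
/// <returns>
/// True if some entry in <c>clients</c> contains the address; false otherwise. With an empty
/// list every client is denied, and a null address is denied rather than passed into
/// <c>IsHostInNet</c> (fail closed).
/// </returns>
public bool IsClientIPAllowed(System.Net.IPAddress address)
{
    if (address == null)
    {
        return false;
    }
    using (SC.Utility.Lock l = new SC.Utility.Lock(secLock, SC.Utility.Lock.LockType.ForReading))
    {
        foreach (SC.Security.Network net in clients)
        {
            if (net.IsHostInNet(address))
            {
                return true;
            }
        }
        return false;
    }
}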
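/// <summary>
/// Administrator-only: removes a network from the client allow-list.
/// </summary>
/// <param name="network">Address/netmask of the entry to remove; matched via <c>Network</c> equality.</param>
/// <exception cref="System.Security.SecurityException">Thrown when the caller is not an administrator.</exception>
/// <exception cref="ArgumentNullException">Thrown for a null <paramref name="network"/>.</exception>
/// <exception cref="ArgumentException">Thrown when no matching entry is in the list.</exception>
/// <remarks>
/// The authorisation check runs before any argument is touched, so an unauthorised caller
/// cannot provoke a different error path by passing bad input.
/// NOTE(review): unlike AddUser/AddPermission this does not call SaveSettings(); confirm the
/// client list is persisted elsewhere or the removal is lost on restart.
/// </remarks>
public void RemoveAllowedClientNetwork(SC.Interfaces.INetwork network)
{
    DemandAdministratorPermissions();
    if (network == null)
    {
        throw new ArgumentNullException("network");
    }
    SC.Security.Network net = new Network(network.Address, network.Netmask);
    using (SC.Utility.Lock l = new SC.Utility.Lock(secLock, SC.Utility.Lock.LockType.ForWriting))
    {
        if (!clients.Remove(net))
        {
            Logger.Error("Removal of network " + net.ToString() + " failed because it is not in the access list.");
            throw new ArgumentException("Given network is not present in list");
        }
        Logger.Info("Network " + net.ToString() + " was removed from the access list by " + GetCurrentUser() + ".");
    }
}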
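/// <summary>
/// Administrator-only: deletes an account and strips its name from every subject's
/// permissions, then persists.
/// </summary>
/// <param name="username">Account to delete; must exist.</param>
/// <exception cref="System.Security.SecurityException">Thrown when the caller is not an administrator.</exception>
/// <exception cref="SC.Interfaces.SCException">
/// Thrown when the account does not exist — previously the call logged "was removed" even for
/// unknown names, leaving a misleading audit trail.
/// </exception>
/// <remarks>
/// No guard stops an administrator from deleting the last account (or themselves). When the user
/// table becomes empty, <c>FixAdministrator</c> re-seeds the default "Administrator" account with
/// its well-known default password, so a warning is logged here in that case.
/// </remarks>
public void RemoveUser(string username)
{
    DemandAdministratorPermissions();
    using (SC.Utility.Lock l = new SC.Utility.Lock(secLock, SC.Utility.Lock.LockType.ForWriting))
    {
        if (username == null || !users.ContainsKey(username))
        {
            throw new SC.Interfaces.SCException("The given username doesn't exist.");
        }
        users.Remove(username);
        foreach (SecuritySubject subject in subjects.Values)
        {
            subject.RemovePermission(username);
        }
        Logger.Info("User " + username + " was removed by " + GetCurrentUser() + ".");
        if (users.Count == 0)
        {
            Logger.Warn("No user accounts remain; the default Administrator account will be re-created with its default password.");
        }
    }
    SaveSettings();
}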
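/// <summary>
/// Changes a user's password. Allowed when the calling principal is that user (name match in
/// <c>USER_ROLE</c>) or an administrator. The change is persisted via <c>SaveSettings</c>; the
/// previous version never saved it, so a new password was lost on restart.
/// </summary>
/// <param name="username">Account whose password changes; must exist.</param>
/// <param name="password">New cleartext password (stored as is; see <c>Authenticate</c>).</param>
/// <exception cref="ArgumentNullException">Thrown for a null username or password.</exception>
/// <exception cref="System.Security.SecurityException">
/// Thrown when the caller is neither the target user nor an administrator.
/// </exception>
/// <exception cref="SC.Interfaces.SCException">Thrown when the account does not exist.</exception>
/// <remarks>
/// The self-service path does not ask for the current password, so a hijacked session can lock
/// the real user out. NOTE(review): <c>PrincipalPermission</c> is not supported on .NET Core /
/// .NET 5+ — confirm the target framework before porting this class.
/// </remarks>
public void SetPassword(string username, string password)
{
    if (username == null)
    {
        // A null name would make PrincipalPermission match *any* identity in the role.
        throw new ArgumentNullException("username");
    }
    if (password == null)
    {
        // A null stored password would later break the PBKDF2 key derivation in Authenticate.
        throw new ArgumentNullException("password");
    }

    bool canSet = false;
    try
    {
        new System.Security.Permissions.PrincipalPermission(username, USER_ROLE).Demand();
        canSet = true;
    }
    catch (System.Security.SecurityException)
    {
        // Not the target user; fall through to the administrator check.
    }
    if (!canSet)
    {
        try
        {
            DemandAdministratorPermissions();
            canSet = true;
        }
        catch (System.Security.SecurityException)
        {
            // Not an administrator either.
        }
    }
    if (!canSet)
    {
        Logger.Error("User " + GetCurrentUser() + " tried settings password for user " + username + ". The operation was denied.");
        throw new System.Security.SecurityException("You cannot set other users' password without administrator privileges. Your action will be reported.");
    }

    using (SC.Utility.Lock l = new SC.Utility.Lock(secLock, SC.Utility.Lock.LockType.ForWriting))
    {
        UserInfo account;
        if (!users.TryGetValue(username, out account))
        {
            throw new SC.Interfaces.SCException("The given username doesn't exist.");
        }
        account.Password = password;
        Logger.Info("Password for user " + username + " was changed by " + GetCurrentUser() + ".");
    }
    SaveSettings();
}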
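/// <summary>
/// Appends a network to the client allow-list, refusing one that nests inside, or encloses, an
/// existing entry. No authorisation is performed here; the public caller is expected to have
/// demanded administrator rights.
/// </summary>
/// <param name="network">Network to add; must not be null.</param>
/// <exception cref="ArgumentNullException">Thrown for a null <paramref name="network"/>.</exception>
/// <exception cref="ArgumentException">Thrown when the network overlaps an existing entry.</exception>
/// <remarks>
/// The writer lock is held for the whole check-then-add. The previous version checked under a
/// reader lock and upgraded afterwards; if the lock wrapper follows ReaderWriterLock semantics
/// the upgrade releases the reader lock first, letting two concurrent adds both pass the
/// overlap check. NOTE(review): the overlap test only asks whether each network's base address
/// lies inside the other, which is complete for CIDR-aligned addresses — confirm
/// <c>Network</c> normalises its address to the netmask.
/// </remarks>
private void AddAllowedClientNetwork(Network network)
{
    if (network == null)
    {
        throw new ArgumentNullException("network");
    }
    using (SC.Utility.Lock l = new SC.Utility.Lock(secLock, SC.Utility.Lock.LockType.ForWriting))
    {
        foreach (SC.Security.Network existing in clients)
        {
            if (existing.IsHostInNet(network.Address) || network.IsHostInNet(existing.Address))
            {
                Logger.Error("Network add failed because network " + network.ToString() + " is contained in " + existing.ToString());
                throw new ArgumentException("Cannot add network because it contains or is contained in another network: " + existing.ToString());
            }
        }
        Logger.Info("Adding network " + network.ToString() + " to the access list.");
        clients.Add(network);
    }
}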
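/// <summary>
/// Administrator-only: creates an account and persists the user table.
/// </summary>
/// <param name="username">New account name; must be non-blank, unique, and not <c>SYSTEM_ACCOUNT</c>.</param>
/// <param name="password">Initial cleartext password (stored as is; see <c>Authenticate</c>).</param>
/// <exception cref="System.Security.SecurityException">Thrown when the caller is not an administrator.</exception>
/// <exception cref="ArgumentNullException">Thrown for a null password.</exception>
/// <exception cref="SC.Interfaces.SCException">
/// Thrown for a null/blank/reserved username or one that already exists. Previously a null name
/// surfaced as an <see cref="ArgumentNullException"/> from the dictionary lookup.
/// </exception>
public void AddUser(string username, string password)
{
    DemandAdministratorPermissions();
    if (password == null)
    {
        // A null stored password would later break the PBKDF2 key derivation in Authenticate.
        throw new ArgumentNullException("password");
    }
    using (SC.Utility.Lock l = new SC.Utility.Lock(secLock, SC.Utility.Lock.LockType.ForWriting))
    {
        if (string.IsNullOrEmpty(username) || username.Trim().Length == 0 || username == SYSTEM_ACCOUNT)
        {
            throw new SC.Interfaces.SCException("Invalid username.");
        }
        if (users.ContainsKey(username))
        {
            throw new SC.Interfaces.SCException("A user with name " + username + " already exists.");
        }
        UserInfo newUser = new UserInfo(username, password);
        Logger.Info("Adding user " + username + " (by " + GetCurrentUser() + ")");
        users.Add(newUser.Username, newUser);
    }
    SaveSettings();
}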
/// <summary>
/// Creates or re-attaches the subject named <paramref name="name"/> and returns a new GUID handle
/// that maps to it in <c>acls</c>. Unknown names get a fresh <c>SecuritySubject</c> (seeded with
/// <paramref name="username"/> when given); known names keep their stored permissions.
/// If <paramref name="additionalOperations"/> is supplied, the subject ends up with exactly those
/// operations plus <c>Operation.DEFAULT_OPERATION</c>; if it is null, operations are untouched.
/// </summary>
/// <param name="name">Subject name used as the <c>subjects</c> key.</param>
/// <param name="additionalOperations">Operation names to reconcile to, or null.</param>
/// <param name="username">Optional initial user for a newly created subject.</param>
/// <returns>The freshly allocated handle.</returns>
private Guid RegisterSubject(string name, string[] additionalOperations, string username)
{
    Logger.Debug("Registered subject " + name);
    using (SC.Utility.Lock guard = new SC.Utility.Lock(secLock, SC.Utility.Lock.LockType.ForWriting))
    {
        if (!subjects.ContainsKey(name))
        {
            SecuritySubject created;
            if (username == null)
            {
                created = new SecuritySubject(name);
            }
            else
            {
                created = new SecuritySubject(name, username);
            }
            subjects[name] = created;
        }
        SecuritySubject subject = subjects[name];

        // Allocate a handle that is not already in use.
        Guid handle = Guid.NewGuid();
        while (acls.ContainsKey(handle))
        {
            handle = Guid.NewGuid();
        }
        acls.Add(handle, subject);

        if (additionalOperations == null)
        {
            return handle;
        }

        Logger.Debug("Additional operations " + string.Join(", ", additionalOperations));
        System.Collections.Specialized.StringCollection requested = new System.Collections.Specialized.StringCollection();
        requested.AddRange(additionalOperations);
        foreach (string missing in requested)
        {
            if (!subject.HaveOperation(missing))
            {
                subject.AddOperation(missing);
            }
        }
        // The default operation is never removed, even when not explicitly requested.
        requested.Add(Operation.DEFAULT_OPERATION);
        foreach (string present in subject.GetOperations())
        {
            if (!requested.Contains(present))
            {
                subject.RemoveOperation(present);
            }
        }
        return handle;
    }
}
/// <summary>
/// Administrator-only: every account name in the user table, copied into a new array.
/// </summary>
/// <exception cref="System.Security.SecurityException">Thrown when the caller is not an administrator.</exception>
public string[] GetUsers()
{
    DemandAdministratorPermissions();
    using (SC.Utility.Lock guard = new SC.Utility.Lock(secLock, SC.Utility.Lock.LockType.ForReading))
    {
        string[] names = new string[users.Count];
        users.Keys.CopyTo(names, 0);
        return names;
    }
}
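/// <summary>
/// Administrator-only: lists the users permitted to perform <paramref name="operation"/> on the
/// named subject.
/// </summary>
/// <param name="subject">Subject name as registered via <c>RegisterSubject</c>.</param>
/// <param name="operation">Operation name passed through to <c>SecuritySubject.GetPermissions</c>.</param>
/// <exception cref="System.Security.SecurityException">Thrown when the caller is not an administrator.</exception>
/// <exception cref="SC.Interfaces.SCException">
/// Thrown for an unknown or null subject name instead of the raw dictionary exception.
/// </exception>
public string[] GetPermissions(string subject, string operation)
{
    DemandAdministratorPermissions();
    using (SC.Utility.Lock l = new SC.Utility.Lock(secLock, SC.Utility.Lock.LockType.ForReading))
    {
        SecuritySubject target;
        if (subject == null || !subjects.TryGetValue(subject, out target))
        {
            throw new SC.Interfaces.SCException("Unknown subject: " + subject);
        }
        return target.GetPermissions(operation);
    }
}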
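/// <summary>
/// Local (same-process) password authentication. On success the calling thread's principal is
/// replaced by a <see cref="System.Security.Principal.GenericPrincipal"/> for <paramref name="user"/>
/// in <c>USER_ROLE</c>, which the permission demands in this class check against.
/// </summary>
/// <param name="user">Account name; looked up verbatim in the user table.</param>
/// <param name="password">Cleartext password to compare against the stored one.</param>
/// <exception cref="System.Security.SecurityException">
/// Thrown for an unknown or null user, or a null/mismatching password. One message for all cases
/// so "no such user" is not distinguishable from "wrong password" by the caller.
/// </exception>
public void Authenticate(string user, string password)
{
    using (SC.Utility.Lock l = new SC.Utility.Lock(secLock, SC.Utility.Lock.LockType.ForReading))
    {
        UserInfo account;
        if (user == null || !users.TryGetValue(user, out account))
        {
            Logger.Error("Local login failed for username " + user);
            throw new System.Security.SecurityException("Invalid authentication. User or password incorrect.");
        }

        // NOTE(review): UserInfo.Password holds the cleartext password (it is also the PBKDF2
        // input in the HMAC overload), so a hashed comparison would require changing the
        // storage format and the client protocol together.
        string stored = account.Password;

        // Constant-time comparison with no early exit; a null on either side is a mismatch
        // (the old `==` would have accepted a null password for an account whose stored
        // password was null).
        bool sameLength = stored != null && password != null && stored.Length == password.Length;
        int diff = 0;
        if (sameLength)
        {
            for (int i = 0; i < stored.Length; i++)
            {
                diff |= stored[i] ^ password[i];
            }
        }

        if (!sameLength || diff != 0)
        {
            Logger.Error("User " + user + " failed to authenticate locally.");
            throw new System.Security.SecurityException("Invalid authentication. User or password incorrect.");
        }

        // Successful logins are logged at most once per ten minutes per account.
        if (account.LastConnect < DateTime.Now - new TimeSpan(0, 10, 0))
        {
            Logger.Info("User " + user + " authenticated locally");
        }
        account.SetUserConnected();
        System.Threading.Thread.CurrentPrincipal = new System.Security.Principal.GenericPrincipal(new System.Security.Principal.GenericIdentity(user), new string[] { USER_ROLE });
    }
}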
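/// <summary>
/// Changes a user's password. Permitted when the calling principal is that user (name match in
/// <c>USER_ROLE</c>) or an administrator. The change is persisted with <c>SaveSettings</c>; the
/// previous version did not save, so the new password was lost on restart.
/// </summary>
/// <param name="username">Account whose password changes; must exist.</param>
/// <param name="password">New cleartext password (stored as is; see <c>Authenticate</c>).</param>
/// <exception cref="ArgumentNullException">Thrown for a null username or password.</exception>
/// <exception cref="System.Security.SecurityException">
/// Thrown when the caller is neither the target user nor an administrator.
/// </exception>
/// <exception cref="SC.Interfaces.SCException">Thrown when the account does not exist.</exception>
/// <remarks>
/// The self-service path does not require the current password, so a hijacked session can lock
/// the real user out. NOTE(review): <c>PrincipalPermission</c> is unsupported on .NET Core /
/// .NET 5+ — confirm the target framework before porting.
/// </remarks>
public void SetPassword(string username, string password)
{
    if (username == null)
    {
        // A null name would make PrincipalPermission match any identity in the role.
        throw new ArgumentNullException("username");
    }
    if (password == null)
    {
        // A null stored password would later break PBKDF2 in the HMAC Authenticate overload.
        throw new ArgumentNullException("password");
    }

    bool canSet = false;
    try
    {
        new System.Security.Permissions.PrincipalPermission(username, USER_ROLE).Demand();
        canSet = true;
    }
    catch (System.Security.SecurityException)
    {
        // Not the target user; try the administrator path.
    }
    if (!canSet)
    {
        try
        {
            DemandAdministratorPermissions();
            canSet = true;
        }
        catch (System.Security.SecurityException)
        {
            // Not an administrator either.
        }
    }
    if (!canSet)
    {
        Logger.Error("User " + GetCurrentUser() + " tried settings password for user " + username + ". The operation was denied.");
        throw new System.Security.SecurityException("You cannot set other users' password without administrator privileges. Your action will be reported.");
    }

    using (SC.Utility.Lock l = new SC.Utility.Lock(secLock, SC.Utility.Lock.LockType.ForWriting))
    {
        UserInfo account;
        if (!users.TryGetValue(username, out account))
        {
            throw new SC.Interfaces.SCException("The given username doesn't exist.");
        }
        account.Password = password;
        Logger.Info("Password for user " + username + " was changed by " + GetCurrentUser() + ".");
    }
    SaveSettings();
}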
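/// <summary>
/// Client allow-list check: true when <paramref name="address"/> falls inside any configured
/// client network.
/// </summary>
/// <param name="address">Remote address to test; null is denied.</param>
/// <returns>
/// True if some <c>clients</c> entry contains the address. An empty list denies everyone, and a
/// null address is denied without consulting <c>IsHostInNet</c> (fail closed).
/// </returns>
public bool IsClientIPAllowed(System.Net.IPAddress address)
{
    if (address == null)
    {
        return false;
    }
    using (SC.Utility.Lock l = new SC.Utility.Lock(secLock, SC.Utility.Lock.LockType.ForReading))
    {
        foreach (SC.Security.Network net in clients)
        {
            if (net.IsHostInNet(address))
            {
                return true;
            }
        }
        return false;
    }
}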
/// <summary>
/// Administrator-only: a copied array of the networks clients may connect from. The array is
/// fresh; its <c>Network</c> elements are the live list entries.
/// </summary>
/// <exception cref="System.Security.SecurityException">Thrown when the caller is not an administrator.</exception>
public SC.Interfaces.INetwork[] GetAllowedClientNetworks()
{
    DemandAdministratorPermissions();
    using (SC.Utility.Lock guard = new SC.Utility.Lock(secLock, SC.Utility.Lock.LockType.ForReading))
    {
        SC.Interfaces.INetwork[] copy = clients.ToArray();
        return copy;
    }
}
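/// <summary>
/// Non-throwing permission query for the subject registered under <paramref name="guid"/>.
/// </summary>
/// <param name="guid">Handle returned by <c>RegisterSubject</c>.</param>
/// <param name="operation">Operation name to check.</param>
/// <returns>
/// The subject's <c>HavePermission</c> result, or false (with an error logged) for an
/// unregistered handle. Denying is consistent with <c>DemandPermissions</c>; the old behaviour
/// of throwing <see cref="KeyNotFoundException"/> from a boolean query was easy to mishandle.
/// </returns>
public bool HavePermission(Guid guid, string operation)
{
    using (SC.Utility.Lock l = new SC.Utility.Lock(secLock, SC.Utility.Lock.LockType.ForReading))
    {
        SecuritySubject subject;
        if (!acls.TryGetValue(guid, out subject))
        {
            Logger.Error("Permission query for unregistered subject handle " + guid + "; denying.");
            return false;
        }
        return subject.HavePermission(operation);
    }
}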
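/// <summary>
/// Challenge/response authentication. The client sends HMAC-SHA512 over the full contents of
/// <paramref name="stream"/>, keyed with 64 bytes of PBKDF2(password, salt = <paramref name="nonce"/>,
/// 997 iterations); the server recomputes it from the stored cleartext password and compares in
/// constant time. On success the calling thread's principal becomes <paramref name="user"/> in
/// <c>USER_ROLE</c>.
/// </summary>
/// <param name="user">Account name; looked up verbatim.</param>
/// <param name="base64HMAC">Client-supplied MAC, Base64 encoded.</param>
/// <param name="nonce">PBKDF2 salt; must be at least 8 bytes or the derivation is rejected.</param>
/// <param name="stream">Authenticated payload; rewound to position 0 before returning.</param>
/// <exception cref="System.Security.SecurityException">
/// Thrown for an unknown user, a malformed or mismatching MAC, or an unusable nonce/stream —
/// always with the same message so accounts cannot be enumerated from the response.
/// </exception>
/// <remarks>
/// 997 iterations and a 64-byte key are wire-protocol constants shared with the client.
/// NOTE(review): freshness of the nonce is not verified here; confirm the caller issues it
/// server-side and accepts it once. The scheme requires cleartext passwords on the server,
/// which is why UserInfo.Password is not hashed.
/// </remarks>
public void Authenticate(string user, string base64HMAC, byte[] nonce, System.IO.MemoryStream stream)
{
    using (SC.Utility.Lock l = new SC.Utility.Lock(secLock, SC.Utility.Lock.LockType.ForReading))
    {
        UserInfo account;
        if (user == null || !users.TryGetValue(user, out account))
        {
            Logger.Error("Someone tried to login with username " + user);
            throw new System.Security.SecurityException("Invalid authentication. Check your username and password.");
        }

        // A malformed Base64 MAC is an authentication failure, not a FormatException.
        byte[] presented = null;
        if (base64HMAC != null)
        {
            try
            {
                presented = Convert.FromBase64String(base64HMAC);
            }
            catch (FormatException)
            {
                presented = null;
            }
        }

        byte[] computed = null;
        if (stream != null)
        {
            byte[] payload = stream.ToArray();
            // Rewind so the caller can read the payload after authentication.
            stream.Seek(0, System.IO.SeekOrigin.Begin);

            // Rfc2898DeriveBytes throws for a salt shorter than 8 bytes or a null password;
            // treat those as failed authentication rather than letting the exception out.
            if (nonce != null && nonce.Length >= 8 && account.Password != null)
            {
                byte[] key = new System.Security.Cryptography.Rfc2898DeriveBytes(account.Password, nonce, 997).GetBytes(64);
                using (System.Security.Cryptography.HMACSHA512 hmac = new System.Security.Cryptography.HMACSHA512(key))
                {
                    computed = hmac.ComputeHash(payload);
                }
            }
        }

        // Constant-time comparison of the raw MAC bytes.
        bool sameLength = presented != null && computed != null && presented.Length == computed.Length;
        int diff = 0;
        if (sameLength)
        {
            for (int i = 0; i < computed.Length; i++)
            {
                diff |= presented[i] ^ computed[i];
            }
        }

        if (!sameLength || diff != 0)
        {
            Logger.Error("User " + user + " failed to authenticate.");
            throw new System.Security.SecurityException("Invalid authentication. Check your username and password.");
        }

        // Successful logins are logged at most once per ten minutes per account.
        if (account.LastConnect < DateTime.Now - new TimeSpan(0, 10, 0))
        {
            Logger.Info("User " + user + " authenticated.");
        }
        account.SetUserConnected();
        System.Threading.Thread.CurrentPrincipal = new System.Security.Principal.GenericPrincipal(new System.Security.Principal.GenericIdentity(user), new string[] { USER_ROLE });
    }
}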
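/// <summary>
/// Administrator-only: creates an account and persists the user table.
/// </summary>
/// <param name="username">New account name; must be non-blank, unique, and not <c>SYSTEM_ACCOUNT</c>.</param>
/// <param name="password">Initial cleartext password (stored as is; see <c>Authenticate</c>).</param>
/// <exception cref="System.Security.SecurityException">Thrown when the caller is not an administrator.</exception>
/// <exception cref="ArgumentNullException">Thrown for a null password.</exception>
/// <exception cref="SC.Interfaces.SCException">
/// Thrown for a null/blank/reserved username or a duplicate. A null name previously escaped as
/// an <see cref="ArgumentNullException"/> from the dictionary lookup.
/// </exception>
public void AddUser(string username, string password)
{
    DemandAdministratorPermissions();
    if (password == null)
    {
        // A null stored password would later break PBKDF2 in the HMAC Authenticate overload.
        throw new ArgumentNullException("password");
    }
    using (SC.Utility.Lock l = new SC.Utility.Lock(secLock, SC.Utility.Lock.LockType.ForWriting))
    {
        if (string.IsNullOrEmpty(username) || username.Trim().Length == 0 || username == SYSTEM_ACCOUNT)
        {
            throw new SC.Interfaces.SCException("Invalid username.");
        }
        if (users.ContainsKey(username))
        {
            throw new SC.Interfaces.SCException("A user with name " + username + " already exists.");
        }
        UserInfo newUser = new UserInfo(username, password);
        Logger.Info("Adding user " + username + " (by " + GetCurrentUser() + ")");
        users.Add(newUser.Username, newUser);
    }
    SaveSettings();
}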
/// <summary>
/// Names currently holding the administrator permission — the permissions of the subject named
/// "SecurityManager" — used as the default grant for new subjects. Returns just "Administrator"
/// while that subject is not registered.
/// </summary>
internal string[] GetDefaultAccess()
{
    using (SC.Utility.Lock guard = new SC.Utility.Lock(secLock, SC.Utility.Lock.LockType.ForReading))
    {
        SecuritySubject manager;
        bool registered = subjects.TryGetValue("SecurityManager", out manager);
        if (!registered)
        {
            return new string[] { "Administrator" };
        }
        return manager.GetPermissions(); // current admin permissions
    }
}