public static bool PasswordAuthentication(String AUserID, String APassword) { TPetraPrincipal PetraPrincipal = null; SUserRow UserDR = TUserManagerWebConnector.LoadUser(AUserID, out PetraPrincipal); string UserAuthenticationMethod = TAppSettingsManager.GetValue("UserAuthenticationMethod", "OpenPetraDBSUser", false); if (UserAuthenticationMethod == "OpenPetraDBSUser") { if (TUserManagerWebConnector.CreateHashOfPassword(String.Concat(APassword, UserDR.PasswordSalt)) != UserDR.PasswordHash) { return(false); } } else { IUserAuthentication auth = TUserManagerWebConnector.LoadAuthAssembly(UserAuthenticationMethod); string ErrorMessage; if (!auth.AuthenticateUser(AUserID, APassword, out ErrorMessage)) { return(false); } } return(true); }
internal static void SetNewPasswordHashAndSaltForUser(SUserRow AUserDR, string ANewPassword, string AClientComputerName, string AClientIPAddress, TDBTransaction ATransaction) { byte[] Salt; int PwdSchemeVersionUpTillNow = AUserDR.PwdSchemeVersion; int CurrentPwdSchemeVersion = TPasswordHelper.CurrentPasswordSchemeNumber; EnsurePasswordHashingSchemeChangeIsAllowed(AUserDR.UserId, PwdSchemeVersionUpTillNow); // Note: In this Method we deliberately ignore the present value of the PwdSchemeVersion Column of AUserDR // because we *always* want to save the new password with the password hash of the current (=newest) version! // We always assign a new 'Salt' with every password change (best practice)! Salt = TPasswordHelper.CurrentPasswordScheme.GetNewPasswordSalt(); AUserDR.PasswordSalt = Convert.ToBase64String(Salt); AUserDR.PasswordHash = TUserManagerWebConnector.CreateHashOfPassword(ANewPassword, Convert.ToBase64String(Salt), CurrentPwdSchemeVersion); if (PwdSchemeVersionUpTillNow != CurrentPwdSchemeVersion) { // Ensure AUserDR.PwdSchemeVersion gets set to the current (=newest) version! AUserDR.PwdSchemeVersion = CurrentPwdSchemeVersion; TUserAccountActivityLog.AddUserAccountActivityLogEntry(AUserDR.UserId, TUserAccountActivityLog.USER_ACTIVITY_PWD_HASHING_SCHEME_UPGRADED, String.Format(Catalog.GetString( "The Password Scheme of User {0} got upgraded to {1}; previously it was {2}. "), AUserDR.UserId, TPasswordHelper.CurrentPasswordSchemeNumber, PwdSchemeVersionUpTillNow) + String.Format(ResourceTexts.StrRequestCallerInfo, AClientComputerName, AClientIPAddress), ATransaction); } }
public static bool SetUserPassword(string AUsername, string APassword, bool APasswordNeedsChanged) { string UserAuthenticationMethod = TAppSettingsManager.GetValue("UserAuthenticationMethod", "OpenPetraDBSUser", false); if (UserAuthenticationMethod == "OpenPetraDBSUser") { TPetraPrincipal tempPrincipal; SUserRow UserDR = TUserManagerWebConnector.LoadUser(AUsername.ToUpper(), out tempPrincipal); SUserTable UserTable = (SUserTable)UserDR.Table; Random r = new Random(); UserDR.PasswordSalt = r.Next(1000000000).ToString(); UserDR.PasswordHash = TUserManagerWebConnector.CreateHashOfPassword(String.Concat(APassword, UserDR.PasswordSalt), "SHA1"); UserDR.PasswordNeedsChange = APasswordNeedsChanged; TDBTransaction Transaction = DBAccess.GDBAccessObj.BeginTransaction(IsolationLevel.Serializable); SUserAccess.SubmitChanges(UserTable, Transaction); DBAccess.GDBAccessObj.CommitTransaction(); return(true); } else { IUserAuthentication auth = TUserManagerWebConnector.LoadAuthAssembly(UserAuthenticationMethod); return(auth.SetPassword(AUsername, APassword)); } }
public static bool SetUserPassword(string AUsername, string APassword, bool APasswordNeedsChanged, bool AUnretireIfRetired) { string UserAuthenticationMethod = TAppSettingsManager.GetValue("UserAuthenticationMethod", "OpenPetraDBSUser", false); if (UserAuthenticationMethod == "OpenPetraDBSUser") { TDBTransaction SubmitChangesTransaction = null; bool SubmissionResult = false; TPetraPrincipal tempPrincipal; DBAccess.GDBAccessObj.BeginAutoTransaction(IsolationLevel.Serializable, ref SubmitChangesTransaction, ref SubmissionResult, delegate { SUserRow UserDR = TUserManagerWebConnector.LoadUser(AUsername.ToUpper(), out tempPrincipal); SUserTable UserTable = (SUserTable)UserDR.Table; Random r = new Random(); UserDR.PasswordSalt = r.Next(1000000000).ToString(); UserDR.PasswordHash = TUserManagerWebConnector.CreateHashOfPassword(String.Concat(APassword, UserDR.PasswordSalt), "SHA1"); UserDR.PasswordNeedsChange = APasswordNeedsChanged; // unretire the user if it has been previously retired if (AUnretireIfRetired) { UserDR.Retired = false; } SUserAccess.SubmitChanges(UserTable, SubmitChangesTransaction); SubmissionResult = true; }); return(true); } else { IUserAuthentication auth = TUserManagerWebConnector.LoadAuthAssembly(UserAuthenticationMethod); return(auth.SetPassword(AUsername, APassword)); } }
/// <summary> /// Compares the new password with existing password - are they the same? /// </summary> /// <param name="ANewPassword">New password.</param> /// <param name="AUserDR">DataRow of the user record in s_user DB Table whose password should be changed.</param> /// <param name="AVerificationResult">Will be null if the new password is not the same than the old password, /// otherwise it will be populated.</param> /// <returns>False if the new password is not the same than the old password, otherwise true.</returns> private static bool IsNewPasswordSameAsExistingPassword(string ANewPassword, SUserRow AUserDR, out TVerificationResult AVerificationResult) { string NewPasswordHashWithOldSalt = TUserManagerWebConnector.CreateHashOfPassword(ANewPassword, AUserDR.PasswordSalt, AUserDR.PwdSchemeVersion); if (TPasswordHelper.EqualsAntiTimingAttack(Convert.FromBase64String(AUserDR.PasswordHash), Convert.FromBase64String(NewPasswordHashWithOldSalt))) { AVerificationResult = new TVerificationResult("Password change", ErrorCodes.GetErrorInfo(PetraErrorCodes.ERR_NEW_PASSWORD_MUST_BE_DIFFERENT)); return(true); } AVerificationResult = null; return(false); }
public static bool SetUserPassword(string AUsername, string APassword, string AOldPassword, bool APasswordNeedsChanged, out TVerificationResultCollection AVerification) { TDBTransaction Transaction; string UserAuthenticationMethod = TAppSettingsManager.GetValue("UserAuthenticationMethod", "OpenPetraDBSUser", false); TVerificationResult VerificationResult; AVerification = new TVerificationResultCollection(); if (!TSharedSysManValidation.CheckPasswordQuality(APassword, out VerificationResult)) { return(false); } if (APasswordNeedsChanged && APassword == AOldPassword) { AVerification = new TVerificationResultCollection(); AVerification.Add(new TVerificationResult("\nPassword check.", Catalog.GetString( "Password not changed as the old password was reused. Please use a new password."), TResultSeverity.Resv_Critical)); return(false); } if (UserAuthenticationMethod == "OpenPetraDBSUser") { TPetraPrincipal tempPrincipal; SUserRow UserDR = TUserManagerWebConnector.LoadUser(AUsername.ToUpper(), out tempPrincipal); if (TUserManagerWebConnector.CreateHashOfPassword(String.Concat(AOldPassword, UserDR.PasswordSalt)) != UserDR.PasswordHash) { AVerification = new TVerificationResultCollection(); AVerification.Add(new TVerificationResult("\nPassword quality check.", String.Format( Catalog.GetString( "Old password entered incorrectly. Password not changed.")), TResultSeverity.Resv_Critical)); return(false); } SUserTable UserTable = (SUserTable)UserDR.Table; UserDR.PasswordHash = TUserManagerWebConnector.CreateHashOfPassword(String.Concat(APassword, UserDR.PasswordSalt)); UserDR.PasswordNeedsChange = false; Transaction = DBAccess.GDBAccessObj.BeginTransaction(IsolationLevel.Serializable); try { SUserAccess.SubmitChanges(UserTable, Transaction); DBAccess.GDBAccessObj.CommitTransaction(); } catch (Exception Exc) { TLogging.Log("An Exception occured during the setting of the User Password:" + Environment.NewLine + Exc.ToString()); DBAccess.GDBAccessObj.RollbackTransaction(); throw; } return(true); } else { IUserAuthentication auth = TUserManagerWebConnector.LoadAuthAssembly(UserAuthenticationMethod); return(auth.SetPassword(AUsername, APassword, AOldPassword)); } }
public static bool SetUserPassword(string AUserID, string ANewPassword, string ACurrentPassword, bool APasswordNeedsChanged, string AClientComputerName, string AClientIPAddress, out TVerificationResultCollection AVerification) { string UserAuthenticationMethod = TAppSettingsManager.GetValue("UserAuthenticationMethod", "OpenPetraDBSUser", false); TVerificationResult VerificationResult; TVerificationResultCollection VerificationResultColl = null; SUserRow UserDR = null; SUserTable UserTable = null; bool BogusPasswordChangeAttempt = false; AVerification = new TVerificationResultCollection(); // Security check: Is the user that is performing the password change request the current user? if (AUserID != UserInfo.GUserInfo.UserID) { throw new EOPAppException( "The setting of a User's Password must only be done by the user itself, but this isn't the case here and therefore the request gets denied"); } // Password quality check if (!TSharedSysManValidation.CheckPasswordQuality(ANewPassword, out VerificationResult)) { AVerification.Add(VerificationResult); return(false); } if (UserAuthenticationMethod == "OpenPetraDBSUser") { TPetraPrincipal tempPrincipal; TDBTransaction SubmitChangesTransaction = null; bool SubmissionResult = false; DBAccess.GDBAccessObj.BeginAutoTransaction(IsolationLevel.Serializable, ref SubmitChangesTransaction, ref SubmissionResult, delegate { try { UserDR = TUserManagerWebConnector.LoadUser(AUserID.ToUpper(), out tempPrincipal, SubmitChangesTransaction); } catch (EUserNotExistantException) { // Because this cannot happen when a password change gets effected through normal OpenPetra // operation this is treated as a bogus operation that an attacker launches! BogusPasswordChangeAttempt = true; // Logging TUserAccountActivityLog.AddUserAccountActivityLogEntry(AUserID, TUserAccountActivityLog.USER_ACTIVITY_PWD_CHANGE_ATTEMPT_BY_USER_FOR_NONEXISTING_USER, String.Format(Catalog.GetString( "User {0} tried to make an attempt to change a User's password for UserID {1} " + "but that user doesn't exist! "), UserInfo.GUserInfo.UserID, AUserID) + String.Format(ResourceTexts.StrRequestCallerInfo, AClientComputerName, AClientIPAddress), SubmitChangesTransaction); SubmissionResult = true; // Need to set this so that the DB Transaction gets committed! // Simulate that time is spent on 'authenticating' a user (although the user doesn't exist)...! Reason for that: see Method // SimulatePasswordAuthenticationForNonExistingUser! TUserManagerWebConnector.SimulatePasswordAuthenticationForNonExistingUser(); return; } UserTable = (SUserTable)UserDR.Table; // Security check: Is the supplied current password correct? if (TUserManagerWebConnector.CreateHashOfPassword(ACurrentPassword, UserDR.PasswordSalt, UserDR.PwdSchemeVersion) != UserDR.PasswordHash) { VerificationResultColl = new TVerificationResultCollection(); VerificationResultColl.Add(new TVerificationResult("Password Verification", Catalog.GetString( "The current password was entered incorrectly! The password did not get changed."), TResultSeverity.Resv_Critical)); try { SUserAccess.SubmitChanges(UserTable, SubmitChangesTransaction); TUserAccountActivityLog.AddUserAccountActivityLogEntry(UserDR.UserId, TUserAccountActivityLog.USER_ACTIVITY_PWD_WRONG_WHILE_PWD_CHANGE, String.Format(Catalog.GetString( "User {0} supplied the wrong current password while attempting to change " + "his/her password! ") + String.Format(ResourceTexts.StrRequestCallerInfo, AClientComputerName, AClientIPAddress), UserInfo.GUserInfo.UserID), SubmitChangesTransaction); SubmissionResult = true; } catch (Exception Exc) { TLogging.Log(String.Format( "An Exception occured during the changing of the User Password by user '{0}' (Situation 1):", AUserID) + Environment.NewLine + Exc.ToString()); throw; } } }); if (BogusPasswordChangeAttempt) { // Note: VerificationResultColl will be null in this case because we don't want to disclose to an attackeer // why the password change attempt was denied!!! return(false); } if (VerificationResultColl != null) { AVerification = VerificationResultColl; return(false); } // Security check: Is the supplied new password the same than the current password? if (IsNewPasswordSameAsExistingPassword(ANewPassword, UserDR, out VerificationResult)) { AVerification.Add(VerificationResult); return(false); } // // All checks passed: We go aheand and change the user's password! // SetNewPasswordHashAndSaltForUser(UserDR, ANewPassword, AClientComputerName, AClientIPAddress, SubmitChangesTransaction); UserDR.PasswordNeedsChange = false; DBAccess.GDBAccessObj.BeginAutoTransaction(IsolationLevel.Serializable, ref SubmitChangesTransaction, ref SubmissionResult, delegate { try { SUserAccess.SubmitChanges(UserTable, SubmitChangesTransaction); TUserAccountActivityLog.AddUserAccountActivityLogEntry(UserDR.UserId, (APasswordNeedsChanged ? TUserAccountActivityLog.USER_ACTIVITY_PWD_CHANGE_BY_USER_ENFORCED : TUserAccountActivityLog.USER_ACTIVITY_PWD_CHANGE_BY_USER), String.Format(Catalog.GetString("User {0} changed his/her password{1}"), UserInfo.GUserInfo.UserID, (APasswordNeedsChanged ? Catalog.GetString(" (enforced password change.) ") : ". ")) + String.Format(ResourceTexts.StrRequestCallerInfo, AClientComputerName, AClientIPAddress), SubmitChangesTransaction); SubmissionResult = true; } catch (Exception Exc) { TLogging.Log(String.Format("An Exception occured during the changing of the User Password by user '{0}' (Situation 2):", AUserID) + Environment.NewLine + Exc.ToString()); throw; } }); return(true); } else { IUserAuthentication auth = TUserManagerWebConnector.LoadAuthAssembly(UserAuthenticationMethod); return(auth.SetPassword(AUserID, ANewPassword, ACurrentPassword)); } }