private void SetPassword(Object Sender, EventArgs e)
{
if (FPreviouslySelectedDetailRow == null)
{
return;
}
if (FPetraUtilsObject.HasChanges)
{
MessageBox.Show(
Catalog.GetString("Please save changes before changing password."),
Catalog.GetString("Change password."),
MessageBoxButtons.OK,
MessageBoxIcon.Stop);
return;
}
string username = GetSelectedDetailRow().UserId;
string MessageTitle = Catalog.GetString("Set Password");
string ErrorMessage = String.Format(Catalog.GetString("There was a problem setting the password for user {0}."), username);
// only request the password once, since this is the sysadmin changing it.
// see http://bazaar.launchpad.net/~openpetracore/openpetraorg/trunkhosted/view/head:/csharp/ICT/Petra/Client/MSysMan/Gui/SysManMain.cs
// for the change password dialog for the normal user
PetraInputBox input = new PetraInputBox(
Catalog.GetString("Change the password"),
String.Format(Catalog.GetString("Please enter the new password for user {0}:"), username),
"", true);
if (input.ShowDialog() == DialogResult.OK)
{
string password = input.GetAnswer();
TVerificationResult VerificationResult;
if (TSharedSysManValidation.CheckPasswordQuality(password, out VerificationResult))
{
if (TRemote.MSysMan.Maintenance.WebConnectors.SetUserPassword(username, password, true, true))
{
MessageBox.Show(String.Format(Catalog.GetString("Password was successfully set for user {0}."), username),
MessageTitle, MessageBoxButtons.OK, MessageBoxIcon.Information);
// This has been saved on the server so my data is dirty - I need to re-load:
FPreviouslySelectedDetailRow = null;
Int32 rowIdx = GetSelectedRowIndex();
LoadUsers();
grdDetails.SelectRowInGrid(rowIdx);
}
else
{
MessageBox.Show(ErrorMessage, MessageTitle, MessageBoxButtons.OK, MessageBoxIcon.Error);
}
}
else
{
MessageBox.Show(ErrorMessage + Environment.NewLine + Environment.NewLine + VerificationResult.ResultText,
MessageTitle, MessageBoxButtons.OK, MessageBoxIcon.Error);
}
}
}
private void BtnOK_Click(Object Sender, EventArgs e)
{
string MessageTitle = Catalog.GetString("Set Password");
string ErrorMessage = String.Format(Catalog.GetString("There was a problem setting the password for user {0}."), UserName);
if (txtOldPassword.Visible && !TRemote.MSysMan.Maintenance.WebConnectors.PasswordAuthentication(UserName, this.txtOldPassword.Text))
{
MessageBox.Show(Catalog.GetString("Incorrect password entered."),
MessageTitle, MessageBoxButtons.OK, MessageBoxIcon.Error);
}
if (txtNewPassword.Text != txtNewPassword2.Text)
{
MessageBox.Show(Catalog.GetString("Passwords do not match! Please try again..."),
MessageTitle, MessageBoxButtons.OK, MessageBoxIcon.Error);
return;
}
if (txtNewPassword.Text == this.txtOldPassword.Text && this.PasswordNeedsChanged)
{
MessageBox.Show(String.Format(Catalog.GetString(
"This password is the same as your old password! Please enter a new password."), UserName),
MessageTitle, MessageBoxButtons.OK, MessageBoxIcon.Error);
return;
}
TVerificationResultCollection VerificationResultCollection;
TVerificationResult VerificationResult;
if (!TSharedSysManValidation.CheckPasswordQuality(txtNewPassword.Text, out VerificationResult))
{
MessageBox.Show(ErrorMessage + Environment.NewLine + Environment.NewLine +
VerificationResult.ResultText,
MessageTitle, MessageBoxButtons.OK, MessageBoxIcon.Error);
return;
}
if (!TRemote.MSysMan.Maintenance.WebConnectors.SetUserPassword(UserName, txtNewPassword.Text,
txtOldPassword.Text,
PasswordNeedsChanged,
out VerificationResultCollection))
{
MessageBox.Show(ErrorMessage + Environment.NewLine + Environment.NewLine +
VerificationResultCollection.BuildVerificationResultString(),
MessageTitle, MessageBoxButtons.OK, MessageBoxIcon.Error);
return;
}
MessageBox.Show(String.Format(Catalog.GetString("Password was successfully set for user {0}."), UserName),
MessageTitle);
this.DialogResult = DialogResult.OK;
}
private void ValidateDataDetailsManual(SUserRow ARow)
{
if (ARow == null)
{
return;
}
TVerificationResultCollection VerificationResultCollection = FPetraUtilsObject.VerificationResultCollection;
// validate bank account details
TSharedSysManValidation.ValidateSUserDetails(this,
ARow,
ref VerificationResultCollection,
FPetraUtilsObject.ValidationControlsDict);
}
private void BtnOK_Click(Object Sender, EventArgs e)
{
if (txtNewPassword.Text != txtNewPassword2.Text)
{
MessageBox.Show(Catalog.GetString("Passwords do not match! Please try again..."));
return;
}
if (txtNewPassword.Text == this.txtOldPassword.Text && this.PasswordNeedsChanged)
{
MessageBox.Show(String.Format(Catalog.GetString(
"Password not changed as the old password was reused. Please use a new password."), Catalog.GetString("Error")));
return;
}
TVerificationResultCollection VerificationResultCollection;
TVerificationResult VerificationResult;
if (!TSharedSysManValidation.CheckPasswordQuality(txtNewPassword.Text, out VerificationResult))
{
MessageBox.Show(String.Format(Catalog.GetString(
"There was a problem setting the password for user {0}."), UserName) +
Environment.NewLine + VerificationResult.ResultText);
return;
}
if (!TRemote.MSysMan.Maintenance.WebConnectors.SetUserPassword(UserName, txtNewPassword.Text,
txtOldPassword.Text,
PasswordNeedsChanged,
out VerificationResultCollection))
{
MessageBox.Show(String.Format(Catalog.GetString(
"There was a problem setting the password for user {0}."), UserName) +
Environment.NewLine + VerificationResultCollection.BuildVerificationResultString());
return;
}
MessageBox.Show(String.Format(Catalog.GetString("Password was successfully set for user {0}"), UserName),
Catalog.GetString("Success"));
this.DialogResult = DialogResult.OK;
}
private void SetPassword(Object Sender, EventArgs e)
{
string username = GetSelectedDetailRow().UserId;
// only request the password once, since this is the sysadmin changing it.
// see http://bazaar.launchpad.net/~openpetracore/openpetraorg/trunkhosted/view/head:/csharp/ICT/Petra/Client/MSysMan/Gui/SysManMain.cs
// for the change password dialog for the normal user
PetraInputBox input = new PetraInputBox(
Catalog.GetString("Change the password"),
String.Format(Catalog.GetString("Please enter the new password for user {0}:"), username),
"", true);
if (input.ShowDialog() == DialogResult.OK)
{
string password = input.GetAnswer();
TVerificationResult VerificationResult;
if (TSharedSysManValidation.CheckPasswordQuality(password, out VerificationResult))
{
if (TRemote.MSysMan.Maintenance.WebConnectors.SetUserPassword(username, password, true, true))
{
MessageBox.Show(String.Format(Catalog.GetString("Password was successfully set for user {0}"), username));
// this has already been saved on during the server call to change the password
GetSelectedDetailRow().Retired = false;
}
else
{
MessageBox.Show(String.Format(Catalog.GetString("There was a problem setting the password for user {0}"), username));
}
}
else
{
MessageBox.Show(String.Format(Catalog.GetString(
"There was a problem setting the password for user {0}."), username) +
Environment.NewLine + VerificationResult.ResultText);
}
}
}
public static bool SetUserPassword(string AUsername,
string APassword,
string AOldPassword,
bool APasswordNeedsChanged,
out TVerificationResultCollection AVerification)
{
TDBTransaction Transaction;
string UserAuthenticationMethod = TAppSettingsManager.GetValue("UserAuthenticationMethod", "OpenPetraDBSUser", false);
TVerificationResult VerificationResult;
AVerification = new TVerificationResultCollection();
if (!TSharedSysManValidation.CheckPasswordQuality(APassword, out VerificationResult))
{
return(false);
}
if (APasswordNeedsChanged && APassword == AOldPassword)
{
AVerification = new TVerificationResultCollection();
AVerification.Add(new TVerificationResult("\nPassword check.",
Catalog.GetString(
"Password not changed as the old password was reused. Please use a new password."),
TResultSeverity.Resv_Critical));
return(false);
}
if (UserAuthenticationMethod == "OpenPetraDBSUser")
{
TPetraPrincipal tempPrincipal;
SUserRow UserDR = TUserManagerWebConnector.LoadUser(AUsername.ToUpper(), out tempPrincipal);
if (TUserManagerWebConnector.CreateHashOfPassword(String.Concat(AOldPassword,
UserDR.PasswordSalt)) != UserDR.PasswordHash)
{
AVerification = new TVerificationResultCollection();
AVerification.Add(new TVerificationResult("\nPassword quality check.",
String.Format(
Catalog.GetString(
"Old password entered incorrectly. Password not changed.")),
TResultSeverity.Resv_Critical));
return(false);
}
SUserTable UserTable = (SUserTable)UserDR.Table;
UserDR.PasswordHash = TUserManagerWebConnector.CreateHashOfPassword(String.Concat(APassword,
UserDR.PasswordSalt));
UserDR.PasswordNeedsChange = false;
Transaction = DBAccess.GDBAccessObj.BeginTransaction(IsolationLevel.Serializable);
try
{
SUserAccess.SubmitChanges(UserTable, Transaction);
DBAccess.GDBAccessObj.CommitTransaction();
}
catch (Exception Exc)
{
TLogging.Log("An Exception occured during the setting of the User Password:" + Environment.NewLine + Exc.ToString());
DBAccess.GDBAccessObj.RollbackTransaction();
throw;
}
return(true);
}
else
{
IUserAuthentication auth = TUserManagerWebConnector.LoadAuthAssembly(UserAuthenticationMethod);
return(auth.SetPassword(AUsername, APassword, AOldPassword));
}
}
public static bool SetUserPassword(string AUsername,
string ANewPassword,
bool APasswordNeedsChanged,
bool AUnretireIfRetired,
string AClientComputerName, string AClientIPAddress,
out TVerificationResultCollection AVerification)
{
TVerificationResult VerificationResult;
SUserTable UserTable;
SUserRow UserDR;
string UserAuthenticationMethod = TAppSettingsManager.GetValue("UserAuthenticationMethod", "OpenPetraDBSUser", false);
bool BogusPasswordChangeAttempt = false;
AVerification = new TVerificationResultCollection();
// Password quality check
if (!TSharedSysManValidation.CheckPasswordQuality(ANewPassword, out VerificationResult))
{
AVerification.Add(VerificationResult);
return(false);
}
if (UserAuthenticationMethod == "OpenPetraDBSUser")
{
TDBTransaction SubmitChangesTransaction = null;
bool SubmissionResult = false;
TPetraPrincipal tempPrincipal;
DBAccess.GDBAccessObj.BeginAutoTransaction(IsolationLevel.Serializable, ref SubmitChangesTransaction,
ref SubmissionResult,
delegate
{
try
{
UserDR = TUserManagerWebConnector.LoadUser(AUsername.ToUpper(), out tempPrincipal,
SubmitChangesTransaction);
}
catch (EUserNotExistantException)
{
// Because this cannot happen when a password change gets effected through normal OpenPetra
// operation this is treated as a bogus operation that an attacker launches!
BogusPasswordChangeAttempt = true;
// Logging
TUserAccountActivityLog.AddUserAccountActivityLogEntry(AUsername,
TUserAccountActivityLog.USER_ACTIVITY_PWD_CHANGE_ATTEMPT_BY_SYSADMIN_FOR_NONEXISTING_USER,
String.Format(Catalog.GetString(
"A system administrator, {0}, made an attempt to change a User's password for UserID {1} " +
"but that user doesn't exist! "), UserInfo.GUserInfo.UserID, AUsername) +
String.Format(ResourceTexts.StrRequestCallerInfo, AClientComputerName, AClientIPAddress),
SubmitChangesTransaction);
SubmissionResult = true; // Need to set this so that the DB Transaction gets committed!
// Simulate that time is spent on 'authenticating' a user (although the user doesn't exist)...! Reason for that: see Method
// SimulatePasswordAuthenticationForNonExistingUser!
TUserManagerWebConnector.SimulatePasswordAuthenticationForNonExistingUser();
return;
}
UserTable = (SUserTable)UserDR.Table;
// Note: We are on purpose NOT checking here whether the new password is the same as the existing
// password (which would be done by calling the IsNewPasswordSameAsExistingPassword Method) because
// if we would do that then the SYSADMIN could try to find out what the password of a user is by
// seeing if (s)he would get a message that the new password must be different from the old password...!
SetNewPasswordHashAndSaltForUser(UserDR, ANewPassword, AClientComputerName, AClientIPAddress, SubmitChangesTransaction);
UserDR.PasswordNeedsChange = APasswordNeedsChanged;
// 'Unretire' the user if the user has been previously 'retired' and also 'unlock' the User Account if
// it has previously been locked
if (AUnretireIfRetired)
{
UserDR.Retired = false;
UserDR.AccountLocked = false;
}
try
{
SUserAccess.SubmitChanges(UserTable, SubmitChangesTransaction);
TUserAccountActivityLog.AddUserAccountActivityLogEntry(UserDR.UserId,
TUserAccountActivityLog.USER_ACTIVITY_PWD_CHANGE_BY_SYSADMIN,
String.Format(Catalog.GetString(
"The password of user {0} got changed by user {1} (the latter user has got SYSADMIN " +
"privileges). "), UserDR.UserId, UserInfo.GUserInfo.UserID) +
String.Format(ResourceTexts.StrRequestCallerInfo, AClientComputerName, AClientIPAddress),
SubmitChangesTransaction);
}
catch (Exception Exc)
{
TLogging.Log("An Exception occured during the saving of the new User Password by the SYSADMIN:" + Environment.NewLine +
Exc.ToString());
throw;
}
SubmissionResult = true;
});
return(!BogusPasswordChangeAttempt);
}
else
{
IUserAuthentication auth = TUserManagerWebConnector.LoadAuthAssembly(UserAuthenticationMethod);
return(auth.SetPassword(AUsername, ANewPassword));
}
}
public static bool SetUserPassword(string AUserID,
string ANewPassword,
string ACurrentPassword,
bool APasswordNeedsChanged,
string AClientComputerName, string AClientIPAddress,
out TVerificationResultCollection AVerification)
{
string UserAuthenticationMethod = TAppSettingsManager.GetValue("UserAuthenticationMethod", "OpenPetraDBSUser", false);
TVerificationResult VerificationResult;
TVerificationResultCollection VerificationResultColl = null;
SUserRow UserDR = null;
SUserTable UserTable = null;
bool BogusPasswordChangeAttempt = false;
AVerification = new TVerificationResultCollection();
// Security check: Is the user that is performing the password change request the current user?
if (AUserID != UserInfo.GUserInfo.UserID)
{
throw new EOPAppException(
"The setting of a User's Password must only be done by the user itself, but this isn't the case here and therefore the request gets denied");
}
// Password quality check
if (!TSharedSysManValidation.CheckPasswordQuality(ANewPassword, out VerificationResult))
{
AVerification.Add(VerificationResult);
return(false);
}
if (UserAuthenticationMethod == "OpenPetraDBSUser")
{
TPetraPrincipal tempPrincipal;
TDBTransaction SubmitChangesTransaction = null;
bool SubmissionResult = false;
DBAccess.GDBAccessObj.BeginAutoTransaction(IsolationLevel.Serializable, ref SubmitChangesTransaction,
ref SubmissionResult,
delegate
{
try
{
UserDR = TUserManagerWebConnector.LoadUser(AUserID.ToUpper(), out tempPrincipal,
SubmitChangesTransaction);
}
catch (EUserNotExistantException)
{
// Because this cannot happen when a password change gets effected through normal OpenPetra
// operation this is treated as a bogus operation that an attacker launches!
BogusPasswordChangeAttempt = true;
// Logging
TUserAccountActivityLog.AddUserAccountActivityLogEntry(AUserID,
TUserAccountActivityLog.USER_ACTIVITY_PWD_CHANGE_ATTEMPT_BY_USER_FOR_NONEXISTING_USER,
String.Format(Catalog.GetString(
"User {0} tried to make an attempt to change a User's password for UserID {1} " +
"but that user doesn't exist! "), UserInfo.GUserInfo.UserID, AUserID) +
String.Format(ResourceTexts.StrRequestCallerInfo, AClientComputerName, AClientIPAddress),
SubmitChangesTransaction);
SubmissionResult = true; // Need to set this so that the DB Transaction gets committed!
// Simulate that time is spent on 'authenticating' a user (although the user doesn't exist)...! Reason for that: see Method
// SimulatePasswordAuthenticationForNonExistingUser!
TUserManagerWebConnector.SimulatePasswordAuthenticationForNonExistingUser();
return;
}
UserTable = (SUserTable)UserDR.Table;
// Security check: Is the supplied current password correct?
if (TUserManagerWebConnector.CreateHashOfPassword(ACurrentPassword,
UserDR.PasswordSalt, UserDR.PwdSchemeVersion) != UserDR.PasswordHash)
{
VerificationResultColl = new TVerificationResultCollection();
VerificationResultColl.Add(new TVerificationResult("Password Verification",
Catalog.GetString(
"The current password was entered incorrectly! The password did not get changed."),
TResultSeverity.Resv_Critical));
try
{
SUserAccess.SubmitChanges(UserTable, SubmitChangesTransaction);
TUserAccountActivityLog.AddUserAccountActivityLogEntry(UserDR.UserId,
TUserAccountActivityLog.USER_ACTIVITY_PWD_WRONG_WHILE_PWD_CHANGE,
String.Format(Catalog.GetString(
"User {0} supplied the wrong current password while attempting to change " +
"his/her password! ") +
String.Format(ResourceTexts.StrRequestCallerInfo, AClientComputerName, AClientIPAddress),
UserInfo.GUserInfo.UserID),
SubmitChangesTransaction);
SubmissionResult = true;
}
catch (Exception Exc)
{
TLogging.Log(String.Format(
"An Exception occured during the changing of the User Password by user '{0}' (Situation 1):", AUserID) +
Environment.NewLine + Exc.ToString());
throw;
}
}
});
if (BogusPasswordChangeAttempt)
{
// Note: VerificationResultColl will be null in this case because we don't want to disclose to an attackeer
// why the password change attempt was denied!!!
return(false);
}
if (VerificationResultColl != null)
{
AVerification = VerificationResultColl;
return(false);
}
// Security check: Is the supplied new password the same than the current password?
if (IsNewPasswordSameAsExistingPassword(ANewPassword, UserDR, out VerificationResult))
{
AVerification.Add(VerificationResult);
return(false);
}
//
// All checks passed: We go aheand and change the user's password!
//
SetNewPasswordHashAndSaltForUser(UserDR, ANewPassword, AClientComputerName, AClientIPAddress, SubmitChangesTransaction);
UserDR.PasswordNeedsChange = false;
DBAccess.GDBAccessObj.BeginAutoTransaction(IsolationLevel.Serializable, ref SubmitChangesTransaction,
ref SubmissionResult,
delegate
{
try
{
SUserAccess.SubmitChanges(UserTable, SubmitChangesTransaction);
TUserAccountActivityLog.AddUserAccountActivityLogEntry(UserDR.UserId,
(APasswordNeedsChanged ? TUserAccountActivityLog.USER_ACTIVITY_PWD_CHANGE_BY_USER_ENFORCED :
TUserAccountActivityLog.USER_ACTIVITY_PWD_CHANGE_BY_USER),
String.Format(Catalog.GetString("User {0} changed his/her password{1}"),
UserInfo.GUserInfo.UserID,
(APasswordNeedsChanged ? Catalog.GetString(" (enforced password change.) ") : ". ")) +
String.Format(ResourceTexts.StrRequestCallerInfo, AClientComputerName, AClientIPAddress),
SubmitChangesTransaction);
SubmissionResult = true;
}
catch (Exception Exc)
{
TLogging.Log(String.Format("An Exception occured during the changing of the User Password by user '{0}' (Situation 2):",
AUserID) +
Environment.NewLine + Exc.ToString());
throw;
}
});
return(true);
}
else
{
IUserAuthentication auth = TUserManagerWebConnector.LoadAuthAssembly(UserAuthenticationMethod);
return(auth.SetPassword(AUserID, ANewPassword, ACurrentPassword));
}
}
public static bool RunFirstSetup(
string AUserID,
string AFirstName,
string ALastName,
string ALanguageCode,
string AEmailAddress,
List <string> AInitialModulePermissions,
string AInitialPassword,
Int64 ASiteKey,
bool AEnableSelfSignup,
out TVerificationResultCollection AVerificationResult)
{
bool result = true;
AVerificationResult = new TVerificationResultCollection();
TVerificationResult VerificationResult = null;
TVerificationResultCollection VerificationResultCollection = new TVerificationResultCollection();
if (AInitialPassword != String.Empty)
{
// check if password is valid, it meets the criteria
if (!TSharedSysManValidation.CheckPasswordQuality(AInitialPassword, out VerificationResult))
{
AVerificationResult.Add(VerificationResult);
return(false);
}
}
result = TMaintenanceWebConnector.SaveUserAndModulePermissions(
AUserID, AFirstName, ALastName, AEmailAddress, ALanguageCode,
false, false, false, AInitialModulePermissions, 0,
out VerificationResultCollection);
if (result != false)
{
TDBTransaction t = new TDBTransaction();
TDataBase db = DBAccess.Connect("RunFirstSetup");
bool SubmitOK = false;
db.WriteTransaction(ref t,
ref SubmitOK,
delegate
{
if (AInitialPassword != String.Empty)
{
result = TMaintenanceWebConnector.SetUserPassword(AUserID, AInitialPassword, false, false,
String.Empty, String.Empty, out VerificationResultCollection);
}
else
{
// TODO send welcoming Email, with link for setting the password
}
if (result)
{
TSystemDefaults defaults = new TSystemDefaults(db);
defaults.SetSystemDefault(SharedConstants.SYSDEFAULT_SITEKEY, ASiteKey.ToString(), db);
defaults.SetSystemDefault(SharedConstants.SYSDEFAULT_SELFSIGNUPENABLED, AEnableSelfSignup.ToString(), db);
GLSetupTDS GLMainDS = new GLSetupTDS();
SubmitOK = TGLSetupWebConnector.CreateSite(ref GLMainDS, "Default Site", ASiteKey, t);
if (SubmitOK)
{
GLSetupTDSAccess.SubmitChanges(GLMainDS, db, t);
}
}
});
db.CloseDBConnection();
}
if (!result)
{
if (VerificationResultCollection.HasCriticalErrors)
{
AVerificationResult = VerificationResultCollection;
}
else
{
AVerificationResult.Add(VerificationResult);
}
}
return(result);
}
/// <summary>
/// create a new password for the current user
/// </summary>
public static bool CreateNewPassword(string AUserName, string AOldPassword, bool APasswordNeedsChanged)
{
// repeat if an invalid password is entered
while (true)
{
PetraInputBox input = new PetraInputBox(
Catalog.GetString("Change your password"),
Catalog.GetString("Please enter the new password:"******"", true);
if (input.ShowDialog() == DialogResult.OK)
{
string password = input.GetAnswer();
TVerificationResultCollection VerificationResultCollection;
TVerificationResult VerificationResult;
if (password == AOldPassword)
{
MessageBox.Show(String.Format(Catalog.GetString(
"Password not changed as the old password was entered. Please enter a new password."), AUserName));
}
else if (TSharedSysManValidation.CheckPasswordQuality(password, out VerificationResult))
{
// if first password is valid then ask user to enter it again
input = new PetraInputBox(
Catalog.GetString("Change your password"),
Catalog.GetString("Please enter the new password once more:"),
"", true);
if (input.ShowDialog() == DialogResult.OK)
{
// if both passwords are the same then save
if (password == input.GetAnswer())
{
if (TRemote.MSysMan.Maintenance.WebConnectors.SetUserPassword(AUserName, password, AOldPassword,
APasswordNeedsChanged,
out VerificationResultCollection))
{
MessageBox.Show(String.Format(Catalog.GetString("Password was successfully set for user {0}"), AUserName));
return(true);
}
else
{
MessageBox.Show(String.Format(Catalog.GetString(
"There was a problem setting the password for user {0}."), AUserName) +
Environment.NewLine + VerificationResultCollection.BuildVerificationResultString());
break;
}
}
else
{
MessageBox.Show("Passwords do not match! Please try again...");
}
}
else
{
break;
}
}
else
{
MessageBox.Show(String.Format(Catalog.GetString(
"There was a problem setting the password for user {0}."), AUserName) +
Environment.NewLine + VerificationResult.ResultText);
}
}
else
{
break;
}
}
return(false);
}
