Exemplo n.º 1
0
        public override bool AuthorizeAdmin(AuthorizationFilterContext context)
        {
            bool result = base.AuthorizeAdmin(context);

            if (!result)
            {
                return(false);
            }

            string sessionId = context.HttpContext.Request.Cookies["SessionId"];
            string userName  = EncoderUtils.Base64Decode(sessionId.Split("-")[USER_NAME_INDEX]);

            IUserDAO userDAO = context.HttpContext.RequestServices.GetRequiredService <IUserDAO>();

            UserDBModel user = userDAO.GetUser(userName);

            if (user.Role < ADMIN_ROLE)
            {
                CtfOptions ctfOptions = context.HttpContext.RequestServices.GetRequiredService <IOptions <CtfOptions> >().Value;

                CtfChallangeModel ctfChallange = ctfOptions.CtfChallanges
                                                 .Where(x => x.Type == CtfChallengeTypes.ChangeRoleInCookie)
                                                 .Single();

                context.HttpContext.Response.Headers.Add(ctfChallange.FlagKey, ctfChallange.Flag);
            }

            return(true);
        }
Exemplo n.º 2
0
        public CtfUserBL(ITransactionDAO transactionDAO, IWebHostEnvironment webHostEnvironment, IUserDAO userDAO,
                         IHttpContextAccessor httpContextAccessor, IOptions <CtfOptions> ctfOptions) : base(transactionDAO, userDAO, webHostEnvironment)
        {
            _userDAO = userDAO;

            _httpContextAccessor = httpContextAccessor;

            _ctfOptions = ctfOptions.Value;
        }
Exemplo n.º 3
0
        public CtfAuthBL(IUserDAO userDAO, ITransactionDAO transactionDAO, IEmailSender emailSender,
                         IHttpContextAccessor httpContextAccessor, IOptions <CtfOptions> options,
                         IUrlHelperFactory urlHelperFactory, IActionContextAccessor actionContextAccessor, IOptions <AppSettings> appSettings)
            : base(userDAO, transactionDAO, emailSender, httpContextAccessor, appSettings)
        {
            _urlHelperFactory      = urlHelperFactory;
            _actionContextAccessor = actionContextAccessor;

            _ctfOptions = options.Value;
        }
Exemplo n.º 4
0
        public CtfStoreBL(
            ITransactionDAO transactionDAO,
            StoreAPICalls storeAPICalls,
            IHttpContextAccessor httpContextAccessor,
            IOptions <CtfOptions> ctfOptions,
            IMemoryCache memoryCache)
            : base(transactionDAO, storeAPICalls)
        {
            _httpContextAccessor = httpContextAccessor;
            _memoryCache         = memoryCache;

            _ctfOptions = ctfOptions.Value;
        }
Exemplo n.º 5
0
        public CtfTransactionBL(
            ITransactionDAO transactionDAO,
            IUserDAO userDAO,
            IHttpContextAccessor httpContextAccessor,
            IActionContextAccessor actionContextAccessor,
            IOptions <CtfOptions> ctfOptions) : base(transactionDAO)
        {
            _userDAO = userDAO;

            _httpContextAccessor   = httpContextAccessor;
            _actionContextAccessor = actionContextAccessor;

            _ctfOptions = ctfOptions.Value;
        }
Exemplo n.º 6
0
        public void OnActionExecuting(ActionExecutingContext context)
        {
            CtfOptions ctfOptions = context.HttpContext.RequestServices.GetRequiredService <IOptions <CtfOptions> >().Value;

            if (ctfOptions.CtfChallengeOptions.UnknownGeneration)
            {
                CtfChallangeModel unkonwChallange = ctfOptions.CtfChallanges
                                                    .Where(x => x.Type == CtfChallengeTypes.UnknownGeneration)
                                                    .Single();

                context.HttpContext.Response.Headers.Add(unkonwChallange.FlagKey, unkonwChallange.Flag);
            }
            else if (ctfOptions.IsCtfEnabled)
            {
                context.Result = new NotFoundResult();
            }
        }
        public override bool AuthorizeAdmin(AuthorizationFilterContext context)
        {
            bool result = base.AuthorizeAdmin(context);

            if (!result)
            {
                return(false);
            }

            IEnumerable <Claim> claims = _cookieService.GetClaims(context.HttpContext);

            string userName = claims
                              .Where(x => x.Type == CookieConstants.USERNAME_CALIM_TYPE)
                              .Select(x => x.Value)
                              .SingleOrDefault();

            IUserDAO userDAO = context.HttpContext.RequestServices.GetRequiredService <IUserDAO>();

            UserDBModel user = userDAO.GetUser(userName);

            if (_ctfOptions.CtfChallengeOptions.ChangeRoleInCookie)
            {
                if (user.Role < 50)
                {
                    CtfOptions ctfOptions = context.HttpContext.RequestServices.GetRequiredService <IOptions <CtfOptions> >().Value;

                    CtfChallangeModel ctfChallange = ctfOptions.CtfChallanges
                                                     .Where(x => x.Type == CtfChallengeTypes.ChangeRoleInCookie)
                                                     .Single();

                    context.HttpContext.Response.Headers.Add(ctfChallange.FlagKey, ctfChallange.Flag);
                }
            }
            else
            {
                if (user.Role < 50)
                {
                    return(false);
                }
            }

            return(true);
        }
        public void OnActionExecuting(ActionExecutingContext context)
        {
            CtfOptions ctfOptions = context.HttpContext.RequestServices.GetRequiredService <IOptions <CtfOptions> >().Value;

            if (!ctfOptions.IsCtfEnabled)
            {
                context.Result = new OkObjectResult("Admin Registration");
            }
            else if (ctfOptions.CtfChallengeOptions.HiddenPageRegisterAdmin)
            {
                CtfChallangeModel hiddenPageChallange = ctfOptions.CtfChallanges
                                                        .Where(x => x.Type == CtfChallengeTypes.HiddenPage)
                                                        .Single();

                context.Result = new OkObjectResult(hiddenPageChallange.Flag);
            }
            else
            {
                context.Result = new NotFoundResult();
            }
        }
Exemplo n.º 9
0
        public void OnException(ExceptionContext context)
        {
            CtfOptions ctfOptions = context.HttpContext.RequestServices.GetRequiredService <IOptions <CtfOptions> >().Value;

            List <string> allowdErrors = new List <string>();

            if (ctfOptions.IsCtfEnabled)
            {
                if (ctfOptions.CtfChallengeOptions.ExceptionHandlingTransactionCreate)
                {
                    allowdErrors.Add("/api/Transaction/Create");
                }

                if (ctfOptions.CtfChallengeOptions.ExceptionHandlingTransactionUpload)
                {
                    allowdErrors.Add("/Upload/UploadTansactions");
                }
            }
            else
            {
                allowdErrors.Add("/api/Transaction/Create");
                allowdErrors.Add("/Upload/UploadTansactions");
            }


            if (allowdErrors.Any(x => x == context.HttpContext.Request.Path))
            {
                //Allow developer page exception
                return;
            }

            _logger.Error(context.Exception, "There was an exception");

            ViewResult result = new ViewResult {
                ViewName = "Error"
            };

            context.Result = result;
        }
Exemplo n.º 10
0
        public override bool AuthorizeMissing(AuthorizationFilterContext context)
        {
            CtfOptions ctfOptions = context.HttpContext.RequestServices.GetRequiredService <IOptions <CtfOptions> >().Value;

            ICookieService cookieService = context.HttpContext.RequestServices.GetRequiredService <ICookieService>();
            bool           isCookieValid = cookieService.ValidateCookie(context.HttpContext);

            if (ctfOptions.CtfChallengeOptions.MissingAuthentication)
            {
                CtfChallangeModel missingAuth = ctfOptions.CtfChallanges
                                                .Where(x => x.Type == CtfChallengeTypes.MissingAuthentication)
                                                .Single();

                context.HttpContext.Response.Headers.Add(missingAuth.FlagKey, missingAuth.Flag);
            }
            else
            {
                if (!isCookieValid)
                {
                    return(false);
                }
                else
                {
                    IEnumerable <Claim> claims = _cookieService.GetClaims(context.HttpContext);
                    if (claims == null)
                    {
                        return(false);
                    }

                    GenericPrincipal tmpUser = new GenericPrincipal(new ClaimsIdentity(claims), Array.Empty <string>());

                    context.HttpContext.User = tmpUser;
                }
            }

            return(true);
        }
Exemplo n.º 11
0
        // This method gets called by the runtime. Use this method to configure the HTTP request pipeline.
        public void Configure(IApplicationBuilder app, IWebHostEnvironment env)
        {
            AppSettings appSettings = Configuration.GetSection("AppSettings").Get <AppSettings>();

            CtfOptions ctfOptions = app.ApplicationServices.GetRequiredService <IOptions <CtfOptions> >().Value;

            app.UseDeveloperExceptionPage();

            app.UseSwagger();
            app.UseSwaggerUI(x =>
            {
                x.SwaggerEndpoint("/swagger/v1/swagger.json", "SecureBank API");

                if (ctfOptions.CtfChallengeOptions.Swagger)
                {
                    CtfChallangeModel swaggerChallange = ctfOptions.CtfChallanges
                                                         .Where(x => x.Type == CtfChallengeTypes.Swagger)
                                                         .Single();

                    string swaggerCssPath = "css/swagger.css";
                    string css            = @$ "
                    .topbar-wrapper img[alt='Swagger UI'], .topbar-wrapper span {{
                        visibility: hidden;
                    }}
Exemplo n.º 12
0
        public CtfPortalSearchBL(IHttpContextAccessor httpContextAccessor, IOptions <CtfOptions> ctfOptions)
        {
            _httpContextAccessor = httpContextAccessor;

            _ctfOptions = ctfOptions.Value;
        }
Exemplo n.º 13
0
 public CtfAuthorizeService(ICookieService cookieService, IOptions <CtfOptions> ctfOptions) : base(cookieService)
 {
     _ctfOptions = ctfOptions.Value;
 }
Exemplo n.º 14
0
        // This method gets called by the runtime. Use this method to add services to the container.
        public void ConfigureServices(IServiceCollection services)
        {
            AppSettings appSettings = Configuration.GetSection("AppSettings").Get <AppSettings>();

            if (appSettings != null)
            {
                services.Configure <AppSettings>(options =>
                {
                    options.StoreEndpoint   = appSettings.StoreEndpoint;
                    options.SmtpCredentials = appSettings.SmtpCredentials;
                    options.LegalURL        = appSettings.LegalURL;
                    options.IgnoreEmails    = appSettings.SmtpCredentials == null || string.IsNullOrEmpty(appSettings.SmtpCredentials.Ip) ? true : false;
                });
            }

            DatabaseSettings customerDbSettings = Configuration.GetSection("DatabaseConnections:SecureBankMSSQL").Get <DatabaseSettings>();

            if (customerDbSettings != null)
            {
                string customerConnectionString = string.Format("Server={0},{1};Database={2};User Id={3};Password={4}",
                                                                customerDbSettings.Server,
                                                                customerDbSettings.ServerPort,
                                                                customerDbSettings.Database,
                                                                customerDbSettings.UserId,
                                                                customerDbSettings.UserPass);
                _logger.Info(customerConnectionString);
                // configure mssql
                services.AddDbContext <PortalDBContext>(options => options.UseSqlServer(customerConnectionString));
            }
            else
            {
                //configure sqlite
                services.AddDbContext <PortalDBContext>(options => options.UseSqlite("Filename=./customerDB.db"));
            }

            services.AddTransient <IActionContextAccessor, ActionContextAccessor>();

            services.AddTransient <ITransactionDAO, TransactionDAO>();
            services.AddTransient <IUserDAO, UserDAO>();
            services.AddTransient <IDbInitializer, DbInitializer>();

            services.AddScoped <StoreAPICalls>();
            services.AddTransient <IEmailSender, EmailSender>();

            services.AddScoped <IUserBL, UserBL>();
            services.AddScoped <ITransactionBL, TransactionBL>();
            services.AddScoped <IStoreBL, StoreBL>();
            services.AddScoped <IPortalSearchBL, PortalSearchBL>();
            services.AddScoped <IAuthBL, AuthBL>();
            services.AddScoped <IUploadFileBL, UploadFileBL>();
            services.AddScoped <IAdminBL, AdminBL>();
            services.AddScoped <IAdminStoreBL, AdminStoreBL>();

            services.AddAuthorization(options =>
            {
                AuthorizationPolicyBuilder defaultAuthorizationPolicyBuilder = new AuthorizationPolicyBuilder();
                defaultAuthorizationPolicyBuilder.RequireAssertion(x => true);

                options.DefaultPolicy = defaultAuthorizationPolicyBuilder.Build();
            });

            services.AddSingleton <IAuthorizeService, AuthorizeService>();
            services.AddSingleton <IUserExtensions, UserExtensions>();

            if (appSettings?.Ctf?.Enabled ?? false)
            {
                services.ConfigureCtf(Configuration);
            }

            services.AddControllersWithViews();

            services.AddSwaggerGen(x =>
            {
                if (appSettings?.Ctf?.Enabled ?? false)
                {
                    //TO DO: Try to change this so singelton services are not created

#pragma warning disable ASP0000
                    IServiceProvider serviceProvider = services.BuildServiceProvider();
                    CtfOptions ctfOptions            = serviceProvider.GetService <IOptions <CtfOptions> >()?.Value;

                    CtfChallangeModel swaggerChallange = ctfOptions?.CtfChallanges
                                                         .Where(x => x.Type == CtfChallengeTypes.Swagger)
                                                         .Single();

                    x.SwaggerDoc("v1", new Microsoft.OpenApi.Models.OpenApiInfo {
                        Title = "BankWeb API", Version = "v1", Description = swaggerChallange?.Flag
                    });
                }
                else
                {
                    x.SwaggerDoc("v1", new Microsoft.OpenApi.Models.OpenApiInfo {
                        Title = "BankWeb API", Version = "v1"
                    });
                }

                string xmlPath = System.IO.Path.Combine(AppContext.BaseDirectory, $"{System.Reflection.Assembly.GetExecutingAssembly().GetName().Name}.xml");
                x.IncludeXmlComments(xmlPath);
            });
        }
Exemplo n.º 15
0
        public UserExtensions(ICookieService cookieService, IOptions <CtfOptions> ctfOptions)
        {
            _cookieService = cookieService;

            _ctfOptions = ctfOptions.Value;
        }
Exemplo n.º 16
0
        // This method gets called by the runtime. Use this method to add services to the container.
        public void ConfigureServices(IServiceCollection services)
        {
            AppSettings appSettings = Configuration.GetSection("AppSettings").Get <AppSettings>();

            if (appSettings != null)
            {
                services.Configure <AppSettings>(options =>
                {
                    options.StoreEndpoint   = appSettings.StoreEndpoint;
                    options.SmtpCredentials = appSettings.SmtpCredentials;
                    options.IgnoreEmails    = string.IsNullOrEmpty(appSettings.SmtpCredentials.Ip);
                    options.BaseUrl         = appSettings.BaseUrl;
                });
            }
            else
            {
                throw new Exception("Appsettings cannot be null");
            }


            DatabaseSettings customerDbSettings = Configuration.GetSection("DatabaseConnections:SecureBankMSSQL").Get <DatabaseSettings>();

            if (customerDbSettings != null)
            {
                string customerConnectionString = string.Format("Server={0},{1};Database={2};User Id={3};Password={4}",
                                                                customerDbSettings.Server,
                                                                customerDbSettings.ServerPort,
                                                                customerDbSettings.Database,
                                                                customerDbSettings.UserId,
                                                                customerDbSettings.UserPass);
                _logger.Info(customerConnectionString);
                // configure mssql
                services.AddDbContext <PortalDBContext>(options => options.UseSqlServer(customerConnectionString));
            }
            else
            {
                //configure sqlite
                services.AddDbContext <PortalDBContext>(options => options.UseSqlite("Filename=./customerDB.db"));
            }

            services.AddTransient <IActionContextAccessor, ActionContextAccessor>();

            services.AddTransient <ITransactionDAO, TransactionDAO>();
            services.AddTransient <IUserDAO, UserDAO>();
            services.AddTransient <IDbInitializer, DbInitializer>();

            services.AddScoped <StoreAPICalls>();
            services.AddTransient <IEmailSender, EmailSender>();

            services.AddScoped <IUserBL, UserBL>();
            services.AddScoped <ITransactionBL, TransactionBL>();
            services.AddScoped <IStoreBL, StoreBL>();
            services.AddScoped <IPortalSearchBL, PortalSearchBL>();
            services.AddScoped <IAuthBL, AuthBL>();
            services.AddScoped <IUploadFileBL, UploadFileBL>();
            services.AddScoped <IAdminBL, AdminBL>();
            services.AddScoped <IAdminStoreBL, AdminStoreBL>();

            services.AddAuthorization(options =>
            {
                AuthorizationPolicyBuilder defaultAuthorizationPolicyBuilder = new AuthorizationPolicyBuilder();
                defaultAuthorizationPolicyBuilder.RequireAssertion(x => true);

                options.DefaultPolicy = defaultAuthorizationPolicyBuilder.Build();
            });

            services.AddSingleton <IAuthorizeService, AuthorizeService>();
            services.AddSingleton <IUserExtensions, UserExtensions>();

            services.AddSingleton <ICookieService, CookieService>();

            CtfOptions ctfOptions = null;

            if (appSettings?.Ctf?.Enabled ?? false)
            {
                ctfOptions = services.ConfigureCtf(Configuration);
            }
            else
            {
                ctfOptions = services.ConfigureWithoutCtf(Configuration);
            }

            services.AddControllersWithViews(options =>
            {
                options.Filters.Add(new GlobalExceptionFilter());
            });

            services.AddDirectoryBrowser();

            services.AddSwaggerGen(x =>
            {
                x.SwaggerDoc("v1", new Microsoft.OpenApi.Models.OpenApiInfo {
                    Title = "BankWeb API", Version = "v1"
                });

                string xmlPath = Path.Combine(AppContext.BaseDirectory, $"{System.Reflection.Assembly.GetExecutingAssembly().GetName().Name}.xml");
                x.IncludeXmlComments(xmlPath);
            });
        }
Exemplo n.º 17
0
 public CtfUploadFileBL(IHttpContextAccessor httpContextAccessor, IOptions <CtfOptions> options) : base()
 {
     _httpContextAccessor = httpContextAccessor;
     _ctfOptions          = options.Value;
 }
Exemplo n.º 18
0
 public HomeController(IOptions <CtfOptions> options)
 {
     _ctfOptions = options.Value;
 }
Exemplo n.º 19
0
 public CtfAdminBL(ITransactionDAO transactionDao, IUserDAO userDAO, IOptions <CtfOptions> ctfOptions, IHttpContextAccessor httpContextAccessor)
     : base(transactionDao, userDAO)
 {
     _ctfOptions          = ctfOptions.Value;
     _httpContextAccessor = httpContextAccessor;
 }
Exemplo n.º 20
0
        public CtfTransactionBL(ITransactionDAO transactionDAO, IHttpContextAccessor httpContextAccessor, IOptions <CtfOptions> ctfOptions) : base(transactionDAO)
        {
            _httpContextAccessor = httpContextAccessor;

            _ctfOptions = ctfOptions.Value;
        }
Exemplo n.º 21
0
 public CtfAdminStoreBL(StoreAPICalls storeAPICalls, IOptions <CtfOptions> ctfOptions, IHttpContextAccessor httpContextAccessor) : base(storeAPICalls)
 {
     _ctfOptions          = ctfOptions.Value;
     _httpContextAccessor = httpContextAccessor;
 }