Exemplo n.º 1
0
        private LdapConnection Bind(string hostname, string bindDN, string bindPW)
        {
            LdapConnection conn = null;

            try {
                //Establish ldap bind
                conn = GetLdapConnectionFromBindingDN(hostname, bindDN, bindPW);

                if (!conn.Bound)
                {
                    UnBind(conn);
                    conn = null;

                    //Sometimes it doesn't throw an exception but ramains unbound.
                    throw new DreamAbortException(DreamMessage.AccessDenied("Deki LDAP Service", string.Format("An LDAP bind was not established. Server: '{0}'. BindingDN: '{1}'. Password provided? '{2}'", hostname, bindDN, string.IsNullOrEmpty(bindPW) ? "No." : "Yes.")));
                }
            } catch (LdapException x) {
                UnBind(conn);

                if (x.ResultCode == LdapException.INVALID_CREDENTIALS)
                {
                    throw new DreamAbortException(DreamMessage.AccessDenied("Deki LDAP Service", string.Format("Invalid LDAP credentials. Server: '{0}'. BindingDN: '{1}'. Password provided? '{2}'", hostname, bindDN, string.IsNullOrEmpty(bindPW) ? "No." : "Yes.")));
                }
                else
                {
                    throw;
                }
            }
            return(conn);
        }
Exemplo n.º 2
0
        /// <summary>
        /// Returns a connected/authenticated ldapclient. Authentication info either comes from
        /// the standard authentication header or from local configuration.
        /// Default scope and domain controller IP/Host must be in service configuration.
        /// </summary>
        /// <param name="requireHeaderAuth">Will only accept authenticate from request header</param>
        /// <returns></returns>
        private LdapClient GetLdapClient(DreamContext context, DreamMessage request, bool requireAuth)
        {
            string authuser     = string.Empty;
            string authpassword = string.Empty;

            HttpUtil.GetAuthentication(context.Uri.ToUri(), request.Headers, out authuser, out authpassword);
            if (_config.VerboseLogging)
            {
                LogUtils.LogTrace(_log, context.Feature.VerbSignature, string.Format("Performing LDAP lookup uri: '{0}' username: '******' pw: '{2}'", context.Feature.VerbSignature, authuser, authpassword));
            }

            if (string.IsNullOrEmpty(authuser) && requireAuth)
            {
                throw new DreamAbortException(DreamMessage.AccessDenied(AuthenticationRealm, "Provide credentials to authenticate with ldap"));
            }

            LdapClient ldap = new LdapClient(_config, authuser, authpassword, _log);

            ldap.TimeLimit = context.GetParam <int>("timelimit", _config.LdapTimeOut);
            if (requireAuth)
            {
                bool authenticated = ldap.Authenticate();

                if (!authenticated)
                {
                    string msg = string.Format("Invalid LDAP username or password. Login DN used: '{0}'", ldap.BuildBindDn(authuser));
                    throw new DreamAbortException(DreamMessage.AccessDenied(AuthenticationRealm, msg));
                }
            }
            return(ldap);
        }
        protected page Authorize(DreamContext context, user user, DekiAccessLevel access, string pageIdName)
        {
            page result;
            long id = context.Uri.GetParam <long>(pageIdName, 0);

            if (id == 0)
            {
                string title = context.Uri.GetParam("title", "");
                if (string.IsNullOrEmpty(title))
                {
                    throw new DreamAbortException(DreamMessage.NotFound(""));
                }

                result = page.GetCurByTitle(title);
            }
            else
            {
                result = page.GetCurByID((ulong)id);
            }

            // check that page was found
            if ((result == null) || (result.ID <= 0))
            {
                throw new DreamAbortException(DreamMessage.NotFound(""));
            }

            // check if action is allowed
            string action;

            switch (access)
            {
            case DekiAccessLevel.Read:
                action = DekiWikiConstants.ACTION_READ;
                break;

            case DekiAccessLevel.Write:
                action = DekiWikiConstants.ACTION_EDIT;
                break;

            case DekiAccessLevel.Destroy:
                action = DekiWikiConstants.ACTION_DELETE;
                break;

            default:
                throw new DreamAbortException(DreamMessage.BadRequest(string.Format("unknown action {0}", access)));
            }
            if (!result.userCan(action, user))
            {
                throw new DreamAbortException(DreamMessage.AccessDenied(DekiWikiService.AUTHREALM, ""));
            }

            // return page
            return(result);
        }
        //--- Methods ---

        /// <summary>
        /// Authenticate the current request.
        /// </summary>
        /// <param name="context">Context of current request</param>
        /// <param name="request">Current request</param>
        /// <returns>Authenticatd user name</returns>
        /// <exception cref="DreamAbortException">Throws a DreamAbortException with Access Denied response if authentication fails</exception>
        public virtual string Authenticate(DreamContext context, DreamMessage request)
        {
            string user;
            string password;

            HttpUtil.GetAuthentication(context.Uri.ToUri(), request.Headers, out user, out password);
            if (string.IsNullOrEmpty(user) || string.IsNullOrEmpty(password) || !CheckUserPassword(user, password))
            {
                throw new DreamAbortException(DreamMessage.AccessDenied(AuthenticationRealm, "Missing or invalid credentials"));
            }
            return(user);
        }
        protected user Authenticate(DreamContext context, DreamMessage request, DekiUserLevel level)
        {
            user result = null;

            // get username and password
            string user;
            string password;

            if (!DreamUtil.GetAuthentication(context, request, out user, out password))
            {
                // anonymous access is always granted
                if (level == DekiUserLevel.Anonymous)
                {
                    // TODO (steveb): missing code
                    throw new NotImplementedException("return anonymous user");
                }
                else
                {
                    throw new DreamAbortException(DreamMessage.AccessDenied(AuthenticationRealm, "authentication failed"));
                }
            }

            // validate username and password
            result = MindTouch.Deki.user.GetUserByName(user);
            if (result == null)
            {
                throw new DreamAbortException(DreamMessage.AccessDenied(AuthenticationRealm, "authentication failed"));
            }
            if (!result.checkPassword(password))
            {
                throw new DreamAbortException(DreamMessage.AccessDenied(AuthenticationRealm, "authentication failed"));
            }
            if ((level == DekiUserLevel.Admin) && !result.isSysop())
            {
                throw new DreamAbortException(DreamMessage.AccessDenied(AuthenticationRealm, "authentication failed"));
            }
            return(result);
        }
 private static DreamMessage Map(MindTouchAccessDeniedException e, DekiResources resources)
 {
     return(DreamMessage.AccessDenied(e.AuthRealm, resources.Localize(e.Resource)));
 }