Exemplo n.º 1
0
        public Response Execute(NancyContext context, IResponseFormatter response)
        {
            if (!configurationStore.GetIsEnabled())
            {
                return(responseCreator.AsStatusCode(HttpStatusCode.BadRequest));
            }

            var model = modelBinder.Bind <LoginCommand>(context);

            var attemptedUsername      = model.Username;
            var requestUserHostAddress = context.Request.UserHostAddress;

            var action = loginTracker.BeforeAttempt(attemptedUsername, requestUserHostAddress);

            if (action == InvalidLoginAction.Ban)
            {
                return(responseCreator.BadRequest("You have had too many failed login attempts in a short period of time. Please try again later."));
            }

            var userResult = credentialValidator.ValidateCredentials(attemptedUsername, model.Password);

            if (!userResult.Succeeded)
            {
                loginTracker.RecordFailure(attemptedUsername, requestUserHostAddress);

                if (action == InvalidLoginAction.Slow)
                {
                    sleep.For(1000);
                }

                return(responseCreator.BadRequest(userResult.FailureReason));
            }

            var user = userResult.User;

            if (user == null || !user.IsActive || user.IsService)
            {
                loginTracker.RecordFailure(attemptedUsername, requestUserHostAddress);

                if (action == InvalidLoginAction.Slow)
                {
                    sleep.For(1000);
                }

                return(responseCreator.BadRequest("Invalid username or password."));
            }

            loginTracker.RecordSucess(attemptedUsername, requestUserHostAddress);

            var cookie = issuer.CreateAuthCookie(context, user.IdentificationToken, model.RememberMe);

            return(responseCreator.AsOctopusJson(response, userMapper.MapToResource(user))
                   .WithCookie(cookie)
                   .WithStatusCode(HttpStatusCode.OK)
                   .WithHeader("Expires", DateTime.UtcNow.AddYears(1).ToString("R", DateTimeFormatInfo.InvariantInfo)));
        }
Exemplo n.º 2
0
        public async Task <Response> ExecuteAsync(NancyContext context, IResponseFormatter response)
        {
            // Step 1: Try and get all of the details from the request making sure there are no errors passed back from the external identity provider
            string stateFromRequest;
            var    principalContainer = await authTokenHandler.GetPrincipalAsync(context.Request, out stateFromRequest);

            var principal = principalContainer.principal;

            if (principal == null || !string.IsNullOrEmpty(principalContainer.error))
            {
                return(BadRequest($"The response from the external identity provider contained an error: {principalContainer.error}"));
            }

            // Step 2: Validate the state object we passed wasn't tampered with
            const string stateDescription  = "As a security precaution, Octopus ensures the state object returned from the external identity provider matches what it expected.";
            var          expectedStateHash = string.Empty;

            if (context.Request.Cookies.ContainsKey("s"))
            {
                expectedStateHash = HttpUtility.UrlDecode(context.Request.Cookies["s"]);
            }
            if (string.IsNullOrWhiteSpace(expectedStateHash))
            {
                return(BadRequest($"User login failed: Missing State Hash Cookie. {stateDescription} In this case the Cookie containing the SHA256 hash of the state object is missing from the request."));
            }

            var stateFromRequestHash = State.Protect(stateFromRequest);

            if (stateFromRequestHash != expectedStateHash)
            {
                return(BadRequest($"User login failed: Tampered State. {stateDescription} In this case the state object looks like it has been tampered with. The state object is '{stateFromRequest}'. The SHA256 hash of the state was expected to be '{expectedStateHash}' but was '{stateFromRequestHash}'."));
            }

            // Step 3: Validate the nonce is as we expected to prevent replay attacks
            const string nonceDescription = "As a security precaution to prevent replay attacks, Octopus ensures the nonce returned in the claims from the external identity provider matches what it expected.";

            var expectedNonceHash = string.Empty;

            if (context.Request.Cookies.ContainsKey("n"))
            {
                expectedNonceHash = HttpUtility.UrlDecode(context.Request.Cookies["n"]);
            }

            if (string.IsNullOrWhiteSpace(expectedNonceHash))
            {
                return(BadRequest($"User login failed: Missing Nonce Hash Cookie. {nonceDescription} In this case the Cookie containing the SHA256 hash of the nonce is missing from the request."));
            }

            var nonceFromClaims = principal.Claims.FirstOrDefault(c => c.Type == "nonce");

            if (nonceFromClaims == null)
            {
                return(BadRequest($"User login failed: Missing Nonce Claim. {nonceDescription} In this case the 'nonce' claim is missing from the security token."));
            }

            var nonceFromClaimsHash = Nonce.Protect(nonceFromClaims.Value);

            if (nonceFromClaimsHash != expectedNonceHash)
            {
                return(BadRequest($"User login failed: Tampered Nonce. {nonceDescription} In this case the nonce looks like it has been tampered with or reused. The nonce is '{nonceFromClaims}'. The SHA256 hash of the state was expected to be '{expectedNonceHash}' but was '{nonceFromClaimsHash}'."));
            }

            // Step 4: Now the integrity of the request has been validated we can figure out which Octopus User this represents
            var authenticationCandidate = principalToUserResourceMapper.MapToUserResource(principal);

            // Step 4a: Check if this authentication attempt is already being banned
            var action = loginTracker.BeforeAttempt(authenticationCandidate.Username, context.Request.UserHostAddress);

            if (action == InvalidLoginAction.Ban)
            {
                return(BadRequest("You have had too many failed login attempts in a short period of time. Please try again later."));
            }

            // Step 4b: Try to get or create a the Octopus User this external identity represents
            var userResult = GetOrCreateUser(authenticationCandidate, principal);

            if (userResult.Succeeded)
            {
                loginTracker.RecordSucess(authenticationCandidate.Username, context.Request.UserHostAddress);

                var authCookies = authCookieCreator.CreateAuthCookies(context.Request, userResult.User.IdentificationToken, SessionExpiry.TwentyDays);

                return(RedirectResponse(response, stateFromRequest)
                       .WithCookies(authCookies)
                       .WithHeader("Expires", DateTime.UtcNow.AddYears(1).ToString("R", DateTimeFormatInfo.InvariantInfo)));
            }

            // Step 5: Handle other types of failures
            loginTracker.RecordFailure(authenticationCandidate.Username, context.Request.UserHostAddress);

            // Step 5a: Slow this potential attacker down a bit since they seem to keep failing
            if (action == InvalidLoginAction.Slow)
            {
                sleep.For(1000);
            }

            if (!userResult.User.IsActive)
            {
                return(BadRequest($"The Octopus User Account '{authenticationCandidate.Username}' has been disabled by an Administrator. If you believe this to be a mistake, please contact your Octopus Administrator to have your account re-enabled."));
            }

            if (userResult.User.IsService)
            {
                return(BadRequest($"The Octopus User Account '{authenticationCandidate.Username}' is a Service Account, which are prevented from using Octopus interactively. Service Accounts are designed to authorize external systems to access the Octopus API using an API Key."));
            }

            return(BadRequest($"User login failed: {userResult.FailureReason}"));
        }
Exemplo n.º 3
0
        public async Task <Response> ExecuteAsync(NancyContext context, IResponseFormatter response)
        {
            string state;
            var    principalContainer = await authTokenHandler.GetPrincipalAsync(context.Request, out state);

            var principal = principalContainer.principal;

            if (principal == null || !string.IsNullOrEmpty(principalContainer.error))
            {
                log.Info($"User login failed - {principalContainer.error}");
                return(RedirectResponse(response, $"{context.Request.Form["state"]}?error={principalContainer.error}"));
            }

            var cookieStateHash = string.Empty;

            if (context.Request.Cookies.ContainsKey("s"))
            {
                cookieStateHash = HttpUtility.UrlDecode(context.Request.Cookies["s"]);
            }
            if (State.Protect(state) != cookieStateHash)
            {
                log.Info($"User login failed - invalid state");
                return(RedirectResponse(response, $"{state}?error=Invalid state"));
            }

            var cookieNonceHash = string.Empty;

            if (context.Request.Cookies.ContainsKey("n"))
            {
                cookieNonceHash = HttpUtility.UrlDecode(context.Request.Cookies["n"]);
            }

            var nonce = principal.Claims.FirstOrDefault(c => c.Type == "nonce");

            if (nonce == null || Nonce.Protect(nonce.Value) != cookieNonceHash)
            {
                log.Info("User login failed - invalid nonce");
                return(RedirectResponse(response, $"{state}?error=Invalid nonce"));
            }

            var model = principalToUserHandler.GetUserResource(principal);

            var action = loginTracker.BeforeAttempt(model.Username, context.Request.UserHostAddress);

            if (action == InvalidLoginAction.Ban)
            {
                return(RedirectResponse(response, $"{state}?error=You have had too many failed login attempts in a short period of time. Please try again later."));
            }

            var userResult = GetOrCreateUser(model, principal);

            if (!userResult.Succeeded)
            {
                loginTracker.RecordFailure(model.Username, context.Request.UserHostAddress);

                if (action == InvalidLoginAction.Slow)
                {
                    sleep.For(1000);
                }

                return(RedirectResponse(response, $"{state}?error={userResult.FailureReason}"));
            }

            if (!userResult.User.IsActive || userResult.User.IsService)
            {
                loginTracker.RecordFailure(model.Username, context.Request.UserHostAddress);

                if (action == InvalidLoginAction.Slow)
                {
                    sleep.For(1000);
                }

                return(RedirectResponse(response, $"{state}?error=Invalid username or password"));
            }

            loginTracker.RecordSucess(model.Username, context.Request.UserHostAddress);

            var cookie = authCookieCreator.CreateAuthCookie(context, userResult.User.IdentificationToken, true);

            return(RedirectResponse(response, state)
                   .WithCookie(cookie)
                   .WithHeader("Expires", DateTime.UtcNow.AddYears(1).ToString("R", DateTimeFormatInfo.InvariantInfo)));
        }