Пример #1
0
        // Delete User From SsoRequest
        public ResponseDTO <HttpStatusCode> DeleteUser(SsoUserRequestDTO request)
        {
            ResponseDTO <HttpStatusCode> response          = new ResponseDTO <HttpStatusCode>();
            ISignatureService            _signatureService = new SignatureService();

            if (!_signatureService.isValidSignature(request.GetStringToSign(), request.Signature))
            {
                response.Data  = (HttpStatusCode)400;
                response.Error = "Signature not valid";
                return(response);
            }

            // Protect against replay attacks by checking the timestamp
            if (DateTimeOffset.Now.AddSeconds(5).ToUnixTimeMilliseconds() < request.Timestamp)
            {
                response.Data  = (HttpStatusCode)425;
                response.Error = ErrorStrings.OLD_SSO_REQUEST;
                return(response);
            }

            // Check if request id is in guid format
            Guid ssoId;

            try
            {
                ssoId = new Guid(request.SsoUserId);
            }
            catch (Exception e)
            {
                response.Data  = (HttpStatusCode)400;
                response.Error = "SsoId provided was invalid";
                return(response);
            }

            UserAccountDTO userAccount;
            ResponseDTO <UserAccountDTO> userAccountResponse = _userManagementService.GetUserBySsoId(ssoId);

            if (userAccountResponse.Data == null)
            {
                // TODO: Add a check if user did not exist or if it was a standard EntityFramework Error
                response.Data  = (HttpStatusCode)404;
                response.Error = "Unable to find ssoId";
                return(response);
            }
            else
            {
                userAccount = userAccountResponse.Data;
            }

            ResponseDTO <bool> boolResponse;

            try
            {
                boolResponse = _userManagementService.DeleteUser(userAccount.Id);
            }
            catch (Exception e)
            {
                response.Data  = (HttpStatusCode)500;
                response.Error = "Failed to delete userID: " + userAccount.Id + "\n" + e.Message;
                return(response);
            }

            if (boolResponse.Data)
            {
                response.Data = (HttpStatusCode)200;
                return(response);
            }
            else
            {
                response.Data  = (HttpStatusCode)500;
                response.Error = boolResponse.Error;
                return(response);
            }
        }
Пример #2
0
        // Delete User From SsoRequest
        public ResponseDTO <HttpStatusCode> LogoutUser(SsoUserRequestDTO request)
        {
            ResponseDTO <HttpStatusCode> response          = new ResponseDTO <HttpStatusCode>();
            ISignatureService            _signatureService = new SignatureService();

            if (!_signatureService.isValidSignature(request.GetStringToSign(), request.Signature))
            {
                response.Data  = (HttpStatusCode)400;
                response.Error = "Signature not valid";
                return(response);
            }

            // Protect against replay attacks by checking the timestamp
            if (DateTimeOffset.Now.AddSeconds(5).ToUnixTimeMilliseconds() < request.Timestamp)
            {
                response.Data  = (HttpStatusCode)425;
                response.Error = ErrorStrings.OLD_SSO_REQUEST;
                return(response);
            }

            // Check if request id is in guid format
            Guid ssoId;

            try
            {
                ssoId = new Guid(request.SsoUserId);
            }
            catch (Exception e)
            {
                response.Data  = (HttpStatusCode)400;
                response.Error = "SsoId provided was invalid";
                return(response);
            }

            UserAccountDTO userAccount;
            ResponseDTO <UserAccountDTO> userAccountResponse = _userManagementService.GetUserBySsoId(ssoId);

            if (userAccountResponse.Data == null)
            {
                // Returns a success because there are no sessions to delete
                // The user has never opend our app so do not stop the SSO logout from continuing
                response.Data = (HttpStatusCode)200;
                return(response);
            }
            else
            {
                userAccount = userAccountResponse.Data;
            }

            ResponseDTO <bool> boolResponse;

            try
            {
                boolResponse = _sessionService.DeleteAllUserSessions(userAccount.Id);
            }
            catch (Exception e)
            {
                response.Data  = (HttpStatusCode)500;
                response.Error = "Failed to delete sessions for userID: " + userAccount.Id + "\n" + e.Message;
                return(response);
            }

            if (boolResponse.Data)
            {
                response.Data = (HttpStatusCode)200;
                return(response);
            }
            else
            {
                response.Data  = (HttpStatusCode)500;
                response.Error = boolResponse.Error;
                return(response);
            }
        }
Пример #3
0
        public ResponseDTO <Session> SsoLogin(SsoUserRequestDTO request)
        {
            ResponseDTO <Session> response = new ResponseDTO <Session>();

            // Before anything happens, validate that this request is coming from the known sso server
            if (!_signatureService.isValidSignature(request.GetStringToSign(), request.Signature))
            {
                response.Data  = null;
                response.Error = "My signature: " + _signatureService.Sign(request.GetStringToSign()) + " Compared to: " + request.Signature;
                _loggerService.LogError(LogConstants.FAIL_LOGIN, request.SsoUserId, "", response.Error, "");
                return(response);
            }

            // Protect against replay attacks by checking the timestamp
            if (DateTimeOffset.Now.AddSeconds(5).ToUnixTimeMilliseconds() < request.Timestamp)
            {
                response.Data  = null;
                response.Error = ErrorStrings.OLD_SSO_REQUEST;
                _loggerService.LogError(LogConstants.FAIL_LOGIN, request.SsoUserId, "", response.Error, "");
                return(response);
            }

            // Convert request SsoId into Guid
            Guid ssoId = new Guid(request.SsoUserId);

            // Search for user in database
            ResponseDTO <UserAccountDTO> userAccountResponse = _userManagementService.GetUserBySsoId(ssoId);
            UserAccountDTO userDTO = userAccountResponse.Data;

            // If the user does not exist in the data store, register the user as a standard user
            if (userAccountResponse.Data == null)
            {
                // Verify the email is not null
                if (request.Email == null)
                {
                    response.Data  = null;
                    response.Error = "User email may not be null.";
                    _loggerService.LogError(LogConstants.FAIL_LOGIN, request.SsoUserId, "", response.Error, "");
                    return(response);
                }

                // Create an unassigned user account
                UserAccount user = new UserAccount()
                {
                    SsoId       = ssoId,
                    Username    = request.Email,
                    IsActive    = true,
                    AcceptedTOS = false,
                    RoleType    = Roles.UNASSIGNED
                };
                List <Claim> newClaims = _claimService.GetUserClaims(Roles.UNASSIGNED, request.Email).Data;

                // Add user to datastore
                ResponseDTO <bool> createUserResponse = _userManagementService.CreateUser(user, newClaims);

                // Check if user creation succeded
                if (!createUserResponse.Data)
                {
                    response.Data  = null;
                    response.Error = createUserResponse.Error;
                    _loggerService.LogError(LogConstants.FAIL_LOGIN, request.SsoUserId, "", response.Error, "");
                    return(response);
                }

                // User now exists in database, proceed with login as normal
                userDTO = new UserAccountDTO(user);
            }

            // Create session for user
            ResponseDTO <Session> sessionResponseDTO = _sessionService.CreateSession(userDTO.Id);

            _loggerService.LogAction(LogConstants.ACTION_LOGIN, userDTO.SsoId.ToString(), sessionResponseDTO.Data.SessionId.ToString());

            return(sessionResponseDTO);
        }