yv01p/Umbraco-CMS
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
9ed65769080ede82d2cd703032af2da11e1adb3e
Umbraco-CMS/src/Umbraco.Core/Security/BackOfficeSignInManager.cs

243 lines
10 KiB
C#
Raw Normal View History

Normalize cr/lf/tab
2017-07-20 11:21:28 +02:00
using System;
Fixes: U4-6736 Log "logout" from Umbraco and also ensures logging is occuring on timeout, logout, login all with Identity stuff.
2015-07-23 12:03:50 +02:00
using System.Diagnostics;
Implements SignInManager, implements lock out policy for user manager, allows for better implementation of 2 factor auth for developers. Updates to latest owin libs.
2015-07-01 17:07:29 +02:00
using System.Security.Claims;
using System.Threading.Tasks;
using Microsoft.AspNet.Identity;
using Microsoft.AspNet.Identity.Owin;
using Microsoft.Owin;
Fixes: U4-6736 Log "logout" from Umbraco and also ensures logging is occuring on timeout, logout, login all with Identity stuff.
2015-07-23 12:03:50 +02:00
using Microsoft.Owin.Logging;
Implements SignInManager, implements lock out policy for user manager, allows for better implementation of 2 factor auth for developers. Updates to latest owin libs.
2015-07-01 17:07:29 +02:00
using Microsoft.Owin.Security;
using Umbraco.Core.Configuration;
using Umbraco.Core.Models.Identity;
namespace Umbraco.Core.Security
{
public class BackOfficeSignInManager : SignInManager<BackOfficeIdentityUser, int>
{
Fixes: U4-6736 Log "logout" from Umbraco and also ensures logging is occuring on timeout, logout, login all with Identity stuff.
2015-07-23 12:03:50 +02:00
private readonly ILogger _logger;
private readonly IOwinRequest _request;
U4-8850 Configuring a custom BackOfficeUserManager type will not work if the type is not specifically BackOfficeUserManager
2016-08-12 12:20:00 +02:00
public BackOfficeSignInManager(UserManager<BackOfficeIdentityUser, int> userManager, IAuthenticationManager authenticationManager, ILogger logger, IOwinRequest request)
Implements SignInManager, implements lock out policy for user manager, allows for better implementation of 2 factor auth for developers. Updates to latest owin libs.
2015-07-01 17:07:29 +02:00
: base(userManager, authenticationManager)
{
Fixes: U4-6736 Log "logout" from Umbraco and also ensures logging is occuring on timeout, logout, login all with Identity stuff.
2015-07-23 12:03:50 +02:00
if (logger == null) throw new ArgumentNullException("logger");
if (request == null) throw new ArgumentNullException("request");
_logger = logger;
_request = request;
Implements SignInManager, implements lock out policy for user manager, allows for better implementation of 2 factor auth for developers. Updates to latest owin libs.
2015-07-01 17:07:29 +02:00
AuthenticationType = Constants.Security.BackOfficeAuthenticationType;
}
public override Task<ClaimsIdentity> CreateUserIdentityAsync(BackOfficeIdentityUser user)
{
Removes the explicit castings to (BackOfficeUserManager) since that isn't actually the base class! The base class is BackOfficeUserManager<BackOfficeIdentityUser>, all of this identity stuff is a bit of a generics nightmare but that also do to the generic nightmare that is OWIN. Moves more logic to the base class so it can be used by sub classes, fixes the base class to use a generic user type
2016-08-12 16:17:14 +02:00
return user.GenerateUserIdentityAsync((BackOfficeUserManager<BackOfficeIdentityUser>)UserManager);
Implements SignInManager, implements lock out policy for user manager, allows for better implementation of 2 factor auth for developers. Updates to latest owin libs.
2015-07-01 17:07:29 +02:00
}
Fixes: U4-6736 Log "logout" from Umbraco and also ensures logging is occuring on timeout, logout, login all with Identity stuff.
2015-07-23 12:03:50 +02:00
public static BackOfficeSignInManager Create(IdentityFactoryOptions<BackOfficeSignInManager> options, IOwinContext context, ILogger logger)
Implements SignInManager, implements lock out policy for user manager, allows for better implementation of 2 factor auth for developers. Updates to latest owin libs.
2015-07-01 17:07:29 +02:00
{
Fixes: U4-6736 Log "logout" from Umbraco and also ensures logging is occuring on timeout, logout, login all with Identity stuff.
2015-07-23 12:03:50 +02:00
return new BackOfficeSignInManager(
porting 7.6-rc1 into 8
2017-05-12 14:49:44 +02:00
context.GetBackOfficeUserManager(),
Fixes: U4-6736 Log "logout" from Umbraco and also ensures logging is occuring on timeout, logout, login all with Identity stuff.
2015-07-23 12:03:50 +02:00
context.Authentication,
logger,
context.Request);
}
/// <summary>
/// Sign in the user in using the user name and password
/// </summary>
/// <param name="userName"/><param name="password"/><param name="isPersistent"/><param name="shouldLockout"/>
/// <returns/>
removes some old notes
2016-07-12 13:36:08 +02:00
public override async Task<SignInStatus> PasswordSignInAsync(string userName, string password, bool isPersistent, bool shouldLockout)
Fixes: U4-6736 Log "logout" from Umbraco and also ensures logging is occuring on timeout, logout, login all with Identity stuff.
2015-07-23 12:03:50 +02:00
{
porting 7.6-rc1 into 8
2017-05-12 14:49:44 +02:00
var result = await PasswordSignInAsyncImpl(userName, password, isPersistent, shouldLockout);
Normalize cr/lf/tab
2017-07-20 11:21:28 +02:00
Fixes: U4-6736 Log "logout" from Umbraco and also ensures logging is occuring on timeout, logout, login all with Identity stuff.
2015-07-23 12:03:50 +02:00
switch (result)
{
case SignInStatus.Success:
Cleans up the usages of auth cookies. OWIN is in charge of auth cookies but because we have Webforms, WebApi, MVC and OWIN, they all like to deal with cookies differently. OWIN should still be solely in charge of the auth cookies, so the auth extensions are cleaned up, the renewal now works by queuing the renewal and we have custom middleware detect if a force renewal has been queued and we renew the auth cookie there. Have obsoleted a few methods that should not be used that write auth tickets directly (this is purely for backwards compat with webforms). All of these changes now ensure that the auth cookie is renewed consistently between Webforms, WebApi, MVC and OWIN. Some changes also include ensuring that OWIN is used to sign out.
2015-11-19 18:12:21 +01:00
_logger.WriteCore(TraceEventType.Information, 0,
string.Format(
"User: {0} logged in from IP address {1}",
userName,
_request.RemoteIpAddress), null, null);
Fixes: U4-6736 Log "logout" from Umbraco and also ensures logging is occuring on timeout, logout, login all with Identity stuff.
2015-07-23 12:03:50 +02:00
break;
case SignInStatus.LockedOut:
_logger.WriteCore(TraceEventType.Information, 0,
string.Format(
"Login attempt failed for username {0} from IP address {1}, the user is locked",
userName,
_request.RemoteIpAddress), null, null);
break;
case SignInStatus.RequiresVerification:
_logger.WriteCore(TraceEventType.Information, 0,
string.Format(
porting 7.6-rc1 into 8
2017-05-12 14:49:44 +02:00
"Login attempt requires verification for username {0} from IP address {1}",
Fixes: U4-6736 Log "logout" from Umbraco and also ensures logging is occuring on timeout, logout, login all with Identity stuff.
2015-07-23 12:03:50 +02:00
userName,
_request.RemoteIpAddress), null, null);
break;
case SignInStatus.Failure:
_logger.WriteCore(TraceEventType.Information, 0,
string.Format(
"Login attempt failed for username {0} from IP address {1}",
userName,
_request.RemoteIpAddress), null, null);
break;
default:
throw new ArgumentOutOfRangeException();
}
return result;
Implements SignInManager, implements lock out policy for user manager, allows for better implementation of 2 factor auth for developers. Updates to latest owin libs.
2015-07-01 17:07:29 +02:00
}
porting 7.6-rc1 into 8
2017-05-12 14:49:44 +02:00
/// <summary>
/// Borrowed from Micorosoft's underlying sign in manager which is not flexible enough to tell it to use a different cookie type
/// </summary>
/// <param name="userName"></param>
/// <param name="password"></param>
/// <param name="isPersistent"></param>
/// <param name="shouldLockout"></param>
/// <returns></returns>
private async Task<SignInStatus> PasswordSignInAsyncImpl(string userName, string password, bool isPersistent, bool shouldLockout)
{
if (UserManager == null)
{
return SignInStatus.Failure;
}
Port 7.7 - WIP
2017-08-25 17:55:26 +02:00
porting 7.6-rc1 into 8
2017-05-12 14:49:44 +02:00
var user = await UserManager.FindByNameAsync(userName);
Port 7.7 - WIP
2017-08-25 17:55:26 +02:00
//if the user is null, create an empty one which can be used for auto-linking
if (user == null)
user = BackOfficeIdentityUser.CreateNew(userName, null, GlobalSettings.DefaultUILanguage);
//check the password for the user, this will allow a developer to auto-link
//an account if they have specified an IBackOfficeUserPasswordChecker
porting 7.6-rc1 into 8
2017-05-12 14:49:44 +02:00
if (await UserManager.CheckPasswordAsync(user, password))
{
Port 7.7 - WIP
2017-08-25 17:55:26 +02:00
//the underlying call to this will query the user by Id which IS cached!
if (await UserManager.IsLockedOutAsync(user.Id))
{
return SignInStatus.LockedOut;
}
porting 7.6-rc1 into 8
2017-05-12 14:49:44 +02:00
await UserManager.ResetAccessFailedCountAsync(user.Id);
return await SignInOrTwoFactor(user, isPersistent);
}
Port 7.7 - WIP
2017-08-25 17:55:26 +02:00
if (user.HasIdentity && shouldLockout)
porting 7.6-rc1 into 8
2017-05-12 14:49:44 +02:00
{
// If lockout is requested, increment access failed count which might lock out the user
await UserManager.AccessFailedAsync(user.Id);
if (await UserManager.IsLockedOutAsync(user.Id))
{
return SignInStatus.LockedOut;
}
}
return SignInStatus.Failure;
Port 7.7 - WIP
2017-08-25 17:55:26 +02:00
}
porting 7.6-rc1 into 8
2017-05-12 14:49:44 +02:00
/// <summary>
/// Borrowed from Micorosoft's underlying sign in manager which is not flexible enough to tell it to use a different cookie type
/// </summary>
/// <param name="user"></param>
/// <param name="isPersistent"></param>
/// <returns></returns>
private async Task<SignInStatus> SignInOrTwoFactor(BackOfficeIdentityUser user, bool isPersistent)
{
var id = Convert.ToString(user.Id);
if (await UserManager.GetTwoFactorEnabledAsync(user.Id)
&& (await UserManager.GetValidTwoFactorProvidersAsync(user.Id)).Count > 0)
{
var identity = new ClaimsIdentity(Constants.Security.BackOfficeTwoFactorAuthenticationType);
identity.AddClaim(new Claim(ClaimTypes.NameIdentifier, id));
identity.AddClaim(new Claim(ClaimsIdentity.DefaultNameClaimType, user.UserName));
AuthenticationManager.SignIn(identity);
return SignInStatus.RequiresVerification;
}
await SignInAsync(user, isPersistent, false);
return SignInStatus.Success;
}
Implements SignInManager, implements lock out policy for user manager, allows for better implementation of 2 factor auth for developers. Updates to latest owin libs.
2015-07-01 17:07:29 +02:00
/// <summary>
/// Creates a user identity and then signs the identity using the AuthenticationManager
/// </summary>
/// <param name="user"></param>
/// <param name="isPersistent"></param>
/// <param name="rememberBrowser"></param>
/// <returns></returns>
public override async Task SignInAsync(BackOfficeIdentityUser user, bool isPersistent, bool rememberBrowser)
{
var userIdentity = await CreateUserIdentityAsync(user);
// Clear any partial cookies from external or two factor partial sign ins
AuthenticationManager.SignOut(
porting 7.6-rc1 into 8
2017-05-12 14:49:44 +02:00
Constants.Security.BackOfficeExternalAuthenticationType,
Implements SignInManager, implements lock out policy for user manager, allows for better implementation of 2 factor auth for developers. Updates to latest owin libs.
2015-07-01 17:07:29 +02:00
Constants.Security.BackOfficeTwoFactorAuthenticationType);
var nowUtc = DateTime.Now.ToUniversalTime();
porting 7.6-rc1 into 8
2017-05-12 14:49:44 +02:00
Implements SignInManager, implements lock out policy for user manager, allows for better implementation of 2 factor auth for developers. Updates to latest owin libs.
2015-07-01 17:07:29 +02:00
if (rememberBrowser)
{
var rememberBrowserIdentity = AuthenticationManager.CreateTwoFactorRememberBrowserIdentity(ConvertIdToString(user.Id));
AuthenticationManager.SignIn(new AuthenticationProperties()
{
IsPersistent = isPersistent,
AllowRefresh = true,
IssuedUtc = nowUtc,
ExpiresUtc = nowUtc.AddMinutes(GlobalSettings.TimeOutInMinutes)
Normalize cr/lf/tab
2017-07-20 11:21:28 +02:00
}, userIdentity, rememberBrowserIdentity);
Implements SignInManager, implements lock out policy for user manager, allows for better implementation of 2 factor auth for developers. Updates to latest owin libs.
2015-07-01 17:07:29 +02:00
}
else
{
AuthenticationManager.SignIn(new AuthenticationProperties()
{
IsPersistent = isPersistent,
AllowRefresh = true,
IssuedUtc = nowUtc,
ExpiresUtc = nowUtc.AddMinutes(GlobalSettings.TimeOutInMinutes)
}, userIdentity);
}
Fixes: U4-6736 Log "logout" from Umbraco and also ensures logging is occuring on timeout, logout, login all with Identity stuff.
2015-07-23 12:03:50 +02:00
porting 7.6-rc1 into 8
2017-05-12 14:49:44 +02:00
//track the last login date
user.LastLoginDateUtc = DateTime.UtcNow;
porting 7.6@5c5baca into 8
2017-05-30 10:50:09 +02:00
user.AccessFailedCount = 0;
porting 7.6-rc1 into 8
2017-05-12 14:49:44 +02:00
await UserManager.UpdateAsync(user);
Fixes: U4-6736 Log "logout" from Umbraco and also ensures logging is occuring on timeout, logout, login all with Identity stuff.
2015-07-23 12:03:50 +02:00
_logger.WriteCore(TraceEventType.Information, 0,
string.Format(
"Login attempt succeeded for username {0} from IP address {1}",
user.UserName,
_request.RemoteIpAddress), null, null);
Implements SignInManager, implements lock out policy for user manager, allows for better implementation of 2 factor auth for developers. Updates to latest owin libs.
2015-07-01 17:07:29 +02:00
}
porting 7.6-rc1 into 8
2017-05-12 14:49:44 +02:00
/// <summary>
/// Get the user id that has been verified already or -1.
/// </summary>
/// <returns></returns>
/// <remarks>
/// Replaces the underlying call which is not flexible and doesn't support a custom cookie
/// </remarks>
public new async Task<int> GetVerifiedUserIdAsync()
{
var result = await AuthenticationManager.AuthenticateAsync(Constants.Security.BackOfficeTwoFactorAuthenticationType);
if (result != null && result.Identity != null && string.IsNullOrEmpty(result.Identity.GetUserId()) == false)
{
return ConvertIdFromString(result.Identity.GetUserId());
}
return -1;
}
/// <summary>
/// Get the username that has been verified already or null.
/// </summary>
/// <returns></returns>
public async Task<string> GetVerifiedUserNameAsync()
{
var result = await AuthenticationManager.AuthenticateAsync(Constants.Security.BackOfficeTwoFactorAuthenticationType);
if (result != null && result.Identity != null && string.IsNullOrEmpty(result.Identity.GetUserName()) == false)
{
return result.Identity.GetUserName();
}
return null;
}
Implements SignInManager, implements lock out policy for user manager, allows for better implementation of 2 factor auth for developers. Updates to latest owin libs.
2015-07-01 17:07:29 +02:00
}
Normalize cr/lf/tab
2017-07-20 11:21:28 +02:00
}
Reference in New Issue Copy Permalink