From 2658dae6497c8b85dcb1ddcf9e636dc07aa6e536 Mon Sep 17 00:00:00 2001 From: Bjarke Berg Date: Sun, 9 Feb 2020 19:14:19 +0100 Subject: [PATCH] Introduced interface on WebSecurity --- .../Security/IWebSecurity.cs | 92 +++++++++++++++++++ .../Security/ValidateRequestAttempt.cs | 0 .../TestControllerActivatorBase.cs | 2 +- .../Filters/ContentSaveValidationAttribute.cs | 2 +- src/Umbraco.Web/IUmbracoContext.cs | 2 +- src/Umbraco.Web/Mvc/UmbracoController.cs | 2 +- src/Umbraco.Web/Security/WebSecurity.cs | 8 +- src/Umbraco.Web/Umbraco.Web.csproj | 1 - src/Umbraco.Web/UmbracoContext.cs | 4 +- src/Umbraco.Web/UmbracoHttpHandler.cs | 2 +- src/Umbraco.Web/UmbracoWebService.cs | 2 +- .../WebApi/UmbracoApiControllerBase.cs | 2 +- 12 files changed, 105 insertions(+), 14 deletions(-) create mode 100644 src/Umbraco.Abstractions/Security/IWebSecurity.cs rename src/{Umbraco.Web => Umbraco.Abstractions}/Security/ValidateRequestAttempt.cs (100%) diff --git a/src/Umbraco.Abstractions/Security/IWebSecurity.cs b/src/Umbraco.Abstractions/Security/IWebSecurity.cs new file mode 100644 index 0000000000..cc268b87b4 --- /dev/null +++ b/src/Umbraco.Abstractions/Security/IWebSecurity.cs 
@@ -0,0 +1,92 @@
+using Umbraco.Core;
+using Umbraco.Core.Models.Membership;
+
+namespace Umbraco.Web.Security
+{
+ public interface IWebSecurity
+ {
+ ///
+ /// Gets the current user.
+ ///
+ /// The current user.
+ IUser CurrentUser { get; }
+
+ ///
+ /// Logs a user in.
+ ///
+ /// The user Id
+ /// returns the number of seconds until their session times out
+ double PerformLogin(int userId);
+
+ ///
+ /// Clears the current login for the currently logged in user
+ ///
+ void ClearCurrentLogin();
+
+ ///
+ /// Validates credentials for a back office user
+ ///
+ ///
+ ///
+ ///
+ /// This uses ASP.NET Identity to perform the validation
+ ///
+ bool ValidateBackOfficeCredentials(string username, string password);
+
+ ///
+ /// Gets the current user's id.
+ ///
+ ///
+ Attempt GetUserId();
+
+ ///
+ /// Returns the current user's unique session id - used to mitigate csrf attacks or any other reason to validate a request
+ ///
+ ///
+ string GetSessionId();
+
+ ///
+ /// Validates the currently logged in user and ensures they are not timed out
+ ///
+ ///
+ bool ValidateCurrentUser();
+
+ ///
+ /// Validates the current user assigned to the request and ensures the stored user data is valid
+ ///
+ /// set to true if you want exceptions to be thrown if failed
+ /// If true requires that the user is approved to be validated
+ ///
+ ValidateRequestAttempt ValidateCurrentUser(bool throwExceptions, bool requiresApproval = true);
+
+ ///
+ /// Authorizes the full request, checks for SSL and validates the current user
+ ///
+ /// set to true if you want exceptions to be thrown if failed
+ ///
+ ValidateRequestAttempt AuthorizeRequest(bool throwExceptions = false);
+
+ ///
+ /// Checks if the specified user as access to the app
+ ///
+ ///
+ ///
+ ///
+ bool UserHasSectionAccess(string section, IUser user);
+
+ ///
+ /// Checks if the specified user by username as access to the app
+ ///
+ ///
+ ///
+ ///
+ bool UserHasSectionAccess(string section, string username);
+ + /// + /// Ensures that a back office user is logged in + /// + /// + bool IsAuthenticated(); + } +} diff --git a/src/Umbraco.Web/Security/ValidateRequestAttempt.cs b/src/Umbraco.Abstractions/Security/ValidateRequestAttempt.cs similarity index 100% rename from src/Umbraco.Web/Security/ValidateRequestAttempt.cs rename to src/Umbraco.Abstractions/Security/ValidateRequestAttempt.cs diff --git a/src/Umbraco.Tests/TestHelpers/ControllerTesting/TestControllerActivatorBase.cs b/src/Umbraco.Tests/TestHelpers/ControllerTesting/TestControllerActivatorBase.cs index c0279e1204..e7abec5ee2 100644 --- a/src/Umbraco.Tests/TestHelpers/ControllerTesting/TestControllerActivatorBase.cs +++ b/src/Umbraco.Tests/TestHelpers/ControllerTesting/TestControllerActivatorBase.cs @@ -101,7 +101,7 @@ namespace Umbraco.Tests.TestHelpers.ControllerTesting var backofficeIdentity = (UmbracoBackOfficeIdentity) owinContext.Authentication.User.Identity; - var webSecurity = new Mock(null, null, globalSettings); + var webSecurity = new Mock(); //mock CurrentUser var groups = new List(); diff --git a/src/Umbraco.Web/Editors/Filters/ContentSaveValidationAttribute.cs b/src/Umbraco.Web/Editors/Filters/ContentSaveValidationAttribute.cs index b94d4d43bc..de84d80074 100644 --- a/src/Umbraco.Web/Editors/Filters/ContentSaveValidationAttribute.cs +++ b/src/Umbraco.Web/Editors/Filters/ContentSaveValidationAttribute.cs @@ -83,7 +83,7 @@ namespace Umbraco.Web.Editors.Filters /// /// /// - private bool ValidateUserAccess(ContentItemSave contentItem, HttpActionContext actionContext, WebSecurity webSecurity) + private bool ValidateUserAccess(ContentItemSave contentItem, HttpActionContext actionContext, IWebSecurity webSecurity) { //We now need to validate that the user is allowed to be doing what they are doing. diff --git a/src/Umbraco.Web/IUmbracoContext.cs b/src/Umbraco.Web/IUmbracoContext.cs index 8a624a8132..a37c70dfc7 100644 --- a/src/Umbraco.Web/IUmbracoContext.cs +++ b/src/Umbraco.Web/IUmbracoContext.cs 
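Review bot: `IsAuthenticated()` is documented as "Ensures that a back office user is logged in", but it returns a `bool` and enforces nothing, so a reader could mistake it for a guard; suggest `/// Returns whether a back office user is currently authenticated; this is a query only — enforcement is done by AuthorizeRequest or ValidateCurrentUser(throwExceptions: true).` Both `UserHasSectionAccess` summaries read "as access" where "has access" is meant, and their param/returns elements appear empty in this rendering — worth filling in now that this interface is the contract that ContentSaveValidationAttribute and the test mocks depend on. The defaults `requiresApproval = true` and `throwExceptions = false` declared on interface members apply only to calls made through `IWebSecurity`; each implementation must repeat them (WebSecurity.AuthorizeRequest does in this diff, the ValidateCurrentUser implementation is not shown here).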
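Review bot: Replacing `new Mock(null, null, globalSettings)` (a mock over the concrete WebSecurity, presumably still running the real logic of any member not set up) with a bare interface mock means every IWebSecurity member that is not explicitly set up now returns its default — `false` from the `bool` validators and `null` from `CurrentUser` — assuming this is Moq's default loose behaviour. The hunk shows only the start of the CurrentUser setup, so any test that relied on real `ValidateCurrentUser` or `UserHasSectionAccess` results should now set those members up explicitly; consider `new Mock<IWebSecurity>(MockBehavior.Strict)` so an unexpected call fails loudly rather than quietly returning a default. The enclosing method starts and ends outside the hunk.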
@@ -24,7 +24,7 @@ namespace Umbraco.Web /// /// Gets the WebSecurity class /// - WebSecurity Security { get; } + IWebSecurity Security { get; } /// /// Gets the uri that is handled by ASP.NET after server-side rewriting took place. diff --git a/src/Umbraco.Web/Mvc/UmbracoController.cs b/src/Umbraco.Web/Mvc/UmbracoController.cs index 3056a9837a..68605a9086 100644 --- a/src/Umbraco.Web/Mvc/UmbracoController.cs +++ b/src/Umbraco.Web/Mvc/UmbracoController.cs @@ -70,7 +70,7 @@ namespace Umbraco.Web.Mvc /// /// Gets the web security helper. /// - public virtual WebSecurity Security => UmbracoContext.Security; + public virtual IWebSecurity Security => UmbracoContext.Security; protected UmbracoController() : this( diff --git a/src/Umbraco.Web/Security/WebSecurity.cs b/src/Umbraco.Web/Security/WebSecurity.cs index 5dc6551b90..3b19fd7eb2 100644 --- a/src/Umbraco.Web/Security/WebSecurity.cs +++ b/src/Umbraco.Web/Security/WebSecurity.cs @@ -19,7 +19,7 @@ namespace Umbraco.Web.Security /// /// A utility class used for dealing with USER security in Umbraco /// - public class WebSecurity + public class WebSecurity : IWebSecurity { private readonly HttpContextBase _httpContext; private readonly IUserService _userService; @@ -215,7 +215,7 @@ namespace Umbraco.Web.Security /// /// set to true if you want exceptions to be thrown if failed /// - internal ValidateRequestAttempt AuthorizeRequest(bool throwExceptions = false) + public ValidateRequestAttempt AuthorizeRequest(bool throwExceptions = false) { // check for secure connection if (_globalSettings.UseHttps && _httpContext.Request.IsSecureConnection == false) @@ -232,7 +232,7 @@ namespace Umbraco.Web.Security /// /// /// - internal virtual bool UserHasSectionAccess(string section, IUser user) + public virtual bool UserHasSectionAccess(string section, IUser user) { return user.HasSectionAccess(section); } 
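Review bot: `UserHasSectionAccess(string section, IUser user)` moves from `internal` to `public` (and onto the interface) but still dereferences `user` unguarded in `return user.HasSectionAccess(section);`, so a null user from an external caller surfaces as a NullReferenceException instead of an argument error; add `if (user == null) throw new ArgumentNullException(nameof(user));` before the return (the username overload in the following hunk already checks its lookup result for null). The same widening applies to `AuthorizeRequest` in the hunk above: it is now the public place where the `_globalSettings.UseHttps` check runs, so its XML doc should say it enforces the HTTPS requirement when UseHttps is set rather than only "checks for SSL". AuthorizeRequest's body continues outside the hunk.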
@@ -243,7 +243,7 @@ namespace Umbraco.Web.Security /// /// /// - internal bool UserHasSectionAccess(string section, string username) + public bool UserHasSectionAccess(string section, string username) { var user = _userService.GetByUsername(username); if (user == null) diff --git a/src/Umbraco.Web/Umbraco.Web.csproj b/src/Umbraco.Web/Umbraco.Web.csproj index 6cbb4afa9a..5c226b257e 100755 --- a/src/Umbraco.Web/Umbraco.Web.csproj +++ b/src/Umbraco.Web/Umbraco.Web.csproj @@ -597,7 +597,6 @@ - True diff --git a/src/Umbraco.Web/UmbracoContext.cs b/src/Umbraco.Web/UmbracoContext.cs index 374b78c333..5f2f43d61f 100644 --- a/src/Umbraco.Web/UmbracoContext.cs +++ b/src/Umbraco.Web/UmbracoContext.cs @@ -30,7 +30,7 @@ namespace Umbraco.Web // warn: does *not* manage setting any IUmbracoContextAccessor internal UmbracoContext(HttpContextBase httpContext, IPublishedSnapshotService publishedSnapshotService, - WebSecurity webSecurity, + IWebSecurity webSecurity, IUmbracoSettingsSection umbracoSettings, IEnumerable urlProviders, IEnumerable mediaUrlProviders, @@ -93,7 +93,7 @@ namespace Umbraco.Web /// /// Gets the WebSecurity class /// - public WebSecurity Security { get; } + public IWebSecurity Security { get; } /// /// Gets the uri that is handled by ASP.NET after server-side rewriting took place. diff --git a/src/Umbraco.Web/UmbracoHttpHandler.cs b/src/Umbraco.Web/UmbracoHttpHandler.cs index 447bdde430..27a3255edd 100644 --- a/src/Umbraco.Web/UmbracoHttpHandler.cs +++ b/src/Umbraco.Web/UmbracoHttpHandler.cs @@ -58,7 +58,7 @@ namespace Umbraco.Web /// /// Gets the web security helper. /// - public WebSecurity Security => UmbracoContextAccessor.UmbracoContext.Security; + public IWebSecurity Security => UmbracoContextAccessor.UmbracoContext.Security; /// /// Gets the Url helper. diff --git a/src/Umbraco.Web/UmbracoWebService.cs b/src/Umbraco.Web/UmbracoWebService.cs index ed78314560..3b35dbd6c7 100644 --- a/src/Umbraco.Web/UmbracoWebService.cs 
+++ b/src/Umbraco.Web/UmbracoWebService.cs @@ -74,7 +74,7 @@ namespace Umbraco.Web /// /// Gets the web security helper. /// - public WebSecurity Security => UmbracoContext.Security; + public IWebSecurity Security => UmbracoContext.Security; /// /// Gets the Url helper. diff --git a/src/Umbraco.Web/WebApi/UmbracoApiControllerBase.cs b/src/Umbraco.Web/WebApi/UmbracoApiControllerBase.cs index 9b35416def..4ac773e8c8 100644 --- a/src/Umbraco.Web/WebApi/UmbracoApiControllerBase.cs +++ b/src/Umbraco.Web/WebApi/UmbracoApiControllerBase.cs @@ -131,7 +131,7 @@ namespace Umbraco.Web.WebApi /// /// Gets the web security helper. /// - public WebSecurity Security => UmbracoContext.Security; + public IWebSecurity Security => UmbracoContext.Security; /// /// Tries to get the current HttpContext.