262 lines
10 KiB
C#
262 lines
10 KiB
C#
using System;
|
|
using System.Collections.Generic;
|
|
using System.Linq;
|
|
using System.Threading;
|
|
using System.Threading.Tasks;
|
|
using Microsoft.AspNetCore.Identity;
|
|
using Microsoft.Extensions.Logging;
|
|
using Microsoft.Extensions.Options;
|
|
using Umbraco.Cms.Core.Configuration;
|
|
using Umbraco.Cms.Core.Net;
|
|
|
|
namespace Umbraco.Cms.Core.Security
|
|
{
|
|
/// <summary>
|
|
/// Abstract class for Umbraco User Managers for back office users or front-end members
|
|
/// </summary>
|
|
/// <typeparam name="TUser">The type of user</typeparam>
|
|
/// /// <typeparam name="TPasswordConfig">The type password config</typeparam>
|
|
public abstract class UmbracoUserManager<TUser, TPasswordConfig> : UserManager<TUser>
|
|
where TUser : UmbracoIdentityUser
|
|
where TPasswordConfig : class, IPasswordConfiguration, new()
|
|
{
|
|
private PasswordGenerator _passwordGenerator;
|
|
|
|
/// <summary>
|
|
/// Initializes a new instance of the <see cref="UmbracoUserManager{T, TPasswordConfig}"/> class.
|
|
/// </summary>
|
|
public UmbracoUserManager(
|
|
IIpResolver ipResolver,
|
|
IUserStore<TUser> store,
|
|
IOptions<IdentityOptions> optionsAccessor,
|
|
IPasswordHasher<TUser> passwordHasher,
|
|
IEnumerable<IUserValidator<TUser>> userValidators,
|
|
IEnumerable<IPasswordValidator<TUser>> passwordValidators,
|
|
IdentityErrorDescriber errors,
|
|
IServiceProvider services,
|
|
ILogger<UserManager<TUser>> logger,
|
|
IOptionsMonitor<TPasswordConfig> passwordConfiguration)
|
|
: base(store, optionsAccessor, passwordHasher, userValidators, passwordValidators, new NoopLookupNormalizer(), errors, services, logger)
|
|
{
|
|
IpResolver = ipResolver ?? throw new ArgumentNullException(nameof(ipResolver));
|
|
PasswordConfiguration = passwordConfiguration.CurrentValue ?? throw new ArgumentNullException(nameof(passwordConfiguration));
|
|
passwordConfiguration.OnChange(x => PasswordConfiguration = x);
|
|
}
|
|
|
|
/// <inheritdoc />
|
|
public override bool SupportsUserClaim => false; // We don't support an IUserClaimStore and don't need to (at least currently)
|
|
|
|
/// <inheritdoc />
|
|
public override bool SupportsQueryableUsers => false; // It would be nice to support this but we don't need to currently and that would require IQueryable support for our user service/repository
|
|
|
|
/// <summary>
|
|
/// Developers will need to override this to support custom 2 factor auth
|
|
/// </summary>
|
|
/// <inheritdoc />
|
|
public override bool SupportsUserTwoFactor => false;
|
|
|
|
/// <inheritdoc />
|
|
public override bool SupportsUserPhoneNumber => false; // We haven't needed to support this yet, though might be necessary for 2FA
|
|
|
|
/// <summary>
|
|
/// Gets the password configuration
|
|
/// </summary>
|
|
public IPasswordConfiguration PasswordConfiguration { get; private set; }
|
|
|
|
/// <summary>
|
|
/// Gets the IP resolver
|
|
/// </summary>
|
|
public IIpResolver IpResolver { get; }
|
|
|
|
/// <summary>
|
|
/// Used to validate a user's session
|
|
/// </summary>
|
|
/// <param name="userId">The user id</param>
|
|
/// <param name="sessionId">The session id</param>
|
|
/// <returns>True if the session is valid, else false</returns>
|
|
public virtual async Task<bool> ValidateSessionIdAsync(string userId, string sessionId)
|
|
{
|
|
// if this is not set, for backwards compat (which would be super rare), we'll just approve it
|
|
// TODO: This should be removed after members supports this
|
|
if (Store is not IUserSessionStore<TUser> userSessionStore)
|
|
{
|
|
return true;
|
|
}
|
|
|
|
return await userSessionStore.ValidateSessionIdAsync(userId, sessionId);
|
|
}
|
|
|
|
/// <summary>
|
|
/// Helper method to generate a password for a user based on the current password validator
|
|
/// </summary>
|
|
/// <returns>The generated password</returns>
|
|
public string GeneratePassword()
|
|
{
|
|
_passwordGenerator ??= new PasswordGenerator(PasswordConfiguration);
|
|
|
|
string password = _passwordGenerator.GeneratePassword();
|
|
return password;
|
|
}
|
|
|
|
/// <summary>
|
|
/// Used to validate the password without an identity user
|
|
/// Validation code is based on the default ValidatePasswordAsync code
|
|
/// Should return <see cref="IdentityResult.Success"/> if validation is successful
|
|
/// </summary>
|
|
/// <param name="password">The password.</param>
|
|
/// <returns>A <see cref="IdentityResult"/> representing whether validation was successful.</returns>
|
|
public async Task<IdentityResult> ValidatePasswordAsync(string password)
|
|
{
|
|
var errors = new List<IdentityError>();
|
|
var isValid = true;
|
|
foreach (IPasswordValidator<TUser> v in PasswordValidators)
|
|
{
|
|
IdentityResult result = await v.ValidateAsync(this, null, password);
|
|
if (!result.Succeeded)
|
|
{
|
|
if (result.Errors.Any())
|
|
{
|
|
errors.AddRange(result.Errors);
|
|
}
|
|
|
|
isValid = false;
|
|
}
|
|
}
|
|
|
|
if (!isValid)
|
|
{
|
|
Logger.LogWarning(14, "Password validation failed: {errors}.", string.Join(";", errors.Select(e => e.Code)));
|
|
return IdentityResult.Failed(errors.ToArray());
|
|
}
|
|
|
|
return IdentityResult.Success;
|
|
}
|
|
|
|
/// <inheritdoc />
|
|
public override async Task<bool> CheckPasswordAsync(TUser user, string password)
|
|
{
|
|
// we cannot proceed if the user passed in does not have an identity
|
|
if (user.HasIdentity == false)
|
|
{
|
|
return false;
|
|
}
|
|
|
|
// use the default behavior
|
|
return await base.CheckPasswordAsync(user, password);
|
|
}
|
|
|
|
/// <summary>
|
|
/// This is a special method that will reset the password but will raise the Password Changed event instead of the reset event
|
|
/// </summary>
|
|
/// <param name="userId">The userId</param>
|
|
/// <param name="token">The reset password token</param>
|
|
/// <param name="newPassword">The new password to set it to</param>
|
|
/// <returns>The <see cref="IdentityResult"/></returns>
|
|
/// <remarks>
|
|
/// We use this because in the back office the only way an admin can change another user's password without first knowing their password
|
|
/// is to generate a token and reset it, however, when we do this we want to track a password change, not a password reset
|
|
/// </remarks>
|
|
public virtual async Task<IdentityResult> ChangePasswordWithResetAsync(string userId, string token, string newPassword)
|
|
{
|
|
TUser user = await FindByIdAsync(userId);
|
|
if (user == null)
|
|
{
|
|
throw new InvalidOperationException("Could not find user");
|
|
}
|
|
|
|
IdentityResult result = await ResetPasswordAsync(user, token, newPassword);
|
|
return result;
|
|
}
|
|
|
|
/// <inheritdoc/>
|
|
public override async Task<IdentityResult> SetLockoutEndDateAsync(TUser user, DateTimeOffset? lockoutEnd)
|
|
{
|
|
if (user == null)
|
|
{
|
|
throw new ArgumentNullException(nameof(user));
|
|
}
|
|
|
|
IdentityResult result = await base.SetLockoutEndDateAsync(user, lockoutEnd);
|
|
|
|
// The way we unlock is by setting the lockoutEnd date to the current datetime
|
|
if (!result.Succeeded || lockoutEnd < DateTimeOffset.UtcNow)
|
|
{
|
|
// Resets the login attempt fails back to 0 when unlock is clicked
|
|
await ResetAccessFailedCountAsync(user);
|
|
}
|
|
|
|
return result;
|
|
}
|
|
|
|
/// <inheritdoc/>
|
|
public override async Task<IdentityResult> ResetAccessFailedCountAsync(TUser user)
|
|
{
|
|
if (user == null)
|
|
{
|
|
throw new ArgumentNullException(nameof(user));
|
|
}
|
|
|
|
var lockoutStore = (IUserLockoutStore<TUser>)Store;
|
|
var accessFailedCount = await GetAccessFailedCountAsync(user);
|
|
|
|
if (accessFailedCount == 0)
|
|
{
|
|
return IdentityResult.Success;
|
|
}
|
|
|
|
await lockoutStore.ResetAccessFailedCountAsync(user, CancellationToken.None);
|
|
|
|
return await UpdateAsync(user);
|
|
}
|
|
|
|
/// <summary>
|
|
/// Overrides the Microsoft ASP.NET user management method
|
|
/// </summary>
|
|
/// <inheritdoc/>
|
|
public override async Task<IdentityResult> AccessFailedAsync(TUser user)
|
|
{
|
|
if (user == null)
|
|
{
|
|
throw new ArgumentNullException(nameof(user));
|
|
}
|
|
|
|
if (Store is not IUserLockoutStore<TUser> lockoutStore)
|
|
{
|
|
throw new NotSupportedException("The current user store does not implement " + typeof(IUserLockoutStore<>));
|
|
}
|
|
|
|
var count = await lockoutStore.IncrementAccessFailedCountAsync(user, CancellationToken.None);
|
|
|
|
if (count >= Options.Lockout.MaxFailedAccessAttempts)
|
|
{
|
|
await lockoutStore.SetLockoutEndDateAsync(user, DateTimeOffset.UtcNow.Add(Options.Lockout.DefaultLockoutTimeSpan), CancellationToken.None);
|
|
|
|
// NOTE: in normal aspnet identity this would do set the number of failed attempts back to 0
|
|
// here we are persisting the value for the back office
|
|
}
|
|
|
|
IdentityResult result = await UpdateAsync(user);
|
|
return result;
|
|
}
|
|
|
|
/// <inheritdoc/>
|
|
public async Task<bool> ValidateCredentialsAsync(string username, string password)
|
|
{
|
|
TUser user = await FindByNameAsync(username);
|
|
if (user == null)
|
|
{
|
|
return false;
|
|
}
|
|
|
|
if (Store is not IUserPasswordStore<TUser> userPasswordStore)
|
|
{
|
|
throw new NotSupportedException("The current user store does not implement " + typeof(IUserPasswordStore<>));
|
|
}
|
|
|
|
var hash = await userPasswordStore.GetPasswordHashAsync(user, new CancellationToken());
|
|
|
|
return await VerifyPasswordAsync(userPasswordStore, user, password) == PasswordVerificationResult.Success;
|
|
}
|
|
}
|
|
}
|