AppStd/DigitalData.StaffDBServer
8
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity
DigitalData.StaffDBServer/HRD.LDAPService/Ldap/LdapAuthenticationService.cs

213 lines
8.6 KiB
C#
Raw Blame History

using HRD.LDAPService.JWT;
using System;
using System.DirectoryServices.AccountManagement;
using System.Linq;
namespace HRD.LDAPService
{
public static class LdapAuthenticationService
{
private const string LDAP_DOMAIN = "dhr.local";
private static UserPrincipal GetUserPrincipal(string loginName, PrincipalContext principalContext)
{
try
{
UserPrincipal userPrincipal = UserPrincipal.FindByIdentity(principalContext, IdentityType.SamAccountName, loginName);
if (userPrincipal == null)
{
userPrincipal = UserPrincipal.FindByIdentity(principalContext, loginName);
if (userPrincipal == null)
{
throw new Exception($"Can't find an user by name: '{loginName}'");
}
}
return userPrincipal;
}
catch (Exception ex)
{
throw new Exception($"Login failed wrong user credentials '{loginName}'", ex);
}
}
/// <summary>
/// Returns a User without LDAP user authentication
/// </summary>
/// <param name="ldapUser"></param>
/// <returns></returns>
public static LdapUser RenewIdentity(string token)
{
if (string.IsNullOrEmpty(token)) { throw new ArgumentNullException("Token is empty!"); }
try
{
LdapUser ldapUserFromToken = JwtManager.DecryptTokenAsLdapUser(token);
if (ldapUserFromToken == default)
{
throw new Exception($"Wrong token");
}
using PrincipalContext principalContext = new PrincipalContext(ContextType.Domain, LDAP_DOMAIN);
ldapUserFromToken.IsValidatCredentials = true;
UpdateLdapUserFromPrincipalContext(ref ldapUserFromToken, principalContext);
return ldapUserFromToken;
}
catch (Exception ex)
{
throw new Exception($"Renew failed", ex);
}
}
/// <summary>
/// Returns a User without LDAP user authentication
/// </summary>
/// <param name="ldapUser"></param>
/// <returns></returns>
public static LdapUser RenewIdentity(LdapUser ldapUser)
{
if (ldapUser == default) { return default; }
try
{
if (String.IsNullOrEmpty(ldapUser.LoginName))
{
throw new Exception($"Renew Login failed empty user Loginname");
}
LdapUser ldapUserFromToken = JwtManager.DecryptTokenAsLdapUser(ldapUser.Token);
if (ldapUserFromToken == default)
{
throw new Exception($"Wrong token");
}
if (!string.Equals(ldapUserFromToken.LoginName, ldapUser.LoginName, StringComparison.OrdinalIgnoreCase))
{
throw new Exception($"Loginname and Token-Loginname are not the same");
}
if (ldapUser.IsRealLDAPUser)
{
ldapUserFromToken.IsRealLDAPUser = ldapUser.IsRealLDAPUser;
using PrincipalContext principalContext = new PrincipalContext(ContextType.Domain, LDAP_DOMAIN);
ldapUser.IsValidatCredentials = true;
UpdateLdapUserFromPrincipalContext(ref ldapUserFromToken, principalContext);
}
else
{
ldapUserFromToken.IsRealLDAPUser = false;
ldapUserFromToken.AddPasswordHash(ldapUser.PasswordHash);
if (!string.Equals(ldapUserFromToken.PasswordHashShort, ldapUser.PasswordHashShort, StringComparison.OrdinalIgnoreCase))
{
throw new Exception($"PasswordHashShort and Token-PasswordHashShortare not the same");
}
ldapUserFromToken.IsValidatCredentials = !string.IsNullOrEmpty(ldapUserFromToken.PasswordHash);
ldapUserFromToken.Enabled = ldapUserFromToken.IsValidatCredentials;
ldapUserFromToken.BadLogonCount = ldapUserFromToken.IsValidatCredentials ? 0 : ldapUserFromToken.BadLogonCount + 1;
//ldapUserFromToken.IsAccountLockedOut = ;
//ldapUserFromToken.LdapName = ;
//ldapUserFromToken.LdapSurname = ;
//ldapUserFromToken.LdapGuid = ;
//ldapUserFromToken.Email = ;
//ldapUserFromToken.AccountLockoutTime = ;
}
return ldapUserFromToken;
}
catch (Exception ex)
{
throw new Exception($"Login failed wrong user credentials '{ldapUser.LoginName}'", ex);
}
}
/// <summary>
/// Returns a User after LDAP user authentication
/// </summary>
/// <param name="ldapUser"></param>
/// <returns></returns>
public static bool CheckAndUpdateIdentityWithPassword(LdapUser ldapUser)
{
if (ldapUser == default) { return false; }
try
{
if (String.IsNullOrEmpty(ldapUser.LoginName))
{
throw new Exception($"Login failed wrong user Loginname");
}
if (!JwtTokenConfig.DeaktivateLDAP)
{
ldapUser.IsRealLDAPUser = true;
using var principalContext = new PrincipalContext(ContextType.Domain, LDAP_DOMAIN);
//Check PWD
ldapUser.IsValidatCredentials = principalContext.ValidateCredentials(ldapUser.LoginName, ldapUser.Password);
UpdateLdapUserFromPrincipalContext(ref ldapUser, principalContext);
}
else
{
ldapUser.IsRealLDAPUser = false;
//ldapUser.AddPasswordHash(JWTCrypt.GenerateHashPassword(ldapUser.Password));
var hash = JWTCrypt.SHA512(ldapUser.Password);
ldapUser.AddPasswordHash(hash);
ldapUser.IsValidatCredentials = !string.IsNullOrEmpty(ldapUser.PasswordHash);
if (ldapUser.IsValidatCredentials)
{
ldapUser.Enabled = true;
ldapUser.BadLogonCount = 0;
ldapUser.LastBadPasswordAttempt = null;
}
else
{
ldapUser.Enabled = false;
ldapUser.BadLogonCount = +1;
ldapUser.LastBadPasswordAttempt = DateTime.UtcNow;
}
//ldapUser.IsAccountLockedOut = ;
//ldapUser.LdapName = ;
//ldapUser.LdapSurname = ;
//ldapUser.LdapGuid = ;
//ldapUser.Email = ;
//ldapUser.AccountLockoutTime = ;
}
return true;
}
catch (Exception ex)
{
ldapUser.IsValidatCredentials = false;
throw new Exception($"Login failed wrong user credentials '{ldapUser.LoginName}'", ex);
}
}
private static void UpdateLdapUserFromPrincipalContext(ref LdapUser ldapUser, PrincipalContext principalContext)
{
UserPrincipal userPrincipal = GetUserPrincipal(ldapUser.LoginName, principalContext);
if (userPrincipal == default)
{
throw new Exception($"Renew Login failed wrong user credentials '{ldapUser.LoginName}'");
}
ldapUser.IsAccountLockedOut = userPrincipal.IsAccountLockedOut();
ldapUser.BadLogonCount = userPrincipal.BadLogonCount;
ldapUser.Enabled = userPrincipal.Enabled ?? false;
ldapUser.LastBadPasswordAttempt = userPrincipal.LastBadPasswordAttempt;
ldapUser.LdapName = userPrincipal.Name;
ldapUser.LdapSurname = userPrincipal.Surname;
ldapUser.LdapGuid = userPrincipal.Guid;
ldapUser.Email = userPrincipal.EmailAddress;
ldapUser.AccountLockoutTime = userPrincipal.AccountLockoutTime;
ldapUser.RoleList = ldapUser.RoleList.Union(JWT.JwtTokenConfig.JwtRoleList).ToList();
if (ldapUser.RoleList?.Count > 0)
{
ldapUser = userPrincipal.Context.CheckAndAddGroupMembers(userPrincipal, ldapUser);
}
}
}
}
Reference in New Issue View Git Blame Copy Permalink