Refaktorisierung: Absicherung von DB-Operationen und Verbesserung der Geschäftslogik
- Implementierung von LINQ-Abfragen innerhalb der Core-Bibliothek zur Minderung von SQL-Injection-Anfälligkeiten für DB-Operationen von Umschlägen und Empfängern. - Aktualisierung der Geschäftslogik in der Service-Schicht für verbessertes Transaktionshandling. - Erweiterung der ServiceMessage um eine neue Flag-Funktion zum Verfolgen von Cybersecurity- und Datenintegritätsproblemen. - Hinzufügen spezifischer Benutzerverhaltensflags zur besseren Erkennung und Behandlung potenzieller Datenverletzungen.
This commit is contained in:
Developer 02
@@ -9,6 +9,8 @@ using Microsoft.AspNetCore.Mvc;
|
||||
using System.Diagnostics;
|
||||
using System.Security.Claims;
|
||||
using Microsoft.AspNetCore.Authorization;
|
||||
using DigitalData.Core.API;
|
||||
using DigitalData.Core.Application;
|
||||
|
||||
namespace EnvelopeGenerator.Web.Controllers
|
||||
{
|
||||
@@ -18,136 +20,144 @@ namespace EnvelopeGenerator.Web.Controllers
|
||||
private readonly IConfiguration _config;
|
||||
private readonly IEnvelopeReceiverService _envRcvService;
|
||||
private readonly IEnvelopeService _envelopeService;
|
||||
|
||||
public HomeController(DatabaseService databaseService, EnvelopeOldService envelopeOldService, ILogger<HomeController> logger, IConfiguration configuration, IEnvelopeReceiverService envelopeReceiverService, IEnvelopeService envelopeService) : base(databaseService, logger)
|
||||
private readonly IEnvelopeHistoryService _historyService;
|
||||
public HomeController(DatabaseService databaseService, EnvelopeOldService envelopeOldService, ILogger<HomeController> logger, IConfiguration configuration, IEnvelopeReceiverService envelopeReceiverService, IEnvelopeService envelopeService, IEnvelopeHistoryService historyService) : base(databaseService, logger)
|
||||
{
|
||||
this.envelopeOldService = envelopeOldService;
|
||||
_envRcvService = envelopeReceiverService;
|
||||
_envelopeService = envelopeService;
|
||||
_config = configuration;
|
||||
_historyService = historyService;
|
||||
}
|
||||
|
||||
[HttpGet("/")]
|
||||
public IActionResult Index()
|
||||
{
|
||||
return View();
|
||||
}
|
||||
|
||||
[HttpPost("/")]
|
||||
public IActionResult DebugEnvelopes([FromForm] string? password)
|
||||
{
|
||||
try
|
||||
{
|
||||
var passwordFromConfig = _config["Config:AdminPassword"];
|
||||
|
||||
if (passwordFromConfig == null)
|
||||
{
|
||||
ViewData["error"] = "No admin password configured!";
|
||||
return View("Index");
|
||||
}
|
||||
|
||||
if (password != passwordFromConfig)
|
||||
{
|
||||
ViewData["error"] = "Wrong Password!";
|
||||
return View("Index");
|
||||
}
|
||||
|
||||
List<Envelope> envelopes = envelopeOldService.LoadEnvelopes();
|
||||
|
||||
return View(envelopes);
|
||||
}
|
||||
catch(Exception ex)
|
||||
{
|
||||
_logger.LogError(ex, "Unexpected error");
|
||||
ViewData["error"] = "Unknown error!";
|
||||
return View("Index");
|
||||
}
|
||||
}
|
||||
|
||||
|
||||
[HttpGet("/EnvelopeKey/{envelopeReceiverId}")]
|
||||
public async Task<IActionResult> SendAccessCode([FromRoute] string envelopeReceiverId)
|
||||
{
|
||||
var envelope = await _envelopeService.ReadByUuidAsync(envelopeReceiverId.GetEnvelopeUuid());
|
||||
|
||||
EnvelopeResponse response = await envelopeOldService.LoadEnvelope(envelopeReceiverId);
|
||||
|
||||
if (response.Envelope.UseAccessCode)
|
||||
ViewData["EnvelopeKey"] = envelopeReceiverId;
|
||||
try
|
||||
{
|
||||
bool accessCodeAlreadyRequested = database.Models.receiverModel.AccessCodeAlreadyRequested(response.Receiver.Email, response.Envelope.Id);
|
||||
(string envelopeUuid, string receiverSignature) = envelopeReceiverId.DecodeEnvelopeReceiverId();
|
||||
var envelopeResult = await _envelopeService.ReadByUuidAsync(envelopeUuid, signature: receiverSignature, withEnvelopeReceivers:true);
|
||||
var envelope = envelopeResult.Data;
|
||||
var envelopeReceiver = envelope?.EnvelopeReceivers?.FirstOrDefault();
|
||||
var mailAddress = envelopeReceiver?.Receiver?.EmailAddress;
|
||||
var useAccessCode = envelope?.UseAccessCode;
|
||||
|
||||
if (!accessCodeAlreadyRequested)
|
||||
ViewData["EnvelopeResult"] = envelopeResult;
|
||||
if(envelopeResult.IsSuccess && envelope is not null && mailAddress is not null && (envelope.UseAccessCode ?? false))
|
||||
{
|
||||
EnvelopeResponse response = await envelopeOldService.LoadEnvelope(envelopeReceiverId);
|
||||
|
||||
bool accessCodeAlreadyRequested = database.Models.receiverModel.AccessCodeAlreadyRequested(response.Receiver.Email, response.Envelope.Id);
|
||||
accessCodeAlreadyRequested = await _historyService.AccessCodeAlreadyRequested(envelopeId: envelope.Id, userReference: mailAddress);
|
||||
if (!accessCodeAlreadyRequested)
|
||||
{
|
||||
// Send email with password
|
||||
bool actionResult = database.Services.actionService.RequestAccessCode(response.Envelope, response.Receiver);
|
||||
bool result = database.Services.emailService.SendDocumentAccessCodeReceivedEmail(response.Envelope, response.Receiver);
|
||||
}
|
||||
}
|
||||
else
|
||||
{
|
||||
// Send email with password
|
||||
bool actionResult = database.Services.actionService.RequestAccessCode(response.Envelope, response.Receiver);
|
||||
bool result = database.Services.emailService.SendDocumentAccessCodeReceivedEmail(response.Envelope, response.Receiver);
|
||||
envelopeResult.WithMessageKey(MessageKey.FailedToSendAccessCode);
|
||||
_logger.LogError($"{MessageKey.FailedToSendAccessCode.ToString()}");
|
||||
}
|
||||
}
|
||||
catch(Exception ex)
|
||||
{
|
||||
_logger.LogError(ex, MessageKey.UnexpectedError.ToString());
|
||||
}
|
||||
|
||||
return Redirect($"/EnvelopeKey/{envelopeReceiverId}/Locked");
|
||||
return View("EnvelopeLocked").WithData("EnvelopeKey", envelopeReceiverId);
|
||||
}
|
||||
|
||||
[HttpGet("/EnvelopeKey/{envelopeReceiverId}/Locked")]
|
||||
[HttpGet("EnvelopeKey/{envelopeReceiverId}/Locked")]
|
||||
public IActionResult EnvelopeLocked([FromRoute] string envelopeReceiverId)
|
||||
{
|
||||
ViewData["EnvelopeKey"] = envelopeReceiverId;
|
||||
return View();
|
||||
return View().WithData("EnvelopeKey", envelopeReceiverId);
|
||||
}
|
||||
|
||||
[HttpPost("/EnvelopeKey/{envelopeReceiverId}/Locked")]
|
||||
public async Task<IActionResult> LogInEnvelope([FromRoute] string envelopeReceiverId, [FromForm] string access_code)
|
||||
{
|
||||
var decodedId = envelopeReceiverId.DecodeEnvelopeReceiverId();
|
||||
|
||||
_logger.LogInformation($"Envelope UUID: [{decodedId.EnvelopeUuid}]");
|
||||
_logger.LogInformation($"Receiver Signature: [{decodedId.ReceiverSignature}]");
|
||||
|
||||
var verification = await _envRcvService.VerifyAccessCode(decodedId.EnvelopeUuid, access_code);
|
||||
EnvelopeResponse response = await envelopeOldService.LoadEnvelope(envelopeReceiverId);
|
||||
|
||||
if (verification.IsSuccess)
|
||||
try
|
||||
{
|
||||
if (envelopeOldService.ReceiverAlreadySigned(response.Envelope, response.Receiver.Id))
|
||||
(string? uuid, string? signature) = envelopeReceiverId.DecodeEnvelopeReceiverId();
|
||||
|
||||
if(uuid is null || signature is null)
|
||||
{
|
||||
return Redirect("/EnvelopeKey/{envelopeReceiverId}/Success");
|
||||
_logger.LogWarning($"{MessageKey.WrongEnvelopeReceiverId.ToString()}");
|
||||
return BadRequest(_envelopeService.CreateMessage(false, MessageKey.WrongEnvelopeReceiverId.ToString()));
|
||||
}
|
||||
|
||||
var envelope = await _envelopeService.ReadByUuidAsync(uuid: decodedId.EnvelopeUuid, signature: decodedId.ReceiverSignature, withAll: true);
|
||||
database.Services.actionService.EnterCorrectAccessCode(response.Envelope, response.Receiver); //for history
|
||||
ViewData["EnvelopeKey"] = envelopeReceiverId;
|
||||
ViewData["EnvelopeResponse"] = response;
|
||||
_logger.LogInformation($"Envelope UUID: [{uuid}]\nReceiver Signature: [{signature}]");
|
||||
|
||||
if (response.Envelope.Documents.Count() > 0)
|
||||
var verification = await _envRcvService.VerifyAccessCodeAsync(uuid: uuid, signature: signature, accessCode: access_code);
|
||||
var isVerified = verification.Data;
|
||||
|
||||
EnvelopeResponse response = await envelopeOldService.LoadEnvelope(envelopeReceiverId);
|
||||
|
||||
if (!verification.IsSuccess)
|
||||
{
|
||||
var document = await envelopeOldService.GetDocument(response.Envelope.Documents[0].Id, envelopeReceiverId);
|
||||
byte[] bytes = await envelopeOldService.GetDocumentContents(document);
|
||||
ViewData["DocumentBytes"] = bytes;
|
||||
_logger.LogServiceMessage(verification);
|
||||
|
||||
if (verification.HasFlag(Flag.SecurityBreach))
|
||||
return Forbid();
|
||||
|
||||
return StatusCode(StatusCodes.Status500InternalServerError, verification.ClientMessages.Join());
|
||||
}
|
||||
else if (isVerified)
|
||||
{
|
||||
if (envelopeOldService.ReceiverAlreadySigned(response.Envelope, response.Receiver.Id))
|
||||
{
|
||||
return Redirect($"/EnvelopeKey/{envelopeReceiverId}/Success");
|
||||
}
|
||||
|
||||
var envelope = await _envelopeService.ReadByUuidAsync(uuid: uuid, signature: signature, withAll: true);
|
||||
|
||||
database.Services.actionService.EnterCorrectAccessCode(response.Envelope, response.Receiver); //for history
|
||||
ViewData["EnvelopeKey"] = envelopeReceiverId;
|
||||
ViewData["EnvelopeResponse"] = response;
|
||||
|
||||
if (response.Envelope.Documents.Count() > 0)
|
||||
{
|
||||
var document = await envelopeOldService.GetDocument(response.Envelope.Documents[0].Id, envelopeReceiverId);
|
||||
byte[] bytes = await envelopeOldService.GetDocumentContents(document);
|
||||
ViewData["DocumentBytes"] = bytes;
|
||||
}
|
||||
else
|
||||
ViewData["DocumentBytes"] = null;
|
||||
|
||||
var claims = new List<Claim>
|
||||
{
|
||||
new Claim(ClaimTypes.NameIdentifier, uuid),
|
||||
new Claim(ClaimTypes.Hash, signature),
|
||||
};
|
||||
|
||||
var claimsIdentity = new ClaimsIdentity(claims, CookieAuthenticationDefaults.AuthenticationScheme);
|
||||
var authProperties = new AuthenticationProperties
|
||||
{
|
||||
};
|
||||
|
||||
await HttpContext.SignInAsync(
|
||||
CookieAuthenticationDefaults.AuthenticationScheme,
|
||||
new ClaimsPrincipal(claimsIdentity),
|
||||
authProperties);
|
||||
|
||||
return View("ShowEnvelope", envelope);
|
||||
}
|
||||
else
|
||||
ViewData["DocumentBytes"] = null;
|
||||
|
||||
var claims = new List<Claim>
|
||||
{
|
||||
new Claim(ClaimTypes.NameIdentifier, decodedId.EnvelopeUuid),
|
||||
new Claim(ClaimTypes.Hash, decodedId.ReceiverSignature),
|
||||
};
|
||||
database.Services.actionService.EnterIncorrectAccessCode(response.Envelope, response.Receiver); //for history
|
||||
_logger.LogWarning(string.Join("\n", verification.Messages));
|
||||
return Unauthorized();
|
||||
|
||||
var claimsIdentity = new ClaimsIdentity(claims, CookieAuthenticationDefaults.AuthenticationScheme);
|
||||
var authProperties = new AuthenticationProperties
|
||||
{
|
||||
};
|
||||
|
||||
await HttpContext.SignInAsync(
|
||||
CookieAuthenticationDefaults.AuthenticationScheme,
|
||||
new ClaimsPrincipal(claimsIdentity),
|
||||
authProperties);
|
||||
|
||||
return View("ShowEnvelope", envelope);
|
||||
}
|
||||
else
|
||||
}
|
||||
}
|
||||
catch(Exception ex)
|
||||
{
|
||||
database.Services.actionService.EnterIncorrectAccessCode(response.Envelope, response.Receiver); //for history
|
||||
return Unauthorized();
|
||||
|
||||
_logger.LogError(ex, MessageKey.UnexpectedError.ToString());
|
||||
return this.InnerServiceError(messageKey: MessageKey.UnexpectedError);
|
||||
}
|
||||
}
|
||||
|
||||
@@ -168,14 +178,11 @@ namespace EnvelopeGenerator.Web.Controllers
|
||||
return Ok(new { EnvelopeUuid = envelopeUuid, ReceiverSignature = receiverSignature });
|
||||
}
|
||||
|
||||
[HttpGet("Error")]
|
||||
[ResponseCache(Duration = 0, Location = ResponseCacheLocation.None, NoStore = true)]
|
||||
public IActionResult Error()
|
||||
{
|
||||
return View(new ErrorViewModel { RequestId = Activity.Current?.Id ?? HttpContext.TraceIdentifier });
|
||||
}
|
||||
|
||||
[Authorize]
|
||||
[HttpGet("test")]
|
||||
public string Test() => "Test";
|
||||
}
|
||||
}
|
||||
Reference in New Issue
Block a user