
#1099 : Current user is validated against all API calls.

michaellwest committed Mar 9, 2019
1 parent b585736 commit e84699e74c40bc8dc28733b86a08d43f6691e3b9
@@ -124,19 +124,20 @@ public void ProcessRequest(HttpContext context)

var isAuthenticated = Context.IsLoggedIn;

if (!CheckServiceAuthentication(context, apiVersion, serviceName, isAuthenticated))
if (!CheckServiceAuthentication(context, serviceName, identity, isAuthenticated))
{
return;
}

var useContextDatabase = apiVersion.Is("file") || apiVersion.Is("handle") || !isAuthenticated ||
string.IsNullOrEmpty(originParam) || originParam.Is("current");

// in some cases we need to set the database as it's still set to web after authentication
if (!scDb.IsNullOrEmpty())
{
Context.Database = Database.GetDatabase(scDb);
}

var useContextDatabase = apiVersion.Is("file") || apiVersion.Is("handle") || !isAuthenticated ||
string.IsNullOrEmpty(originParam) || originParam.Is("current");
var scriptDb = useContextDatabase ? Context.Database : Database.GetDatabase(originParam);
var dbName = scriptDb?.Name;

@@ -243,32 +244,21 @@ private static bool CheckServiceEnabled(HttpContext context, string apiVersion,
return false;
}

private static bool CheckServiceAuthentication(HttpContext context, string apiVersion, string serviceName, bool isAuthenticated)
private static bool CheckServiceAuthentication(HttpContext context, string serviceName, AccountIdentity identity, bool isAuthenticated)
{
var skipAuthentication = false;
if (identity.Name == Context.User.Name) return true;

switch (apiVersion)
{
case "1":
case "2":
skipAuthentication = true;
break;
default:
if (!isAuthenticated)
{
const string disabledMessage =
"The request could not be completed because the service requires authentication.";
if (isAuthenticated) return true;

context.Response.StatusCode = 401;
context.Response.StatusDescription = disabledMessage;
context.Response.SuppressFormsAuthenticationRedirect = true;
PowerShellLog.Error($"Attempt to call the {serviceName} service failed as - user not logged in, authentication failed, or no credentials provided.");
}
const string disabledMessage =
"The request could not be completed because the service requires authentication.";

break;
}
context.Response.StatusCode = 401;
context.Response.StatusDescription = disabledMessage;
context.Response.SuppressFormsAuthenticationRedirect = true;
PowerShellLog.Error($"Attempt to call the {serviceName} service failed as - user not logged in, authentication failed, or no credentials provided.");

return skipAuthentication || isAuthenticated;
return false;
}

private static bool CheckIsUserAuthorized(HttpContext context, string authUserName, string serviceName)
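Review bot: The new first line of CheckServiceAuthentication, `if (identity.Name == Context.User.Name) return true;`, runs before `isAuthenticated` is consulted, so the only case in which it changes the result is a context user that is not logged in but carries the same name as `identity` — if `Context.User` can be the anonymous account at this point, a request naming that account passes without reaching the 401 branch. If that is intended, a comment above the line should say so; otherwise the shortcut is redundant with the following `if (isAuthenticated) return true;` and can be dropped, or made explicit as `if (isAuthenticated && identity.Name == Context.User.Name) return true;`. `identity` is also dereferenced without a null check; if the caller can pass null when no user is supplied, use `identity?.Name` or return false early. C#'s `==` on strings is ordinal and case-sensitive; if user names are compared case-insensitively elsewhere in the project, prefer `string.Equals(identity.Name, Context.User.Name, StringComparison.OrdinalIgnoreCase)`.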
@@ -65,11 +65,15 @@ Describe "Web API Responses" {
}
It "Wrong password should throw exception" {
$execution = { Invoke-RestMethod -Uri "$protocolHost/-/script/v2/master/ChildrenAsHtml?user=admin&password=invalid" }
$execution | Should Throw "(404) Not Found"
$execution | Should Throw "(401) Unauthorized"
}
It "Non existing user should throw exception" {
$execution = { Invoke-RestMethod -Uri "$protocolHost/-/script/v2/master/ChildrenAsHtml?user=non_existing&password=invalid" }
$execution | Should Throw "(401) Unauthorized"
}
It "Not found script should throw exception" {
$execution = { Invoke-RestMethod -Uri "$protocolHost/-/script/v2/master/NotFound" }
$execution | Should Throw "(404) Not Found"
}
}
}
