hw

demos/HW01Demo/ConsoleApp01/Program.cs

@@ -10,6 +10,8 @@ namespace ConsoleApp01
         {
             Console.WriteLine("ics0031-2020f Andres.Kaver HW01");
 
+            Cesar();
+            
             RSADemo();
 
             /*

demos/HW02Demo/Domain/Cesar.cs

+using Microsoft.AspNetCore.Identity;
+
 namespace Domain
 {
     public class Cesar
@@ -6,5 +8,8 @@ namespace Domain
         public int Key { get; set; }
         public string PlainText { get; set; }
         public string CypherText { get; set; }
+
+        public string UserId { get; set; }
+        public IdentityUser User { get; set; }
     }
 }

demos/HW02Demo/Domain/Domain.csproj

@@ -4,4 +4,8 @@
         <TargetFramework>netstandard2.1</TargetFramework>
     </PropertyGroup>
 
+    <ItemGroup>
+      <PackageReference Include="Microsoft.Extensions.Identity.Stores" Version="3.1.8" />
+    </ItemGroup>
+
 </Project>

demos/HW02Demo/WebApp/Controllers/CesarsController.cs

 using System;
 using System.Collections.Generic;
 using System.Linq;
+using System.Security.Claims;
 using System.Text;
 using System.Threading.Tasks;
 using Microsoft.AspNetCore.Mvc;
 using Microsoft.AspNetCore.Mvc.Rendering;
 using Microsoft.EntityFrameworkCore;
 using Domain;
+using Microsoft.AspNetCore.Authorization;
 using WebApp.Data;
 
 namespace WebApp.Controllers
 {
+    [Authorize]
     public class CesarsController : Controller
     {
         private readonly ApplicationDbContext _context;
 
         public CesarsController(ApplicationDbContext context)
         {
+
             _context = context;
         }
 
+
+        public string GetUserId()
+        {
+            var claim = User.Claims.FirstOrDefault(c => c.Type == ClaimTypes.NameIdentifier);
+            return claim?.Value ?? "";
+        }
+
         // GET: Cesars
         public async Task<IActionResult> Index()
         {
-            return View(await _context.Cesars.ToListAsync());
+            var userId = GetUserId();
+            return View(await _context.Cesars.Where(c => c.UserId == userId).ToListAsync());
+
         }
 
         // GET: Cesars/Details/5
@@ -64,6 +77,7 @@ namespace WebApp.Controllers
             {
                 cesar.Key = cesar.Key % 255;
                 cesar.CypherText = System.Convert.ToBase64String(Crypto.Cesar.CesarEncryptString(cesar.PlainText, (byte) cesar.Key, Encoding.Default));
+                cesar.UserId = GetUserId();
                 _context.Add(cesar);
                 await _context.SaveChangesAsync();
                 return RedirectToAction(nameof(Index));
@@ -104,7 +118,7 @@ namespace WebApp.Controllers
         // more details, see http://go.microsoft.com/fwlink/?LinkId=317598.
         [HttpPost]
         [ValidateAntiForgeryToken]
-        public async Task<IActionResult> Edit(int id, [Bind("Id,Key,PlainText,CypherText")] Cesar cesar)
+        public async Task<IActionResult> Edit(int id, Cesar cesar)
         {
             if (id != cesar.Id)
             {
@@ -112,7 +126,8 @@ namespace WebApp.Controllers
             }
 
             ValidateCesar(cesar);
-           
+
+            cesar.UserId = GetUserId();
             
             if (ModelState.IsValid)
             {
@@ -163,7 +178,9 @@ namespace WebApp.Controllers
         [ValidateAntiForgeryToken]
         public async Task<IActionResult> DeleteConfirmed(int id)
         {
+            // TODO: .where(c => c.Id == id && c.UserId == GetUserId()
             var cesar = await _context.Cesars.FindAsync(id);
+            
             _context.Cesars.Remove(cesar);
             await _context.SaveChangesAsync();
             return RedirectToAction(nameof(Index));

demos/HW02Demo/WebApp/Controllers/HomeController.cs

@@ -3,12 +3,14 @@ using System.Collections.Generic;
 using System.Diagnostics;
 using System.Linq;
 using System.Threading.Tasks;
+using Microsoft.AspNetCore.Authorization;
 using Microsoft.AspNetCore.Mvc;
 using Microsoft.Extensions.Logging;
 using WebApp.Models;
 
 namespace WebApp.Controllers
 {
+    [Authorize]
     public class HomeController : Controller
     {
         private readonly ILogger<HomeController> _logger;
@@ -18,6 +20,7 @@ namespace WebApp.Controllers
             _logger = logger;
         }
 
+        [AllowAnonymous]
         public IActionResult Index()
         {
             //return "OK";
@@ -29,6 +32,7 @@ namespace WebApp.Controllers
             return "Test it is!";
         }
 
+        
         public IActionResult Privacy()
         {
             return View();

demos/HW02Demo/WebApp/Data/ApplicationDbContext.cs

@@ -3,11 +3,14 @@ using System.Collections.Generic;
 using System.Security.Permissions;
 using System.Text;
 using Domain;
+using Microsoft.AspNetCore.Identity;
 using Microsoft.AspNetCore.Identity.EntityFrameworkCore;
 using Microsoft.EntityFrameworkCore;
 
 namespace WebApp.Data
 {
+
+
     public class ApplicationDbContext : IdentityDbContext
     {
         public ApplicationDbContext(DbContextOptions<ApplicationDbContext> options)

demos/HW02Demo/WebApp/Views/Cesars/Create.cshtml

@@ -14,17 +14,17 @@
             <div asp-validation-summary="ModelOnly" class="text-danger"></div>
             <div class="form-group">
                 <label asp-for="Key" class="control-label"></label>
-                <input asp-for="Key" class="form-control" />
+                <input asp-for="Key" class="form-control"/>
                 <span asp-validation-for="Key" class="text-danger"></span>
             </div>
             <div class="form-group">
                 <label asp-for="PlainText" class="control-label"></label>
-                <input asp-for="PlainText" class="form-control" />
+                <input asp-for="PlainText" class="form-control"/>
                 <span asp-validation-for="PlainText" class="text-danger"></span>
             </div>
 
             <div class="form-group">
-                <input type="submit" value="Create" class="btn btn-primary" />
+                <input type="submit" value="Create" class="btn btn-primary"/>
             </div>
         </form>
     </div>

demos/HW02Demo/WebApp/Views/Cesars/Edit.cshtml

@@ -13,6 +13,7 @@
         <form asp-action="Edit">
             <div asp-validation-summary="ModelOnly" class="text-danger"></div>
             <input type="hidden" asp-for="Id" />
+            
             <div class="form-group">
                 <label asp-for="Key" class="control-label"></label>
                 <input asp-for="Key" class="form-control" />

demos/HW02Demo/WebApp/Views/Cesars/Index.cshtml

@@ -21,7 +21,7 @@
             <th>
                 @Html.DisplayNameFor(model => model.CypherText)
             </th>
-            <th>Decrypt</th>
+            <th>UserId</th>
             <th></th>
         </tr>
     </thead>
@@ -38,7 +38,7 @@
                 @Html.DisplayFor(modelItem => item.CypherText)
             </td>
             <td>
-                ----
+                @item.UserId
             </td>
             <td>
                 <a asp-action="Edit" asp-route-id="@item.Id">Edit</a> |

demos/HW02Demo/WebApp/Views/Home/Privacy.cshtml

@@ -3,4 +3,26 @@
 }
 <h1>@ViewData["Title"]</h1>
 
-<p>Use this page to detail your site's privacy policy.</p>
\ No newline at end of file
+<p>No privacy here</p>
+<h2>Claims</h2>
+<table>
+    <tr>
+        <th>Type</th>
+        <th>Value</th>
+        <th>ValueType</th>
+    </tr>
+    @foreach (var claim in User.Claims)
+    {
+        <tr>
+            <td>
+                @claim.Type
+            </td>
+            <td>
+                @claim.Value
+            </td>
+            <td>
+                @claim.ValueType
+            </td>
+        </tr>
+    }
+</table>
\ No newline at end of file

hw/HOMEWORK.md

@@ -46,3 +46,9 @@ Re-implement diffie-hellman and rsa as web app (move crypto functions into separ
 
 In the case of RSA implement encryption of text (convert it to bytes) and decryption (Also in console app).
 
+## HW05
+
+***Deadline 2020-11-08 23:59:59***
+
+Secure your web app controllers (diffie-helman and rsa) as was demonstrated in class. IDOR. Use the built in identity system. Check for correct user and correct ownership of resources on every controller action.
+