adds authorization to the scheduled publishing , this new attribute can be used to secure scheduled tasks as well.

Shazwazza · Shazwazza · commit 65ea6f94d337 · 2014-06-23T15:02:23.000+10:00
diff --git a/src/Umbraco.Web/Mvc/AdminTokenAuthorizeAttribute.cs b/src/Umbraco.Web/Mvc/AdminTokenAuthorizeAttribute.cs
@@ -0,0 +1,108 @@
+﻿using System;
+using System.Text;
+using System.Text.RegularExpressions;
+using System.Web;
+using System.Web.Mvc;
+using Umbraco.Core;
+using Umbraco.Core.Logging;
+
+namespace Umbraco.Web.Mvc
+{
+    /// <summary>
+    /// Used for authorizing scheduled tasks
+    /// </summary>
+    public sealed class AdminTokenAuthorizeAttribute : AuthorizeAttribute
+    {
+        private readonly ApplicationContext _applicationContext;
+
+        /// <summary>
+        /// THIS SHOULD BE ONLY USED FOR UNIT TESTS
+        /// </summary>
+        /// <param name="appContext"></param>
+        public AdminTokenAuthorizeAttribute(ApplicationContext appContext)
+        {
+            if (appContext == null) throw new ArgumentNullException("appContext");
+            _applicationContext = appContext;
+        }
+
+        public AdminTokenAuthorizeAttribute()
+        {
+        }
+
+        private ApplicationContext GetApplicationContext()
+        {
+            return _applicationContext ?? ApplicationContext.Current;
+        }
+
+        /// <summary>
+        /// Used to return the value that needs to go in the Authorization header
+        /// </summary>
+        /// <param name="appContext"></param>
+        /// <returns></returns>
+        public static string GetAuthHeaderTokenVal(ApplicationContext appContext)
+        {
+            var admin = appContext.Services.UserService.GetUserById(0);
+
+            var token = string.Format("{0}u____u{1}u____u{2}", admin.Email, admin.Username, admin.RawPasswordValue);
+
+            var encrypted = token.EncryptWithMachineKey();
+            var bytes = Encoding.UTF8.GetBytes(encrypted);
+            var base64 = Convert.ToBase64String(bytes);
+            return "AToken val=\"" + base64 + "\"";
+        }
+
+        /// <summary>
+        /// Ensures that the user must be in the Administrator or the Install role
+        /// </summary>
+        /// <param name="httpContext"></param>
+        /// <returns></returns>
+        protected override bool AuthorizeCore(HttpContextBase httpContext)
+        {
+            if (httpContext == null) throw new ArgumentNullException("httpContext");
+
+            var appContext = GetApplicationContext();
+
+            //we need to that the app is configured and that a user is logged in
+            if (appContext.IsConfigured == false) return false;
+
+            //need the auth header
+            if (httpContext.Request.Headers["Authorization"] == null || httpContext.Request.Headers["Authorization"].IsNullOrWhiteSpace()) return false;
+
+            var header = httpContext.Request.Headers["Authorization"];
+            if (header.StartsWith("AToken ") == false) return false;
+
+            var keyVal = Regex.Matches(header, "AToken val=(.*?)(?:$|\\s)");
+            if (keyVal.Count != 1) return false;
+            if (keyVal[0].Groups.Count != 2) return false;
+
+            var admin = appContext.Services.UserService.GetUserById(0);
+            if (admin == null) return false;
+
+            try
+            {
+                //get the token value from the header
+                var val = keyVal[0].Groups[1].Value.Trim("\"");
+                //un-base 64 the string
+                var bytes = Convert.FromBase64String(val);
+                var encrypted = Encoding.UTF8.GetString(bytes);
+                //decrypt the string
+                var text = encrypted.DecryptWithMachineKey();
+                
+                //split
+                var split = text.Split(new[] {"u____u"}, StringSplitOptions.RemoveEmptyEntries);
+                if (split.Length != 3) return false;
+                
+                //compare
+                return
+                    split[0] == admin.Email
+                    && split[1] == admin.Username
+                    && split[2] == admin.RawPasswordValue;
+            }
+            catch (Exception ex)
+            {
+                LogHelper.Error<AdminTokenAuthorizeAttribute>("Failed to format passed in token value", ex);
+                return false;
+            }
+        }
+    }
+}
diff --git a/src/Umbraco.Web/Mvc/UmbracoAuthorizeAttribute.cs b/src/Umbraco.Web/Mvc/UmbracoAuthorizeAttribute.cs
@@ -7,7 +7,7 @@
 
 namespace Umbraco.Web.Mvc
 {
-	/// <summary>	
+    /// <summary>	
 	/// Ensures authorization is successful for a back office user
 	/// </summary>
 	public sealed class UmbracoAuthorizeAttribute : AuthorizeAttribute
diff --git a/src/Umbraco.Web/Scheduling/ScheduledPublishing.cs b/src/Umbraco.Web/Scheduling/ScheduledPublishing.cs
@@ -1,10 +1,12 @@
 using System;
 using System.Diagnostics;
 using System.Net;
+using System.Text;
 using Umbraco.Core;
 using Umbraco.Core.Logging;
 using Umbraco.Core.Publishing;
 using Umbraco.Core.Sync;
+using Umbraco.Web.Mvc;
 
 namespace Umbraco.Web.Scheduling
 {
@@ -28,7 +30,10 @@ public void Start(object sender)
                 var umbracoBaseUrl = ServerEnvironmentHelper.GetCurrentServerUmbracoBaseUrl();
                 var url = string.Format("{0}/RestServices/ScheduledPublish/", umbracoBaseUrl);
                 using (var wc = new WebClient())
-                {                    
+                {
+                    //pass custom the authorization header
+                    wc.Headers.Set("Authorization", AdminTokenAuthorizeAttribute.GetAuthHeaderTokenVal(appContext));
+
                     var result = wc.UploadString(url, "");
                 }
             }
diff --git a/src/Umbraco.Web/Umbraco.Web.csproj b/src/Umbraco.Web/Umbraco.Web.csproj
@@ -302,6 +302,7 @@
     <Compile Include="Models\IRenderModel.cs" />
     <Compile Include="Models\PostRedirectModel.cs" />
     <Compile Include="Models\PublishedProperty.cs" />
+    <Compile Include="Mvc\AdminTokenAuthorizeAttribute.cs" />
     <Compile Include="Mvc\RedirectToUmbracoUrlResult.cs" />
     <Compile Include="PublishedCache\MemberPublishedContent.cs" />
     <Compile Include="PublishedCache\RawValueProperty.cs" />
diff --git a/src/Umbraco.Web/WebServices/ScheduledPublishController.cs b/src/Umbraco.Web/WebServices/ScheduledPublishController.cs
@@ -7,11 +7,10 @@
 
 namespace Umbraco.Web.WebServices
 {
-    //TODO: How to authenticate?
-
     /// <summary>
     /// A REST controller used for running the scheduled publishing, this is called from the background worker timer
     /// </summary>
+    [AdminTokenAuthorize]
     public class ScheduledPublishController : UmbracoController
     {
         private static bool _isPublishingRunning = false;

Original file line number	Diff line number	Diff line change
`@@ -7,7 +7,7 @@`
`7`	`7`
`8`	`8`	`namespace Umbraco.Web.Mvc`
`9`	`9`	`{`
`10`		`- /// <summary>`
	`10`	`+ /// <summary>`
`11`	`11`	`/// Ensures authorization is successful for a back office user`
`12`	`12`	`/// </summary>`
`13`	`13`	`public sealed class UmbracoAuthorizeAttribute : AuthorizeAttribute`
Original file line number	Diff line number	Diff line change
`@@ -7,11 +7,10 @@`
`7`	`7`
`8`	`8`	`namespace Umbraco.Web.WebServices`
`9`	`9`	`{`
`10`		`- //TODO: How to authenticate?`
`11`		`-`
`12`	`10`	`/// <summary>`
`13`	`11`	`/// A REST controller used for running the scheduled publishing, this is called from the background worker timer`
`14`	`12`	`/// </summary>`
	`13`	`+ [AdminTokenAuthorize]`
`15`	`14`	`public class ScheduledPublishController : UmbracoController`
`16`	`15`	`{`
`17`	`16`	`private static bool _isPublishingRunning = false;`