cisagov · LaddieZeigler · Sep 30, 2024 · Sep 30, 2024
diff --git a/CSETWebApi/CSETWeb_Api/CSETWebCore.Business/Notification/NotificationBusiness.cs b/CSETWebApi/CSETWeb_Api/CSETWebCore.Business/Notification/NotificationBusiness.cs
@@ -18,6 +18,7 @@
 using System.Threading.Tasks;
 using HtmlAgilityPack;
 using System.IO;
+using DocumentFormat.OpenXml.Wordprocessing;
 
 
 namespace CSETWebCore.Business.Notification
@@ -134,6 +135,13 @@ public void InviteToAssessment(ContactCreateParameters contact)
         /// <param name="password"></param>
         public void SendPasswordEmail(string email, string firstName, string lastName, string password, string appName)
         {
+            // make sure we default to a known app name
+            if (!_appDisplayName.ContainsKey(appName))
+            {
+                appName = "CSET";
+            }
+
+
             string bodyHtml = _resourceHelper.GetEmbeddedResource(Path.Combine("App_Data", @"passwordCreationTemplate_{{scope}}.html"), appName);
             var emailConfig = _configuration.GetSection("Email").AsEnumerable();
             bodyHtml = bodyHtml.Replace("{{name}}", firstName + " " + lastName);
@@ -148,7 +156,7 @@ public void SendPasswordEmail(string email, string firstName, string lastName, s
 
 
             MailMessage message = new MailMessage();
-            message.Subject = "New " + _appDisplayName[appName] + " account creation";
+            message.Subject = $"New {_appDisplayName[appName]} account creation";
             message.Body = bodyHtml;
             message.To.Add(new MailAddress(email));
             message.From = new MailAddress(
@@ -171,6 +179,12 @@ public void SendPasswordEmail(string email, string firstName, string lastName, s
         /// <param name="password"></param>
         public void SendInviteePassword(string email, string firstName, string lastName, string password, string appName)
         {
+            // make sure we default to a known app name
+            if (!_appDisplayName.ContainsKey(appName))
+            {
+                appName = "CSET";
+            }
+
             var emailConfig = _configuration.GetSection("Email").AsEnumerable();
             string bodyHtml = _resourceHelper.GetEmbeddedResource(Path.Combine("App_Data", @"invitedPasswordCreationTemplate_{{scope}}.html"), appName);
             bodyHtml = bodyHtml.Replace("{{name}}", firstName + " " + lastName);
@@ -185,7 +199,7 @@ public void SendInviteePassword(string email, string firstName, string lastName,
 
 
             MailMessage message = new MailMessage();
-            message.Subject = "You are invited to " + _appDisplayName[appName];
+            message.Subject = $"You are invited to {_appDisplayName[appName]}";
             message.Body = bodyHtml;
             message.To.Add(new MailAddress(email));
             message.From = new MailAddress(
@@ -209,7 +223,14 @@ public void SendInviteePassword(string email, string firstName, string lastName,
         /// <param name="subject"></param>
         public void SendPasswordResetEmail(string email, string firstName, string lastName, string password, string subject, string appName)
         {
+            // make sure we default to a known app name
+            if (!_appDisplayName.ContainsKey(appName))
+            {
+                appName = "CSET";
+            }
+
             SetScope(appName);
+
             string bodyHtml = _resourceHelper.GetEmbeddedResource(Path.Combine("App_Data", @"passwordResetTemplate_{{scope}}.html"), appName);
             string name = (firstName + " " + lastName).Trim();
             var emailConfig = _configuration.GetSection("Email").AsEnumerable();
@@ -306,6 +327,13 @@ public void SendTestEmail(string recip)
         {
             SetScope();
 
+            // make sure we default to a known app name
+            var appName = "CSET";
+            if (_appDisplayName.ContainsKey(_scope))
+            {
+                appName = _appDisplayName[_scope];
+            }
+
             // only send the email if configured to do so (unpublished app setting)
             var emailConfig = _configuration.GetSection("Email").AsEnumerable();
             bool allowed = false;
@@ -319,7 +347,7 @@ public void SendTestEmail(string recip)
             }
 
             MailMessage m = new MailMessage();
-            m.Subject = _appDisplayName[_scope] + " Test Message";
+            m.Subject = $"{appName} Test Message";
             m.Body = string.Format("Testing email server {0} on port {1}",
                 emailConfig.FirstOrDefault(x => x.Key == "Email:SmtpHost").Value,
                 emailConfig.FirstOrDefault(x => x.Key == "Email:SmtpPort").Value);

diff --git a/CSETWebApi/CSETWeb_Api/CSETWebCore.Helpers/UserAccountSecurityManager.cs b/CSETWebApi/CSETWeb_Api/CSETWebCore.Helpers/UserAccountSecurityManager.cs
@@ -19,6 +19,7 @@
 using CSETWebCore.Model.Auth;
 using System.IO;
 using Microsoft.AspNetCore.Hosting;
+using NLog;
 
 namespace CSETWebCore.Helpers
 {
@@ -104,15 +105,17 @@ public bool CreateUser(CreateUser info, bool sendEmail)
             }
             catch (ApplicationException app)
             {
+                LogManager.GetCurrentClassLogger().Error($"account already exists: ${Newtonsoft.Json.JsonConvert.SerializeObject(app)}");
                 throw new Exception("This account already exists. Please request a new password using the Forgot Password link if you have forgotten your password.", app);
             }
             catch (DbUpdateException due)
             {
+                LogManager.GetCurrentClassLogger().Error($"account already exists: ${Newtonsoft.Json.JsonConvert.SerializeObject(due)}");
                 throw new Exception("This account already exists. Please request a new password using the Forgot Password link if you have forgotten your password.", due);
             }
             catch (Exception exc)
             {
-                NLog.LogManager.GetCurrentClassLogger().Error($"... {exc}");
+                LogManager.GetCurrentClassLogger().Error($"... {exc}");
 
                 return false;
             }
@@ -231,7 +234,7 @@ public bool ResetPassword(string email, string subject, string appName)
             }
             catch (Exception exc)
             {
-                NLog.LogManager.GetCurrentClassLogger().Error($"... {exc}");
+                LogManager.GetCurrentClassLogger().Error($"... {exc}");
 
                 return false;
             }

diff --git a/CSETWebApi/CSETWeb_Api/CSETWeb_ApiCore/Controllers/ResetPasswordController.cs b/CSETWebApi/CSETWeb_Api/CSETWeb_ApiCore/Controllers/ResetPasswordController.cs
@@ -25,6 +25,7 @@
 using CSETWebCore.Api.Models;
 using NLog;
 using Microsoft.AspNetCore.Hosting;
+using Newtonsoft.Json;
 
 namespace CSETWebCore.Api.Controllers
 {
@@ -219,38 +220,46 @@ public IActionResult PostRegisterUser([FromBody] CreateUser user)
             {
                 if (!ModelState.IsValid)
                 {
+                    LogManager.GetCurrentClassLogger().Error($"Invalid Model State: {JsonConvert.SerializeObject(ModelState)}");
                     return BadRequest("Invalid Model State");
                 }
 
                 if (String.IsNullOrWhiteSpace(user.PrimaryEmail))
                 {
+                    LogManager.GetCurrentClassLogger().Error("missing email");
                     return BadRequest("missing email");
                 }
 
                 if (!emailvalidator.IsMatch(user.PrimaryEmail))
                 {
+                    LogManager.GetCurrentClassLogger().Error($"invalid email format: ${JsonConvert.SerializeObject(user)}");
                     return BadRequest("invalid email format");
                 }
 
                 if (!emailvalidator.IsMatch(user.ConfirmEmail.Trim()))
                 {
+                    LogManager.GetCurrentClassLogger().Error($"invalid email format: ${JsonConvert.SerializeObject(user)}");
                     return BadRequest("invalid email format");
                 }
 
                 if (user.PrimaryEmail != user.ConfirmEmail)
                 {
+
+                    LogManager.GetCurrentClassLogger().Error($"emails do not match: ${JsonConvert.SerializeObject(user)}");
                     return BadRequest("emails do not match");
                 }
 
                 if (_userBusiness.GetUserDetail(user.PrimaryEmail) != null)
                 {
+                    LogManager.GetCurrentClassLogger().Error($"account already exists: ${JsonConvert.SerializeObject(user)}");
                     return BadRequest("account already exists");
                 }
 
                 // Validate the email against an allowlist (if defined by the host)
                 var securityManager = new UserAccountSecurityManager(_context, _userBusiness, _notificationBusiness, _configuration);
                 if (!securityManager.EmailIsAllowed(user.PrimaryEmail, _webHost))
                 {
+                    LogManager.GetCurrentClassLogger().Error($"email not allowed: ${JsonConvert.SerializeObject(user)}");
                     return BadRequest("email not allowed");
                 }
 
@@ -261,7 +270,7 @@ public IActionResult PostRegisterUser([FromBody] CreateUser user)
 
                 if (beta)
                 {
-                    LogManager.GetCurrentClassLogger().Info("CreateUser - CSET is set to 'online beta' mode - no email sent to new user");
+                    LogManager.GetCurrentClassLogger().Error("CreateUser - CSET is set to 'online beta' mode - no email sent to new user");
 
                     // create the user but DO NOT send the temp password email (test/beta)
                     var rval = resetter.CreateUser(user, false);
@@ -280,10 +289,12 @@ public IActionResult PostRegisterUser([FromBody] CreateUser user)
                     }
                 }
 
+                LogManager.GetCurrentClassLogger().Error($"Unknown error: {user}");
                 return BadRequest("Unknown error");
             }
             catch (Exception e)
             {
+                LogManager.GetCurrentClassLogger().Error($"... {e}");
                 return BadRequest(e);
             }
         }
@@ -304,11 +315,13 @@ public IActionResult ResetPassword([FromBody] SecurityQuestionAnswer answer)
 
                 if (!emailvalidator.IsMatch(answer.PrimaryEmail))
                 {
+                    LogManager.GetCurrentClassLogger().Error("reset password - emails don't match");
                     return BadRequest();
                 }
 
                 if (!_userBusiness.GetUserDetail(answer.PrimaryEmail).IsActive)
                 {
+                    LogManager.GetCurrentClassLogger().Error("reset password - user inactive");
                     return BadRequest("user inactive");
                 }