Beispiel #1
0
        public void Api_can_parse_timestamp(string timestamp)
        {
            DateTime dt;

            _hmacAuth.ParseTimestamp(timestamp, out dt).ShouldBeTrue();
        }
Beispiel #2
0
        protected virtual ShopConnectorAuthResult IsAuthenticated(HttpContextBase httpContext, DateTime now, ShopConnectorControllingData controllingData)
        {
            var      request = httpContext.Request;
            DateTime headDateTime;

            if (request == null)
            {
                return(ShopConnectorAuthResult.FailedForUnknownReason);
            }

            if (controllingData.ConnectorUnavailable)
            {
                return(ShopConnectorAuthResult.ConnectorUnavailable);
            }

            if (!controllingData.IsExportEnabled)
            {
                return(ShopConnectorAuthResult.ExportDeactivated);
            }

            //string headContentMd5 = request.Headers["Content-Md5"] ?? request.Headers["Content-MD5"];
            string headTimestamp = request.Headers[ShopConnectorCore.Header.Date];
            string headPublicKey = request.Headers[ShopConnectorCore.Header.PublicKey];
            string action        = request.RequestContext.RouteData.GetRequiredString("action");
            bool   forExport     = !action.IsCaseInsensitiveEqual("Notification");

            string[] authorization = request.Headers["Authorization"].SplitSafe(" ");

            if (string.IsNullOrWhiteSpace(headPublicKey))
            {
                return(ShopConnectorAuthResult.ConnectionInvalid);
            }

            if (authorization.Length != 2 || !_hmac.IsAuthorizationHeaderValid(authorization[0], authorization[1]))
            {
                return(ShopConnectorAuthResult.InvalidAuthorizationHeader);
            }

            if (!_hmac.ParseTimestamp(headTimestamp, out headDateTime))
            {
                return(ShopConnectorAuthResult.InvalidTimestamp);
            }

            int maxMinutes = (controllingData.ValidMinutePeriod <= 0 ? ShopConnectorCore.DefaultTimePeriodMinutes : controllingData.ValidMinutePeriod);

            if (Math.Abs((headDateTime - now).TotalMinutes) > maxMinutes)
            {
                return(ShopConnectorAuthResult.TimestampOutOfPeriod);
            }

            var connection = controllingData.Connections.FirstOrDefault(x => x.IsForExport == forExport && x.PublicKey == headPublicKey);

            if (connection == null)
            {
                return(ShopConnectorAuthResult.ConnectionUnknown);
            }

            if (!connection.IsActive)
            {
                return(ShopConnectorAuthResult.ConnectionDisabled);
            }

            if (connection.LastRequestUtc.HasValue && headDateTime <= connection.LastRequestUtc.Value)
            {
                return(ShopConnectorAuthResult.TimestampOlderThanLastRequest);
            }

            var context = new ShopConnectorRequestContext()
            {
                HttpMethod     = request.HttpMethod,
                HttpAcceptType = request.Headers["Accept"],
                PublicKey      = headPublicKey,
                SecretKey      = connection.SecretKey,
                Url            = HttpUtility.UrlDecode(request.Url.AbsoluteUri.ToLower())
            };

            string contentMd5 = CreateContentMd5Hash(httpContext.Request);

            string messageRepresentation = _hmac.CreateMessageRepresentation(context, contentMd5, headTimestamp);

            if (string.IsNullOrEmpty(messageRepresentation))
            {
                return(ShopConnectorAuthResult.MissingMessageRepresentationParameter);
            }

            string signatureProvider = _hmac.CreateSignature(connection.SecretKey, messageRepresentation);

            if (signatureProvider != authorization[1])
            {
                return(ShopConnectorAuthResult.InvalidSignature);
            }

            controllingData.ConnectionsUpdated = true;
            connection.LastRequestUtc          = now;

            if (connection.RequestCount < long.MaxValue)
            {
                ++connection.RequestCount;
            }

            return(ShopConnectorAuthResult.Success);
        }
        protected virtual HmacResult IsAuthenticated(HttpActionContext actionContext, DateTime now, WebApiControllingCacheData cacheControllingData, out User user)
        {
            user = null;

            var      request = HttpContext.Current.Request;
            DateTime headDateTime;

            if (request == null)
            {
                return(HmacResult.FailedForUnknownReason);
            }

            string headContentMd5    = request.Headers["Content-Md5"] ?? request.Headers["Content-MD5"];
            string headTimestamp     = request.Headers[WebApiGlobal.Header.Date];
            string headPublicKey     = request.Headers[WebApiGlobal.Header.PublicKey];
            string scheme            = actionContext.Request.Headers.Authorization.Scheme;
            string signatureConsumer = actionContext.Request.Headers.Authorization.Parameter;

            if (string.IsNullOrWhiteSpace(headPublicKey))
            {
                return(HmacResult.UserInvalid);
            }

            if (!_hmac.IsAuthorizationHeaderValid(scheme, signatureConsumer))
            {
                return(HmacResult.InvalidAuthorizationHeader);
            }

            if (!_hmac.ParseTimestamp(headTimestamp, out headDateTime))
            {
                return(HmacResult.InvalidTimestamp);
            }

            //int maxMinutes = (cacheControllingData.ValidMinutePeriod <= 0 ? WebApiGlobal.DefaultTimePeriodMinutes : cacheControllingData.ValidMinutePeriod);

            //if (Math.Abs((headDateTime - now).TotalMinutes) > maxMinutes)
            //    return HmacResult.TimestampOutOfPeriod;

            var apiUser = GetUser(headPublicKey);

            if (apiUser == null)
            {
                return(HmacResult.UserUnknown);
            }

            if (!apiUser.Active || apiUser.IsDeleted)
            {
                return(HmacResult.UserIsInactive);
            }

            //if (!HasPermission(actionContext, apiUser))
            //    return HmacResult.UserHasNoPermission;

            if (!apiUser.WebApiEnabled)
            {
                return(HmacResult.UserDisabled);
            }

            //if (!cacheControllingData.NoRequestTimestampValidation && apiUser.LastApiRequest.HasValue && headDateTime <= apiUser.LastApiRequest.Value)
            //    return HmacResult.TimestampOlderThanLastRequest;

            var context = new WebApiRequestContext
            {
                HttpMethod     = request.HttpMethod,
                HttpAcceptType = request.Headers["Accept"],
                PublicKey      = headPublicKey,
                SecretKey      = apiUser.SecretKey,
                Url            = HttpUtility.UrlDecode(request.Url.AbsoluteUri.ToLower())
            };

            //string contentMd5 = CreateContentMd5Hash(actionContext.Request);

            //if (!string.IsNullOrWhiteSpace(headContentMd5) && headContentMd5 != contentMd5)
            //    return HmacResult.ContentMd5NotMatching;

            //string messageRepresentation = _hmac.CreateMessageRepresentation(context, contentMd5, headTimestamp);

            //if (string.IsNullOrEmpty(messageRepresentation))
            //    return HmacResult.MissingMessageRepresentationParameter;

            //string signatureProvider = _hmac.CreateSignature(apiUser.SecretKey, messageRepresentation);

            //if (signatureProvider != signatureConsumer)
            //{
            //    if (cacheControllingData.AllowEmptyMd5Hash)
            //    {
            //        messageRepresentation = _hmac.CreateMessageRepresentation(context, null, headTimestamp);

            //        signatureProvider = _hmac.CreateSignature(apiUser.SecretKey, messageRepresentation);

            //        if (signatureProvider != signatureConsumer)
            //            return HmacResult.InvalidSignature;
            //    }
            //    else
            //    {
            //        return HmacResult.InvalidSignature;
            //    }
            //}

            //var headers = HttpContext.Current.Response.Headers;
            //headers.Add(ApiHeaderName.LastRequest, apiUser.LastRequest.HasValue ? apiUser.LastRequest.Value.ToString("o") : "");

            apiUser.LastApiRequest = headDateTime;
            user = apiUser;
            return(HmacResult.Success);
        }