/// <summary>
/// Initialize a new instance of <see cref="JwtSigningCertificateProvider"/> with settings for accessing a key vault and file system.
/// </summary>
/// <param name="keyVaultSettings">Settings required to access a certificate stored in a key vault.</param>
/// <param name="certificateSettings">Settings required to access a certificate stored on a file system.</param>
public JwtSigningCertificateProvider(
IOptions <KeyVaultSettings> keyVaultSettings,
IOptions <CertificateSettings> certificateSettings)
{
_keyVaultSettings = keyVaultSettings.Value;
_certificateSettings = certificateSettings.Value;
}
public BankCheckService(FedsfmCheckService fedsfmService, IOptions <ConnectionSettings> connectionSettings, ILogger <BankCheckService> logger, IOptions <CertificateSettings> certificateSettings)
{
_fedsfmService = fedsfmService;
_connectionSettings = connectionSettings.Value;
_logger = logger;
_certificatePassword = certificateSettings.Value;
}
void Verify(CertificateSettings settings)
{
Assert.NotNull(settings.Resolvers);
foreach (CertResolverSettings resolverSettings in settings.Resolvers)
{
Assert.DoesNotThrow(() => resolverSettings.Validate());
CertServiceResolverSettings serviceResolverSettings = resolverSettings as CertServiceResolverSettings;
if (serviceResolverSettings != null)
{
Assert.False(serviceResolverSettings.OrgCertificatesOnly);
}
ICertificateResolver resolver = null;
Assert.DoesNotThrow(() => resolver = resolverSettings.CreateResolver());
Assert.NotNull(resolver);
if (serviceResolverSettings != null)
{
Assert.False(((ConfigCertificateResolver)resolver).OrgCertificatesOnly);
serviceResolverSettings.OrgCertificatesOnly = true;
resolver = serviceResolverSettings.CreateResolver();
Assert.True(((ConfigCertificateResolver)resolver).OrgCertificatesOnly);
}
}
}
public void IsAvailable_NullCertificate_ReturnsFalse()
{
var settings = new CertificateSettings {
UseDeveloperCredentials = true
};
var certificate = new Certificate(settings, Mock.Of <ILogger>());
certificate.IsAvailable.Should().BeFalse();
}
public void Path_NullCertificate_ReturnsNull()
{
var settings = new CertificateSettings {
UseDeveloperCredentials = true
};
var certificate = new Certificate(settings, Mock.Of <ILogger>());
certificate.Path.Should().BeNull();
}
public void Constructor_BadCertificatePath_ThrowsException()
{
var settings = new CertificateSettings
{
CertificatePath = "BadPath",
PrivateKeyPath = "NHSD"
};
Assert.Throws <CertificateSettingsException>(() => new Certificate(settings, Mock.Of <ILogger>()));
}
/// <summary>
/// The default constructor
/// </summary>
/// <param name="options">The options</param>
/// <param name="logger">The logger</param>
/// <param name="encoder">The Url encoder</param>
/// <param name="clock">The system clock</param>
/// <param name="keyVaultSettings">The key vault settings</param>
/// <param name="certSettings">The certification settings</param>
public JwtCookieHandler(
IOptionsMonitor <JwtCookieOptions> options,
ILoggerFactory logger,
UrlEncoder encoder,
ISystemClock clock,
IOptions <KeyVaultSettings> keyVaultSettings,
IOptions <CertificateSettings> certSettings)
: base(options, logger, encoder, clock)
{
_keyVaultSettings = keyVaultSettings.Value;
_certificateSettings = certSettings.Value;
}
internal Certificate(CertificateSettings certificateSettings, ILogger logger)
{
if (logger is null)
{
throw new ArgumentNullException(nameof(logger));
}
if (certificateSettings is null)
{
throw new ArgumentNullException(nameof(certificateSettings));
}
Path = certificateSettings.CertificatePath;
Instance = Load(logger, certificateSettings);
}
// GET api/certificatetest
public CertificateSettings Get()
{
CertificateSettings settings = new CertificateSettings();
X509Store _certStore = null;
string _strCertificateAppSettings = string.Empty;
try
{
_certStore = new X509Store(StoreName.My, StoreLocation.CurrentUser);
_certStore.Open(OpenFlags.ReadOnly);
_strCertificateAppSettings = Environment.GetEnvironmentVariable("APPSETTING_WEBSITE_LOAD_CERTIFICATES");
if (string.IsNullOrEmpty(_strCertificateAppSettings) != true)
{
settings.AppsettingWebsiteLoadCertificatesValue = _strCertificateAppSettings;
X509Certificate2Collection col = _certStore.Certificates;
if (_certStore.Certificates.Count > 0)
{
foreach (X509Certificate2 _cert in _certStore.Certificates)
{
ClientCert cert = new ClientCert
{
IssuerName = _cert.IssuerName.Name,
SubjectName = _cert.SubjectName.Name,
Thumbprint = _cert.Thumbprint,
HasPrivateKey = _cert.HasPrivateKey,
ExpirationDate = _cert.NotAfter,
IsExportable = IsPrivateKeyExportable(_cert)
};
settings.Certificates.Add(cert);
}
}
}
}
catch (Exception ex)
{
throw ex;
}
finally
{
_certStore.Close();
}
return(settings);
}
public void Constructor_ValidCertificatePath_InitializesAsExpected()
{
WriteEmbeddedFilesToDisk();
var settings = new CertificateSettings
{
CertificatePath = CertificateName,
PrivateKeyPath = CertificateKeyName
};
var certificate = new Certificate(settings, Mock.Of <ILogger>());
certificate.Instance.Should().NotBeNull();
certificate.Instance.Thumbprint.Should().Be("13C9ED6D78CBE4905367D5A99A66BF84B9D2E55F");
certificate.IsAvailable.Should().BeTrue();
certificate.Path.Should().Be(CertificateName);
DeleteEmbeddedFiles();
}
private static X509Certificate2 Load(ILogger logger, CertificateSettings settings)
{
if (settings.UseDeveloperCredentials)
{
return(null);
}
var path = settings.CertificatePath;
logger.Information("Loading certificate {path}", path);
try
{
byte[] certBuffer = GetBytesFromPem(settings.CertificatePath, "CERTIFICATE");
byte[] keyBuffer = GetBytesFromPem(settings.PrivateKeyPath, "RSA PRIVATE KEY");
using var certificate = new X509Certificate2(certBuffer);
using var rsa = RSA.Create();
rsa.ImportRSAPrivateKey(keyBuffer, out _);
var certificateWithPrivateKey = certificate.CopyWithPrivateKey(rsa);
if (certificateWithPrivateKey.Verify())
{
logger.Information("Certificate validation succeeded: {certificate}", certificate.ToString(true));
}
else
{
logger.Warning("Certificate validation failed: {certificate}", certificate.ToString(true));
}
return(certificateWithPrivateKey);
}
catch (Exception e)
{
throw new CertificateSettingsException("Error with certificate or settings", e);
}
}
/// <summary>
/// Obtain the <see cref="SigningCredentials"/> to be used when signing a new JSON Web Token.
/// </summary>
/// <param name="keyVaultSettings">Settings that can be used to access a key vault with the signing certificate.</param>
/// <param name="certificateSettings">Settings to identify a certificate stored on the file system.</param>
/// <returns>The <see cref="SigningCredentials"/>.</returns>
public static async Task <SigningCredentials> GetSigningCredentials(KeyVaultSettings keyVaultSettings, CertificateSettings certificateSettings)
{
await Semaphore.WaitAsync();
try
{
if (_signingCredentialsUpdateTime > DateTime.Now && _signingCredentials != null)
{
return(_signingCredentials);
}
X509Certificate2 cert;
if (string.IsNullOrEmpty(keyVaultSettings.ClientId) || string.IsNullOrEmpty(keyVaultSettings.ClientSecret))
{
cert = new X509Certificate2(certificateSettings.CertificatePath, certificateSettings.CertificatePwd);
}
else
{
KeyVaultClient client = KeyVaultSettings.GetClient(keyVaultSettings.ClientId, keyVaultSettings.ClientSecret);
CertificateBundle certificate = await client.GetCertificateAsync(keyVaultSettings.SecretUri, certificateSettings.CertificateName);
SecretBundle secret = await client.GetSecretAsync(certificate.SecretIdentifier.Identifier);
byte[] pfxBytes = Convert.FromBase64String(secret.Value);
cert = new X509Certificate2(pfxBytes);
}
_signingCredentials = new X509SigningCredentials(cert, SecurityAlgorithms.RsaSha256);
// Reuse the same SigningCredentials for 30 minutes
_signingCredentialsUpdateTime = DateTime.Now.AddMinutes(30);
return(_signingCredentials);
}
finally
{
Semaphore.Release();
}
}
/// <summary>
/// Initialize a new instance of <see cref="JwtSigningCertificateProviderStub"/> with settings for accessing file system.
/// </summary>
/// <param name="certificateSettings">Settings required to access a certificate stored on a file system.</param>
public JwtSigningCertificateProviderStub(IOptions <CertificateSettings> certificateSettings)
{
_certificateSettings = certificateSettings.Value;
}
public void InstallServices(IServiceCollection services, IConfiguration configuration,
IWebHostEnvironment environment)
{
IdentityModelEventSource.ShowPII = true;
services.AddHttpContextAccessor();
JwtSecurityTokenHandler.DefaultMapInboundClaims = false;
var certificateSettings = new CertificateSettings();
configuration.GetSection(nameof(CertificateSettings)).Bind(certificateSettings);
string filePath = Path.Combine(environment.ContentRootPath, certificateSettings.Path);
Console.WriteLine(filePath);
var certificate = new X509Certificate2(filePath, certificateSettings.Password);
var optionsTokenValidationParameters = new TokenValidationParameters
{
ValidateIssuerSigningKey = true,
IssuerSigningKey = new X509SecurityKey(certificate),
IssuerSigningKeyResolver =
(token, securityToken, kid, validationParameters) =>
new List <X509SecurityKey> {
new X509SecurityKey(certificate)
},
ValidateIssuer = false,
ValidateAudience = false,
RequireExpirationTime = false,
ValidateLifetime = true,
};
var urlSettings = new UrlSettings();
configuration.GetSection(nameof(UrlSettings)).Bind(urlSettings);
services.AddAuthentication(options =>
{
options.DefaultAuthenticateScheme = JwtBearerDefaults.AuthenticationScheme;
options.DefaultScheme = JwtBearerDefaults.AuthenticationScheme;
options.DefaultChallengeScheme = JwtBearerDefaults.AuthenticationScheme;
})
.AddJwtBearer(JwtBearerDefaults.AuthenticationScheme, options =>
{
options.Authority = urlSettings.IdentityServer;
options.RequireHttpsMetadata = false;
options.Audience = Constants.ApiName;
options.SaveToken = true;
options.TokenValidationParameters = optionsTokenValidationParameters;
options.Events = new JwtBearerEvents
{
OnChallenge = async context =>
{
var errorDetails = new ErrorDetails
{
StatusCode = (int)HttpStatusCode.Unauthorized,
Message = "Unauthorized User",
};
context.Response.StatusCode = errorDetails.StatusCode;
// Emit the WWW-Authenticate header.
context.Response.Headers.Append(HeaderNames.WWWAuthenticate, context.Options.Challenge);
context.Response.ContentType = "application/json";
await context.Response.WriteAsync(JsonConvert.SerializeObject(errorDetails));
context.HandleResponse();
},
};
});
services.AddAuthorization(options =>
{
options.AddPolicy(PolicyConstants.UpdateCommunityRolePolicy,
policy => { policy.AddRequirements(new CanUpdateCommunityAuthorizationRequirement()); });
options.AddPolicy(PolicyConstants.DeleteCommunityRolePolicy,
policy => { policy.AddRequirements(new CanDeleteCommunityAuthorizationRequirement()); });
options.AddPolicy(PolicyConstants.AddModeratorRolePolicy,
policy => { policy.AddRequirements(new CanAddModeratorAuthorizationRequirement()); });
options.AddPolicy(PolicyConstants.DeletePostRolePolicy,
policy => { policy.AddRequirements(new CanDeletePostAuthorizationRequirement()); });
options.AddPolicy(PolicyConstants.UpdatePostRolePolicy,
policy => { policy.AddRequirements(new CanUpdatePostAuthorizationRequirement()); });
options.AddPolicy(PolicyConstants.DeleteCommentRolePolicy,
policy => { policy.AddRequirements(new CanDeleteCommentAuthorizationRequirement()); });
options.AddPolicy(PolicyConstants.UpdateCommentRolePolicy,
policy => { policy.AddRequirements(new CanUpdateCommentAuthorizationRequirement()); });
options.AddPolicy(PolicyConstants.ManageCategoryRolePolicy,
policy => { policy.AddRequirements(new CanManageCategoryAuthorizationRequirement()); });
});
services.AddScoped <IAuthorizationHandler, CanUpdateCommunityHandler>();
services.AddScoped <IAuthorizationHandler, CanDeleteCommunityHandler>();
services.AddScoped <IAuthorizationHandler, CanAddModeratorHandler>();
services.AddScoped <IAuthorizationHandler, CanDeletePostHandler>();
services.AddScoped <IAuthorizationHandler, CanUpdatePostHandler>();
services.AddScoped <IAuthorizationHandler, CanDeleteCommentHandler>();
services.AddScoped <IAuthorizationHandler, CanUpdateCommentHandler>();
services.AddScoped <IAuthorizationHandler, CanManageCategoryHandler>();
services.AddSingleton(x =>
new BlobServiceClient(configuration.GetValue <string>("AzureBlobStorageConnectionString")));
services.AddSingleton <IBlobService, BlobService>();
services.AddHttpClient();
services.AddCors(config =>
{
config.AddPolicy(Constants.CorsPolicy, builder =>
{
builder.WithOrigins(urlSettings.Spa)
.AllowAnyMethod()
.AllowAnyHeader();
});
});
services.AddCors();
services.AddAutoMapper(AppDomain.CurrentDomain.GetAssemblies());
services.AddControllers(options =>
{
options.Filters.Add <ValidationFilter>();
options.Filters.Add <ExceptionHandlerFilter>();
})
.AddFluentValidation(fv =>
{
fv.RunDefaultMvcValidationAfterFluentValidationExecutes = false;
fv.RegisterValidatorsFromAssemblyContaining <Startup>();
});
}
public ExtensionSettings()
{
WalletConfig = new WalletConfigSettings();
DataRPCServer = new DataRPCServerSettings();
Certificate = new CertificateSettings();
}
/// <summary>
/// Initialise a new instance of <see cref="OpenIdController"/> with the given input values.
/// </summary>
/// <param name="generalSettings">The application general settings.</param>
/// <param name="certSettings">The settings section for certificate information.</param>
/// <param name="keyVaultSettings">The settings section for the platform key vault.</param>
public OpenIdController(IOptions <GeneralSettings> generalSettings, IOptions <CertificateSettings> certSettings, IOptions <KeyVaultSettings> keyVaultSettings)
{
this.generalSettings = generalSettings.Value;
this.certSettings = certSettings.Value;
this.keyVaultSettings = keyVaultSettings.Value;
}
public WebRequestWithCertHandlerCreator()
{
_certSettings = new CertificateSettings();
}
