public async Task <(byte[], Guid)> Authorize(string entityName, string sessionIdValue, byte[] body, byte[] hmacHeader, bool read)
{
var sessionId = String.IsNullOrEmpty(sessionIdValue)
? Guid.Empty
: Guid.Parse(sessionIdValue);
var session = sessions.Find(x => x.Id == sessionId);
if (session == null)
{
var entity = await _entityService.Get(entityName);
session = new Session();
sessions.Add(session);
var attributes = read ? entity.ReadAttributes : entity.WriteAttributes;
var(protocolStep, Z) = _abeAuthBuilder.BuildStepOne(attributes, _options.Value.SGTSharedKey);
session.Z = Z;
return(protocolStep, session.Id);
}
else
{
if (session.ProtocolStep == AbeAuthSteps.GetAccessPolicy)
{
var request = _abeAuthBuilder.GetStepData <AbeAuthStepSix>(body);
_encryptor.SetKey(_options.Value.SGTSharedKey);
var sharedKey = _encryptor.Decrypt(request.CtPep);
var hmac = CryptoHelper.ComputeHash(session.Z, sharedKey);
if (!hmac.SequenceEqual(request.HMAC))
{
throw new ProtocolArgumentException("HMAC is incorrect!");
}
session.SharedKey = sharedKey;
session.ProtocolStep = AbeAuthSteps.ConfirmAccessPolicy;
var protocolStep = _abeAuthBuilder.BuildStepSeven(request.HMAC, sharedKey);
return(protocolStep, session.Id);
}
else
{
if (hmacHeader == null)
{
throw new ProtocolArgumentException("Session hmac is null!");
}
var correctHmac = CryptoHelper.ComputeHash(body, session.SharedKey);
if (!correctHmac.SequenceEqual(hmacHeader))
{
throw new ProtocolArgumentException("Session hmac is incorrect!");
}
}
}
return(null, session.Id);
}
public async Task <(byte[], string)> ProcessTokenRequest(byte[] requestData, string inputSessionId)
{
Guid sessionId = String.IsNullOrEmpty(inputSessionId)
? Guid.Empty
: Guid.Parse(inputSessionId);
var session = await _sessions
.Find(x => x.Id == sessionId)
.FirstOrDefaultAsync();
if (session == null)
{
var request = _abeAuthBuilder.GetStepData <AbeAuthStepTwo>(requestData);
var Z = CryptoHelper.ComputeHash($"{string.Join("", request.AccessPolicy)}{_options.Value.IoTASharedKey}");
if (!Z.SequenceEqual(request.Z))
{
throw new ProtocolArgumentException("HMAC from policy enforcement point is incorrect!");
}
var decryptedNonce = await _abeDecorator.Decrypt(request.CT);
var requestNonce = BitConverter.ToInt32(decryptedNonce, 0);
var(protocolStep, nonceAbonent, nonceAccess) =
await _abeAuthBuilder.BuildStepThree(request.AccessPolicy,
request.AbonentAttributes, requestNonce);
session = new Session()
{
Id = Guid.NewGuid(),
AccessPolicy = request.AccessPolicy,
AbonentAttributes = request.AbonentAttributes,
Nonce1 = requestNonce,
Nonce2 = nonceAbonent,
Nonce3 = nonceAccess,
HMAC = Z
};
await _sessions.InsertOneAsync(session);
return(protocolStep, session.Id.ToString());
}
else
{
if (!session.IsProcessed)
{
var request = _abeAuthBuilder.GetStepData <AbeAuthStepFour>(requestData);
var nonceHash = CryptoHelper.ComputeHash($"{session.Nonce2}{session.Nonce3}");
if (!nonceHash.SequenceEqual(request.NonceHash))
{
throw new ProtocolArgumentException("Nonce hash in incorrect!");
}
var protocolStep = await _abeAuthBuilder.BuildStepFive(
session.AbonentAttributes,
_options.Value.IoTASharedKey,
session.HMAC);
session.IsProcessed = true;
var filter = Builders <Session> .Filter.Eq("Id", session.Id);
var update = Builders <Session> .Update.Set("IsProcessed", true);
await _sessions.UpdateOneAsync(filter, update);
return(protocolStep, session.Id.ToString());
}
}
return(null, "");
}
