public AuthorizationException(string message, Type entityType, AccessType accessType, bool isRecordLevel,
UserRecordPermission grantedPermissions, SecureSession session = null)
: base(message)
{
EntityType = entityType;
AccessType = accessType;
IsRecordLevel = isRecordLevel;
GrantedPermissions = grantedPermissions;
if (session != null) {
RequireReadMode = session.DemandReadAccessLevel;
CurrentDenyReadMode = session.DenyReadAction;
var ctx = session.Context;
UserName = ctx.User.UserName;
UserContextValues = string.Join(string.Empty, ctx.Values.Select(kv => StringHelper.SafeFormat(" [{0}]={1}\r\n", kv.Key, kv.Value)));
var user = ctx.User;
if (user.Authority == null) {
UserRoles = "(UserContext.Authority is not set)";
} else {
UserRoles = user.Authority.GetRoleNames();
PermissionSummary = user.Authority.GetPermissionsSummary(EntityType);
var enDynGrants = user.Authority.DynamicGrants.Where(g => g.IsEnabled(session.Context));
EnabledDynamicGrants = string.Join(",", enDynGrants.Select(g => g.Activity.Name));
}
}
}
private async ValueTask <TlsStream> EstablishSslConnection(string host, HttpRequestMessage request, Stream stream, CancellationToken cancellationToken)
{
logger.Trace("HTTP connection handler: Establish TLS connection");
var secParams = new SecurityParameters();
secParams.CipherSuiteIDs.Add(CipherSuiteId.TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256);
secParams.CipherSuiteIDs.Add(CipherSuiteId.TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384);
secParams.CipherSuiteIDs.Add(CipherSuiteId.TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256);
secParams.CipherSuiteIDs.Add(CipherSuiteId.TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384);
secParams.MinimumVersion = ProtocolVersion.TLS1_2;
secParams.MaximumVersion = ProtocolVersion.TLS1_2;
if (this._settings._clientCertificate != null)
{
var pluginManager = new IVU.Common.Tls.Plugin.CipherSuitePluginInterface.CipherSuitePluginManager();
var privateKey = pluginManager.GetPrivateKey(this._settings._clientCertificate.Key);
secParams.AddCertificate(new X509CertificateCollection {
this._settings._clientCertificate.Certificate
}, privateKey);
}
secParams.ClientCertificateSelectionCallback += (client, server) =>
{
return(0);
};
secParams.ServerCertificateValidationCallback = certificates =>
{
if (this._settings?._serverCertificateCustomValidationCallback == null)
{
logger.Error("No server certificate validation callback provided!");
return(false);
}
return(this._settings?._serverCertificateCustomValidationCallback(
request,
new X509Certificate2(certificates[0]),
null,
SslPolicyErrors.None) == true);
};
var tlsSession = new SecureSession(stream, secParams);
try
{
await tlsSession.PerformClientHandshake(cancellationToken);
logger.Trace("HTTP connection handler: TLS connection successfull establish");
}
catch (Exception ex)
{
tlsSession.Close();
logger.ErrorException("Failed to establish TLS connection: {0}", ex, ex.Message);
throw new TlsConnectFailed("Failed to establish TLS connection", ex);
}
return(new TlsStream(tlsSession));
}
public void Validation_ShouldBeAbleToCreateToken()
{
Prepare();
IHttpContext context = CreateFakeContext(MethodBase.GetCurrentMethod().Name);
SecureSession session = SecureSession.Get(context);
string postString = ApiParameters.ParametersToJsonParamsObjectString("random information");
EncryptedValidationToken token = ApiEncryptionValidation.CreateEncryptedValidationToken(postString, session);
}
public void should_login_token()
{
var secureSession = new SecureSession<Token>(null, new MemoryTokenStore<Token>());
var token = new Token(Guid.Empty, null, false);
secureSession.Login(token);
secureSession.IsLoggedIn().ShouldBeTrue();
secureSession.GetCurrentToken().ShouldEqual(token);
}
protected override void Dispose(bool disposing)
{
if (disposing)
{
this.secureSession?.Close();
this.secureSession = null;
}
base.Dispose(disposing);
}
public void Securesession_ShouldBeAbleToGetSecureSession()
{
ConsoleLogger logger = new ConsoleLogger();
SecureChannel.InitializeDatabase(logger);
Cookie cookie = new Cookie(SecureSession.CookieName, "TestSecureSessionId");
SecureSession session = SecureSession.Get(cookie);
Expect.IsNotNull(session);
}
private static IRequest CreateFakeRequest()
{
IRequest request = A.Fake <IRequest>();
A.CallTo(() => request.Headers).Returns(new NameValueCollection());
A.CallTo(() => request.Cookies).Returns(new CookieCollection());
Cookie sessionCookie = new Cookie(SecureSession.CookieName, SecureSession.GenerateId());
request.Cookies.Add(sessionCookie);
return(request);
}
public void ShouldBeAbleToEncryptAndDecryptWithSecureSession()
{
InitializeSecureChannelSchema();
SecureSession testObject = SecureSession.Get(new ServiceProxyTestHelpers.FormUrlEncodedTestRequest(), A.Fake <IResponse>());
string data = "Monkey";
string cipher = testObject.EncryptWithPublicKey(data);
string decrypted = testObject.DecryptWithPrivateKey(cipher);
Expect.AreEqual(data, decrypted);
}
/// <summary>
/// Decrypt the input string of the specified ExecutionRequest
/// if it is intended for the SecureChannel
/// </summary>
/// <param name="execRequest"></param>
public static void DecryptSecureChannelInvoke(ExecutionRequest execRequest)
{
if (execRequest.Instance != null &&
execRequest.Instance.GetType() == typeof(SecureChannel) &&
execRequest.MethodName.Equals(nameof(SecureChannel.Invoke)))
{
execRequest.InputString = SecureSession.Get(execRequest.Context).Decrypt(execRequest.InputString);
HttpArgs args = new HttpArgs();
args.ParseJson(execRequest.InputString);
execRequest.JsonParams = args["jsonParams"];
}
}
public void should_not_log_in_an_invalid_user()
{
var authenticationService = Substitute.For<IAuthenticationService<Token>>();
var secureSession = new SecureSession<Token>(authenticationService, new MemoryTokenStore<Token>());
authenticationService.Authenticate(Arg.Any<string>(), Arg.Any<string>()).
ReturnsForAnyArgs(x => { throw new AuthenticationService.AccessDeniedException(); });
Assert.Throws<AuthenticationService.AccessDeniedException>(() => secureSession.Login("username", "password"));
secureSession.IsLoggedIn().ShouldBeFalse();
secureSession.GetCurrentToken().ShouldBeNull();
}
public void should_logout_user()
{
var authenticationService = Substitute.For<IAuthenticationService<Token>>();
var secureSession = new SecureSession<Token>(authenticationService, new MemoryTokenStore<Token>());
authenticationService.Authenticate(Arg.Any<string>(), Arg.Any<string>()).
ReturnsForAnyArgs(new Token(Guid.Empty, null, false));
secureSession.Login("username", "password");
secureSession.Logout();
secureSession.IsLoggedIn().ShouldBeFalse();
secureSession.GetCurrentToken().ShouldBeNull();
}
public void Securesession_ShouldBeAbleToSetValidationToken()
{
ConsoleLogger logger = new ConsoleLogger();
SecureChannel.InitializeDatabase(logger);
IRequest request = CreateFakeRequest();
SecureSession session = SecureSession.Get(request);
ApiEncryptionValidation.SetEncryptedValidationToken(request.Headers, "Some random data", session.PublicKey);
Expect.IsNotNull(request.Headers[CustomHeaders.ValidationToken]);
OutLine(request.Headers[CustomHeaders.ValidationToken]);
}
public void Securesession_ShouldBeAbleToEncryptAndDecryptWithSecureSession()
{
SecureChannelConfig config = new SecureChannelConfig();
Exception ex;
config.SchemaInitializer.Initialize(new ConsoleLogger(), out ex);
Expect.IsNull(ex);
SecureSession testObject = SecureSession.Get(new ServiceProxyTestHelpers.FormUrlEncodedTestRequest(), A.Fake <IResponse>());
string data = "Monkey";
string cipher = testObject.EncryptWithPublicKey(data);
string decrypted = testObject.DecryptWithPrivateKey(cipher);
Expect.AreEqual(data, decrypted);
}
public static void Main(string[] args)
{
SecurityParameters securityParameters = new SecurityParameters();
securityParameters.CipherSuiteIDs.Add(0x000a);
securityParameters.ServerCertificateValidationCallback = new ServerCertificateValidationCallback(CertificateValidationCallback);
securityParameters.ClientCertificateSelectionCallback = new ClientCertificateSelectionCallback(CertificateSelectionCallback);
if (args.Length >= 2)
{
X509CertificateCollection certs = new X509CertificateCollection();
for (int i = 0; i < args.Length - 1; i++)
{
certs.Add(new X509Certificate(args[i]));
}
// Get plugin manager for importing the private key
string path = System.Reflection.Assembly.GetAssembly(typeof(AaltoTLS.HandshakeLayer.HandshakeSession)).Location;
string directory = Path.GetDirectoryName(path);
CipherSuitePluginManager pluginManager = new CipherSuitePluginManager(directory);
// Import the private key into asymmetric algorithm
byte[] privateKeyData = File.ReadAllBytes(args[args.Length - 1]);
CertificatePrivateKey privateKey = pluginManager.GetPrivateKey(privateKeyData);
securityParameters.AddCertificate(certs, privateKey);
}
string host = "www.mikestoolbox.net";
int port = 443;
string request = "GET / HTTP/1.1\r\nHost: " + host + "\r\n\r\n";
try {
TcpClient tcpClient = new TcpClient(host, port);
NetworkStream ns = tcpClient.GetStream();
SecureSession session = new SecureSession(ns, securityParameters);
session.PerformClientHandshake(host);
session.Send(Encoding.UTF8.GetBytes(request));
byte[] received = session.Receive();
Console.WriteLine("Received data: " + Encoding.UTF8.GetString(received));
session.Close();
} catch (SocketException) {
Console.WriteLine("Unable to connect to server");
return;
}
}
public void Securesession_StartSessionShouldCreateSecureSessionEntry()
{
SecureChannel server = new SecureChannel();
server.HttpContext = A.Fake <IHttpContext>();
server.HttpContext.Request = new ServiceProxyTestHelpers.FormUrlEncodedTestRequest();
SecureChannelMessage <ClientSessionInfo> message = server.InitSession(new Instant());
ClientSessionInfo sessionInfo = message.Data;
SecureSession created = SecureSession.OneWhere(c => c.Id == sessionInfo.SessionId);
Expect.IsNotNull(created);
Expect.IsNotNullOrEmpty(created.Identifier, "Identifier was null or empty");
Expect.AreEqual(created.Identifier, sessionInfo.ClientIdentifier, "ClientIdentifiers didn't match");
Expect.AreEqual(sessionInfo.PublicKey, created.PublicKey);
}
public void should_login_valid_user()
{
var authenticationService = Substitute.For<IAuthenticationService<Token>>();
var secureSession = new SecureSession<Token>(authenticationService, new MemoryTokenStore<Token>());
var userId = Guid.NewGuid();
authenticationService.Authenticate(Arg.Any<string>(), Arg.Any<string>()).
ReturnsForAnyArgs(new Token(userId, "username", true));
secureSession.Login("username", "password");
secureSession.IsLoggedIn().ShouldBeTrue();
var token = secureSession.GetCurrentToken();
token.ShouldNotBeNull();
token.UserId.ShouldEqual(userId);
token.Username.ToString().ShouldEqual("username");
token.IsAdministrator.ShouldBeTrue();
}
private void IVRButton_Click(object sender, EventArgs e)
{
try
{
var api = new ConversationsApi();
string conversationId = conversationIdTextBox.Text;
string participantId = participantIdTextbox.Text;
CreateSecureSession body = new CreateSecureSession();
body.FlowId = "";
body.UserData = "<OrderID>|1000|" + conversationId + "|<Entity>";
body.Disconnect = false;
body.SourceParticipantId = userIdTextbox.Text; // agentId
SecureSession result = api.PostConversationParticipantSecureivrsessions(conversationId, participantId, body);
IVRResultTextbox.Text = result.ToJson();
}
catch (Exception ex)
{
MessageBox.Show(ex.Message);
}
}
public static void CleanUp()
{
FilesToDelete.Each(file =>
{
if (File.Exists(file))
{
File.Delete(file);
}
});
Prepare();
ApiKeyCollection keys = ApiKey.LoadAll();
keys.Delete();
SecureSessionCollection sessions = SecureSession.LoadAll();
sessions.Delete();
ApplicationCollection all = Application.LoadAll();
all.Delete();
ClearAppsAndStopServers();
}
public void Validation_ShouldBeAbleToSetAndValidateValidationToken()
{
Prepare();
SecureSession session = SecureSession.Get(SecureSession.GenerateId());
string postString = ApiParameters.ParametersToJsonParamsObjectString("random info");
SecureServiceProxyClient <Echo> client = new SecureServiceProxyClient <Echo>("http://blah.com");
HttpWebRequest request = client.GetServiceProxyRequest("Send");
ApiEncryptionValidation.SetEncryptedValidationToken(request.Headers, postString, session.PublicKey);
Cookie cookie = new Cookie(SecureSession.CookieName, session.Identifier, "", "blah.cxm");
request.CookieContainer.Add(cookie);
request.Headers[Headers.SecureSession] = session.Identifier;
Expect.IsNotNull(request.Headers);
Expect.IsNotNull(request.Headers[Headers.Nonce]);
Expect.IsNotNull(request.Headers[Headers.ValidationToken]);
Expect.AreEqual(EncryptedTokenValidationStatus.Success, ApiEncryptionValidation.ValidateEncryptedToken(request.Headers, postString));
}
public override void Close()
{
this.secureSession?.Close();
this.secureSession = null;
}
public static ISecureSession OpenSecureSession(this OperationContext context)
{
var session = new SecureSession(context);
return(session);
}
public void Handle()
{
NetworkStream networkStream = null;
try
{
bool loop = true;
IPEndPoint ipep = (IPEndPoint)Socket.RemoteEndPoint;
IPAddress = ipep.Address;
networkStream = new NetworkStream(Socket);
try
{
Session = new SecureSession(networkStream, Certificates.SecurityParameters);
Session.PerformServerHandshake(Certificates.Certificate);
}
catch
{
loop = false;
}
while (loop)
{
HydraRequest request = null;
try
{
request = new HydraRequest(this);
}
catch
{
break;
}
Modules.IModule module = null;
switch (request.Module)
{
case "feed":
{
module = new Modules.FeedModule(this);
break;
}
case "profile":
{
module = new Modules.ProfileModule(this);
break;
}
case "onesite_proxy":
{
module = new Modules.OnesiteProxyModule(this);
break;
}
case "ugc":
{
module = new Modules.UgcModule(this);
break;
}
default:
{
HydraResponse response = new HydraResponse(this);
response.StatusCode = 404;
response.Status = "File Not Found";
response.Payload = new byte[0];
response.Send();
break;
}
}
if (module != null)
module.HandleRequest(request);
}
}
catch (Exception ex)
{
}
try
{
Session.Close();
networkStream.Flush();
networkStream.Close();
Socket.Disconnect(false);
Socket.Dispose();
}
catch
{
}
}
public TlsStream(SecureSession secureSession)
{
this.secureSession = secureSession;
}
public override bool TryRespond(IHttpContext context)
{
if (!IsInitialized)
{
Initialize();
}
IRequest request = context.Request;
IResponse response = context.Response;
Session.Init(context);
SecureSession.Init(context);
bool handled = false;
string path = request.Url.AbsolutePath;
string commonPath = Path.Combine("/common", path.TruncateFront(1));
byte[] content = new byte[] { };
string appName = AppConf.AppNameFromUri(request.Url, BamConf.AppConfigs);
string[] checkedPaths = new string[] { };
if (AppContentResponders.ContainsKey(appName))
{
handled = AppContentResponders[appName].TryRespond(context, out checkedPaths);
}
if (!handled && !ShouldIgnore(path))
{
string readFileFromPath;
bool exists;
exists = ServerRoot.FileExists(path, out readFileFromPath);
if (!exists)
{
exists = ServerRoot.FileExists(commonPath, out readFileFromPath);
}
if (exists)
{
string ext = Path.GetExtension(readFileFromPath);
if (FileCachesByExtension.ContainsKey(ext))
{
FileCache cache = FileCachesByExtension[ext];
if (ShouldZip(request))
{
SetGzipContentEncodingHeader(response);
content = cache.GetZippedContent(readFileFromPath);
}
else
{
content = cache.GetContent(readFileFromPath);
}
handled = true;
}
}
if (handled)
{
SetContentType(response, path);
SendResponse(response, content);
OnResponded(context);
}
else
{
LogContentNotFound(path, appName, checkedPaths);
OnNotResponded(context);
}
}
return(handled);
}
public bool TryRespond(IHttpContext context, bool endResponse = false)
{
try
{
if (Etags.CheckEtags(context))
{
return(true);
}
if (!IsInitialized)
{
Initialize();
}
IRequest request = context.Request;
IResponse response = context.Response;
Session.Init(context);
SecureSession.Init(context);
bool handled = false;
string path = request.Url.AbsolutePath;
string commonPath = Path.Combine("/common", path.TruncateFront(1));
byte[] content = new byte[] { };
string appName = ResolveApplicationName(context);
string[] checkedPaths = new string[] { };
if (AppContentResponders.ContainsKey(appName))
{
handled = AppContentResponders[appName].TryRespond(context, out checkedPaths);
}
if (!handled && !ShouldIgnore(path))
{
bool exists;
exists = ServerRoot.FileExists(path, out string absoluteFileSystemPath);
if (!exists)
{
exists = ServerRoot.FileExists(commonPath, out absoluteFileSystemPath);
}
if (exists)
{
string ext = Path.GetExtension(absoluteFileSystemPath);
if (FileCachesByExtension.ContainsKey(ext))
{
FileCache cache = FileCachesByExtension[ext];
if (ShouldZip(request))
{
SetGzipContentEncodingHeader(response);
content = cache.GetZippedContent(absoluteFileSystemPath);
}
else
{
content = cache.GetContent(absoluteFileSystemPath);
}
handled = true;
Etags.SetLastModified(response, request.Url.ToString(), new FileInfo(absoluteFileSystemPath).LastWriteTime);
}
}
if (handled)
{
SetContentType(response, path);
Etags.Set(response, request.Url.ToString(), content);
SendResponse(response, content);
OnResponded(context);
}
else
{
LogContentNotFound(path, appName, checkedPaths);
OnNotResponded(context);
}
}
if (!handled && endResponse)
{
SendResponse(response, "Not Found", 404);
}
return(handled);
}
catch (Exception ex)
{
Logger.AddEntry("An error occurred in {0}.{1}: {2}", ex, this.GetType().Name, MethodBase.GetCurrentMethod().Name, ex.Message);
OnNotResponded(context);
return(false);
}
}