Ejemplo n.º 1
0
        protected override Task InitializeAsync(object initializationData = null)
        {
            if (!HttpResponse.IsSuccessStatusCode)
            {
                ErrorMessage = initializationData as string;
                return(Task.CompletedTask);
            }

            Policy = initializationData as DiscoveryPolicy ?? new DiscoveryPolicy();

            var validationError = Validate(Policy);

            if (validationError.IsPresent())
            {
                Json = default;

                ErrorType    = ResponseErrorType.PolicyViolation;
                ErrorMessage = validationError;
            }

            MtlsEndpointAliases =
                new MtlsEndpointAliases(Json.TryGetValue(OidcConstants.Discovery.MtlsEndpointAliases));

            return(Task.CompletedTask);
        }
Ejemplo n.º 2
0
        public DiscoveryResponse(string raw, DiscoveryPolicy policy = null)
        {
            if (policy == null)
            {
                policy = new DiscoveryPolicy();
            }

            IsError    = false;
            StatusCode = HttpStatusCode.OK;
            Raw        = raw;

            try
            {
                Json = JObject.Parse(raw);
                var validationError = Validate(policy);

                if (!string.IsNullOrEmpty(validationError))
                {
                    IsError = true;
                    Json    = null;

                    ErrorType = ResponseErrorType.PolicyViolation;
                    Error     = validationError;
                }
            }
            catch (Exception ex)
            {
                IsError = true;

                ErrorType = ResponseErrorType.Exception;
                Error     = ex.Message;
                Exception = ex;
            }
        }
Ejemplo n.º 3
0
        private string Validate(DiscoveryPolicy policy)
        {
            if (policy.ValidateIssuerName)
            {
                if (string.IsNullOrWhiteSpace(Issuer))
                {
                    return("Issuer name is missing");
                }

                var isValid = ValidateIssuerName(Issuer.RemoveTrailingSlash(), policy.Authority.RemoveTrailingSlash(), policy.AuthorityNameComparison);
                if (!isValid)
                {
                    return("Issuer name does not match authority: " + Issuer);
                }
            }

            var error = ValidateEndpoints(Json, policy);

            if (error.IsPresent())
            {
                return(error);
            }

            return(string.Empty);
        }
        /// <summary>
        /// Initialize instance of DiscoveryCache with passed authority.
        /// </summary>
        /// <param name="authority">Base address or discovery document endpoint.</param>
        /// <param name="client">The client.</param>
        /// <param name="policy">The policy.</param>
        public DiscoveryCache(string authority, HttpClient client = null, DiscoveryPolicy policy = null)
        {
            _authority = authority;
            _policy    = policy ?? new DiscoveryPolicy();

            if (client == null)
            {
                client = new HttpClient();
            }
            _getHttpClient = () => client;
        }
Ejemplo n.º 5
0
        public string ValidateEndoints(JObject json, DiscoveryPolicy policy)
        {
            var authorityHost = new Uri(policy.Authority).Authority;

            foreach (var element in json)
            {
                if (element.Key.EndsWith("Endpoint", StringComparison.OrdinalIgnoreCase) ||
                    element.Key.Equals(OidcConstants.Discovery.JwksUri, StringComparison.OrdinalIgnoreCase))
                {
                    var endpoint = element.Value.ToString();
                    Uri uri;

                    var isValidUri = Uri.TryCreate(endpoint, UriKind.Absolute, out uri);
                    if (!isValidUri)
                    {
                        return($"Malformed endpoint: {endpoint}");
                    }

                    if (!DiscoveryUrlHelper.IsValidScheme(uri))
                    {
                        return($"Malformed endpoint: {endpoint}");
                    }

                    if (!DiscoveryUrlHelper.IsSecureScheme(uri, policy))
                    {
                        return($"Endpoint does not use HTTPS: {endpoint}");
                    }

                    if (policy.ValidateEndpoints)
                    {
                        if (!string.Equals(authorityHost, uri.Host))
                        {
                            return($"Endpoint is on a different host than authority: {endpoint}");
                        }

                        if (!endpoint.StartsWith(policy.Authority, StringComparison.Ordinal))
                        {
                            return($"Endpoint belongs to different authority: {endpoint}");
                        }
                    }
                }
            }

            if (policy.RequireKeySet)
            {
                if (string.IsNullOrWhiteSpace(JwksUri))
                {
                    return("Keyset is missing");
                }
            }

            return(string.Empty);
        }
Ejemplo n.º 6
0
        private string Validate(DiscoveryPolicy policy)
        {
            if (policy.ValidateIssuerName)
            {
                var isValid = ValidateIssuerName(Issuer.RemoveTrailingSlash(), policy.Authority.RemoveTrailingSlash());
                if (!isValid)
                {
                    return("Issuer name does not match authority");
                }
            }

            var error = ValidateEndoints(Json, policy);

            if (!string.IsNullOrEmpty(error))
            {
                return(error);
            }

            return(string.Empty);
        }
Ejemplo n.º 7
0
        public static bool IsSecureScheme(Uri url, DiscoveryPolicy policy)
        {
            if (policy.RequireHttps == true)
            {
                if (policy.AllowHttpOnLoopback == true)
                {
                    var hostName = url.DnsSafeHost;

                    foreach (var address in policy.LoopbackAddresses)
                    {
                        if (string.Equals(hostName, address, StringComparison.OrdinalIgnoreCase))
                        {
                            return(true);
                        }
                    }
                }

                return(string.Equals(url.Scheme, "https", StringComparison.OrdinalIgnoreCase));
            }

            return(true);
        }
Ejemplo n.º 8
0
        protected override Task InitializeAsync(object initializationData = null)
        {
            if (!HttpResponse.IsSuccessStatusCode)
            {
                ErrorMessage = initializationData as string;
                return(Task.CompletedTask);
            }

            Policy = initializationData as DiscoveryPolicy ?? new DiscoveryPolicy();

            var validationError = Validate(Policy);

            if (validationError.IsPresent())
            {
                Json = null;

                ErrorType    = ResponseErrorType.PolicyViolation;
                ErrorMessage = validationError;
            }

            return(Task.CompletedTask);
        }
Ejemplo n.º 9
0
        private string Validate(DiscoveryPolicy policy)
        {
            if (policy.ValidateIssuerName)
            {
                IAuthorityValidationStrategy strategy = policy.AuthorityValidationStrategy ?? DiscoveryPolicy.DefaultAuthorityValidationStrategy;

                AuthorityValidationResult issuerValidationResult = strategy.IsIssuerNameValid(Issuer, policy.Authority);

                if (!issuerValidationResult.Success)
                {
                    return(issuerValidationResult.ErrorMessage);
                }
            }

            var error = ValidateEndpoints(Json, policy);

            if (error.IsPresent())
            {
                return(error);
            }

            return(string.Empty);
        }
        private string Validate(DiscoveryPolicy policy)
        {
            if (policy.ValidateIssuerName)
            {
#pragma warning disable 0618
                IAuthorityValidationStrategy strategy = policy.AuthorityValidationStrategy ?? new StringComparisonAuthorityValidationStrategy(policy.AuthorityNameComparison);
#pragma warning restore 0618

                AuthorityValidationResult issuerValidationResult = strategy.IsIssuerNameValid(Issuer, policy.Authority);

                if (!issuerValidationResult.Success)
                {
                    return(issuerValidationResult.ErrorMessage);
                }
            }

            var error = ValidateEndpoints(Json, policy);
            if (error.IsPresent())
            {
                return(error);
            }

            return(string.Empty);
        }
Ejemplo n.º 11
0
        /// <summary>
        /// Validates the endoints and jwks_uri according to the security policy.
        /// </summary>
        /// <param name="json">The json.</param>
        /// <param name="policy">The policy.</param>
        /// <returns></returns>
        public string ValidateEndpoints(JObject json, DiscoveryPolicy policy)
        {
            // allowed hosts
            var allowedHosts = new HashSet <string>(policy.AdditionalEndpointBaseAddresses.Select(e => new Uri(e).Authority))
            {
                new Uri(policy.Authority).Authority
            };

            // allowed authorities (hosts + base address)
            var allowedAuthorities = new HashSet <string>(policy.AdditionalEndpointBaseAddresses)
            {
                policy.Authority
            };

            foreach (var element in json)
            {
                if (element.Key.EndsWith("endpoint", StringComparison.OrdinalIgnoreCase) ||
                    element.Key.Equals(OidcConstants.Discovery.JwksUri, StringComparison.OrdinalIgnoreCase) ||
                    element.Key.Equals(OidcConstants.Discovery.CheckSessionIframe, StringComparison.OrdinalIgnoreCase))
                {
                    var endpoint = element.Value.ToString();

                    var isValidUri = Uri.TryCreate(endpoint, UriKind.Absolute, out Uri uri);
                    if (!isValidUri)
                    {
                        return($"Malformed endpoint: {endpoint}");
                    }

                    if (!DiscoveryUrlHelper.IsValidScheme(uri))
                    {
                        return($"Malformed endpoint: {endpoint}");
                    }

                    if (!DiscoveryUrlHelper.IsSecureScheme(uri, policy))
                    {
                        return($"Endpoint does not use HTTPS: {endpoint}");
                    }

                    if (policy.ValidateEndpoints)
                    {
                        // if endpoint is on exclude list, don't validate
                        if (policy.EndpointValidationExcludeList.Contains(element.Key))
                        {
                            continue;
                        }

                        bool isAllowed = false;
                        foreach (var host in allowedHosts)
                        {
                            if (string.Equals(host, uri.Authority))
                            {
                                isAllowed = true;
                            }
                        }

                        if (!isAllowed)
                        {
                            return($"Endpoint is on a different host than authority: {endpoint}");
                        }


                        isAllowed = false;
                        foreach (var authority in allowedAuthorities)
                        {
                            if (endpoint.StartsWith(authority, policy.AuthorityNameComparison))
                            {
                                isAllowed = true;
                            }
                        }

                        if (!isAllowed)
                        {
                            return($"Endpoint belongs to different authority: {endpoint}");
                        }
                    }
                }
            }

            if (policy.RequireKeySet)
            {
                if (string.IsNullOrWhiteSpace(JwksUri))
                {
                    return("Keyset is missing");
                }
            }

            return(string.Empty);
        }
 /// <summary>
 /// Initialize instance of DiscoveryCache with passed authority.
 /// </summary>
 /// <param name="authority">Base address or discovery document endpoint.</param>
 /// <param name="httpClientFunc">The HTTP client function.</param>
 /// <param name="policy">The policy.</param>
 public DiscoveryCache(string authority, Func <HttpClient> httpClientFunc, DiscoveryPolicy policy = null)
 {
     _authority     = authority;
     _policy        = policy ?? new DiscoveryPolicy();
     _getHttpClient = httpClientFunc ?? throw new ArgumentNullException(nameof(httpClientFunc));
 }
Ejemplo n.º 13
0
 /// <summary>
 /// Initialize instance of DiscoveryCache with passed authority.
 /// </summary>
 /// <param name="authority">Base address or discovery document endpoint.</param>
 /// <param name="policy">The policy.</param>
 public DiscoveryCache(string authority, DiscoveryPolicy policy = null)
 {
     _authority     = authority;
     _policy        = policy ?? new DiscoveryPolicy();
     _getHttpClient = () => new HttpClient();
 }