public void GenerateAndDecomposeTokenWithAdditionalElements(string resourceUri, string key, string policyName, int expiryInSeconds)
{
var token = SharedAccessTokens.GenerateSasToken(resourceUri, key, policyName, expiryInSeconds);
Assert.IsTrue(!string.IsNullOrWhiteSpace(token), "The token should not be null or whitespace");
Assert.IsFalse(SharedAccessTokens.DecomposeSasToken($"{ token }&ad=additionalstuff", out var _, out var _, out var _, out var _, out var _), "Successfully decomposes");
}
public void DecompositionMissingElementsFailure()
{
Assert.IsFalse(SharedAccessTokens.DecomposeSasToken("SharedAccessSignature sig=uRaXRcD2L%2BxXDzq5nSu%2FSEQw0CsQT%2Fx1AmEKaWocenw%3D&se=1599667990&skn=policy1", out var _, out var _, out var _, out var _, out var _), "Not expected to pass decomposition missing resource");
Assert.IsFalse(SharedAccessTokens.DecomposeSasToken("SharedAccessSignature sr=%2Flocalhost%2Fdevice%2Fevents%2F&se=1599667990&skn=policy1", out var _, out var _, out var _, out var _, out var _), "Not expected to pass decomposition missing signature");
Assert.IsFalse(SharedAccessTokens.DecomposeSasToken("SharedAccessSignature sr=%2Flocalhost%2Fdevice%2Fevents%2F&sig=uRaXRcD2L%2BxXDzq5nSu%2FSEQw0CsQT%2Fx1AmEKaWocenw%3D&se=1599667990", out var _, out var _, out var _, out var _, out var _), "Not expected to pass decomposition missing policy name");
Assert.IsFalse(SharedAccessTokens.DecomposeSasToken("SharedAccessSignature sr=%2Flocalhost%2Fdevice%2Fevents%2F&sig=uRaXRcD2L%2BxXDzq5nSu%2FSEQw0CsQT%2Fx1AmEKaWocenw%3D&skn=policy1", out var _, out var _, out var _, out var _, out var _), "Not expected to pass decomposition missing expires at");
}
/// <summary>
/// Authenticates the client credentials against the hub
/// </summary>
/// <param name="request">The request</param>
/// <param name="cancellationToken">A token to monitor for abort requests</param>
/// <returns>The authentication response</returns>
protected virtual async Task <AuthenticationResponsePayload> AuthenticateClientAsync(HttpRequest request, CancellationToken cancellationToken)
{
AuthenticationResponsePayload response = null;
using (var reader = new StreamReader(request.Body))
{
var requestPayload = JsonConvert.DeserializeObject <AuthenticationRequestPayload>(reader.ReadToEnd());
using (_authenticationTiming.Time())
{
if (await AuthenticateAsync(request, requestPayload, cancellationToken).ConfigureAwait(false))
{
var accessToken = SharedAccessTokens.GenerateSasToken($"{_sasTokenScheme}://{requestPayload.UserName}", _sasSigningKey, _sasTokenPolicyName, (int)_sasTokenTimeout.TotalSeconds);
response = new AuthenticationResponsePayload
{
TokenType = "bearer",
AccessToken = accessToken
};
}
}
}
return(response);
}
public void GenerateAndValidateToken(string resourceUri, string key, string policyName, int expiryInSeconds)
{
var token = SharedAccessTokens.GenerateSasToken(resourceUri, key, policyName, expiryInSeconds);
Assert.IsTrue(!string.IsNullOrWhiteSpace(token), "The token should not be null or whitespace");
Assert.IsTrue(SharedAccessTokens.DecomposeSasToken(token, out var outputResourceUri, out var outputPolicyName, out var _, out var stringToValidate, out var signature), "Successfully decomposes");
Assert.IsTrue(SharedAccessTokens.IsSignatureValid(signature, key, stringToValidate), "The signature was not valid");
Assert.IsTrue(string.Equals(outputResourceUri, resourceUri, StringComparison.Ordinal), "Resource URI not expected");
Assert.IsTrue(string.Equals(outputPolicyName, policyName, StringComparison.Ordinal), "Policy name not expected");
}
public void GenerateAndDecomposeToken(string resourceUri, string key, string policyName, int expiryInSeconds)
{
var token = SharedAccessTokens.GenerateSasToken(resourceUri, key, policyName, expiryInSeconds);
System.Diagnostics.Debug.Print(token);
Assert.IsTrue(!string.IsNullOrWhiteSpace(token), "The token should not be null or whitespace");
Assert.IsTrue(SharedAccessTokens.DecomposeSasToken(token, out var outputResourceUri, out var outputPolicyName, out var _, out var _, out var _), "Successfully decomposes");
Assert.IsTrue(string.Equals(outputResourceUri, resourceUri, StringComparison.Ordinal), "Resource URI not expected");
Assert.IsTrue(string.Equals(outputPolicyName, policyName, StringComparison.Ordinal), "Policy name not expected");
}
/// <summary>
/// Validates a token that has already been granted
/// </summary>
/// <param name="context">The HTTP Context that generated the request</param>
private async Task ValidateTokenAsync(HttpContext context)
{
var failedAuthentication = true;
using (_logger.BeginScope("Validate Token"))
{
if (context.Request.Headers.ContainsKey(_authorizationHeaderName))
{
var accessToken = context.Request.Headers[_authorizationHeaderName][0];
if (accessToken.StartsWith("Bearer "))
{
accessToken = accessToken.Substring("Bearer ".Length);
if (SharedAccessTokens.DecomposeSasToken(accessToken, out var resourceUri, out var policyName, out var expiresAt, out var stringToValidate, out var signature))
{
if (string.Equals(policyName, _sasTokenPolicyName, StringComparison.Ordinal))
{
if (SharedAccessTokens.IsSignatureValid(signature, _sasSigningKey, stringToValidate))
{
if (DateTime.UtcNow < expiresAt)
{
context.Request.Headers.Add(_resourceUriHeaderName, resourceUri);
context.Request.Headers.Add(_authorizationPolicyHeaderName, policyName);
await _next.Invoke(context).ConfigureAwait(true);
failedAuthentication = false;
_authenticationSuccess.Observe(1.0);
}
}
}
}
}
}
if (failedAuthentication)
{
_authenticationFailure.Observe(1.0);
_logger.LogInformation("Attempted authentication failed");
context.Response.StatusCode = (int)HttpStatusCode.Unauthorized;
context.Response.ContentType = ContentType;
await context.Response.WriteAsync(FailureResponse).ConfigureAwait(true);
_validateFailure.Observe(1.0);
}
else
{
_validateSuccess.Observe(1.0);
}
}
}
public void ValidationFailure(string signature, string key, string stringToValidate)
{
byte[] signatureBytes;
if (signature == "0")
{
signatureBytes = new byte[0];
}
else if (string.IsNullOrWhiteSpace(signature))
{
signatureBytes = null;
}
else
{
signatureBytes = Encoding.ASCII.GetBytes(signature);
}
Assert.IsFalse(SharedAccessTokens.IsSignatureValid(signatureBytes, key, stringToValidate), "The signature was not valid");
}
