public void TamperDetection()
{
// Tamper with an encrypted payload and verify that this
// is detected via the HMAC signature.
using (var cipher = new AesCipher())
{
var decrypted = new byte[] { 0, 1, 2, 3, 4, 5, 6, 7, 8, 9 };
var encrypted = cipher.EncryptToBytes(decrypted);
Assert.Equal(decrypted, cipher.DecryptBytesFrom(encrypted));
// Modify the last byte and ensure that decryption fails.
var tampered = Clone(encrypted);
tampered[encrypted.Length - 1] = (byte)(~tampered[encrypted.Length - 1]);
Assert.Throws <CryptographicException>(() => cipher.DecryptBytesFrom(tampered));
// Remove the last byte and ensure that decryption fails.
tampered = new byte[encrypted.Length - 1];
for (int i = 0; i < tampered.Length; i++)
{
tampered[i] = encrypted[i];
}
Assert.Throws <CryptographicException>(() => cipher.DecryptBytesFrom(tampered));
}
}
public async Task <ActionResult <TokenResponse> > TokenAsync([FromForm] string code)
{
LogDebug($"Processing request for code: [{code}]");
var responseJson = NeonHelper.JsonDeserialize <TokenResponse>(cipher.DecryptBytesFrom(await cache.GetAsync(code)));
LogDebug($"[{code}]: [{NeonHelper.JsonSerialize(responseJson)}]");
_ = cache.RemoveAsync(code);
return(Ok(responseJson));
}
public void Encrypt_ToBase64()
{
// Encrypt a byte array:
using (var cipher = new AesCipher())
{
var decrypted = new byte[] { 0, 1, 2, 3, 4, 5, 6, 7, 8, 9 };
var encrypted = cipher.EncryptToBase64(decrypted);
Assert.Equal(decrypted, cipher.DecryptBytesFrom(encrypted));
}
// Encrypt a string:
using (var cipher = new AesCipher())
{
var decrypted = "1234567890";
var encrypted = cipher.EncryptToBase64(decrypted);
Assert.Equal(decrypted, cipher.DecryptStringFrom(encrypted));
}
}
/// <summary>
/// <para>
/// Entrypoint called as part of the request pipeline.
/// </para>
/// <para>
/// This method is responsible for intercepting token requests from clients.
/// If the client has a valid cookie with a token response in it, we save the
/// token to cache and redirect them back with a code referencing the token in
/// the cache.
/// </para>
/// </summary>
public async Task InvokeAsync(
HttpContext context,
Service NeonSsoSessionProxyService,
IDistributedCache cache,
AesCipher cipher,
DistributedCacheEntryOptions cacheOptions,
INeonLogger logger)
{
try
{
if (context.Request.Cookies.TryGetValue(Service.SessionCookieName, out var requestCookieBase64))
{
var requestCookie = NeonHelper.JsonDeserialize <Cookie>(cipher.DecryptBytesFrom(requestCookieBase64));
if (requestCookie.TokenResponse != null)
{
var code = NeonHelper.GetCryptoRandomPassword(10);
await cache.SetAsync(code, cipher.EncryptToBytes(NeonHelper.JsonSerializeToBytes(requestCookie.TokenResponse)), cacheOptions);
var query = new Dictionary <string, string>()
{
{ "code", code }
};
if (context.Request.Query.TryGetValue("state", out var state))
{
query["state"] = state;
}
if (context.Request.Query.TryGetValue("redirect_uri", out var redirectUri))
{
if (context.Request.Query.TryGetValue("client_id", out var clientId))
{
if (!NeonSsoSessionProxyService.Config.StaticClients.Where(client => client.Id == clientId).First().RedirectUris.Contains(redirectUri))
{
logger.LogError("Invalid redirect URI");
throw new HttpRequestException("Invalid redirect URI.");
}
context.Response.StatusCode = StatusCodes.Status302Found;
context.Response.Headers.Location = QueryHelpers.AddQueryString(redirectUri, query);
logger.LogDebug($"Client and Redirect URI confirmed. [ClientID={clientId}] [RedirectUri={redirectUri}]");
return;
}
else
{
logger.LogError("No Client ID specified.");
throw new HttpRequestException("Invalid Client ID.");
}
}
else
{
throw new HttpRequestException("No redirect_uri specified.");
}
}
}
}
catch (Exception e)
{
NeonSsoSessionProxyService.Log.LogError(e);
}
await _next(context);
}
/// <summary>
/// Transforms the response before returning it to the client.
///
/// <para>
/// This method will add a <see cref="Cookie"/> to each response containing relevant information
/// about the current authentication flow. It also intercepts redirects from Dex and saves any relevant
/// tokens to a cache for reuse.
/// </para>
/// </summary>
/// <param name="httpContext"></param>
/// <param name="proxyResponse"></param>
/// <returns></returns>
public override async ValueTask <bool> TransformResponseAsync(HttpContext httpContext,
HttpResponseMessage proxyResponse)
{
await base.TransformResponseAsync(httpContext, proxyResponse);
Cookie cookie = null;
if (httpContext.Request.Cookies.TryGetValue(Service.SessionCookieName, out var requestCookieBase64))
{
try
{
logger.LogDebug($"Decrypting existing cookie.");
cookie = NeonHelper.JsonDeserialize <Cookie>(cipher.DecryptBytesFrom(requestCookieBase64));
}
catch (Exception e)
{
logger.LogError(e);
cookie = new Cookie();
}
}
else
{
logger.LogDebug($"Cookie not present.");
cookie = new Cookie();
}
// If we're being redirected, intercept request and save token to cookie.
if (httpContext.Response.Headers.Location.Count > 0 &&
Uri.IsWellFormedUriString(httpContext.Response.Headers.Location.Single(), UriKind.Absolute))
{
var location = new Uri(httpContext.Response.Headers.Location.Single());
var code = HttpUtility.ParseQueryString(location.Query).Get("code");
if (!string.IsNullOrEmpty(code))
{
if (cookie != null)
{
var redirect = cookie.RedirectUri;
var token = await dexClient.GetTokenAsync(cookie.ClientId, code, redirect, "authorization_code");
await cache.SetAsync(code, cipher.EncryptToBytes(NeonHelper.JsonSerializeToBytes(token)), cacheOptions);
logger.LogDebug(NeonHelper.JsonSerialize(token));
cookie.TokenResponse = token;
httpContext.Response.Cookies.Append(
Service.SessionCookieName,
cipher.EncryptToBase64(NeonHelper.JsonSerialize(cookie)),
new CookieOptions()
{
Path = "/",
Expires = DateTime.UtcNow.AddSeconds(token.ExpiresIn.Value).AddMinutes(-60),
Secure = true,
SameSite = SameSiteMode.Strict
});
return(true);
}
}
}
// Add query parameters to the cookie.
if (httpContext.Request.Query.TryGetValue("client_id", out var clientId))
{
logger.LogDebug($"Client ID: [{clientId}]");
cookie.ClientId = clientId;
}
if (httpContext.Request.Query.TryGetValue("state", out var state))
{
logger.LogDebug($"State: [{state}]");
cookie.State = state;
}
if (httpContext.Request.Query.TryGetValue("redirect_uri", out var redirectUri))
{
logger.LogDebug($"Redirect Uri: [{redirectUri}]");
cookie.RedirectUri = redirectUri;
}
if (httpContext.Request.Query.TryGetValue("scope", out var scope))
{
logger.LogDebug($"Scope: [{scope}]");
cookie.Scope = scope;
}
if (httpContext.Request.Query.TryGetValue("response_type", out var responseType))
{
logger.LogDebug($"Response Type: [{responseType}]");
cookie.ResponseType = responseType;
}
httpContext.Response.Cookies.Append(
Service.SessionCookieName,
cipher.EncryptToBase64(NeonHelper.JsonSerialize(cookie)),
new CookieOptions()
{
Path = "/",
Expires = DateTime.UtcNow.AddHours(24),
Secure = true,
SameSite = SameSiteMode.Strict
});
return(true);
}
/// <inheritdoc/>
public byte[] Unprotect(byte[] protectedData)
{
return(cipher.DecryptBytesFrom(protectedData));
}