public void Api_can_parse_timestamp(string timestamp)
{
DateTime dt;
_hmacAuth.ParseTimestamp(timestamp, out dt).ShouldBeTrue();
}
protected virtual ShopConnectorAuthResult IsAuthenticated(HttpContextBase httpContext, DateTime now, ShopConnectorControllingData controllingData)
{
var request = httpContext.Request;
DateTime headDateTime;
if (request == null)
{
return(ShopConnectorAuthResult.FailedForUnknownReason);
}
if (controllingData.ConnectorUnavailable)
{
return(ShopConnectorAuthResult.ConnectorUnavailable);
}
if (!controllingData.IsExportEnabled)
{
return(ShopConnectorAuthResult.ExportDeactivated);
}
//string headContentMd5 = request.Headers["Content-Md5"] ?? request.Headers["Content-MD5"];
string headTimestamp = request.Headers[ShopConnectorCore.Header.Date];
string headPublicKey = request.Headers[ShopConnectorCore.Header.PublicKey];
string action = request.RequestContext.RouteData.GetRequiredString("action");
bool forExport = !action.IsCaseInsensitiveEqual("Notification");
string[] authorization = request.Headers["Authorization"].SplitSafe(" ");
if (string.IsNullOrWhiteSpace(headPublicKey))
{
return(ShopConnectorAuthResult.ConnectionInvalid);
}
if (authorization.Length != 2 || !_hmac.IsAuthorizationHeaderValid(authorization[0], authorization[1]))
{
return(ShopConnectorAuthResult.InvalidAuthorizationHeader);
}
if (!_hmac.ParseTimestamp(headTimestamp, out headDateTime))
{
return(ShopConnectorAuthResult.InvalidTimestamp);
}
int maxMinutes = (controllingData.ValidMinutePeriod <= 0 ? ShopConnectorCore.DefaultTimePeriodMinutes : controllingData.ValidMinutePeriod);
if (Math.Abs((headDateTime - now).TotalMinutes) > maxMinutes)
{
return(ShopConnectorAuthResult.TimestampOutOfPeriod);
}
var connection = controllingData.Connections.FirstOrDefault(x => x.IsForExport == forExport && x.PublicKey == headPublicKey);
if (connection == null)
{
return(ShopConnectorAuthResult.ConnectionUnknown);
}
if (!connection.IsActive)
{
return(ShopConnectorAuthResult.ConnectionDisabled);
}
if (connection.LastRequestUtc.HasValue && headDateTime <= connection.LastRequestUtc.Value)
{
return(ShopConnectorAuthResult.TimestampOlderThanLastRequest);
}
var context = new ShopConnectorRequestContext()
{
HttpMethod = request.HttpMethod,
HttpAcceptType = request.Headers["Accept"],
PublicKey = headPublicKey,
SecretKey = connection.SecretKey,
Url = HttpUtility.UrlDecode(request.Url.AbsoluteUri.ToLower())
};
string contentMd5 = CreateContentMd5Hash(httpContext.Request);
string messageRepresentation = _hmac.CreateMessageRepresentation(context, contentMd5, headTimestamp);
if (string.IsNullOrEmpty(messageRepresentation))
{
return(ShopConnectorAuthResult.MissingMessageRepresentationParameter);
}
string signatureProvider = _hmac.CreateSignature(connection.SecretKey, messageRepresentation);
if (signatureProvider != authorization[1])
{
return(ShopConnectorAuthResult.InvalidSignature);
}
controllingData.ConnectionsUpdated = true;
connection.LastRequestUtc = now;
if (connection.RequestCount < long.MaxValue)
{
++connection.RequestCount;
}
return(ShopConnectorAuthResult.Success);
}
protected virtual HmacResult IsAuthenticated(HttpActionContext actionContext, DateTime now, WebApiControllingCacheData cacheControllingData, out User user)
{
user = null;
var request = HttpContext.Current.Request;
DateTime headDateTime;
if (request == null)
{
return(HmacResult.FailedForUnknownReason);
}
string headContentMd5 = request.Headers["Content-Md5"] ?? request.Headers["Content-MD5"];
string headTimestamp = request.Headers[WebApiGlobal.Header.Date];
string headPublicKey = request.Headers[WebApiGlobal.Header.PublicKey];
string scheme = actionContext.Request.Headers.Authorization.Scheme;
string signatureConsumer = actionContext.Request.Headers.Authorization.Parameter;
if (string.IsNullOrWhiteSpace(headPublicKey))
{
return(HmacResult.UserInvalid);
}
if (!_hmac.IsAuthorizationHeaderValid(scheme, signatureConsumer))
{
return(HmacResult.InvalidAuthorizationHeader);
}
if (!_hmac.ParseTimestamp(headTimestamp, out headDateTime))
{
return(HmacResult.InvalidTimestamp);
}
//int maxMinutes = (cacheControllingData.ValidMinutePeriod <= 0 ? WebApiGlobal.DefaultTimePeriodMinutes : cacheControllingData.ValidMinutePeriod);
//if (Math.Abs((headDateTime - now).TotalMinutes) > maxMinutes)
// return HmacResult.TimestampOutOfPeriod;
var apiUser = GetUser(headPublicKey);
if (apiUser == null)
{
return(HmacResult.UserUnknown);
}
if (!apiUser.Active || apiUser.IsDeleted)
{
return(HmacResult.UserIsInactive);
}
//if (!HasPermission(actionContext, apiUser))
// return HmacResult.UserHasNoPermission;
if (!apiUser.WebApiEnabled)
{
return(HmacResult.UserDisabled);
}
//if (!cacheControllingData.NoRequestTimestampValidation && apiUser.LastApiRequest.HasValue && headDateTime <= apiUser.LastApiRequest.Value)
// return HmacResult.TimestampOlderThanLastRequest;
var context = new WebApiRequestContext
{
HttpMethod = request.HttpMethod,
HttpAcceptType = request.Headers["Accept"],
PublicKey = headPublicKey,
SecretKey = apiUser.SecretKey,
Url = HttpUtility.UrlDecode(request.Url.AbsoluteUri.ToLower())
};
//string contentMd5 = CreateContentMd5Hash(actionContext.Request);
//if (!string.IsNullOrWhiteSpace(headContentMd5) && headContentMd5 != contentMd5)
// return HmacResult.ContentMd5NotMatching;
//string messageRepresentation = _hmac.CreateMessageRepresentation(context, contentMd5, headTimestamp);
//if (string.IsNullOrEmpty(messageRepresentation))
// return HmacResult.MissingMessageRepresentationParameter;
//string signatureProvider = _hmac.CreateSignature(apiUser.SecretKey, messageRepresentation);
//if (signatureProvider != signatureConsumer)
//{
// if (cacheControllingData.AllowEmptyMd5Hash)
// {
// messageRepresentation = _hmac.CreateMessageRepresentation(context, null, headTimestamp);
// signatureProvider = _hmac.CreateSignature(apiUser.SecretKey, messageRepresentation);
// if (signatureProvider != signatureConsumer)
// return HmacResult.InvalidSignature;
// }
// else
// {
// return HmacResult.InvalidSignature;
// }
//}
//var headers = HttpContext.Current.Response.Headers;
//headers.Add(ApiHeaderName.LastRequest, apiUser.LastRequest.HasValue ? apiUser.LastRequest.Value.ToString("o") : "");
apiUser.LastApiRequest = headDateTime;
user = apiUser;
return(HmacResult.Success);
}