Esempio n. 1
        /// <summary>
        /// Verifies that a signature produced by <c>HmacSignature.CreateSignature</c> is rejected by
        /// <c>HmacSignature.ValidateSignature</c> once it has been tampered with.
        /// </summary>
        public void SignatureFailureTest()
        {
            var context = _workContext.WithTag(_tag);

            // Request headers handed to the signer; the values are arbitrary test data.
            var testHeaders = new List <KeyValuePair <string, IEnumerable <string> > >
            {
                new KeyValuePair <string, IEnumerable <string> >("Content-Type", new string[] { "application/x-www-form-urlencoded", "charset=utf-8" }),
                new KeyValuePair <string, IEnumerable <string> >("Content-MD5", new string[] { "kdskflosifm3938dldasksdfjdf" }),
                new KeyValuePair <string, IEnumerable <string> >("Api-Cv", new string[] { "dkdfjdie.1" }),
                new KeyValuePair <string, IEnumerable <string> >("Api-Key", new string[] { "3asfvesef" }),
                new KeyValuePair <string, IEnumerable <string> >("Api-duplicate", new string[] { "false" }),
            };

            // NOTE(review): this line looks truncated/redacted in the listing — `credential`, `apiKey`
            // and `method` are used below but are not declared here; confirm against the original file.
            var          uri        = new Uri("http://*****:*****@domain.com";

            IHmacConfiguration hmacConfiguration = new HmacConfiguration();
            var    hmac      = new HmacSignature(hmacConfiguration);
            string signature = hmac.CreateSignature(context, credential, apiKey, method, uri, testHeaders);

            // Corrupt the signature by dropping two characters after the credential prefix
            // (the "+ 5" offset presumably skips a separator — verify against the signature format);
            // the tampered value must then fail validation.
            signature = signature.Remove(credential.Length + 5, 2);
            hmac.ValidateSignature(context, signature, apiKey, method, uri, testHeaders).Should().BeFalse();
        }
Esempio n. 2
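        /// <summary>
        /// Authenticates requests that carry an <c>Authorization: hmac credential:signature</c> header.
        /// Requests without an Authorization header, or with a scheme other than <c>hmac</c>, are passed
        /// through to the next middleware untouched; a malformed hmac header, an unknown or expired
        /// credential, or an invalid signature short-circuits the pipeline with 403 Forbidden.
        /// </summary>
        /// <param name="httpContext">The current request context.</param>
        public async Task Invoke(HttpContext httpContext)
        {
            RequestContext requestContext = httpContext.Items.Get <RequestContext>();
            IWorkContext   context        = (requestContext.Context ?? WorkContext.Empty).WithTag(_tag);

            // Does the request have an authorization header
            string authorizationValue = httpContext.Request.Headers["Authorization"];

            if (authorizationValue.IsEmpty())
            {
                await _next(httpContext);

                return;
            }

            // Get authorization parts; only the hmac scheme is handled here
            AuthenticationHeaderValue authorization;

            if (!AuthenticationHeaderValue.TryParse(authorizationValue, out authorization) || authorization.Scheme != "hmac")
            {
                await _next(httpContext);

                return;
            }

            // A bare "hmac" scheme with no parameter parses successfully but leaves Parameter null;
            // reject it here instead of letting Split() throw and turn a bad request into a 500.
            if (string.IsNullOrEmpty(authorization.Parameter))
            {
                httpContext.Response.StatusCode = (int)HttpStatusCode.Forbidden;
                return;
            }

            // NOTE(review): this writes the full credential:signature value to the log at Verbose level;
            // consider logging only the credential id so signatures do not end up in log storage.
            AspMvcEventSource.Log.Verbose(context, $"Authorization {authorization.Parameter}");

            // Expected shape is "credential:signature"
            string[] signatureParts = authorization.Parameter.Split(':');
            if (signatureParts.Length != 2)
            {
                httpContext.Response.StatusCode = (int)HttpStatusCode.Forbidden;
                return;
            }

            // Lookup the credential; an unknown principal or a missing/expired API key is rejected
            IdentityPrincipal identity = await _identityRepository.GetAsync(context, new PrincipalId(signatureParts[0]));

            if (identity == null || identity.ApiKey == null || identity.ApiKey.HasExpired)
            {
                httpContext.Response.StatusCode = (int)HttpStatusCode.Forbidden;
                return;
            }

            // Gather the inputs the signature covers: method, full URL, all request headers and the Date header
            RequestHeaders requestHeaders = httpContext.Request.GetTypedHeaders();
            HmacSignature  hmac           = new HmacSignature(_hmacConfiguration);
            Uri            url            = new Uri(httpContext.Request.GetEncodedUrl());
            IEnumerable <KeyValuePair <string, IEnumerable <string> > > headers = httpContext.Request.Headers.Select(x => new KeyValuePair <string, IEnumerable <string> >(x.Key, x.Value));

            // Validate HMAC signature against the stored API key
            if (!hmac.ValidateSignature(context, authorization.Parameter, identity.ApiKey.Value, httpContext.Request.Method, url, headers, requestHeaders.Date))
            {
                httpContext.Response.StatusCode = (int)HttpStatusCode.Forbidden;
                return;
            }

            // Set identity of the caller for downstream handlers.
            // NOTE(review): the identity is keyed by the whole Authorization parameter (credential:signature),
            // not by the credential alone; confirm that is what HmacIdentity consumers expect.
            httpContext.Items.Set(new HmacIdentity(authorization.Parameter));

            // Next
            await _next(httpContext);
        }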