public DirectWebResponse GetResponse(HttpWebRequest request, DirectWebRequestOptions options)
{
ErrorUtilities.VerifyArgumentNotNull(request, "request");
// This request MAY have already been prepared by GetRequestStream, but
// we have no guarantee, so do it just to be safe.
this.PrepareRequest(request, false);
// Since we may require SSL for every redirect, we handle each redirect manually
// in order to detect and fail if any redirect sends us to an HTTP url.
// We COULD allow automatic redirect in the cases where HTTPS is not required,
// but our mock request infrastructure can't do redirects on its own either.
Uri originalRequestUri = request.RequestUri;
int i;
for (i = 0; i < this.MaximumRedirections; i++)
{
this.EnsureAllowableRequestUri(request.RequestUri, (options & DirectWebRequestOptions.RequireSsl) != 0);
CachedDirectWebResponse response = this.chainedWebRequestHandler.GetResponse(request, options & ~DirectWebRequestOptions.RequireSsl).GetSnapshot(this.MaximumBytesToRead);
if (response.Status == HttpStatusCode.MovedPermanently ||
response.Status == HttpStatusCode.Redirect ||
response.Status == HttpStatusCode.RedirectMethod ||
response.Status == HttpStatusCode.RedirectKeepVerb)
{
// We have no copy of the post entity stream to repeat on our manually
// cloned HttpWebRequest, so we have to bail.
ErrorUtilities.VerifyProtocol(request.Method != "POST", MessagingStrings.UntrustedRedirectsOnPOSTNotSupported);
Uri redirectUri = new Uri(response.FinalUri, response.Headers[HttpResponseHeader.Location]);
request = request.Clone(redirectUri);
}
else
{
return(response);
}
}
throw ErrorUtilities.ThrowProtocol(MessagingStrings.TooManyRedirects, originalRequestUri);
}
public void Deserialize(T message, IProtocolMessage containingMessage, string value, string messagePartName)
{
Requires.NotNull(message, "message");
Requires.NotNull(containingMessage, "containingMessage");
Requires.NotNullOrEmpty(value, "value");
Requires.NotNullOrEmpty(messagePartName, "messagePartName");
string symmetricSecretHandle = null;
if (this.encrypted && this.cryptoKeyStore != null)
{
string valueWithoutHandle;
MessagingUtilities.ExtractKeyHandleAndPayload(containingMessage, messagePartName, value, out symmetricSecretHandle, out valueWithoutHandle);
value = valueWithoutHandle;
}
message.ContainingMessage = containingMessage;
byte[] data = MessagingUtilities.FromBase64WebSafeString(value);
byte[] signature = null;
if (this.signed)
{
using (var dataStream = new MemoryStream(data)) {
var dataReader = new BinaryReader(dataStream);
signature = dataReader.ReadBuffer();
data = dataReader.ReadBuffer();
}
// Verify that the verification code was issued by message authorization server.
ErrorUtilities.VerifyProtocol(this.IsSignatureValid(data, signature, symmetricSecretHandle), MessagingStrings.SignatureInvalid);
}
if (this.encrypted)
{
data = this.Decrypt(data, symmetricSecretHandle);
}
if (this.compressed)
{
data = MessagingUtilities.Decompress(data);
}
this.DeserializeCore(message, data);
message.Signature = signature; // TODO: we don't really need this any more, do we?
if (this.maximumAge.HasValue)
{
// Has message verification code expired?
DateTime expirationDate = message.UtcCreationDate + this.maximumAge.Value;
if (expirationDate < DateTime.UtcNow)
{
throw new ExpiredMessageException(expirationDate, containingMessage);
}
}
// Has message verification code already been used to obtain an access/refresh token?
if (this.decodeOnceOnly != null)
{
ErrorUtilities.VerifyInternal(this.maximumAge.HasValue, "Oops! How can we validate a nonce without a maximum message age?");
string context = "{" + GetType().FullName + "}";
if (!this.decodeOnceOnly.StoreNonce(context, Convert.ToBase64String(message.Nonce), message.UtcCreationDate))
{
Logger.OpenId.ErrorFormat("Replayed nonce detected ({0} {1}). Rejecting message.", message.Nonce, message.UtcCreationDate);
throw new ReplayedMessageException(containingMessage);
}
}
((IMessage)message).EnsureValidMessage();
}
/// <summary>
/// Verify that the request qualifies under our security policies
/// </summary>
/// <param name="requestUri">The request URI.</param>
/// <param name="requireSsl">If set to <c>true</c>, only web requests that can be made entirely over SSL will succeed.</param>
/// <exception cref="ProtocolException">Thrown when the URI is disallowed for security reasons.</exception>
private void EnsureAllowableRequestUri(Uri requestUri, bool requireSsl)
{
ErrorUtilities.VerifyProtocol(this.IsUriAllowable(requestUri), MessagingStrings.UnsafeWebRequestDetected, requestUri);
ErrorUtilities.VerifyProtocol(!requireSsl || string.Equals(requestUri.Scheme, Uri.UriSchemeHttps, StringComparison.OrdinalIgnoreCase), MessagingStrings.InsecureWebRequestWithSslRequired, requestUri);
}