Exemplo n.º 1
0
        /// <summary>
        /// Validates user input against stored input.
        /// </summary>
        /// <param name="input">Input to compare.</param>
        /// <param name="reference">Reference password.</param>
        /// <returns>Whether the passwords match.</returns>
        public async Task <bool> ValidatePasswordHashAsync(string input, byte[] reference)
        {
            var salt = reference.AsSpan(0, SaltSize).ToArray();

            var utfinput = AbstractionUtilities.UTF8.GetBytes(input);
            var output   = await this.KeyDeriver.DeriveHashAsync(utfinput, salt, PasswordSize);

            return(AbstractionUtilities.ConstantTimeEquals(output, reference.AsSpan(SaltSize), PasswordSize));
        }
Exemplo n.º 2
0
        // This method gets called by the runtime. Use this method to add services to the container.
        public void ConfigureServices(IServiceCollection services)
        {
            services.AddHsts(opts =>
            {
                opts.Preload           = true;
                opts.IncludeSubDomains = true;
                opts.MaxAge            = TimeSpan.FromDays(365);
            });

            services.AddAntiforgery(x =>
            {
                x.Cookie.Name = "Rosetta-XSRF-Token";
                x.HeaderName  = "X-Rosetta-XSRF";
            });

            services.AddOptions <Data.ConfigurationRoot>()
            .Bind(this.Configuration)
            .ValidateDataAnnotations();

            services.AddOptions <ConfigurationDatastore>()
            .Bind(this.Configuration.GetSection("Database"))
            .ValidateDataAnnotations();

            services.AddOptions <ConfigurationCache>()
            .Bind(this.Configuration.GetSection("Cache"))
            .ValidateDataAnnotations();

            services.AddOptions <ConfigurationHttp>()
            .Bind(this.Configuration.GetSection("Http"))
            .ValidateDataAnnotations();

            services.AddOptions <ConfigurationHttpProxy>()
            .Bind(this.Configuration.GetSection("Http:ForwardHeaders"))
            .ValidateDataAnnotations();

            services.AddOptions <ConfigurationAuthentication>()
            .Bind(this.Configuration.GetSection("Authentication"))
            .ValidateDataAnnotations();

            services.AddOptions <ConfigurationOAuth>()
            .Bind(this.Configuration.GetSection("Authentication:OAuth"))
            .ValidateDataAnnotations();

            services.AddOptions <ConfigurationSecurity>()
            .Bind(this.Configuration.GetSection("KeyDerivation"))
            .ValidateDataAnnotations();

            services.AddAuthentication(JwtAuthenticationOptions.SchemeName)
            .AddScheme <JwtAuthenticationOptions, JwtAuthenticationHandler>(JwtAuthenticationOptions.SchemeName, opts => { });

            services.AddAuthorization();

            // Configure datastore providers
            var implSelector = new ImplementationSelector();

            services.AddSingleton(implSelector);
            implSelector.ConfigureCtfConfigurationLoaderProvider("yaml", services);
            implSelector.ConfigureDatabaseProvider(this.Configuration["Database:Type"], services);
            implSelector.ConfigureCacheProvider(this.Configuration["Cache:Type"], services);
            implSelector.ConfigureOAuthProviders(this.Configuration
                                                 .GetSection("Authentication:OAuth:Providers")
                                                 .Get <ConfigurationOAuthProvider[]>()
                                                 .Select(x => x.Type), services);

            services.AddTransient <UserPreviewRepository>()
            .AddTransient <ChallengePreviewRepository>()
            .AddSingleton <OAuthTokenHandler>()
            .AddSingleton <ActionTokenPairHandler>()
            .AddSingleton <HttpClient>()
            .AddSingleton <JwtHandler>()
            .AddTransient <PasswordHandler>()
            .AddSingleton <IdGenerator>()
            .AddTransient <IPasswordHashDeriver, Argon2idHashDeriver>()
            .AddTransient <IKeyDeriver, Pbkdf2KeyDeriver>()
            .AddSingleton <EnumDisplayConverter>()
            .AddTransient <IScoringModel, SlowLogisticDecayScoringModel>()
            .AddSingleton <OAuthConfigurationProvider>()
            .AddScoped <OAuthProviderSelector>()
            .AddScoped <LoginSettingsRepository>()
            .AddTransient <MfaValidatorService>()
            .AddScoped <ScoreCalculatorService>()
            .AddSingleton <ScoreLockService>();

            services.AddHostedService <ChallengeBootstrapperService>();

            // filters
            services.AddScoped <ValidRosettaUserFilter>()
            .AddScoped <OptionalRosettaUserFilter>()
            .AddScoped <EventNotStartedFilter>()
            .AddScoped <EventStartedFilter>()
            .AddScoped <EventNotOverFilter>();

#if !DEBUG
            services.AddControllers();

            foreach (var xsrfType in AbstractionUtilities.FindAntiforgeryFilters())
            {
                services.AddSingleton(xsrfType);
            }
#else
            services.AddControllersWithViews();
            services.AddSpaStaticFiles(cfg => cfg.RootPath = $"{this.SpaConfiguration.Root}/dist");
#endif
        }