public async Task TamperedTimestampMacMustFailClientAuthentication()
{
using (var invoker = new HttpMessageInvoker(server))
{
using (var request = new HttpRequestMessage(HttpMethod.Get, URI))
{
var client = new HawkClient(() => ServerFactory.DefaultCredential);
await client.CreateClientAuthorizationInternalAsync(request, DateTime.UtcNow.AddMinutes(-2));
using (var response = await invoker.SendAsync(request, CancellationToken.None))
{
Assert.AreEqual(HttpStatusCode.Unauthorized, response.StatusCode);
var wwwheader = response.Headers.WwwAuthenticate.FirstOrDefault();
Assert.IsNotNull(wwwheader);
Assert.AreEqual("hawk", wwwheader.Scheme);
Assert.IsNotNull(wwwheader.Parameter);
string tsParameter = wwwheader.Parameter;
// ts and tsm must be present
Assert.IsTrue(ParameterChecker.IsFieldPresent(tsParameter, "ts"));
Assert.IsTrue(ParameterChecker.IsFieldPresent(tsParameter, "tsm"));
Assert.IsTrue(await client.AuthenticateAsync(response));
string tamperedtsParameter = tsParameter.Replace("tsm=\"", "tsm=\"1234"); // tsm="abc" => tsm = "1234abc"
response.Headers.WwwAuthenticate.Remove(wwwheader);
response.Headers.WwwAuthenticate.Add(new AuthenticationHeaderValue("hawk", tamperedtsParameter));
Assert.IsFalse(await client.AuthenticateAsync(response));
}
}
}
}
public async Task MustReturn401WhenHawkParameterTimestampIsStale()
{
using (var invoker = new HttpMessageInvoker(server))
{
using (var request = new HttpRequestMessage(HttpMethod.Get, URI))
{
var client = new HawkClient(() => ServerFactory.DefaultCredential);
await client.CreateClientAuthorizationInternalAsync(request, DateTime.UtcNow.AddMinutes(-2));
using (var response = await invoker.SendAsync(request, CancellationToken.None))
{
Assert.AreEqual(HttpStatusCode.Unauthorized, response.StatusCode);
Assert.IsNotNull(response.Headers.WwwAuthenticate.FirstOrDefault());
Assert.AreEqual("hawk", response.Headers.WwwAuthenticate.FirstOrDefault().Scheme);
Assert.IsFalse(String.IsNullOrEmpty(response.Headers.WwwAuthenticate.FirstOrDefault().Parameter));
string tsParameter = response.Headers.WwwAuthenticate.FirstOrDefault().Parameter;
// ts and tsm must be present
Assert.IsTrue(ParameterChecker.IsFieldPresent(tsParameter, "ts"));
Assert.IsTrue(ParameterChecker.IsFieldPresent(tsParameter, "tsm"));
Assert.IsTrue(await client.AuthenticateAsync(response));
}
}
}
}
public async Task MustReturn401WhenUriIsTampered()
{
using (var invoker = new HttpMessageInvoker(server))
{
using (var request = new HttpRequestMessage(HttpMethod.Get, URI))
{
var client = new HawkClient(() => ServerFactory.DefaultCredential);
string bewit = await client.CreateBewitAsync(request, 10);
var parts = bewit.ToUtf8StringFromBase64Url().Split('\\');
string id = parts[0];
string timestamp = parts[1];
string mac = parts[2];
string ext = parts[3];
string tamperedBewit = String.Format(@"{0}\{1}\{2}\{3}", "Id of my choice", timestamp, mac, ext);
tamperedBewit = tamperedBewit.ToBytesFromUtf8().ToBase64UrlString();
using (var freshRequest = new HttpRequestMessage())
{
string tamperedUri = URI + "/1";
freshRequest.RequestUri = new Uri(tamperedUri + "?bewit=" + tamperedBewit);
using (var response = await invoker.SendAsync(freshRequest, CancellationToken.None))
{
Assert.AreEqual(HttpStatusCode.Unauthorized, response.StatusCode);
}
}
}
}
}
public async Task MustReturn401WhenHawkParameterHasDuplicateAttribute()
{
using (var invoker = new HttpMessageInvoker(server))
{
using (var request = new HttpRequestMessage(HttpMethod.Get, URI))
{
var client = new HawkClient(() => ServerFactory.DefaultCredential);
await client.CreateClientAuthorizationAsync(request);
string goodParameter = request.Headers.Authorization.Parameter;
string duplicates = goodParameter + "," + goodParameter;
request.Headers.Authorization =
new AuthenticationHeaderValue("hawk", duplicates);
using (var response = await invoker.SendAsync(request, CancellationToken.None))
{
Assert.AreEqual(HttpStatusCode.Unauthorized, response.StatusCode);
Assert.IsNotNull(response.Headers.WwwAuthenticate.FirstOrDefault());
Assert.AreEqual("hawk", response.Headers.WwwAuthenticate.FirstOrDefault().Scheme);
Assert.IsTrue(String.IsNullOrEmpty(response.Headers.WwwAuthenticate.FirstOrDefault().Parameter));
}
}
}
}
public async Task MustReturn204WhenValidHawkSchemeHeaderIsPresentInPut()
{
using (var invoker = new HttpMessageInvoker(server))
{
using (var request = new HttpRequestMessage(HttpMethod.Put, URI))
{
var client = new HawkClient(() => ServerFactory.DefaultCredential);
request.Content = new ObjectContent<string>("Steve", new JsonMediaTypeFormatter());
await client.CreateClientAuthorizationAsync(request);
string parameter = request.Headers.Authorization.Parameter;
// hash must be present, since PUT contains a request body
Assert.IsTrue(ParameterChecker.IsFieldPresent(parameter, "hash"));
request.Headers.Authorization = new AuthenticationHeaderValue("hawk", parameter);
using (var response = await invoker.SendAsync(request, CancellationToken.None))
{
Assert.AreEqual(HttpStatusCode.NoContent, response.StatusCode);
string authorization = response.Headers.GetValues("Server-Authorization").FirstOrDefault();
// mac must be present in Server-Authorization
Assert.IsTrue(ParameterChecker.IsFieldPresent(authorization, "mac"));
// Since there is no response body, no hash must be present in Server-Authorization
Assert.IsFalse(ParameterChecker.IsFieldPresent(authorization, "hash"));
Assert.IsTrue(await client.AuthenticateAsync(response));
}
}
}
}
public async Task MustReturn200WhenValidHawkSchemeHeaderIsPresentInPost()
{
using (var invoker = new HttpMessageInvoker(server))
{
using (var request = new HttpRequestMessage(HttpMethod.Post, URI))
{
var client = new HawkClient(() => ServerFactory.DefaultCredential);
request.Content = new ObjectContent<string>("Steve", new JsonMediaTypeFormatter());
await client.CreateClientAuthorizationAsync(request);
string parameter = request.Headers.Authorization.Parameter;
// hash must be present, since POST contains a request body
Assert.IsTrue(ParameterChecker.IsFieldPresent(parameter, "hash"));
request.Headers.Authorization =
new AuthenticationHeaderValue("hawk", parameter);
using (var response = await invoker.SendAsync(request, CancellationToken.None))
{
Assert.AreEqual(HttpStatusCode.OK, response.StatusCode);
Assert.AreEqual("Hello, Steve. Thanks for flying Hawk", await response.Content.ReadAsAsync<string>());
Assert.IsTrue(await client.AuthenticateAsync(response));
}
}
}
}
private static async Task MustReturn401WhenHawParameterIsTampered(string tamperedAttribute)
{
using (var invoker = new HttpMessageInvoker(ServerFactory.Create()))
{
using (var request = new HttpRequestMessage(HttpMethod.Post, URI))
{
request.Content = new ObjectContent <string>("Steve", new JsonMediaTypeFormatter());
var client = new HawkClient(() => ServerFactory.DefaultCredential);
client.ApplicationSpecificData = "world peace";
await client.CreateClientAuthorizationAsync(request);
string goodParameter = request.Headers.Authorization.Parameter;
// For example, ts="1370846381" becomes ts="bad1370846381"
string tampered = goodParameter.Replace((tamperedAttribute + "=\""), (tamperedAttribute + "=\"bad"));
request.Headers.Authorization =
new AuthenticationHeaderValue("hawk", tampered);
using (var response = await invoker.SendAsync(request, CancellationToken.None))
{
Assert.AreEqual(HttpStatusCode.Unauthorized, response.StatusCode);
Assert.IsNotNull(response.Headers.WwwAuthenticate.FirstOrDefault());
Assert.AreEqual("hawk", response.Headers.WwwAuthenticate.FirstOrDefault().Scheme);
}
}
}
}
private static async Task MustReturn401WhenHawParameterHasMissingAttribute(string missingAttribute)
{
using (var invoker = new HttpMessageInvoker(ServerFactory.Create()))
{
using (var request = new HttpRequestMessage(HttpMethod.Get, URI))
{
var client = new HawkClient(() => ServerFactory.DefaultCredential);
await client.CreateClientAuthorizationAsync(request);
string goodParameter = request.Headers.Authorization.Parameter;
string incompleteParameter = goodParameter.Split(',')
.Where(t => !t.Trim().StartsWith(missingAttribute))
.Aggregate((a, b) => a + "," + b).Trim();
request.Headers.Authorization =
new AuthenticationHeaderValue("hawk", incompleteParameter);
using (var response = await invoker.SendAsync(request, CancellationToken.None))
{
Assert.AreEqual(HttpStatusCode.Unauthorized, response.StatusCode);
Assert.IsNotNull(response.Headers.WwwAuthenticate.FirstOrDefault());
Assert.AreEqual("hawk", response.Headers.WwwAuthenticate.FirstOrDefault().Scheme);
Assert.IsTrue(String.IsNullOrEmpty(response.Headers.WwwAuthenticate.FirstOrDefault().Parameter));
}
}
}
}
public async Task TamperedResponseMacOrHashMustFailClientAuthentication()
{
using (var invoker = new HttpMessageInvoker(server))
{
using (var request = new HttpRequestMessage(HttpMethod.Get, URI))
{
var client = new HawkClient(() => ServerFactory.DefaultCredential);
await client.CreateClientAuthorizationAsync(request);
using (var response = await invoker.SendAsync(request, CancellationToken.None))
{
Assert.AreEqual(HttpStatusCode.OK, response.StatusCode);
string header = response.Headers.GetValues(HawkConstants.ServerAuthorizationHeaderName).FirstOrDefault();
Assert.IsTrue(await client.AuthenticateAsync(response));
string tamperedHeader = header.Replace("mac=\"", "mac=\"1234"); // mac="abc" => mac = "1234abc"
response.Headers.Remove(HawkConstants.ServerAuthorizationHeaderName);
response.Headers.Add(HawkConstants.ServerAuthorizationHeaderName, tamperedHeader);
Assert.IsFalse(await client.AuthenticateAsync(response));
tamperedHeader = header.Replace("hash=\"", "hash=\"1234"); // hash="abc" => hash = "1234abc"
response.Headers.Remove(HawkConstants.ServerAuthorizationHeaderName);
response.Headers.Add(HawkConstants.ServerAuthorizationHeaderName, tamperedHeader);
Assert.IsFalse(await client.AuthenticateAsync(response));
}
}
}
}
static void Main(string[] args)
{
string uri = "http://localhost:12345/values";
var credential = new Credential()
{
Id = "dh37fgj492je",
Algorithm = SupportedAlgorithms.SHA256,
User = "******",
Key = Convert.FromBase64String("wBgvhp1lZTr4Tb6K6+5OQa1bL9fxK7j8wBsepjqVNiQ=")
};
// GET and POST using the Authorization header
var options = new ClientOptions()
{
CredentialsCallback = () => credential,
RequestPayloadHashabilityCallback = (r) => true,
NormalizationCallback = (req) =>
{
string name = "X-Request-Header-To-Protect";
return(req.Headers.ContainsKey(name) ?
name + ":" + req.Headers[name].First() : null);
}
};
var handler = new HawkValidationHandler(options);
HttpClient client = HttpClientFactory.Create(handler);
client.DefaultRequestHeaders.Add("X-Request-Header-To-Protect", "secret");
var response = client.GetAsync(uri).Result;
Console.WriteLine(response.Content.ReadAsStringAsync().Result);
response = client.PostAsJsonAsync(uri, credential.User).Result;
Console.WriteLine(response.Content.ReadAsStringAsync().Result);
// GET using Bewit
var hawkClient = new HawkClient(options);
var request = new HttpRequestMessage()
{
RequestUri = new Uri(uri)
};
string bewit = hawkClient.CreateBewit(new WebApiRequestMessage(request),
lifeSeconds: 60);
// Bewit is handed off to a client needing temporary access to the resource.
var clientNeedingTempAccess = new WebClient();
var resource = clientNeedingTempAccess.DownloadString(uri + "?bewit=" + bewit);
Console.WriteLine(resource);
Console.Read();
}
public async Task MustThrowInvalidOperationExceptionWhenBewitUsedWithPost()
{
using (var invoker = new HttpMessageInvoker(server))
{
using (var request = new HttpRequestMessage(HttpMethod.Post, URI))
{
var client = new HawkClient(() => ServerFactory.DefaultCredential);
await client.CreateBewitAsync(request, 10);
await invoker.SendAsync(request, CancellationToken.None);
}
}
}
public async Task MustReturn401WhenProtectedCustomHeaderIsTampered()
{
Func <HttpRequestMessage, string, bool> verificationCallback = (request, appSpecificData) =>
{
// Client and server decided that appSpecificData will be
// header name:header value, like so: X-Request-Header:Swoosh
if (String.IsNullOrEmpty(appSpecificData))
{
return(true); // Nothing to check against
}
var parts = appSpecificData.Split(':');
string headerName = parts[0];
string value = parts[1];
if (request.Headers.Contains(headerName) &&
request.Headers.GetValues(headerName).First().Equals(value))
{
return(true);
}
return(false);
};
server = ServerFactory.Create(null, verificationCallback);
using (var invoker = new HttpMessageInvoker(server))
{
using (var request = new HttpRequestMessage(HttpMethod.Get, URI))
{
// Sensitive header to protect but simulate tampering by changing the value
request.Headers.Add("X-Request-Header", "Tampered Swoosh");
var client = new HawkClient(() => ServerFactory.DefaultCredential);
// Put the sensitive header in the earlier decided format in the ApplicationSpecificData property
client.ApplicationSpecificData = "X-Request-Header:Swoosh";
await client.CreateClientAuthorizationAsync(request);
using (var response = await invoker.SendAsync(request, CancellationToken.None))
{
Assert.AreEqual(HttpStatusCode.Unauthorized, response.StatusCode);
Assert.IsNotNull(response.Headers.WwwAuthenticate.FirstOrDefault());
Assert.AreEqual("hawk", response.Headers.WwwAuthenticate.FirstOrDefault().Scheme);
}
}
}
}
public async Task MustReturn401WhenBewitHasExpired()
{
using (var invoker = new HttpMessageInvoker(server))
{
using (var request = new HttpRequestMessage(HttpMethod.Get, URI))
{
var client = new HawkClient(() => ServerFactory.DefaultCredential);
await client.CreateBewitAsync(request, 0); // no life in it
using (var response = await invoker.SendAsync(request, CancellationToken.None))
{
Assert.AreEqual(HttpStatusCode.Unauthorized, response.StatusCode);
}
}
}
}
public async Task TimestampInSubsequentRequestMustBeAdjustedBasedOnTimestampInWwwAuthenticateHeaderOfPrevious()
{
using (var invoker = new HttpMessageInvoker(server))
{
using (var request = new HttpRequestMessage(HttpMethod.Get, URI))
{
var client = new HawkClient(() => ServerFactory.DefaultCredential);
await client.CreateClientAuthorizationAsync(request);
using (var response = await invoker.SendAsync(request, CancellationToken.None))
{
// Simulate server clock running 5 minutes slower than client and
// produce the parameter with ts and tsm
var timestamp = new NormalizedTimestamp(DateTime.UtcNow.AddMinutes(-5), ServerFactory.DefaultCredential);
string timestampHeader = timestamp.ToWwwAuthenticateHeaderParameter();
// Add that to the WWW-Authenticate before authenticating with the
// client, to simulate clock skew
response.Headers.WwwAuthenticate.Add(new AuthenticationHeaderValue("hawk", timestampHeader));
// Client must have now calculated an offset of -300 seconds approx
Assert.IsTrue(await client.AuthenticateAsync(response));
Assert.IsTrue(HawkClient.CompensatorySeconds <= -299 && HawkClient.CompensatorySeconds >= -301);
// Create a fresh request and see if this offset is applied to the timestamp
using (var subsequentRequest = new HttpRequestMessage(HttpMethod.Get, URI))
{
await client.CreateClientAuthorizationAsync(subsequentRequest);
string header = subsequentRequest.Headers.Authorization.Parameter;
ArtifactsContainer artifacts = null;
Assert.IsTrue(ArtifactsContainer.TryParse(header, out artifacts));
var timestampInSubsequentRequest = artifacts.Timestamp;
var now = DateTime.UtcNow.ToUnixTime();
// Since server clock is slow, the timestamp going out must be offset by the same 5 minutes
// or 300 seconds. Give leeway of a second while asserting.
ulong difference = now - timestampInSubsequentRequest;
Assert.IsTrue(difference >= 299 && difference <= 301);
}
}
}
}
}
public async Task MustReturn200WhenBewitIsValid()
{
using (var invoker = new HttpMessageInvoker(server))
{
using (var request = new HttpRequestMessage(HttpMethod.Get, URI))
{
var client = new HawkClient(() => ServerFactory.DefaultCredential);
await client.CreateBewitAsync(request, 10);
using (var response = await invoker.SendAsync(request, CancellationToken.None))
{
Assert.AreEqual(HttpStatusCode.OK, response.StatusCode);
Assert.AreEqual("Thanks for flying Hawk", await response.Content.ReadAsAsync<string>());
Assert.IsFalse(response.Headers.Contains(HawkConstants.ServerAuthorizationHeaderName));
}
}
}
}
public async Task MustReturn200WhenValidHawkSchemeHeaderIsPresentInGet()
{
using (var invoker = new HttpMessageInvoker(server))
{
using (var request = new HttpRequestMessage(HttpMethod.Get, URI))
{
var client = new HawkClient(() => ServerFactory.DefaultCredential);
await client.CreateClientAuthorizationAsync(request);
using (var response = await invoker.SendAsync(request, CancellationToken.None))
{
Assert.AreEqual(HttpStatusCode.OK, response.StatusCode);
Assert.AreEqual("Thanks for flying Hawk", await response.Content.ReadAsAsync<string>());
Assert.IsTrue(await client.AuthenticateAsync(response));
}
}
}
}
static void Main(string[] args)
{
string uri = "http://localhost:12345/api/values";
string headerName = "X-Response-Header-To-Protect";
var credential = new Credential()
{
Id = "dh37fgj492je",
Algorithm = SupportedAlgorithms.SHA256,
User = "******",
Key = "werxhqb98rpaxn39848xrunpaw3489ruxnpa98w4rxn"
};
// GET and POST using the Authorization header
var handler = new HawkValidationHandler(credentialsCallback: () => credential,
verificationCallback: (r, ext) =>
ext.Equals(headerName + ":" + r.Headers.GetValues(headerName).First()));
HttpClient client = HttpClientFactory.Create(handler);
var response = client.GetAsync(uri).Result;
Console.WriteLine(response.Content.ReadAsStringAsync().Result);
response = client.PostAsJsonAsync(uri, credential.User).Result;
Console.WriteLine(response.Content.ReadAsStringAsync().Result);
// GET using Bewit
var hawkClient = new HawkClient(() => credential);
string bewit = hawkClient.CreateBewitAsync(new HttpRequestMessage()
{
RequestUri = new Uri(uri)
},
lifeSeconds: 60).Result;
// Bewit is handed off to a client needing temporary access to the resource.
var clientNeedingTempAccess = new WebClient();
var resource = clientNeedingTempAccess.DownloadString(uri + "?bewit=" + bewit);
Console.WriteLine(resource);
Console.Read();
}
public async Task MustReturn200ForValidHawkSchemeWithXffRequestHeaderContainingIPV6AddressAndPort()
{
using (var invoker = new HttpMessageInvoker(server))
{
using (var request = new HttpRequestMessage(HttpMethod.Get, URI))
{
request.Headers.Add("X-Forwarded-For", "[ipv6]:99");
var client = new HawkClient(() => ServerFactory.DefaultCredential);
await client.CreateClientAuthorizationAsync(request);
using (var response = await invoker.SendAsync(request, CancellationToken.None))
{
Assert.AreEqual(HttpStatusCode.OK, response.StatusCode);
Assert.AreEqual("Thanks for flying Hawk", await response.Content.ReadAsAsync<string>());
Assert.IsTrue(await client.AuthenticateAsync(response));
}
}
}
}
public async Task MustReturn401WhenQueryStringIsChangedAfterMacIsComputed()
{
using (var invoker = new HttpMessageInvoker(server))
{
using (var request = new HttpRequestMessage(HttpMethod.Get, URI + "?firstname=Louis&&lastname=Phillipe"))
{
var client = new HawkClient(() => ServerFactory.DefaultCredential);
await client.CreateClientAuthorizationAsync(request); // Hash is now based on ?firstname=Louis&&lastname=Phillipe
// Changing query string to ?firstname=Luis&&lastname=Phillip
request.RequestUri = new Uri(URI + "?firstname=Luis&&lastname=Phillip");
using (var response = await invoker.SendAsync(request, CancellationToken.None))
{
Assert.AreEqual(HttpStatusCode.Unauthorized, response.StatusCode);
Assert.IsNotNull(response.Headers.WwwAuthenticate.FirstOrDefault());
Assert.AreEqual("hawk", response.Headers.WwwAuthenticate.FirstOrDefault().Scheme);
}
}
}
}
protected async override Task<HttpResponseMessage> SendAsync(HttpRequestMessage request, CancellationToken cancellationToken)
{
var client = new HawkClient(this.credentialsCallback);
if (this.normalizationCallback != null)
client.ApplicationSpecificData = this.normalizationCallback(request);
await client.CreateClientAuthorizationAsync(request);
var response = await base.SendAsync(request, cancellationToken);
if (!await client.AuthenticateAsync(response))
throw new SecurityException("Invalid Mac and/or hash. Response possibly tampered.");
bool isValidAppSpecificData = this.verificationCallback == null ||
this.verificationCallback(response, client.WebApiSpecificData);
if (!isValidAppSpecificData)
throw new SecurityException("Invalid Application Specific Data");
return response;
}
public async Task MustReturn401WhenMacCreatedUsingBadSymmetricKey()
{
using (var invoker = new HttpMessageInvoker(server))
{
using (var request = new HttpRequestMessage(HttpMethod.Get, URI))
{
var badCredential = ServerFactory.Credentials.First();
badCredential.Key = "werxhqb98"; // Some key other than werxhqb98rpaxn39848xrunpaw3489ruxnpa98w4rxn
var client = new HawkClient(() => badCredential);
await client.CreateClientAuthorizationAsync(request);
using (var response = await invoker.SendAsync(request, CancellationToken.None))
{
Assert.AreEqual(HttpStatusCode.Unauthorized, response.StatusCode);
Assert.IsNotNull(response.Headers.WwwAuthenticate.FirstOrDefault());
Assert.AreEqual("hawk", response.Headers.WwwAuthenticate.FirstOrDefault().Scheme);
}
}
}
}
public async Task MustReturn401WhenHawkCredentialIdIsInvalid()
{
using (var invoker = new HttpMessageInvoker(server))
{
using (var request = new HttpRequestMessage(HttpMethod.Get, URI))
{
var badCredential = ServerFactory.Credentials.First();
badCredential.Id = "SomeIdOtherThan-dh37fgj492je"; // Some id other than dh37fgj492je
var client = new HawkClient(() => badCredential);
await client.CreateClientAuthorizationAsync(request);
using (var response = await invoker.SendAsync(request, CancellationToken.None))
{
Assert.AreEqual(HttpStatusCode.Unauthorized, response.StatusCode);
Assert.IsNotNull(response.Headers.WwwAuthenticate.FirstOrDefault());
Assert.AreEqual("hawk", response.Headers.WwwAuthenticate.FirstOrDefault().Scheme);
Assert.IsTrue(String.IsNullOrEmpty(response.Headers.WwwAuthenticate.FirstOrDefault().Parameter));
}
}
}
}
public async Task MustReturn401WhenBodyContentIsChangedAfterMacAndHashAreComputed()
{
using (var invoker = new HttpMessageInvoker(server))
{
using (var request = new HttpRequestMessage(HttpMethod.Post, URI))
{
request.Content = new ObjectContent <string>("Steve", new JsonMediaTypeFormatter());
var client = new HawkClient(() => ServerFactory.DefaultCredential);
await client.CreateClientAuthorizationAsync(request); // Hash is now based on "Steve"
// Changing body to "Stephen"
request.Content = new ObjectContent <string>("Stephen", new JsonMediaTypeFormatter());
using (var response = await invoker.SendAsync(request, CancellationToken.None))
{
Assert.AreEqual(HttpStatusCode.Unauthorized, response.StatusCode);
Assert.IsNotNull(response.Headers.WwwAuthenticate.FirstOrDefault());
Assert.AreEqual("hawk", response.Headers.WwwAuthenticate.FirstOrDefault().Scheme);
}
}
}
}
static void Main(string[] args)
{
string uri = "http://localhost:12345/api/values";
string headerName = "X-Response-Header-To-Protect";
var credential = new Credential()
{
Id = "dh37fgj492je",
Algorithm = SupportedAlgorithms.SHA256,
User = "******",
Key = "werxhqb98rpaxn39848xrunpaw3489ruxnpa98w4rxn"
};
// GET and POST using the Authorization header
var handler = new HawkValidationHandler(credentialsCallback: () => credential,
verificationCallback: (r, ext) =>
ext.Equals(headerName + ":" + r.Headers.GetValues(headerName).First()));
HttpClient client = HttpClientFactory.Create(handler);
var response = client.GetAsync(uri).Result;
Console.WriteLine(response.Content.ReadAsStringAsync().Result);
response = client.PostAsJsonAsync(uri, credential.User).Result;
Console.WriteLine(response.Content.ReadAsStringAsync().Result);
// GET using Bewit
var hawkClient = new HawkClient(() => credential);
string bewit = hawkClient.CreateBewitAsync(new HttpRequestMessage() { RequestUri = new Uri(uri) },
lifeSeconds:60).Result;
// Bewit is handed off to a client needing temporary access to the resource.
var clientNeedingTempAccess = new WebClient();
var resource = clientNeedingTempAccess.DownloadString(uri + "?bewit=" + bewit);
Console.WriteLine(resource);
Console.Read();
}
public async Task MustReturn200WhenValidHawkSchemeHeaderWithAppSpecifiDataIsPresentInGetAndServerSendsAppSpecificData()
{
Func<HttpResponseMessage, string> normalizationCallback = (response) =>
{
// Simulate service adding a sensitive header
response.Headers.Add("X-Header-To-Protect", "Swoop"); // Sensitive header to protect
// return the status code and the sensitive header in the agreed format
return (int)response.StatusCode + ":X-Header-To-Protect:Swoop";
};
Func<HttpRequestMessage, string, bool> verificationCallback = (request, appSpecificData) =>
{
// Client and server decided that appSpecificData will be in the form of
// header name and header value separated by a colon, like so: X-Header-To-Protect:Swoosh.
if (String.IsNullOrEmpty(appSpecificData))
return true; // Nothing to check against
var parts = appSpecificData.Split(':');
string headerName = parts[0];
string value = parts[1];
if (request.Headers.Contains(headerName) &&
request.Headers.GetValues(headerName).First().Equals(value))
return true;
return false;
};
server = ServerFactory.Create(normalizationCallback, verificationCallback);
using (var invoker = new HttpMessageInvoker(server))
{
using (var request = new HttpRequestMessage(HttpMethod.Get, URI))
{
request.Headers.Add("X-Header-To-Protect", "Swoosh"); // Sensitive header to protect
var client = new HawkClient(() => ServerFactory.DefaultCredential);
client.ApplicationSpecificData = "X-Header-To-Protect:Swoosh"; // Put the sensitive header in the format agreed
await client.CreateClientAuthorizationAsync(request);
using (var response = await invoker.SendAsync(request, CancellationToken.None))
{
Assert.AreEqual(HttpStatusCode.OK, response.StatusCode);
Assert.AreEqual("Thanks for flying Hawk", await response.Content.ReadAsAsync<string>());
Assert.IsTrue(await client.AuthenticateAsync(response));
Assert.IsNotNull(client.WebApiSpecificData);
Assert.IsFalse(String.IsNullOrWhiteSpace(client.WebApiSpecificData));
var parts = client.WebApiSpecificData.Split(':');
HttpStatusCode status = (HttpStatusCode)Enum.Parse(typeof(HttpStatusCode), parts[0]);
string headerName = parts[1];
string value = parts[2];
Assert.AreEqual(response.StatusCode, status);
Assert.IsTrue(response.Headers.Contains(headerName));
Assert.IsTrue(response.Headers.GetValues(headerName).First().Equals(value));
}
}
}
}
