/// <summary>
/// Tamper test for <see cref="HmacSignature"/>: signs a fixed header set, removes two
/// characters from the produced signature, and asserts that
/// <see cref="HmacSignature.ValidateSignature"/> rejects the altered value.
/// </summary>
public void SignatureFailureTest()
{
    var context = _workContext.WithTag(_tag);

    // Fixed request headers used as signature input; the values are test fixtures only.
    var testHeaders = new List <KeyValuePair <string, IEnumerable <string> > >
    {
        new KeyValuePair <string, IEnumerable <string> >("Content-Type", new string[] { "application/x-www-form-urlencoded", "charset=utf-8" }),
        new KeyValuePair <string, IEnumerable <string> >("Content-MD5", new string[] { "kdskflosifm3938dldasksdfjdf" }),
        new KeyValuePair <string, IEnumerable <string> >("Api-Cv", new string[] { "dkdfjdie.1" }),
        new KeyValuePair <string, IEnumerable <string> >("Api-Key", new string[] { "3asfvesef" }),
        new KeyValuePair <string, IEnumerable <string> >("Api-duplicate", new string[] { "false" }),
    };

    // NOTE(review): this statement is garbled in the source as extracted — the Uri(...)
    // argument is never closed, and `credential`, `apiKey` and `method` (used below) are
    // declared nowhere in this method. The original presumably declared them here; the
    // user-info part of the URL looks redacted. Restore from the project before relying
    // on this test.
    var uri = new Uri("http://*****:*****@domain.com";
    IHmacConfiguration hmacConfiguration = new HmacConfiguration();
    var hmac = new HmacSignature(hmacConfiguration);

    string signature = hmac.CreateSignature(context, credential, apiKey, method, uri, testHeaders);

    // Remove two characters at offset credential.Length + 5 — past the credential prefix;
    // the reason for the exact offset is not visible here (TODO confirm against the
    // signature format produced by CreateSignature).
    signature = signature.Remove(credential.Length + 5, 2);

    // A signature that no longer matches the signed inputs must be rejected.
    hmac.ValidateSignature(context, signature, apiKey, method, uri, testHeaders).Should().BeFalse();
}
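/// <summary>
/// HMAC authentication middleware step. When the request carries an
/// <c>Authorization: hmac &lt;credential&gt;:&lt;signature&gt;</c> header, the signature
/// is validated against the API key stored for the credential's principal and the
/// caller's identity is recorded in <c>httpContext.Items</c>. Requests without an
/// Authorization header, or with a scheme other than <c>hmac</c>, pass through untouched.
/// </summary>
/// <param name="httpContext">The current request/response context.</param>
/// <returns>A task that completes when the request has been handled by this middleware
/// and, where applicable, the rest of the pipeline.</returns>
/// <remarks>
/// Every malformed or non-verifiable HMAC header ends the pipeline with 403 Forbidden
/// (the existing contract; a 401 with a <c>WWW-Authenticate</c> challenge would be the
/// more conventional reply for a failed authentication attempt).
/// </remarks>
public async Task Invoke(HttpContext httpContext)
{
    RequestContext requestContext = httpContext.Items.Get <RequestContext>();
    // Fall back to an empty work context when no request context was stored by an earlier
    // middleware; the original dereferenced requestContext unconditionally.
    IWorkContext context = (requestContext?.Context ?? WorkContext.Empty).WithTag(_tag);

    // No Authorization header at all: not this middleware's concern, continue the pipeline.
    string authorizationValue = httpContext.Request.Headers["Authorization"];
    if (authorizationValue.IsEmpty())
    {
        await _next(httpContext);
        return;
    }

    // Only the "hmac" scheme is handled here; anything else is left to other handlers.
    AuthenticationHeaderValue authorization;
    if (!AuthenticationHeaderValue.TryParse(authorizationValue, out authorization) || authorization.Scheme != "hmac")
    {
        await _next(httpContext);
        return;
    }

    // "Authorization: hmac" with no parameter parses successfully with a null Parameter.
    // Reject it explicitly instead of letting Split() below throw (which would surface
    // as a 500 rather than a 403).
    if (string.IsNullOrEmpty(authorization.Parameter))
    {
        httpContext.Response.StatusCode = (int)HttpStatusCode.Forbidden;
        return;
    }

    // NOTE(review): this logs the presented credential id and signature verbatim at
    // verbose level; keep verbose output access-controlled, or log only the credential part.
    AspMvcEventSource.Log.Verbose(context, $"Authorization {authorization.Parameter}");

    // Expected parameter form: "<credential>:<signature>" — exactly one separator.
    string[] signatureParts = authorization.Parameter.Split(':');
    if (signatureParts.Length != 2)
    {
        httpContext.Response.StatusCode = (int)HttpStatusCode.Forbidden;
        return;
    }

    // Look up the principal; an unknown principal, a principal without an API key, or an
    // expired key is rejected before any signature computation is done.
    IdentityPrincipal identity = await _identityRepository.GetAsync(context, new PrincipalId(signatureParts[0]));
    if (identity == null || identity.ApiKey == null || identity.ApiKey.HasExpired)
    {
        httpContext.Response.StatusCode = (int)HttpStatusCode.Forbidden;
        return;
    }

    // Gather the inputs covered by the signature: HTTP method, full encoded URL, the
    // request headers and the typed Date header. What the validator enforces about the
    // Date (e.g. a freshness window) is decided inside HmacSignature, not here.
    RequestHeaders requestHeaders = httpContext.Request.GetTypedHeaders();
    HmacSignature hmac = new HmacSignature(_hmacConfiguration);
    Uri url = new Uri(httpContext.Request.GetEncodedUrl());
    // NOTE(review): every request header, including Authorization itself, is handed to the
    // validator; whether it skips that header is HmacSignature's responsibility — confirm.
    IEnumerable <KeyValuePair <string, IEnumerable <string> > > headers = httpContext.Request.Headers
        .Select(x => new KeyValuePair <string, IEnumerable <string> >(x.Key, x.Value));

    // Validate the HMAC signature against the principal's current API key.
    if (!hmac.ValidateSignature(context, authorization.Parameter, identity.ApiKey.Value, httpContext.Request.Method, url, headers, requestHeaders.Date))
    {
        httpContext.Response.StatusCode = (int)HttpStatusCode.Forbidden;
        return;
    }

    // Record the authenticated caller for downstream components.
    httpContext.Items.Set(new HmacIdentity(authorization.Parameter));

    await _next(httpContext);
}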