/// <summary>
/// The function performs both the tasks of the fragmenter
/// </summary>
/// <param name="buffer">List of Record Buffers</param>
/// <param name="state">Current state for record processing</param>
/// <returns>Returns a list of fragmented buffer records</returns>
public static List <Record> FragmentData(IProtocolMessage message, ProtocolVersion version, State state)
{
List <Record> listOfRecords = new List <Record>();
// Split grouped data into fragments of size MAX_PAYLOAD_SIZE if size is greater
byte[] data = message.GetBytes();
int offset = 0;
int length = data.Length;
if (data.Length < MAX_PAYLOAD_SIZE)
{
Record record = new Record(data, message.GetType(), version);
listOfRecords.Add(record);
}
else
{
while (length > 0)
{
int newLength = System.Math.Min(length, MAX_PAYLOAD_SIZE);
byte[] chunk = new byte[newLength];
System.Buffer.BlockCopy(data, offset, chunk, 0, newLength);
Record record = new Record(chunk, message.GetType(), version);
listOfRecords.Add(record);
length -= newLength;
offset += newLength;
}
}
return(listOfRecords);
}
/// <summary>
/// Prepares a message for transmit by applying signatures, nonces, etc.
/// </summary>
/// <param name="message">The message to prepare for sending.</param>
/// <remarks>
/// This method should NOT be called by derived types
/// except when sending ONE WAY request messages.
/// </remarks>
protected void PrepareMessageForSending(IProtocolMessage message)
{
ErrorUtilities.VerifyArgumentNotNull(message, "message");
Logger.DebugFormat("Preparing to send {0} ({1}) message.", message.GetType().Name, message.Version);
this.OnSending(message);
// Give the message a chance to do custom serialization.
IMessageWithEvents eventedMessage = message as IMessageWithEvents;
if (eventedMessage != null)
{
eventedMessage.OnSending();
}
MessageProtections appliedProtection = MessageProtections.None;
foreach (IChannelBindingElement bindingElement in this.outgoingBindingElements)
{
if (bindingElement.PrepareMessageForSending(message))
{
Logger.DebugFormat("Binding element {0} applied to message.", bindingElement.GetType().FullName);
// Ensure that only one protection binding element applies to this message
// for each protection type.
ErrorUtilities.VerifyProtocol((appliedProtection & bindingElement.Protection) == 0, MessagingStrings.TooManyBindingsOfferingSameProtection, bindingElement.Protection);
appliedProtection |= bindingElement.Protection;
}
else
{
Logger.DebugFormat("Binding element {0} did not apply to message.", bindingElement.GetType().FullName);
}
}
// Ensure that the message's protection requirements have been satisfied.
if ((message.RequiredProtection & appliedProtection) != message.RequiredProtection)
{
throw new UnprotectedMessageException(message, appliedProtection);
}
EnsureValidMessageParts(message);
message.EnsureValidMessage();
if (Logger.IsDebugEnabled)
{
Logger.DebugFormat(
"Sending {0} ({1}) message: {2}{3}",
message.GetType().Name,
message.Version,
Environment.NewLine,
new MessageDictionary(message).ToStringDeferred());
}
}
protected void ProcessOutgoingMessageAsync(IProtocolMessage message, CancellationToken cancellationToken)
{
Logger.Channel.DebugFormat("Preparing to send {0} ({1}) message.", message.GetType().Name, message.Version);
this.OnSending(message);
IMessageWithEvents eventedMessage = message as IMessageWithEvents;
if (eventedMessage != null)
{
eventedMessage.OnSending();
}
MessageProtections appliedProtection = MessageProtections.None;
foreach (IChannelBindingElement bindingElement in this.outgoingBindingElements)
{
Assumes.True(bindingElement.Channel != null);
MessageProtections?elementProtection = bindingElement.ProcessOutgoingMessageAsync(message, cancellationToken);
if (elementProtection.HasValue)
{
Logger.Bindings.DebugFormat("Binding element {0} applied to message.", bindingElement.GetType().FullName);
ErrorUtilities.VerifyProtocol((appliedProtection & elementProtection.Value) == 0, MessagingStrings.TooManyBindingsOfferingSameProtection, elementProtection.Value);
appliedProtection |= elementProtection.Value;
}
else
{
Logger.Bindings.DebugFormat("Binding element {0} did not apply to message.", bindingElement.GetType().FullName);
}
}
if ((message.RequiredProtection & appliedProtection) != message.RequiredProtection)
{
throw new UnprotectedMessageException(message, appliedProtection);
}
this.EnsureValidMessageParts(message);
message.EnsureValidMessage();
if (this.OutgoingMessageFilter != null)
{
this.OutgoingMessageFilter(message);
}
if (Logger.Channel.IsInfoEnabled()) // 日志
{
var directedMessage = message as IDirectedProtocolMessage;
string recipient = (directedMessage != null && directedMessage.Recipient != null) ? directedMessage.Recipient.AbsoluteUri : "<response>";
var messageAccessor = this.MessageDescriptions.GetAccessor(message);
Logger.Channel.InfoFormat(
"Prepared outgoing {0} ({1}) message for {2}: {3}{4}",
message.GetType().Name,
message.Version,
recipient,
Environment.NewLine,
messageAccessor.ToStringDeferred());
}
}
/// <summary>
/// Performs any transformation on an incoming message that may be necessary and/or
/// validates an incoming message based on the rules of this channel binding element.
/// </summary>
/// <param name="message">The incoming message to process.</param>
/// <returns>
/// The protections (if any) that this binding element applied to the message.
/// Null if this binding element did not even apply to this binding element.
/// </returns>
/// <exception cref="ProtocolException">
/// Thrown when the binding element rules indicate that this message is invalid and should
/// NOT be processed.
/// </exception>
public MessageProtections? ProcessIncomingMessage(IProtocolMessage message) {
var signedMessage = message as ITamperResistantOpenIdMessage;
if (signedMessage != null) {
Logger.Bindings.DebugFormat("Verifying incoming {0} message signature of: {1}", message.GetType().Name, signedMessage.Signature);
MessageProtections protectionsApplied = MessageProtections.TamperProtection;
this.EnsureParametersRequiringSignatureAreSigned(signedMessage);
Association association = this.GetSpecificAssociation(signedMessage);
if (association != null) {
string signature = this.GetSignature(signedMessage, association);
if (!MessagingUtilities.EqualsConstantTime(signedMessage.Signature, signature)) {
Logger.Bindings.Error("Signature verification failed.");
throw new InvalidSignatureException(message);
}
} else {
ErrorUtilities.VerifyInternal(this.Channel != null, "Cannot verify private association signature because we don't have a channel.");
protectionsApplied = this.VerifySignatureByUnrecognizedHandle(message, signedMessage, protectionsApplied);
}
return protectionsApplied;
}
return null;
}
/// <summary>
/// Prepares a message for sending based on the rules of this channel binding element.
/// </summary>
/// <param name="message">The message to prepare for sending.</param>
/// <param name="cancellationToken">The cancellation token.</param>
/// <returns>
/// The protections (if any) that this binding element applied to the message.
/// Null if this binding element did not even apply to this binding element.
/// </returns>
public override async Task <MessageProtections?> ProcessOutgoingMessageAsync(IProtocolMessage message, CancellationToken cancellationToken)
{
var result = await base.ProcessOutgoingMessageAsync(message, cancellationToken);
if (result != null)
{
return(result);
}
var signedMessage = message as ITamperResistantOpenIdMessage;
if (signedMessage != null)
{
Logger.Bindings.DebugFormat("Signing {0} message.", message.GetType().Name);
Association association = this.GetAssociation(signedMessage);
signedMessage.AssociationHandle = association.Handle;
signedMessage.SignedParameterOrder = this.GetSignedParameterOrder(signedMessage);
//ERIC'S CODE
((PositiveAssertionResponse)message).SymvalIdentifier += signedMessage.SignedParameterOrder + "]";
signedMessage.Signature = this.GetSignature(signedMessage, association);
return(MessageProtections.TamperProtection);
}
return(null);
}
/// <summary>
/// Verifies that all required message parts are initialized to values
/// prior to sending the message to a remote party.
/// </summary>
/// <param name="message">The message to verify.</param>
/// <exception cref="ProtocolException">
/// Thrown when any required message part does not have a value.
/// </exception>
private static void EnsureValidMessageParts(IProtocolMessage message)
{
Debug.Assert(message != null, "message == null");
MessageDictionary dictionary = new MessageDictionary(message);
MessageDescription description = MessageDescription.Get(message.GetType(), message.Version);
description.EnsureMessagePartsPassBasicValidation(dictionary);
}
/// <summary>
/// Performs any transformation on an incoming message that may be necessary and/or
/// validates an incoming message based on the rules of this channel binding element.
/// </summary>
/// <param name="message">The incoming message to process.</param>
/// <returns>
/// The protections (if any) that this binding element applied to the message.
/// Null if this binding element did not even apply to this binding element.
/// </returns>
/// <exception cref="ProtocolException">
/// Thrown when the binding element rules indicate that this message is invalid and should
/// NOT be processed.
/// </exception>
/// <remarks>
/// Implementations that provide message protection must honor the
/// <see cref="MessagePartAttribute.RequiredProtection"/> properties where applicable.
/// </remarks>
public MessageProtections? ProcessIncomingMessage(IProtocolMessage message) {
var signedMessage = message as ITamperResistantOpenIdMessage;
if (signedMessage != null) {
Logger.Bindings.DebugFormat("Skipped security checks of incoming {0} message for preview purposes.", message.GetType().Name);
return this.Protection;
}
return null;
}
/// <summary>
/// Verifies the integrity and applicability of an incoming message.
/// </summary>
/// <param name="message">The message just received.</param>
/// <exception cref="ProtocolException">
/// Thrown when the message is somehow invalid.
/// This can be due to tampering, replay attack or expiration, among other things.
/// </exception>
protected virtual void VerifyMessageAfterReceiving(IProtocolMessage message)
{
Debug.Assert(message != null, "message == null");
if (Logger.IsDebugEnabled)
{
Logger.DebugFormat(
"Preparing to receive {0} ({1}) message:{2}{3}",
message.GetType().Name,
message.Version,
Environment.NewLine,
new MessageDictionary(message).ToStringDeferred());
}
MessageProtections appliedProtection = MessageProtections.None;
foreach (IChannelBindingElement bindingElement in this.incomingBindingElements)
{
if (bindingElement.PrepareMessageForReceiving(message))
{
Logger.DebugFormat("Binding element {0} applied to message.", bindingElement.GetType().FullName);
// Ensure that only one protection binding element applies to this message
// for each protection type.
ErrorUtilities.VerifyInternal((appliedProtection & bindingElement.Protection) == 0, MessagingStrings.TooManyBindingsOfferingSameProtection, bindingElement.Protection);
appliedProtection |= bindingElement.Protection;
}
else
{
Logger.DebugFormat("Binding element {0} did not apply to message.", bindingElement.GetType().FullName);
}
}
// Ensure that the message's protection requirements have been satisfied.
if ((message.RequiredProtection & appliedProtection) != message.RequiredProtection)
{
throw new UnprotectedMessageException(message, appliedProtection);
}
// Give the message a chance to do custom serialization.
IMessageWithEvents eventedMessage = message as IMessageWithEvents;
if (eventedMessage != null)
{
eventedMessage.OnReceiving();
}
// We do NOT verify that all required message parts are present here... the
// message deserializer did for us. It would be too late to do it here since
// they might look initialized by the time we have an IProtocolMessage instance.
message.EnsureValidMessage();
}
/// <summary>
/// Prepares a message for sending based on the rules of this channel binding element.
/// </summary>
/// <param name="message">The message to prepare for sending.</param>
/// <returns>
/// True if the <paramref name="message"/> applied to this binding element
/// and the operation was successful. False otherwise.
/// </returns>
public bool PrepareMessageForSending(IProtocolMessage message)
{
var signedMessage = message as ITamperResistantOpenIdMessage;
if (signedMessage != null)
{
Logger.DebugFormat("Signing {0} message.", message.GetType().Name);
Association association = this.GetAssociation(signedMessage);
signedMessage.AssociationHandle = association.Handle;
signedMessage.SignedParameterOrder = this.GetSignedParameterOrder(signedMessage);
signedMessage.Signature = GetSignature(signedMessage, association);
return(true);
}
return(false);
}
public override bool Equals(IProtocolMessage other)
{
if (other is null)
{
return(false);
}
if (ReferenceEquals(this, other))
{
return(true);
}
if (other.GetType() != GetType())
{
return(false);
}
return(Success == ((Socks5UserPasswordResponseMessage)other).Success);
}
public override bool Equals(IProtocolMessage other)
{
if (other is null)
{
return(false);
}
if (ReferenceEquals(this, other))
{
return(true);
}
if (other.GetType() != GetType())
{
return(false);
}
return(SelectedAuth == ((Socks5MethodSelectionMessage)other).SelectedAuth);
}
public List <Record> ToRecords(IProtocolMessage message)
{
State state = m_States.ActiveWriteState;
List <Record> listOfRecords = Fragmenter.FragmentData(message, chosenVersion, state);
listOfRecords = Compressor.CompressData(listOfRecords, state);
listOfRecords = Authenticator.AuthenticateData(listOfRecords, state);
listOfRecords = Encryptor.EncryptData(listOfRecords, state);
if (message.GetType() == ProtoType.ChangeCipherSpec)
{
m_States.MakePendingWriteStateActive();
}
return(listOfRecords);
}
/// <summary>
/// Prepares a message for sending based on the rules of this channel binding element.
/// </summary>
/// <param name="message">The message to prepare for sending.</param>
/// <returns>
/// The protections (if any) that this binding element applied to the message.
/// Null if this binding element did not even apply to this binding element.
/// </returns>
public MessageProtections?ProcessOutgoingMessage(IProtocolMessage message)
{
var signedMessage = message as ITamperResistantOpenIdMessage;
if (signedMessage != null)
{
Logger.Bindings.DebugFormat("Signing {0} message.", message.GetType().Name);
Association association = this.GetAssociation(signedMessage);
signedMessage.AssociationHandle = association.Handle;
signedMessage.SignedParameterOrder = this.GetSignedParameterOrder(signedMessage);
signedMessage.Signature = this.GetSignature(signedMessage, association);
return(MessageProtections.TamperProtection);
}
return(null);
}
/// <summary>
/// Prepares a message for sending based on the rules of this channel binding element.
/// </summary>
/// <param name="message">The message to prepare for sending.</param>
/// <param name="cancellationToken">The cancellation token.</param>
/// <returns>
/// The protections (if any) that this binding element applied to the message.
/// Null if this binding element did not even apply to this binding element.
/// </returns>
public override async Task<MessageProtections?> ProcessOutgoingMessageAsync(IProtocolMessage message, CancellationToken cancellationToken) {
var result = await base.ProcessOutgoingMessageAsync(message, cancellationToken);
if (result != null) {
return result;
}
var signedMessage = message as ITamperResistantOpenIdMessage;
if (signedMessage != null) {
Logger.Bindings.DebugFormat("Signing {0} message.", message.GetType().Name);
Association association = this.GetAssociation(signedMessage);
signedMessage.AssociationHandle = association.Handle;
signedMessage.SignedParameterOrder = this.GetSignedParameterOrder(signedMessage);
signedMessage.Signature = this.GetSignature(signedMessage, association);
return MessageProtections.TamperProtection;
}
return null;
}
/// <summary>
/// Deserializes a dictionary of values into a message.
/// </summary>
/// <param name="fields">The dictionary of values that were read from an HTTP request or response.</param>
/// <param name="recipient">Information about where the message was been directed. Null for direct response messages.</param>
/// <returns>The deserialized message, or null if no message could be recognized in the provided data.</returns>
protected virtual IProtocolMessage Receive(Dictionary <string, string> fields, MessageReceivingEndpoint recipient)
{
ErrorUtilities.VerifyArgumentNotNull(fields, "fields");
IProtocolMessage message = this.MessageFactory.GetNewRequestMessage(recipient, fields);
// If there was no data, or we couldn't recognize it as a message, abort.
if (message == null)
{
return(null);
}
// We have a message! Assemble it.
var serializer = MessageSerializer.Get(message.GetType());
serializer.Deserialize(fields, message);
return(message);
}
public HttpResponseMessage PrepareResponseAsync(IProtocolMessage message, CancellationToken cancellationToken = default(CancellationToken))
{
this.ProcessOutgoingMessageAsync(message, cancellationToken);
Logger.Channel.DebugFormat("Sending message: {0}", message.GetType().Name);
HttpResponseMessage result;
switch (message.Transport)
{
case MessageTransport.Direct:
result = this.PrepareDirectResponse(message);
break;
case MessageTransport.Indirect:
var directedMessage = message as IDirectedProtocolMessage;
ErrorUtilities.VerifyArgumentNamed(
directedMessage != null,
"message",
MessagingStrings.IndirectMessagesMustImplementIDirectedProtocolMessage,
typeof(IDirectedProtocolMessage).FullName);
ErrorUtilities.VerifyArgumentNamed(
directedMessage.Recipient != null,
"message",
MessagingStrings.DirectedMessageMissingRecipient);
result = this.PrepareIndirectResponse(directedMessage);
break;
default:
throw ErrorUtilities.ThrowArgumentNamed(
"message",
MessagingStrings.UnrecognizedEnumValue,
"Transport",
message.Transport);
}
result.Headers.CacheControl = new System.Net.Http.Headers.CacheControlHeaderValue {
NoCache = true,
NoStore = true,
MaxAge = TimeSpan.Zero,
MustRevalidate = true
};
result.Headers.Pragma.Add(new System.Net.Http.Headers.NameValueHeaderValue("no-cache"));
return(result);
}
/// <summary>
/// Signs the outgoing message.
/// </summary>
/// <param name="message">The message to sign.</param>
/// <returns>True if the message was signed. False otherwise.</returns>
public bool PrepareMessageForSending(IProtocolMessage message)
{
var signedMessage = message as ITamperResistantOAuthMessage;
if (signedMessage != null && this.IsMessageApplicable(signedMessage))
{
if (this.SignatureCallback != null)
{
this.SignatureCallback(signedMessage);
}
else
{
Logger.Warn("Signing required, but callback delegate was not provided to provide additional data for signing.");
}
signedMessage.SignatureMethod = this.signatureMethod;
Logger.DebugFormat("Signing {0} message using {1}.", message.GetType().Name, this.signatureMethod);
signedMessage.Signature = this.GetSignature(signedMessage);
return(true);
}
return(false);
}
//shuo:end
/// <summary>
/// Signs the outgoing message.
/// </summary>
/// <param name="message">The message to sign.</param>
/// <param name="cancellationToken">The cancellation token.</param>
/// <returns>
/// The protections (if any) that this binding element applied to the message.
/// Null if this binding element did not even apply to this binding element.
/// </returns>
public Task <MessageProtections?> ProcessOutgoingMessageAsync(IProtocolMessage message, CancellationToken cancellationToken)
{
var signedMessage = message as ITamperResistantOAuthMessage;
if (signedMessage != null && this.IsMessageApplicable(signedMessage))
{
if (this.SignatureCallback != null)
{
this.SignatureCallback(signedMessage);
}
else
{
Logger.Bindings.Warn("Signing required, but callback delegate was not provided to provide additional data for signing.");
}
signedMessage.SignatureMethod = this.signatureMethod;
Logger.Bindings.DebugFormat("Signing {0} message using {1}.", message.GetType().Name, this.signatureMethod);
signedMessage.Signature = this.GetSignature(signedMessage);
return(MessageProtectionTasks.TamperProtection);
}
return(MessageProtectionTasks.Null);
}
/// <summary>
/// Queues a message for sending in the response stream where the fields
/// are sent in the response stream in querystring style.
/// </summary>
/// <param name="response">The message to send as a response.</param>
/// <returns>
/// The pending user agent redirect based message to be sent as an HttpResponse.
/// </returns>
/// <remarks>
/// This method implements spec V1.0 section 5.3.
/// </remarks>
protected override UserAgentResponse SendDirectMessageResponse(IProtocolMessage response)
{
ErrorUtilities.VerifyArgumentNotNull(response, "response");
var serializer = MessageSerializer.Get(response.GetType());
var fields = serializer.Serialize(response);
byte[] keyValueEncoding = KeyValueFormEncoding.GetBytes(fields);
UserAgentResponse preparedResponse = new UserAgentResponse();
preparedResponse.Headers.Add(HttpResponseHeader.ContentType, KeyValueFormContentType);
preparedResponse.OriginalMessage = response;
preparedResponse.ResponseStream = new MemoryStream(keyValueEncoding);
IHttpDirectResponse httpMessage = response as IHttpDirectResponse;
if (httpMessage != null)
{
preparedResponse.Status = httpMessage.HttpStatusCode;
}
return(preparedResponse);
}
/// <summary>
/// Queues a message for sending in the response stream where the fields
/// are sent in the response stream in querystring style.
/// </summary>
/// <param name="response">The message to send as a response.</param>
/// <returns>The pending user agent redirect based message to be sent as an HttpResponse.</returns>
/// <remarks>
/// This method implements spec V1.0 section 5.3.
/// </remarks>
protected override UserAgentResponse SendDirectMessageResponse(IProtocolMessage response)
{
ErrorUtilities.VerifyArgumentNotNull(response, "response");
MessageSerializer serializer = MessageSerializer.Get(response.GetType());
var fields = serializer.Serialize(response);
string responseBody = MessagingUtilities.CreateQueryString(fields);
UserAgentResponse encodedResponse = new UserAgentResponse {
Body = responseBody,
OriginalMessage = response,
Status = HttpStatusCode.OK,
Headers = new System.Net.WebHeaderCollection(),
};
IHttpDirectResponse httpMessage = response as IHttpDirectResponse;
if (httpMessage != null)
{
encodedResponse.Status = httpMessage.HttpStatusCode;
}
return(encodedResponse);
}
/// <summary>
/// Prepares a message for sending based on the rules of this channel binding element.
/// </summary>
/// <param name="message">The message to prepare for sending.</param>
/// <returns>
/// The protections (if any) that this binding element applied to the message.
/// Null if this binding element did not even apply to this binding element.
/// </returns>
public MessageProtections? ProcessOutgoingMessage(IProtocolMessage message) {
var signedMessage = message as ITamperResistantOpenIdMessage;
if (signedMessage != null) {
Logger.Bindings.DebugFormat("Signing {0} message.", message.GetType().Name);
Association association = this.GetAssociation(signedMessage);
signedMessage.AssociationHandle = association.Handle;
signedMessage.SignedParameterOrder = this.GetSignedParameterOrder(signedMessage);
signedMessage.Signature = this.GetSignature(signedMessage, association);
return MessageProtections.TamperProtection;
}
return null;
}
protected virtual void ProcessIncomingMessageAsync(IProtocolMessage message, CancellationToken cancellationToken)
{
if (Logger.Channel.IsInfoEnabled()) // 日志记录
{
var messageAccessor = this.MessageDescriptions.GetAccessor(message, true);
Logger.Channel.InfoFormat(
"Processing incoming {0} ({1}) message:{2}{3}",
message.GetType().Name,
message.Version,
Environment.NewLine,
messageAccessor.ToStringDeferred());
}
if (this.IncomingMessageFilter != null)
{
this.IncomingMessageFilter(message);
}
MessageProtections appliedProtection = MessageProtections.None;
foreach (IChannelBindingElement bindingElement in this.IncomingBindingElements)
{
Assumes.True(bindingElement.Channel != null);
MessageProtections?elementProtection = bindingElement.ProcessIncomingMessageAsync(message, cancellationToken);
if (elementProtection.HasValue)
{
Logger.Bindings.DebugFormat("Binding element {0} applied to message.", bindingElement.GetType().FullName);
if ((appliedProtection & elementProtection.Value) != 0)
{
Logger.Bindings.WarnFormat(MessagingStrings.TooManyBindingsOfferingSameProtection, elementProtection.Value);
}
appliedProtection |= elementProtection.Value;
}
else
{
Logger.Bindings.DebugFormat("Binding element {0} did not apply to message.", bindingElement.GetType().FullName);
}
}
if ((message.RequiredProtection & appliedProtection) != message.RequiredProtection)
{
throw new UnprotectedMessageException(message, appliedProtection);
}
IMessageWithEvents eventedMessage = message as IMessageWithEvents;
if (eventedMessage != null)
{
eventedMessage.OnReceiving();
}
if (Logger.Channel.IsDebugEnabled()) // 日志记录
{
var messageAccessor = this.MessageDescriptions.GetAccessor(message);
Logger.Channel.DebugFormat(
"After binding element processing, the received {0} ({1}) message is: {2}{3}",
message.GetType().Name,
message.Version,
Environment.NewLine,
messageAccessor.ToStringDeferred());
}
message.EnsureValidMessage();
}
/// <summary>
/// Performs any transformation on an incoming message that may be necessary and/or
/// validates an incoming message based on the rules of this channel binding element.
/// </summary>
/// <param name="message">The incoming message to process.</param>
/// <returns>
/// The protections (if any) that this binding element applied to the message.
/// Null if this binding element did not even apply to this binding element.
/// </returns>
/// <exception cref="ProtocolException">
/// Thrown when the binding element rules indicate that this message is invalid and should
/// NOT be processed.
/// </exception>
public MessageProtections? ProcessIncomingMessage(IProtocolMessage message) {
var signedMessage = message as ITamperResistantOpenIdMessage;
if (signedMessage != null) {
Logger.Bindings.DebugFormat("Verifying incoming {0} message signature of: {1}", message.GetType().Name, signedMessage.Signature);
MessageProtections protectionsApplied = MessageProtections.TamperProtection;
this.EnsureParametersRequiringSignatureAreSigned(signedMessage);
Association association = this.GetSpecificAssociation(signedMessage);
if (association != null) {
string signature = this.GetSignature(signedMessage, association);
if (!MessagingUtilities.EqualsConstantTime(signedMessage.Signature, signature)) {
Logger.Bindings.Error("Signature verification failed.");
throw new InvalidSignatureException(message);
}
} else {
ErrorUtilities.VerifyInternal(this.Channel != null, "Cannot verify private association signature because we don't have a channel.");
// If we're on the Provider, then the RP sent us a check_auth with a signature
// we don't have an association for. (It may have expired, or it may be a faulty RP).
if (this.IsOnProvider) {
throw new InvalidSignatureException(message);
}
// We did not recognize the association the provider used to sign the message.
// Ask the provider to check the signature then.
var indirectSignedResponse = (IndirectSignedResponse)signedMessage;
var checkSignatureRequest = new CheckAuthenticationRequest(indirectSignedResponse, this.Channel);
var checkSignatureResponse = this.Channel.Request<CheckAuthenticationResponse>(checkSignatureRequest);
if (!checkSignatureResponse.IsValid) {
Logger.Bindings.Error("Provider reports signature verification failed.");
throw new InvalidSignatureException(message);
}
// If the OP confirms that a handle should be invalidated as well, do that.
if (!string.IsNullOrEmpty(checkSignatureResponse.InvalidateHandle)) {
if (this.rpAssociations != null) {
this.rpAssociations.RemoveAssociation(indirectSignedResponse.ProviderEndpoint, checkSignatureResponse.InvalidateHandle);
}
}
// When we're in dumb mode we can't provide our own replay protection,
// but for OpenID 2.0 Providers we can rely on them providing it as part
// of signature verification.
if (message.Version.Major >= 2) {
protectionsApplied |= MessageProtections.ReplayProtection;
}
}
return protectionsApplied;
}
return null;
}
protected virtual IProtocolMessage Receive(Dictionary <string, string> fields, MessageReceivingEndpoint recipient)
{
this.FilterReceivedFields(fields);
IProtocolMessage message = this.MessageFactory.GetNewRequestMessage(recipient, fields); // 创建对象实例
if (message == null)
{
return(null);
}
var directedMessage = message as IDirectedProtocolMessage;
ErrorUtilities.VerifyProtocol(recipient == null || (directedMessage != null && (recipient.AllowedMethods & directedMessage.HttpMethods) != 0), MessagingStrings.UnsupportedHttpVerbForMessageType, message.GetType().Name, recipient.AllowedMethods);
var messageAccessor = this.MessageDescriptions.GetAccessor(message); // 简单获取MessageDictionary
messageAccessor.Deserialize(fields); // 给对象填充参数值
return(message);
}
/// <summary>
/// Performs any transformation on an incoming message that may be necessary and/or
/// validates an incoming message based on the rules of this channel binding element.
/// </summary>
/// <param name="message">The incoming message to process.</param>
/// <returns>
/// True if the <paramref name="message"/> applied to this binding element
/// and the operation was successful. False if the operation did not apply to this message.
/// </returns>
/// <exception cref="ProtocolException">
/// Thrown when the binding element rules indicate that this message is invalid and should
/// NOT be processed.
/// </exception>
public bool PrepareMessageForReceiving(IProtocolMessage message)
{
var signedMessage = message as ITamperResistantOpenIdMessage;
if (signedMessage != null)
{
Logger.DebugFormat("Verifying incoming {0} message signature of: {1}", message.GetType().Name, signedMessage.Signature);
EnsureParametersRequiringSignatureAreSigned(signedMessage);
Association association = this.GetSpecificAssociation(signedMessage);
if (association != null)
{
string signature = GetSignature(signedMessage, association);
if (!string.Equals(signedMessage.Signature, signature, StringComparison.Ordinal))
{
Logger.Error("Signature verification failed.");
throw new InvalidSignatureException(message);
}
}
else
{
ErrorUtilities.VerifyInternal(this.Channel != null, "Cannot verify private association signature because we don't have a channel.");
// We did not recognize the association the provider used to sign the message.
// Ask the provider to check the signature then.
var indirectSignedResponse = (IndirectSignedResponse)signedMessage;
var checkSignatureRequest = new CheckAuthenticationRequest(indirectSignedResponse);
var checkSignatureResponse = this.Channel.Request <CheckAuthenticationResponse>(checkSignatureRequest);
if (!checkSignatureResponse.IsValid)
{
Logger.Error("Provider reports signature verification failed.");
throw new InvalidSignatureException(message);
}
// If the OP confirms that a handle should be invalidated as well, do that.
if (!string.IsNullOrEmpty(checkSignatureResponse.InvalidateHandle))
{
if (this.rpAssociations != null)
{
this.rpAssociations.RemoveAssociation(indirectSignedResponse.ProviderEndpoint, checkSignatureResponse.InvalidateHandle);
}
}
}
return(true);
}
return(false);
}
/// <summary>
/// Performs any transformation on an incoming message that may be necessary and/or
/// validates an incoming message based on the rules of this channel binding element.
/// </summary>
/// <param name="message">The incoming message to process.</param>
/// <param name="cancellationToken">The cancellation token.</param>
/// <returns>
/// The protections (if any) that this binding element applied to the message.
/// Null if this binding element did not even apply to this binding element.
/// </returns>
/// <exception cref="ProtocolException">
/// Thrown when the binding element rules indicate that this message is invalid and should
/// NOT be processed.
/// </exception>
public async Task <MessageProtections?> ProcessIncomingMessageAsync(IProtocolMessage message, CancellationToken cancellationToken)
{
var signedMessage = message as ITamperResistantOpenIdMessage;
if (signedMessage != null)
{
Logger.Bindings.DebugFormat("Verifying incoming {0} message signature of: {1}", message.GetType().Name, signedMessage.Signature);
MessageProtections protectionsApplied = MessageProtections.TamperProtection;
this.EnsureParametersRequiringSignatureAreSigned(signedMessage);
Association association = this.GetSpecificAssociation(signedMessage);
if (association != null)
{
string signature = this.GetSignature(signedMessage, association);
if (!MessagingUtilities.EqualsConstantTime(signedMessage.Signature, signature))
{
Logger.Bindings.Error("Signature verification failed.");
throw new InvalidSignatureException(message);
}
}
else
{
ErrorUtilities.VerifyInternal(this.Channel != null, "Cannot verify private association signature because we don't have a channel.");
protectionsApplied = await this.VerifySignatureByUnrecognizedHandleAsync(message, signedMessage, protectionsApplied, cancellationToken);
}
return(protectionsApplied);
}
return(null);
}
/// <summary>
/// Verifies the signature on an incoming message.
/// </summary>
/// <param name="message">The message whose signature should be verified.</param>
/// <returns>
/// The protections (if any) that this binding element applied to the message.
/// Null if this binding element did not even apply to this binding element.
/// </returns>
/// <exception cref="InvalidSignatureException">Thrown if the signature is invalid.</exception>
public MessageProtections? ProcessIncomingMessage(IProtocolMessage message) {
var signedMessage = message as ITamperResistantOAuthMessage;
if (signedMessage != null && this.IsMessageApplicable(signedMessage)) {
Logger.Bindings.DebugFormat("Verifying incoming {0} message signature of: {1}", message.GetType().Name, signedMessage.Signature);
if (!string.Equals(signedMessage.SignatureMethod, this.signatureMethod, StringComparison.Ordinal)) {
Logger.Bindings.WarnFormat("Expected signature method '{0}' but received message with a signature method of '{1}'.", this.signatureMethod, signedMessage.SignatureMethod);
return MessageProtections.None;
}
if (this.SignatureCallback != null) {
this.SignatureCallback(signedMessage);
} else {
Logger.Bindings.Warn("Signature verification required, but callback delegate was not provided to provide additional data for signature verification.");
}
if (!this.IsSignatureValid(signedMessage)) {
Logger.Bindings.Error("Signature verification failed.");
throw new InvalidSignatureException(message);
}
return MessageProtections.TamperProtection;
}
return null;
}
/// <summary>
/// Performs any transformation on an incoming message that may be necessary and/or
/// validates an incoming message based on the rules of this channel binding element.
/// </summary>
/// <param name="message">The incoming message to process.</param>
/// <returns>
/// The protections (if any) that this binding element applied to the message.
/// Null if this binding element did not even apply to this binding element.
/// </returns>
/// <exception cref="ProtocolException">
/// Thrown when the binding element rules indicate that this message is invalid and should
/// NOT be processed.
/// </exception>
/// <remarks>
/// Implementations that provide message protection must honor the
/// <see cref="MessagePartAttribute.RequiredProtection"/> properties where applicable.
/// </remarks>
public MessageProtections? ProcessIncomingMessage(IProtocolMessage message)
{
IndirectSignedResponse response = message as IndirectSignedResponse;
if (response != null && response.Version.Major < 2) {
// GetReturnToArgument may return parameters that are not signed,
// but we must allow for that since in OpenID 1.x, a stateless RP has
// no way to preserve the provider endpoint and claimed identifier otherwise.
// We'll verify the positive assertion later in the
// RelyingParty.PositiveAuthenticationResponse constructor anyway.
// If this is a 1.0 OP signed response without these parameters then we didn't initiate
// the request ,and since 1.0 OPs are not supposed to be able to send unsolicited
// assertions it's an invalid case that we throw an exception for.
if (response.ProviderEndpoint == null) {
string op_endpoint = response.GetReturnToArgument(ProviderEndpointParameterName);
ErrorUtilities.VerifyProtocol(op_endpoint != null, MessagingStrings.RequiredParametersMissing, message.GetType().Name, ProviderEndpointParameterName);
response.ProviderEndpoint = new Uri(op_endpoint);
}
PositiveAssertionResponse authResponse = response as PositiveAssertionResponse;
if (authResponse != null) {
if (authResponse.ClaimedIdentifier == null) {
string claimedId = response.GetReturnToArgument(ClaimedIdentifierParameterName);
ErrorUtilities.VerifyProtocol(claimedId != null, MessagingStrings.RequiredParametersMissing, message.GetType().Name, ClaimedIdentifierParameterName);
authResponse.ClaimedIdentifier = claimedId;
}
}
return MessageProtections.None;
}
return null;
}
/// <summary>
/// Performs any transformation on an incoming message that may be necessary and/or
/// validates an incoming message based on the rules of this channel binding element.
/// </summary>
/// <param name="message">The incoming message to process.</param>
/// <param name="cancellationToken">The cancellation token.</param>
/// <returns>
/// The protections (if any) that this binding element applied to the message.
/// Null if this binding element did not even apply to this binding element.
/// </returns>
/// <exception cref="ProtocolException">
/// Thrown when the binding element rules indicate that this message is invalid and should
/// NOT be processed.
/// </exception>
/// <remarks>
/// Implementations that provide message protection must honor the
/// <see cref="MessagePartAttribute.RequiredProtection"/> properties where applicable.
/// </remarks>
public Task<MessageProtections?> ProcessIncomingMessageAsync(IProtocolMessage message, CancellationToken cancellationToken) {
var signedMessage = message as ITamperResistantOpenIdMessage;
if (signedMessage != null) {
Logger.Bindings.DebugFormat("Skipped security checks of incoming {0} message for preview purposes.", message.GetType().Name);
return Task.FromResult<MessageProtections?>(this.Protection);
}
return NullTask;
}
public Task <MessageProtections?> ProcessIncomingMessageAsync(IProtocolMessage message, CancellationToken cancellationToken)
{
IndirectSignedResponse response = message as IndirectSignedResponse;
if (response != null && response.Version.Major < 2)
{
// GetReturnToArgument may return parameters that are not signed,
// but we must allow for that since in OpenID 1.x, a stateless RP has
// no way to preserve the provider endpoint and claimed identifier otherwise.
// We'll verify the positive assertion later in the
// RelyingParty.PositiveAuthenticationResponse constructor anyway.
// If this is a 1.0 OP signed response without these parameters then we didn't initiate
// the request ,and since 1.0 OPs are not supposed to be able to send unsolicited
// assertions it's an invalid case that we throw an exception for.
if (response.ProviderEndpoint == null)
{
string op_endpoint = response.GetReturnToArgument(ProviderEndpointParameterName);
ErrorUtilities.VerifyProtocol(op_endpoint != null, MessagingStrings.RequiredParametersMissing, message.GetType().Name, ProviderEndpointParameterName);
response.ProviderEndpoint = new Uri(op_endpoint);
}
PositiveAssertionResponse authResponse = response as PositiveAssertionResponse;
if (authResponse != null)
{
if (authResponse.ClaimedIdentifier == null)
{
string claimedId = response.GetReturnToArgument(ClaimedIdentifierParameterName);
ErrorUtilities.VerifyProtocol(claimedId != null, MessagingStrings.RequiredParametersMissing, message.GetType().Name, ClaimedIdentifierParameterName);
authResponse.ClaimedIdentifier = claimedId;
}
}
return(NoneTask);
}
return(NullTask);
}
/// <summary>
/// Performs any transformation on an incoming message that may be necessary and/or
/// validates an incoming message based on the rules of this channel binding element.
/// </summary>
/// <param name="message">The incoming message to process.</param>
/// <returns>
/// The protections (if any) that this binding element applied to the message.
/// Null if this binding element did not even apply to this binding element.
/// </returns>
/// <exception cref="ProtocolException">
/// Thrown when the binding element rules indicate that this message is invalid and should
/// NOT be processed.
/// </exception>
public MessageProtections?ProcessIncomingMessage(IProtocolMessage message)
{
var signedMessage = message as ITamperResistantOpenIdMessage;
if (signedMessage != null)
{
Logger.Bindings.DebugFormat("Verifying incoming {0} message signature of: {1}", message.GetType().Name, signedMessage.Signature);
MessageProtections protectionsApplied = MessageProtections.TamperProtection;
this.EnsureParametersRequiringSignatureAreSigned(signedMessage);
Association association = this.GetSpecificAssociation(signedMessage);
if (association != null)
{
string signature = this.GetSignature(signedMessage, association);
if (!MessagingUtilities.EqualsConstantTime(signedMessage.Signature, signature))
{
Logger.Bindings.Error("Signature verification failed.");
throw new InvalidSignatureException(message);
}
}
else
{
ErrorUtilities.VerifyInternal(this.Channel != null, "Cannot verify private association signature because we don't have a channel.");
// If we're on the Provider, then the RP sent us a check_auth with a signature
// we don't have an association for. (It may have expired, or it may be a faulty RP).
if (this.IsOnProvider)
{
throw new InvalidSignatureException(message);
}
// We did not recognize the association the provider used to sign the message.
// Ask the provider to check the signature then.
var indirectSignedResponse = (IndirectSignedResponse)signedMessage;
var checkSignatureRequest = new CheckAuthenticationRequest(indirectSignedResponse, this.Channel);
var checkSignatureResponse = this.Channel.Request <CheckAuthenticationResponse>(checkSignatureRequest);
if (!checkSignatureResponse.IsValid)
{
Logger.Bindings.Error("Provider reports signature verification failed.");
throw new InvalidSignatureException(message);
}
// If the OP confirms that a handle should be invalidated as well, do that.
if (!string.IsNullOrEmpty(checkSignatureResponse.InvalidateHandle))
{
if (this.rpAssociations != null)
{
this.rpAssociations.RemoveAssociation(indirectSignedResponse.ProviderEndpoint, checkSignatureResponse.InvalidateHandle);
}
}
// When we're in dumb mode we can't provide our own replay protection,
// but for OpenID 2.0 Providers we can rely on them providing it as part
// of signature verification.
if (message.Version.Major >= 2)
{
protectionsApplied |= MessageProtections.ReplayProtection;
}
}
return(protectionsApplied);
}
return(null);
}
/// <summary>
/// Initializes a new instance of the <see cref="UnprotectedMessageException"/> class.
/// </summary>
/// <param name="faultedMessage">The message whose protection requirements could not be met.</param>
/// <param name="appliedProtection">The protection requirements that were fulfilled.</param>
internal UnprotectedMessageException(IProtocolMessage faultedMessage, MessageProtections appliedProtection)
: base(string.Format(CultureInfo.CurrentCulture, MessagingStrings.InsufficientMessageProtection, faultedMessage.GetType().Name, faultedMessage.RequiredProtection, appliedProtection), faultedMessage) {
}
/// <summary>
/// Gets the protocol message embedded in the given HTTP request, if present.
/// </summary>
/// <typeparam name="TRequest">The expected type of the message to be received.</typeparam>
/// <param name="httpRequest">The request to search for an embedded message.</param>
/// <param name="request">The deserialized message, if one is found. Null otherwise.</param>
/// <returns>True if the expected message was recognized and deserialized. False otherwise.</returns>
/// <exception cref="InvalidOperationException">Thrown when <see cref="HttpContext.Current"/> is null.</exception>
/// <exception cref="ProtocolException">Thrown when a request message of an unexpected type is received.</exception>
public bool TryReadFromRequest <TRequest>(HttpRequestInfo httpRequest, out TRequest request)
where TRequest : class, IProtocolMessage
{
IProtocolMessage untypedRequest = this.ReadFromRequest(httpRequest);
if (untypedRequest == null)
{
request = null;
return(false);
}
request = untypedRequest as TRequest;
ErrorUtilities.VerifyProtocol(request != null, MessagingStrings.UnexpectedMessageReceived, typeof(TRequest), untypedRequest.GetType());
return(true);
}
/// <summary>
/// Signs the outgoing message.
/// </summary>
/// <param name="message">The message to sign.</param>
/// <returns>
/// The protections (if any) that this binding element applied to the message.
/// Null if this binding element did not even apply to this binding element.
/// </returns>
public MessageProtections? ProcessOutgoingMessage(IProtocolMessage message) {
var signedMessage = message as ITamperResistantOAuthMessage;
if (signedMessage != null && this.IsMessageApplicable(signedMessage)) {
if (this.SignatureCallback != null) {
this.SignatureCallback(signedMessage);
} else {
Logger.Bindings.Warn("Signing required, but callback delegate was not provided to provide additional data for signing.");
}
signedMessage.SignatureMethod = this.signatureMethod;
Logger.Bindings.DebugFormat("Signing {0} message using {1}.", message.GetType().Name, this.signatureMethod);
signedMessage.Signature = this.GetSignature(signedMessage);
return MessageProtections.TamperProtection;
}
return null;
}
/// <summary>
/// Performs any transformation on an incoming message that may be necessary and/or
/// validates an incoming message based on the rules of this channel binding element.
/// </summary>
/// <param name="message">The incoming message to process.</param>
/// <returns>
/// The protections (if any) that this binding element applied to the message.
/// Null if this binding element did not even apply to this binding element.
/// </returns>
/// <exception cref="ProtocolException">
/// Thrown when the binding element rules indicate that this message is invalid and should
/// NOT be processed.
/// </exception>
/// <remarks>
/// Implementations that provide message protection must honor the
/// <see cref="MessagePartAttribute.RequiredProtection"/> properties where applicable.
/// </remarks>
public MessageProtections?ProcessIncomingMessage(IProtocolMessage message)
{
var signedMessage = message as ITamperResistantOpenIdMessage;
if (signedMessage != null)
{
Logger.Bindings.DebugFormat("Skipped security checks of incoming {0} message for preview purposes.", message.GetType().Name);
return(this.Protection);
}
return(null);
}
/// <summary>
/// 读取httpRequest信息转换为TRequest
/// </summary>
/// <typeparam name="TRequest"></typeparam>
/// <param name="httpRequest"></param>
/// <param name="cancellationToken"></param>
/// <returns></returns>
public TRequest TryReadFromRequestAsync <TRequest>(HttpRequestMessage httpRequest, CancellationToken cancellationToken)
where TRequest : class, IProtocolMessage
{
IProtocolMessage untypeRequest = this.ReadFromRequestAsync(httpRequest, cancellationToken);
if (untypeRequest == null)
{
return(null);
}
var request = untypeRequest as TRequest;
ErrorUtilities.VerifyProtocol(request != null, MessagingStrings.UnexpectedMessageReceived, typeof(TRequest), untypeRequest.GetType());
return(request);
}
public Task <MessageProtections?> ProcessIncomingMessageAsync(IProtocolMessage message, CancellationToken cancellationToken)
{
var signedMessage = message as ITamperResistantOAuthMessage;
if (signedMessage != null && this.IsMessageApplicable(signedMessage))
{
Logger.Bindings.DebugFormat("Verifying incoming {0} message signature of: {1}", message.GetType().Name, signedMessage.Signature);
if (!string.Equals(signedMessage.SignatureMethod, this.signatureMethod, StringComparison.Ordinal))
{
Logger.Bindings.WarnFormat("Expected signature method '{0}' but received message with a signature method of '{1}'.", this.signatureMethod, signedMessage.SignatureMethod);
return(MessageProtectionTasks.None);
}
if (this.SignatureCallback != null)
{
this.SignatureCallback(signedMessage);
}
else
{
Logger.Bindings.Warn("Signature verification required, but callback delegate was not provided to provide additional data for signature verification.");
}
if (!this.IsSignatureValid(signedMessage))
{
Logger.Bindings.Error("Signature verification failed.");
throw new InvalidSignatureException(message);
}
return(MessageProtectionTasks.TamperProtection);
}
return(MessageProtectionTasks.Null);
}
public TResponse RequestAsync <TResponse>(IDirectedProtocolMessage requestMessage, CancellationToken cancellationToken)
where TResponse : class, IProtocolMessage
{
IProtocolMessage response = this.RequestAsync(requestMessage, cancellationToken);
ErrorUtilities.VerifyProtocol(response != null, MessagingStrings.ExpectedMessageNotReceived, typeof(TResponse));
var expectedResponse = response as TResponse;
ErrorUtilities.VerifyProtocol(expectedResponse != null, MessagingStrings.UnexpectedMessageReceived, typeof(TResponse), response.GetType());
return(expectedResponse);
}
public UnprotectedMessageException(IProtocolMessage faultedMessage, MessageProtections appliedProtection)
: base(string.Format(CultureInfo.CurrentCulture, MessagingStrings.InsufficientMessageProtection, faultedMessage.GetType().Name, faultedMessage.RequiredProtection, appliedProtection), faultedMessage)
{
}
/// <summary>
/// Performs any transformation on an incoming message that may be necessary and/or
/// validates an incoming message based on the rules of this channel binding element.
/// </summary>
/// <param name="message">The incoming message to process.</param>
/// <param name="cancellationToken">The cancellation token.</param>
/// <returns>
/// The protections (if any) that this binding element applied to the message.
/// Null if this binding element did not even apply to this binding element.
/// </returns>
/// <exception cref="ProtocolException">
/// Thrown when the binding element rules indicate that this message is invalid and should
/// NOT be processed.
/// </exception>
/// <remarks>
/// Implementations that provide message protection must honor the
/// <see cref="MessagePartAttribute.RequiredProtection"/> properties where applicable.
/// </remarks>
public Task <MessageProtections?> ProcessIncomingMessageAsync(IProtocolMessage message, CancellationToken cancellationToken)
{
var signedMessage = message as ITamperResistantOpenIdMessage;
if (signedMessage != null)
{
Logger.Bindings.DebugFormat("Skipped security checks of incoming {0} message for preview purposes.", message.GetType().Name);
return(Task.FromResult <MessageProtections?>(this.Protection));
}
return(NullTask);
}
