/// <summary>
/// Builds a <see cref="WebClient"/> whose request carries the CHAP headers the remote
/// side checks: a server-issued challenge in <c>X-MC-Nonce</c> and the HMAC of
/// (challenge, url, additionalFactors) in <c>X-MC-MAC</c>.
/// </summary>
/// <param name="url">Target URL; it is bound into the signature, so the client must post to exactly this URL.</param>
/// <param name="additionalFactors">Extra values folded into the signature (may be empty).</param>
/// <returns>A new, undisposed <see cref="WebClient"/>; the caller owns it and should dispose it.</returns>
protected virtual WebClient CreateAuthenticatedWebClient(string url, params SignatureFactor[] additionalFactors)
{
    // Fetch the challenge first: the MAC is computed over it, so it must exist before signing.
    string nonce = GetChallenge();
    string mac = _responseService.CreateSignature(nonce, url, additionalFactors).SignatureHash;

    var authenticatedClient = new WebClient();
    // Header order kept as in the rest of the file (MAC, then nonce).
    authenticatedClient.Headers.Add("X-MC-MAC", mac);
    authenticatedClient.Headers.Add("X-MC-Nonce", nonce);
    return authenticatedClient;
}
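/// <summary>
/// POSTs <paramref name="parameters"/> to <paramref name="url"/> with CHAP headers:
/// a client-generated nonce in <c>X-MC-Nonce</c> and, in <c>X-MC-MAC</c>, the HMAC of
/// (nonce, url, payload) computed with the shared secret from the content-migration registration.
/// </summary>
/// <param name="url">Absolute URL to post to; it is part of the signed material.</param>
/// <param name="parameters">Request body; signed as the "payload" factor so it cannot be swapped in transit.</param>
/// <returns>The response body as returned by <see cref="WebClient.UploadString(string, string, string)"/>.</returns>
/// <exception cref="AccessViolationException">The server answered 403 Forbidden (secret mismatch is the usual cause).</exception>
/// <exception cref="Exception">Any other <see cref="WebException"/>, wrapped with the status when one was returned.</exception>
private string MakeRequest(string url, string parameters)
{
    // Random per-request nonce; the receiving side is expected to reject re-use of it — confirm against the server's challenge store.
    string nonce = Guid.NewGuid().ToString();

    if (_ss == null)
    {
        // Lazy init. Not thread-safe: concurrent first calls may build two services — TODO confirm callers are single-threaded.
        _ss = new SignatureService(_registration.GetScsRegistration<ContentMigrationRegistration>().AuthenticationSecret);
        HmacServer = new ScsHmacServer(_ss, new UniqueChallengeStore());
    }

    var signature = _ss.CreateSignature(nonce, url, new[] { new SignatureFactor("payload", parameters) });

    // NOTE(review): SecurityProtocol is process-global; this save/restore is not isolated from other threads.
    var previousProtocol = ServicePointManager.SecurityProtocol;
    try
    {
        // .NET < 4.6.1 uses (insecure) SSL3 by default and does not enable TLS 1.2 for WebClient.
        ServicePointManager.SecurityProtocol = SetSslCiphers();

        // WebClient is IDisposable; dispose it instead of leaving it to the GC.
        using (var wc = new WebClient { Encoding = Encoding.UTF8 })
        {
            wc.Headers["X-MC-MAC"] = signature.SignatureHash;
            wc.Headers["X-MC-Nonce"] = nonce;
            return wc.UploadString(url, "POST", parameters);
        }
    }
    catch (WebException ex)
    {
        if (ex.Status == WebExceptionStatus.ProtocolError)
        {
            var response = ex.Response as HttpWebResponse;
            if (response?.StatusCode == HttpStatusCode.Forbidden)
            {
                // NOTE(review): AccessViolationException is the CLR's memory-fault type; kept because callers may
                // already catch it, but a dedicated exception type would be clearer.
                throw new AccessViolationException("Remote server returned Forbidden. Make sure your shared secrets match.");
            }

            // A ProtocolError means the server did answer, just not with 2xx — report the status instead of
            // claiming there was no response.
            string status = response == null ? "unknown status" : ((int)response.StatusCode) + " " + response.StatusCode;
            throw new Exception("Remote server returned an error response (" + status + ")", ex);
        }

        throw new Exception("Remote server didn't return a response", ex);
    }
    finally
    {
        ServicePointManager.SecurityProtocol = previousProtocol;
    }
}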
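/// <summary>
/// Validates a CHAP response for a server-issued challenge. The challenge is consumed first (so it
/// cannot be replayed), then the expected MAC over (challenge, url, additionalFactors) is recomputed and
/// compared to <paramref name="response"/> in constant time.
/// </summary>
/// <param name="challenge">Challenge value presented by the client (from <c>X-MC-Nonce</c>).</param>
/// <param name="response">Client-supplied MAC (from <c>X-MC-MAC</c>).</param>
/// <param name="url">Request URL the MAC is bound to.</param>
/// <param name="logger">Optional; receives the reason for rejection.</param>
/// <param name="additionalFactors">Extra signed values the client included.</param>
/// <returns><c>true</c> only if the challenge was unused/unexpired and the MAC matches.</returns>
public virtual bool ValidateToken(string challenge, string response, string url, IChapServerLogger logger, params SignatureFactor[] additionalFactors)
{
    if (!_challengeStore.ConsumeChallenge(challenge))
    {
        logger?.RejectedDueToInvalidChallenge(challenge, url);
        return false; // invalid or expired challenge
    }

    // we now know the challenge was valid. But what about the response?
    var localMacOfRequest = _responseService.CreateSignature(challenge, url, additionalFactors);

    // Constant-time comparison: string.Equals short-circuits at the first differing character,
    // which leaks how much of a forged MAC is correct through response timing.
    if (SignaturesMatchConstantTime(localMacOfRequest.SignatureHash, response))
    {
        return true;
    }

    logger?.RejectedDueToInvalidSignature(challenge, response, localMacOfRequest);
    return false;
}

/// <summary>Ordinal string comparison whose running time does not depend on where the strings differ.</summary>
private static bool SignaturesMatchConstantTime(string expected, string actual)
{
    // Length is not secret (a MAC has a fixed encoded length), so rejecting early on it is fine.
    if (expected == null || actual == null || expected.Length != actual.Length)
    {
        return false;
    }

    var diff = 0;
    for (var i = 0; i < expected.Length; i++)
    {
        diff |= expected[i] ^ actual[i];
    }
    return diff == 0;
}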
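/// <summary>
/// Validates a CHAP response where the challenge is a client-generated nonce. The MAC over
/// (challenge, url, additionalFactors) is checked first, in constant time; only a request with a valid
/// MAC is then allowed to touch the challenge store, so unauthenticated traffic cannot grow it.
/// </summary>
/// <param name="challenge">Client-generated nonce (from <c>X-MC-Nonce</c>).</param>
/// <param name="response">Client-supplied MAC (from <c>X-MC-MAC</c>).</param>
/// <param name="url">Request URL the MAC is bound to.</param>
/// <param name="logger">Optional; receives the reason for rejection.</param>
/// <param name="additionalFactors">Extra signed values the client included.</param>
/// <returns><c>true</c> only if the MAC matches and the nonce has not been used recently.</returns>
public virtual bool ValidateToken(string challenge, string response, string url, IChapServerLogger logger, params SignatureFactor[] additionalFactors)
{
    // Check signature first, to avoid any DDoS vulnerabilities in challenge tracking
    var localMacOfRequest = _responseService.CreateSignature(challenge, url, additionalFactors);

    // Constant-time comparison: string.Equals short-circuits at the first differing character,
    // which leaks how much of a forged MAC is correct through response timing.
    if (!SignaturesMatchConstantTime(localMacOfRequest.SignatureHash, response))
    {
        logger?.RejectedDueToInvalidSignature(challenge, response, localMacOfRequest);
        return false;
    }

    // if the HMAC matches, then we check that the challenge value
    // (which in this case is random generated by the client)
    // has not been used recently
    if (!_challengeStore.ConsumeChallenge(challenge))
    {
        logger?.RejectedDueToInvalidChallenge(challenge, url);
        return false; // invalid or expired challenge
    }

    return true;
}

/// <summary>Ordinal string comparison whose running time does not depend on where the strings differ.</summary>
private static bool SignaturesMatchConstantTime(string expected, string actual)
{
    // Length is not secret (a MAC has a fixed encoded length), so rejecting early on it is fine.
    if (expected == null || actual == null || expected.Length != actual.Length)
    {
        return false;
    }

    var diff = 0;
    for (var i = 0; i < expected.Length; i++)
    {
        diff |= expected[i] ^ actual[i];
    }
    return diff == 0;
}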
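/// <summary>
/// Runs a sync against the configured panel: obtains a challenge, signs the sync URL with it using the
/// shared secret, and streams the sync response through <c>_streamProcessor</c>.
/// </summary>
/// <returns><c>true</c> when the sync request succeeded and nothing was logged as an error.</returns>
/// <exception cref="ArgumentNullException">The panel URL or the shared secret is missing or blank.</exception>
public bool Sync()
{
    // Name the missing setting instead of throwing a bare ArgumentNullException; type kept for existing callers.
    if (string.IsNullOrWhiteSpace(_panelUrl))
    {
        throw new ArgumentNullException(nameof(_panelUrl), "Panel URL is required to sync.");
    }
    if (string.IsNullOrWhiteSpace(_secret))
    {
        throw new ArgumentNullException(nameof(_secret), "Shared secret is required to sync.");
    }

    // Process-global and deliberately not restored (unlike MakeRequest's save/restore): everything this
    // process talks to afterwards is forced onto TLS 1.2.
    ServicePointManager.SecurityProtocol = SecurityProtocolType.Tls12;

    // Presumably milliseconds (6 minutes / 3 hours) — the request factory's parameter is not visible here; confirm.
    const int challengeTimeout = 360000;
    const int syncTimeout = 10800000;

    var syncUrl = _urlProvider.GetUrl(Verb.Sync);

    // The challenge is server-issued and bound into the MAC together with the sync URL; no extra factors.
    var challenge = _requestFactory.Create(_urlProvider.GetUrl(Verb.Challenge), challengeTimeout, null).Execute();
    var signature = _signatureService.CreateSignature(challenge, syncUrl, null);

    var headers = new Dictionary<string, string>
    {
        { "X-MC-MAC", signature.SignatureHash },
        { "X-MC-Nonce", challenge }
    };

    bool executed = _requestFactory
        .Create(syncUrl, syncTimeout, headers)
        .Execute(_streamProcessor);

    return executed && !_log.HasLoggedErrors;
}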