| | 1 | | // Copyright (c) Microsoft Corporation. All rights reserved. |
| | 2 | | // Licensed under the MIT License. |
| | 3 | |
|
| | 4 | | using Azure.Core; |
| | 5 | | using Azure.Core.Pipeline; |
| | 6 | | using System; |
| | 7 | | using System.Collections.Generic; |
| | 8 | | using System.Globalization; |
| | 9 | | using System.Threading.Tasks; |
| | 10 | |
|
| | 11 | | namespace Azure.Security.KeyVault |
| | 12 | | { |
| | 13 | | internal class ChallengeBasedAuthenticationPolicy : HttpPipelinePolicy |
| | 14 | | { |
| | 15 | | private const string BearerChallengePrefix = "Bearer "; |
| | 16 | |
|
| | 17 | | private readonly TokenCredential _credential; |
| | 18 | |
|
| | 19 | | private AuthenticationChallenge _challenge = null; |
| | 20 | | private string _headerValue; |
| | 21 | | private DateTimeOffset _refreshOn; |
| | 22 | |
|
| 50 | 23 | | public ChallengeBasedAuthenticationPolicy(TokenCredential credential) |
| | 24 | | { |
| 50 | 25 | | _credential = credential; |
| 50 | 26 | | } |
| | 27 | |
|
| | 28 | | public override void Process(HttpMessage message, ReadOnlyMemory<HttpPipelinePolicy> pipeline) |
| | 29 | | { |
| 54 | 30 | | ProcessCoreAsync(message, pipeline, false).EnsureCompleted(); |
| 54 | 31 | | } |
| | 32 | |
|
| | 33 | | public override ValueTask ProcessAsync(HttpMessage message, ReadOnlyMemory<HttpPipelinePolicy> pipeline) |
| | 34 | | { |
| 64 | 35 | | return ProcessCoreAsync(message, pipeline, true); |
| | 36 | | } |
| | 37 | |
|
| | 38 | | private async ValueTask ProcessCoreAsync(HttpMessage message, ReadOnlyMemory<HttpPipelinePolicy> pipeline, bool |
| | 39 | | { |
| 118 | 40 | | if (message.Request.Uri.Scheme != Uri.UriSchemeHttps) |
| | 41 | | { |
| 0 | 42 | | throw new InvalidOperationException("Bearer token authentication is not permitted for non TLS protected |
| | 43 | | } |
| | 44 | |
|
| 118 | 45 | | RequestContent originalContent = message.Request.Content; |
| | 46 | |
|
| | 47 | | // if this policy doesn't have _challenge cached try to get it from the static challenge cache |
| 118 | 48 | | AuthenticationChallenge challenge = _challenge ?? AuthenticationChallenge.GetChallenge(message); |
| | 49 | |
|
| | 50 | | // if we still don't have the challenge for the endpoint |
| | 51 | | // remove the content from the request and send without authentication to get the challenge |
| 118 | 52 | | if (challenge == null) |
| | 53 | | { |
| 40 | 54 | | message.Request.Content = null; |
| | 55 | | } |
| | 56 | | // otherwise if we already know the challenge authenticate the request |
| | 57 | | else |
| | 58 | | { |
| 78 | 59 | | await AuthenticateRequestAsync(message, async, challenge).ConfigureAwait(false); |
| | 60 | | } |
| | 61 | |
|
| 118 | 62 | | if (async) |
| | 63 | | { |
| 64 | 64 | | await ProcessNextAsync(message, pipeline).ConfigureAwait(false); |
| | 65 | | } |
| | 66 | | else |
| | 67 | | { |
| 54 | 68 | | ProcessNext(message, pipeline); |
| | 69 | | } |
| | 70 | |
|
| | 71 | | // if we get a 401 |
| 118 | 72 | | if (message.Response.Status == 401) |
| | 73 | | { |
| | 74 | | // set the content to the original content in case it was cleared |
| 40 | 75 | | message.Request.Content = originalContent; |
| | 76 | |
|
| | 77 | | // update the cached challenge |
| 40 | 78 | | challenge = AuthenticationChallenge.GetChallenge(message); |
| | 79 | |
|
| 40 | 80 | | if (challenge != null) |
| | 81 | | { |
| | 82 | | // update the cached challenge if not yet set or different from the current challenge (e.g. moved te |
| 40 | 83 | | if (_challenge == null || !challenge.Equals(_challenge)) |
| | 84 | | { |
| 40 | 85 | | _challenge = challenge; |
| | 86 | | } |
| | 87 | |
|
| | 88 | | // authenticate the request and resend |
| 40 | 89 | | await AuthenticateRequestAsync(message, async, challenge).ConfigureAwait(false); |
| | 90 | |
|
| 40 | 91 | | if (async) |
| | 92 | | { |
| 18 | 93 | | await ProcessNextAsync(message, pipeline).ConfigureAwait(false); |
| | 94 | | } |
| | 95 | | else |
| | 96 | | { |
| 22 | 97 | | ProcessNext(message, pipeline); |
| | 98 | | } |
| | 99 | | } |
| | 100 | | } |
| 118 | 101 | | } |
| | 102 | |
|
| | 103 | | private async Task AuthenticateRequestAsync(HttpMessage message, bool async, AuthenticationChallenge challenge) |
| | 104 | | { |
| 118 | 105 | | if (_headerValue is null || DateTimeOffset.UtcNow >= _refreshOn) |
| | 106 | | { |
| 40 | 107 | | AccessToken token = async ? |
| 40 | 108 | | await _credential.GetTokenAsync(new TokenRequestContext(challenge.Scopes, message.Request.Client |
| 40 | 109 | | _credential.GetToken(new TokenRequestContext(challenge.Scopes, message.Request.ClientRequestId), |
| | 110 | |
|
| 40 | 111 | | _headerValue = BearerChallengePrefix + token.Token; |
| 40 | 112 | | _refreshOn = token.ExpiresOn - TimeSpan.FromMinutes(2); |
| | 113 | | } |
| | 114 | |
|
| 118 | 115 | | message.Request.Headers.SetValue(HttpHeader.Names.Authorization, _headerValue); |
| 118 | 116 | | } |
| | 117 | |
|
| | 118 | | internal class AuthenticationChallenge |
| | 119 | | { |
| 2 | 120 | | private static readonly Dictionary<string, AuthenticationChallenge> s_cache = new Dictionary<string, Authent |
| 2 | 121 | | private static readonly object s_cacheLock = new object(); |
| 2 | 122 | | private static readonly string[] s_challengeDelimiters = new string[] { "," }; |
| | 123 | |
|
| 40 | 124 | | private AuthenticationChallenge(string authority, string scope) |
| | 125 | | { |
| 40 | 126 | | Authority = authority; |
| 40 | 127 | | Scopes = new string[] { scope }; |
| 40 | 128 | | } |
| | 129 | |
|
| 0 | 130 | | public string Authority { get; } |
| | 131 | |
|
| 40 | 132 | | public string[] Scopes { get; } |
| | 133 | |
|
| | 134 | | public override bool Equals(object obj) |
| | 135 | | { |
| 0 | 136 | | if (ReferenceEquals(this, obj)) |
| | 137 | | { |
| 0 | 138 | | return true; |
| | 139 | | } |
| | 140 | |
|
| | 141 | | // This assumes that Authority Scopes are always non-null and Scopes has a length of one. |
| | 142 | | // This is guaranteed by the way the AuthenticationChallenge cache is constructed. |
| 0 | 143 | | if (obj is AuthenticationChallenge other) |
| | 144 | | { |
| 0 | 145 | | return string.Equals(Authority, other.Authority, StringComparison.OrdinalIgnoreCase) |
| 0 | 146 | | && string.Equals(Scopes[0], other.Scopes[0], StringComparison.OrdinalIgnoreCase); |
| | 147 | | } |
| | 148 | |
|
| 0 | 149 | | return false; |
| | 150 | | } |
| | 151 | |
|
| | 152 | | public override int GetHashCode() |
| | 153 | | { |
| | 154 | | // Currently the hash code is simply the hash of the authority and first scope as this is what is used t |
| | 155 | | // This assumes that Authority Scopes are always non-null and Scopes has a length of one. |
| | 156 | | // This is guaranteed by the way the AuthenticationChallenge cache is constructed. |
| 0 | 157 | | return HashCodeBuilder.Combine(Authority, Scopes[0]); |
| | 158 | | } |
| | 159 | |
|
| | 160 | | public static AuthenticationChallenge GetChallenge(HttpMessage message) |
| | 161 | | { |
| 80 | 162 | | AuthenticationChallenge challenge = null; |
| | 163 | |
|
| 80 | 164 | | if (message.HasResponse) |
| | 165 | | { |
| 40 | 166 | | challenge = GetChallengeFromResponse(message.Response); |
| | 167 | |
|
| | 168 | | // if the challenge is non-null cache it |
| 40 | 169 | | if (challenge != null) |
| | 170 | | { |
| 40 | 171 | | string authority = GetRequestAuthority(message.Request); |
| 40 | 172 | | lock (s_cacheLock) |
| | 173 | | { |
| 40 | 174 | | s_cache[authority] = challenge; |
| 40 | 175 | | } |
| | 176 | | } |
| | 177 | | } |
| | 178 | | else |
| | 179 | | { |
| | 180 | | // try to get the challenge from the cache |
| 40 | 181 | | string authority = GetRequestAuthority(message.Request); |
| 40 | 182 | | lock (s_cacheLock) |
| | 183 | | { |
| 40 | 184 | | s_cache.TryGetValue(authority, out challenge); |
| 40 | 185 | | } |
| | 186 | | } |
| | 187 | |
|
| 80 | 188 | | return challenge; |
| | 189 | | } |
| | 190 | |
|
| | 191 | | internal static void ClearCache() |
| | 192 | | { |
| | 193 | | // try to get the challenge from the cache |
| 42 | 194 | | lock (s_cacheLock) |
| | 195 | | { |
| 42 | 196 | | s_cache.Clear(); |
| 42 | 197 | | } |
| 42 | 198 | | } |
| | 199 | |
|
| | 200 | | private static AuthenticationChallenge GetChallengeFromResponse(Response response) |
| | 201 | | { |
| 40 | 202 | | AuthenticationChallenge challenge = null; |
| | 203 | |
|
| 40 | 204 | | if (response.Headers.TryGetValue("WWW-Authenticate", out string challengeValue) && challengeValue.Starts |
| | 205 | | { |
| 40 | 206 | | challenge = ParseBearerChallengeHeaderValue(challengeValue); |
| | 207 | | } |
| | 208 | |
|
| 40 | 209 | | return challenge; |
| | 210 | | } |
| | 211 | |
|
| | 212 | | private static AuthenticationChallenge ParseBearerChallengeHeaderValue(string challengeValue) |
| | 213 | | { |
| 40 | 214 | | string authority = null; |
| 40 | 215 | | string scope = null; |
| | 216 | |
|
| | 217 | | // remove the bearer challenge prefix |
| 40 | 218 | | var trimmedChallenge = challengeValue.Substring(BearerChallengePrefix.Length); |
| | 219 | |
|
| | 220 | | // Split the trimmed challenge into a set of name=value strings that |
| | 221 | | // are comma separated. The value fields are expected to be within |
| | 222 | | // quotation characters that are stripped here. |
| 40 | 223 | | string[] pairs = trimmedChallenge.Split(s_challengeDelimiters, StringSplitOptions.RemoveEmptyEntries); |
| | 224 | |
|
| 40 | 225 | | if (pairs.Length > 0) |
| | 226 | | { |
| | 227 | | // Process the name=value string |
| 240 | 228 | | for (int i = 0; i < pairs.Length; i++) |
| | 229 | | { |
| 80 | 230 | | string[] pair = pairs[i].Split('='); |
| | 231 | |
|
| 80 | 232 | | if (pair.Length == 2) |
| | 233 | | { |
| | 234 | | // We have a key and a value, now need to trim and decode |
| 80 | 235 | | string key = pair[0].AsSpan().Trim().Trim('\"').ToString(); |
| 80 | 236 | | string value = pair[1].AsSpan().Trim().Trim('\"').ToString(); |
| | 237 | |
|
| 80 | 238 | | if (!string.IsNullOrEmpty(key)) |
| | 239 | | { |
| | 240 | | // Ordered by current likelihood. |
| 80 | 241 | | if (string.Equals(key, "authorization", StringComparison.OrdinalIgnoreCase)) |
| | 242 | | { |
| 40 | 243 | | authority = value; |
| | 244 | | } |
| 40 | 245 | | else if (string.Equals(key, "resource", StringComparison.OrdinalIgnoreCase)) |
| | 246 | | { |
| 40 | 247 | | scope = value + "/.default"; |
| | 248 | | } |
| 0 | 249 | | else if (string.Equals(key, "scope", StringComparison.OrdinalIgnoreCase)) |
| | 250 | | { |
| 0 | 251 | | scope = value; |
| | 252 | | } |
| 0 | 253 | | else if (string.Equals(key, "authorization_uri", StringComparison.OrdinalIgnoreCase)) |
| | 254 | | { |
| 0 | 255 | | authority = value; |
| | 256 | | } |
| | 257 | | } |
| | 258 | | } |
| | 259 | | } |
| | 260 | | } |
| | 261 | |
|
| 40 | 262 | | if (authority != null && scope != null) |
| | 263 | | { |
| 40 | 264 | | return new AuthenticationChallenge(authority, scope); |
| | 265 | | } |
| | 266 | |
|
| 0 | 267 | | return null; |
| | 268 | | } |
| | 269 | |
|
| | 270 | | private static string GetRequestAuthority(Request request) |
| | 271 | | { |
| 80 | 272 | | Uri uri = request.Uri.ToUri(); |
| | 273 | |
|
| 80 | 274 | | string authority = uri.Authority; |
| | 275 | |
|
| 80 | 276 | | if (!authority.Contains(":") && uri.Port > 0) |
| | 277 | | { |
| | 278 | | // Append port for complete authority |
| 80 | 279 | | authority = uri.Authority + ":" + uri.Port.ToString(CultureInfo.InvariantCulture); |
| | 280 | | } |
| | 281 | |
|
| 80 | 282 | | return authority; |
| | 283 | | } |
| | 284 | | } |
| | 285 | | } |
| | 286 | | } |