| | | 1 | | using System.Text; |
| | | 2 | | using System.Text.Encodings.Web; |
| | | 3 | | using Kestrun.Hosting; |
| | | 4 | | using Microsoft.AspNetCore.Authentication; |
| | | 5 | | using Microsoft.Extensions.Options; |
| | | 6 | | using Microsoft.Extensions.Primitives; |
| | | 7 | | |
| | | 8 | | namespace Kestrun.Authentication; |
| | | 9 | | |
| | | 10 | | /// <summary> |
| | | 11 | | /// Handles API Key authentication for incoming HTTP requests. |
| | | 12 | | /// </summary> |
| | | 13 | | public class ApiKeyAuthHandler |
| | | 14 | | : AuthenticationHandler<ApiKeyAuthenticationOptions> |
| | | 15 | | { |
| | | 16 | | /// <summary> The Kestrun host instance. </summary> |
| | 0 | 17 | | public KestrunHost Host { get; } |
| | | 18 | | |
| | | 19 | | /// <summary> |
| | | 20 | | /// Initializes a new instance of the <see cref="ApiKeyAuthHandler"/> class. |
| | | 21 | | /// </summary> |
| | | 22 | | /// <param name="host">The Kestrun host instance.</param> |
| | | 23 | | /// <param name="options">The options monitor for API key authentication options.</param> |
| | | 24 | | /// <param name="logger">The logger factory.</param> |
| | | 25 | | /// <param name="encoder">The URL encoder.</param> |
| | | 26 | | public ApiKeyAuthHandler(KestrunHost host, |
| | | 27 | | IOptionsMonitor<ApiKeyAuthenticationOptions> options, |
| | | 28 | | ILoggerFactory logger, |
| | | 29 | | UrlEncoder encoder) |
| | 12 | 30 | | : base(options, logger, encoder) |
| | | 31 | | { |
| | 12 | 32 | | ArgumentNullException.ThrowIfNull(host); |
| | 12 | 33 | | Host = host; |
| | 12 | 34 | | if (host.Logger.IsEnabled(Serilog.Events.LogEventLevel.Debug)) |
| | | 35 | | { |
| | 9 | 36 | | host.Logger.Debug("ApiKeyAuthHandler initialized"); |
| | | 37 | | } |
| | 12 | 38 | | } |
| | | 39 | | |
| | | 40 | | /// <summary> |
| | | 41 | | /// Authenticates the incoming request using an API key. |
| | | 42 | | /// </summary> |
| | | 43 | | /// <returns>An <see cref="AuthenticateResult"/> indicating the authentication outcome.</returns> |
| | | 44 | | protected override async Task<AuthenticateResult> HandleAuthenticateAsync() |
| | | 45 | | { |
| | | 46 | | try |
| | | 47 | | { |
| | 11 | 48 | | if (Options.Logger.IsEnabled(Serilog.Events.LogEventLevel.Debug)) |
| | | 49 | | { |
| | 3 | 50 | | Options.Logger.Debug("Handling API Key authentication for request: {Request}", Request); |
| | | 51 | | } |
| | | 52 | | |
| | | 53 | | // If insecure HTTP is NOT allowed and the request is not HTTPS, fail. |
| | 11 | 54 | | if (!Options.AllowInsecureHttp && !Request.IsHttps) |
| | | 55 | | { |
| | 1 | 56 | | return Fail("HTTPS required"); |
| | | 57 | | } |
| | | 58 | | |
| | 10 | 59 | | if (!TryGetApiKey(out var providedKey)) |
| | | 60 | | { |
| | 1 | 61 | | return Fail("Missing API Key"); |
| | | 62 | | } |
| | | 63 | | |
| | 9 | 64 | | var providedKeyBytes = Encoding.UTF8.GetBytes(providedKey); |
| | 9 | 65 | | var valid = await ValidateApiKeyAsync(providedKey, providedKeyBytes); |
| | 9 | 66 | | if (!valid) |
| | | 67 | | { |
| | 3 | 68 | | return Fail($"Invalid API Key: {providedKey}"); |
| | | 69 | | } |
| | | 70 | | |
| | 6 | 71 | | var ticket = await CreateTicketAsync(providedKey); |
| | 6 | 72 | | if (ticket.Principal is null) |
| | | 73 | | { |
| | 0 | 74 | | return Fail("Authentication ticket has no principal"); |
| | | 75 | | } |
| | 6 | 76 | | Options.Logger.Information("API Key authentication succeeded for identity: {Identity}", ticket.Principal.Ide |
| | | 77 | | |
| | 6 | 78 | | return AuthenticateResult.Success(ticket); |
| | | 79 | | } |
| | 0 | 80 | | catch (Exception ex) |
| | | 81 | | { |
| | 0 | 82 | | Options.Logger.Error(ex, "API Key authentication failed with exception."); |
| | 0 | 83 | | return Fail("Error processing API Key"); |
| | | 84 | | } |
| | 11 | 85 | | } |
| | | 86 | | |
| | | 87 | | /// <summary> |
| | | 88 | | /// Tries to retrieve the API key from the request headers or query string. |
| | | 89 | | /// </summary> |
| | | 90 | | /// <param name="providedKey">The retrieved API key.</param> |
| | | 91 | | /// <returns>True if the API key was found; otherwise, false.</returns> |
| | | 92 | | private bool TryGetApiKey(out string providedKey) |
| | | 93 | | { |
| | 10 | 94 | | providedKey = string.Empty; |
| | | 95 | | |
| | | 96 | | // Primary header |
| | 10 | 97 | | if (!Request.Headers.TryGetValue(Options.ApiKeyName, out var values)) |
| | | 98 | | { |
| | | 99 | | // Additional headers |
| | 11 | 100 | | foreach (var header in Options.AdditionalHeaderNames) |
| | | 101 | | { |
| | 3 | 102 | | if (Request.Headers.TryGetValue(header, out values)) |
| | | 103 | | { |
| | | 104 | | break; |
| | | 105 | | } |
| | | 106 | | } |
| | | 107 | | } |
| | | 108 | | |
| | | 109 | | // Query string fallback |
| | 10 | 110 | | if ((values.Count == 0 || StringValues.IsNullOrEmpty(values)) |
| | 10 | 111 | | && Options.AllowQueryStringFallback |
| | 10 | 112 | | && Request.Query.TryGetValue(Options.ApiKeyName, out var qsValues)) |
| | | 113 | | { |
| | 2 | 114 | | values = qsValues; |
| | | 115 | | } |
| | | 116 | | |
| | 10 | 117 | | if (StringValues.IsNullOrEmpty(values)) |
| | | 118 | | { |
| | 1 | 119 | | return false; |
| | | 120 | | } |
| | | 121 | | |
| | | 122 | | // Normalize potential whitespace/newlines from transport |
| | 9 | 123 | | providedKey = values.ToString().Trim(); |
| | 9 | 124 | | return true; |
| | | 125 | | } |
| | | 126 | | |
| | | 127 | | /// <summary> |
| | | 128 | | /// Validates the provided API key against the expected key or a custom validation method. |
| | | 129 | | /// </summary> |
| | | 130 | | /// <param name="providedKey">The API key provided by the client.</param> |
| | | 131 | | /// <param name="providedKeyBytes">The byte representation of the provided API key.</param> |
| | | 132 | | /// <returns>True if the API key is valid; otherwise, false.</returns> |
| | | 133 | | private async Task<bool> ValidateApiKeyAsync(string providedKey, byte[] providedKeyBytes) |
| | | 134 | | { |
| | 9 | 135 | | return Options.StaticApiKeyAsBytes is not null |
| | 9 | 136 | | ? FixedTimeEquals.Test(providedKeyBytes, Options.StaticApiKeyAsBytes) |
| | 9 | 137 | | : Options.ValidateKeyAsync is not null |
| | 9 | 138 | | ? await Options.ValidateKeyAsync(Context, providedKey, providedKeyBytes) |
| | 9 | 139 | | : throw new InvalidOperationException( |
| | 9 | 140 | | "No API key validation configured. Either set ValidateKey or ExpectedKey in ApiKeyAuthenticationOptions."); |
| | 9 | 141 | | } |
| | | 142 | | |
| | | 143 | | /// <summary> |
| | | 144 | | /// Creates an authentication ticket for the provided API key. |
| | | 145 | | /// </summary> |
| | | 146 | | /// <param name="providedKey"></param> |
| | | 147 | | /// <returns></returns> |
| | | 148 | | private Task<AuthenticationTicket> CreateTicketAsync(string providedKey) |
| | 6 | 149 | | => IAuthHandler.GetAuthenticationTicketAsync(Context, providedKey, Options, Scheme, "ApiKeyClient"); |
| | | 150 | | |
| | | 151 | | /// <summary> |
| | | 152 | | /// Fails the authentication process with the specified reason. |
| | | 153 | | /// </summary> |
| | | 154 | | /// <param name="reason">The reason for the failure.</param> |
| | | 155 | | /// <returns>An <see cref="AuthenticateResult"/> indicating the failure.</returns> |
| | | 156 | | private AuthenticateResult Fail(string reason) |
| | | 157 | | { |
| | 5 | 158 | | Options.Logger.Warning("API Key authentication failed: {Reason}", reason); |
| | 5 | 159 | | return AuthenticateResult.Fail(reason); |
| | | 160 | | } |
| | | 161 | | |
| | | 162 | | /// <summary> |
| | | 163 | | /// Handles the authentication challenge by setting the appropriate response headers and status code. |
| | | 164 | | /// </summary> |
| | | 165 | | /// <param name="properties">Authentication properties for the challenge.</param> |
| | | 166 | | /// <returns>A completed task.</returns> |
| | | 167 | | protected override Task HandleChallengeAsync(AuthenticationProperties properties) |
| | | 168 | | { |
| | 1 | 169 | | if (Options.EmitChallengeHeader) |
| | | 170 | | { |
| | 1 | 171 | | var header = Options.ApiKeyName ?? "X-Api-Key"; |
| | | 172 | | |
| | 1 | 173 | | var value = Options.ChallengeHeaderFormat == ApiKeyChallengeFormat.ApiKeyHeader |
| | 1 | 174 | | ? $"ApiKey header=\"{header}\"" |
| | 1 | 175 | | : header; |
| | | 176 | | |
| | 1 | 177 | | Response.Headers.WWWAuthenticate = value; |
| | | 178 | | } |
| | 1 | 179 | | Response.StatusCode = StatusCodes.Status401Unauthorized; |
| | 1 | 180 | | return Task.CompletedTask; |
| | | 181 | | } |
| | | 182 | | /// <summary> |
| | | 183 | | /// Builds a PowerShell-based API key validator delegate using the provided authentication code settings. |
| | | 184 | | /// </summary> |
| | | 185 | | ///<param name="host">The Kestrun host instance.</param> |
| | | 186 | | /// <param name="settings">The settings containing the PowerShell authentication code.</param> |
| | | 187 | | /// <returns>A delegate that validates an API key using PowerShell code.</returns> |
| | | 188 | | /// <remarks> |
| | | 189 | | /// This method compiles the PowerShell script and returns a delegate that can be used to validate API keys. |
| | | 190 | | /// </remarks> |
| | | 191 | | public static Func<HttpContext, string, byte[], Task<bool>> BuildPsValidator( |
| | | 192 | | KestrunHost host, |
| | | 193 | | AuthenticationCodeSettings settings) |
| | | 194 | | { |
| | 2 | 195 | | if (host.Logger.IsEnabled(Serilog.Events.LogEventLevel.Debug)) |
| | | 196 | | { |
| | 2 | 197 | | host.Logger.Debug("BuildPsValidator settings: {Settings}", settings); |
| | | 198 | | } |
| | | 199 | | |
| | 2 | 200 | | return async (ctx, providedKey, providedKeyBytes) => |
| | 2 | 201 | | { |
| | 2 | 202 | | return await IAuthHandler.ValidatePowerShellAsync(settings.Code, ctx, new Dictionary<string, string> |
| | 2 | 203 | | { |
| | 2 | 204 | | { "providedKey", providedKey }, |
| | 2 | 205 | | { "providedKeyBytes", Convert.ToBase64String(providedKeyBytes) } |
| | 2 | 206 | | }, host.Logger); |
| | 4 | 207 | | }; |
| | | 208 | | } |
| | | 209 | | |
| | | 210 | | /// <summary> |
| | | 211 | | /// Builds a C#-based API key validator delegate using the provided authentication code settings. |
| | | 212 | | /// </summary> |
| | | 213 | | /// <param name="host">The Kestrun host instance.</param> |
| | | 214 | | /// <param name="settings">The settings containing the C# authentication code.</param> |
| | | 215 | | /// <returns>A delegate that validates an API key using C# code.</returns> |
| | | 216 | | public static Func<HttpContext, string, byte[], Task<bool>> BuildCsValidator( |
| | | 217 | | KestrunHost host, |
| | | 218 | | AuthenticationCodeSettings settings) |
| | | 219 | | { |
| | 1 | 220 | | if (host.Logger.IsEnabled(Serilog.Events.LogEventLevel.Debug)) |
| | | 221 | | { |
| | 1 | 222 | | host.Logger.Debug("BuildCsValidator settings: {Settings}", settings); |
| | | 223 | | } |
| | | 224 | | // pass the settings to the core C# validator |
| | 1 | 225 | | var core = IAuthHandler.BuildCsValidator(host, |
| | 1 | 226 | | settings, |
| | 1 | 227 | | ("providedKey", string.Empty), ("providedKeyBytes", Array.Empty<byte>()) |
| | 1 | 228 | | ) ?? throw new InvalidOperationException("Failed to build C# validator delegate from provided settings."); |
| | 1 | 229 | | return (ctx, providedKey, providedKeyBytes) => |
| | 3 | 230 | | core(ctx, new Dictionary<string, object?> |
| | 3 | 231 | | { |
| | 3 | 232 | | ["providedKey"] = providedKey, |
| | 3 | 233 | | ["providedKeyBytes"] = providedKeyBytes |
| | 3 | 234 | | }); |
| | | 235 | | } |
| | | 236 | | |
| | | 237 | | /// <summary> |
| | | 238 | | /// Builds a VB.NET-based API key validator delegate using the provided authentication code settings. |
| | | 239 | | /// </summary> |
| | | 240 | | /// <param name="host">The Kestrun host instance.</param> |
| | | 241 | | /// <param name="settings">The settings containing the VB.NET authentication code.</param> |
| | | 242 | | /// <returns>A delegate that validates an API key using VB.NET code.</returns> |
| | | 243 | | public static Func<HttpContext, string, byte[], Task<bool>> BuildVBNetValidator( |
| | | 244 | | KestrunHost host, |
| | | 245 | | AuthenticationCodeSettings settings) |
| | | 246 | | { |
| | 2 | 247 | | if (host.Logger.IsEnabled(Serilog.Events.LogEventLevel.Debug)) |
| | | 248 | | { |
| | 1 | 249 | | host.Logger.Debug("BuildVBNetValidator settings: {Settings}", settings); |
| | | 250 | | } |
| | | 251 | | // pass the settings to the core VB.NET validator |
| | 2 | 252 | | var core = IAuthHandler.BuildVBNetValidator(host, |
| | 2 | 253 | | settings, |
| | 2 | 254 | | ("providedKey", string.Empty), ("providedKeyBytes", Array.Empty<byte>()) |
| | 2 | 255 | | ) ?? throw new InvalidOperationException("Failed to build VB.NET validator delegate from provided settings." |
| | 2 | 256 | | return (ctx, providedKey, providedKeyBytes) => |
| | 4 | 257 | | core(ctx, new Dictionary<string, object?> |
| | 4 | 258 | | { |
| | 4 | 259 | | ["providedKey"] = providedKey, |
| | 4 | 260 | | ["providedKeyBytes"] = providedKeyBytes |
| | 4 | 261 | | }); |
| | | 262 | | } |
| | | 263 | | } |