操控平台后端代码
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.

159 lines
6.7 KiB

6 months ago
// 大名科技(天津)有限公司版权所有 电话:18020030720 QQ:515096995
//
// 此源代码遵循位于源代码树根目录中的 LICENSE 文件的许可证
using Microsoft.AspNetCore.Authentication;
using System.Security.Claims;
using System.Security.Cryptography;
using System.Text.Encodings.Web;
namespace Admin.NET.Core;
/// <summary>
/// Signature 身份验证处理
/// </summary>
public sealed class SignatureAuthenticationHandler : AuthenticationHandler<SignatureAuthenticationOptions>
{
private readonly SysCacheService _cacheService;
public SignatureAuthenticationHandler(IOptionsMonitor<SignatureAuthenticationOptions> options,
ILoggerFactory logger,
UrlEncoder encoder,
ISystemClock clock,
SysCacheService cacheService)
: base(options, logger, encoder, clock)
{
_cacheService = cacheService;
}
private new SignatureAuthenticationEvent Events
{
get => (SignatureAuthenticationEvent)base.Events;
set => base.Events = value;
}
/// <summary>
/// 确保创建的 Event 类型是 DigestEvents
/// </summary>
/// <returns></returns>
protected override Task<object> CreateEventsAsync() => throw new NotImplementedException($"{nameof(SignatureAuthenticationOptions)}.{nameof(SignatureAuthenticationOptions.Events)} 需要提供一个实例");
protected override async Task<AuthenticateResult> HandleAuthenticateAsync()
{
var accessKey = Request.Headers["accessKey"].FirstOrDefault();
var timestampStr = Request.Headers["timestamp"].FirstOrDefault(); // 精确到秒
var nonce = Request.Headers["nonce"].FirstOrDefault();
var sign = Request.Headers["sign"].FirstOrDefault();
if (string.IsNullOrEmpty(accessKey))
return await AuthenticateResultFailAsync("accessKey 不能为空");
if (string.IsNullOrEmpty(timestampStr))
return await AuthenticateResultFailAsync("timestamp 不能为空");
if (string.IsNullOrEmpty(nonce))
return await AuthenticateResultFailAsync("nonce 不能为空");
if (string.IsNullOrEmpty(sign))
return await AuthenticateResultFailAsync("sign 不能为空");
// 验证请求数据是否在可接受的时间内
if (!long.TryParse(timestampStr, out var timestamp))
return await AuthenticateResultFailAsync("timestamp 值不合法");
var requestDate = DateTimeUtil.ToLocalTimeDateBySeconds(timestamp);
if (requestDate > Clock.UtcNow.Add(Options.AllowedDateDrift).LocalDateTime || requestDate < Clock.UtcNow.Subtract(Options.AllowedDateDrift).LocalDateTime)
return await AuthenticateResultFailAsync("timestamp 值已超过允许的偏差范围");
// 获取 accessSecret
var getAccessSecretContext = new GetAccessSecretContext(Context, Scheme, Options) { AccessKey = accessKey };
var accessSecret = await Events.GetAccessSecret(getAccessSecretContext);
if (string.IsNullOrEmpty(accessSecret))
return await AuthenticateResultFailAsync("accessKey 无效");
// 校验签名
var appSecretByte = Encoding.UTF8.GetBytes(accessSecret);
string serverSign = SignData(appSecretByte, GetMessageForSign(Context));
if (serverSign != sign)
return await AuthenticateResultFailAsync("sign 无效的签名");
// 重放检测
var cacheKey = $"{CacheConst.KeyOpenAccessNonce}{accessKey}|{nonce}";
if (_cacheService.ExistKey(cacheKey))
return await AuthenticateResultFailAsync("重复的请求");
_cacheService.Set(cacheKey, null, Options.AllowedDateDrift * 2); // 缓存过期时间为偏差范围时间的2倍
// 已验证成功
var signatureValidatedContext = new SignatureValidatedContext(Context, Scheme, Options)
{
Principal = new ClaimsPrincipal(new ClaimsIdentity(SignatureAuthenticationDefaults.AuthenticationScheme)),
AccessKey = accessKey
};
await Events.Validated(signatureValidatedContext);
// ReSharper disable once ConditionIsAlwaysTrueOrFalse
if (signatureValidatedContext.Result != null)
return signatureValidatedContext.Result;
// ReSharper disable once HeuristicUnreachableCode
signatureValidatedContext.Success();
return signatureValidatedContext.Result;
}
protected override async Task HandleChallengeAsync(AuthenticationProperties properties)
{
var authResult = await HandleAuthenticateOnceSafeAsync();
var challengeContext = new SignatureChallengeContext(Context, Scheme, Options, properties)
{
AuthenticateFailure = authResult.Failure,
};
await Events.Challenge(challengeContext);
// 质询已处理
if (challengeContext.Handled) return;
await base.HandleChallengeAsync(properties);
}
/// <summary>
/// 获取用于签名的消息
/// </summary>
/// <returns></returns>
private static string GetMessageForSign(HttpContext context)
{
var method = context.Request.Method; // 请求方法(大写)
var url = context.Request.Path; // 请求 url,去除协议、域名、参数,以 / 开头
var accessKey = context.Request.Headers["accessKey"].FirstOrDefault(); // 身份标识
var timestamp = context.Request.Headers["timestamp"].FirstOrDefault(); // 时间戳,精确到秒
var nonce = context.Request.Headers["nonce"].FirstOrDefault(); // 唯一随机数
return $"{method}&{url}&{accessKey}&{timestamp}&{nonce}";
}
/// <summary>
/// 对数据进行签名
/// </summary>
/// <param name="secret"></param>
/// <param name="data"></param>
/// <returns></returns>
private static string SignData(byte[] secret, string data)
{
if (secret == null)
throw new ArgumentNullException(nameof(secret));
if (data == null)
throw new ArgumentNullException(nameof(data));
using HMAC hmac = new HMACSHA256();
hmac.Key = secret;
return Convert.ToBase64String(hmac.ComputeHash(Encoding.UTF8.GetBytes(data)));
}
/// <summary>
/// 返回验证失败结果,并在 Items 中增加 <see cref="SignatureAuthenticationDefaults.AuthenticateFailMsgKey"/>,记录身份验证失败消息
/// </summary>
/// <param name="message"></param>
/// <returns></returns>
private Task<AuthenticateResult> AuthenticateResultFailAsync(string message)
{
// 写入身份验证失败消息
Context.Items[SignatureAuthenticationDefaults.AuthenticateFailMsgKey] = message;
return Task.FromResult(AuthenticateResult.Fail(message));
}
}