AntiForgery Interfaces.

Also contains some code ported over.
This Commit is only for review purpose.

Author: harshgMSFT

src/Microsoft.AspNet.Mvc.Core/AntiForgery/AntiForgery.cs

@@ -0,0 +1,111 @@
+// Copyright (c) Microsoft Open Technologies, Inc. All rights reserved. See License.txt in the project root for license information.
+
+using System;
+using System.ComponentModel;
+using System.Diagnostics.CodeAnalysis;
+using System.Security.Claims;
+using System.Security.Principal;
+using Microsoft.AspNet.Abstractions;
+using Microsoft.AspNet.Mvc.Rendering;
+using Microsoft.AspNet.Security.DataProtection;
+
+namespace Microsoft.AspNet.Mvc
+{
+    /// <summary>
+    /// Provides access to the anti-forgery system, which provides protection against
+    /// Cross-site Request Forgery (XSRF, also called CSRF) attacks.
+    /// </summary>
+    public class AntiForgery
+    {
+        private static readonly AntiForgeryWorker _worker = CreateSingletonAntiForgeryWorker();
+        private static readonly string _purpose =  "Microsoft.AspNet.Mvc.AntiXsrf.AntiForgeryToken.v1" ;
+
+        private static AntiForgeryWorker CreateSingletonAntiForgeryWorker()
+        {
+            // initialize the dependency chain
+            IAntiForgeryConfig config = new AntiForgeryConfigWrapper();
+
+            // TODO populate the IDataProtectionProvider using DI.
+            IDataProtectionProvider dataProtectionProvider = DataProtectionProvider.CreateNew();
+            IAntiForgeryTokenSerializer serializer = new AntiForgeryTokenSerializer(dataProtectionProvider.CreateProtector(_purpose));
+            ITokenStore tokenStore = new AntiForgeryTokenStore(config, serializer);
+            IClaimUidExtractor claimUidExtractor = new DefaultClaimUidExtractor(config);
+            var tokenProvider = new TokenValidator(config, claimUidExtractor);
+
+            return new AntiForgeryWorker(serializer, config, tokenStore, tokenProvider, tokenProvider);
+        }
+
+        /// <summary>
+        /// Generates an anti-forgery token for this request. This token can
+        /// be validated by calling the Validate() method.
+        /// </summary>
+        /// <returns>An HTML string corresponding to an &lt;input type="hidden"&gt;
+        /// element. This element should be put inside a &lt;form&gt;.</returns>
+        /// <remarks>
+        /// This method has a side effect: it may set a response cookie.
+        /// </remarks>
+        public static HtmlString GetHtml(HttpContext context)
+        {
+            TagBuilder retVal = _worker.GetFormInputElement(context);
+            return retVal.ToHtmlString(TagRenderMode.SelfClosing);
+        }
+
+        /// <summary>
+        /// Generates an anti-forgery token pair (cookie and form token) for this request.
+        /// This method is similar to GetHtml(), but this method gives the caller control
+        /// over how to persist the returned values. To validate these tokens, call the
+        /// appropriate overload of Validate.
+        /// </summary>
+        /// <param name="oldCookieToken">The anti-forgery token - if any - that already existed
+        /// for this request. May be null. The anti-forgery system will try to reuse this cookie
+        /// value when generating a matching form token.</param>
+        /// <param name="newCookieToken">Will contain a new cookie value if the old cookie token
+        /// was null or invalid. If this value is non-null when the method completes, the caller
+        /// must persist this value in the form of a response cookie, and the existing cookie value
+        /// should be discarded. If this value is null when the method completes, the existing
+        /// cookie value was valid and needn't be modified.</param>
+        /// <param name="formToken">The value that should be stored in the &lt;form&gt;. The caller
+        /// should take care not to accidentally swap the cookie and form tokens.</param>
+        /// <remarks>
+        /// Unlike the GetHtml() method, this method has no side effect. The caller
+        /// is responsible for setting the response cookie and injecting the returned
+        /// form token as appropriate.
+        /// </remarks>
+        [SuppressMessage("Microsoft.Design", "CA1021:AvoidOutParameters", MessageId = "1#",
+            Justification = "Method is intended for advanced audiences.")]
+        [SuppressMessage("Microsoft.Design", "CA1021:AvoidOutParameters", MessageId = "2#",
+            Justification = "Method is intended for advanced audiences.")]
+        [EditorBrowsable(EditorBrowsableState.Advanced)]
+        public static void GetTokens(HttpContext context, string oldCookieToken, out string newCookieToken, out string formToken)
+        {
+            _worker.GetTokens(context, oldCookieToken, out newCookieToken, out formToken);
+        }
+
+        /// <summary>
+        /// Validates an anti-forgery token that was supplied for this request.
+        /// The anti-forgery token may be generated by calling GetHtml().
+        /// </summary>
+        /// <remarks>
+        /// Throws an HttpAntiForgeryException if validation fails.
+        /// </remarks>
+        public static void Validate(HttpContext context)
+        {
+            _worker.Validate(context);
+        }
+
+        /// <summary>
+        /// Validates an anti-forgery token pair that was generated by the GetTokens method.
+        /// </summary>
+        /// <param name="cookieToken">The token that was supplied in the request cookie.</param>
+        /// <param name="formToken">The token that was supplied in the request form body.</param>
+        /// <remarks>
+        /// Throws an HttpAntiForgeryException if validation fails.
+        /// </remarks>
+        [EditorBrowsable(EditorBrowsableState.Advanced)]
+        public static void Validate(HttpContext context, string cookieToken, string formToken)
+        {
+            _worker.Validate(context, cookieToken, formToken);
+        }
+    }
+}
+

src/Microsoft.AspNet.Mvc.Core/AntiForgery/AntiForgeryConfig.cs

@@ -0,0 +1,100 @@
+// Copyright (c) Microsoft Open Technologies, Inc. All rights reserved. See License.txt in the project root for license information.
+
+using System.ComponentModel;
+using System.Text;
+
+namespace Microsoft.AspNet.Mvc
+{
+    /// <summary>
+    /// Provides programmatic configuration for the anti-forgery token system.
+    /// </summary>
+    public static class AntiForgeryConfig
+    {
+        internal const string AntiForgeryTokenFieldName = "__RequestVerificationToken";
+
+        private static string _cookieName;
+        private static string _uniqueClaimTypeIdentifier;
+
+        /// <summary>
+        /// Specifies an object that can provide additional data to put into all
+        /// generated tokens and that can validate additional data in incoming
+        /// tokens.
+        /// </summary>
+        public static IAntiForgeryAdditionalDataProvider AdditionalDataProvider
+        {
+            get;
+            set;
+        }
+
+        /// <summary>
+        /// Specifies the name of the cookie that is used by the anti-forgery
+        /// system.
+        /// </summary>
+        /// <remarks>
+        /// If an explicit name is not provided, the system will automatically
+        /// generate a name.
+        /// </remarks>
+        public static string CookieName
+        {
+            get
+            {
+                if (_cookieName == null)
+                {
+                    _cookieName = GetAntiForgeryCookieName();
+                }
+                return _cookieName;
+            }
+            set
+            {
+                _cookieName = value;
+            }
+        }
+
+        /// <summary>
+        /// Specifies whether SSL is required for the anti-forgery system
+        /// to operate. If this setting is 'true' and a non-SSL request
+        /// comes into the system, all anti-forgery APIs will fail.
+        /// </summary>
+        public static bool RequireSsl
+        {
+            get;
+            set;
+        }
+
+        /// <summary>
+        /// Specifies whether to suppress the generation of X-Frame-Options header
+        /// which is used to prevent ClickJacking. By default, the X-Frame-Options
+        /// header is generated with the value SAMEORIGIN. If this setting is 'true', 
+        /// the X-Frame-Options header will not be generated for the response.
+        /// </summary>
+        public static bool SuppressXFrameOptionsHeader
+        {
+            get;
+            set;
+        }
+
+        /// <summary>
+        /// Specifies whether the anti-forgery system should skip checking
+        /// for conditions that might indicate misuse of the system. Please
+        /// use caution when setting this switch, as improper use could open
+        /// security holes in the application.
+        /// </summary>
+        /// <remarks>
+        /// Setting this switch will disable several checks, including:
+        /// - Identity.IsAuthenticated = true without Identity.Name being set
+        /// - special-casing claims-based identities
+        /// </remarks>
+        [EditorBrowsable(EditorBrowsableState.Never)]
+        public static bool SuppressIdentityHeuristicChecks
+        {
+            get;
+            set;
+        }
+
+        // TODO: Replace the stub.
+        private static string GetAntiForgeryCookieName()
+        {
+            return AntiForgeryTokenFieldName;
+        }
+    }
+}

src/Microsoft.AspNet.Mvc.Core/AntiForgery/AntiForgeryConfigWrapper.cs

@@ -0,0 +1,40 @@
+// Copyright (c) Microsoft Open Technologies, Inc. All rights reserved. See License.txt in the project root for license information.
+
+namespace Microsoft.AspNet.Mvc
+{
+    internal sealed class AntiForgeryConfigWrapper : IAntiForgeryConfig
+    {
+        public IAntiForgeryAdditionalDataProvider AdditionalDataProvider
+        {
+            get
+            {
+                return AntiForgeryConfig.AdditionalDataProvider;
+            }
+        }
+
+        public string CookieName
+        {
+            get { return AntiForgeryConfig.CookieName; }
+        }
+
+        public string FormFieldName
+        {
+            get { return AntiForgeryConfig.AntiForgeryTokenFieldName; }
+        }
+
+        public bool RequireSSL
+        {
+            get { return AntiForgeryConfig.RequireSsl; }
+        }
+
+        public bool SuppressIdentityHeuristicChecks
+        {
+            get { return AntiForgeryConfig.SuppressIdentityHeuristicChecks; }
+        }
+
+        public bool SuppressXFrameOptionsHeader
+        {
+            get { return AntiForgeryConfig.SuppressXFrameOptionsHeader; }
+        }
+    }
+}

src/Microsoft.AspNet.Mvc.Core/AntiForgery/AntiForgeryToken.cs

@@ -0,0 +1,62 @@
+using System;
+using System.Collections.Generic;
+using System.Linq;
+using System.Text;
+using System.Threading.Tasks;
+
+namespace Microsoft.AspNet.Mvc
+{
+    public class AntiForgeryToken
+    {
+        internal const int SecurityTokenBitLength = 128;
+        internal const int ClaimUidBitLength = 256;
+
+        private string _additionalData;
+        private BinaryBlob _securityToken;
+        private string _username;
+
+        public string AdditionalData
+        {
+            get
+            {
+                return _additionalData ?? String.Empty;
+            }
+            set
+            {
+                _additionalData = value;
+            }
+        }
+
+        public BinaryBlob ClaimUid { get; set; }
+
+        public bool IsSessionToken { get; set; }
+
+        public BinaryBlob SecurityToken
+        {
+            get
+            {
+                if (_securityToken == null)
+                {
+                    _securityToken = new BinaryBlob(SecurityTokenBitLength);
+                }
+                return _securityToken;
+            }
+            set
+            {
+                _securityToken = value;
+            }
+        }
+
+        public string Username
+        {
+            get
+            {
+                return _username ?? String.Empty;
+            }
+            set
+            {
+                _username = value;
+            }
+        }
+    }
+}

src/Microsoft.AspNet.Mvc.Core/AntiForgery/AntiForgeryTokenSerializer.cs

@@ -0,0 +1,28 @@
+// Copyright (c) Microsoft Open Technologies, Inc. All rights reserved. See License.txt in the project root for license information.
+
+using System;
+using Microsoft.AspNet.Security.DataProtection;
+
+namespace Microsoft.AspNet.Mvc
+{
+    // TODO: Stub :Replace with actual implementation
+    internal sealed class AntiForgeryTokenSerializer : IAntiForgeryTokenSerializer
+    {
+        private readonly IDataProtector _cryptoSystem;
+
+        internal AntiForgeryTokenSerializer(IDataProtector cryptoSystem)
+        {
+            _cryptoSystem = cryptoSystem;
+        }
+
+        public AntiForgeryToken Deserialize(string serializedToken)
+        {
+            throw new NotImplementedException();
+        }
+
+        public string Serialize(AntiForgeryToken token)
+        {
+            throw new NotImplementedException();
+        }
+    }
+}