DI related changes to the interface, adding the fallback for extracting the ClaimUid.

Author: harshgMSFT

src/Microsoft.AspNet.Mvc.Core/AntiForgery/AntiForgery.cs

@@ -3,6 +3,7 @@
 using Microsoft.AspNet.Abstractions;
 using Microsoft.AspNet.Mvc.Rendering;
 using Microsoft.AspNet.Security.DataProtection;
+using System.Threading.Tasks;
 
 namespace Microsoft.AspNet.Mvc
 {
@@ -15,12 +16,15 @@ public sealed class AntiForgery
         private static readonly string _purpose = "Microsoft.AspNet.Mvc.AntiXsrf.AntiForgeryToken.v1";
         private readonly AntiForgeryWorker _worker;
 
-        public AntiForgery(IAntiForgeryConfig config,
-            IClaimUidExtractor claimUidExtractor)
+        public AntiForgery(IClaimUidExtractor claimUidExtractor,
+                           IDataProtectionProvider dataProtectionProvider,
+                           IAntiForgeryAdditionalDataProvider additionalDataProvider)
         {
-            var serializer = new AntiForgeryTokenSerializer(DataProtectionProvider.CreateNew().CreateProtector(_purpose));
+            // TODO: This is temporary till we figure out how to flow configs using DI.
+            var config = new AntiForgeryConfigWrapper();
+            var serializer = new AntiForgeryTokenSerializer(dataProtectionProvider.CreateProtector(_purpose));
             var tokenStore = new AntiForgeryTokenStore(config, serializer);
-            var tokenProvider = new TokenValidator(config, claimUidExtractor);
+            var tokenProvider = new TokenProvider(config, claimUidExtractor, additionalDataProvider);
             _worker = new AntiForgeryWorker(serializer, config, tokenStore, tokenProvider, tokenProvider);
         }
 
@@ -69,9 +73,9 @@ public AntiForgeryTokenSet GetTokens(HttpContext context, string oldCookieToken)
         /// The anti-forgery token may be generated by calling GetHtml().
         /// </summary>
         /// <param name="context">The http context associated with the current call.</param>
-        public void Validate(HttpContext context)
+        public async Task ValidateAsync(HttpContext context)
         {
-            _worker.Validate(context);
+           await _worker.ValidateAsync(context);
         }
 
         /// <summary>

src/Microsoft.AspNet.Mvc.Core/AntiForgery/AntiForgeryConfig.cs

@@ -1,28 +1,13 @@
-
-using System.ComponentModel;
-
-namespace Microsoft.AspNet.Mvc
+namespace Microsoft.AspNet.Mvc
 {
     /// <summary>
     /// Provides programmatic configuration for the anti-forgery token system.
     /// </summary>
     public static class AntiForgeryConfig
     {
         internal const string AntiForgeryTokenFieldName = "__RequestVerificationToken";
-
+        private const string AntiForgeryCookieTokenName = "__RequestVerificationCookieToken";
         private static string _cookieName;
-        private static string _uniqueClaimTypeIdentifier;
-
-        /// <summary>
-        /// Specifies an object that can provide additional data to put into all
-        /// generated tokens and that can validate additional data in incoming
-        /// tokens.
-        /// </summary>
-        public static IAntiForgeryAdditionalDataProvider AdditionalDataProvider
-        {
-            get;
-            set;
-        }
 
         /// <summary>
         /// Specifies the name of the cookie that is used by the anti-forgery
@@ -71,28 +56,10 @@ public static bool SuppressXFrameOptionsHeader
             set;
         }
 
-        /// <summary>
-        /// Specifies whether the anti-forgery system should skip checking
-        /// for conditions that might indicate misuse of the system. Please
-        /// use caution when setting this switch, as improper use could open
-        /// security holes in the application.
-        /// </summary>
-        /// <remarks>
-        /// Setting this switch will disable several checks, including:
-        /// - Identity.IsAuthenticated = true without Identity.Name being set
-        /// - special-casing claims-based identities
-        /// </remarks>
-        [EditorBrowsable(EditorBrowsableState.Never)]
-        public static bool SuppressIdentityHeuristicChecks
-        {
-            get;
-            set;
-        }
-
-        // TODO: Replace the stub.
+        // TODO: Replace the stub. 
         private static string GetAntiForgeryCookieName()
         {
-            return AntiForgeryTokenFieldName;
+            return AntiForgeryCookieTokenName;
         }
     }
 }

src/Microsoft.AspNet.Mvc.Core/AntiForgery/AntiForgeryConfigWrapper.cs

@@ -1,16 +1,7 @@
-
-namespace Microsoft.AspNet.Mvc
+namespace Microsoft.AspNet.Mvc
 {
     public sealed class AntiForgeryConfigWrapper : IAntiForgeryConfig
     {
-        public IAntiForgeryAdditionalDataProvider AdditionalDataProvider
-        {
-            get
-            {
-                return AntiForgeryConfig.AdditionalDataProvider;
-            }
-        }
-
         public string CookieName
         {
             get { return AntiForgeryConfig.CookieName; }
@@ -26,11 +17,6 @@ public bool RequireSSL
             get { return AntiForgeryConfig.RequireSsl; }
         }
 
-        public bool SuppressIdentityHeuristicChecks
-        {
-            get { return AntiForgeryConfig.SuppressIdentityHeuristicChecks; }
-        }
-
         public bool SuppressXFrameOptionsHeader
         {
             get { return AntiForgeryConfig.SuppressXFrameOptionsHeader; }

src/Microsoft.AspNet.Mvc.Core/AntiForgery/AntiForgeryTokenStore.cs

@@ -1,6 +1,7 @@
 
 using System;
 using Microsoft.AspNet.Abstractions;
+using System.Threading.Tasks;
 
 namespace Microsoft.AspNet.Mvc
 {
@@ -28,10 +29,11 @@ public AntiForgeryToken GetCookieToken(HttpContext httpContext)
             return _serializer.Deserialize(cookie);
         }
 
-        public AntiForgeryToken GetFormToken(HttpContext httpContext)
+        public async Task<AntiForgeryToken> GetFormTokenAsync(HttpContext httpContext)
         {
-            string value = httpContext.Request.GetFormAsync().Result[_config.FormFieldName];
-            if (String.IsNullOrEmpty(value))
+            var form = await httpContext.Request.GetFormAsync();
+            string value = form[_config.FormFieldName];
+            if (string.IsNullOrEmpty(value))
             {
                 // did not exist
                 return null;
@@ -46,8 +48,7 @@ public void SaveCookieToken(HttpContext httpContext, AntiForgeryToken token)
             CookieOptions options = new CookieOptions() { HttpOnly = true };
 
             // Note: don't use "newCookie.Secure = _config.RequireSSL;" since the default
-            // value of newCookie.Secure is automatically populated from the <httpCookies>
-            // config element.
+            // value of newCookie.Secure is poulated out of band.
             if (_config.RequireSSL)
             {
                 options.Secure = true;

src/Microsoft.AspNet.Mvc.Core/AntiForgery/AntiForgeryWorker.cs

@@ -7,6 +7,7 @@
 using Microsoft.AspNet.Mvc.Core;
 using Microsoft.AspNet.Mvc.Rendering;
 using System.Security.Claims;
+using System.Threading.Tasks;
 
 namespace Microsoft.AspNet.Mvc
 {
@@ -37,7 +38,7 @@ private void CheckSSLConfig(HttpContext httpContext)
 
         private AntiForgeryToken DeserializeToken(string serializedToken)
         {
-            return (!String.IsNullOrEmpty(serializedToken))
+            return (!string.IsNullOrEmpty(serializedToken))
                 ? _serializer.Deserialize(serializedToken)
                 : null;
         }
@@ -56,15 +57,17 @@ private AntiForgeryToken DeserializeTokenNoThrow(string serializedToken)
             }
         }
 
-        private static IIdentity ExtractIdentity(HttpContext httpContext)
+        private static ClaimsIdentity ExtractIdentity(HttpContext httpContext)
         {
             if (httpContext != null)
             {
                 ClaimsPrincipal user = httpContext.User;
 
                 if (user != null)
                 {
-                   return user.Identity;
+                    // We only support ClaimsIdentity.
+                    // Todo remove this once httpContext.User moves to ClaimsIdentity.
+                   return user.Identity as ClaimsIdentity;
                 }
             }
 
@@ -159,13 +162,13 @@ private string Serialize(AntiForgeryToken token)
         // [ ENTRY POINT ]
         // Given an HttpContext, validates that the anti-XSRF tokens contained
         // in the cookies & form are OK for this request.
-        public void Validate(HttpContext httpContext)
+        public async Task ValidateAsync(HttpContext httpContext)
         {
             CheckSSLConfig(httpContext);
 
             // Extract cookie & form tokens
             AntiForgeryToken cookieToken = _tokenStore.GetCookieToken(httpContext);
-            AntiForgeryToken formToken = _tokenStore.GetFormToken(httpContext);
+            AntiForgeryToken formToken = await _tokenStore.GetFormTokenAsync(httpContext);
 
             // Validate
             _validator.ValidateTokens(httpContext, ExtractIdentity(httpContext), cookieToken, formToken);

src/Microsoft.AspNet.Mvc.Core/AntiForgery/BinaryBlob.cs

@@ -5,6 +5,7 @@
 using System.Globalization;
 using System.Text;
 using Microsoft.AspNet.Security.DataProtection;
+using System.Runtime.CompilerServices;
 
 namespace Microsoft.AspNet.Mvc
 {
@@ -94,6 +95,7 @@ private static byte[] GenerateNewToken(int bitLength)
             return data;
         }
 
+        [MethodImplAttribute(MethodImplOptions.NoInlining | MethodImplOptions.NoOptimization)] 
         private static bool AreByteArraysEqual(byte[] a, byte[] b)
         {
             if (a == null || b == null || a.Length != b.Length)

src/Microsoft.AspNet.Mvc.Core/AntiForgery/DefaultAntiForgeryAdditionalDataProvider.cs

@@ -0,0 +1,18 @@
+using Microsoft.AspNet.Abstractions;
+
+namespace Microsoft.AspNet.Mvc
+{
+    public class DefaultAntiForgeryAdditionalDataProvider : IAntiForgeryAdditionalDataProvider
+    {
+        public virtual string GetAdditionalData(HttpContext context)
+        {
+            return string.Empty;
+        }
+
+        public virtual bool ValidateAdditionalData(HttpContext context, string additionalData)
+        {
+            // Default implementation does not understand anything but empty data.
+            return string.IsNullOrEmpty(additionalData);
+        }
+    }
+}

src/Microsoft.AspNet.Mvc.Core/AntiForgery/DefaultClaimUidExtractor.cs

@@ -4,71 +4,54 @@
 using System.Linq;
 using System.Security.Claims;
 using System.Security.Cryptography;
-using System.Security.Principal;
 
 namespace Microsoft.AspNet.Mvc
 {
     // Can extract unique identifers for a claims-based identity
     public class DefaultClaimUidExtractor : IClaimUidExtractor
     {
-        private const string NameIdentifierClaimType = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier";
-
-        private readonly IAntiForgeryConfig _config;
-
-        public DefaultClaimUidExtractor(IAntiForgeryConfig config)
+        public string ExtractClaimUid(ClaimsIdentity claimsIdentity)
         {
-            _config = config;
-        }
-
-        public byte[] ExtractClaimUid(IIdentity identity)
-        {
-            if (identity == null || !identity.IsAuthenticated || _config.SuppressIdentityHeuristicChecks)
+            if (claimsIdentity == null || !claimsIdentity.IsAuthenticated)
             {
                 // Skip anonymous users
-                // Skip when claims-based checks are disabled
-                return null;
-            }
-
-            var claimsIdentity = identity as ClaimsIdentity;
-            if (claimsIdentity == null)
-            {
-                // not a claims-based identity
                 return null;
             }
 
-            string[] uniqueIdentifierParameters = GetUniqueIdentifierParameters(claimsIdentity);
+            var uniqueIdentifierParameters = GetUniqueIdentifierParameters(claimsIdentity);
             byte[] claimUidBytes = ComputeSHA256(uniqueIdentifierParameters);
-            return claimUidBytes;
+            return Convert.ToBase64String(claimUidBytes);
         }
 
-        private static string[] GetUniqueIdentifierParameters(ClaimsIdentity claimsIdentity)
+        private static IEnumerable<string> GetUniqueIdentifierParameters(ClaimsIdentity claimsIdentity)
         {
-            // TODO: We need to select a single claim based on the Authentication Type of the claim.
-            var claims = claimsIdentity.Claims;
-
-            // TODO: Need to check with vittorio for acs.
-            // For a correctly configured ACS consumer, this tuple will uniquely
-            // identify a user of the application. We assume that a well-behaved
-            // identity provider will never assign the same name identifier to multiple
-            // users within its security realm, and we assume that ACS has been
-            // configured so that each identity provider has a unique 'identityProvider'
-            // claim.
-            // By default, we look for 'nameIdentifier' claim.
-            Claim nameIdentifierClaim = claims.SingleOrDefault(claim => String.Equals(NameIdentifierClaimType, claim.Type, StringComparison.Ordinal));
-            if (nameIdentifierClaim == null || String.IsNullOrEmpty(nameIdentifierClaim.Value))
+            // TODO: Need to enable support for special casing acs identities.
+            var nameIdentifierClaim = claimsIdentity.FindFirst(claim =>
+                                                            String.Equals(ClaimTypes.NameIdentifier,
+                                                                        claim.Type, StringComparison.Ordinal));
+            if (nameIdentifierClaim != null && !string.IsNullOrEmpty(nameIdentifierClaim.Value))
             {
-                // TODO: The exception message would be decided based on the claim types we choose to expose.
-                throw new InvalidOperationException("Resources.ClaimUidExtractor_DefaultClaimsNotPresent");
+                return new string[]
+                {
+                    ClaimTypes.NameIdentifier,
+                    nameIdentifierClaim.Value
+                };
             }
 
-            return new string[]
+            // We Do not understand this claimsIdentity, fallback on serializing the entire claims Identity.
+            var claims = claimsIdentity.Claims.ToList();
+            claims.Sort((a, b) => string.Compare(a.Type, b.Type, StringComparison.Ordinal));
+            var identifierParameters = new List<string>();
+            foreach (var claim in claims)
             {
-                NameIdentifierClaimType,
-                nameIdentifierClaim.Value
-            };
+                identifierParameters.Add(claim.Type);
+                identifierParameters.Add(claim.Value);
+            }
+
+            return identifierParameters;
         }
 
-        private static byte[] ComputeSHA256(IList<string> parameters)
+        private static byte[] ComputeSHA256(IEnumerable<string> parameters)
         {
             using (MemoryStream ms = new MemoryStream())
             {
@@ -78,6 +61,7 @@ private static byte[] ComputeSHA256(IList<string> parameters)
                     {
                         bw.Write(parameter); // also writes the length as a prefix; unambiguous
                     }
+
                     bw.Flush();
 
                     using (SHA256 sha256 = SHA256.Create())

src/Microsoft.AspNet.Mvc.Core/AntiForgery/IAntiForgeryConfig.cs

@@ -3,9 +3,6 @@
     // Provides configuration information about the anti-forgery system.
     public interface IAntiForgeryConfig
     {
-        // Provides additional data to go into the tokens.
-        IAntiForgeryAdditionalDataProvider AdditionalDataProvider { get; }
-
         // Name of the cookie to use.
         string CookieName { get; }
 
@@ -15,9 +12,6 @@ public interface IAntiForgeryConfig
         // Whether SSL is mandatory for this request.
         bool RequireSSL { get; }
 
-        // Skip ClaimsIdentity & related logic.
-        bool SuppressIdentityHeuristicChecks { get; }
-
         // Skip X-FRAME-OPTIONS header.
         bool SuppressXFrameOptionsHeader { get; }
     }

src/Microsoft.AspNet.Mvc.Core/AntiForgery/IClaimUidExtractor.cs

@@ -1,10 +1,11 @@
-using System.Security.Principal;
+using System.Security.Claims;
+using System.Security.Principal;
 
 namespace Microsoft.AspNet.Mvc
 {
     // Can extract unique identifers for a claims-based identity
     public interface IClaimUidExtractor
     {
-        byte[] ExtractClaimUid(IIdentity identity);
+        string ExtractClaimUid(ClaimsIdentity identity);
     }
 }