#1443 Block unsolicited wsfed logins by default.

Tratcher · Tratcher · commit 7b0dca363613 · 2017-10-05T15:47:22.000-07:00
diff --git a/src/Microsoft.AspNetCore.Authentication.WsFederation/WsFederationHandler.cs b/src/Microsoft.AspNetCore.Authentication.WsFederation/WsFederationHandler.cs
@@ -20,6 +20,7 @@ namespace Microsoft.AspNetCore.Authentication.WsFederation
     /// </summary>
     public class WsFederationHandler : RemoteAuthenticationHandler<WsFederationOptions>, IAuthenticationSignOutHandler
     {
+        private const string CorrelationProperty = ".xsrf";
         private WsFederationConfiguration _configuration;
 
         /// <summary>
@@ -78,6 +79,8 @@ protected override async Task HandleChallengeAsync(AuthenticationProperties prop
                 wsFederationMessage.Wreply = BuildRedirectUri(Options.CallbackPath);
             }
 
+            GenerateCorrelationId(properties);
+
             var redirectContext = new RedirectContext(Context, Scheme, Options, properties)
             {
                 ProtocolMessage = wsFederationMessage
@@ -141,12 +144,15 @@ protected override async Task<HandleRequestResult> HandleRemoteAuthenticateAsync
             {
                 // Retrieve our cached redirect uri
                 var state = wsFederationMessage.Wctx;
-                // WsFed allows for uninitiated logins, state may be missing.
+                // WsFed allows for uninitiated logins, state may be missing. See AllowUnsolicitedLogins.
                 var properties = Options.StateDataFormat.Unprotect(state);
 
                 if (properties == null)
                 {
-                    properties = new AuthenticationProperties();
+                    if (!Options.AllowUnsolicitedLogins)
+                    {
+                        return HandleRequestResult.Fail("Unsolicited logins are not allowed.");
+                    }
                 }
                 else
                 {
@@ -164,6 +170,15 @@ protected override async Task<HandleRequestResult> HandleRemoteAuthenticateAsync
                 {
                     return messageReceivedContext.Result;
                 }
+                wsFederationMessage = messageReceivedContext.ProtocolMessage;
+                properties = messageReceivedContext.Properties; // Provides a new instance if not set.
+
+                // If state did flow from the challenge then validate it. See AllowUnsolicitedLogins above.
+                if (properties.Items.TryGetValue(CorrelationProperty, out string correlationId)
+                    && !ValidateCorrelationId(properties))
+                {
+                    return HandleRequestResult.Fail("Correlation failed.");
+                }
 
                 if (wsFederationMessage.Wresult == null)
                 {
@@ -187,6 +202,8 @@ protected override async Task<HandleRequestResult> HandleRemoteAuthenticateAsync
                 {
                     return securityTokenReceivedContext.Result;
                 }
+                wsFederationMessage = securityTokenReceivedContext.ProtocolMessage;
+                properties = messageReceivedContext.Properties;
 
                 if (_configuration == null)
                 {
diff --git a/src/Microsoft.AspNetCore.Authentication.WsFederation/WsFederationOptions.cs b/src/Microsoft.AspNetCore.Authentication.WsFederation/WsFederationOptions.cs
@@ -153,5 +153,11 @@ public TokenValidationParameters TokenValidationParameters
         /// The default is true. This should be disabled only in development environments.
         /// </summary>
         public bool RequireHttpsMetadata { get; set; } = true;
+
+        /// <summary>
+        /// The Ws-Federation protocol allows the user to initiate logins without contacting the application for a Challenge first.
+        /// However, that flow is susceptible to XSRF and other attacks so it is disabled here by default.
+        /// </summary>
+        public bool AllowUnsolicitedLogins { get; set; }
     }
 }
diff --git a/test/Microsoft.AspNetCore.Authentication.WsFederation.Test/WsFederationTest.cs b/test/Microsoft.AspNetCore.Authentication.WsFederation.Test/WsFederationTest.cs
@@ -1,6 +1,7 @@
 ﻿// Copyright (c) .NET Foundation. All rights reserved.
 // Licensed under the Apache License, Version 2.0. See License.txt in the project root for license information.
 
+using System;
 using System.Collections.Generic;
 using System.IO;
 using System.Linq;
@@ -51,53 +52,42 @@ public async Task ValidTokenIsAccepted()
             var response = await httpClient.GetAsync("/");
             var queryItems = QueryHelpers.ParseQuery(response.Headers.Location.Query);
 
-            // Send an invalid token and verify that the token is not honored
-            var kvps = new List<KeyValuePair<string, string>>();
-            kvps.Add(new KeyValuePair<string, string>("wa", "wsignin1.0"));
-            kvps.Add(new KeyValuePair<string, string>("wresult", File.ReadAllText(@"ValidToken.xml")));
-            kvps.Add(new KeyValuePair<string, string>("wctx", queryItems["wctx"]));
-            response = await httpClient.PostAsync(queryItems["wreply"], new FormUrlEncodedContent(kvps));
+            var request = new HttpRequestMessage(HttpMethod.Post, queryItems["wreply"]);
+            CopyCookies(response, request);
+            request.Content = CreateSignInContent("ValidToken.xml", queryItems["wctx"]);
+            response = await httpClient.SendAsync(request);
 
             Assert.Equal(HttpStatusCode.Found, response.StatusCode);
 
-            var request = new HttpRequestMessage(HttpMethod.Get, response.Headers.Location);
-            var cookies = SetCookieHeaderValue.ParseList(response.Headers.GetValues(HeaderNames.SetCookie).ToList());
-            foreach (var cookie in cookies)
-            {
-                if (cookie.Value.HasValue)
-                {
-                    request.Headers.Add(HeaderNames.Cookie, new CookieHeaderValue(cookie.Name, cookie.Value).ToString());
-                }
-            }
+            request = new HttpRequestMessage(HttpMethod.Get, response.Headers.Location);
+            CopyCookies(response, request);
             response = await httpClient.SendAsync(request);
 
             // Did the request end in the actual resource requested for
             Assert.Equal(WsFederationDefaults.AuthenticationScheme, await response.Content.ReadAsStringAsync());
         }
 
         [Fact]
-        public async Task ValidUnsolicitedTokenIsAccepted()
+        public async Task ValidUnsolicitedTokenIsRefused()
         {
             var httpClient = CreateClient();
+            var form = CreateSignInContent("ValidToken.xml", suppressWctx: true);
+            var exception = await Assert.ThrowsAsync<Exception>(() => httpClient.PostAsync(httpClient.BaseAddress + "signin-wsfed", form));
+            Assert.Contains("Unsolicited logins are not allowed.", exception.Message);
+        }
 
-            // Send an invalid token and verify that the token is not honored
-            var kvps = new List<KeyValuePair<string, string>>();
-            kvps.Add(new KeyValuePair<string, string>("wa", "wsignin1.0"));
-            kvps.Add(new KeyValuePair<string, string>("wresult", File.ReadAllText(@"ValidToken.xml")));
-            kvps.Add(new KeyValuePair<string, string>("suppressWctx", "true"));
-            var response = await httpClient.PostAsync(httpClient.BaseAddress + "signin-wsfed", new FormUrlEncodedContent(kvps));
+        [Fact]
+        public async Task ValidUnsolicitedTokenIsAcceptedWhenAllowed()
+        {
+            var httpClient = CreateClient(allowUnsolicited: true);
+
+            var form = CreateSignInContent("ValidToken.xml", suppressWctx: true);
+            var response = await httpClient.PostAsync(httpClient.BaseAddress + "signin-wsfed", form);
 
             Assert.Equal(HttpStatusCode.Found, response.StatusCode);
 
             var request = new HttpRequestMessage(HttpMethod.Get, response.Headers.Location);
-            var cookies = SetCookieHeaderValue.ParseList(response.Headers.GetValues(HeaderNames.SetCookie).ToList());
-            foreach (var cookie in cookies)
-            {
-                if (cookie.Value.HasValue)
-                {
-                    request.Headers.Add(HeaderNames.Cookie, new CookieHeaderValue(cookie.Name, cookie.Value).ToString());
-                }
-            }
+            CopyCookies(response, request);
             response = await httpClient.SendAsync(request);
 
             // Did the request end in the actual resource requested for
@@ -113,94 +103,119 @@ public async Task InvalidTokenIsRejected()
             var response = await httpClient.GetAsync("/");
             var queryItems = QueryHelpers.ParseQuery(response.Headers.Location.Query);
 
-            // Send an invalid token and verify that the token is not honored
-            var kvps = new List<KeyValuePair<string, string>>();
-            kvps.Add(new KeyValuePair<string, string>("wa", "wsignin1.0"));
-            kvps.Add(new KeyValuePair<string, string>("wresult", File.ReadAllText(@"InvalidToken.xml")));
-            kvps.Add(new KeyValuePair<string, string>("wctx", queryItems["wctx"]));
-            response = await httpClient.PostAsync(queryItems["wreply"], new FormUrlEncodedContent(kvps));
+            var request = new HttpRequestMessage(HttpMethod.Post, queryItems["wreply"]);
+            CopyCookies(response, request);
+            request.Content = CreateSignInContent("InvalidToken.xml", queryItems["wctx"]);
+            response = await httpClient.SendAsync(request);
 
             // Did the request end in the actual resource requested for
             Assert.Equal("AuthenticationFailed", await response.Content.ReadAsStringAsync());
         }
 
-        private HttpClient CreateClient()
+        private FormUrlEncodedContent CreateSignInContent(string tokenFile, string wctx = null, bool suppressWctx = false)
         {
-            var builder = new WebHostBuilder()
-                            .ConfigureServices(ConfigureAppServices)
-                            .Configure(ConfigureApp);
-            var server = new TestServer(builder);
-            return server.CreateClient();
+            var kvps = new List<KeyValuePair<string, string>>();
+            kvps.Add(new KeyValuePair<string, string>("wa", "wsignin1.0"));
+            kvps.Add(new KeyValuePair<string, string>("wresult", File.ReadAllText(tokenFile)));
+            if (!string.IsNullOrEmpty(wctx))
+            {
+                kvps.Add(new KeyValuePair<string, string>("wctx", wctx));
+            }
+            if (suppressWctx)
+            {
+                kvps.Add(new KeyValuePair<string, string>("suppressWctx", "true"));
+            }
+            return new FormUrlEncodedContent(kvps);
         }
 
-        private void ConfigureAppServices(IServiceCollection services)
+        private void CopyCookies(HttpResponseMessage response, HttpRequestMessage request)
         {
-            services.AddAuthentication(sharedOptions =>
-            {
-                sharedOptions.DefaultScheme = CookieAuthenticationDefaults.AuthenticationScheme;
-                sharedOptions.DefaultSignInScheme = CookieAuthenticationDefaults.AuthenticationScheme;
-                sharedOptions.DefaultChallengeScheme = WsFederationDefaults.AuthenticationScheme;
-            })
-            .AddWsFederation(options =>
+            var cookies = SetCookieHeaderValue.ParseList(response.Headers.GetValues(HeaderNames.SetCookie).ToList());
+            foreach (var cookie in cookies)
             {
-                options.Wtrealm = "http://Automation1";
-                options.MetadataAddress = "https://login.windows.net/4afbc689-805b-48cf-a24c-d4aa3248a248/federationmetadata/2007-06/federationmetadata.xml";
-                options.BackchannelHttpHandler = new WaadMetadataDocumentHandler();
-                options.StateDataFormat = new CustomStateDataFormat();
-                options.SecurityTokenHandlers = new List<ISecurityTokenValidator>() { new TestSecurityTokenValidator() };
-                options.UseTokenLifetime = false;
-                options.Events = new WsFederationEvents()
+                if (cookie.Value.HasValue)
+                {
+                    request.Headers.Add(HeaderNames.Cookie, new CookieHeaderValue(cookie.Name, cookie.Value).ToString());
+                }
+            }
+        }
+
+        private HttpClient CreateClient(bool allowUnsolicited = false)
+        {
+            var builder = new WebHostBuilder()
+                .Configure(ConfigureApp)
+                .ConfigureServices(services =>
                 {
-                    MessageReceived = context =>
+                    services.AddAuthentication(sharedOptions =>
                     {
-                        if (!context.ProtocolMessage.Parameters.TryGetValue("suppressWctx", out var suppress))
-                        {
-                            Assert.True(context.ProtocolMessage.Wctx.Equals("customValue"), "wctx is not my custom value");
-                        }
-                        context.HttpContext.Items["MessageReceived"] = true;
-                        return Task.FromResult(0);
-                    },
-                    RedirectToIdentityProvider = context =>
+                        sharedOptions.DefaultScheme = CookieAuthenticationDefaults.AuthenticationScheme;
+                        sharedOptions.DefaultSignInScheme = CookieAuthenticationDefaults.AuthenticationScheme;
+                        sharedOptions.DefaultChallengeScheme = WsFederationDefaults.AuthenticationScheme;
+                    })
+                    .AddCookie()
+                    .AddWsFederation(options =>
                     {
-                        if (context.ProtocolMessage.IsSignInMessage)
+                        options.Wtrealm = "http://Automation1";
+                        options.MetadataAddress = "https://login.windows.net/4afbc689-805b-48cf-a24c-d4aa3248a248/federationmetadata/2007-06/federationmetadata.xml";
+                        options.BackchannelHttpHandler = new WaadMetadataDocumentHandler();
+                        options.StateDataFormat = new CustomStateDataFormat();
+                        options.SecurityTokenHandlers = new List<ISecurityTokenValidator>() { new TestSecurityTokenValidator() };
+                        options.UseTokenLifetime = false;
+                        options.AllowUnsolicitedLogins = allowUnsolicited;
+                        options.Events = new WsFederationEvents()
                         {
-                            // Sign in message
-                            context.ProtocolMessage.Wctx = "customValue";
-                        }
+                            MessageReceived = context =>
+                            {
+                                if (!context.ProtocolMessage.Parameters.TryGetValue("suppressWctx", out var suppress))
+                                {
+                                    Assert.True(context.ProtocolMessage.Wctx.Equals("customValue"), "wctx is not my custom value");
+                                }
+                                context.HttpContext.Items["MessageReceived"] = true;
+                                return Task.FromResult(0);
+                            },
+                            RedirectToIdentityProvider = context =>
+                            {
+                                if (context.ProtocolMessage.IsSignInMessage)
+                                {
+                                    // Sign in message
+                                    context.ProtocolMessage.Wctx = "customValue";
+                                }
 
-                        return Task.FromResult(0);
-                    },
-                    SecurityTokenReceived = context =>
-                    {
-                        context.HttpContext.Items["SecurityTokenReceived"] = true;
-                        return Task.FromResult(0);
-                    },
-                    SecurityTokenValidated = context =>
-                    {
-                        Assert.True((bool)context.HttpContext.Items["MessageReceived"], "MessageReceived notification not invoked");
-                        Assert.True((bool)context.HttpContext.Items["SecurityTokenReceived"], "SecurityTokenReceived notification not invoked");
+                                return Task.FromResult(0);
+                            },
+                            SecurityTokenReceived = context =>
+                            {
+                                context.HttpContext.Items["SecurityTokenReceived"] = true;
+                                return Task.FromResult(0);
+                            },
+                            SecurityTokenValidated = context =>
+                            {
+                                Assert.True((bool)context.HttpContext.Items["MessageReceived"], "MessageReceived notification not invoked");
+                                Assert.True((bool)context.HttpContext.Items["SecurityTokenReceived"], "SecurityTokenReceived notification not invoked");
 
-                        if (context.Principal != null)
-                        {
-                            var identity = context.Principal.Identities.Single();
-                            identity.AddClaim(new Claim("ReturnEndpoint", "true"));
-                            identity.AddClaim(new Claim("Authenticated", "true"));
-                            identity.AddClaim(new Claim(identity.RoleClaimType, "Guest", ClaimValueTypes.String));
-                        }
-
-                        return Task.FromResult(0);
-                    },
-                    AuthenticationFailed = context =>
-                    {
-                        context.HttpContext.Items["AuthenticationFailed"] = true;
-                        //Change the request url to something different and skip Wsfed. This new url will handle the request and let us know if this notification was invoked.
-                        context.HttpContext.Request.Path = new PathString("/AuthenticationFailed");
-                        context.SkipHandler();
-                        return Task.FromResult(0);
-                    }
-                };
-            })
-            .AddCookie();
+                                if (context.Principal != null)
+                                {
+                                    var identity = context.Principal.Identities.Single();
+                                    identity.AddClaim(new Claim("ReturnEndpoint", "true"));
+                                    identity.AddClaim(new Claim("Authenticated", "true"));
+                                    identity.AddClaim(new Claim(identity.RoleClaimType, "Guest", ClaimValueTypes.String));
+                                }
+
+                                return Task.FromResult(0);
+                            },
+                            AuthenticationFailed = context =>
+                            {
+                                context.HttpContext.Items["AuthenticationFailed"] = true;
+                                //Change the request url to something different and skip Wsfed. This new url will handle the request and let us know if this notification was invoked.
+                                context.HttpContext.Request.Path = new PathString("/AuthenticationFailed");
+                                context.SkipHandler();
+                                return Task.FromResult(0);
+                            }
+                        };
+                    });
+                });
+            var server = new TestServer(builder);
+            return server.CreateClient();
         }
 
         private void ConfigureApp(IApplicationBuilder app)

Original file line number	Diff line number	Diff line change
`@@ -20,6 +20,7 @@ namespace Microsoft.AspNetCore.Authentication.WsFederation`
`20`	`20`	`/// </summary>`
`21`	`21`	`public class WsFederationHandler : RemoteAuthenticationHandler<WsFederationOptions>, IAuthenticationSignOutHandler`
`22`	`22`	`{`
	`23`	`+ private const string CorrelationProperty = ".xsrf";`
`23`	`24`	`private WsFederationConfiguration _configuration;`
`24`	`25`
`25`	`26`	`/// <summary>`
`@@ -78,6 +79,8 @@ protected override async Task HandleChallengeAsync(AuthenticationProperties prop`
`78`	`79`	`wsFederationMessage.Wreply = BuildRedirectUri(Options.CallbackPath);`
`79`	`80`	`}`
`80`	`81`
	`82`	`+ GenerateCorrelationId(properties);`
	`83`	`+`
`81`	`84`	`var redirectContext = new RedirectContext(Context, Scheme, Options, properties)`
`82`	`85`	`{`
`83`	`86`	`ProtocolMessage = wsFederationMessage`
`@@ -141,12 +144,15 @@ protected override async Task<HandleRequestResult> HandleRemoteAuthenticateAsync`
`141`	`144`	`{`
`142`	`145`	`// Retrieve our cached redirect uri`
`143`	`146`	`var state = wsFederationMessage.Wctx;`
`144`		`- // WsFed allows for uninitiated logins, state may be missing.`
	`147`	`+ // WsFed allows for uninitiated logins, state may be missing. See AllowUnsolicitedLogins.`
`145`	`148`	`var properties = Options.StateDataFormat.Unprotect(state);`
`146`	`149`
`147`	`150`	`if (properties == null)`
`148`	`151`	`{`
`149`		`- properties = new AuthenticationProperties();`
	`152`	`+ if (!Options.AllowUnsolicitedLogins)`
	`153`	`+ {`
	`154`	`+ return HandleRequestResult.Fail("Unsolicited logins are not allowed.");`
	`155`	`+ }`
`150`	`156`	`}`
`151`	`157`	`else`
`152`	`158`	`{`
`@@ -164,6 +170,15 @@ protected override async Task<HandleRequestResult> HandleRemoteAuthenticateAsync`
`164`	`170`	`{`
`165`	`171`	`return messageReceivedContext.Result;`
`166`	`172`	`}`
	`173`	`+ wsFederationMessage = messageReceivedContext.ProtocolMessage;`
	`174`	`+ properties = messageReceivedContext.Properties; // Provides a new instance if not set.`
	`175`	`+`
	`176`	`+ // If state did flow from the challenge then validate it. See AllowUnsolicitedLogins above.`
	`177`	`+ if (properties.Items.TryGetValue(CorrelationProperty, out string correlationId)`
	`178`	`+ && !ValidateCorrelationId(properties))`
	`179`	`+ {`
	`180`	`+ return HandleRequestResult.Fail("Correlation failed.");`
	`181`	`+ }`
`167`	`182`
`168`	`183`	`if (wsFederationMessage.Wresult == null)`
`169`	`184`	`{`
`@@ -187,6 +202,8 @@ protected override async Task<HandleRequestResult> HandleRemoteAuthenticateAsync`
`187`	`202`	`{`
`188`	`203`	`return securityTokenReceivedContext.Result;`
`189`	`204`	`}`
	`205`	`+ wsFederationMessage = securityTokenReceivedContext.ProtocolMessage;`
	`206`	`+ properties = messageReceivedContext.Properties;`
`190`	`207`
`191`	`208`	`if (_configuration == null)`
`192`	`209`	`{`
Original file line number	Diff line number	Diff line change
`@@ -153,5 +153,11 @@ public TokenValidationParameters TokenValidationParameters`
`153`	`153`	`/// The default is true. This should be disabled only in development environments.`
`154`	`154`	`/// </summary>`
`155`	`155`	`public bool RequireHttpsMetadata { get; set; } = true;`
	`156`	`+`
	`157`	`+ /// <summary>`
	`158`	`+ /// The Ws-Federation protocol allows the user to initiate logins without contacting the application for a Challenge first.`
	`159`	`+ /// However, that flow is susceptible to XSRF and other attacks so it is disabled here by default.`
	`160`	`+ /// </summary>`
	`161`	`+ public bool AllowUnsolicitedLogins { get; set; }`
`156`	`162`	`}`
`157`	`163`	`}`