// Admin.NET 项目的版权、商标、专利和其他相关权利均受相应法律法规的保护。使用本项目应遵守相关法律法规和许可证的要求。 // // 本项目主要遵循 MIT 许可证和 Apache 许可证(版本 2.0)进行分发和使用。许可证位于源代码树根目录中的 LICENSE-MIT 和 LICENSE-APACHE 文件。 // // 不得利用本项目从事危害国家安全、扰乱社会秩序、侵犯他人合法权益等法律法规禁止的活动!任何基于本项目二次开发而产生的一切法律纠纷和责任,我们不承担任何责任! using Microsoft.AspNetCore.Authentication; using System.Security.Claims; using System.Security.Cryptography; using System.Text.Encodings.Web; namespace Admin.NET.Core; /// /// Signature 身份验证处理 /// public sealed class SignatureAuthenticationHandler : AuthenticationHandler { #if NET6_0 public SignatureAuthenticationHandler(IOptionsMonitor options, ILoggerFactory logger, UrlEncoder encoder, ISystemClock clock) : base(options, logger, encoder, clock) { } #else public SignatureAuthenticationHandler(IOptionsMonitor options, ILoggerFactory logger, UrlEncoder encoder) : base(options, logger, encoder) { } #endif private readonly SysCacheService _sysCacheService = App.GetRequiredService(); private new SignatureAuthenticationEvent Events { get => (SignatureAuthenticationEvent)base.Events; set => base.Events = value; } /// /// 确保创建的 Event 类型是 DigestEvents /// /// protected override Task CreateEventsAsync() => throw new NotImplementedException($"{nameof(SignatureAuthenticationOptions)}.{nameof(SignatureAuthenticationOptions.Events)} 需要提供一个实例"); protected override async Task HandleAuthenticateAsync() { var accessKey = Request.Headers["accessKey"].FirstOrDefault(); var timestampStr = Request.Headers["timestamp"].FirstOrDefault(); // 精确到秒 var nonce = Request.Headers["nonce"].FirstOrDefault(); var sign = Request.Headers["sign"].FirstOrDefault(); if (string.IsNullOrEmpty(accessKey)) return await AuthenticateResultFailAsync("accessKey 不能为空"); if (string.IsNullOrEmpty(timestampStr)) return await AuthenticateResultFailAsync("timestamp 不能为空"); if (string.IsNullOrEmpty(nonce)) return await AuthenticateResultFailAsync("nonce 不能为空"); if (string.IsNullOrEmpty(sign)) return await AuthenticateResultFailAsync("sign 不能为空"); // 验证请求数据是否在可接受的时间内 if (!long.TryParse(timestampStr, out var timestamp)) return await AuthenticateResultFailAsync("timestamp 值不合法"); var requestDate = DateTimeUtil.ConvertUnixTime(timestamp); #if NET6_0 var utcNow = Clock.UtcNow; #else var utcNow = TimeProvider.GetUtcNow(); #endif if (requestDate > utcNow.Add(Options.AllowedDateDrift).LocalDateTime || requestDate < utcNow.Subtract(Options.AllowedDateDrift).LocalDateTime) return await AuthenticateResultFailAsync("timestamp 值已超过允许的偏差范围"); // 获取 accessSecret var getAccessSecretContext = new GetAccessSecretContext(Context, Scheme, Options) { AccessKey = accessKey }; var accessSecret = await Events.GetAccessSecret(getAccessSecretContext); if (string.IsNullOrEmpty(accessSecret)) return await AuthenticateResultFailAsync("accessKey 无效"); // 校验签名 var appSecretByte = Encoding.UTF8.GetBytes(accessSecret); string serverSign = SignData(appSecretByte, GetMessageForSign(Context)); if (serverSign != sign) return await AuthenticateResultFailAsync("sign 无效的签名"); // 重放检测 var cacheKey = $"{CacheConst.KeyOpenAccessNonce}{accessKey}|{nonce}"; if (_sysCacheService.ExistKey(cacheKey)) return await AuthenticateResultFailAsync("重复的请求"); _sysCacheService.Set(cacheKey, null, Options.AllowedDateDrift * 2); // 缓存过期时间为偏差范围时间的2倍 // 已验证成功 var signatureValidatedContext = new SignatureValidatedContext(Context, Scheme, Options) { Principal = new ClaimsPrincipal(new ClaimsIdentity(SignatureAuthenticationDefaults.AuthenticationScheme)), AccessKey = accessKey }; await Events.Validated(signatureValidatedContext); // ReSharper disable once ConditionIsAlwaysTrueOrFalse if (signatureValidatedContext.Result != null) return signatureValidatedContext.Result; // ReSharper disable once HeuristicUnreachableCode signatureValidatedContext.Success(); return signatureValidatedContext.Result; } protected override async Task HandleChallengeAsync(AuthenticationProperties properties) { var authResult = await HandleAuthenticateOnceSafeAsync(); var challengeContext = new SignatureChallengeContext(Context, Scheme, Options, properties) { AuthenticateFailure = authResult.Failure, }; await Events.Challenge(challengeContext); // 质询已处理 if (challengeContext.Handled) return; await base.HandleChallengeAsync(properties); } /// /// 获取用于签名的消息 /// /// private static string GetMessageForSign(HttpContext context) { var method = context.Request.Method; // 请求方法(大写) var url = context.Request.Path; // 请求 url,去除协议、域名、参数,以 / 开头 var accessKey = context.Request.Headers["accessKey"].FirstOrDefault(); // 身份标识 var timestamp = context.Request.Headers["timestamp"].FirstOrDefault(); // 时间戳,精确到秒 var nonce = context.Request.Headers["nonce"].FirstOrDefault(); // 唯一随机数 return $"{method}&{url}&{accessKey}&{timestamp}&{nonce}"; } /// /// 对数据进行签名 /// /// /// /// private static string SignData(byte[] secret, string data) { if (secret == null) throw new ArgumentNullException(nameof(secret)); if (data == null) throw new ArgumentNullException(nameof(data)); using HMAC hmac = new HMACSHA256(); hmac.Key = secret; return Convert.ToBase64String(hmac.ComputeHash(Encoding.UTF8.GetBytes(data))); } /// /// 返回验证失败结果,并在 Items 中增加 ,记录身份验证失败消息 /// /// /// private Task AuthenticateResultFailAsync(string message) { // 写入身份验证失败消息 Context.Items[SignatureAuthenticationDefaults.AuthenticateFailMsgKey] = message; return Task.FromResult(AuthenticateResult.Fail(message)); } }