Incorporate CSRF token handling into the GAM security provider.

claudiamurialdo · claudiamurialdo · commit d66fa184897d · 2023-08-07T13:47:00.000-03:00
diff --git a/dotnet/src/dotnetframework/GxClasses/Helpers/HttpHelper.cs b/dotnet/src/dotnetframework/GxClasses/Helpers/HttpHelper.cs
@@ -50,6 +50,7 @@ public class HttpHeader
 		public static string XGXFILENAME = "x-gx-filename";
 		internal static string ACCEPT = "Accept";
 		internal static string TRANSFER_ENCODING = "Transfer-Encoding";
+		internal static string X_GXCSRF_TOKEN= "X-GXCSRF-TOKEN":
 	}
 	internal class HttpHeaderValue
 	{
@@ -91,6 +92,7 @@ public class HttpHelper
 		const string GAM_CODE_OTP_USER_ACCESS_CODE_SENT = "400";
 		const string GAM_CODE_TFA_USER_MUST_VALIDATE = "410";
 		const string GAM_CODE_TOKEN_EXPIRED = "103";
+		const string GAM_CODE_CSRF_INVALID_TOKEN = "550";
 		static Regex CapitalsToTitle = new Regex(@"(?<=[A-Z])(?=[A-Z][a-z]) | (?<=[^A-Z])(?=[A-Z]) | (?<=[A-Za-z])(?=[^A-Za-z])", RegexOptions.IgnorePatternWhitespace);
 
 		const string CORS_MAX_AGE_SECONDS = "86400";
@@ -252,6 +254,10 @@ private static HttpStatusCode GamCodeToHttpStatus(string code, HttpStatusCode de
 			{
 				return HttpStatusCode.Forbidden;
 			}
+			else if (code == GAM_CODE_CSRF_INVALID_TOKEN)
+			{
+				return HttpStatusCode.BadRequest;
+			}
 			return defaultCode;
 		}
 		private static void SetJsonError(HttpContext httpContext, string statusCode, string statusDescription)
diff --git a/dotnet/src/dotnetframework/GxClasses/Security/GxSecurityProvider.cs b/dotnet/src/dotnetframework/GxClasses/Security/GxSecurityProvider.cs
@@ -20,7 +20,9 @@ public class OutData : Dictionary<string, object>
 	public interface ISecurityProvider
 	{
 		GxResult checkaccesstoken(IGxContext context, String token, out bool isOK);
+		GxResult checkaccesstoken(IGxContext context, bool useCSRF_Token, out string CSRF_Token, out bool isOK);
 		GxResult checkaccesstokenprm(IGxContext context, String token, String permissionPrefix, out bool sessionOk, out bool permissionOk);
+		GxResult checkaccesstokenprm(IGxContext context, bool useCSRF_Token, string permissionName, out string CSRF_Token, out bool sessionOk, out bool permission);
 		void checksession(IGxContext context, string CleanAbsoluteUri, out bool isOK);
 		void checksessionprm(IGxContext context, string pathAndQuery, String permissionPrefix, out bool isOK, out bool isPermissionOK);
 		GxResult refreshtoken(IGxContext context, String clientId, String clientSecret, String refreshToken, out OutData outData, out bool flag);
@@ -88,14 +90,25 @@ public GxResult checkaccesstoken(IGxContext context, string token, out bool isOK
 			isOK = false;
 			return new GxResult();
 		}
-
+		public GxResult checkaccesstoken(IGxContext context, bool useCSRF_Token, out string CSRF_Token, out bool isOK)
+		{
+			isOK = false;
+			CSRF_Token = string.Empty;
+			return new GxResult();
+		}
 		public GxResult checkaccesstokenprm(IGxContext context, string token, string permissionPrefix, out bool sessionOk, out bool permissionOk)
 		{
 			permissionOk = false;
 			sessionOk = true;
 			return new GxResult();
 		}
-
+		public GxResult checkaccesstokenprm(IGxContext context, bool useCSRF_Token, string permissionName, out string CSRF_Token, out bool sessionOk, out bool permission)
+		{
+			sessionOk = false;
+			permission = false;
+			CSRF_Token = string.Empty;
+			return new GxResult();
+		}
 		public void checksession(IGxContext context, string CleanAbsoluteUri, out bool isOK)
 		{
 			isOK = false;
diff --git a/dotnet/src/dotnetframework/GxClasses/Services/GXRestServices.cs b/dotnet/src/dotnetframework/GxClasses/Services/GXRestServices.cs
@@ -450,23 +450,37 @@ private bool IsAuthenticated(GAMSecurityLevel objIntegratedSecurityLevel, bool o
 				else
 				{
 					
-					token = token.Replace("OAuth ", "");
+					string CSRFToken;
+					bool useCSRFToken = false;
 					if (objIntegratedSecurityLevel == GAMSecurityLevel.SecurityLow)
 					{
 						bool isOK;
-						GxResult result = GxSecurityProvider.Provider.checkaccesstoken(context, token, out isOK);
+						if (Config.GetValueOf("CSRFToken", out string useCSRFTokenStr) && bool.TryParse(useCSRFTokenStr, out bool useCSRFTokenValue))
+						{
+							useCSRFToken = useCSRFTokenValue;
+						}
+						GxResult result = GxSecurityProvider.Provider.checkaccesstoken(context, useCSRFToken, out CSRFToken, out isOK);
 						if (!isOK)
 						{
 							HttpHelper.SetGamError(httpContext, result.Code, result.Description);
 							return false;
 						}
+						else
+						{
+							if (!string.IsNullOrEmpty(CSRFToken))
+								AddHeader(HttpHeader.X_GXCSRF_TOKEN, CSRFToken);
+						}
+									
 					}
 					else if (objIntegratedSecurityLevel == GAMSecurityLevel.SecurityHigh)
 					{
 						bool sessionOk, permissionOk;
-						GxResult result = GxSecurityProvider.Provider.checkaccesstokenprm(context, token, objPermissionPrefix, out sessionOk, out permissionOk);
+						GxResult result = GxSecurityProvider.Provider.checkaccesstokenprm(context, useCSRFToken, objPermissionPrefix, out CSRFToken, out sessionOk, out permissionOk);
 						if (permissionOk)
 						{
+							if (!string.IsNullOrEmpty(CSRFToken))
+								AddHeader(HttpHeader.X_GXCSRF_TOKEN, CSRFToken);
+
 							return true;
 						}
 						else
diff --git a/dotnet/src/dotnetframework/GxClasses/Services/GxRestWrapper.cs b/dotnet/src/dotnetframework/GxClasses/Services/GxRestWrapper.cs
@@ -567,24 +567,36 @@ protected bool IsAuthenticated(GAMSecurityLevel objIntegratedSecurityLevel, bool
 				}
 				else
 				{
-
+					string CSRFToken;
+					bool useCSRFToken = false;
 					token = token.Replace("OAuth ", "");
 					if (objIntegratedSecurityLevel == GAMSecurityLevel.SecurityLow)
 					{
 						bool isOK;
-						GxResult result = GxSecurityProvider.Provider.checkaccesstoken(_gxContext, token, out isOK);
+						if (Config.GetValueOf("CSRFToken", out string useCSRFTokenStr) && bool.TryParse(useCSRFTokenStr, out bool useCSRFTokenValue))
+						{
+							useCSRFToken = useCSRFTokenValue;
+						}
+						GxResult result = GxSecurityProvider.Provider.checkaccesstoken(_gxContext, useCSRFToken, out CSRFToken, out isOK);
 						if (!isOK)
 						{
 							HttpHelper.SetGamError(_httpContext, result.Code, result.Description);
 							return false;
 						}
+						else
+						{
+							if (!string.IsNullOrEmpty(CSRFToken))
+								AddHeader(HttpHeader.X_GXCSRF_TOKEN, CSRFToken);
+						}
 					}
 					else if (objIntegratedSecurityLevel == GAMSecurityLevel.SecurityHigh)
 					{
 						bool sessionOk, permissionOk;
-						GxResult result = GxSecurityProvider.Provider.checkaccesstokenprm(_gxContext, token, objPermissionPrefix, out sessionOk, out permissionOk);
+						GxResult result = GxSecurityProvider.Provider.checkaccesstokenprm(_gxContext, useCSRFToken, objPermissionPrefix, out CSRFToken, out sessionOk, out permissionOk);
 						if (permissionOk)
 						{
+							if (!string.IsNullOrEmpty(CSRFToken))
+								AddHeader(HttpHeader.X_GXCSRF_TOKEN, CSRFToken);
 							return true;
 						}
 						else

Original file line number	Diff line number	Diff line change
`@@ -50,6 +50,7 @@ public class HttpHeader`
`50`	`50`	`public static string XGXFILENAME = "x-gx-filename";`
`51`	`51`	`internal static string ACCEPT = "Accept";`
`52`	`52`	`internal static string TRANSFER_ENCODING = "Transfer-Encoding";`
	`53`	`+ internal static string X_GXCSRF_TOKEN= "X-GXCSRF-TOKEN":`
`53`	`54`	`}`
`54`	`55`	`internal class HttpHeaderValue`
`55`	`56`	`{`
`@@ -91,6 +92,7 @@ public class HttpHelper`
`91`	`92`	`const string GAM_CODE_OTP_USER_ACCESS_CODE_SENT = "400";`
`92`	`93`	`const string GAM_CODE_TFA_USER_MUST_VALIDATE = "410";`
`93`	`94`	`const string GAM_CODE_TOKEN_EXPIRED = "103";`
	`95`	`+ const string GAM_CODE_CSRF_INVALID_TOKEN = "550";`
`94`	`96`	`static Regex CapitalsToTitle = new Regex(@"(?<=[A-Z])(?=[A-Z][a-z]) \| (?<=[^A-Z])(?=[A-Z]) \| (?<=[A-Za-z])(?=[^A-Za-z])", RegexOptions.IgnorePatternWhitespace);`
`95`	`97`
`96`	`98`	`const string CORS_MAX_AGE_SECONDS = "86400";`
`@@ -252,6 +254,10 @@ private static HttpStatusCode GamCodeToHttpStatus(string code, HttpStatusCode de`
`252`	`254`	`{`
`253`	`255`	`return HttpStatusCode.Forbidden;`
`254`	`256`	`}`
	`257`	`+ else if (code == GAM_CODE_CSRF_INVALID_TOKEN)`
	`258`	`+ {`
	`259`	`+ return HttpStatusCode.BadRequest;`
	`260`	`+ }`
`255`	`261`	`return defaultCode;`
`256`	`262`	`}`
`257`	`263`	`private static void SetJsonError(HttpContext httpContext, string statusCode, string statusDescription)`
Original file line number	Diff line number	Diff line change
`@@ -450,23 +450,37 @@ private bool IsAuthenticated(GAMSecurityLevel objIntegratedSecurityLevel, bool o`
`450`	`450`	`else`
`451`	`451`	`{`
`452`	`452`
`453`		`- token = token.Replace("OAuth ", "");`
	`453`	`+ string CSRFToken;`
	`454`	`+ bool useCSRFToken = false;`
`454`	`455`	`if (objIntegratedSecurityLevel == GAMSecurityLevel.SecurityLow)`
`455`	`456`	`{`
`456`	`457`	`bool isOK;`
`457`		`- GxResult result = GxSecurityProvider.Provider.checkaccesstoken(context, token, out isOK);`
	`458`	`+ if (Config.GetValueOf("CSRFToken", out string useCSRFTokenStr) && bool.TryParse(useCSRFTokenStr, out bool useCSRFTokenValue))`
	`459`	`+ {`
	`460`	`+ useCSRFToken = useCSRFTokenValue;`
	`461`	`+ }`
	`462`	`+ GxResult result = GxSecurityProvider.Provider.checkaccesstoken(context, useCSRFToken, out CSRFToken, out isOK);`
`458`	`463`	`if (!isOK)`
`459`	`464`	`{`
`460`	`465`	`HttpHelper.SetGamError(httpContext, result.Code, result.Description);`
`461`	`466`	`return false;`
`462`	`467`	`}`
	`468`	`+ else`
	`469`	`+ {`
	`470`	`+ if (!string.IsNullOrEmpty(CSRFToken))`
	`471`	`+ AddHeader(HttpHeader.X_GXCSRF_TOKEN, CSRFToken);`
	`472`	`+ }`
	`473`	`+`
`463`	`474`	`}`
`464`	`475`	`else if (objIntegratedSecurityLevel == GAMSecurityLevel.SecurityHigh)`
`465`	`476`	`{`
`466`	`477`	`bool sessionOk, permissionOk;`
`467`		`- GxResult result = GxSecurityProvider.Provider.checkaccesstokenprm(context, token, objPermissionPrefix, out sessionOk, out permissionOk);`
	`478`	`+ GxResult result = GxSecurityProvider.Provider.checkaccesstokenprm(context, useCSRFToken, objPermissionPrefix, out CSRFToken, out sessionOk, out permissionOk);`
`468`	`479`	`if (permissionOk)`
`469`	`480`	`{`
	`481`	`+ if (!string.IsNullOrEmpty(CSRFToken))`
	`482`	`+ AddHeader(HttpHeader.X_GXCSRF_TOKEN, CSRFToken);`
	`483`	`+`
`470`	`484`	`return true;`
`471`	`485`	`}`
`472`	`486`	`else`
Original file line number	Diff line number	Diff line change
`@@ -567,24 +567,36 @@ protected bool IsAuthenticated(GAMSecurityLevel objIntegratedSecurityLevel, bool`
`567`	`567`	`}`
`568`	`568`	`else`
`569`	`569`	`{`
`570`		`-`
	`570`	`+ string CSRFToken;`
	`571`	`+ bool useCSRFToken = false;`
`571`	`572`	`token = token.Replace("OAuth ", "");`
`572`	`573`	`if (objIntegratedSecurityLevel == GAMSecurityLevel.SecurityLow)`
`573`	`574`	`{`
`574`	`575`	`bool isOK;`
`575`		`- GxResult result = GxSecurityProvider.Provider.checkaccesstoken(_gxContext, token, out isOK);`
	`576`	`+ if (Config.GetValueOf("CSRFToken", out string useCSRFTokenStr) && bool.TryParse(useCSRFTokenStr, out bool useCSRFTokenValue))`
	`577`	`+ {`
	`578`	`+ useCSRFToken = useCSRFTokenValue;`
	`579`	`+ }`
	`580`	`+ GxResult result = GxSecurityProvider.Provider.checkaccesstoken(_gxContext, useCSRFToken, out CSRFToken, out isOK);`
`576`	`581`	`if (!isOK)`
`577`	`582`	`{`
`578`	`583`	`HttpHelper.SetGamError(_httpContext, result.Code, result.Description);`
`579`	`584`	`return false;`
`580`	`585`	`}`
	`586`	`+ else`
	`587`	`+ {`
	`588`	`+ if (!string.IsNullOrEmpty(CSRFToken))`
	`589`	`+ AddHeader(HttpHeader.X_GXCSRF_TOKEN, CSRFToken);`
	`590`	`+ }`
`581`	`591`	`}`
`582`	`592`	`else if (objIntegratedSecurityLevel == GAMSecurityLevel.SecurityHigh)`
`583`	`593`	`{`
`584`	`594`	`bool sessionOk, permissionOk;`
`585`		`- GxResult result = GxSecurityProvider.Provider.checkaccesstokenprm(_gxContext, token, objPermissionPrefix, out sessionOk, out permissionOk);`
	`595`	`+ GxResult result = GxSecurityProvider.Provider.checkaccesstokenprm(_gxContext, useCSRFToken, objPermissionPrefix, out CSRFToken, out sessionOk, out permissionOk);`
`586`	`596`	`if (permissionOk)`
`587`	`597`	`{`
	`598`	`+ if (!string.IsNullOrEmpty(CSRFToken))`
	`599`	`+ AddHeader(HttpHeader.X_GXCSRF_TOKEN, CSRFToken);`
`588`	`600`	`return true;`
`589`	`601`	`}`
`590`	`602`	`else`