diff --git a/OpenIddict.sln b/OpenIddict.sln index 49bf3dab..694dafa7 100644 --- a/OpenIddict.sln +++ b/OpenIddict.sln @@ -1,7 +1,7 @@  Microsoft Visual Studio Solution File, Format Version 12.00 # Visual Studio 14 -VisualStudioVersion = 14.0.23107.0 +VisualStudioVersion = 14.0.25123.0 MinimumVisualStudioVersion = 10.0.40219.1 Project("{8BB2217D-0F2D-49D1-97BC-3654ED321F3B}") = "OpenIddict", "src\OpenIddict\OpenIddict.xproj", "{80A8D6CE-C29A-4602-9844-D51FEF9C33C8}" EndProject @@ -23,10 +23,6 @@ Project("{8BB2217D-0F2D-49D1-97BC-3654ED321F3B}") = "OpenIddict.Core", "src\Open EndProject Project("{8BB2217D-0F2D-49D1-97BC-3654ED321F3B}") = "OpenIddict.Mvc", "src\OpenIddict.Mvc\OpenIddict.Mvc.xproj", "{7AE46E2F-E93B-4FF9-B941-6CD7A3E1BF84}" EndProject -Project("{2150E333-8FDC-42A3-9474-1A3956D46DE8}") = "external", "external", "{DE26CC68-28BA-44BB-B28E-43B949C6C606}" -EndProject -Project("{8BB2217D-0F2D-49D1-97BC-3654ED321F3B}") = "NWebsec", "external\NWebsec\NWebsec.xproj", "{38C8E88F-1D01-466F-B47D-6D67F13C1594}" -EndProject Project("{8BB2217D-0F2D-49D1-97BC-3654ED321F3B}") = "OpenIddict.Security", "src\OpenIddict.Security\OpenIddict.Security.xproj", "{3744B1BC-3498-4958-B020-B2688A78B989}" EndProject Global @@ -67,10 +63,6 @@ Global {7AE46E2F-E93B-4FF9-B941-6CD7A3E1BF84}.Debug|Any CPU.Build.0 = Debug|Any CPU {7AE46E2F-E93B-4FF9-B941-6CD7A3E1BF84}.Release|Any CPU.ActiveCfg = Release|Any CPU {7AE46E2F-E93B-4FF9-B941-6CD7A3E1BF84}.Release|Any CPU.Build.0 = Release|Any CPU - {38C8E88F-1D01-466F-B47D-6D67F13C1594}.Debug|Any CPU.ActiveCfg = Debug|Any CPU - {38C8E88F-1D01-466F-B47D-6D67F13C1594}.Debug|Any CPU.Build.0 = Debug|Any CPU - {38C8E88F-1D01-466F-B47D-6D67F13C1594}.Release|Any CPU.ActiveCfg = Release|Any CPU - {38C8E88F-1D01-466F-B47D-6D67F13C1594}.Release|Any CPU.Build.0 = Release|Any CPU {3744B1BC-3498-4958-B020-B2688A78B989}.Debug|Any CPU.ActiveCfg = Debug|Any CPU {3744B1BC-3498-4958-B020-B2688A78B989}.Debug|Any CPU.Build.0 = Debug|Any CPU {3744B1BC-3498-4958-B020-B2688A78B989}.Release|Any CPU.ActiveCfg = Release|Any CPU @@ -88,7 +80,6 @@ Global {D2450929-ED0E-420D-B475-327924F9701C} = {D544447C-D701-46BB-9A5B-C76C612A596B} {E60CF8CA-6313-4359-BE43-AFCBB927EA30} = {D544447C-D701-46BB-9A5B-C76C612A596B} {7AE46E2F-E93B-4FF9-B941-6CD7A3E1BF84} = {D544447C-D701-46BB-9A5B-C76C612A596B} - {38C8E88F-1D01-466F-B47D-6D67F13C1594} = {DE26CC68-28BA-44BB-B28E-43B949C6C606} {3744B1BC-3498-4958-B020-B2688A78B989} = {D544447C-D701-46BB-9A5B-C76C612A596B} EndGlobalSection EndGlobal diff --git a/external/NWebsec/ApplicationBuilderExtensions.cs b/external/NWebsec/ApplicationBuilderExtensions.cs deleted file mode 100644 index d64f25b0..00000000 --- a/external/NWebsec/ApplicationBuilderExtensions.cs +++ /dev/null @@ -1,197 +0,0 @@ -// Copyright (c) André N. Klingsheim. See License.txt in the project root for license information. - -using System; -using NWebsec.Core.HttpHeaders.Configuration.Validation; -using NWebsec.Middleware; -using NWebsec.Middleware.Middleware; - -// ReSharper disable once CheckNamespace -namespace Microsoft.AspNetCore.Builder -{ - public static class ApplicationBuilderExtensions - { - /// - /// Adds a middleware to the pipeline that validates redirects. - /// - /// The to which the middleware is added. - /// The supplied in the app parameter. - public static IApplicationBuilder UseRedirectValidation(this IApplicationBuilder app) - { - if (app == null) throw new ArgumentNullException(nameof(app)); - - var options = new RedirectValidationOptions(); - return app.UseMiddleware(options); - } - - /// - /// Adds a middleware to the ASP.NET pipeline that validates redirects. - /// - /// The to which the middleware is added. - /// An that configures the options for the middleware. - /// The supplied in the app parameter. - public static IApplicationBuilder UseRedirectValidation(this IApplicationBuilder app, Action configurer) - { - if (app == null) throw new ArgumentNullException(nameof(app)); - if (configurer == null) throw new ArgumentNullException(nameof(configurer)); - - var options = new RedirectValidationOptions(); - configurer(options); - return app.UseMiddleware(options); - } - - /// - /// Adds a middleware to the ASP.NET pipeline that sets the Strict-Transport-Security header. - /// - /// The to which the middleware is added. - /// An that configures the options for the middleware. - /// The supplied in the app parameter. - public static IApplicationBuilder UseHsts(this IApplicationBuilder app, Action configurer) - { - if (app == null) throw new ArgumentNullException(nameof(app)); - if (configurer == null) throw new ArgumentNullException(nameof(configurer)); - - var options = new HstsOptions(); - configurer(options); - new HstsConfigurationValidator().Validate(options); - return app.UseMiddleware(options); - } - - /// - /// Adds a middleware to the ASP.NET pipeline that sets the Public-Key-Pins header. - /// - /// The to which the middleware is added. - /// An that configures the options for the middleware. - /// The supplied in the app parameter. - public static IApplicationBuilder UseHpkp(this IApplicationBuilder app, Action configurer) - { - if (app == null) throw new ArgumentNullException(nameof(app)); - if (configurer == null) throw new ArgumentNullException(nameof(configurer)); - - var options = new HpkpOptions(); - configurer(options); - new HpkpConfigurationValidator().ValidateNumberOfPins(options.Config); - return app.UseMiddleware(options, false); - } - - /// - /// Adds a middleware to the ASP.NET pipeline that sets the Public-Key-Pins-Report-Only header. - /// - /// The to which the middleware is added. - /// An that configures the options for the middleware. - /// The supplied in the app parameter. - public static IApplicationBuilder UseHpkpReportOnly(this IApplicationBuilder app, Action configurer) - { - if (app == null) throw new ArgumentNullException(nameof(app)); - if (configurer == null) throw new ArgumentNullException(nameof(configurer)); - - var options = new HpkpOptions(); - configurer(options); - new HpkpConfigurationValidator().ValidateNumberOfPins(options.Config); - return app.UseMiddleware(options, true); - } - - /// - /// Adds a middleware to the ASP.NET pipeline that sets the X-Content-Type-Options header. - /// - /// The to which the middleware is added. - /// The supplied in the app parameter. - public static IApplicationBuilder UseXContentTypeOptions(this IApplicationBuilder app) - { - if (app == null) throw new ArgumentNullException(nameof(app)); - - return app.UseMiddleware(); - } - - /// - /// Adds a middleware to the ASP.NET pipeline that sets the X-Download-Options header. - /// - /// The to which the middleware is added. - /// The supplied in the app parameter. - public static IApplicationBuilder UseXDownloadOptions(this IApplicationBuilder app) - { - if (app == null) throw new ArgumentNullException(nameof(app)); - - return app.UseMiddleware(); - } - - /// - /// Adds a middleware to the ASP.NET pipeline that sets the X-Frame-Options header. - /// - /// The to which the middleware is added. - /// An that configures the options for the middleware. - /// The supplied in the app parameter. - public static IApplicationBuilder UseXfo(this IApplicationBuilder app, Action configurer) - { - if (app == null) throw new ArgumentNullException(nameof(app)); - if (configurer == null) throw new ArgumentNullException(nameof(configurer)); - - var options = new XFrameOptions(); - configurer(options); - return app.UseMiddleware(options); - } - - /// - /// Adds a middleware to the ASP.NET pipeline that sets the X-Robots-Tag header. - /// - /// The to which the middleware is added. - /// An that configures the options for the middleware. - /// The supplied in the app parameter. - public static IApplicationBuilder UseXRobotsTag(this IApplicationBuilder app, Action configurer) - { - if (app == null) throw new ArgumentNullException(nameof(app)); - if (configurer == null) throw new ArgumentNullException(nameof(configurer)); - - var options = new XRobotsTagOptions(); - configurer(options); - return app.UseMiddleware(options); - } - - /// - /// Adds a middleware to the ASP.NET pipeline that sets the X-Xss-Protection header. - /// - /// The to which the middleware is added. - /// An that configures the options for the middleware. - /// The supplied in the app parameter. - public static IApplicationBuilder UseXXssProtection(this IApplicationBuilder app, Action configurer) - { - if (app == null) throw new ArgumentNullException(nameof(app)); - if (configurer == null) throw new ArgumentNullException(nameof(configurer)); - - var options = new XXssProtectionOptions(); - configurer(options); - return app.UseMiddleware(options); - } - - /// - /// Adds a middleware to the ASP.NET pipeline that sets the Content-Security-Policy header. - /// - /// The to which the middleware is added. - /// An that configures the options for the middleware. - /// The supplied in the app parameter. - public static IApplicationBuilder UseCsp(this IApplicationBuilder app, Action configurer) - { - if (app == null) throw new ArgumentNullException(nameof(app)); - if (configurer == null) throw new ArgumentNullException(nameof(configurer)); - - var options = new CspOptions(); - configurer(options); - return app.UseMiddleware(options, false); //Last param indicates it's not reportOnly. - } - - /// - /// Adds a middleware to the ASP.NET pipeline that sets the Content-Security-Policy-Report-Only header. - /// - /// The to which the middleware is added. - /// An that configures the options for the middleware. - /// The supplied in the app parameter. - public static IApplicationBuilder UseCspReportOnly(this IApplicationBuilder app, Action configurer) - { - if (app == null) throw new ArgumentNullException(nameof(app)); - if (configurer == null) throw new ArgumentNullException(nameof(configurer)); - - var options = new CspOptions(); - configurer(options); - return app.UseMiddleware(options, true); //Last param indicates it's reportOnly. - } - } -} \ No newline at end of file diff --git a/external/NWebsec/Core/OwinEnvironment.cs b/external/NWebsec/Core/OwinEnvironment.cs deleted file mode 100644 index fc72d5b7..00000000 --- a/external/NWebsec/Core/OwinEnvironment.cs +++ /dev/null @@ -1,49 +0,0 @@ -// Copyright (c) André N. Klingsheim. See License.txt in the project root for license information. - -using System.Collections.Generic; -using NWebsec.Core; - -namespace NWebsec.Middleware.Core -{ - //TODO Get rid of these? - internal class OwinEnvironment - { - private readonly IDictionary _environment; - - internal OwinEnvironment(IDictionary env) - { - _environment = env; - RequestHeaders = new RequestHeaders((IDictionary)_environment[OwinKeys.RequestHeaders]); - ResponseHeaders = new ResponseHeaders((IDictionary)_environment[OwinKeys.ResponseHeaders]); - } - - internal string RequestScheme => (string)_environment[OwinKeys.RequestScheme]; - - internal string RequestPathBase => (string)_environment[OwinKeys.RequestPathBase]; - - internal string RequestPath => (string)_environment[OwinKeys.RequestPath]; - - internal int ResponseStatusCode - { - get { return (int)_environment[OwinKeys.ResponseStatusCode]; } - set { _environment[OwinKeys.ResponseStatusCode] = value; } - } - - internal RequestHeaders RequestHeaders { get; private set; } - - internal ResponseHeaders ResponseHeaders { get; private set; } - - internal NWebsecContext NWebsecContext - { - get - { - if (!_environment.ContainsKey(NWebsecContext.ContextKey)) - { - _environment[NWebsecContext.ContextKey] = new NWebsecContext(); - } - - return _environment[NWebsecContext.ContextKey] as NWebsecContext; - } - } - } -} \ No newline at end of file diff --git a/external/NWebsec/Core/OwinKeys.cs b/external/NWebsec/Core/OwinKeys.cs deleted file mode 100644 index 10969705..00000000 --- a/external/NWebsec/Core/OwinKeys.cs +++ /dev/null @@ -1,28 +0,0 @@ -// Copyright (c) André N. Klingsheim. See License.txt in the project root for license information. - -namespace NWebsec.Middleware.Core -{ - internal static class OwinKeys - { - //Request - internal static string RequestBody = "owin.RequestBody"; - internal static string RequestHeaders = "owin.RequestHeaders"; - internal static string RequestMethod = "owin.RequestMethod"; - internal static string RequestPath = "owin.RequestPath"; - internal static string RequestPathBase = "owin.RequestPathBase"; - internal static string RequestProtocol = "owin.RequestProtocol"; - internal static string RequestQueryString = "owin.RequestQueryString"; - internal static string RequestScheme = "owin.RequestScheme"; - - //Response - internal static string ResponseBody = "owin.ResponseBody"; - internal static string ResponseHeaders = "owin.ResponseHeaders"; - internal static string ResponseStatusCode = "owin.ResponseStatusCode"; - internal static string ResponseReasonPhrase = "owin.ResponseReasonPhrase"; - internal static string ResponseProtocol = "owin.ResponseProtocol"; - - //Other - internal static string CallCancelled = "owin.CallCancelled"; - internal static string Version = "owin.Version"; - } -} \ No newline at end of file diff --git a/external/NWebsec/Core/RequestHeaders.cs b/external/NWebsec/Core/RequestHeaders.cs deleted file mode 100644 index 04175151..00000000 --- a/external/NWebsec/Core/RequestHeaders.cs +++ /dev/null @@ -1,44 +0,0 @@ -// Copyright (c) André N. Klingsheim. See License.txt in the project root for license information. - -using System; -using System.Collections.Generic; -using System.Linq; - -namespace NWebsec.Middleware.Core -{ - internal class RequestHeaders - { - private readonly IDictionary _headers; - - internal RequestHeaders(IDictionary headers) - { - _headers = headers; - } - - public string Host - { - get - { - try - { - return _headers.ContainsKey("Host") ? _headers["Host"].Single() : null; - } - catch (Exception) - { - throw new Exception("Multiple Host headers detected: " + String.Join(" ", _headers["Host"])); - } - } - } - - /// - /// Gets the value of a header - /// - /// - /// The header's values as a comma separated list, null if the header is not set. - public string GetHeaderValue(string headername) - { - string[] values; - return _headers.TryGetValue(headername, out values) ? String.Join(",", values) : null; - } - } -} \ No newline at end of file diff --git a/external/NWebsec/Core/ResponseHeaders.cs b/external/NWebsec/Core/ResponseHeaders.cs deleted file mode 100644 index b595d89c..00000000 --- a/external/NWebsec/Core/ResponseHeaders.cs +++ /dev/null @@ -1,47 +0,0 @@ -// Copyright (c) André N. Klingsheim. See License.txt in the project root for license information. - -using System; -using System.Collections.Generic; -using System.Linq; - -namespace NWebsec.Middleware.Core -{ - internal class ResponseHeaders - { - private readonly IDictionary _headers; - - internal ResponseHeaders(IDictionary headers) - { - _headers = headers; - } - - /// - /// Gets the value of the Location header if present. Otherwise returns null. - /// - public string Location - { - get - { - try - { - return _headers.ContainsKey("Location") ? _headers["Location"].Single() : null; - } - catch (Exception) - { - throw new Exception("Multiple Location headers detected: " + String.Join(" ", _headers["Location"])); - } - } - set { _headers["Location"] = new[] { value }; } - } - - internal void SetHeader(string name, string value) - { - _headers[name] = new[] { value }; - } - - internal void RemoveHeader(string name) - { - _headers.Remove(name); - } - } -} \ No newline at end of file diff --git a/external/NWebsec/CspDirective.cs b/external/NWebsec/CspDirective.cs deleted file mode 100644 index 9a732a43..00000000 --- a/external/NWebsec/CspDirective.cs +++ /dev/null @@ -1,37 +0,0 @@ -// Copyright (c) André N. Klingsheim. See License.txt in the project root for license information. - -using System.Collections.Generic; -using System.ComponentModel; -using NWebsec.Core.HttpHeaders.Configuration; - -namespace NWebsec.Middleware -{ - public class CspDirective : ICspDirectiveConfiguration - { - public CspDirective() - { - Enabled = true; - } - - [EditorBrowsable(EditorBrowsableState.Never)] - public bool Enabled { get; set; } - - [EditorBrowsable(EditorBrowsableState.Never)] - public bool NoneSrc { get; set; } - - [EditorBrowsable(EditorBrowsableState.Never)] - public bool SelfSrc { get; set; } - - [EditorBrowsable(EditorBrowsableState.Never)] - public bool UnsafeInlineSrc { get; set; } - - [EditorBrowsable(EditorBrowsableState.Never)] - public bool UnsafeEvalSrc { get; set; } - - [EditorBrowsable(EditorBrowsableState.Never)] - public string Nonce { get; set; } - - [EditorBrowsable(EditorBrowsableState.Never)] - public IEnumerable CustomSources { get; set; } - } -} \ No newline at end of file diff --git a/external/NWebsec/CspDirectiveExtensions.cs b/external/NWebsec/CspDirectiveExtensions.cs deleted file mode 100644 index 698fa063..00000000 --- a/external/NWebsec/CspDirectiveExtensions.cs +++ /dev/null @@ -1,114 +0,0 @@ -// Copyright (c) André N. Klingsheim. See License.txt in the project root for license information. - -using System; -using System.Linq; -using NWebsec.Core.HttpHeaders.Configuration; -using NWebsec.Core.HttpHeaders.Csp; - -namespace NWebsec.Middleware -{ - public static class CspDirectiveExtensions - { - /// - /// Sets the "none" source for the CSP directive. This source cannot be combined with other sources on a CSP directive. - /// - /// The type of the CSP directive configuration object. - /// The CSP directive configuration object. - /// Thrown when sources have already been configured for the directive. - public static void None(this T directive) where T : class, ICspDirectiveBasicConfiguration - { - if (directive == null) throw new ArgumentNullException("directive"); - - ValidateBeforeSettingNoneSource(directive); - directive.NoneSrc = true; - } - - /// - /// Sets the "self" source for the CSP directive. - /// - /// The type of the CSP directive configuration object. - /// The CSP directive configuration object. - /// The CSP directive configuration object. - public static T Self(this T directive) where T : class, ICspDirectiveBasicConfiguration - { - if (directive == null) throw new ArgumentNullException("directive"); - - directive.SelfSrc = true; - return directive; - } - - /// - /// Sets custom sources for the CSP directive. - /// - /// The type of the CSP directive configuration object. - /// The CSP directive configuration object. - /// One or more custom sources. - /// The CSP directive configuration object. - public static T CustomSources(this T directive, params string[] sources) where T : class, ICspDirectiveBasicConfiguration - { - if (directive == null) throw new ArgumentNullException("directive"); - if (sources.Length == 0) throw new ArgumentException("You must supply at least one source.", "sources"); - - try - { - directive.CustomSources = sources.Select(s => CspUriSource.Parse(s).ToString()).ToArray(); - } - catch (InvalidCspSourceException e) - { - throw new ArgumentException("Invalid source. Details: " + e.Message, "sources", e); - } - - return directive; - } - - /// - /// Sets the "unsafe-inline" source for the CSP directive. - /// - /// The type of the CSP directive configuration object. - /// The CSP directive configuration object. - /// The CSP directive configuration object. - public static T UnsafeInline(this T directive) where T : class, ICspDirectiveUnsafeInlineConfiguration - { - if (directive == null) throw new ArgumentNullException("directive"); - - directive.UnsafeInlineSrc = true; - return directive; - } - - /// - /// Sets the "unsafe-eval" source for the CSP directive. - /// - /// The type of the CSP directive configuration object. - /// The CSP directive configuration object. - /// The CSP directive configuration object. - public static T UnsafeEval(this T directive) where T : class, ICspDirectiveConfiguration - { - if (directive == null) throw new ArgumentNullException("directive"); - - directive.UnsafeEvalSrc = true; - return directive; - } - - private static void ValidateBeforeSettingNoneSource(ICspDirectiveBasicConfiguration directive) - { - if (directive.SelfSrc || (directive.CustomSources != null && directive.CustomSources.Any())) - { - throw new InvalidOperationException("It is a logical error to combine the \"None\" source with other sources."); - } - - var unsafeInline = directive as ICspDirectiveUnsafeInlineConfiguration; - - if (unsafeInline != null && unsafeInline.UnsafeInlineSrc) - { - throw new InvalidOperationException("It is a logical error to combine the \"None\" source with other sources."); - } - - var unsafeEval = directive as ICspDirectiveConfiguration; - - if (unsafeEval != null && unsafeEval.UnsafeEvalSrc) - { - throw new InvalidOperationException("It is a logical error to combine the \"None\" source with other sources."); - } - } - } -} \ No newline at end of file diff --git a/external/NWebsec/CspOptions.cs b/external/NWebsec/CspOptions.cs deleted file mode 100644 index 4857726f..00000000 --- a/external/NWebsec/CspOptions.cs +++ /dev/null @@ -1,161 +0,0 @@ -// Copyright (c) André N. Klingsheim. See License.txt in the project root for license information. - -using System; -using NWebsec.Core.HttpHeaders.Configuration; - -namespace NWebsec.Middleware -{ - public class CspOptions : ICspConfiguration, IFluentCspOptions - { - public bool Enabled { get; set; } = true; - - public ICspDirectiveConfiguration DefaultSrcDirective { get; set; } = new CspDirective(); - - public ICspDirectiveConfiguration ScriptSrcDirective { get; set; } = new CspDirective(); - - public ICspDirectiveConfiguration ObjectSrcDirective { get; set; } = new CspDirective(); - - public ICspDirectiveConfiguration StyleSrcDirective { get; set; } = new CspDirective(); - - public ICspDirectiveConfiguration ImgSrcDirective { get; set; } = new CspDirective(); - - public ICspDirectiveConfiguration MediaSrcDirective { get; set; } = new CspDirective(); - - public ICspDirectiveConfiguration FrameSrcDirective { get; set; } = new CspDirective(); - - public ICspDirectiveConfiguration FontSrcDirective { get; set; } = new CspDirective(); - - public ICspDirectiveConfiguration ConnectSrcDirective { get; set; } = new CspDirective(); - - public ICspDirectiveConfiguration BaseUriDirective { get; set; } = new CspDirective(); - - public ICspDirectiveConfiguration ChildSrcDirective { get; set; } = new CspDirective(); - - public ICspDirectiveConfiguration FormActionDirective { get; set; } = new CspDirective(); - - public ICspDirectiveConfiguration FrameAncestorsDirective { get; set; } = new CspDirective(); - - public ICspPluginTypesDirectiveConfiguration PluginTypesDirective { get; set; } = new FluentCspPluginTypesDirective(); - - public ICspSandboxDirectiveConfiguration SandboxDirective { get; set; } = new FluentCspSandboxDirective(); - - public ICspUpgradeDirectiveConfiguration UpgradeInsecureRequestsDirective { get; set; } = new CspUpgradeDirectiveConfiguration(); - - public ICspReportUriDirectiveConfiguration ReportUriDirective { get; set; } = new CspReportUriDirective(); - - public IFluentCspOptions DefaultSources(Action configurer) - { - configurer(DefaultSrcDirective); - return this; - } - - public IFluentCspOptions ScriptSources(Action configurer) - { - configurer(ScriptSrcDirective); - return this; - } - - public IFluentCspOptions ObjectSources(Action configurer) - { - configurer(ObjectSrcDirective); - return this; - } - - public IFluentCspOptions StyleSources(Action configurer) - { - configurer(StyleSrcDirective); - return this; - } - - public IFluentCspOptions ImageSources(Action configurer) - { - configurer(ImgSrcDirective); - return this; - } - - public IFluentCspOptions MediaSources(Action configurer) - { - configurer(MediaSrcDirective); - return this; - } - - public IFluentCspOptions FrameSources(Action configurer) - { - configurer(FrameSrcDirective); - return this; - } - - public IFluentCspOptions FontSources(Action configurer) - { - configurer(FontSrcDirective); - return this; - } - - public IFluentCspOptions ConnectSources(Action configurer) - { - configurer(ConnectSrcDirective); - return this; - } - - public IFluentCspOptions BaseUris(Action configurer) - { - configurer(BaseUriDirective); - return this; - } - - public IFluentCspOptions ChildSources(Action configurer) - { - configurer(ChildSrcDirective); - return this; - } - - public IFluentCspOptions FormActions(Action configurer) - { - configurer(FormActionDirective); - return this; - } - - public IFluentCspOptions FrameAncestors(Action configurer) - { - configurer(FrameAncestorsDirective); - return this; - } - - public IFluentCspOptions PluginTypes(Action configurer) - { - configurer((IFluentCspPluginTypesDirective)PluginTypesDirective); - return this; - } - - public IFluentCspOptions Sandbox() - { - SandboxDirective.Enabled = true; - return this; - } - - public IFluentCspOptions Sandbox(Action configurer) - { - SandboxDirective.Enabled = true; - configurer((IFluentCspSandboxDirective)SandboxDirective); - return this; - } - - public IFluentCspOptions UpgradeInsecureRequests(int httpsPort = 443) - { - if (httpsPort < 1 || httpsPort > 65535) - { - throw new ArgumentOutOfRangeException(nameof(httpsPort),"The port number must be in the range 1-65535."); - } - - UpgradeInsecureRequestsDirective.Enabled = true; - UpgradeInsecureRequestsDirective.HttpsPort = httpsPort; - return this; - } - - public IFluentCspOptions ReportUris(Action configurer) - { - configurer((IFluentCspReportUriDirective)ReportUriDirective); - return this; - } - } -} \ No newline at end of file diff --git a/external/NWebsec/CspReportUriDirective.cs b/external/NWebsec/CspReportUriDirective.cs deleted file mode 100644 index bef625ac..00000000 --- a/external/NWebsec/CspReportUriDirective.cs +++ /dev/null @@ -1,40 +0,0 @@ -// Copyright (c) André N. Klingsheim. See License.txt in the project root for license information. - -using System; -using System.Collections.Generic; -using NWebsec.Core.HttpHeaders.Configuration; -using NWebsec.Core.HttpHeaders.Csp; - -namespace NWebsec.Middleware -{ - public class CspReportUriDirective : ICspReportUriDirectiveConfiguration, IFluentCspReportUriDirective - { - internal CspReportUriDirective() - { - Enabled = true; - } - - public bool Enabled { get; set; } - public bool EnableBuiltinHandler { get; set; } - public IEnumerable ReportUris { get; set; } - - public void Uris(params string[] reportUris) - { - if (reportUris.Length == 0) throw new ArgumentException("You must supply at least one report URI.", "reportUris"); - - var reportUriList = new List(); - - foreach (var reportUri in reportUris) - { - Uri uri; - if (!Uri.TryCreate(reportUri, UriKind.RelativeOrAbsolute, out uri)) - { - throw new ArgumentException("Could not parse reportUri: " + reportUri); - } - - reportUriList.Add(CspUriSource.EncodeUri(uri)); - } - ReportUris = reportUriList.ToArray(); - } - } -} \ No newline at end of file diff --git a/external/NWebsec/Exceptions/RedirectValidationException.cs b/external/NWebsec/Exceptions/RedirectValidationException.cs deleted file mode 100644 index 2f7ef276..00000000 --- a/external/NWebsec/Exceptions/RedirectValidationException.cs +++ /dev/null @@ -1,13 +0,0 @@ -// Copyright (c) André N. Klingsheim. See License.txt in the project root for license information. - -using System; - -namespace NWebsec.Core.Exceptions -{ - public class RedirectValidationException : Exception - { - public RedirectValidationException(string message) : base(message) - { - } - } -} \ No newline at end of file diff --git a/external/NWebsec/Extensions/HttpContextExtensions.cs b/external/NWebsec/Extensions/HttpContextExtensions.cs deleted file mode 100644 index b488c5bd..00000000 --- a/external/NWebsec/Extensions/HttpContextExtensions.cs +++ /dev/null @@ -1,19 +0,0 @@ -// Copyright (c) André N. Klingsheim. See License.txt in the project root for license information. - -using Microsoft.AspNetCore.Http; - -namespace NWebsec.Core.Extensions -{ - public static class HttpContextExtensions - { - public static NWebsecContext GetNWebsecContext(this HttpContext context) - { - if (!context.Items.ContainsKey(NWebsecContext.ContextKey)) - { - context.Items[NWebsecContext.ContextKey] = new NWebsecContext(); - } - - return context.Items[NWebsecContext.ContextKey] as NWebsecContext; - } - } -} \ No newline at end of file diff --git a/external/NWebsec/Fluent/IFluentInterface.cs b/external/NWebsec/Fluent/IFluentInterface.cs deleted file mode 100644 index 310cc912..00000000 --- a/external/NWebsec/Fluent/IFluentInterface.cs +++ /dev/null @@ -1,53 +0,0 @@ -//This code was lended from http://bit.ly/ifluentinterface, and is not covered by the regular NWebsec lisence. - -using System; -using System.ComponentModel; - -namespace NWebsec.Core.Fluent -{ - /// - /// Interface that is used to build fluent interfaces and hides methods declared by from - /// IntelliSense. - /// - /// - /// Code that consumes implementations of this interface should expect one of two things: - /// - /// - /// When referencing the interface from within the same solution (project reference), you will still see the - /// methods this interface is meant to hide. - /// - /// - /// When referencing the interface through the compiled output assembly (external reference), the standard - /// Object methods will be hidden as intended. - /// - /// - /// See http://bit.ly/ifluentinterface for more information. - /// - [EditorBrowsable(EditorBrowsableState.Never)] - public interface IFluentInterface - { - /// - /// Redeclaration that hides the method from IntelliSense. - /// - [EditorBrowsable(EditorBrowsableState.Never)] - Type GetType(); - - /// - /// Redeclaration that hides the method from IntelliSense. - /// - [EditorBrowsable(EditorBrowsableState.Never)] - int GetHashCode(); - - /// - /// Redeclaration that hides the method from IntelliSense. - /// - [EditorBrowsable(EditorBrowsableState.Never)] - string ToString(); - - /// - /// Redeclaration that hides the method from IntelliSense. - /// - [EditorBrowsable(EditorBrowsableState.Never)] - bool Equals(object obj); - } -} \ No newline at end of file diff --git a/external/NWebsec/FluentCspPluginTypesDirective.cs b/external/NWebsec/FluentCspPluginTypesDirective.cs deleted file mode 100644 index 2e8a0a8a..00000000 --- a/external/NWebsec/FluentCspPluginTypesDirective.cs +++ /dev/null @@ -1,49 +0,0 @@ -// Copyright (c) André N. Klingsheim. See License.txt in the project root for license information. - -using System; -using System.Linq; -using NWebsec.Core.HttpHeaders.Configuration; -using NWebsec.Core.HttpHeaders.Configuration.Validation; - -namespace NWebsec.Middleware -{ - public class FluentCspPluginTypesDirective : CspPluginTypesDirectiveConfiguration, IFluentCspPluginTypesDirective - { - public FluentCspPluginTypesDirective() - { - Enabled = true; - } - - -#pragma warning disable CS0108 // Member hides inherited member; missing new keyword - public void MediaTypes(params string[] mediaTypes) -#pragma warning restore CS0108 // Member hides inherited member; missing new keyword - { - if (mediaTypes == null) - { - throw new ArgumentNullException(nameof(mediaTypes)); - } - - if (mediaTypes.Length == 0) - { - throw new ArgumentException("One or more parameter values expected.", nameof(mediaTypes)); - } - var validator = new Rfc2045MediaTypeValidator(); - var types = mediaTypes.Distinct().ToArray(); - - foreach (var mediaType in types) - { - try - { - validator.Validate(mediaType); - } - catch (Exception e) - { - throw new ArgumentException("Invalid argument. Details: " + e.Message, e); - } - } - - base.MediaTypes = types; - } - } -} \ No newline at end of file diff --git a/external/NWebsec/FluentCspSandboxDirective.cs b/external/NWebsec/FluentCspSandboxDirective.cs deleted file mode 100644 index f470c85d..00000000 --- a/external/NWebsec/FluentCspSandboxDirective.cs +++ /dev/null @@ -1,45 +0,0 @@ -// Copyright (c) André N. Klingsheim. See License.txt in the project root for license information. - -using NWebsec.Core.HttpHeaders.Configuration; - -namespace NWebsec.Middleware -{ - class FluentCspSandboxDirective : CspSandboxDirectiveConfiguration, IFluentCspSandboxDirective - { - public new IFluentCspSandboxDirective AllowForms() - { - base.AllowForms = true; - return this; - } - - public new IFluentCspSandboxDirective AllowPointerLock() - { - base.AllowPointerLock = true; - return this; - } - - public new IFluentCspSandboxDirective AllowPopups() - { - base.AllowPopups = true; - return this; - } - - public new IFluentCspSandboxDirective AllowSameOrigin() - { - base.AllowSameOrigin = true; - return this; - } - - public new IFluentCspSandboxDirective AllowScripts() - { - base.AllowScripts = true; - return this; - } - - public new IFluentCspSandboxDirective AllowTopNavigation() - { - base.AllowTopNavigation = true; - return this; - } - } -} \ No newline at end of file diff --git a/external/NWebsec/Helpers/CspUpgradeHelper.cs b/external/NWebsec/Helpers/CspUpgradeHelper.cs deleted file mode 100644 index ee2964e8..00000000 --- a/external/NWebsec/Helpers/CspUpgradeHelper.cs +++ /dev/null @@ -1,21 +0,0 @@ -// Copyright (c) André N. Klingsheim. See License.txt in the project root for license information. - -// Copyright (c) André N. Klingsheim. See License.txt in the project root for license information. - -using System; -using System.Linq; -using Microsoft.AspNetCore.Http; - -namespace NWebsec.Middleware.Helpers -{ - //Tested indirectly by CSP Middleware - internal class CspUpgradeHelper - { - internal static bool UaSupportsUpgradeInsecureRequests(HttpContext env) - { - var upgradeHeader = env.Request.Headers["Upgrade-Insecure-Requests"]; - - return upgradeHeader.Any(h => h.Equals("1", StringComparison.Ordinal)); - } - } -} \ No newline at end of file diff --git a/external/NWebsec/Helpers/HeaderResultHandler.cs b/external/NWebsec/Helpers/HeaderResultHandler.cs deleted file mode 100644 index 6708b5ac..00000000 --- a/external/NWebsec/Helpers/HeaderResultHandler.cs +++ /dev/null @@ -1,29 +0,0 @@ -// Copyright (c) André N. Klingsheim. See License.txt in the project root for license information. - -using Microsoft.AspNetCore.Http; -using NWebsec.Core.HttpHeaders; - -namespace NWebsec.Core.Helpers -{ - public class HeaderResultHandler : IHeaderResultHandler - { - public void HandleHeaderResult(HttpResponse response, HeaderResult result) - { - if (result == null) - { - return; - } - - switch (result.Action) - { - case HeaderResult.ResponseAction.Set: - response.Headers[result.Name] = result.Value; - return; - case HeaderResult.ResponseAction.Remove: - response.Headers.Remove(result.Name); - return; - - } - } - } -} \ No newline at end of file diff --git a/external/NWebsec/Helpers/IHeaderResultHandler.cs b/external/NWebsec/Helpers/IHeaderResultHandler.cs deleted file mode 100644 index fc665cb1..00000000 --- a/external/NWebsec/Helpers/IHeaderResultHandler.cs +++ /dev/null @@ -1,12 +0,0 @@ -// Copyright (c) André N. Klingsheim. See License.txt in the project root for license information. - -using Microsoft.AspNetCore.Http; -using NWebsec.Core.HttpHeaders; - -namespace NWebsec.Core.Helpers -{ - public interface IHeaderResultHandler - { - void HandleHeaderResult(HttpResponse response, HeaderResult result); - } -} \ No newline at end of file diff --git a/external/NWebsec/Helpers/X509/TlvTripletHeader.cs b/external/NWebsec/Helpers/X509/TlvTripletHeader.cs deleted file mode 100644 index 9e02c01a..00000000 --- a/external/NWebsec/Helpers/X509/TlvTripletHeader.cs +++ /dev/null @@ -1,11 +0,0 @@ -// Copyright (c) André N. Klingsheim. See License.txt in the project root for license information. - -namespace NWebsec.Core.Helpers.X509 -{ - internal class TlvTripletHeader - { - public byte Tag { get; set; } - public int Length { get; set; } - public byte[] RawData { get; set; } - } -} \ No newline at end of file diff --git a/external/NWebsec/Helpers/X509/X509Helper.cs b/external/NWebsec/Helpers/X509/X509Helper.cs deleted file mode 100644 index 76d7c326..00000000 --- a/external/NWebsec/Helpers/X509/X509Helper.cs +++ /dev/null @@ -1,252 +0,0 @@ -// Copyright (c) André N. Klingsheim. See License.txt in the project root for license information. - -using System; -using System.IO; -using System.Linq; -using System.Security.Cryptography; -using System.Security.Cryptography.X509Certificates; - -namespace NWebsec.Core.Helpers.X509 -{ - public class X509Helper - { - private const byte AsnInteger = 0x02; - private const byte AsnBitString = 0x03; - private const byte AsnSequence = 0x30; - private const byte AsnOptional = 0xA0; - - private static readonly byte[] AsnTags = { AsnInteger, AsnBitString, AsnSequence, AsnOptional }; - - //TODO cleanup. Perhaps a test or two. - //[System.Diagnostics.CodeAnalysis.SuppressMessage("Microsoft.Security", "CA2122:DoNotIndirectlyExposeMethodsWithLinkDemands"), SecuritySafeCritical] - public X509Certificate2 GetCertByThumbprint(string thumbprint, StoreLocation storeLocation, StoreName storeName) - { - X509Store certStore = null; - X509Certificate2Collection certs = null; - try - { - certStore = new X509Store(storeName, storeLocation); - certStore.Open(OpenFlags.ReadOnly); - certs = certStore.Certificates.Find(X509FindType.FindByThumbprint, thumbprint, false); - - if (certs.Count > 1) - { - var message = string.Format("Something went horribly wrong, found more than one cert with thumbprint {0} in store location {1}, storename {2}", thumbprint, storeLocation, storeName); - throw new Exception(message); - } - - if (certs.Count == 0) - { - var message = string.Format("No certificate with thumbprint {0} in store location {1}, storename {2}", thumbprint, storeLocation, storeName); - throw new ArgumentException(message); - } - - //Returns new cert, all existing certs will be cleaned up - return certs[0]; - } - catch - { - if (certs != null) - { - foreach (var cert in certs) - { - CleanupCert(cert); - } - } - if (certStore != null) - { - foreach (var cert in certStore.Certificates) - { - CleanupCert(cert); - } -#if DNX451 - certStore.Close(); -#elif NET451 - certStore.Close(); -#else - certStore.Dispose(); -#endif - } - throw; - } - } - - /// - /// Returns a string suitable for inclusion in an HPKP header, including hash algoritm. - /// - /// - /// - public string GetSubjectPublicKeyInfoPinValue(X509Certificate2 cert) - { - var spki = GetRawSubjectPublicKeyInfo(cert); - using (var sha256 = SHA256.Create()) - { - var hash = Convert.ToBase64String(sha256.ComputeHash(spki)); - return string.Format("sha256=\"" + hash + "\""); - } - } - - private static byte[] GetRawSubjectPublicKeyInfo(X509Certificate2 cert) - { - if (cert.Version != 3) - { - throw new ArgumentException("Only X.509 certificate version 3 is supported. This cert was version " + cert.Version); - } - - var rawCert = cert.RawData; - - using (var ms = new MemoryStream(rawCert)) - { - //Get outer cert sequence header - var tlv = ReadTlvTripletHeader(ms); - if (tlv.Tag != AsnSequence) throw new Exception("Expected ASN sequence, for start of certificate."); - //Console.WriteLine("Got certficate sequence, parsed length: " + tlv.Length + " " + BitConverter.ToString(tlv.RawData)); - - //Get tbs cert sequence header - tlv = ReadTlvTripletHeader(ms); - if (tlv.Tag != AsnSequence) throw new Exception("Expected ASN sequence, for start of tbc cert."); - //Console.WriteLine("Got tbs certficate sequence, parsed length: " + tlv.Length + " " + BitConverter.ToString(tlv.RawData)); - - //Get cert version integer header - tlv = ReadTlvTripletHeader(ms); - - while (tlv.Tag == AsnOptional) - { - //Console.WriteLine("Got optional TLV, parsed length: " + tlv.Length + " " + BitConverter.ToString(tlv.RawData)); - tlv = ReadTlvTripletHeader(ms); - } - - if (tlv.Tag != AsnInteger) throw new Exception("Expected ASN integer cert version."); - //Console.WriteLine("Got the certficate version, parsed length: " + tlv.Length + " " + BitConverter.ToString(tlv.RawData)); - - - var version = ms.ReadByte(); - if (version == -1) throw new Exception("Could not read version byte"); - //Console.WriteLine("Cert version: " + version); - - //Get serial number - tlv = ReadTlvTripletHeader(ms); - if (tlv.Tag != AsnInteger) throw new Exception("Expected ASN integer serial number."); - //Console.WriteLine("Got the cert serial number, parsed length: " + tlv.Length + " " + BitConverter.ToString(tlv.RawData)); - - var serialNumber = new byte[tlv.Length]; - - var read = ms.Read(serialNumber, 0, serialNumber.Length); - - if (read < serialNumber.Length) throw new Exception("Expected reading " + tlv.Length + " serial number bytes, got " + read); - - //Skip signature sequence - tlv = ReadTlvTripletHeader(ms); - if (tlv.Tag != AsnSequence) throw new Exception("Expected ASN sequence signature."); - //Console.WriteLine("Got the cert signature sequence, parsed length: " + tlv.Length + " " + BitConverter.ToString(tlv.RawData)); - ms.Seek(tlv.Length, SeekOrigin.Current); - //Console.WriteLine("Skipped ahead " + tlv.Length + " bytes."); - - //Skip issuer sequence - tlv = ReadTlvTripletHeader(ms); - if (tlv.Tag != AsnSequence) throw new Exception("Expected ASN sequence issuer."); - //Console.WriteLine("Got the cert issuer sequence, parsed length: " + tlv.Length + " " + BitConverter.ToString(tlv.RawData)); - ms.Seek(tlv.Length, SeekOrigin.Current); - //Console.WriteLine("Skipped ahead " + tlv.Length + " bytes."); - - //Skip validity sequence - tlv = ReadTlvTripletHeader(ms); - if (tlv.Tag != AsnSequence) throw new Exception("Expected ASN sequence validity."); - //Console.WriteLine("Got the cert validity sequence, parsed length: " + tlv.Length + " " + BitConverter.ToString(tlv.RawData)); - ms.Seek(tlv.Length, SeekOrigin.Current); - //Console.WriteLine("Skipped ahead " + tlv.Length + " bytes."); - - //Skip subject sequence - tlv = ReadTlvTripletHeader(ms); - if (tlv.Tag != AsnSequence) throw new Exception("Expected ASN sequence subject."); - //Console.WriteLine("Got the cert subject sequence, parsed length: " + tlv.Length + " " + BitConverter.ToString(tlv.RawData)); - ms.Seek(tlv.Length, SeekOrigin.Current); - //Console.WriteLine("Skipped ahead " + tlv.Length + " bytes."); - - //Skip subject sequence - tlv = ReadTlvTripletHeader(ms); - if (tlv.Tag != AsnSequence) throw new Exception("Expected ASN sequence SPKI."); - //Console.WriteLine("Got the cert SPKI sequence, parsed length: " + tlv.Length + " " + BitConverter.ToString(tlv.RawData)); - - //New array for both tlv bits and content bits. - var spkiChunk = new byte[tlv.RawData.Length + tlv.Length]; - - Array.Copy(tlv.RawData, spkiChunk, tlv.RawData.Length); - - read = ms.Read(spkiChunk, tlv.RawData.Length, tlv.Length); - - if (read > tlv.Length) throw new Exception("Got " + read + " SPKI bytes, expected " + spkiChunk.Length); - - return spkiChunk; - } - } - - private static TlvTripletHeader ReadTlvTripletHeader(MemoryStream ms) - { - var firstBytes = new byte[2]; - var read = ms.Read(firstBytes, 0, firstBytes.Length); - - if (read < 1) - { - throw new Exception("No data read!"); - } - - if (!AsnTags.Any(t => t == firstBytes[0])) throw new Exception("Unexptected ASN.1 tag byte: " + BitConverter.ToString(firstBytes, 0, 1)); - - if (read < 2) - { - throw new Exception("No length byte read!"); - } - - if (firstBytes[1] < 0x80) - { - return new TlvTripletHeader() { Tag = firstBytes[0], Length = firstBytes[1], RawData = firstBytes }; - } - - //Handle multi-byte length. - var numberOfLengthBytes = firstBytes[1] - 0x80; - - if (numberOfLengthBytes < 1) throw new Exception("Invalid length byte. Indicated multibyte length, with length 0."); - if (numberOfLengthBytes > 4) throw new NotSupportedException("Leading length byte indicates more than 4 length bytes, which is not supported. Indicated length bytes: " + numberOfLengthBytes); - - //Get the bytes - var lengthBytes = new byte[numberOfLengthBytes]; - var bytesRead = ms.Read(lengthBytes, 0, lengthBytes.Length); - - if (bytesRead != lengthBytes.Length) throw new Exception(string.Format("Expected {0} length bytes, got {1}", lengthBytes.Length, bytesRead)); - - //Got the bytes, make an int. - var length = 0; - //Console.WriteLine("Adding length bytes: " + BitConverter.ToString(lengthBytes)); - foreach (var lengthByte in lengthBytes) - { - - //Shift existing bytes so they become more significant. Avoid platform dependent bit fiddling. - //Console.WriteLine("Length tweak starting: " + BitConverter.ToString(BitConverter.GetBytes(length))); - - length = length * 256; - //Console.WriteLine("Shifted length to make room for next byte: " + BitConverter.ToString(BitConverter.GetBytes(length))); - - length += lengthByte; - //Console.WriteLine("Added next byte: " + BitConverter.ToString(BitConverter.GetBytes(length))); - } - - var rawbytes = new byte[firstBytes.Length + lengthBytes.Length]; - Array.Copy(firstBytes, rawbytes, firstBytes.Length); - Array.Copy(lengthBytes, 0, rawbytes, firstBytes.Length, lengthBytes.Length); - - return new TlvTripletHeader { Tag = firstBytes[0], Length = length, RawData = rawbytes }; - } - - private void CleanupCert(X509Certificate2 cert) - { -#if NET451 - cert.Reset(); -#elif DNX451 - cert.Reset(); -#else - cert.Dispose(); -#endif - } - } -} \ No newline at end of file diff --git a/external/NWebsec/HpkpOptions.cs b/external/NWebsec/HpkpOptions.cs deleted file mode 100644 index 54c4bea8..00000000 --- a/external/NWebsec/HpkpOptions.cs +++ /dev/null @@ -1,124 +0,0 @@ -// Copyright (c) André N. Klingsheim. See License.txt in the project root for license information. - -using System; -using System.Collections.Generic; -using System.Security.Cryptography.X509Certificates; -using NWebsec.Core.Helpers.X509; -using NWebsec.Core.HttpHeaders.Configuration.Validation; - -namespace NWebsec.Middleware -{ - public class HpkpOptions : IFluentHpkpOptions - { - private readonly List _pins; - private readonly HpkpConfigurationValidator _validator; - - internal HpkpOptionsConfiguration Config { get; set; } - - public HpkpOptions() - { - _pins = new List(); - Config = new HpkpOptionsConfiguration { Pins = _pins }; - _validator = new HpkpConfigurationValidator(); - } - - // ReSharper disable once CSharpWarnings::CS0109 - public IFluentHpkpOptions MaxAge(int days = 0, int hours = 0, int minutes = 0, int seconds = 0) - { - if (days < 0) throw new ArgumentOutOfRangeException("days", "Value must be equal to or larger than 0."); - if (hours < 0) throw new ArgumentOutOfRangeException("hours", "Value must be equal to or larger than 0."); - if (minutes < 0) throw new ArgumentOutOfRangeException("minutes", "Value must be equal to or larger than 0."); - if (seconds < 0) throw new ArgumentOutOfRangeException("seconds", "Value must be equal to or larger than 0."); - - Config.MaxAge = new TimeSpan(days, hours, minutes, seconds); - return this; - } - - public IFluentHpkpOptions IncludeSubdomains() - { - Config.IncludeSubdomains = true; - return this; - } - - public IFluentHpkpOptions ReportUri(string reportUri) - { - try - { - _validator.ValidateReportUri(reportUri); - } - catch (Exception e) - { - throw new ArgumentException(e.Message, "reportUri"); - } - - Config.ReportUri = reportUri; - return this; - } - - public IFluentHpkpOptions AllResponses() - { - Config.HttpsOnly = false; - return this; - } - - public IFluentHpkpOptions Sha256Pins(params string[] pins) - { - foreach (var pin in pins) - { - try - { - _validator.ValidateRawPin(pin); - } - catch (Exception e) - { - throw new ArgumentException(e.Message, "pins"); - } - - var formattedPin = "sha256=\"" + pin + "\""; - if (!_pins.Contains(formattedPin)) - { - _pins.Add(formattedPin); - } - } - return this; - } - - public IFluentHpkpOptions PinCertificate(string thumbprint, StoreLocation storeLocation = StoreLocation.LocalMachine, - StoreName storeName = StoreName.My) - { - - try - { - _validator.ValidateThumbprint(thumbprint); - } - catch (Exception e) - { - throw new ArgumentException(e.Message, thumbprint); - } - - var helper = new X509Helper(); - var cert = helper.GetCertByThumbprint(thumbprint, storeLocation, storeName); - var pin = helper.GetSubjectPublicKeyInfoPinValue(cert); - -#if DNX451 - cert.Reset(); -#elif NET451 - cert.Reset(); -#else - cert.Dispose(); -#endif - if (!_pins.Contains(pin)) - { - _pins.Add(pin); - } - - return this; - } - - public IFluentHpkpOptions HttpsOnly() - { - Config.HttpsOnly = true; - return this; - } - } -} \ No newline at end of file diff --git a/external/NWebsec/HpkpOptionsConfiguration.cs b/external/NWebsec/HpkpOptionsConfiguration.cs deleted file mode 100644 index e3374d4e..00000000 --- a/external/NWebsec/HpkpOptionsConfiguration.cs +++ /dev/null @@ -1,33 +0,0 @@ -// Copyright (c) André N. Klingsheim. See License.txt in the project root for license information. - -using System; -using System.Collections.Generic; -using System.ComponentModel; -using NWebsec.Core.HttpHeaders.Configuration; - -namespace NWebsec.Middleware -{ - public class HpkpOptionsConfiguration : IHpkpConfiguration - { - internal HpkpOptionsConfiguration() - { - MaxAge = TimeSpan.Zero; - HttpsOnly = true; - Pins = new string[0]; - } - - [EditorBrowsable(EditorBrowsableState.Never)] - public IEnumerable Pins { get; set; } - - [EditorBrowsable(EditorBrowsableState.Never)] - public TimeSpan MaxAge { get; set; } - - [EditorBrowsable(EditorBrowsableState.Never)] - public bool IncludeSubdomains { get; set; } - - public string ReportUri { get; set; } - - [EditorBrowsable(EditorBrowsableState.Never)] - public bool HttpsOnly { get; set; } - } -} \ No newline at end of file diff --git a/external/NWebsec/HstsOptions.cs b/external/NWebsec/HstsOptions.cs deleted file mode 100644 index 2554c6af..00000000 --- a/external/NWebsec/HstsOptions.cs +++ /dev/null @@ -1,52 +0,0 @@ -// Copyright (c) André N. Klingsheim. See License.txt in the project root for license information. - -using System; - -namespace NWebsec.Middleware -{ - public class HstsOptions : HstsOptionsConfiguration, IFluentHstsOptions - { - - // ReSharper disable once CSharpWarnings::CS0109 - public new IFluentHstsOptions MaxAge(int days = 0, int hours = 0, int minutes = 0, int seconds = 0) - { - if (days < 0) throw new ArgumentOutOfRangeException(nameof(days), "Value must be equal to or larger than 0."); - if (hours < 0) throw new ArgumentOutOfRangeException(nameof(hours), "Value must be equal to or larger than 0."); - if (minutes < 0) throw new ArgumentOutOfRangeException(nameof(minutes), "Value must be equal to or larger than 0."); - if (seconds < 0) throw new ArgumentOutOfRangeException(nameof(seconds), "Value must be equal to or larger than 0."); - - base.MaxAge = new TimeSpan(days, hours, minutes, seconds); - return this; - } - - public new IFluentHstsOptions IncludeSubdomains() - { - base.IncludeSubdomains = true; - return this; - } - - public new IFluentHstsOptions Preload() - { - base.Preload = true; - return this; - } - - public new IFluentHstsOptions UpgradeInsecureRequests() - { - base.UpgradeInsecureRequests = true; - return this; - } - - public IFluentHstsOptions AllResponses() - { - base.HttpsOnly = false; - return this; - } - - public new IFluentHstsOptions HttpsOnly() - { - base.HttpsOnly = true; - return this; - } - } -} \ No newline at end of file diff --git a/external/NWebsec/HstsOptionsConfiguration.cs b/external/NWebsec/HstsOptionsConfiguration.cs deleted file mode 100644 index dc924c16..00000000 --- a/external/NWebsec/HstsOptionsConfiguration.cs +++ /dev/null @@ -1,32 +0,0 @@ -// Copyright (c) André N. Klingsheim. See License.txt in the project root for license information. - -using System; -using System.ComponentModel; -using NWebsec.Core.HttpHeaders.Configuration; - -namespace NWebsec.Middleware -{ - public class HstsOptionsConfiguration : IHstsConfiguration - { - internal HstsOptionsConfiguration() - { - MaxAge = TimeSpan.Zero; - HttpsOnly = true; - } - - [EditorBrowsable(EditorBrowsableState.Never)] - public TimeSpan MaxAge { get; set; } - - [EditorBrowsable(EditorBrowsableState.Never)] - public bool IncludeSubdomains { get; set; } - - [EditorBrowsable(EditorBrowsableState.Never)] - public bool Preload { get; set; } - - [EditorBrowsable(EditorBrowsableState.Never)] - public bool HttpsOnly { get; set; } - - [EditorBrowsable(EditorBrowsableState.Never)] - public bool UpgradeInsecureRequests { get; set; } - } -} \ No newline at end of file diff --git a/external/NWebsec/HttpHeaders/Configuration/CspConfiguration.cs b/external/NWebsec/HttpHeaders/Configuration/CspConfiguration.cs deleted file mode 100644 index 95f7f27c..00000000 --- a/external/NWebsec/HttpHeaders/Configuration/CspConfiguration.cs +++ /dev/null @@ -1,52 +0,0 @@ -// Copyright (c) André N. Klingsheim. See License.txt in the project root for license information. - -namespace NWebsec.Core.HttpHeaders.Configuration -{ - public class CspConfiguration : ICspConfiguration - { - public CspConfiguration(bool initializeDirectives=true) - { - if (!initializeDirectives) - { - return; - } - - DefaultSrcDirective = new CspDirectiveConfiguration(); - ScriptSrcDirective = new CspDirectiveConfiguration(); - ObjectSrcDirective = new CspDirectiveConfiguration(); - StyleSrcDirective = new CspDirectiveConfiguration(); - ImgSrcDirective = new CspDirectiveConfiguration(); - MediaSrcDirective = new CspDirectiveConfiguration(); - FrameSrcDirective = new CspDirectiveConfiguration(); - FontSrcDirective = new CspDirectiveConfiguration(); - ConnectSrcDirective = new CspDirectiveConfiguration(); - BaseUriDirective = new CspDirectiveConfiguration(); - ChildSrcDirective = new CspDirectiveConfiguration(); - FormActionDirective = new CspDirectiveConfiguration(); - FrameAncestorsDirective = new CspDirectiveConfiguration(); - PluginTypesDirective = new CspPluginTypesDirectiveConfiguration(); - SandboxDirective = new CspSandboxDirectiveConfiguration(); - UpgradeInsecureRequestsDirective = new CspUpgradeDirectiveConfiguration(); - ReportUriDirective = new CspReportUriDirectiveConfiguration(); - } - - public bool Enabled { get; set; } - public ICspDirectiveConfiguration DefaultSrcDirective { get; set; } - public ICspDirectiveConfiguration ScriptSrcDirective { get; set; } - public ICspDirectiveConfiguration ObjectSrcDirective { get; set; } - public ICspDirectiveConfiguration StyleSrcDirective { get; set; } - public ICspDirectiveConfiguration ImgSrcDirective { get; set; } - public ICspDirectiveConfiguration MediaSrcDirective { get; set; } - public ICspDirectiveConfiguration FrameSrcDirective { get; set; } - public ICspDirectiveConfiguration FontSrcDirective { get; set; } - public ICspDirectiveConfiguration ConnectSrcDirective { get; set; } - public ICspDirectiveConfiguration BaseUriDirective { get; set; } - public ICspDirectiveConfiguration ChildSrcDirective { get; set; } - public ICspDirectiveConfiguration FormActionDirective { get; set; } - public ICspDirectiveConfiguration FrameAncestorsDirective { get; set; } - public ICspPluginTypesDirectiveConfiguration PluginTypesDirective { get; set; } - public ICspSandboxDirectiveConfiguration SandboxDirective { get; set; } - public ICspUpgradeDirectiveConfiguration UpgradeInsecureRequestsDirective { get; set; } - public ICspReportUriDirectiveConfiguration ReportUriDirective { get; set; } - } -} \ No newline at end of file diff --git a/external/NWebsec/HttpHeaders/Configuration/CspDirectiveConfiguration.cs b/external/NWebsec/HttpHeaders/Configuration/CspDirectiveConfiguration.cs deleted file mode 100644 index 80f95526..00000000 --- a/external/NWebsec/HttpHeaders/Configuration/CspDirectiveConfiguration.cs +++ /dev/null @@ -1,26 +0,0 @@ -// Copyright (c) André N. Klingsheim. See License.txt in the project root for license information. - -using System.Collections.Generic; - -namespace NWebsec.Core.HttpHeaders.Configuration -{ - public class CspDirectiveConfiguration : ICspDirectiveConfiguration - { - private static readonly string[] EmptySources = new string[0]; - - public CspDirectiveConfiguration() - { - Enabled = true; - CustomSources = EmptySources; - } - - public bool Enabled { get; set; } - public bool NoneSrc { get; set; } - public bool SelfSrc { get; set; } - public bool UnsafeInlineSrc { get; set; } - public bool UnsafeEvalSrc { get; set; } - public IEnumerable CustomSources { get; set; } - public string Nonce { get; set; } - - } -} \ No newline at end of file diff --git a/external/NWebsec/HttpHeaders/Configuration/CspHeaderConfiguration.cs b/external/NWebsec/HttpHeaders/Configuration/CspHeaderConfiguration.cs deleted file mode 100644 index dba0c1d3..00000000 --- a/external/NWebsec/HttpHeaders/Configuration/CspHeaderConfiguration.cs +++ /dev/null @@ -1,9 +0,0 @@ -// Copyright (c) André N. Klingsheim. See License.txt in the project root for license information. - -namespace NWebsec.Core.HttpHeaders.Configuration -{ - public class CspHeaderConfiguration : ICspHeaderConfiguration - { - public bool Enabled { get; set; } - } -} \ No newline at end of file diff --git a/external/NWebsec/HttpHeaders/Configuration/CspPluginTypesDirectiveConfiguration.cs b/external/NWebsec/HttpHeaders/Configuration/CspPluginTypesDirectiveConfiguration.cs deleted file mode 100644 index 1e70103e..00000000 --- a/external/NWebsec/HttpHeaders/Configuration/CspPluginTypesDirectiveConfiguration.cs +++ /dev/null @@ -1,20 +0,0 @@ -// Copyright (c) André N. Klingsheim. See License.txt in the project root for license information. - -using System.Collections.Generic; - -namespace NWebsec.Core.HttpHeaders.Configuration -{ - public class CspPluginTypesDirectiveConfiguration : ICspPluginTypesDirectiveConfiguration - { - private static readonly string[] EmptySources = new string[0]; - - public bool Enabled { get; set; } - public IEnumerable MediaTypes { get; set; } - - public CspPluginTypesDirectiveConfiguration() - { - Enabled = true; - MediaTypes = EmptySources; - } - } -} \ No newline at end of file diff --git a/external/NWebsec/HttpHeaders/Configuration/CspReportUriDirectiveConfiguration.cs b/external/NWebsec/HttpHeaders/Configuration/CspReportUriDirectiveConfiguration.cs deleted file mode 100644 index f15b2a3a..00000000 --- a/external/NWebsec/HttpHeaders/Configuration/CspReportUriDirectiveConfiguration.cs +++ /dev/null @@ -1,19 +0,0 @@ -// Copyright (c) André N. Klingsheim. See License.txt in the project root for license information. - -using System.Collections.Generic; - -namespace NWebsec.Core.HttpHeaders.Configuration -{ - public class CspReportUriDirectiveConfiguration : ICspReportUriDirectiveConfiguration - { - public CspReportUriDirectiveConfiguration() - { - ReportUris = new string[0]; - } - - public bool Enabled { get; set; } - //TODO figure out what to do with this property - public bool EnableBuiltinHandler { get; set; } - public IEnumerable ReportUris { get; set; } - } -} \ No newline at end of file diff --git a/external/NWebsec/HttpHeaders/Configuration/CspSandboxDirectiveConfiguration.cs b/external/NWebsec/HttpHeaders/Configuration/CspSandboxDirectiveConfiguration.cs deleted file mode 100644 index f0675d98..00000000 --- a/external/NWebsec/HttpHeaders/Configuration/CspSandboxDirectiveConfiguration.cs +++ /dev/null @@ -1,15 +0,0 @@ -// Copyright (c) André N. Klingsheim. See License.txt in the project root for license information. - -namespace NWebsec.Core.HttpHeaders.Configuration -{ - public class CspSandboxDirectiveConfiguration : ICspSandboxDirectiveConfiguration - { - public bool Enabled { get; set; } - public bool AllowForms { get; set; } - public bool AllowPointerLock { get; set; } - public bool AllowPopups { get; set; } - public bool AllowSameOrigin { get; set; } - public bool AllowScripts { get; set; } - public bool AllowTopNavigation { get; set; } - } -} \ No newline at end of file diff --git a/external/NWebsec/HttpHeaders/Configuration/CspUpgradeDirectiveConfiguration.cs b/external/NWebsec/HttpHeaders/Configuration/CspUpgradeDirectiveConfiguration.cs deleted file mode 100644 index d15867b4..00000000 --- a/external/NWebsec/HttpHeaders/Configuration/CspUpgradeDirectiveConfiguration.cs +++ /dev/null @@ -1,11 +0,0 @@ -// Copyright (c) André N. Klingsheim. See License.txt in the project root for license information. - -namespace NWebsec.Core.HttpHeaders.Configuration -{ - public class CspUpgradeDirectiveConfiguration : ICspUpgradeDirectiveConfiguration - { - - public bool Enabled { get; set; } - public int HttpsPort { get; set; } = 443; - } -} \ No newline at end of file diff --git a/external/NWebsec/HttpHeaders/Configuration/HpkpConfiguration.cs b/external/NWebsec/HttpHeaders/Configuration/HpkpConfiguration.cs deleted file mode 100644 index 873685c0..00000000 --- a/external/NWebsec/HttpHeaders/Configuration/HpkpConfiguration.cs +++ /dev/null @@ -1,16 +0,0 @@ -// Copyright (c) André N. Klingsheim. See License.txt in the project root for license information. - -using System; -using System.Collections.Generic; - -namespace NWebsec.Core.HttpHeaders.Configuration -{ - public class HpkpConfiguration : IHpkpConfiguration - { - public IEnumerable Pins { get; set; } - public TimeSpan MaxAge { get; set; } - public bool IncludeSubdomains { get; set; } - public string ReportUri { get; set; } - public bool HttpsOnly { get; set; } - } -} \ No newline at end of file diff --git a/external/NWebsec/HttpHeaders/Configuration/HstsConfiguration.cs b/external/NWebsec/HttpHeaders/Configuration/HstsConfiguration.cs deleted file mode 100644 index 4dbb50b3..00000000 --- a/external/NWebsec/HttpHeaders/Configuration/HstsConfiguration.cs +++ /dev/null @@ -1,15 +0,0 @@ -// Copyright (c) André N. Klingsheim. See License.txt in the project root for license information. - -using System; - -namespace NWebsec.Core.HttpHeaders.Configuration -{ - public class HstsConfiguration : IHstsConfiguration - { - public TimeSpan MaxAge { get; set; } - public bool IncludeSubdomains { get; set; } - public bool Preload { get; set; } - public bool HttpsOnly { get; set; } - public bool UpgradeInsecureRequests { get; set; } - } -} \ No newline at end of file diff --git a/external/NWebsec/HttpHeaders/Configuration/ICspConfiguration.cs b/external/NWebsec/HttpHeaders/Configuration/ICspConfiguration.cs deleted file mode 100644 index 0609c32a..00000000 --- a/external/NWebsec/HttpHeaders/Configuration/ICspConfiguration.cs +++ /dev/null @@ -1,30 +0,0 @@ -// Copyright (c) André N. Klingsheim. See License.txt in the project root for license information. - -namespace NWebsec.Core.HttpHeaders.Configuration -{ - public interface ICspConfiguration - { - bool Enabled { get; set; } - ICspDirectiveConfiguration DefaultSrcDirective { get; set; } - ICspDirectiveConfiguration ScriptSrcDirective { get; set; } - ICspDirectiveConfiguration ObjectSrcDirective { get; set; } - ICspDirectiveConfiguration StyleSrcDirective { get; set; } - ICspDirectiveConfiguration ImgSrcDirective { get; set; } - ICspDirectiveConfiguration MediaSrcDirective { get; set; } - ICspDirectiveConfiguration FrameSrcDirective { get; set; } - ICspDirectiveConfiguration FontSrcDirective { get; set; } - ICspDirectiveConfiguration ConnectSrcDirective { get; set; } - ICspReportUriDirectiveConfiguration ReportUriDirective { get; set; } - - //CSP 2 - ICspDirectiveConfiguration BaseUriDirective { get; set; } - ICspDirectiveConfiguration ChildSrcDirective { get; set; } - ICspDirectiveConfiguration FormActionDirective { get; set; } - ICspDirectiveConfiguration FrameAncestorsDirective { get; set; } - ICspPluginTypesDirectiveConfiguration PluginTypesDirective { get; set; } - ICspSandboxDirectiveConfiguration SandboxDirective { get; set; } - - //Upgrade insecure requests - ICspUpgradeDirectiveConfiguration UpgradeInsecureRequestsDirective { get; set; } - } -} \ No newline at end of file diff --git a/external/NWebsec/HttpHeaders/Configuration/ICspDirectiveBasicConfiguration.cs b/external/NWebsec/HttpHeaders/Configuration/ICspDirectiveBasicConfiguration.cs deleted file mode 100644 index ba649fe5..00000000 --- a/external/NWebsec/HttpHeaders/Configuration/ICspDirectiveBasicConfiguration.cs +++ /dev/null @@ -1,42 +0,0 @@ -// Copyright (c) André N. Klingsheim. See License.txt in the project root for license information. - -using System.Collections.Generic; -using System.ComponentModel; -using NWebsec.Core.Fluent; - -namespace NWebsec.Core.HttpHeaders.Configuration -{ - /// - /// Defines the properties required for CSP directive configuration. - /// - public interface ICspDirectiveBasicConfiguration : IFluentInterface - { - /// - /// Infrastructure. Not intended to be used by your code directly. An attempt to hide this from Intellisense has been - /// made. - /// - [EditorBrowsable(EditorBrowsableState.Never)] - bool Enabled { get; set; } - - /// - /// Infrastructure. Not intended to be used by your code directly. An attempt to hide this from Intellisense has been - /// made. - /// - [EditorBrowsable(EditorBrowsableState.Never)] - bool NoneSrc { get; set; } - - /// - /// Infrastructure. Not intended to be used by your code directly. An attempt to hide this from Intellisense has been - /// made. - /// - [EditorBrowsable(EditorBrowsableState.Never)] - bool SelfSrc { get; set; } - - /// - /// Infrastructure. Not intended to be used by your code directly. An attempt to hide this from Intellisense has been - /// made. - /// - [EditorBrowsable(EditorBrowsableState.Never)] - IEnumerable CustomSources { get; set; } - } -} \ No newline at end of file diff --git a/external/NWebsec/HttpHeaders/Configuration/ICspDirectiveConfiguration.cs b/external/NWebsec/HttpHeaders/Configuration/ICspDirectiveConfiguration.cs deleted file mode 100644 index 9664da8f..00000000 --- a/external/NWebsec/HttpHeaders/Configuration/ICspDirectiveConfiguration.cs +++ /dev/null @@ -1,19 +0,0 @@ -// Copyright (c) André N. Klingsheim. See License.txt in the project root for license information. - -using System.ComponentModel; - -namespace NWebsec.Core.HttpHeaders.Configuration -{ - /// - /// Defines the properties required for CSP directive configuration. - /// - public interface ICspDirectiveConfiguration : ICspDirectiveUnsafeInlineConfiguration - { - /// - /// Infrastructure. Not intended to be used by your code directly. An attempt to hide this from Intellisense has been - /// made. - /// - [EditorBrowsable(EditorBrowsableState.Never)] - bool UnsafeEvalSrc { get; set; } - } -} \ No newline at end of file diff --git a/external/NWebsec/HttpHeaders/Configuration/ICspDirectiveUnsafeInlineConfiguration.cs b/external/NWebsec/HttpHeaders/Configuration/ICspDirectiveUnsafeInlineConfiguration.cs deleted file mode 100644 index e0784537..00000000 --- a/external/NWebsec/HttpHeaders/Configuration/ICspDirectiveUnsafeInlineConfiguration.cs +++ /dev/null @@ -1,26 +0,0 @@ -// Copyright (c) André N. Klingsheim. See License.txt in the project root for license information. - -using System.ComponentModel; - -namespace NWebsec.Core.HttpHeaders.Configuration -{ - /// - /// Defines the properties required for CSP directive configuration. - /// - public interface ICspDirectiveUnsafeInlineConfiguration : ICspDirectiveBasicConfiguration - { - /// - /// Infrastructure. Not intended to be used by your code directly. An attempt to hide this from Intellisense has been - /// made. - /// - [EditorBrowsable(EditorBrowsableState.Never)] - bool UnsafeInlineSrc { get; set; } - - /// - /// Infrastructure. Not intended to be used by your code directly. An attempt to hide this from Intellisense has been - /// made. - /// - [EditorBrowsable(EditorBrowsableState.Never)] - string Nonce { get; set; } - } -} \ No newline at end of file diff --git a/external/NWebsec/HttpHeaders/Configuration/ICspHeaderConfiguration.cs b/external/NWebsec/HttpHeaders/Configuration/ICspHeaderConfiguration.cs deleted file mode 100644 index f2295e33..00000000 --- a/external/NWebsec/HttpHeaders/Configuration/ICspHeaderConfiguration.cs +++ /dev/null @@ -1,9 +0,0 @@ -// Copyright (c) André N. Klingsheim. See License.txt in the project root for license information. - -namespace NWebsec.Core.HttpHeaders.Configuration -{ - public interface ICspHeaderConfiguration - { - bool Enabled { get; set; } - } -} \ No newline at end of file diff --git a/external/NWebsec/HttpHeaders/Configuration/ICspPluginTypesDirectiveConfiguration.cs b/external/NWebsec/HttpHeaders/Configuration/ICspPluginTypesDirectiveConfiguration.cs deleted file mode 100644 index 8a3f9c10..00000000 --- a/external/NWebsec/HttpHeaders/Configuration/ICspPluginTypesDirectiveConfiguration.cs +++ /dev/null @@ -1,24 +0,0 @@ -// Copyright (c) André N. Klingsheim. See License.txt in the project root for license information. - -using System.Collections.Generic; - -namespace NWebsec.Core.HttpHeaders.Configuration -{ - /// - /// Defines the properties required for CSP sandbox directive configuration. - /// - public interface ICspPluginTypesDirectiveConfiguration - { - /// - /// Infrastructure. Not intended to be used by your code directly. An attempt to hide this from Intellisense has been - /// made. - /// - bool Enabled { get; set; } - - /// - /// Infrastructure. Not intended to be used by your code directly. An attempt to hide this from Intellisense has been - /// made. - /// - IEnumerable MediaTypes { get; set; } - } -} \ No newline at end of file diff --git a/external/NWebsec/HttpHeaders/Configuration/ICspReportUriDirectiveConfiguration.cs b/external/NWebsec/HttpHeaders/Configuration/ICspReportUriDirectiveConfiguration.cs deleted file mode 100644 index 7d1d48d0..00000000 --- a/external/NWebsec/HttpHeaders/Configuration/ICspReportUriDirectiveConfiguration.cs +++ /dev/null @@ -1,15 +0,0 @@ -// Copyright (c) André N. Klingsheim. See License.txt in the project root for license information. - -using System.Collections.Generic; - -namespace NWebsec.Core.HttpHeaders.Configuration -{ - public interface ICspReportUriDirectiveConfiguration - { - bool Enabled { get; set; } - - bool EnableBuiltinHandler { get; set; } - - IEnumerable ReportUris { get; set; } - } -} \ No newline at end of file diff --git a/external/NWebsec/HttpHeaders/Configuration/ICspSandboxDirectiveConfiguration.cs b/external/NWebsec/HttpHeaders/Configuration/ICspSandboxDirectiveConfiguration.cs deleted file mode 100644 index e3fee873..00000000 --- a/external/NWebsec/HttpHeaders/Configuration/ICspSandboxDirectiveConfiguration.cs +++ /dev/null @@ -1,49 +0,0 @@ -// Copyright (c) André N. Klingsheim. See License.txt in the project root for license information. - -namespace NWebsec.Core.HttpHeaders.Configuration -{ - /// - /// Defines the properties required for CSP sandbox directive configuration. - /// - public interface ICspSandboxDirectiveConfiguration - { - /// - /// Infrastructure. Not intended to be used by your code directly. An attempt to hide this from Intellisense has been - /// made. - /// - bool Enabled { get; set; } - /// - /// Infrastructure. Not intended to be used by your code directly. An attempt to hide this from Intellisense has been - /// made. - /// - bool AllowForms { get; set; } - - /// - /// Infrastructure. Not intended to be used by your code directly. An attempt to hide this from Intellisense has been - /// made. - /// - bool AllowPointerLock { get; set; } - /// - /// Infrastructure. Not intended to be used by your code directly. An attempt to hide this from Intellisense has been - /// made. - /// - bool AllowPopups { get; set; } - /// - /// Infrastructure. Not intended to be used by your code directly. An attempt to hide this from Intellisense has been - /// made. - /// - bool AllowSameOrigin { get; set; } - /// - /// Infrastructure. Not intended to be used by your code directly. An attempt to hide this from Intellisense has been - /// made. - /// - bool AllowScripts { get; set; } - /// - /// Infrastructure. Not intended to be used by your code directly. An attempt to hide this from Intellisense has been - /// made. - /// - bool AllowTopNavigation { get; set; } - - - } -} \ No newline at end of file diff --git a/external/NWebsec/HttpHeaders/Configuration/ICspUpgradeDirectiveConfiguration.cs b/external/NWebsec/HttpHeaders/Configuration/ICspUpgradeDirectiveConfiguration.cs deleted file mode 100644 index 36ce749f..00000000 --- a/external/NWebsec/HttpHeaders/Configuration/ICspUpgradeDirectiveConfiguration.cs +++ /dev/null @@ -1,14 +0,0 @@ -// Copyright (c) André N. Klingsheim. See License.txt in the project root for license information. - -namespace NWebsec.Core.HttpHeaders.Configuration -{ - /// - /// Defines the properties required for CSP sandbox directive configuration. - /// - public interface ICspUpgradeDirectiveConfiguration - { - bool Enabled { get; set; } - - int HttpsPort { get; set; } - } -} \ No newline at end of file diff --git a/external/NWebsec/HttpHeaders/Configuration/IHpkpCertConfiguration.cs b/external/NWebsec/HttpHeaders/Configuration/IHpkpCertConfiguration.cs deleted file mode 100644 index 6e3921d2..00000000 --- a/external/NWebsec/HttpHeaders/Configuration/IHpkpCertConfiguration.cs +++ /dev/null @@ -1,14 +0,0 @@ -// Copyright (c) André N. Klingsheim. See License.txt in the project root for license information. - -using System.Security.Cryptography.X509Certificates; - -namespace NWebsec.Core.HttpHeaders.Configuration -{ - public interface IHpkpCertConfiguration - { - string ThumbPrint { get; set; } - StoreLocation StoreLocation { get; set; } - StoreName Storename { get; set; } - string SpkiPinValue { get; set; } - } -} \ No newline at end of file diff --git a/external/NWebsec/HttpHeaders/Configuration/IHpkpConfiguration.cs b/external/NWebsec/HttpHeaders/Configuration/IHpkpConfiguration.cs deleted file mode 100644 index 17478218..00000000 --- a/external/NWebsec/HttpHeaders/Configuration/IHpkpConfiguration.cs +++ /dev/null @@ -1,16 +0,0 @@ -// Copyright (c) André N. Klingsheim. See License.txt in the project root for license information. - -using System; -using System.Collections.Generic; - -namespace NWebsec.Core.HttpHeaders.Configuration -{ - public interface IHpkpConfiguration - { - IEnumerable Pins { get; set; } - TimeSpan MaxAge { get; set; } - bool IncludeSubdomains { get; set; } - string ReportUri { get; set; } - bool HttpsOnly { get; set; } - } -} \ No newline at end of file diff --git a/external/NWebsec/HttpHeaders/Configuration/IHpkpPinConfiguration.cs b/external/NWebsec/HttpHeaders/Configuration/IHpkpPinConfiguration.cs deleted file mode 100644 index 28e90353..00000000 --- a/external/NWebsec/HttpHeaders/Configuration/IHpkpPinConfiguration.cs +++ /dev/null @@ -1,9 +0,0 @@ -// Copyright (c) André N. Klingsheim. See License.txt in the project root for license information. - -namespace NWebsec.Core.HttpHeaders.Configuration -{ - public interface IHpkpPinConfiguration - { - string Pin { get; set; } - } -} \ No newline at end of file diff --git a/external/NWebsec/HttpHeaders/Configuration/IHstsConfiguration.cs b/external/NWebsec/HttpHeaders/Configuration/IHstsConfiguration.cs deleted file mode 100644 index e7b9d6fe..00000000 --- a/external/NWebsec/HttpHeaders/Configuration/IHstsConfiguration.cs +++ /dev/null @@ -1,19 +0,0 @@ -// Copyright (c) André N. Klingsheim. See License.txt in the project root for license information. - -using System; - -namespace NWebsec.Core.HttpHeaders.Configuration -{ - public interface IHstsConfiguration - { - TimeSpan MaxAge { get; set; } - - bool IncludeSubdomains { get; set; } - - bool Preload { get; set; } - - bool HttpsOnly { get; set; } - - bool UpgradeInsecureRequests { get; set; } - } -} \ No newline at end of file diff --git a/external/NWebsec/HttpHeaders/Configuration/IRedirectValidationConfiguration.cs b/external/NWebsec/HttpHeaders/Configuration/IRedirectValidationConfiguration.cs deleted file mode 100644 index ec65e254..00000000 --- a/external/NWebsec/HttpHeaders/Configuration/IRedirectValidationConfiguration.cs +++ /dev/null @@ -1,18 +0,0 @@ -// Copyright (c) André N. Klingsheim. See License.txt in the project root for license information. - -using System.Collections.Generic; - -namespace NWebsec.Core.HttpHeaders.Configuration -{ - public interface IRedirectValidationConfiguration - { - bool Enabled { get; set; } - - /// - /// URIs allowed for redirect. Strings in this list should be created with Uri.AbsoluteUri to assure consistency. - /// - IEnumerable AllowedUris { get; set; } - - ISameHostHttpsRedirectConfiguration SameHostRedirectConfiguration { get; set; } - } -} \ No newline at end of file diff --git a/external/NWebsec/HttpHeaders/Configuration/ISameHostHttpsRedirectConfiguration.cs b/external/NWebsec/HttpHeaders/Configuration/ISameHostHttpsRedirectConfiguration.cs deleted file mode 100644 index 34bae86f..00000000 --- a/external/NWebsec/HttpHeaders/Configuration/ISameHostHttpsRedirectConfiguration.cs +++ /dev/null @@ -1,10 +0,0 @@ -// Copyright (c) André N. Klingsheim. See License.txt in the project root for license information. - -namespace NWebsec.Core.HttpHeaders.Configuration -{ - public interface ISameHostHttpsRedirectConfiguration - { - bool Enabled { get; set; } - int[] Ports { get; set; } - } -} \ No newline at end of file diff --git a/external/NWebsec/HttpHeaders/Configuration/ISimpleBooleanConfiguration.cs b/external/NWebsec/HttpHeaders/Configuration/ISimpleBooleanConfiguration.cs deleted file mode 100644 index 358e3630..00000000 --- a/external/NWebsec/HttpHeaders/Configuration/ISimpleBooleanConfiguration.cs +++ /dev/null @@ -1,9 +0,0 @@ -// Copyright (c) André N. Klingsheim. See License.txt in the project root for license information. - -namespace NWebsec.Core.HttpHeaders.Configuration -{ - public interface ISimpleBooleanConfiguration - { - bool Enabled { get; set; } - } -} \ No newline at end of file diff --git a/external/NWebsec/HttpHeaders/Configuration/IXFrameOptionsConfiguration.cs b/external/NWebsec/HttpHeaders/Configuration/IXFrameOptionsConfiguration.cs deleted file mode 100644 index e4670685..00000000 --- a/external/NWebsec/HttpHeaders/Configuration/IXFrameOptionsConfiguration.cs +++ /dev/null @@ -1,9 +0,0 @@ -// Copyright (c) André N. Klingsheim. See License.txt in the project root for license information. - -namespace NWebsec.Core.HttpHeaders.Configuration -{ - public interface IXFrameOptionsConfiguration - { - XfoPolicy Policy { get; set; } - } -} \ No newline at end of file diff --git a/external/NWebsec/HttpHeaders/Configuration/IXRobotsTagConfiguration.cs b/external/NWebsec/HttpHeaders/Configuration/IXRobotsTagConfiguration.cs deleted file mode 100644 index 61cd9f45..00000000 --- a/external/NWebsec/HttpHeaders/Configuration/IXRobotsTagConfiguration.cs +++ /dev/null @@ -1,23 +0,0 @@ -// Copyright (c) André N. Klingsheim. See License.txt in the project root for license information. - -namespace NWebsec.Core.HttpHeaders.Configuration -{ - public interface IXRobotsTagConfiguration - { - bool Enabled { get; set; } - - bool NoIndex { get; set; } - - bool NoFollow { get; set; } - - bool NoSnippet { get; set; } - - bool NoArchive { get; set; } - - bool NoOdp { get; set; } - - bool NoTranslate { get; set; } - - bool NoImageIndex { get; set; } - } -} \ No newline at end of file diff --git a/external/NWebsec/HttpHeaders/Configuration/IXXssProtectionConfiguration.cs b/external/NWebsec/HttpHeaders/Configuration/IXXssProtectionConfiguration.cs deleted file mode 100644 index a3f6bb69..00000000 --- a/external/NWebsec/HttpHeaders/Configuration/IXXssProtectionConfiguration.cs +++ /dev/null @@ -1,11 +0,0 @@ -// Copyright (c) André N. Klingsheim. See License.txt in the project root for license information. - -namespace NWebsec.Core.HttpHeaders.Configuration -{ - public interface IXXssProtectionConfiguration - { - XXssPolicy Policy { get; set; } - - bool BlockMode { get; set; } - } -} \ No newline at end of file diff --git a/external/NWebsec/HttpHeaders/Configuration/RedirectValidationConfiguration.cs b/external/NWebsec/HttpHeaders/Configuration/RedirectValidationConfiguration.cs deleted file mode 100644 index b79dc5e2..00000000 --- a/external/NWebsec/HttpHeaders/Configuration/RedirectValidationConfiguration.cs +++ /dev/null @@ -1,19 +0,0 @@ -// Copyright (c) André N. Klingsheim. See License.txt in the project root for license information. - -using System.Collections.Generic; - -namespace NWebsec.Core.HttpHeaders.Configuration -{ - internal class RedirectValidationConfiguration : IRedirectValidationConfiguration - { - public RedirectValidationConfiguration() - { - AllowedUris = new string[0]; - SameHostRedirectConfiguration = new SameHostHttpsRedirectConfiguration(); - } - - public bool Enabled { get; set; } - public IEnumerable AllowedUris { get; set; } - public ISameHostHttpsRedirectConfiguration SameHostRedirectConfiguration { get; set; } - } -} \ No newline at end of file diff --git a/external/NWebsec/HttpHeaders/Configuration/SameHostHttpsRedirectConfiguration.cs b/external/NWebsec/HttpHeaders/Configuration/SameHostHttpsRedirectConfiguration.cs deleted file mode 100644 index 8f6fd881..00000000 --- a/external/NWebsec/HttpHeaders/Configuration/SameHostHttpsRedirectConfiguration.cs +++ /dev/null @@ -1,15 +0,0 @@ -// Copyright (c) André N. Klingsheim. See License.txt in the project root for license information. - -namespace NWebsec.Core.HttpHeaders.Configuration -{ - public class SameHostHttpsRedirectConfiguration : ISameHostHttpsRedirectConfiguration - { - public SameHostHttpsRedirectConfiguration() - { - Ports = new int[0]; - } - - public bool Enabled { get; set; } - public int[] Ports { get; set; } - } -} \ No newline at end of file diff --git a/external/NWebsec/HttpHeaders/Configuration/SimpleBooleanConfiguration.cs b/external/NWebsec/HttpHeaders/Configuration/SimpleBooleanConfiguration.cs deleted file mode 100644 index 87178674..00000000 --- a/external/NWebsec/HttpHeaders/Configuration/SimpleBooleanConfiguration.cs +++ /dev/null @@ -1,9 +0,0 @@ -// Copyright (c) André N. Klingsheim. See License.txt in the project root for license information. - -namespace NWebsec.Core.HttpHeaders.Configuration -{ - public class SimpleBooleanConfiguration : ISimpleBooleanConfiguration - { - public bool Enabled { get; set; } - } -} \ No newline at end of file diff --git a/external/NWebsec/HttpHeaders/Configuration/Validation/HpkpConfigurationValidator.cs b/external/NWebsec/HttpHeaders/Configuration/Validation/HpkpConfigurationValidator.cs deleted file mode 100644 index 1f642f6a..00000000 --- a/external/NWebsec/HttpHeaders/Configuration/Validation/HpkpConfigurationValidator.cs +++ /dev/null @@ -1,55 +0,0 @@ -// Copyright (c) André N. Klingsheim. See License.txt in the project root for license information. - -using System; -using System.Linq; -using System.Text.RegularExpressions; - -namespace NWebsec.Core.HttpHeaders.Configuration.Validation -{ - public class HpkpConfigurationValidator - { - private static readonly string[] ValidSchemes = { "http", "https" }; - - public void ValidateNumberOfPins(IHpkpConfiguration hpkpConfig) - { - if (hpkpConfig.MaxAge > TimeSpan.Zero && hpkpConfig.Pins.Count() < 2) - { - throw new Exception("You must supply two or more HPKP pins. One should represent a certificate currently in use, you should also include a backup pin for a cert/key not (yet) in use."); - } - } - - public void ValidateRawPin(string pin) - { - var bytes = Convert.FromBase64String(pin); - - if (bytes.Length != 32) - { - throw new Exception("Expected a 256 bit pin value, it was " + bytes.Length * 8 + " bits: " + pin); - } - } - - public void ValidateThumbprint(string thumbPrint) - { - if (Regex.IsMatch(thumbPrint, "^([a-fA-F0-9]{2} ?){19}[a-fA-F0-9]{2}$")) - { - return; - } - - throw new Exception("Malformed thumbprint, expected 20 HEX octets without any leading or trailing whitespace, was: " + thumbPrint); - } - - public void ValidateReportUri(string reportUri) - { - Uri result; - if (!Uri.TryCreate(reportUri, UriKind.Absolute, out result)) - { - throw new Exception("Report URIs must be absolute URIs. This is not: " + reportUri); - } - - if (!ValidSchemes.Any(s => s.Equals(result.Scheme))) - { - throw new Exception("Report URIs must have the http or https scheme. Got: " + reportUri); - } - } - } -} \ No newline at end of file diff --git a/external/NWebsec/HttpHeaders/Configuration/Validation/HstsConfigurationValidator.cs b/external/NWebsec/HttpHeaders/Configuration/Validation/HstsConfigurationValidator.cs deleted file mode 100644 index 7cd89510..00000000 --- a/external/NWebsec/HttpHeaders/Configuration/Validation/HstsConfigurationValidator.cs +++ /dev/null @@ -1,24 +0,0 @@ -// Copyright (c) André N. Klingsheim. See License.txt in the project root for license information. - -using System; - -namespace NWebsec.Core.HttpHeaders.Configuration.Validation -{ - public class HstsConfigurationValidator - { - public void Validate(IHstsConfiguration hstsConfig) - { - if (!hstsConfig.Preload) return; - - if (hstsConfig.UpgradeInsecureRequests) - { - throw new Exception("The Preload setting cannot be combined with the UpgradeInsecureRequests setting. Use one or the other."); - } - - if (hstsConfig.MaxAge.TotalSeconds < 10886400 || !hstsConfig.IncludeSubdomains) - { - throw new Exception("HSTS max age must be at least 18 weeks and includesubdomains must be enabled to use the preload directive."); - } - } - } -} \ No newline at end of file diff --git a/external/NWebsec/HttpHeaders/Configuration/Validation/Rfc2045MediaTypeValidator.cs b/external/NWebsec/HttpHeaders/Configuration/Validation/Rfc2045MediaTypeValidator.cs deleted file mode 100644 index 9868aed2..00000000 --- a/external/NWebsec/HttpHeaders/Configuration/Validation/Rfc2045MediaTypeValidator.cs +++ /dev/null @@ -1,51 +0,0 @@ -// Copyright (c) André N. Klingsheim. See License.txt in the project root for license information. - -using System; -using System.Linq; -using System.Text.RegularExpressions; - -namespace NWebsec.Core.HttpHeaders.Configuration.Validation -{ - public class Rfc2045MediaTypeValidator - { - private static readonly string[] ValidTypes = { "application", "audio", "image","model", "text", "video" }; - - public void Validate(string mediaType) - { - if (String.IsNullOrEmpty(mediaType)) throw new ArgumentException("String was null or empty", "mediaType"); - - var components = mediaType.Split(new[] { '/' }, 2); - var type = components[0]; - - if (!ValidTypes.Any(t => t.Equals(type, StringComparison.OrdinalIgnoreCase))) - { - var message = String.Format("Media type \"{0}\" did not match any of the expected types: {1}", mediaType, String.Join(", ", ValidTypes)); - throw new Exception(message); - } - - if (components.Length != 2) - { - throw new Exception("Invalid format for media type. Expected \"type/subtype\" but was: " + mediaType); - } - - var subType = components[1]; - - if (!Regex.IsMatch(subType, @"^[\x00-\x7F]*$")) - { - throw new Exception("Subtype contained characters from outside the US-ASCII range, was: " + subType); - } - - if (Regex.IsMatch(subType, @"[\x00-\x20\x7F]+")) - { - throw new Exception("Subtype contained the space character, or an ASCII control character."); - } - - var escapedTspecials = @"[()<>@,;:""\\/[\]?=]+"; - - if (Regex.IsMatch(subType, escapedTspecials)) - { - throw new Exception("Subtype contained one of the forbidden tspecial characters: " + Regex.Unescape(escapedTspecials)); - } - } - } -} \ No newline at end of file diff --git a/external/NWebsec/HttpHeaders/Configuration/Validation/XRobotsTagConfigurationValidator.cs b/external/NWebsec/HttpHeaders/Configuration/Validation/XRobotsTagConfigurationValidator.cs deleted file mode 100644 index 0f2efa91..00000000 --- a/external/NWebsec/HttpHeaders/Configuration/Validation/XRobotsTagConfigurationValidator.cs +++ /dev/null @@ -1,24 +0,0 @@ -// Copyright (c) André N. Klingsheim. See License.txt in the project root for license information. - -using System; - -namespace NWebsec.Core.HttpHeaders.Configuration.Validation -{ - public class XRobotsTagConfigurationValidator - { - public void Validate(IXRobotsTagConfiguration xRobotsConfig) - { - if (!xRobotsConfig.Enabled) return; - - if (xRobotsConfig.NoArchive || - xRobotsConfig.NoFollow || - xRobotsConfig.NoImageIndex || - xRobotsConfig.NoIndex || - xRobotsConfig.NoOdp || - xRobotsConfig.NoSnippet || - xRobotsConfig.NoTranslate) return; - throw new Exception( - "One or more directives must be enabled when header is enabled. Enable directives or disable header."); - } - } -} \ No newline at end of file diff --git a/external/NWebsec/HttpHeaders/Configuration/XFrameOptionsConfiguration.cs b/external/NWebsec/HttpHeaders/Configuration/XFrameOptionsConfiguration.cs deleted file mode 100644 index 4fa4776b..00000000 --- a/external/NWebsec/HttpHeaders/Configuration/XFrameOptionsConfiguration.cs +++ /dev/null @@ -1,9 +0,0 @@ -// Copyright (c) André N. Klingsheim. See License.txt in the project root for license information. - -namespace NWebsec.Core.HttpHeaders.Configuration -{ - public class XFrameOptionsConfiguration : IXFrameOptionsConfiguration - { - public XfoPolicy Policy { get; set; } - } -} \ No newline at end of file diff --git a/external/NWebsec/HttpHeaders/Configuration/XRobotsTagConfiguration.cs b/external/NWebsec/HttpHeaders/Configuration/XRobotsTagConfiguration.cs deleted file mode 100644 index 519c4656..00000000 --- a/external/NWebsec/HttpHeaders/Configuration/XRobotsTagConfiguration.cs +++ /dev/null @@ -1,16 +0,0 @@ -// Copyright (c) André N. Klingsheim. See License.txt in the project root for license information. - -namespace NWebsec.Core.HttpHeaders.Configuration -{ - public class XRobotsTagConfiguration : IXRobotsTagConfiguration - { - public bool Enabled { get; set; } - public bool NoIndex { get; set; } - public bool NoFollow { get; set; } - public bool NoSnippet { get; set; } - public bool NoArchive { get; set; } - public bool NoOdp { get; set; } - public bool NoTranslate { get; set; } - public bool NoImageIndex { get; set; } - } -} \ No newline at end of file diff --git a/external/NWebsec/HttpHeaders/Configuration/XXssProtectionConfiguration.cs b/external/NWebsec/HttpHeaders/Configuration/XXssProtectionConfiguration.cs deleted file mode 100644 index 1e3b3c2e..00000000 --- a/external/NWebsec/HttpHeaders/Configuration/XXssProtectionConfiguration.cs +++ /dev/null @@ -1,10 +0,0 @@ -// Copyright (c) André N. Klingsheim. See License.txt in the project root for license information. - -namespace NWebsec.Core.HttpHeaders.Configuration -{ - public class XXssProtectionConfiguration : IXXssProtectionConfiguration - { - public XXssPolicy Policy { get; set; } - public bool BlockMode { get; set; } - } -} \ No newline at end of file diff --git a/external/NWebsec/HttpHeaders/Csp/CspSourceParseResult.cs b/external/NWebsec/HttpHeaders/Csp/CspSourceParseResult.cs deleted file mode 100644 index 2db98051..00000000 --- a/external/NWebsec/HttpHeaders/Csp/CspSourceParseResult.cs +++ /dev/null @@ -1,12 +0,0 @@ -// Copyright (c) André N. Klingsheim. See License.txt in the project root for license information. - -namespace NWebsec.Core.HttpHeaders.Csp -{ - internal class CspSourceParseResult - { - public string Scheme { get; set; } - public string Host { get; set; } - public string Port { get; set; } - public string PathAndQuery { get; set; } - } -} \ No newline at end of file diff --git a/external/NWebsec/HttpHeaders/Csp/CspUriSource.cs b/external/NWebsec/HttpHeaders/Csp/CspUriSource.cs deleted file mode 100644 index 0b2b0575..00000000 --- a/external/NWebsec/HttpHeaders/Csp/CspUriSource.cs +++ /dev/null @@ -1,172 +0,0 @@ -// Copyright (c) André N. Klingsheim. See License.txt in the project root for license information. - -using System; -using System.Globalization; -using System.Linq; -using System.Text; -using System.Text.RegularExpressions; - -namespace NWebsec.Core.HttpHeaders.Csp -{ - public class CspUriSource - { - private const string HostRegex = @"^(\*\.)?([\p{Ll}\p{Lu}0-9\-]+)(\.[\p{Ll}\p{Lu}0-9\-]+)*$"; - private static readonly string SchemeOnlyRegex = "^[a-zA-Z]*[a-zA-Z0-9" + Regex.Escape("+.-") + "]:$"; - private static readonly string[] KnownSchemes = { "http", "https", "ws", "wss" }; - private readonly string _source; - - private CspUriSource(string source) - { - _source = source; - } - - // Returns the source as a string encoded according to the CSP spec. - public override string ToString() - { - return _source; - - } - - public static string EncodeUri(Uri uri) - { - - if (!uri.IsAbsoluteUri) - { - var uriString = uri.IsWellFormedOriginalString() ? uri.ToString() : Uri.EscapeUriString(uri.ToString()); - return EscapeReservedCspChars(uriString); - } - - var host = uri.Host; - var encodedHost = EncodeHostname(host); - - var needsReplacement = !host.Equals(encodedHost); - - var authority = uri.GetComponents(UriComponents.SchemeAndServer, UriFormat.SafeUnescaped); - - if (needsReplacement) - { - authority = authority.Replace(host, encodedHost); - } - - if (uri.PathAndQuery.Equals("/")) - { - return authority; - } - - return authority + EscapeReservedCspChars(uri.PathAndQuery); - } - - public static CspUriSource Parse(string source) - { - if (String.IsNullOrEmpty(source)) throw new ArgumentException("Value was null or empty", "source"); - - if (source.Equals("*")) return new CspUriSource(source); - - Uri uriResult; //TODO figure out what happened to known schemes. - if (Uri.TryCreate(source, UriKind.Absolute, out uriResult) && KnownSchemes.Contains(uriResult.Scheme)) - { - return new CspUriSource(EncodeUri(uriResult)); - } - - //Scheme only source - if (Regex.IsMatch(source, SchemeOnlyRegex)) return new CspUriSource(source.ToLower()); - - var parseResult = ParseSourceComponents(source); - var sb = new StringBuilder(); - - if (!String.IsNullOrEmpty(parseResult.Scheme)) - { - if (!Regex.IsMatch(parseResult.Scheme, SchemeOnlyRegex)) - { - throw new InvalidCspSourceException("Invalid scheme in CSP source: " + source); - } - sb.Append(parseResult.Scheme.ToLower()).Append("//"); - } - - if (String.IsNullOrEmpty(parseResult.Host)) - { - throw new InvalidCspSourceException("Could not parse host in CSP source: " + source); - } - - if (!Regex.IsMatch(parseResult.Host, HostRegex)) - { - throw new InvalidCspSourceException("Invalid host in CSP source: " + source); - - } - - sb.Append(EncodeHostname(parseResult.Host.ToLower())); - - if (!String.IsNullOrEmpty(parseResult.Port)) - { - if (!ValidatePort(parseResult.Port)) - { - throw new InvalidCspSourceException("Invalid port in CSP source: " + source); - } - sb.Append(":").Append(parseResult.Port); - } - - if (!String.IsNullOrEmpty(parseResult.PathAndQuery)) - { - sb.Append(EscapeReservedCspChars(Uri.EscapeUriString(parseResult.PathAndQuery))); - } - - return new CspUriSource(sb.ToString()); - } - - private static CspSourceParseResult ParseSourceComponents(string uri) - { - const string regex = @"^((?.*?:)\/\/)?" + // match anything up to :// - @"(?.*?[^:\/])" + //then match anything up to a : or / - @"(:(?(.*?[^\/])))?" + //then match port if exists up to a / - @"(?\/.*)?$"; //grab the rest - - var re = new Regex(regex, RegexOptions.ExplicitCapture); - var result = re.Match(uri); - - if (!result.Success) - { - throw new InvalidCspSourceException("Malformed CSP source: " + uri); - } - - return new CspSourceParseResult - { - Scheme = result.Groups["scheme"].Value, - Host = result.Groups["host"].Value, - Port = result.Groups["port"].Value, - PathAndQuery = result.Groups["pathAndQuery"].Value - }; - } - - private static string EncodeHostname(string hostname) - { - var idn = new IdnMapping(); - - return idn.GetAscii(hostname); - } - - private static string EscapeReservedCspChars(string pathAndQuery) - { - char[] encodeChars = { ';', ',' }; - - if (pathAndQuery.IndexOfAny(encodeChars) == -1) - { - return pathAndQuery; - } - - var sb = new StringBuilder(pathAndQuery); - sb.Replace(";", "%3B"); - sb.Replace(",", "%2C"); - - return sb.ToString(); - } - - private static bool ValidatePort(string port) - { - if (port.Equals("*")) return true; - - int portNumber; - var isInt = Int32.TryParse(port, out portNumber); - return isInt && portNumber > 0 && portNumber <= 65535; - } - } -} \ No newline at end of file diff --git a/external/NWebsec/HttpHeaders/Csp/InvalidCspSourceException.cs b/external/NWebsec/HttpHeaders/Csp/InvalidCspSourceException.cs deleted file mode 100644 index aa843f4a..00000000 --- a/external/NWebsec/HttpHeaders/Csp/InvalidCspSourceException.cs +++ /dev/null @@ -1,15 +0,0 @@ -// Copyright (c) André N. Klingsheim. See License.txt in the project root for license information. - -using System; - -namespace NWebsec.Core.HttpHeaders.Csp -{ - //[Serializable] - public class InvalidCspSourceException : Exception - { - public InvalidCspSourceException(string s) - : base(s) - { - } - } -} \ No newline at end of file diff --git a/external/NWebsec/HttpHeaders/HeaderConstants.cs b/external/NWebsec/HttpHeaders/HeaderConstants.cs deleted file mode 100644 index b43f4c41..00000000 --- a/external/NWebsec/HttpHeaders/HeaderConstants.cs +++ /dev/null @@ -1,47 +0,0 @@ -// Copyright (c) André N. Klingsheim. See License.txt in the project root for license information. - -namespace NWebsec.Core.HttpHeaders -{ - public class HeaderConstants - { - public static readonly string XFrameOptionsHeader = "X-Frame-Options"; - public static readonly string XRobotsTagHeader = "X-Robots-Tag"; - public static readonly string StrictTransportSecurityHeader = "Strict-Transport-Security"; - public static readonly string XContentTypeOptionsHeader = "X-Content-Type-Options"; - public static readonly string XDownloadOptionsHeader = "X-Download-Options"; - public static readonly string XXssProtectionHeader = "X-XSS-Protection"; - public static readonly string ContentSecurityPolicyHeader = "Content-Security-Policy"; - public static readonly string ContentSecurityPolicyReportOnlyHeader = "Content-Security-Policy-Report-Only"; - public static readonly string HpkpHeader = "Public-Key-Pins"; - public static readonly string HpkpReportOnlyHeader = "Public-Key-Pins-Report-Only"; - - public static readonly string[] CspSourceList = - { - "'none'", - "'self'", - "'unsafe-inline'", - "'unsafe-eval'" - }; - - public static readonly string[] CspDirectives = - { - "default-src", - "script-src", - "object-src", - "style-src", - "img-src", - "media-src", - "frame-src", - "font-src", - "connect-src", - "report-uri" - }; - - public static readonly string[] CspSchemes = - { - "data:", - "https:", - "http:" - }; - } -} \ No newline at end of file diff --git a/external/NWebsec/HttpHeaders/HeaderGenerator.cs b/external/NWebsec/HttpHeaders/HeaderGenerator.cs deleted file mode 100644 index 32af7dea..00000000 --- a/external/NWebsec/HttpHeaders/HeaderGenerator.cs +++ /dev/null @@ -1,373 +0,0 @@ -// Copyright (c) André N. Klingsheim. See License.txt in the project root for license information. - -using System; -using System.Collections.Generic; -using System.Linq; -using System.Text; -using NWebsec.Core.HttpHeaders.Configuration; - -namespace NWebsec.Core.HttpHeaders -{ - public class HeaderGenerator : IHeaderGenerator - { - public HeaderResult CreateXRobotsTagResult(IXRobotsTagConfiguration xRobotsTagConfig, - IXRobotsTagConfiguration oldXRobotsTagConfig = null) - { - if (oldXRobotsTagConfig != null && oldXRobotsTagConfig.Enabled && xRobotsTagConfig.Enabled == false) - { - return new HeaderResult(HeaderResult.ResponseAction.Remove, HeaderConstants.XRobotsTagHeader); - } - - if (xRobotsTagConfig.Enabled == false) - { - return null; - } - - var sb = new StringBuilder(); - sb.Append(xRobotsTagConfig.NoIndex ? "noindex, " : String.Empty); - sb.Append(xRobotsTagConfig.NoFollow ? "nofollow, " : String.Empty); - sb.Append(xRobotsTagConfig.NoSnippet && !xRobotsTagConfig.NoIndex ? "nosnippet, " : String.Empty); - sb.Append(xRobotsTagConfig.NoArchive && !xRobotsTagConfig.NoIndex ? "noarchive, " : String.Empty); - sb.Append(xRobotsTagConfig.NoOdp && !xRobotsTagConfig.NoIndex ? "noodp, " : String.Empty); - sb.Append(xRobotsTagConfig.NoTranslate && !xRobotsTagConfig.NoIndex ? "notranslate, " : String.Empty); - sb.Append(xRobotsTagConfig.NoImageIndex ? "noimageindex" : String.Empty); - var value = sb.ToString().TrimEnd(' ', ','); - - if (value.Length == 0) return null; - - return new HeaderResult(HeaderResult.ResponseAction.Set, HeaderConstants.XRobotsTagHeader, value); - } - - public HeaderResult CreateHstsResult(IHstsConfiguration hstsConfig) - { - if (hstsConfig.MaxAge < TimeSpan.Zero) return null; - - if (hstsConfig.Preload && (hstsConfig.MaxAge.TotalSeconds < 10886400 || !hstsConfig.IncludeSubdomains)) - { - return null; - } - - var seconds = (int)hstsConfig.MaxAge.TotalSeconds; - - var includeSubdomains = (hstsConfig.IncludeSubdomains ? "; includeSubdomains" : ""); - var preload = (hstsConfig.Preload ? "; preload" : ""); - var value = string.Format("max-age={0}{1}{2}", seconds, includeSubdomains, preload); - - return new HeaderResult(HeaderResult.ResponseAction.Set, HeaderConstants.StrictTransportSecurityHeader, - value); - } - - public HeaderResult CreateXContentTypeOptionsResult(ISimpleBooleanConfiguration xContentTypeOptionsConfig, - ISimpleBooleanConfiguration oldXContentTypeOptionsConfig = null) - { - if (oldXContentTypeOptionsConfig != null && oldXContentTypeOptionsConfig.Enabled && - !xContentTypeOptionsConfig.Enabled) - { - return new HeaderResult(HeaderResult.ResponseAction.Remove, HeaderConstants.XContentTypeOptionsHeader); - } - - return xContentTypeOptionsConfig.Enabled - ? new HeaderResult(HeaderResult.ResponseAction.Set, HeaderConstants.XContentTypeOptionsHeader, "nosniff") - : null; - } - - public HeaderResult CreateXDownloadOptionsResult(ISimpleBooleanConfiguration xDownloadOptionsConfig, - ISimpleBooleanConfiguration oldXDownloadOptionsConfig = null) - { - if (oldXDownloadOptionsConfig != null && oldXDownloadOptionsConfig.Enabled && - !xDownloadOptionsConfig.Enabled) - { - return new HeaderResult(HeaderResult.ResponseAction.Remove, HeaderConstants.XDownloadOptionsHeader); - } - return xDownloadOptionsConfig.Enabled - ? new HeaderResult(HeaderResult.ResponseAction.Set, HeaderConstants.XDownloadOptionsHeader, "noopen") - : null; - } - - public HeaderResult CreateXXssProtectionResult(IXXssProtectionConfiguration xXssProtectionConfig, - IXXssProtectionConfiguration oldXXssProtectionConfig = null) - { - if (oldXXssProtectionConfig != null && oldXXssProtectionConfig.Policy != XXssPolicy.Disabled && - xXssProtectionConfig.Policy == XXssPolicy.Disabled) - { - return new HeaderResult(HeaderResult.ResponseAction.Remove, HeaderConstants.XXssProtectionHeader); - } - - string value; - switch (xXssProtectionConfig.Policy) - { - case XXssPolicy.Disabled: - return null; - - case XXssPolicy.FilterDisabled: - value = "0"; - break; - - case XXssPolicy.FilterEnabled: - value = (xXssProtectionConfig.BlockMode ? "1; mode=block" : "1"); - break; - - default: - throw new NotImplementedException("Somebody apparently forgot to implement support for: " + - xXssProtectionConfig.Policy); - } - - return new HeaderResult(HeaderResult.ResponseAction.Set, HeaderConstants.XXssProtectionHeader, value); - } - - public HeaderResult CreateXfoResult(IXFrameOptionsConfiguration xfoConfig, - IXFrameOptionsConfiguration oldXfoConfig = null) - { - if (oldXfoConfig != null && oldXfoConfig.Policy != XfoPolicy.Disabled && - xfoConfig.Policy == XfoPolicy.Disabled) - { - return new HeaderResult(HeaderResult.ResponseAction.Remove, HeaderConstants.XFrameOptionsHeader); - } - - switch (xfoConfig.Policy) - { - case XfoPolicy.Disabled: - return null; - - case XfoPolicy.Deny: - return new HeaderResult(HeaderResult.ResponseAction.Set, HeaderConstants.XFrameOptionsHeader, "Deny"); - - case XfoPolicy.SameOrigin: - return new HeaderResult(HeaderResult.ResponseAction.Set, HeaderConstants.XFrameOptionsHeader, - "SameOrigin"); - - default: - throw new NotImplementedException("Apparently someone forgot to implement support for: " + - xfoConfig.Policy); - } - } - - public HeaderResult CreateHpkpResult(IHpkpConfiguration hpkpConfig, bool reportOnly) - { - if (hpkpConfig.MaxAge < TimeSpan.Zero || hpkpConfig.Pins == null || !hpkpConfig.Pins.Any()) return null; - - var headerName = reportOnly ? HeaderConstants.HpkpReportOnlyHeader : HeaderConstants.HpkpHeader; - - var seconds = (int)hpkpConfig.MaxAge.TotalSeconds; - //Unpinning. Save a few bytes by ignoring other directives. - if (seconds == 0) - { - return new HeaderResult(HeaderResult.ResponseAction.Set, headerName, "max-age=" + seconds); - } - - var sb = new StringBuilder(); - sb.Append("max-age=").Append(seconds).Append(";"); - - if (hpkpConfig.IncludeSubdomains) - { - sb.Append("includeSubdomains;"); - } - - foreach (var pin in hpkpConfig.Pins) - { - sb.Append("pin-").Append(pin).Append(";"); - } - - if (string.IsNullOrEmpty(hpkpConfig.ReportUri)) - { - sb.Remove(sb.Length - 1, 1); - } - else - { - sb.Append("report-uri=\"").Append(hpkpConfig.ReportUri).Append("\""); - } - - var value = sb.ToString(); - - return new HeaderResult(HeaderResult.ResponseAction.Set, headerName, value); - } - - public HeaderResult CreateCspResult(ICspConfiguration cspConfig, bool reportOnly, - string builtinReportHandlerUri = null, ICspConfiguration oldCspConfig = null) - { - var headerValue = cspConfig.Enabled ? CreateCspHeaderValue(cspConfig, builtinReportHandlerUri) : null; - - if (oldCspConfig != null && oldCspConfig.Enabled) - { - if (!cspConfig.Enabled || headerValue == null) - { - return new HeaderResult(HeaderResult.ResponseAction.Remove, - (reportOnly ? HeaderConstants.ContentSecurityPolicyReportOnlyHeader : HeaderConstants.ContentSecurityPolicyHeader)); - - } - } - - if (!cspConfig.Enabled || headerValue == null) - { - return null; - } - - return new HeaderResult(HeaderResult.ResponseAction.Set, - (reportOnly ? HeaderConstants.ContentSecurityPolicyReportOnlyHeader : HeaderConstants.ContentSecurityPolicyHeader), headerValue); - } - - private string CreateCspHeaderValue(ICspConfiguration config, string builtinReportHandlerUri = null) - { - var sb = new StringBuilder(); - - AppendDirective(sb, "default-src", GetDirectiveList(config.DefaultSrcDirective)); - AppendDirective(sb, "script-src", GetDirectiveList(config.ScriptSrcDirective)); - AppendDirective(sb, "object-src", GetDirectiveList(config.ObjectSrcDirective)); - AppendDirective(sb, "style-src", GetDirectiveList(config.StyleSrcDirective)); - AppendDirective(sb, "img-src", GetDirectiveList(config.ImgSrcDirective)); - AppendDirective(sb, "media-src", GetDirectiveList(config.MediaSrcDirective)); - AppendDirective(sb, "frame-src", GetDirectiveList(config.FrameSrcDirective)); - AppendDirective(sb, "font-src", GetDirectiveList(config.FontSrcDirective)); - AppendDirective(sb, "connect-src", GetDirectiveList(config.ConnectSrcDirective)); - AppendDirective(sb, "base-uri", GetDirectiveList(config.BaseUriDirective)); - AppendDirective(sb, "child-src", GetDirectiveList(config.ChildSrcDirective)); - AppendDirective(sb, "form-action", GetDirectiveList(config.FormActionDirective)); - AppendDirective(sb, "frame-ancestors", GetDirectiveList(config.FrameAncestorsDirective)); - AppendDirective(sb, "plugin-types", GetPluginTypesDirectiveList(config.PluginTypesDirective)); - AppendDirective(sb, "sandbox", GetSandboxDirectiveList(config.SandboxDirective)); - AppendUpgradeDirective(sb, "upgrade-insecure-requests", config.UpgradeInsecureRequestsDirective); - - if (sb.Length == 0) return null; - - AppendDirective(sb, "report-uri", - GetReportUriList(config.ReportUriDirective, builtinReportHandlerUri)); - - //Get rid of trailing ; - sb.Length--; - return sb.ToString(); - } - - private void AppendDirective(StringBuilder sb, string directiveName, List sources) - { - if (sources == null) return; - - sb.Append(directiveName); - - foreach (var source in sources) - { - sb.Append(' ').Append(source); - } - - sb.Append(';'); - } - - private void AppendUpgradeDirective(StringBuilder sb, string directiveName, ICspUpgradeDirectiveConfiguration config) - { - if (!config.Enabled) return; - - sb.Append(directiveName); - sb.Append(';'); - } - - private List GetDirectiveList(ICspDirectiveConfiguration directive) - { - if (directive == null || !directive.Enabled) - return null; - - var sources = new List(); - - if (directive.NoneSrc) - { - sources.Add("'none'"); - } - - if (directive.SelfSrc) - { - sources.Add("'self'"); - } - - if (directive.UnsafeInlineSrc) - { - sources.Add("'unsafe-inline'"); - } - - if (!String.IsNullOrEmpty(directive.Nonce)) - { - var nonce = $"'nonce-{directive.Nonce}'"; - sources.Add(nonce); - } - - if (directive.UnsafeEvalSrc) - { - sources.Add("'unsafe-eval'"); - } - - if (directive.CustomSources != null) - { - sources.AddRange(directive.CustomSources); - } - - return sources.Count > 0 ? sources : null; - } - - private List GetPluginTypesDirectiveList(ICspPluginTypesDirectiveConfiguration directive) - { - if (directive == null || !directive.Enabled || !directive.MediaTypes.Any()) - return null; - - //We know there are MediaTypes, so not null. - return new List(directive.MediaTypes); - } - - private List GetSandboxDirectiveList(ICspSandboxDirectiveConfiguration directive) - { - if (directive == null || !directive.Enabled) - return null; - - var sources = new List(); - - if (directive.AllowForms) - { - sources.Add("allow-forms"); - } - - if (directive.AllowPointerLock) - { - sources.Add("allow-pointer-lock"); - } - - if (directive.AllowPopups) - { - sources.Add("allow-popups"); - } - - if (directive.AllowSameOrigin) - { - sources.Add("allow-same-origin"); - } - - if (directive.AllowScripts) - { - sources.Add("allow-scripts"); - } - - if (directive.AllowTopNavigation) - { - sources.Add("allow-top-navigation"); - } - - return sources; //We want to return empty list and not null - } - - private List GetReportUriList(ICspReportUriDirectiveConfiguration directive, - string builtinReportHandlerUri = null) - { - if (directive == null || !directive.Enabled) - return null; - - var reportUris = new List(); - - if (directive.EnableBuiltinHandler) - { - reportUris.Add(builtinReportHandlerUri); - } - - if (directive.ReportUris != null) - { - reportUris.AddRange(directive.ReportUris); - } - - return reportUris.Count > 0 ? reportUris : null; - } - } -} diff --git a/external/NWebsec/HttpHeaders/HeaderResult.cs b/external/NWebsec/HttpHeaders/HeaderResult.cs deleted file mode 100644 index 1a330aba..00000000 --- a/external/NWebsec/HttpHeaders/HeaderResult.cs +++ /dev/null @@ -1,25 +0,0 @@ -// Copyright (c) André N. Klingsheim. See License.txt in the project root for license information. - -namespace NWebsec.Core.HttpHeaders -{ - public class HeaderResult - { - public enum ResponseAction - { - Set = 0, - Remove = 1 - } - - public HeaderResult(ResponseAction action, string name, string value = null) - { - Action = action; - Name = name; - Value = value; - } - - - public ResponseAction Action { get; set; } - public string Name { get; set; } - public string Value { get; set; } - } -} \ No newline at end of file diff --git a/external/NWebsec/HttpHeaders/IHeaderGenerator.cs b/external/NWebsec/HttpHeaders/IHeaderGenerator.cs deleted file mode 100644 index f2ea02a9..00000000 --- a/external/NWebsec/HttpHeaders/IHeaderGenerator.cs +++ /dev/null @@ -1,31 +0,0 @@ -// Copyright (c) André N. Klingsheim. See License.txt in the project root for license information. - -using NWebsec.Core.HttpHeaders.Configuration; - -namespace NWebsec.Core.HttpHeaders -{ - public interface IHeaderGenerator - { - HeaderResult CreateXRobotsTagResult(IXRobotsTagConfiguration xRobotsTagConfig, - IXRobotsTagConfiguration oldXRobotsTagConfig = null); - - HeaderResult CreateHstsResult(IHstsConfiguration hstsConfig); - - HeaderResult CreateXContentTypeOptionsResult(ISimpleBooleanConfiguration xContentTypeOptionsConfig, - ISimpleBooleanConfiguration oldXContentTypeOptionsConfig = null); - - HeaderResult CreateXDownloadOptionsResult(ISimpleBooleanConfiguration xDownloadOptionsConfig, - ISimpleBooleanConfiguration oldXDownloadOptionsConfig = null); - - HeaderResult CreateXXssProtectionResult(IXXssProtectionConfiguration xXssProtectionConfig, - IXXssProtectionConfiguration oldXXssProtectionConfig = null); - - HeaderResult CreateXfoResult(IXFrameOptionsConfiguration xfoConfig, - IXFrameOptionsConfiguration oldXfoConfig = null); - - HeaderResult CreateCspResult(ICspConfiguration cspConfig, bool reportOnly, - string builtinReportHandlerUri = null, ICspConfiguration oldCspConfig = null); - - HeaderResult CreateHpkpResult(IHpkpConfiguration hpkpConfig, bool reportOnly); - } -} \ No newline at end of file diff --git a/external/NWebsec/HttpHeaders/XXssPolicy.cs b/external/NWebsec/HttpHeaders/XXssPolicy.cs deleted file mode 100644 index 03e9055c..00000000 --- a/external/NWebsec/HttpHeaders/XXssPolicy.cs +++ /dev/null @@ -1,22 +0,0 @@ -// Copyright (c) André N. Klingsheim. See License.txt in the project root for license information. - -namespace NWebsec.Core.HttpHeaders -{ - public enum XXssPolicy - { - /// Specifies that the X-Xss-Protection header should not be set in the HTTP response. - Disabled, - - /// - /// Specifies that the X-Xss-Protection header should be set in the HTTP response, explicitly disabling the IE XSS - /// filter. - /// - FilterDisabled, - - /// - /// Specifies that the X-Xss-Protection header should be set in the HTTP response, explicitly enabling the IE XSS - /// filter. - /// - FilterEnabled - } -} \ No newline at end of file diff --git a/external/NWebsec/HttpHeaders/XfoPolicy.cs b/external/NWebsec/HttpHeaders/XfoPolicy.cs deleted file mode 100644 index 37a9a77a..00000000 --- a/external/NWebsec/HttpHeaders/XfoPolicy.cs +++ /dev/null @@ -1,22 +0,0 @@ -// Copyright (c) André N. Klingsheim. See License.txt in the project root for license information. - -namespace NWebsec.Core.HttpHeaders -{ - public enum XfoPolicy - { - /// Specifies that the X-Frame-Options header should not be set in the HTTP response. - Disabled, - - /// - /// Specifies that the X-Frame-Options header should be set in the HTTP response, instructing the browser to not - /// display the page when it is loaded in an iframe. - /// - Deny, - - /// - /// Specifies that the X-Frame-Options header should be set in the HTTP response, instructing the browser to - /// display the page when it is loaded in an iframe - but only if the iframe is from the same origin as the page. - /// - SameOrigin - } -} \ No newline at end of file diff --git a/external/NWebsec/IFluentCspOptions.cs b/external/NWebsec/IFluentCspOptions.cs deleted file mode 100644 index b9264df7..00000000 --- a/external/NWebsec/IFluentCspOptions.cs +++ /dev/null @@ -1,142 +0,0 @@ -// Copyright (c) André N. Klingsheim. See License.txt in the project root for license information. - -using System; -using NWebsec.Core.Fluent; -using NWebsec.Core.HttpHeaders.Configuration; - -namespace NWebsec.Middleware -{ - /// - /// Fluent interface to configure options for Content-Security-Options. - /// - public interface IFluentCspOptions : IFluentInterface - { - /// - /// Configures the default-src directive (CSP 1.0). - /// - /// An that configures the sources for the directive. - /// The current instance. - IFluentCspOptions DefaultSources(Action configurer); - - /// - /// Configures the script-src directive (CSP 1.0). - /// - /// An that configures the sources for the directive. - /// The current instance. - IFluentCspOptions ScriptSources(Action configurer); - - /// - /// Configures the object-src directive (CSP 1.0). - /// - /// An that configures the sources for the directive. - /// The current instance. - IFluentCspOptions ObjectSources(Action configurer); - - /// - /// Configures the style-src directive (CSP 1.0). - /// - /// An that configures the sources for the directive. - /// The current instance. - IFluentCspOptions StyleSources(Action configurer); - - /// - /// Configures the image-src directive (CSP 1.0). - /// - /// An that configures the sources for the directive. - /// The current instance. - IFluentCspOptions ImageSources(Action configurer); - - /// - /// Configures the media-src directive (CSP 1.0). - /// - /// An that configures the sources for the directive. - /// The current instance. - IFluentCspOptions MediaSources(Action configurer); - - /// - /// Configures the frame-src directive (CSP 1.0). - /// - /// An that configures the sources for the directive. - /// The current instance. - IFluentCspOptions FrameSources(Action configurer); - - /// - /// Configures the font-src directive (CSP 1.0). - /// - /// An that configures the sources for the directive. - /// The current instance. - IFluentCspOptions FontSources(Action configurer); - - /// - /// Configures the connect-src directive (CSP 1.0). - /// - /// An that configures the sources for the directive. - /// The current instance. - IFluentCspOptions ConnectSources(Action configurer); - - /// - /// Configures the base-uri directive (CSP 2). - /// - /// An that configures the sources for the directive. - /// The current instance. - IFluentCspOptions BaseUris(Action configurer); - - /// - /// Configures the child-src directive (CSP 2). - /// - /// An that configures the sources for the directive. - /// The current instance. - IFluentCspOptions ChildSources(Action configurer); - - /// - /// Configures the form-action directive (CSP 2). - /// - /// An that configures the sources for the directive. - /// The current instance. - IFluentCspOptions FormActions(Action configurer); - - /// - /// Configures the fram-ancestors directive (CSP 2). - /// - /// An that configures the sources for the directive. - /// The current instance. - IFluentCspOptions FrameAncestors(Action configurer); - - /// - /// Configures the plugin-types directive (CSP 2). - /// - /// An that configures the media types for the directive. - /// The current instance. - IFluentCspOptions PluginTypes(Action configurer); - - /// - /// Enables the sandbox directive (CSP 2) without further ado. - /// - /// Support for this directive was optional in CSP 1.0, but is mandatory as of CSP 2. - /// The current instance. - IFluentCspOptions Sandbox(); - - /// - /// Configures the sandbox directive (CSP 2) with one or more sources. - /// - /// Support for this directive was optional in CSP 1.0, but is mandatory as of CSP 2. - /// An that configures the sources for the directive. - /// The current instance. - IFluentCspOptions Sandbox(Action configurer); - - /// - /// Enables the upgrade-insecure-requests directive and redirects conformant UAs to HTTPS. - /// - /// This directive is not part of CSP 1.0 or CSP 2, but is described in a separate specification. - /// The HTTPS port. Defaults to 443. - /// The current instance. - IFluentCspOptions UpgradeInsecureRequests(int httpsPort = 443); - - /// - /// Configures the report-uri directive (CSP 1.0). Support for absolute URIs was introduced in CSP 2. - /// - /// An that configures the report URIs. - /// The current instance. - IFluentCspOptions ReportUris(Action configurer); - } -} \ No newline at end of file diff --git a/external/NWebsec/IFluentCspPluginTypesDirective.cs b/external/NWebsec/IFluentCspPluginTypesDirective.cs deleted file mode 100644 index 6a216b8f..00000000 --- a/external/NWebsec/IFluentCspPluginTypesDirective.cs +++ /dev/null @@ -1,14 +0,0 @@ -// Copyright (c) André N. Klingsheim. See License.txt in the project root for license information. - -using NWebsec.Core.Fluent; - -namespace NWebsec.Middleware -{ - public interface IFluentCspPluginTypesDirective : IFluentInterface - { - /// - /// Sets the media types for the CSP plugin-types directive. - /// - void MediaTypes(params string[] pluginType); - } -} \ No newline at end of file diff --git a/external/NWebsec/IFluentCspReportUriDirective.cs b/external/NWebsec/IFluentCspReportUriDirective.cs deleted file mode 100644 index 4d0f1205..00000000 --- a/external/NWebsec/IFluentCspReportUriDirective.cs +++ /dev/null @@ -1,18 +0,0 @@ -// Copyright (c) André N. Klingsheim. See License.txt in the project root for license information. - -using NWebsec.Core.Fluent; - -namespace NWebsec.Middleware -{ - /// - /// Fluent interface to configure report URIs. - /// - public interface IFluentCspReportUriDirective : IFluentInterface - { - /// - /// Sets report URIs for the CSP directive. - /// - /// One or more report URIs. - void Uris(params string[] reportUris); - } -} \ No newline at end of file diff --git a/external/NWebsec/IFluentCspSandboxDirective.cs b/external/NWebsec/IFluentCspSandboxDirective.cs deleted file mode 100644 index a9e47f69..00000000 --- a/external/NWebsec/IFluentCspSandboxDirective.cs +++ /dev/null @@ -1,39 +0,0 @@ -// Copyright (c) André N. Klingsheim. See License.txt in the project root for license information. - -using NWebsec.Core.Fluent; - -namespace NWebsec.Middleware -{ - public interface IFluentCspSandboxDirective : IFluentInterface - { - /// - /// Sets the 'allow-forms' source for the CSP sandbox directive. - /// - IFluentCspSandboxDirective AllowForms(); - - /// - /// Sets the 'allow-pointer-lock' source for the CSP sandbox directive. - /// - IFluentCspSandboxDirective AllowPointerLock(); - - /// - /// Sets the 'allow-popups' source for the CSP sandbox directive. - /// - IFluentCspSandboxDirective AllowPopups(); - - /// - /// Sets the 'allow-same-origin' source for the CSP sandbox directive. - /// - IFluentCspSandboxDirective AllowSameOrigin(); - - /// - /// Sets the 'allow-scripts' source for the CSP sandbox directive. - /// - IFluentCspSandboxDirective AllowScripts(); - - /// - /// Sets the 'allow-top-navigation' source for the CSP sandbox directive. - /// - IFluentCspSandboxDirective AllowTopNavigation(); - } -} \ No newline at end of file diff --git a/external/NWebsec/IFluentHpkpOptions.cs b/external/NWebsec/IFluentHpkpOptions.cs deleted file mode 100644 index 71a1459a..00000000 --- a/external/NWebsec/IFluentHpkpOptions.cs +++ /dev/null @@ -1,62 +0,0 @@ -// Copyright (c) André N. Klingsheim. See License.txt in the project root for license information. - -using System; -using System.Security.Cryptography.X509Certificates; -using NWebsec.Core.Fluent; - -namespace NWebsec.Middleware -{ - /// - /// Fluent interface to configure options for Http Strict Transport Security. - /// - public interface IFluentHpkpOptions : IFluentInterface - { - /// - /// Specifies the max age for the HPKP header. - /// - /// The number of days added to max age. - /// The number of hours added to max age. - /// The number of minutes added to max age. - /// The number of seconds added to max age. - /// The current instance. - /// Thrown if a negative value was supplied in any of the parameters. - IFluentHpkpOptions MaxAge(int days = 0, int hours = 0, int minutes = 0, int seconds = 0); - - /// - /// Enables the IncludeSubdomains directive in the HPKP header. - /// - /// The current instance. - IFluentHpkpOptions IncludeSubdomains(); - - /// - /// Specifies a report URI where the browser can send HPKP violations. - /// - /// The report URI, which is an absolute URI with scheme http or https. - /// The current instance. - IFluentHpkpOptions ReportUri(string reportUri); - - /// - /// Specifies that the HPKP header should also be set for HTTP responses. The header is always set for HTTPS responses. - /// - /// The HPKP standard specifies that the header should only be set over secure connections, which is the default behavior. - /// This configuration option exists to accomodate websites running behind an SSL terminator. - /// The current instance. - IFluentHpkpOptions AllResponses(); - - /// - /// Specifies one or more certificate pins to include in the HPKP header. A certificate pin is the Base64 encoded SHA-256 hash value of a certficate's SPKI. - /// - /// One or more certficate pin values. - /// The current instance. - IFluentHpkpOptions Sha256Pins(params string[] pins); - - /// - /// Specifies a certificate that should be pinned in the HPKP header. - /// - /// The certificate thumbprint. - /// The for the certificate. The default is . - /// The for the certificate. The default is . - /// The current instance. - IFluentHpkpOptions PinCertificate(string thumbprint, StoreLocation storeLocation = StoreLocation.LocalMachine, StoreName storeName = StoreName.My); - } -} \ No newline at end of file diff --git a/external/NWebsec/IFluentHstsOptions.cs b/external/NWebsec/IFluentHstsOptions.cs deleted file mode 100644 index 0e27633f..00000000 --- a/external/NWebsec/IFluentHstsOptions.cs +++ /dev/null @@ -1,59 +0,0 @@ -// Copyright (c) André N. Klingsheim. See License.txt in the project root for license information. - -using System; -using NWebsec.Core.Fluent; - -namespace NWebsec.Middleware -{ - /// - /// Fluent interface to configure options for Http Strict Transport Security. - /// - public interface IFluentHstsOptions : IFluentInterface - { - /// - /// Specifies the max age for the HSTS header. - /// - /// The number of days added to max age. - /// The number of hours added to max age. - /// The number of minutes added to max age. - /// The number of seconds added to max age. - /// The current instance. - /// Thrown if a negative value was supplied in any of the parameters. - IFluentHstsOptions MaxAge(int days = 0, int hours = 0, int minutes = 0, int seconds = 0); - - /// - /// Enables the IncludeSubdomains directive in the Hsts header. - /// - /// The current instance. - IFluentHstsOptions IncludeSubdomains(); - - /// - /// Enables the Preload directive in the HSTS header. MaxAge must be at least 18 weeks, and IncludeSubdomains must be enabled. - /// - /// Read more about preloaded HSTS sites at www.chromium.org/sts - /// The current instance. - IFluentHstsOptions Preload(); - - /// - /// Sets the HSTS header only when the user agent signals that it supports the upgrade-insecure-requests CSP directive. - /// - /// This setting is intended to be used in combination with the upgrade-insecure-requests CSP directive. - /// The current instance. - IFluentHstsOptions UpgradeInsecureRequests(); - - /// - /// Specifies that the HSTS header should also be set for HTTP responses. The header is always set for HTTPS responses. - /// - /// The HSTS standard specifies that the header should only be set over secure connections, which is the default behavior. - /// This configuration option exists to accomodate websites running behind an SSL terminator. - /// The current instance. - IFluentHstsOptions AllResponses(); - - /// - /// Specifies that the HSTS header should be set for HTTPS responses only. - /// - /// The current instance. - [Obsolete("This method is deprecated as the default has been changed to HTTPS only.", false)] - IFluentHstsOptions HttpsOnly(); - } -} \ No newline at end of file diff --git a/external/NWebsec/IFluentRedirectValidationOptions.cs b/external/NWebsec/IFluentRedirectValidationOptions.cs deleted file mode 100644 index edc80103..00000000 --- a/external/NWebsec/IFluentRedirectValidationOptions.cs +++ /dev/null @@ -1,26 +0,0 @@ -// Copyright (c) André N. Klingsheim. See License.txt in the project root for license information. - -using NWebsec.Core.Fluent; - -namespace NWebsec.Middleware -{ - /// - /// Fluent interface to configure options for redirect validation. - /// - public interface IFluentRedirectValidationOptions : IFluentInterface - { - /// - /// Configures the allowed redirect destinations. These must be well formed absolute URIs. - /// - /// Allowed redirect destinations. - /// The current instance. - IFluentRedirectValidationOptions AllowedDestinations(params string[] uris); - - /// - /// Allows same host redirects to HTTPS. - /// - /// Allowed destination port(s) for redirects to HTTPS. The default HTTPS port (443) is assumed if no values are configured. - /// The current instance. - IFluentRedirectValidationOptions AllowSameHostRedirectsToHttps(params int[] httpsPorts); - } -} \ No newline at end of file diff --git a/external/NWebsec/IFluentXFrameOptions.cs b/external/NWebsec/IFluentXFrameOptions.cs deleted file mode 100644 index 895649ab..00000000 --- a/external/NWebsec/IFluentXFrameOptions.cs +++ /dev/null @@ -1,22 +0,0 @@ -// Copyright (c) André N. Klingsheim. See License.txt in the project root for license information. - -using NWebsec.Core.Fluent; - -namespace NWebsec.Middleware -{ - /// - /// Fluent interface to configure options for X-Frame-Options. - /// - public interface IFluentXFrameOptions : IFluentInterface - { - /// - /// Enables the Deny directive. - /// - void Deny(); - - /// - /// Enables the SameOrigin directive. - /// - void SameOrigin(); - } -} \ No newline at end of file diff --git a/external/NWebsec/IFluentXRobotsTagOptions.cs b/external/NWebsec/IFluentXRobotsTagOptions.cs deleted file mode 100644 index 905503db..00000000 --- a/external/NWebsec/IFluentXRobotsTagOptions.cs +++ /dev/null @@ -1,54 +0,0 @@ -// Copyright (c) André N. Klingsheim. See License.txt in the project root for license information. - -using NWebsec.Core.Fluent; - -namespace NWebsec.Middleware -{ - /// - /// Fluent interface to configure options for X-Robots-Tag. - /// - public interface IFluentXRobotsTagOptions : IFluentInterface - { - /// - /// Enables the noindex directive. - /// - /// The current instance. - IFluentXRobotsTagOptions NoIndex(); - - /// - /// Enables the nofollow directive. - /// - /// The current instance. - IFluentXRobotsTagOptions NoFollow(); - - /// - /// Enables the nosnippet directive. - /// - /// The current instance. - IFluentXRobotsTagOptions NoSnippet(); - - /// - /// Enables the noarchive directive. - /// - /// The current instance. - IFluentXRobotsTagOptions NoArchive(); - - /// - /// Enables the noodp directive. - /// - /// The current instance. - IFluentXRobotsTagOptions NoOdp(); - - /// - /// Enables the notranslate directive. - /// - /// The current instance. - IFluentXRobotsTagOptions NoTranslate(); - - /// - /// Enables the noimageindex directive. - /// - /// The current instance. - IFluentXRobotsTagOptions NoImageIndex(); - } -} \ No newline at end of file diff --git a/external/NWebsec/IFluentXXssProtectionOptions.cs b/external/NWebsec/IFluentXXssProtectionOptions.cs deleted file mode 100644 index 6be70b39..00000000 --- a/external/NWebsec/IFluentXXssProtectionOptions.cs +++ /dev/null @@ -1,27 +0,0 @@ -// Copyright (c) André N. Klingsheim. See License.txt in the project root for license information. - -using NWebsec.Core.Fluent; - -namespace NWebsec.Middleware -{ - /// - /// Fluent interface to configure options for X-Xss-Protection. - /// - public interface IFluentXXssProtectionOptions : IFluentInterface - { - /// - /// Configures the header to explicitly disable protection. - /// - void Disabled(); - - /// - /// Configures the header to explicitly enable protection. - /// - void Enabled(); - - /// - /// Configures the header to explicitly enable protection with block mode. - /// - void EnabledWithBlockMode(); - } -} \ No newline at end of file diff --git a/external/NWebsec/Middleware/CspMiddleware.cs b/external/NWebsec/Middleware/CspMiddleware.cs deleted file mode 100644 index 6f1c26f6..00000000 --- a/external/NWebsec/Middleware/CspMiddleware.cs +++ /dev/null @@ -1,88 +0,0 @@ -// Copyright (c) André N. Klingsheim. See License.txt in the project root for license information. - -using System; -using System.Threading.Tasks; -using Microsoft.AspNetCore.Builder; -using Microsoft.AspNetCore.Http; -using NWebsec.Core.Extensions; -using NWebsec.Core.HttpHeaders; -using NWebsec.Core.HttpHeaders.Configuration; -using NWebsec.Middleware.Helpers; - -namespace NWebsec.Middleware.Middleware -{ - public class CspMiddleware - { - private readonly ICspConfiguration _config; - private readonly HeaderResult _headerResult; - private readonly bool _reportOnly; - private readonly RequestDelegate _next; - - public CspMiddleware(RequestDelegate next, ICspConfiguration options, bool reportOnly) - { - _next = next; - _config = options; - _reportOnly = reportOnly; - - var headerGenerator = new HeaderGenerator(); - _headerResult = headerGenerator.CreateCspResult(_config, reportOnly); - } - - public async Task Invoke(HttpContext context) - { - - if (HandleUpgradeInsecureRequest(context)) - { - return; - } - - SetCspHeaders(context); - - if (_next != null) - { - await _next(context); - } - - } - - internal bool HandleUpgradeInsecureRequest(HttpContext context) - { - //Already on https. - if (context.Request.IsHttps) return false; - - //CSP upgrade-insecure-requests is disabled - if (!_config.Enabled || !_config.UpgradeInsecureRequestsDirective.Enabled) return false; - - if (!CspUpgradeHelper.UaSupportsUpgradeInsecureRequests(context)) return false; - - var upgradeUri = new UriBuilder($"https://{context.Request.Host}") - { - Port = _config.UpgradeInsecureRequestsDirective.HttpsPort, - Path = context.Request.PathBase + context.Request.Path - }; - - //Redirect - context.Response.Headers["Vary"] = "Upgrade-Insecure-Requests"; - context.Response.Headers["Location"] = upgradeUri.Uri.AbsoluteUri; - context.Response.StatusCode = 307; - return true; - } - - internal void SetCspHeaders(HttpContext context) - { - if (_reportOnly) - { - context.GetNWebsecContext().CspReportOnly = _config; - } - else - { - context.GetNWebsecContext().Csp = _config; - } - - if (_headerResult.Action == HeaderResult.ResponseAction.Set) - { - context.Response.Headers[_headerResult.Name] = _headerResult.Value; - } - } - } -} \ No newline at end of file diff --git a/external/NWebsec/Middleware/HpkpMiddleware.cs b/external/NWebsec/Middleware/HpkpMiddleware.cs deleted file mode 100644 index 2a744860..00000000 --- a/external/NWebsec/Middleware/HpkpMiddleware.cs +++ /dev/null @@ -1,39 +0,0 @@ -// Copyright (c) André N. Klingsheim. See License.txt in the project root for license information. - -using Microsoft.AspNetCore.Builder; -using Microsoft.AspNetCore.Http; -using NWebsec.Core.HttpHeaders; -using NWebsec.Core.HttpHeaders.Configuration; - -namespace NWebsec.Middleware.Middleware -{ - - public class HpkpMiddleware : MiddlewareBase - { - private readonly IHpkpConfiguration _config; - private readonly HeaderResult _headerResult; - - public HpkpMiddleware(RequestDelegate next, HpkpOptions options, bool reportOnly) - : base(next) - { - _config = options.Config; - - var headerGenerator = new HeaderGenerator(); - _headerResult = headerGenerator.CreateHpkpResult(_config, reportOnly); - } - - internal override void PreInvokeNext(HttpContext context) - { - - if (_config.HttpsOnly && !context.Request.IsHttps) - { - return; - } - - if (_headerResult.Action == HeaderResult.ResponseAction.Set) - { - context.Response.Headers[_headerResult.Name] = _headerResult.Value; - } - } - } -} \ No newline at end of file diff --git a/external/NWebsec/Middleware/HstsMiddleware.cs b/external/NWebsec/Middleware/HstsMiddleware.cs deleted file mode 100644 index 84cd404f..00000000 --- a/external/NWebsec/Middleware/HstsMiddleware.cs +++ /dev/null @@ -1,46 +0,0 @@ -// Copyright (c) André N. Klingsheim. See License.txt in the project root for license information. - -using Microsoft.AspNetCore.Builder; -using Microsoft.AspNetCore.Http; -using NWebsec.Core.HttpHeaders; -using NWebsec.Core.HttpHeaders.Configuration; -using NWebsec.Middleware.Helpers; - -namespace NWebsec.Middleware.Middleware -{ - - public class HstsMiddleware : MiddlewareBase - { - private readonly IHstsConfiguration _config; - private readonly HeaderResult _headerResult; - private const string Https = "https"; - - public HstsMiddleware(RequestDelegate next, HstsOptions options) - : base(next) - { - _config = options; - - var headerGenerator = new HeaderGenerator(); - _headerResult = headerGenerator.CreateHstsResult(_config); - } - - internal override void PreInvokeNext(HttpContext context) - { - - if (_config.HttpsOnly && !context.Request.IsHttps) - { - return; - } - - if (_config.UpgradeInsecureRequests && !CspUpgradeHelper.UaSupportsUpgradeInsecureRequests(context)) - { - return; - } - - if (_headerResult.Action == HeaderResult.ResponseAction.Set) - { - context.Response.Headers[_headerResult.Name] = _headerResult.Value; - } - } - } -} \ No newline at end of file diff --git a/external/NWebsec/Middleware/MiddleWareBase.cs b/external/NWebsec/Middleware/MiddleWareBase.cs deleted file mode 100644 index 7227d537..00000000 --- a/external/NWebsec/Middleware/MiddleWareBase.cs +++ /dev/null @@ -1,39 +0,0 @@ -// Copyright (c) André N. Klingsheim. See License.txt in the project root for license information. - -using System.Threading.Tasks; -using Microsoft.AspNetCore.Builder; -using Microsoft.AspNetCore.Http; - -namespace NWebsec.Middleware.Middleware -{ - public class MiddlewareBase - { - private readonly RequestDelegate _next; - - public MiddlewareBase(RequestDelegate next) - { - _next = next; - } - - public async Task Invoke(HttpContext context) - { - - PreInvokeNext(context); - - if (_next != null) - { - await _next(context); - } - - PostInvokeNext(context); - } - - internal virtual void PreInvokeNext(HttpContext context) - { - } - - internal virtual void PostInvokeNext(HttpContext context) - { - } - } -} \ No newline at end of file diff --git a/external/NWebsec/Middleware/RedirectValidationMiddleware.cs b/external/NWebsec/Middleware/RedirectValidationMiddleware.cs deleted file mode 100644 index eff6c6fa..00000000 --- a/external/NWebsec/Middleware/RedirectValidationMiddleware.cs +++ /dev/null @@ -1,39 +0,0 @@ -// Copyright (c) André N. Klingsheim. See License.txt in the project root for license information. - -using System; -using Microsoft.AspNetCore.Builder; -using Microsoft.AspNetCore.Http; -using NWebsec.Core; - -namespace NWebsec.Middleware.Middleware -{ - - public class RedirectValidationMiddleware : MiddlewareBase - { - private readonly RedirectValidationOptions _config; - private readonly RedirectValidator _redirectValidator; - - public RedirectValidationMiddleware(RequestDelegate next, RedirectValidationOptions options) - : base(next) - { - _config = options; - _redirectValidator = new RedirectValidator(); - } - - internal override void PostInvokeNext(HttpContext context) - { - var statusCode = context.Response.StatusCode; - - if (!_redirectValidator.IsRedirectStatusCode(statusCode)) - { - return; - } - - var scheme = context.Request.Scheme; - var hostandport = context.Request.Host; - var requestUri = new Uri(scheme + "://" + hostandport); - - _redirectValidator.ValidateRedirect(statusCode, context.Response.Headers["Location"], requestUri, _config); - } - } -} \ No newline at end of file diff --git a/external/NWebsec/Middleware/XContentTypeOptionsMiddleware.cs b/external/NWebsec/Middleware/XContentTypeOptionsMiddleware.cs deleted file mode 100644 index be22465d..00000000 --- a/external/NWebsec/Middleware/XContentTypeOptionsMiddleware.cs +++ /dev/null @@ -1,34 +0,0 @@ -// Copyright (c) André N. Klingsheim. See License.txt in the project root for license information. - -using Microsoft.AspNetCore.Builder; -using Microsoft.AspNetCore.Http; -using NWebsec.Core.Extensions; -using NWebsec.Core.HttpHeaders; -using NWebsec.Core.HttpHeaders.Configuration; - -namespace NWebsec.Middleware.Middleware -{ - public class XContentTypeOptionsMiddleware : MiddlewareBase - { - private readonly ISimpleBooleanConfiguration _config; - private readonly HeaderResult _headerResult; - - public XContentTypeOptionsMiddleware(RequestDelegate next) - : base(next) - { - _config = new SimpleBooleanConfiguration { Enabled = true }; - var headerGenerator = new HeaderGenerator(); - _headerResult = headerGenerator.CreateXContentTypeOptionsResult(_config); - } - - internal override void PreInvokeNext(HttpContext owinEnvironment) - { - owinEnvironment.GetNWebsecContext().XContentTypeOptions = _config; - - if (_headerResult.Action == HeaderResult.ResponseAction.Set) - { - owinEnvironment.Response.Headers[_headerResult.Name] = _headerResult.Value; - } - } - } -} \ No newline at end of file diff --git a/external/NWebsec/Middleware/XDownloadOptionsMiddleware.cs b/external/NWebsec/Middleware/XDownloadOptionsMiddleware.cs deleted file mode 100644 index 2347028a..00000000 --- a/external/NWebsec/Middleware/XDownloadOptionsMiddleware.cs +++ /dev/null @@ -1,34 +0,0 @@ -// Copyright (c) André N. Klingsheim. See License.txt in the project root for license information. - -using Microsoft.AspNetCore.Builder; -using Microsoft.AspNetCore.Http; -using NWebsec.Core.Extensions; -using NWebsec.Core.HttpHeaders; -using NWebsec.Core.HttpHeaders.Configuration; - -namespace NWebsec.Middleware.Middleware -{ - public class XDownloadOptionsMiddleware : MiddlewareBase - { - private readonly ISimpleBooleanConfiguration _config; - private readonly HeaderResult _headerResult; - - public XDownloadOptionsMiddleware(RequestDelegate next) - : base(next) - { - _config = new SimpleBooleanConfiguration { Enabled = true }; - var headerGenerator = new HeaderGenerator(); - _headerResult = headerGenerator.CreateXDownloadOptionsResult(_config); - } - - internal override void PreInvokeNext(HttpContext owinEnvironment) - { - owinEnvironment.GetNWebsecContext().XDownloadOptions = _config; - - if (_headerResult.Action == HeaderResult.ResponseAction.Set) - { - owinEnvironment.Response.Headers[_headerResult.Name]= _headerResult.Value; - } - } - } -} \ No newline at end of file diff --git a/external/NWebsec/Middleware/XRobotsTagMiddleware.cs b/external/NWebsec/Middleware/XRobotsTagMiddleware.cs deleted file mode 100644 index 3c1a29e1..00000000 --- a/external/NWebsec/Middleware/XRobotsTagMiddleware.cs +++ /dev/null @@ -1,36 +0,0 @@ -// Copyright (c) André N. Klingsheim. See License.txt in the project root for license information. - -using Microsoft.AspNetCore.Builder; -using Microsoft.AspNetCore.Http; -using NWebsec.Core.Extensions; -using NWebsec.Core.HttpHeaders; -using NWebsec.Core.HttpHeaders.Configuration; - -namespace NWebsec.Middleware.Middleware -{ - - public class XRobotsTagMiddleware : MiddlewareBase - { - private readonly IXRobotsTagConfiguration _config; - private readonly HeaderResult _headerResult; - - public XRobotsTagMiddleware(RequestDelegate next, XRobotsTagOptions options) - : base(next) - { - _config = options.Config; - - var headerGenerator = new HeaderGenerator(); - _headerResult = headerGenerator.CreateXRobotsTagResult(_config); - } - - internal override void PreInvokeNext(HttpContext owinEnvironment) - { - owinEnvironment.GetNWebsecContext().XRobotsTag = _config; - - if (_headerResult.Action == HeaderResult.ResponseAction.Set) - { - owinEnvironment.Response.Headers[_headerResult.Name] = _headerResult.Value; - } - } - } -} \ No newline at end of file diff --git a/external/NWebsec/Middleware/XXssMiddleware.cs b/external/NWebsec/Middleware/XXssMiddleware.cs deleted file mode 100644 index ed285016..00000000 --- a/external/NWebsec/Middleware/XXssMiddleware.cs +++ /dev/null @@ -1,34 +0,0 @@ -// Copyright (c) André N. Klingsheim. See License.txt in the project root for license information. - -using Microsoft.AspNetCore.Builder; -using Microsoft.AspNetCore.Http; -using NWebsec.Core.Extensions; -using NWebsec.Core.HttpHeaders; -using NWebsec.Core.HttpHeaders.Configuration; - -namespace NWebsec.Middleware.Middleware -{ - public class XXssMiddleware : MiddlewareBase - { - private readonly IXXssProtectionConfiguration _config; - private readonly HeaderResult _headerResult; - - public XXssMiddleware(RequestDelegate next, XXssProtectionOptions options) - : base(next) - { - _config = options; - var headerGenerator = new HeaderGenerator(); - _headerResult = headerGenerator.CreateXXssProtectionResult(_config); - } - - internal override void PreInvokeNext(HttpContext owinEnvironment) - { - owinEnvironment.GetNWebsecContext().XXssProtection = _config; - - if (_headerResult.Action == HeaderResult.ResponseAction.Set) - { - owinEnvironment.Response.Headers[_headerResult.Name] = _headerResult.Value; - } - } - } -} \ No newline at end of file diff --git a/external/NWebsec/Middleware/XfoMiddleware.cs b/external/NWebsec/Middleware/XfoMiddleware.cs deleted file mode 100644 index d91648b7..00000000 --- a/external/NWebsec/Middleware/XfoMiddleware.cs +++ /dev/null @@ -1,33 +0,0 @@ -// Copyright (c) André N. Klingsheim. See License.txt in the project root for license information. - -using Microsoft.AspNetCore.Builder; -using Microsoft.AspNetCore.Http; -using NWebsec.Core.Extensions; -using NWebsec.Core.HttpHeaders; -using NWebsec.Core.HttpHeaders.Configuration; - -namespace NWebsec.Middleware.Middleware -{ - public class XfoMiddleware : MiddlewareBase - { - private readonly IXFrameOptionsConfiguration _config; - private readonly HeaderResult _headerResult; - - public XfoMiddleware(RequestDelegate next, XFrameOptions options) - : base(next) - { - _config = options; - var headerGenerator = new HeaderGenerator(); - _headerResult = headerGenerator.CreateXfoResult(_config); - } - - internal override void PreInvokeNext(HttpContext owinEnvironment) - { - owinEnvironment.GetNWebsecContext().XFrameOptions = _config; - if (_headerResult.Action == HeaderResult.ResponseAction.Set) - { - owinEnvironment.Response.Headers[_headerResult.Name] = _headerResult.Value; - } - } - } -} \ No newline at end of file diff --git a/external/NWebsec/NWebsec.xproj b/external/NWebsec/NWebsec.xproj deleted file mode 100644 index 21daa66c..00000000 --- a/external/NWebsec/NWebsec.xproj +++ /dev/null @@ -1,21 +0,0 @@ - - - - 14.0 - $(MSBuildExtensionsPath32)\Microsoft\VisualStudio\v$(VisualStudioVersion) - - - - 38c8e88f-1d01-466f-b47d-6d67f13c1594 - NWebsec.Middleware - .\obj - .\bin\ - - - 2.0 - - - True - - - \ No newline at end of file diff --git a/external/NWebsec/NWebsecContext.cs b/external/NWebsec/NWebsecContext.cs deleted file mode 100644 index 649467f3..00000000 --- a/external/NWebsec/NWebsecContext.cs +++ /dev/null @@ -1,28 +0,0 @@ -// Copyright (c) André N. Klingsheim. See License.txt in the project root for license information. - -using NWebsec.Core.HttpHeaders.Configuration; - -namespace NWebsec.Core -{ - public class NWebsecContext - { - public static readonly string ContextKey = "nwebsec.Context"; - - public ISimpleBooleanConfiguration NoCacheHeaders { get; set; } - public ISimpleBooleanConfiguration XContentTypeOptions { get; set; } - public ISimpleBooleanConfiguration XDownloadOptions { get; set; } - public IXFrameOptionsConfiguration XFrameOptions { get; set; } - public IXRobotsTagConfiguration XRobotsTag { get; set; } - public IXXssProtectionConfiguration XXssProtection { get; set; } - public ICspConfiguration Csp { get; set; } - public ICspConfiguration CspReportOnly { get; set; } - - public ConfigurationOverrides ConfigOverrides { get; set; } - } - - public class ConfigurationOverrides - { - public ICspConfiguration CspOverride { get; set; } - public ICspConfiguration CspReportOnlyOverride { get; set; } - } -} \ No newline at end of file diff --git a/external/NWebsec/RedirectValidationOptions.cs b/external/NWebsec/RedirectValidationOptions.cs deleted file mode 100644 index ea147e33..00000000 --- a/external/NWebsec/RedirectValidationOptions.cs +++ /dev/null @@ -1,61 +0,0 @@ -// Copyright (c) André N. Klingsheim. See License.txt in the project root for license information. - -using System; -using System.Collections.Generic; -using System.Globalization; -using System.Linq; -using NWebsec.Core.HttpHeaders.Configuration; - -namespace NWebsec.Middleware -{ - public class RedirectValidationOptions : IRedirectValidationConfiguration, IFluentRedirectValidationOptions - { - public RedirectValidationOptions() - { - Enabled = true; - AllowedUris = new string[0]; - SameHostRedirectConfiguration = new SameHostHttpsRedirectConfiguration(); - } - - public bool Enabled { get; set; } - public IEnumerable AllowedUris { get; set; } - public ISameHostHttpsRedirectConfiguration SameHostRedirectConfiguration { get; set; } - - public IFluentRedirectValidationOptions AllowedDestinations(params string[] uris) - { - if (uris.Length == 0) throw new ArgumentException("You must supply at least one redirect URI."); - - var validatedUris = new List(); - - foreach (var uri in uris) - { - Uri result; - if (!Uri.TryCreate(uri, UriKind.Absolute, out result)) - { - throw new ArgumentException("Redirect URIs must be well formed absolute URIs. Offending URI: " + uri); - } - validatedUris.Add(result.AbsoluteUri); - } - - AllowedUris = validatedUris.ToArray(); - return this; - } - - public IFluentRedirectValidationOptions AllowSameHostRedirectsToHttps(params int[] httpsPorts) - { - var invalidPorts = httpsPorts.Where(p => p < 1 || p > 65535).ToArray(); - - if (invalidPorts.Length > 0) - { - var ports = String.Join(" ", invalidPorts.Select(p => p.ToString(CultureInfo.InvariantCulture)).ToArray()); - var invalidPortNumberMessage = "Invalid ports configured. Port number(s) must be in the range 1-65535. Offending ports: " + ports; - throw new ArgumentOutOfRangeException(invalidPortNumberMessage); - } - - SameHostRedirectConfiguration.Enabled = true; - SameHostRedirectConfiguration.Ports = httpsPorts; - - return this; - } - } -} \ No newline at end of file diff --git a/external/NWebsec/RedirectValidator.cs b/external/NWebsec/RedirectValidator.cs deleted file mode 100644 index 028f6a27..00000000 --- a/external/NWebsec/RedirectValidator.cs +++ /dev/null @@ -1,83 +0,0 @@ -// Copyright (c) André N. Klingsheim. See License.txt in the project root for license information. - -using System; -using System.Linq; -using NWebsec.Core.Exceptions; -using NWebsec.Core.HttpHeaders.Configuration; - -namespace NWebsec.Core -{ - public class RedirectValidator - { - public void ValidateRedirect(int statusCode, string locationHeader, Uri requestAuthority, - IRedirectValidationConfiguration config) - { - if (!config.Enabled) - { - return; - } - - //Not a redirect - if (!IsRedirectStatusCode(statusCode)) - { - return; - } - - //No location header - if (String.IsNullOrEmpty(locationHeader)) - { - return; - } - - Uri locationUri; - if (!Uri.TryCreate(locationHeader, UriKind.RelativeOrAbsolute, out locationUri)) - { - throw new Exception("Unable to parse location header value as URI. Value was: " + locationHeader); - } - - //Relative Uri - if (!locationUri.IsAbsoluteUri) - { - return; - } - - // Same origin TODO look into URL encoding - if (locationUri.GetComponents(UriComponents.SchemeAndServer, UriFormat.SafeUnescaped).Equals(requestAuthority.GetComponents(UriComponents.SchemeAndServer,UriFormat.SafeUnescaped))) - { - return; - } - - //Same host https - if (config.SameHostRedirectConfiguration.Enabled && locationUri.Scheme.Equals("https") && requestAuthority.Host.Equals(locationUri.Host)) - { - var sameHostConfig = config.SameHostRedirectConfiguration; - - if (sameHostConfig.Ports.Length == 0 && locationUri.IsDefaultPort) - { - return; - } - - if (sameHostConfig.Ports.Contains(locationUri.Port)) - { - return; - } - throw new RedirectValidationException("A potentially dangerous redirect was detected. Allow same host redirects to this port number in configuration if the redirect was intended. Offending redirect: " + locationHeader); - } - - // Allowed Uri - if (config.AllowedUris.Any(locationUri.AbsoluteUri.StartsWith)) - { - return; - } - - throw new RedirectValidationException( - "A potentially dangerous redirect was detected. Add the destination to the whitelist in configuration if the redirect was intended. Offending redirect: " + - locationHeader); - } - - public bool IsRedirectStatusCode(int statusCode) - { - return statusCode >= 300 && statusCode < 400 && statusCode != 304; - } - } -} \ No newline at end of file diff --git a/external/NWebsec/XFrameOptions.cs b/external/NWebsec/XFrameOptions.cs deleted file mode 100644 index 4ff567f4..00000000 --- a/external/NWebsec/XFrameOptions.cs +++ /dev/null @@ -1,27 +0,0 @@ -// Copyright (c) André N. Klingsheim. See License.txt in the project root for license information. - -using NWebsec.Core.HttpHeaders; -using NWebsec.Core.HttpHeaders.Configuration; - -namespace NWebsec.Middleware -{ - public class XFrameOptions : IXFrameOptionsConfiguration, IFluentXFrameOptions - { - internal XFrameOptions() - { - Policy = XfoPolicy.Disabled; - } - - public XfoPolicy Policy { get; set; } - - public void Deny() - { - Policy = XfoPolicy.Deny; - } - - public void SameOrigin() - { - Policy = XfoPolicy.SameOrigin; - } - } -} \ No newline at end of file diff --git a/external/NWebsec/XRobotsTagOptions.cs b/external/NWebsec/XRobotsTagOptions.cs deleted file mode 100644 index d6961886..00000000 --- a/external/NWebsec/XRobotsTagOptions.cs +++ /dev/null @@ -1,58 +0,0 @@ -// Copyright (c) André N. Klingsheim. See License.txt in the project root for license information. - -using NWebsec.Core.HttpHeaders.Configuration; - -namespace NWebsec.Middleware -{ - public class XRobotsTagOptions : IFluentXRobotsTagOptions - { - internal XRobotsTagOptions() - { - Config = new XRobotsTagConfiguration(); - } - - internal XRobotsTagConfiguration Config { get; private set; } - - public IFluentXRobotsTagOptions NoIndex() - { - Config.NoIndex = Config.Enabled = true; - return this; - } - - public IFluentXRobotsTagOptions NoFollow() - { - Config.NoFollow = Config.Enabled = true; - return this; - } - - public IFluentXRobotsTagOptions NoSnippet() - { - Config.NoSnippet = Config.Enabled = true; - return this; - } - - public IFluentXRobotsTagOptions NoArchive() - { - Config.NoArchive = Config.Enabled = true; - return this; - } - - public IFluentXRobotsTagOptions NoOdp() - { - Config.NoOdp = Config.Enabled = true; - return this; - } - - public IFluentXRobotsTagOptions NoTranslate() - { - Config.NoTranslate = Config.Enabled = true; - return this; - } - - public IFluentXRobotsTagOptions NoImageIndex() - { - Config.NoImageIndex = Config.Enabled = true; - return this; - } - } -} \ No newline at end of file diff --git a/external/NWebsec/XXssProtectionOptions.cs b/external/NWebsec/XXssProtectionOptions.cs deleted file mode 100644 index 8618e7e1..00000000 --- a/external/NWebsec/XXssProtectionOptions.cs +++ /dev/null @@ -1,38 +0,0 @@ -// Copyright (c) André N. Klingsheim. See License.txt in the project root for license information. - -using System.ComponentModel; -using NWebsec.Core.HttpHeaders; -using NWebsec.Core.HttpHeaders.Configuration; - -namespace NWebsec.Middleware -{ - public class XXssProtectionOptions : IXXssProtectionConfiguration, IFluentXXssProtectionOptions - { - internal XXssProtectionOptions() - { - Policy = XXssPolicy.Disabled; - } - - [EditorBrowsable(EditorBrowsableState.Never)] - public XXssPolicy Policy { get; set; } - - [EditorBrowsable(EditorBrowsableState.Never)] - public bool BlockMode { get; set; } - - public void Disabled() - { - Policy = XXssPolicy.FilterDisabled; - } - - public void Enabled() - { - Policy = XXssPolicy.FilterEnabled; - } - - public void EnabledWithBlockMode() - { - Policy = XXssPolicy.FilterEnabled; - BlockMode = true; - } - } -} \ No newline at end of file diff --git a/external/NWebsec/project.json b/external/NWebsec/project.json deleted file mode 100644 index 888ae43e..00000000 --- a/external/NWebsec/project.json +++ /dev/null @@ -1,39 +0,0 @@ -{ - "version": "1.0.0-internal-*", - - "description": "NWebsec middleware for ASP.NET 5 applications. NWebsec helps you set important security headers and detect potentially dangerous redirects. See project website for documentation.", - "authors": [ "André N. Klingsheim" ], - - "packOptions": { - "title": "NWebsec.Middleware (ASP.NET 5)", - "releaseNotes": "This release includes core functions for the NWebsec security libaries.", - "owners": [ "André N. Klingsheim" ], - "copyright": "Copyright © 2014 - 2015", - "tags": [ "NWebsec Security AspNet AppSec" ], - "projectUrl": "https://docs.nwebsec.com/en/latest/", - "licenseUrl": "https://github.com/NWebsec/NWebsec/blob/master/LICENSE", - "iconUrl": "https://klings.blob.core.windows.net/nwebsecicon/nwebsec_nuget.png", - }, - - "shared": "**/**.cs", - - "frameworks": { - "net451": { }, - - "netstandard1.3": { - "dependencies": { - "Microsoft.CSharp": "4.0.1-rc2-24027", - "System.Runtime": "4.1.0-rc2-24027" - }, - - "imports": [ - "dotnet5.4", - "portable-net451+win8" - ] - } - }, - - "dependencies": { - "Microsoft.AspNetCore.Http.Abstractions": "1.0.0-rc2-final" - } -} diff --git a/samples/Mvc.Server/Startup.cs b/samples/Mvc.Server/Startup.cs index 439516b3..7c3f37cd 100644 --- a/samples/Mvc.Server/Startup.cs +++ b/samples/Mvc.Server/Startup.cs @@ -11,7 +11,7 @@ using Microsoft.Extensions.Configuration; using Microsoft.Extensions.DependencyInjection; using Mvc.Server.Models; using Mvc.Server.Services; -using NWebsec.Middleware; +using NWebsec.AspNetCore.Middleware; using OpenIddict; using OpenIddict.Models; diff --git a/src/OpenIddict.Security/OpenIddictExtensions.cs b/src/OpenIddict.Security/OpenIddictExtensions.cs index 95b782f6..2d7329ba 100644 --- a/src/OpenIddict.Security/OpenIddictExtensions.cs +++ b/src/OpenIddict.Security/OpenIddictExtensions.cs @@ -1,7 +1,7 @@ using System; using JetBrains.Annotations; using Microsoft.AspNetCore.Cors.Infrastructure; -using NWebsec.Middleware; +using NWebsec.AspNetCore.Middleware; namespace Microsoft.AspNetCore.Builder { public static class OpenIddictExtensions { diff --git a/src/OpenIddict.Security/project.json b/src/OpenIddict.Security/project.json index 7e3b01aa..303290a4 100644 --- a/src/OpenIddict.Security/project.json +++ b/src/OpenIddict.Security/project.json @@ -35,16 +35,16 @@ "dependencies": { "JetBrains.Annotations": { "type": "build", "version": "10.1.4" }, "Microsoft.AspNetCore.Cors": "1.0.0-rc2-final", - "NWebsec": { "target": "project", "type": "build" }, + "NWebsec.AspNetCore.Middleware": "1.0.0-gamma-5", "OpenIddict.Core": { "target": "project" } }, "frameworks": { "net451": { }, - "netstandard1.4": { + "netstandard1.5": { "imports": [ - "dotnet5.5", + "dotnet5.6", "portable-net451+win8" ] }