Breaking: Replace .SetRequireRequestSignature() and .AddSigningKey with .SetRequestSignatureOptions()

lilith · lilith · commit 64410259dcdf · 2020-10-29T18:00:07.000-06:00
diff --git a/README.md b/README.md
@@ -198,10 +198,14 @@ namespace Imageflow.Server.Example
                     .SetCommand("width", "1024")
                     .SetCommand("height", "1024")
                     .SetCommand("mode", "max"))
-                //When set to true, this only allows urls with a &signature, returning 403 if missing/invalid. 
-                //Use Imazen.Common.Helpers.Signatures.SignRequest(string pathAndQuery, string signingKey) to generate
-                .SetRequireRequestSignature(false)
-                .AddRequestSigningKey("test key")
+                // When set, this only allows urls with a &signature, returning 403 if missing/invalid. 
+                // Use Imazen.Common.Helpers.Signatures.SignRequest(string pathAndQuery, string signingKey) to generate
+                //.ForPrefix allows you to set less restrictive rules for subfolders. 
+                // For example, you may want to allow unmodified requests through with SignatureRequired.ForQuerystringRequests
+                .SetRequestSignatureOptions(
+                        new RequestSignatureOptions(SignatureRequired.ForAllRequests, new []{"test key"})
+                            .ForPrefix("/logos/", StringComparison.Ordinal, 
+                                SignatureRequired.ForQuerystringRequests, new []{"test key"}))
                 // It's a good idea to limit image sizes for security. Requests causing these to be exceeded will fail
                 // The last argument to FrameSizeLimit() is the maximum number of megapixels
                 .SetJobSecurityOptions(new SecurityOptions()
diff --git a/examples/Imageflow.Server.Example/Startup.cs b/examples/Imageflow.Server.Example/Startup.cs
@@ -127,10 +127,14 @@ public void Configure(IApplicationBuilder app, IWebHostEnvironment env)
                     .SetCommand("width", "1024")
                     .SetCommand("height", "1024")
                     .SetCommand("mode", "max"))
-                //When set to true, this only allows urls with a &signature, returning 403 if missing/invalid. 
-                //Use Imazen.Common.Helpers.Signatures.SignRequest(string pathAndQuery, string signingKey) to generate
-                .SetRequireRequestSignature(false)
-                .AddRequestSigningKey("test key")
+                // When set, this only allows urls with a &signature, returning 403 if missing/invalid. 
+                // Use Imazen.Common.Helpers.Signatures.SignRequest(string pathAndQuery, string signingKey) to generate
+                //.ForPrefix allows you to set less restrictive rules for subfolders. 
+                // For example, you may want to allow unmodified requests through with SignatureRequired.ForQuerystringRequests
+                .SetRequestSignatureOptions(
+                    new RequestSignatureOptions(SignatureRequired.ForAllRequests, new []{"test key"})
+                        .ForPrefix("/logos/", StringComparison.Ordinal, 
+                            SignatureRequired.ForQuerystringRequests, new []{"test key"}))
                 // It's a good idea to limit image sizes for security. Requests causing these to be exceeded will fail
                 // The last argument to FrameSizeLimit() is the maximum number of megapixels
                 .SetJobSecurityOptions(new SecurityOptions()
diff --git a/src/Imageflow.Server/ImageJobInfo.cs b/src/Imageflow.Server/ImageJobInfo.cs
@@ -219,15 +219,22 @@ private bool ProcessRewritesAndAuthorization(HttpContext context, ImageflowMiddl
 
         private bool VerifySignature(HttpContext context, ImageflowMiddlewareOptions options)
         {
+            if (options.RequestSignatureOptions == null) return true;
+
+            var (requirement, signingKeys) = options.RequestSignatureOptions
+                .GetRequirementForPath(context.Request.Path.Value);
+
+            var queryString = context.Request.QueryString.ToString();
+
             var pathAndQuery = context.Request.PathBase.HasValue
                 ? "/" + context.Request.PathBase.Value.TrimStart('/')
                 : "";
-            pathAndQuery += context.Request.Path.ToString() + context.Request.QueryString.ToString();
+            pathAndQuery += context.Request.Path.ToString() + queryString;
 
             pathAndQuery = Signatures.NormalizePathAndQueryForSigning(pathAndQuery);
             if (context.Request.Query.TryGetValue("signature", out var actualSignature))
             {
-                foreach (var key in options.SigningKeys)
+                foreach (var key in signingKeys)
                 {
                     var expectedSignature = Signatures.SignString(pathAndQuery, key, 16);
                     if (expectedSignature == actualSignature) return true;
@@ -238,9 +245,17 @@ private bool VerifySignature(HttpContext context, ImageflowMiddlewareOptions opt
 
             }
 
-            // A missing signature is only a problem if they are required
-            if (!options.RequireRequestSignature) return true;
-
+            if (requirement == SignatureRequired.Never)
+            {
+                return true;
+            }
+            if (requirement == SignatureRequired.ForQuerystringRequests)
+            {
+                if (queryString.Length <= 0) return true;
+                
+                AuthorizedMessage = "Image processing requests must be signed. No &signature query key found. ";
+                return false;
+            }
             AuthorizedMessage = "Image requests must be signed. No &signature query key found. ";
             return false;
 
diff --git a/src/Imageflow.Server/ImageflowMiddlewareOptions.cs b/src/Imageflow.Server/ImageflowMiddlewareOptions.cs
@@ -33,11 +33,10 @@ public ImageflowMiddlewareOptions()
         public bool MapWebRoot { get; set; }
 
         public bool UsePresetsExclusively { get; set; }
-
-        public bool RequireRequestSignature { get; set; }
         
         public string DefaultCacheControlString { get; set; }
         
+        public RequestSignatureOptions RequestSignatureOptions { get; set; }
         public SecurityOptions JobSecurityOptions { get; set; }
         
         internal readonly List<UrlHandler<Action<UrlEventArgs>>> Rewrite = new List<UrlHandler<Action<UrlEventArgs>>>();
@@ -52,8 +51,6 @@ public ImageflowMiddlewareOptions()
         internal readonly Dictionary<string, string> CommandDefaults = new Dictionary<string, string>(StringComparer.OrdinalIgnoreCase);
         
         internal readonly Dictionary<string, PresetOptions> Presets = new Dictionary<string, PresetOptions>(StringComparer.OrdinalIgnoreCase);
-
-        internal readonly List<string> SigningKeys = new List<string>();
         
         internal readonly List<ExtensionlessPath> ExtensionlessPaths = new List<ExtensionlessPath>();
         /// <summary>
@@ -84,9 +81,9 @@ public ImageflowMiddlewareOptions HandleExtensionlessRequestsUnder(string prefix
             return this;
         }
         
-        public ImageflowMiddlewareOptions AddRequestSigningKey(string key)
+        public ImageflowMiddlewareOptions SetRequestSignatureOptions(RequestSignatureOptions options)
         {
-            SigningKeys.Add(key);
+            RequestSignatureOptions = options;
             return this;
         }
         
@@ -112,12 +109,6 @@ public ImageflowMiddlewareOptions AddWatermarkingHandler(string pathPrefix, Acti
             return this;
         }
         
-        public ImageflowMiddlewareOptions SetRequireRequestSignature(bool value)
-        {
-            RequireRequestSignature = value;
-            return this;
-        }
-        
         public ImageflowMiddlewareOptions SetMapWebRoot(bool value)
         {
             MapWebRoot = value;
diff --git a/src/Imageflow.Server/RequestSignatureOptions.cs b/src/Imageflow.Server/RequestSignatureOptions.cs
@@ -0,0 +1,66 @@
+using System;
+using System.Collections.Generic;
+using System.Linq;
+
+namespace Imageflow.Server
+{
+    public enum SignatureRequired
+    {
+        ForAllRequests,
+        ForQuerystringRequests,
+        Never
+    }
+
+    internal struct SignaturePrefix
+    {
+        internal string Prefix { get; set; }
+        internal StringComparison PrefixComparison { get; set; }
+        internal SignatureRequired Requirement { get; set; }
+        internal List<string> SigningKeys { get; set; }
+
+
+    }
+    public class RequestSignatureOptions
+    {
+        internal SignatureRequired DefaultRequirement { get; }
+        internal List<string> DefaultSigningKeys { get; }
+
+        internal List<SignaturePrefix> Prefixes { get; } = new List<SignaturePrefix>();
+        
+
+        public RequestSignatureOptions(SignatureRequired defaultRequirement, IEnumerable<string> defaultSigningKeys)
+        {
+            DefaultRequirement = defaultRequirement;
+            DefaultSigningKeys = defaultSigningKeys.ToList();
+        }
+
+        public RequestSignatureOptions ForPrefix(string prefix, StringComparison prefixComparison,
+            SignatureRequired requirement, IEnumerable<string> signingKeys)
+        {
+            Prefixes.Add(new SignaturePrefix()
+            {
+                Prefix = prefix,
+                PrefixComparison =  prefixComparison,
+                Requirement = requirement,
+                SigningKeys = signingKeys.ToList()
+            });
+            return this;
+        }
+
+        internal Tuple<SignatureRequired, ICollection<string>> GetRequirementForPath(string path)
+        {
+            if (path != null)
+            {
+                foreach (var p in Prefixes)
+                {
+                    if (path.StartsWith(p.Prefix, p.PrefixComparison))
+                    {
+                        return new Tuple<SignatureRequired, ICollection<string>>(p.Requirement, p.SigningKeys);
+                    }
+                }
+            }
+            return new Tuple<SignatureRequired, ICollection<string>>(DefaultRequirement, DefaultSigningKeys);
+        }
+
+    }
+}
diff --git a/tests/Imageflow.Server.Tests/IntegrationTest.cs b/tests/Imageflow.Server.Tests/IntegrationTest.cs
@@ -361,7 +361,9 @@ public async void TestRequestSigning()
         {
             const string key = "test key";
             using (var contentRoot = new TempContentRoot()
-                .AddResource("images/fire umbrella.jpg", "TestFiles.fire-umbrella-small.jpg"))
+                .AddResource("images/fire umbrella.jpg", "TestFiles.fire-umbrella-small.jpg")
+                .AddResource("images/query/umbrella.jpg", "TestFiles.fire-umbrella-small.jpg")
+                .AddResource("images/never/umbrella.jpg", "TestFiles.fire-umbrella-small.jpg"))
             {
 
                 var hostBuilder = new HostBuilder()
@@ -375,8 +377,13 @@ public async void TestRequestSigning()
                                 .SetMapWebRoot(false)
                                 // Maps / to ContentRootPath/images
                                 .MapPath("/", Path.Combine(contentRoot.PhysicalPath, "images"))
-                                .SetRequireRequestSignature(true)
-                                .AddRequestSigningKey(key)
+                                .SetRequestSignatureOptions(
+                                    new RequestSignatureOptions(SignatureRequired.ForAllRequests, 
+                                            new []{key})
+                                        .ForPrefix("/query/", StringComparison.Ordinal, 
+                                            SignatureRequired.ForQuerystringRequests, new []{key})
+                                        .ForPrefix("/never/", StringComparison.Ordinal, SignatureRequired.Never,
+                                            new string[]{}))
                                 );
                         });
                     });
@@ -394,11 +401,21 @@ public async void TestRequestSigning()
                 using var signedEncodedUnmodifiedResponse = await client.GetAsync(signedEncodedUnmodifiedUrl);
                 signedEncodedUnmodifiedResponse.EnsureSuccessStatusCode();
 
-                // var unsignedUnmodifiedUrl = "/fire%20umbrella.jpg";
-                // using var unsignedUnmodifiedResponse = await client.GetAsync(unsignedUnmodifiedUrl);
-                // unsignedUnmodifiedResponse.EnsureSuccessStatusCode();
-                //
-                //
+                var unsignedUnmodifiedUrl = "/query/umbrella.jpg";
+                using var unsignedUnmodifiedResponse = await client.GetAsync(unsignedUnmodifiedUrl);
+                unsignedUnmodifiedResponse.EnsureSuccessStatusCode();
+                
+                using var unsignedResponse2 = await client.GetAsync("/query/umbrella.jpg?width=1");
+                Assert.Equal(HttpStatusCode.Forbidden,unsignedResponse2.StatusCode);
+
+                var unsignedUnmodifiedUrl2 = "/never/umbrella.jpg";
+                using var unsignedUnmodifiedResponse2 = await client.GetAsync(unsignedUnmodifiedUrl2);
+                unsignedUnmodifiedResponse2.EnsureSuccessStatusCode();
+                
+                var unsignedModifiedUrl = "/never/umbrella.jpg?width=1";
+                using var unsignedModifiedResponse = await client.GetAsync(unsignedModifiedUrl);
+                unsignedModifiedResponse.EnsureSuccessStatusCode();
+                
                 var signedEncodedUrl = Imazen.Common.Helpers.Signatures.SignRequest("/fire%20umbrella.jpg?width=1", key);
                 using var signedEncodedResponse = await client.GetAsync(signedEncodedUrl);
                 signedEncodedResponse.EnsureSuccessStatusCode();
