Merge pull request #399 from justcoding121/develop

honfika · web-flow · commit 96d9775f7da1 · 2018-03-28T12:52:52.000+02:00
merge to beta
diff --git a/Titanium.Web.Proxy/Extensions/StringExtensions.cs b/Titanium.Web.Proxy/Extensions/StringExtensions.cs
@@ -14,5 +14,10 @@ internal static bool ContainsIgnoreCase(this string str, string value)
         {
             return CultureInfo.CurrentCulture.CompareInfo.IndexOf(str, value, CompareOptions.IgnoreCase) >= 0;
         }
+
+        internal static int IndexOfIgnoreCase(this string str, string value)
+        {
+            return CultureInfo.CurrentCulture.CompareInfo.IndexOf(str, value, CompareOptions.IgnoreCase);
+        }
     }
 }
diff --git a/Titanium.Web.Proxy/Network/WinAuth/Security/State.cs b/Titanium.Web.Proxy/Network/WinAuth/Security/State.cs
@@ -7,12 +7,24 @@ namespace Titanium.Web.Proxy.Network.WinAuth.Security
     /// </summary>
     internal class State
     {
+        /// <summary>
+        /// States during Windows Authentication
+        /// </summary>
+        public enum WinAuthState
+        {
+            UNAUTHORIZED,
+            INITIAL_TOKEN,
+            FINAL_TOKEN,
+            AUTHORIZED
+        };
+
         internal State()
         {
             Credentials = new Common.SecurityHandle(0);
             Context = new Common.SecurityHandle(0);
 
             LastSeen = DateTime.Now;
+            AuthState = WinAuthState.UNAUTHORIZED;
         }
 
         /// <summary>
@@ -30,10 +42,16 @@ internal State()
         /// </summary>
         internal DateTime LastSeen;
 
+        /// <summary>
+        /// Current state of the authentication process
+        /// </summary>
+        internal WinAuthState AuthState;
+
         internal void ResetHandles()
         {
             Credentials.Reset();
             Context.Reset();
+            AuthState = WinAuthState.UNAUTHORIZED;
         }
 
         internal void UpdatePresence()
diff --git a/Titanium.Web.Proxy/Network/WinAuth/Security/WinAuthEndPoint.cs b/Titanium.Web.Proxy/Network/WinAuth/Security/WinAuthEndPoint.cs
@@ -38,11 +38,9 @@ internal static byte[] AcquireInitialSecurityToken(string hostname, string authS
 
             try
             {
-                int result;
-
                 var state = new State();
 
-                result = AcquireCredentialsHandle(
+                int result = AcquireCredentialsHandle(
                     WindowsIdentity.GetCurrent().Name,
                     authScheme,
                     SecurityCredentialsOutbound,
@@ -79,6 +77,7 @@ internal static byte[] AcquireInitialSecurityToken(string hostname, string authS
                     return null;
                 }
 
+                state.AuthState = State.WinAuthState.INITIAL_TOKEN;
                 token = clientToken.GetBytes();
                 authStates.Add(requestId, state);
             }
@@ -109,13 +108,11 @@ internal static byte[] AcquireFinalSecurityToken(string hostname, byte[] serverC
 
             try
             {
-                int result;
-
                 var state = authStates[requestId];
 
                 state.UpdatePresence();
 
-                result = InitializeSecurityContext(ref state.Credentials,
+                int result = InitializeSecurityContext(ref state.Credentials,
                     ref state.Context,
                     hostname,
                     StandardContextAttributes,
@@ -135,7 +132,7 @@ internal static byte[] AcquireFinalSecurityToken(string hostname, byte[] serverC
                     return null;
                 }
 
-                authStates.Remove(requestId);
+                state.AuthState = State.WinAuthState.FINAL_TOKEN;
                 token = clientToken.GetBytes();
             }
             finally
@@ -166,6 +163,49 @@ internal static async void ClearIdleStates(int stateCacheTimeOutMinutes)
             await Task.Delay(1000 * 60);
         }
 
+        /// <summary>
+        /// Validates that the current WinAuth state of the connection matches the 
+        /// expectation, used to detect failed authentication
+        /// </summary>
+        /// <param name="requestId"></param>
+        /// <param name="expectedAuthState"></param>
+        /// <returns></returns>
+        internal static bool ValidateWinAuthState(Guid requestId, State.WinAuthState expectedAuthState)
+        {
+            var stateExists = authStates.TryGetValue(requestId, out var state);
+
+            if (expectedAuthState == State.WinAuthState.UNAUTHORIZED)
+            {
+                // Validation before initial token
+                return stateExists == false ||
+                       state.AuthState == State.WinAuthState.UNAUTHORIZED ||
+                       state.AuthState == State.WinAuthState.AUTHORIZED; // Server may require re-authentication on an open connection
+            }
+
+            if (expectedAuthState == State.WinAuthState.INITIAL_TOKEN)
+            {
+                // Validation before final token
+                return stateExists &&
+                       (state.AuthState == State.WinAuthState.INITIAL_TOKEN ||
+                        state.AuthState == State.WinAuthState.AUTHORIZED); // Server may require re-authentication on an open connection
+            }
+
+            throw new Exception("Unsupported validation of WinAuthState");
+        }
+
+        /// <summary>
+        /// Set the AuthState to authorized and update the connection state lifetime
+        /// </summary>
+        /// <param name="requestId"></param>
+        internal static void AuthenticatedResponse(Guid requestId)
+        {
+            if (authStates.TryGetValue(requestId, out var state))
+            {
+                state.AuthState = State.WinAuthState.AUTHORIZED;
+                state.UpdatePresence();
+            }
+        }
+
         #region Native calls to secur32.dll
 
         [DllImport("secur32.dll", SetLastError = true)]
diff --git a/Titanium.Web.Proxy/ResponseHandler.cs b/Titanium.Web.Proxy/ResponseHandler.cs
@@ -7,6 +7,7 @@
 using Titanium.Web.Proxy.EventArguments;
 using Titanium.Web.Proxy.Exceptions;
 using Titanium.Web.Proxy.Extensions;
+using Titanium.Web.Proxy.Network.WinAuth.Security;
 
 namespace Titanium.Web.Proxy
 {
@@ -31,9 +32,16 @@ private async Task HandleHttpSessionResponse(SessionEventArgs args)
                 args.ReRequest = false;
 
                 //check for windows authentication
-                if (isWindowsAuthenticationEnabledAndSupported && response.StatusCode == (int)HttpStatusCode.Unauthorized)
+                if (isWindowsAuthenticationEnabledAndSupported)
                 {
-                    await Handle401UnAuthorized(args);
+                    if (response.StatusCode == (int)HttpStatusCode.Unauthorized)
+                    {
+                        await Handle401UnAuthorized(args);
+                    }
+                    else
+                    {
+                        WinAuthEndPoint.AuthenticatedResponse(args.WebSession.RequestId);
+                    }
                 }
 
                 response.OriginalHasBody = response.HasBody;
diff --git a/Titanium.Web.Proxy/WinAuthHandler.cs b/Titanium.Web.Proxy/WinAuthHandler.cs
@@ -3,9 +3,11 @@
 using System.Linq;
 using System.Threading.Tasks;
 using Titanium.Web.Proxy.EventArguments;
+using Titanium.Web.Proxy.Extensions;
 using Titanium.Web.Proxy.Http;
 using Titanium.Web.Proxy.Models;
 using Titanium.Web.Proxy.Network.WinAuth;
+using Titanium.Web.Proxy.Network.WinAuth.Security;
 
 namespace Titanium.Web.Proxy
 {
@@ -84,6 +86,15 @@ internal async Task Handle401UnAuthorized(SessionEventArgs args)
             {
                 string scheme = authSchemes.FirstOrDefault(x => authHeader.Value.Equals(x, StringComparison.OrdinalIgnoreCase));
 
+                var expectedAuthState = scheme == null ? State.WinAuthState.INITIAL_TOKEN : State.WinAuthState.UNAUTHORIZED;
+
+                if (!WinAuthEndPoint.ValidateWinAuthState(args.WebSession.RequestId, expectedAuthState))
+                {
+                    // Invalid state, create proper error message to client
+                    await RewriteUnauthorizedResponse(args);
+                    return;
+                }
+
                 var request = args.WebSession.Request;
 
                 //clear any existing headers to avoid confusing bad servers
@@ -108,7 +119,7 @@ internal async Task Handle401UnAuthorized(SessionEventArgs args)
                 //challenge value will start with any of the scheme selected
                 else
                 {
-                    scheme = authSchemes.FirstOrDefault(x => authHeader.Value.StartsWith(x, StringComparison.OrdinalIgnoreCase) &&
+                    scheme = authSchemes.First(x => authHeader.Value.StartsWith(x, StringComparison.OrdinalIgnoreCase) &&
                                                              authHeader.Value.Length > x.Length + 1);
 
                     string serverToken = authHeader.Value.Substring(scheme.Length + 1);
@@ -134,5 +145,46 @@ internal async Task Handle401UnAuthorized(SessionEventArgs args)
                 args.ReRequest = true;
             }
         }
+
+        /// <summary>
+        /// Rewrites the response body for failed authentication
+        /// </summary>
+        /// <param name="args"></param>
+        /// <returns></returns>
+        internal async Task RewriteUnauthorizedResponse(SessionEventArgs args)
+        {
+            var response = args.WebSession.Response;
+
+            // Strip authentication headers to avoid credentials prompt in client web browser
+            foreach (var authHeaderName in authHeaderNames)
+            {
+                response.Headers.RemoveHeader(authHeaderName);
+            }
+
+            // Add custom div to body to clarify that the proxy (not the client browser) failed authentication
+            string authErrorMessage = "<div class=\"inserted-by-proxy\"><h2>NTLM authentication through Titanium.Web.Proxy (" +
+                                      args.ProxyClient.TcpClient.Client.LocalEndPoint +
+                                      ") failed. Please check credentials.</h2></div>";
+            string originalErrorMessage = "<div class=\"inserted-by-proxy\"><h3>Response from remote web server below.</h3></div><br/>";
+            string body = await args.GetResponseBodyAsString();
+            int idx = body.IndexOfIgnoreCase("<body>");
+            if (idx >= 0)
+            {
+                var bodyPos = idx + "<body>".Length;
+                body = body.Insert(bodyPos, authErrorMessage + originalErrorMessage);
+            }
+            else
+            {
+                // Cannot parse response body, replace it
+                body = "<!DOCTYPE html PUBLIC \"-//W3C//DTD XHTML 1.0 Strict//EN\" \"http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd\">" +
+                       "<html xmlns=\"http://www.w3.org/1999/xhtml\">" +
+                       "<body>" +
+                       authErrorMessage +
+                       "</body>" +
+                       "</html>";
+            }
+
+            args.SetResponseBodyString(body);
+        }
     }
 }

Original file line number	Diff line number	Diff line change
`@@ -14,5 +14,10 @@ internal static bool ContainsIgnoreCase(this string str, string value)`
`14`	`14`	`{`
`15`	`15`	`return CultureInfo.CurrentCulture.CompareInfo.IndexOf(str, value, CompareOptions.IgnoreCase) >= 0;`
`16`	`16`	`}`
	`17`	`+`
	`18`	`+ internal static int IndexOfIgnoreCase(this string str, string value)`
	`19`	`+ {`
	`20`	`+ return CultureInfo.CurrentCulture.CompareInfo.IndexOf(str, value, CompareOptions.IgnoreCase);`
	`21`	`+ }`
`17`	`22`	`}`
`18`	`23`	`}`