Fix usage of cache key prefix - don't encrypt the prefix as part of the cache key, only the token (DuendeArchive#112)

RotemKir · Rotem · web-flow · commit 66bbf5096cc0 · 2020-11-23T10:56:09.000+01:00
Co-authored-by: Rotem &lt;rotemk@tipalti.local&gt;
diff --git a/src/Infrastructure/CacheExtensions.cs b/src/Infrastructure/CacheExtensions.cs
@@ -23,9 +23,9 @@ static CacheExtensions()
             Settings.Converters.Add(new ClaimConverter());
         }
 
-        public static async Task<IEnumerable<Claim>> GetClaimsAsync(this IDistributedCache cache, string token)
+        public static async Task<IEnumerable<Claim>> GetClaimsAsync(this IDistributedCache cache, string cacheKeyPrefix, string token)
         {
-            var bytes = await cache.GetAsync(token.Sha256()).ConfigureAwait(false);
+            var bytes = await cache.GetAsync($"{cacheKeyPrefix}{token.Sha256()}").ConfigureAwait(false);
 
             if (bytes == null)
             {
@@ -36,7 +36,7 @@ public static async Task<IEnumerable<Claim>> GetClaimsAsync(this IDistributedCac
             return JsonConvert.DeserializeObject<IEnumerable<Claim>>(json, Settings);
         }
 
-        public static async Task SetClaimsAsync(this IDistributedCache cache, string token, IEnumerable<Claim> claims, TimeSpan duration, ILogger logger)
+        public static async Task SetClaimsAsync(this IDistributedCache cache, string cacheKeyPrefix, string token, IEnumerable<Claim> claims, TimeSpan duration, ILogger logger)
         {
             var expClaim = claims.FirstOrDefault(c => c.Type == JwtClaimTypes.Expiration);
             if (expClaim == null)
@@ -48,7 +48,7 @@ public static async Task SetClaimsAsync(this IDistributedCache cache, string tok
             var now = DateTimeOffset.UtcNow;
             var expiration = DateTimeOffset.FromUnixTimeSeconds(long.Parse(expClaim.Value));
             logger.LogDebug("Token will expire in {expiration}", expiration);
-            
+
 
             if (expiration <= now)
             {
@@ -70,7 +70,7 @@ public static async Task SetClaimsAsync(this IDistributedCache cache, string tok
             var bytes = Encoding.UTF8.GetBytes(json);
 
             logger.LogDebug("Setting cache item expiration to {expiration}", absoluteLifetime);
-            await cache.SetAsync(token.Sha256(), bytes, new DistributedCacheEntryOptions { AbsoluteExpiration = absoluteLifetime }).ConfigureAwait(false);
+            await cache.SetAsync($"{cacheKeyPrefix}{token.Sha256()}", bytes, new DistributedCacheEntryOptions { AbsoluteExpiration = absoluteLifetime }).ConfigureAwait(false);
         }
     }
 }
diff --git a/src/OAuth2IntrospectionHandler.cs b/src/OAuth2IntrospectionHandler.cs
@@ -24,7 +24,7 @@ public class OAuth2IntrospectionHandler : AuthenticationHandler<OAuth2Introspect
     {
         private readonly IDistributedCache _cache;
         private readonly ILogger<OAuth2IntrospectionHandler> _logger;
-        
+
         static readonly ConcurrentDictionary<string, Lazy<Task<AuthenticateResult>>> IntrospectionDictionary =
             new ConcurrentDictionary<string, Lazy<Task<AuthenticateResult>>>();
 
@@ -87,8 +87,7 @@ protected override async Task<AuthenticateResult> HandleAuthenticateAsync()
             // if caching is enable - let's check if we have a cached introspection
             if (Options.EnableCaching)
             {
-                var key = $"{Options.CacheKeyPrefix}{token}";
-                var claims = await _cache.GetClaimsAsync(key).ConfigureAwait(false);
+                var claims = await _cache.GetClaimsAsync(Options.CacheKeyPrefix, token).ConfigureAwait(false);
                 if (claims != null)
                 {
                     // find out if it is a cached inactive token
@@ -103,7 +102,7 @@ protected override async Task<AuthenticateResult> HandleAuthenticateAsync()
 
                 _logger.LogTrace("Token is not cached.");
             }
-            
+
             // no cached result - let's make a network roundtrip to the introspection endpoint
             // this code block tries to make sure that we only do a single roundtrip, even when multiple requests
             // with the same token come in at the same time
@@ -114,19 +113,18 @@ protected override async Task<AuthenticateResult> HandleAuthenticateAsync()
                     return new Lazy<Task<AuthenticateResult>>(async () =>
                     {
                         var response = await LoadClaimsForToken(token);
-                        
+
                         if (response.IsError)
                         {
                             _logger.LogError("Error returned from introspection endpoint: " + response.Error);
                             return await ReportNonSuccessAndReturn("Error returned from introspection endpoint: " + response.Error);
                         }
-                
+
                         if (response.IsActive)
                         {
                             if (Options.EnableCaching)
                             {
-                                var key = $"{Options.CacheKeyPrefix}{token}";
-                                await _cache.SetClaimsAsync(key, response.Claims, Options.CacheDuration, _logger).ConfigureAwait(false);
+                                await _cache.SetClaimsAsync(Options.CacheKeyPrefix, token, response.Claims, Options.CacheDuration, _logger).ConfigureAwait(false);
                             }
 
                             return await CreateTicket(response.Claims, token);
@@ -135,13 +133,11 @@ protected override async Task<AuthenticateResult> HandleAuthenticateAsync()
                         {
                             if (Options.EnableCaching)
                             {
-                                var key = $"{Options.CacheKeyPrefix}{token}";
-
                                 // add an exp claim - otherwise caching will not work
                                 var claimsWithExp = response.Claims.ToList();
                                 claimsWithExp.Add(new Claim("exp",
                                     DateTimeOffset.UtcNow.Add(Options.CacheDuration).ToUnixTimeSeconds().ToString()));
-                                await _cache.SetClaimsAsync(key, claimsWithExp, Options.CacheDuration, _logger)
+                                await _cache.SetClaimsAsync(Options.CacheKeyPrefix, token, claimsWithExp, Options.CacheDuration, _logger)
                                     .ConfigureAwait(false);
                             }
 
diff --git a/test/Tests/Introspection.cs b/test/Tests/Introspection.cs
@@ -2,12 +2,17 @@
 // Licensed under the Apache License, Version 2.0. See LICENSE in the project root for license information.
 
 using FluentAssertions;
+using IdentityModel;
 using IdentityModel.AspNetCore.OAuth2Introspection;
 using IdentityModel.Client;
+using Microsoft.AspNetCore.TestHost;
+using Microsoft.Extensions.Caching.Distributed;
+using Microsoft.Extensions.DependencyInjection;
 using Newtonsoft.Json;
 using System;
 using System.Collections.Generic;
 using System.Net;
+using System.Security.Claims;
 using System.Threading.Tasks;
 using Tests.Util;
 using Xunit;
@@ -207,15 +212,47 @@ public async Task ActiveToken_With_SavedToken_And_Caching()
             var expectedToken = "expected_token";
             var handler = new IntrospectionEndpointHandler(IntrospectionEndpointHandler.Behavior.Active, TimeSpan.FromHours(1));
 
-            var client = PipelineFactory.CreateClient((o) =>
+            var server = PipelineFactory.CreateServer((o) =>
             {
                 _options(o);
 
                 o.SaveToken = true;
                 o.EnableCaching = true;
                 o.CacheDuration = TimeSpan.FromMinutes(10);
             }, handler, true);
+            var client = server.CreateClient();
+            client.SetBearerToken(expectedToken);
+
+            var firstResponse = await client.GetAsync("http://test");
+            firstResponse.StatusCode.Should().Be(HttpStatusCode.OK);
+
+            var secondResponse = await client.GetAsync("http://test");
+            secondResponse.StatusCode.Should().Be(HttpStatusCode.OK);
+
+            var responseDataStr = await secondResponse.Content.ReadAsStringAsync();
+            var responseData = JsonConvert.DeserializeObject<Dictionary<string, string>>(responseDataStr);
+
+            responseData.Should().Contain("token", expectedToken);
+            AssertCacheItemExists(server, string.Empty, expectedToken);
+        }
 
+        [Fact]
+        public async Task ActiveToken_With_SavedToken_And_Caching_With_Cache_Key_Prefix()
+        {
+            var expectedToken = "expected_token";
+            var cacheKeyPrefix = "KeyPrefix";
+            var handler = new IntrospectionEndpointHandler(IntrospectionEndpointHandler.Behavior.Active, TimeSpan.FromHours(1));
+
+            var server = PipelineFactory.CreateServer((o) =>
+            {
+                _options(o);
+
+                o.SaveToken = true;
+                o.EnableCaching = true;
+                o.CacheKeyPrefix = cacheKeyPrefix;
+                o.CacheDuration = TimeSpan.FromMinutes(10);
+            }, handler, true);
+            var client = server.CreateClient();
             client.SetBearerToken(expectedToken);
 
             var firstResponse = await client.GetAsync("http://test");
@@ -228,6 +265,7 @@ public async Task ActiveToken_With_SavedToken_And_Caching()
             var responseData = JsonConvert.DeserializeObject<Dictionary<string, string>>(responseDataStr);
 
             responseData.Should().Contain("token", expectedToken);
+            AssertCacheItemExists(server, cacheKeyPrefix, expectedToken);
         }
 
         [Fact]
@@ -236,15 +274,15 @@ public async Task Repeated_active_token_with_caching_enabled_should_hit_cache()
             var expectedToken = "expected_token";
             var handler = new IntrospectionEndpointHandler(IntrospectionEndpointHandler.Behavior.Active, TimeSpan.FromHours(1));
 
-            var client = PipelineFactory.CreateClient((o) =>
+            var server = PipelineFactory.CreateServer((o) =>
             {
                 _options(o);
-                
+
                 o.SaveToken = true;
                 o.EnableCaching = true;
                 o.CacheDuration = TimeSpan.FromMinutes(10);
             }, handler, true);
-
+            var client = server.CreateClient();
             client.SetBearerToken(expectedToken);
 
             var firstResponse = await client.GetAsync("http://test");
@@ -255,6 +293,7 @@ public async Task Repeated_active_token_with_caching_enabled_should_hit_cache()
             handler.SentIntrospectionRequest = false;
             var secondResponse = await client.GetAsync("http://test");
             handler.SentIntrospectionRequest.Should().BeFalse();
+            AssertCacheItemExists(server, string.Empty, expectedToken);
         }
 
         [Fact]
@@ -263,15 +302,15 @@ public async Task Repeated_inactive_token_with_caching_enabled_should_hit_cache(
             var expectedToken = "expected_token";
             var handler = new IntrospectionEndpointHandler(IntrospectionEndpointHandler.Behavior.Inactive);
 
-            var client = PipelineFactory.CreateClient((o) =>
+            var server = PipelineFactory.CreateServer((o) =>
             {
                 _options(o);
 
                 o.SaveToken = true;
                 o.EnableCaching = true;
                 o.CacheDuration = TimeSpan.FromMinutes(10);
             }, handler, true);
-
+            var client = server.CreateClient();
             client.SetBearerToken(expectedToken);
 
             var firstResponse = await client.GetAsync("http://test");
@@ -283,6 +322,7 @@ public async Task Repeated_inactive_token_with_caching_enabled_should_hit_cache(
             var secondResponse = await client.GetAsync("http://test");
             secondResponse.StatusCode.Should().Be(HttpStatusCode.Unauthorized);
             handler.SentIntrospectionRequest.Should().BeFalse();
+            AssertCacheItemExists(server, string.Empty, expectedToken);
         }
 
         [Fact]
@@ -300,5 +340,13 @@ public async Task ActiveToken_With_Discovery_Unavailable_On_First_Request()
             var result = await client.GetAsync("http://test");
             result.StatusCode.Should().Be(HttpStatusCode.OK);
         }
+
+        private void AssertCacheItemExists(TestServer testServer, string cacheKeyPrefix, string token)
+        {
+            var cache = testServer.Services.GetService<IDistributedCache>();
+            var cacheItem = cache.GetString($"{cacheKeyPrefix}{token.ToSha256()}");
+
+            cacheItem.Should().NotBeNullOrEmpty();
+        }
     }
 }

Original file line number	Diff line number	Diff line change
`@@ -23,9 +23,9 @@ static CacheExtensions()`
`23`	`23`	`Settings.Converters.Add(new ClaimConverter());`
`24`	`24`	`}`
`25`	`25`
`26`		`- public static async Task<IEnumerable<Claim>> GetClaimsAsync(this IDistributedCache cache, string token)`
	`26`	`+ public static async Task<IEnumerable<Claim>> GetClaimsAsync(this IDistributedCache cache, string cacheKeyPrefix, string token)`
`27`	`27`	`{`
`28`		`- var bytes = await cache.GetAsync(token.Sha256()).ConfigureAwait(false);`
	`28`	`+ var bytes = await cache.GetAsync($"{cacheKeyPrefix}{token.Sha256()}").ConfigureAwait(false);`
`29`	`29`
`30`	`30`	`if (bytes == null)`
`31`	`31`	`{`
`@@ -36,7 +36,7 @@ public static async Task<IEnumerable<Claim>> GetClaimsAsync(this IDistributedCac`
`36`	`36`	`return JsonConvert.DeserializeObject<IEnumerable<Claim>>(json, Settings);`
`37`	`37`	`}`
`38`	`38`
`39`		`- public static async Task SetClaimsAsync(this IDistributedCache cache, string token, IEnumerable<Claim> claims, TimeSpan duration, ILogger logger)`
	`39`	`+ public static async Task SetClaimsAsync(this IDistributedCache cache, string cacheKeyPrefix, string token, IEnumerable<Claim> claims, TimeSpan duration, ILogger logger)`
`40`	`40`	`{`
`41`	`41`	`var expClaim = claims.FirstOrDefault(c => c.Type == JwtClaimTypes.Expiration);`
`42`	`42`	`if (expClaim == null)`
`@@ -48,7 +48,7 @@ public static async Task SetClaimsAsync(this IDistributedCache cache, string tok`
`48`	`48`	`var now = DateTimeOffset.UtcNow;`
`49`	`49`	`var expiration = DateTimeOffset.FromUnixTimeSeconds(long.Parse(expClaim.Value));`
`50`	`50`	`logger.LogDebug("Token will expire in {expiration}", expiration);`
`51`		`-`
	`51`	`+`
`52`	`52`
`53`	`53`	`if (expiration <= now)`
`54`	`54`	`{`
`@@ -70,7 +70,7 @@ public static async Task SetClaimsAsync(this IDistributedCache cache, string tok`
`70`	`70`	`var bytes = Encoding.UTF8.GetBytes(json);`
`71`	`71`
`72`	`72`	`logger.LogDebug("Setting cache item expiration to {expiration}", absoluteLifetime);`
`73`		`- await cache.SetAsync(token.Sha256(), bytes, new DistributedCacheEntryOptions { AbsoluteExpiration = absoluteLifetime }).ConfigureAwait(false);`
	`73`	`+ await cache.SetAsync($"{cacheKeyPrefix}{token.Sha256()}", bytes, new DistributedCacheEntryOptions { AbsoluteExpiration = absoluteLifetime }).ConfigureAwait(false);`
`74`	`74`	`}`
`75`	`75`	`}`
`76`	`76`	`}`
Original file line number	Diff line number	Diff line change
`@@ -24,7 +24,7 @@ public class OAuth2IntrospectionHandler : AuthenticationHandler<OAuth2Introspect`
`24`	`24`	`{`
`25`	`25`	`private readonly IDistributedCache _cache;`
`26`	`26`	`private readonly ILogger<OAuth2IntrospectionHandler> _logger;`
`27`		`-`
	`27`	`+`
`28`	`28`	`static readonly ConcurrentDictionary<string, Lazy<Task<AuthenticateResult>>> IntrospectionDictionary =`
`29`	`29`	`new ConcurrentDictionary<string, Lazy<Task<AuthenticateResult>>>();`
`30`	`30`
`@@ -87,8 +87,7 @@ protected override async Task<AuthenticateResult> HandleAuthenticateAsync()`
`87`	`87`	`// if caching is enable - let's check if we have a cached introspection`
`88`	`88`	`if (Options.EnableCaching)`
`89`	`89`	`{`
`90`		`- var key = $"{Options.CacheKeyPrefix}{token}";`
`91`		`- var claims = await _cache.GetClaimsAsync(key).ConfigureAwait(false);`
	`90`	`+ var claims = await _cache.GetClaimsAsync(Options.CacheKeyPrefix, token).ConfigureAwait(false);`
`92`	`91`	`if (claims != null)`
`93`	`92`	`{`
`94`	`93`	`// find out if it is a cached inactive token`
`@@ -103,7 +102,7 @@ protected override async Task<AuthenticateResult> HandleAuthenticateAsync()`
`103`	`102`
`104`	`103`	`_logger.LogTrace("Token is not cached.");`
`105`	`104`	`}`
`106`		`-`
	`105`	`+`
`107`	`106`	`// no cached result - let's make a network roundtrip to the introspection endpoint`
`108`	`107`	`// this code block tries to make sure that we only do a single roundtrip, even when multiple requests`
`109`	`108`	`// with the same token come in at the same time`
`@@ -114,19 +113,18 @@ protected override async Task<AuthenticateResult> HandleAuthenticateAsync()`
`114`	`113`	`return new Lazy<Task<AuthenticateResult>>(async () =>`
`115`	`114`	`{`
`116`	`115`	`var response = await LoadClaimsForToken(token);`
`117`		`-`
	`116`	`+`
`118`	`117`	`if (response.IsError)`
`119`	`118`	`{`
`120`	`119`	`_logger.LogError("Error returned from introspection endpoint: " + response.Error);`
`121`	`120`	`return await ReportNonSuccessAndReturn("Error returned from introspection endpoint: " + response.Error);`
`122`	`121`	`}`
`123`		`-`
	`122`	`+`
`124`	`123`	`if (response.IsActive)`
`125`	`124`	`{`
`126`	`125`	`if (Options.EnableCaching)`
`127`	`126`	`{`
`128`		`- var key = $"{Options.CacheKeyPrefix}{token}";`
`129`		`- await _cache.SetClaimsAsync(key, response.Claims, Options.CacheDuration, _logger).ConfigureAwait(false);`
	`127`	`+ await _cache.SetClaimsAsync(Options.CacheKeyPrefix, token, response.Claims, Options.CacheDuration, _logger).ConfigureAwait(false);`
`130`	`128`	`}`
`131`	`129`
`132`	`130`	`return await CreateTicket(response.Claims, token);`
`@@ -135,13 +133,11 @@ protected override async Task<AuthenticateResult> HandleAuthenticateAsync()`
`135`	`133`	`{`
`136`	`134`	`if (Options.EnableCaching)`
`137`	`135`	`{`
`138`		`- var key = $"{Options.CacheKeyPrefix}{token}";`
`139`		`-`
`140`	`136`	`// add an exp claim - otherwise caching will not work`
`141`	`137`	`var claimsWithExp = response.Claims.ToList();`
`142`	`138`	`claimsWithExp.Add(new Claim("exp",`
`143`	`139`	`DateTimeOffset.UtcNow.Add(Options.CacheDuration).ToUnixTimeSeconds().ToString()));`
`144`		`- await _cache.SetClaimsAsync(key, claimsWithExp, Options.CacheDuration, _logger)`
	`140`	`+ await _cache.SetClaimsAsync(Options.CacheKeyPrefix, token, claimsWithExp, Options.CacheDuration, _logger)`
`145`	`141`	`.ConfigureAwait(false);`
`146`	`142`	`}`
`147`	`143`