Sketch out auth utils class

Author: JimBobSquarePants

…geSharp.Web.Providers.AWS/AsyncHelper.cs src/ImageSharp.Web/AsyncHelper.cssrc/ImageSharp.Web.Providers.AWS/AsyncHelper.cs renamed to src/ImageSharp.Web/AsyncHelper.cs src/ImageSharp.Web.Providers.AWS/AsyncHelper.cs renamed to src/ImageSharp.Web/AsyncHelper.cs

@@ -13,11 +13,12 @@ namespace SixLabors.ImageSharp.Web
     /// </summary>
     internal static class AsyncHelper
     {
-        private static readonly TaskFactory TaskFactory = new
-            (CancellationToken.None,
-            TaskCreationOptions.None,
-            TaskContinuationOptions.None,
-            TaskScheduler.Default);
+        private static readonly TaskFactory TaskFactory
+            = new(
+                CancellationToken.None,
+                TaskCreationOptions.None,
+                TaskContinuationOptions.None,
+                TaskScheduler.Default);
 
         /// <summary>
         /// Executes an async <see cref="Task"/> method synchronously.

src/ImageSharp.Web/CaseHandlingUriBuilder.cs

@@ -14,6 +14,7 @@ namespace SixLabors.ImageSharp.Web
     /// </summary>
     public static class CaseHandlingUriBuilder
     {
+        private static readonly Uri FallbackBaseUri = new("http://localhost/");
         private static readonly SpanAction<char, (bool LowerInvariant, string Host, string PathBase, string Path, string Query)> InitializeAbsoluteUriStringSpanAction = new(InitializeAbsoluteUriString);
 
         /// <summary>
@@ -127,13 +128,11 @@ public static string Encode(CaseHandling handling, Uri uri)
             }
             else
             {
-                string components = uri.GetComponents(UriComponents.SerializationInfoString, UriFormat.UriEscaped);
-                if (handling == CaseHandling.LowerInvariant)
-                {
-                    return components.ToLowerInvariant();
-                }
-
-                return components;
+                Uri faux = new(FallbackBaseUri, uri);
+                return BuildRelative(
+                    handling,
+                    pathBase: PathString.FromUriComponent(faux),
+                    query: QueryString.FromUriComponent(faux));
             }
         }
 

src/ImageSharp.Web/Commands/QueryCollectionRequestParser.cs

@@ -3,7 +3,6 @@
 
 using System.Collections.Generic;
 using Microsoft.AspNetCore.Http;
-using Microsoft.AspNetCore.WebUtilities;
 using Microsoft.Extensions.Primitives;
 
 namespace SixLabors.ImageSharp.Web.Commands
@@ -22,11 +21,8 @@ public CommandCollection ParseRequestCommands(HttpContext context)
                 return new();
             }
 
-            // TODO: Investigate skipping the double allocation here.
-            // In .NET 6 we can directly use the QueryStringEnumerable type and enumerate stright to our command collection
-            Dictionary<string, StringValues> parsed = QueryHelpers.ParseQuery(context.Request.QueryString.ToUriComponent());
             CommandCollection transformed = new();
-            foreach (KeyValuePair<string, StringValues> pair in parsed)
+            foreach (KeyValuePair<string, StringValues> pair in context.Request.Query)
             {
                 // Use the indexer for both set and query. This replaces any previously parsed values.
                 transformed[pair.Key] = pair.Value[pair.Value.Count - 1];

src/ImageSharp.Web/FormatUtilities.cs

@@ -34,10 +34,7 @@ public FormatUtilities(IOptions<ImageSharpMiddlewareOptions> options)
             {
                 string[] extensions = imageFormat.FileExtensions.ToArray();
 
-                foreach (string extension in extensions)
-                {
-                    this.extensions.Add(extension);
-                }
+                this.extensions.AddRange(extensions);
 
                 this.extensionsByMimeType[imageFormat.DefaultMimeType] = extensions[0];
             }

src/ImageSharp.Web/ImageSharp.Web.csproj

@@ -36,6 +36,7 @@
 
   <ItemGroup Condition="'$(TargetFramework)' == 'netcoreapp2.1'">
     <PackageReference Include="Microsoft.AspNetCore.Hosting.Abstractions" />
+    <PackageReference Include="Microsoft.AspNetCore.Http" />
     <PackageReference Include="Microsoft.AspNetCore.Http.Abstractions" />
     <PackageReference Include="Microsoft.AspNetCore.Http.Extensions" />
     <PackageReference Include="Microsoft.AspNetCore.WebUtilities" />

src/ImageSharp.Web/ImageSharpRequestAuthorizationUtilities.cs

@@ -0,0 +1,180 @@
+// Copyright (c) Six Labors.
+// Licensed under the Apache License, Version 2.0.
+
+using System;
+using System.Collections.Generic;
+using System.Runtime.CompilerServices;
+using System.Threading.Tasks;
+using Microsoft.AspNetCore.Http;
+
+#if !NETCOREAPP3_0_OR_GREATER
+using Microsoft.AspNetCore.Http.Internal;
+#endif
+
+using Microsoft.AspNetCore.WebUtilities;
+using Microsoft.Extensions.Options;
+using SixLabors.ImageSharp.Web.Commands;
+using SixLabors.ImageSharp.Web.Middleware;
+using SixLabors.ImageSharp.Web.Processors;
+
+namespace SixLabors.ImageSharp.Web
+{
+    /// <summary>
+    /// Contains various helper methods for authorizing image requests.
+    /// </summary>
+    public sealed class ImageSharpRequestAuthorizationUtilities
+    {
+        /// <summary>
+        /// The command used by image requests for transporting Hash-based Message Authentication Code (HMAC) tokens.
+        /// </summary>
+        public const string TokenCommand = HMACUtilities.TokenCommand;
+
+        private static readonly Uri FallbackBaseUri = new("http://localhost/");
+        private readonly HashSet<string> knownCommands;
+        private readonly ImageSharpMiddlewareOptions options;
+        private readonly IRequestParser requestParser;
+        private readonly IServiceProvider serviceProvider;
+
+        /// <summary>
+        /// Initializes a new instance of the <see cref="ImageSharpRequestAuthorizationUtilities"/> class.
+        /// </summary>
+        /// <param name="options">The middleware configuration options.</param>
+        /// <param name="requestParser">An <see cref="IRequestParser"/> instance used to parse image requests for commands.</param>
+        /// <param name="processors">A collection of <see cref="IImageWebProcessor"/> instances used to process images.</param>
+        /// <param name="serviceProvider">The service provider.</param>
+        public ImageSharpRequestAuthorizationUtilities(
+            IOptions<ImageSharpMiddlewareOptions> options,
+            IRequestParser requestParser,
+            IEnumerable<IImageWebProcessor> processors,
+            IServiceProvider serviceProvider)
+        {
+            Guard.NotNull(options, nameof(options));
+            Guard.NotNull(requestParser, nameof(requestParser));
+            Guard.NotNull(processors, nameof(processors));
+            Guard.NotNull(serviceProvider, nameof(serviceProvider));
+
+            HashSet<string> commands = new(StringComparer.OrdinalIgnoreCase);
+            foreach (IImageWebProcessor processor in processors)
+            {
+                foreach (string command in processor.Commands)
+                {
+                    commands.Add(command);
+                }
+            }
+
+            this.knownCommands = commands;
+            this.options = options.Value;
+        }
+
+        /// <summary>
+        /// Strips any unknown commands from the command collection.
+        /// </summary>
+        /// <param name="commands">The unsanitized command collection.</param>
+        public void StripUnknownCommands(CommandCollection commands)
+        {
+            if (commands?.Count > 0)
+            {
+                // Strip out any unknown commands, if needed.
+                var keys = new List<string>(commands.Keys);
+                for (int i = keys.Count - 1; i >= 0; i--)
+                {
+                    if (!this.knownCommands.Contains(keys[i]))
+                    {
+                        commands.RemoveAt(i);
+                    }
+                }
+            }
+        }
+
+        /// <summary>
+        /// Compute a Hash-based Message Authentication Code (HMAC) for request authentication.
+        /// </summary>
+        /// <param name="uri">The uri to compute the code from.</param>
+        /// <returns>The computed HMAC.</returns>
+        public string ComputeHMAC(string uri)
+            => this.ComputeHMAC(new Uri(uri));
+
+        /// <summary>
+        /// Compute a Hash-based Message Authentication Code (HMAC) for request authentication.
+        /// </summary>
+        /// <param name="uri">The uri to compute the code from.</param>
+        /// <returns>The computed HMAC.</returns>
+        public string ComputeHMAC(Uri uri)
+            => AsyncHelper.RunSync(() => this.ComputeHMACAsync(uri));
+
+        /// <summary>
+        /// Compute a Hash-based Message Authentication Code (HMAC) for request authentication.
+        /// </summary>
+        /// <param name="uri">The uri to compute the code from.</param>
+        /// <returns>The computed HMAC.</returns>
+        public Task<string> ComputeHMACAsync(string uri)
+            => this.ComputeHMACAsync(new Uri(uri));
+
+        /// <summary>
+        /// Compute a Hash-based Message Authentication Code (HMAC) for request authentication.
+        /// </summary>
+        /// <param name="uri">The uri to compute the code from.</param>
+        /// <returns>The computed HMAC.</returns>
+        public async Task<string> ComputeHMACAsync(Uri uri)
+        {
+            byte[] secret = this.options.HMACSecretKey;
+            if (secret is null || secret.Length == 0)
+            {
+                return null;
+            }
+
+            // We need to generate a HttpRequest to use the rest of the services.
+            DefaultHttpContext context = new() { RequestServices = this.serviceProvider };
+            HttpRequest request = context.Request;
+
+            ToComponents(
+                uri,
+                out HostString host,
+                out PathString path,
+                out QueryString queryString,
+                out QueryCollection query);
+
+            request.Host = host;
+            request.Path = path;
+            request.QueryString = queryString;
+            request.Query = query;
+
+            CommandCollection commands = this.requestParser.ParseRequestCommands(context);
+
+            // The provided URI should not contain invalid commands since image URI geneneration
+            // should be tightly controlled by the running application but we will strip any out anyway.
+            this.StripUnknownCommands(commands);
+
+            ImageCommandContext imageCommandContext = new(context, commands, null, null);
+            return await this.options.OnComputeHMACAsync(imageCommandContext, secret);
+        }
+
+        private static void ToComponents(
+            Uri uri,
+            out HostString host,
+            out PathString path,
+            out QueryString queryString,
+            out QueryCollection query)
+        {
+            if (uri.IsAbsoluteUri)
+            {
+                host = HostString.FromUriComponent(uri);
+                path = PathString.FromUriComponent(uri);
+                queryString = QueryString.FromUriComponent(uri);
+                query = GetQueryComponent(queryString);
+            }
+            else
+            {
+                Uri faux = new(FallbackBaseUri, uri);
+                host = default;
+                path = PathString.FromUriComponent(faux);
+                queryString = QueryString.FromUriComponent(faux);
+                query = GetQueryComponent(queryString);
+            }
+        }
+
+        [MethodImpl(MethodImplOptions.AggressiveInlining)]
+        private static QueryCollection GetQueryComponent(QueryString query)
+            => new(QueryHelpers.ParseQuery(query.Value));
+    }
+}

src/ImageSharp.Web/PathUtilities.cs

@@ -1,7 +1,6 @@
 // Copyright (c) Six Labors.
 // Licensed under the Apache License, Version 2.0.
 
-using System;
 using System.IO;
 
 namespace SixLabors.ImageSharp.Web
@@ -25,16 +24,5 @@ internal static string EnsureTrailingSlash(string path)
 
             return path;
         }
-
-        /// <summary>
-        /// Determines whether the <paramref name="path" /> is located underneath the specified <paramref name="rootPath" />.
-        /// </summary>
-        /// <param name="path">The fully qualified path to test.</param>
-        /// <param name="rootPath">The root path (needs to end with a directory separator).</param>
-        /// <returns>
-        ///   <c>true</c> if the path is located underneath the specified root path; otherwise, <c>false</c>.
-        /// </returns>
-        internal static bool IsUnderneathRoot(string path, string rootPath)
-            => path.StartsWith(rootPath, StringComparison.OrdinalIgnoreCase);
     }
 }