Wire up utils

Author: JimBobSquarePants

src/ImageSharp.Web/Commands/PresetOnlyQueryCollectionRequestParser.cs

@@ -33,13 +33,16 @@ public PresetOnlyQueryCollectionRequestParser(IOptions<PresetOnlyQueryCollection
         /// <inheritdoc/>
         public CommandCollection ParseRequestCommands(HttpContext context)
         {
-            if (context.Request.Query.Count == 0 || !context.Request.Query.ContainsKey(QueryKey))
+            IQueryCollection queryCollection = context.Request.Query;
+            if (queryCollection is null
+                || queryCollection.Count == 0
+                || !queryCollection.ContainsKey(QueryKey))
             {
                 // We return new here and below to ensure the collection is still mutable via events.
                 return new();
             }
 
-            StringValues query = context.Request.Query[QueryKey];
+            StringValues query = queryCollection[QueryKey];
             string requestedPreset = query[query.Count - 1];
             if (this.presets.TryGetValue(requestedPreset, out CommandCollection collection))
             {

src/ImageSharp.Web/Commands/QueryCollectionRequestParser.cs

@@ -15,7 +15,8 @@ public sealed class QueryCollectionRequestParser : IRequestParser
         /// <inheritdoc/>
         public CommandCollection ParseRequestCommands(HttpContext context)
         {
-            if (context.Request.Query.Count == 0)
+            IQueryCollection query = context.Request.Query;
+            if (query is null || query.Count == 0)
             {
                 // We return new to ensure the collection is still mutable via events.
                 return new();

src/ImageSharp.Web/DependencyInjection/ServiceCollectionExtensions.cs

@@ -60,6 +60,8 @@ private static void AddDefaultServices(
 
             builder.SetRequestParser<QueryCollectionRequestParser>();
 
+            builder.Services.AddSingleton<ImageSharpRequestAuthorizationUtilities>();
+
             builder.SetCache<PhysicalFileSystemCache>();
 
             builder.SetCacheKey<UriRelativeLowerInvariantCacheKey>();

src/ImageSharp.Web/ImageSharpRequestAuthorizationUtilities.cs

@@ -54,13 +54,16 @@ public ImageSharpRequestAuthorizationUtilities(
             Guard.NotNull(options, nameof(options));
             Guard.NotNull(requestParser, nameof(requestParser));
             Guard.NotNull(processors, nameof(processors));
+            Guard.NotNull(commandParser, nameof(commandParser));
             Guard.NotNull(serviceProvider, nameof(serviceProvider));
 
             this.options = options.Value;
+            this.requestParser = requestParser;
             this.commandParser = commandParser;
             this.parserCulture = this.options.UseInvariantParsingCulture
                 ? CultureInfo.InvariantCulture
                 : CultureInfo.CurrentCulture;
+            this.serviceProvider = serviceProvider;
 
             HashSet<string> commands = new(StringComparer.OrdinalIgnoreCase);
             foreach (IImageWebProcessor processor in processors)
@@ -101,7 +104,7 @@ public void StripUnknownCommands(CommandCollection commands)
         /// <param name="handling">The command collection handling.</param>
         /// <returns>The computed HMAC.</returns>
         public string ComputeHMAC(string uri, CommandHandling handling)
-            => this.ComputeHMAC(new Uri(uri), handling);
+            => this.ComputeHMAC(new Uri(uri, UriKind.RelativeOrAbsolute), handling);
 
         /// <summary>
         /// Compute a Hash-based Message Authentication Code (HMAC) for request authentication.
@@ -110,7 +113,7 @@ public string ComputeHMAC(string uri, CommandHandling handling)
         /// <param name="handling">The command collection handling.</param>
         /// <returns>The computed HMAC.</returns>
         public Task<string> ComputeHMACAsync(string uri, CommandHandling handling)
-            => this.ComputeHMACAsync(new Uri(uri), handling);
+            => this.ComputeHMACAsync(new Uri(uri, UriKind.RelativeOrAbsolute), handling);
 
         /// <summary>
         /// Compute a Hash-based Message Authentication Code (HMAC) for request authentication.
@@ -155,7 +158,7 @@ public Task<string> ComputeHMACAsync(Uri uri, CommandHandling handling)
         /// <param name="handling">The command collection handling.</param>
         /// <returns>The computed HMAC.</returns>
         public string ComputeHMAC(HostString host, PathString path, QueryString queryString, CommandHandling handling)
-            => this.ComputeHMAC(host, path, queryString, handling);
+            => this.ComputeHMAC(host, path, queryString, new(QueryHelpers.ParseQuery(queryString.Value)), handling);
 
         /// <summary>
         /// Compute a Hash-based Message Authentication Code (HMAC) for request authentication.
@@ -225,6 +228,29 @@ public async Task<string> ComputeHMACAsync(HttpContext context, CommandHandling
             return await this.options.OnComputeHMACAsync(imageCommandContext, secret);
         }
 
+        /// <summary>
+        /// Compute a Hash-based Message Authentication Code (HMAC) for request authentication.
+        /// </summary>
+        /// <param name="context">Contains information about the current image request and parsed commands.</param>
+        /// <param name="handling">The command collection handling.</param>
+        /// <returns>The computed HMAC.</returns>
+        internal async Task<string> ComputeHMACAsync(ImageCommandContext context, CommandHandling handling)
+        {
+            byte[] secret = this.options.HMACSecretKey;
+            if (secret is null || secret.Length == 0)
+            {
+                return null;
+            }
+
+            CommandCollection commands = this.requestParser.ParseRequestCommands(context.Context);
+            if (handling == CommandHandling.Sanitize)
+            {
+                this.StripUnknownCommands(commands);
+            }
+
+            return await this.options.OnComputeHMACAsync(context, secret);
+        }
+
         private static void ToComponents(
             Uri uri,
             out HostString host,

src/ImageSharp.Web/Middleware/ImageSharpMiddleware.cs

@@ -92,11 +92,6 @@ private static readonly ConcurrentTLruCache<string, string> HMACTokenLru
         /// </summary>
         private readonly ICacheHash cacheHash;
 
-        /// <summary>
-        /// The collection of known commands gathered from the processors.
-        /// </summary>
-        private readonly HashSet<string> knownCommands;
-
         /// <summary>
         /// Contains various helper methods based on the current configuration.
         /// </summary>
@@ -117,6 +112,11 @@ private static readonly ConcurrentTLruCache<string, string> HMACTokenLru
         /// </summary>
         private readonly AsyncKeyReaderWriterLock<string> asyncKeyLock;
 
+        /// <summary>
+        /// Contains helpers that allow authorization of image requests.
+        /// </summary>
+        private readonly ImageSharpRequestAuthorizationUtilities authorizationUtilities;
+
         /// <summary>
         /// Initializes a new instance of the <see cref="ImageSharpMiddleware"/> class.
         /// </summary>
@@ -131,7 +131,8 @@ private static readonly ConcurrentTLruCache<string, string> HMACTokenLru
         /// <param name="cacheHash">An <see cref="ICacheHash"/>instance used for calculating cached file names.</param>
         /// <param name="commandParser">The command parser.</param>
         /// <param name="formatUtilities">Contains various format helper methods based on the current configuration.</param>
-        /// <param name="asyncKeyLock">The async key lock</param>
+        /// <param name="asyncKeyLock">The async key lock.</param>
+        /// <param name="requestAuthorizationUtilities">Contains helpers that allow authorization of image requests.</param>
         public ImageSharpMiddleware(
             RequestDelegate next,
             IOptions<ImageSharpMiddlewareOptions> options,
@@ -144,7 +145,8 @@ public ImageSharpMiddleware(
             ICacheHash cacheHash,
             CommandParser commandParser,
             FormatUtilities formatUtilities,
-            AsyncKeyReaderWriterLock<string> asyncKeyLock)
+            AsyncKeyReaderWriterLock<string> asyncKeyLock,
+            ImageSharpRequestAuthorizationUtilities requestAuthorizationUtilities)
         {
             Guard.NotNull(next, nameof(next));
             Guard.NotNull(options, nameof(options));
@@ -158,6 +160,7 @@ public ImageSharpMiddleware(
             Guard.NotNull(commandParser, nameof(commandParser));
             Guard.NotNull(formatUtilities, nameof(formatUtilities));
             Guard.NotNull(asyncKeyLock, nameof(asyncKeyLock));
+            Guard.NotNull(requestAuthorizationUtilities, nameof(requestAuthorizationUtilities));
 
             this.next = next;
             this.options = options.Value;
@@ -172,20 +175,10 @@ public ImageSharpMiddleware(
                 ? CultureInfo.InvariantCulture
                 : CultureInfo.CurrentCulture;
 
-            var commands = new HashSet<string>(StringComparer.OrdinalIgnoreCase);
-            foreach (IImageWebProcessor processor in this.processors)
-            {
-                foreach (string command in processor.Commands)
-                {
-                    commands.Add(command);
-                }
-            }
-
-            this.knownCommands = commands;
-
             this.logger = loggerFactory.CreateLogger<ImageSharpMiddleware>();
             this.formatUtilities = formatUtilities;
             this.asyncKeyLock = asyncKeyLock;
+            this.authorizationUtilities = requestAuthorizationUtilities;
         }
 
         /// <summary>
@@ -197,31 +190,6 @@ public ImageSharpMiddleware(
 
         private async Task Invoke(HttpContext httpContext, bool retry)
         {
-            CommandCollection commands = this.requestParser.ParseRequestCommands(httpContext);
-
-            // First check for a HMAC token and capture before the command is stripped out.
-            byte[] secret = this.options.HMACSecretKey;
-            bool checkHMAC = false;
-            string token = null;
-            if (secret?.Length > 0)
-            {
-                checkHMAC = true;
-                token = commands.GetValueOrDefault(HMACUtilities.TokenCommand);
-            }
-
-            if (commands.Count > 0)
-            {
-                // Strip out any unknown commands, if needed.
-                var keys = new List<string>(commands.Keys);
-                for (int i = keys.Count - 1; i >= 0; i--)
-                {
-                    if (!this.knownCommands.Contains(keys[i]))
-                    {
-                        commands.RemoveAt(i);
-                    }
-                }
-            }
-
             // Get the correct provider for the request
             IImageProvider provider = null;
             foreach (IImageProvider resolver in this.providers)
@@ -240,6 +208,19 @@ private async Task Invoke(HttpContext httpContext, bool retry)
                 return;
             }
 
+            CommandCollection commands = this.requestParser.ParseRequestCommands(httpContext);
+
+            // First check for a HMAC token and capture before the command is stripped out.
+            byte[] secret = this.options.HMACSecretKey;
+            bool checkHMAC = false;
+            string token = null;
+            if (secret?.Length > 0)
+            {
+                checkHMAC = true;
+                token = commands.GetValueOrDefault(ImageSharpRequestAuthorizationUtilities.TokenCommand);
+            }
+
+            this.authorizationUtilities.StripUnknownCommands(commands);
             ImageCommandContext imageCommandContext = new(httpContext, commands, this.commandParser, this.parserCulture);
 
             // At this point we know that this is an image request so should attempt to compute a validating HMAC.
@@ -253,7 +234,9 @@ private async Task Invoke(HttpContext httpContext, bool retry)
                 //
                 // As a rule all image requests should contain valid commands only.
                 // Key generation uses string.Create under the hood with very low allocation so should be good enough as a cache key.
-                hmac = await HMACTokenLru.GetOrAddAsync(httpContext.Request.GetEncodedUrl(), _ => this.options.OnComputeHMACAsync(imageCommandContext, secret));
+                hmac = await HMACTokenLru.GetOrAddAsync(
+                    httpContext.Request.GetEncodedUrl(),
+                    _ => this.authorizationUtilities.ComputeHMACAsync(imageCommandContext, CommandHandling.None));
             }
 
             await this.options.OnParseCommandsAsync.Invoke(imageCommandContext);

tests/ImageSharp.Web.Tests/TestUtilities/AuthenticatedServerTestBase.cs

@@ -1,10 +1,10 @@
 // Copyright (c) Six Labors.
 // Licensed under the Apache License, Version 2.0.
 
-using System;
 using System.Net;
 using System.Net.Http;
 using System.Threading.Tasks;
+using Microsoft.Extensions.DependencyInjection;
 using Xunit;
 using Xunit.Abstractions;
 
@@ -13,9 +13,16 @@ namespace SixLabors.ImageSharp.Web.Tests.TestUtilities
     public abstract class AuthenticatedServerTestBase<TFixture> : ServerTestBase<TFixture>
          where TFixture : AuthenticatedTestServerFixture
     {
+        private readonly ImageSharpRequestAuthorizationUtilities authorizationUtilities;
+        private readonly string relativeImageSouce;
+
         protected AuthenticatedServerTestBase(TFixture fixture, ITestOutputHelper outputHelper, string imageSource)
             : base(fixture, outputHelper, imageSource)
         {
+            this.authorizationUtilities =
+                       this.Fixture.Services.GetRequiredService<ImageSharpRequestAuthorizationUtilities>();
+
+            this.relativeImageSouce = this.ImageSource.Replace("http://localhost", string.Empty);
         }
 
         [Fact]
@@ -38,12 +45,9 @@ public async Task CanRejectUnauthorizedRequestAsync()
 
         protected override string AugmentCommand(string command)
         {
-            // Mimic the lowecase relative url format used by the token and default options.
-            string uri = (this.ImageSource + command).Replace("http://localhost", string.Empty);
-            uri = CaseHandlingUriBuilder.Encode(CaseHandlingUriBuilder.CaseHandling.LowerInvariant, uri);
-
-            string token = HMACUtilities.ComputeHMACSHA256(uri, AuthenticatedTestServerFixture.HMACSecretKey);
-            return command + "&" + HMACUtilities.TokenCommand + "=" + token;
+            string uri = this.relativeImageSouce + command;
+            string token = this.authorizationUtilities.ComputeHMAC(uri, CommandHandling.Sanitize);
+            return command + "&" + ImageSharpRequestAuthorizationUtilities.TokenCommand + "=" + token;
         }
     }
 }