Merge release/2.2 from aspnet/BasicMiddleware

Author: Nate McMaster

src/Middleware/HostFiltering/sample/HostFilteringSample.csproj

@@ -1,7 +1,7 @@
 <Project Sdk="Microsoft.NET.Sdk.Web">
 
   <PropertyGroup>
-    <TargetFrameworks>netcoreapp2.1;net461</TargetFrameworks>
+    <TargetFrameworks>netcoreapp2.2;net461</TargetFrameworks>
   </PropertyGroup>
 
   <ItemGroup>

src/Middleware/HostFiltering/src/HostFilteringMiddleware.cs

@@ -102,7 +102,11 @@ private IList<StringSegment> EnsureConfigured()
                 throw new InvalidOperationException("No allowed hosts were configured.");
             }
 
-            _logger.LogDebug("Allowed hosts: " + string.Join("; ", allowedHosts));
+            if (_logger.IsEnabled(LogLevel.Debug))
+            {
+                _logger.LogDebug("Allowed hosts: {Hosts}", string.Join("; ", allowedHosts));
+            }
+
             _allowedHosts = allowedHosts;
             return _allowedHosts;
         }
@@ -148,29 +152,26 @@ private bool CheckHost(HttpContext context, IList<StringSegment> allowedHosts)
                 // Http/1.1 requires the header but the value may be empty.
                 if (!_options.AllowEmptyHosts)
                 {
-                    _logger.LogInformation($"{context.Request.Protocol} request rejected due to missing or empty host header.");
+                    _logger.LogInformation("{Protocol} request rejected due to missing or empty host header.", context.Request.Protocol);
                     return false;
                 }
-                if (_logger.IsEnabled(LogLevel.Debug))
-                {
-                    _logger.LogDebug($"{context.Request.Protocol} request allowed with missing or empty host header.");
-                }
+                _logger.LogDebug("{Protocol} request allowed with missing or empty host header.", context.Request.Protocol);
                 return true;
             }
 
             if (_allowAnyNonEmptyHost == true)
             {
-                _logger.LogTrace($"All hosts are allowed.");
+                _logger.LogTrace("All hosts are allowed.");
                 return true;
             }
 
             if (HostString.MatchesAny(host, allowedHosts))
             {
-                _logger.LogTrace($"The host '{host}' matches an allowed host.");
+                _logger.LogTrace("The host '{Host}' matches an allowed host.", host);
                 return true;
             }
 
-            _logger.LogInformation($"The host '{host}' does not match an allowed host.");
+            _logger.LogInformation("The host '{Host}' does not match an allowed host.", host);
             return false;
         }
     }

src/Middleware/HttpOverrides/sample/HttpOverridesSample.csproj

@@ -1,7 +1,7 @@
 <Project Sdk="Microsoft.NET.Sdk.Web">
 
   <PropertyGroup>
-    <TargetFrameworks>netcoreapp2.1;net461</TargetFrameworks>
+    <TargetFrameworks>netcoreapp2.2;net461</TargetFrameworks>
   </PropertyGroup>
 
   <ItemGroup>

src/Middleware/HttpOverrides/src/ForwardedHeadersMiddleware.cs

@@ -233,7 +233,7 @@ public void ApplyForwarders(HttpContext context)
                     if (currentValues.RemoteIpAndPort != null && checkKnownIps && !CheckKnownAddress(currentValues.RemoteIpAndPort.Address))
                     {
                         // Stop at the first unknown remote IP, but still apply changes processed so far.
-                        _logger.LogDebug(1, $"Unknown proxy: {currentValues.RemoteIpAndPort}");
+                        _logger.LogDebug(1, "Unknown proxy: {RemoteIpAndPort}", currentValues.RemoteIpAndPort);
                         break;
                     }
 
@@ -248,12 +248,12 @@ public void ApplyForwarders(HttpContext context)
                     else if (!string.IsNullOrEmpty(set.IpAndPortText))
                     {
                         // Stop at the first unparsable IP, but still apply changes processed so far.
-                        _logger.LogDebug(1, $"Unparsable IP: {set.IpAndPortText}");
+                        _logger.LogDebug(1, "Unparsable IP: {IpAndPortText}", set.IpAndPortText);
                         break;
                     }
                     else if (_options.RequireHeaderSymmetry)
                     {
-                        _logger.LogWarning(2, $"Missing forwarded IPAddress.");
+                        _logger.LogWarning(2, "Missing forwarded IPAddress.");
                         return;
                     }
                 }
@@ -349,6 +349,14 @@ public void ApplyForwarders(HttpContext context)
 
         private bool CheckKnownAddress(IPAddress address)
         {
+            if (address.IsIPv4MappedToIPv6)
+            {
+                var ipv4Address = address.MapToIPv4();
+                if (CheckKnownAddress(ipv4Address))
+                {
+                    return true;
+                }
+            }
             if (_options.KnownProxies.Contains(address))
             {
                 return true;

src/Middleware/HttpOverrides/src/Internal/IPEndPointParser.cs

@@ -1,6 +1,7 @@
 // Copyright (c) .NET Foundation. All rights reserved.
 // Licensed under the Apache License, Version 2.0. See License.txt in the project root for license information.
 
+using System.Globalization;
 using System.Net;
 
 namespace Microsoft.AspNetCore.HttpOverrides.Internal
@@ -62,7 +63,7 @@ public static bool TryParse(string addressWithPort, out IPEndPoint endpoint)
                 if (portPart != null)
                 {
                     int port;
-                    if (int.TryParse(portPart, out port))
+                    if (int.TryParse(portPart, NumberStyles.None, CultureInfo.InvariantCulture, out port))
                     {
                         endpoint = new IPEndPoint(address, port);
                         return true;

src/Middleware/HttpOverrides/test/ForwardedHeadersMiddlewareTest.cs

@@ -822,5 +822,48 @@ public async Task PartiallyEnabledForwardsPartiallyChangesRequest()
             Assert.Equal("localhost", context.Request.Host.ToString());
             Assert.Equal("Protocol", context.Request.Scheme);
         }
+
+        [Theory]
+        [InlineData("22.33.44.55,::ffff:127.0.0.1", "", "", "22.33.44.55")]
+        [InlineData("22.33.44.55,::ffff:172.123.142.121", "172.123.142.121", "", "22.33.44.55")]
+        [InlineData("22.33.44.55,::ffff:172.123.142.121", "::ffff:172.123.142.121", "", "22.33.44.55")]
+        [InlineData("22.33.44.55,::ffff:172.123.142.121,172.32.24.23", "", "172.0.0.0/8", "22.33.44.55")]
+        [InlineData("2a00:1450:4009:802::200e,2a02:26f0:2d:183::356e,::ffff:172.123.142.121,172.32.24.23", "", "172.0.0.0/8,2a02:26f0:2d:183::1/64", "2a00:1450:4009:802::200e")]
+        [InlineData("22.33.44.55,2a02:26f0:2d:183::356e,::ffff:127.0.0.1", "2a02:26f0:2d:183::356e", "", "22.33.44.55")]
+        public async Task XForwardForIPv4ToIPv6Mapping(string forHeader, string knownProxies, string knownNetworks, string expectedRemoteIp)
+        {
+            var options = new ForwardedHeadersOptions
+            {
+                ForwardedHeaders = ForwardedHeaders.XForwardedFor,
+                ForwardLimit = null,
+            };
+
+            foreach (var knownProxy in knownProxies.Split(new string[] { "," }, StringSplitOptions.RemoveEmptyEntries))
+            {
+                var proxy = IPAddress.Parse(knownProxy);
+                options.KnownProxies.Add(proxy);
+            }
+            foreach (var knownNetwork in knownNetworks.Split(new string[] { "," }, options:StringSplitOptions.RemoveEmptyEntries))
+            {
+                var knownNetworkParts = knownNetwork.Split('/');
+                var networkIp = IPAddress.Parse(knownNetworkParts[0]);
+                var prefixLength = int.Parse(knownNetworkParts[1]);
+                options.KnownNetworks.Add(new IPNetwork(networkIp, prefixLength));
+            }
+
+            var builder = new WebHostBuilder()
+                .Configure(app =>
+                {
+                    app.UseForwardedHeaders(options);
+                });
+            var server = new TestServer(builder);
+
+            var context = await server.SendAsync(c =>
+            {
+                c.Request.Headers["X-Forwarded-For"] = forHeader;
+            });
+
+            Assert.Equal(expectedRemoteIp, context.Connection.RemoteIpAddress.ToString());
+        }
     }
 }

src/Middleware/HttpsPolicy/sample/HttpsPolicySample.csproj

@@ -1,7 +1,7 @@
 <Project Sdk="Microsoft.NET.Sdk.Web">
 
   <PropertyGroup>
-    <TargetFrameworks>net461;netcoreapp2.0</TargetFrameworks>
+    <TargetFrameworks>netcoreapp2.2;net461</TargetFrameworks>
   </PropertyGroup>
 
   <ItemGroup>

src/Middleware/HttpsPolicy/src/HstsMiddleware.cs

@@ -6,6 +6,9 @@
 using System.Globalization;
 using System.Threading.Tasks;
 using Microsoft.AspNetCore.Http;
+using Microsoft.AspNetCore.HttpsPolicy.Internal;
+using Microsoft.Extensions.Logging;
+using Microsoft.Extensions.Logging.Abstractions;
 using Microsoft.Extensions.Options;
 using Microsoft.Extensions.Primitives;
 using Microsoft.Net.Http.Headers;
@@ -24,13 +27,15 @@ public class HstsMiddleware
         private readonly RequestDelegate _next;
         private readonly StringValues _strictTransportSecurityValue;
         private readonly IList<string> _excludedHosts;
+        private readonly ILogger _logger;
 
         /// <summary>
         /// Initialize the HSTS middleware.
         /// </summary>
         /// <param name="next"></param>
         /// <param name="options"></param>
-        public HstsMiddleware(RequestDelegate next, IOptions<HstsOptions> options)
+        /// <param name="loggerFactory"></param>
+        public HstsMiddleware(RequestDelegate next, IOptions<HstsOptions> options, ILoggerFactory loggerFactory)
         {
             if (options == null)
             {
@@ -46,20 +51,39 @@ public HstsMiddleware(RequestDelegate next, IOptions<HstsOptions> options)
             var preload = hstsOptions.Preload ? Preload : StringSegment.Empty;
             _strictTransportSecurityValue = new StringValues($"max-age={maxAge}{includeSubdomains}{preload}");
             _excludedHosts = hstsOptions.ExcludedHosts;
+            _logger = loggerFactory.CreateLogger<HstsMiddleware>();
         }
 
+        /// <summary>
+        /// Initialize the HSTS middleware.
+        /// </summary>
+        /// <param name="next"></param>
+        /// <param name="options"></param>
+        public HstsMiddleware(RequestDelegate next, IOptions<HstsOptions> options)
+            : this(next, options, NullLoggerFactory.Instance) { }
+
         /// <summary>
         /// Invoke the middleware.
         /// </summary>
         /// <param name="context">The <see cref="HttpContext"/>.</param>
         /// <returns></returns>
         public Task Invoke(HttpContext context)
         {
-            if (context.Request.IsHttps && !IsHostExcluded(context.Request.Host.Host))
+            if (!context.Request.IsHttps)
+            {
+                _logger.SkippingInsecure();
+                return _next(context);
+            }
+
+            if (IsHostExcluded(context.Request.Host.Host))
             {
-                context.Response.Headers[HeaderNames.StrictTransportSecurity] = _strictTransportSecurityValue;
+                _logger.SkippingExcludedHost(context.Request.Host.Host);
+                return _next(context);
             }
 
+            context.Response.Headers[HeaderNames.StrictTransportSecurity] = _strictTransportSecurityValue;
+            _logger.AddingHstsHeader();
+
             return _next(context);
         }
 

src/Middleware/HttpsPolicy/src/HttpsRedirectionOptions.cs

@@ -22,7 +22,7 @@ public class HttpsRedirectionOptions
         /// If the HttpsPort is not set, we will try to get the HttpsPort from the following:
         /// 1. HTTPS_PORT environment variable
         /// 2. IServerAddressesFeature
-        /// 3. 443 (or not set) 
+        /// If that fails then the middleware will log a warning and turn off.
         /// </remarks>
         public int? HttpsPort { get; set; }
     }

src/Middleware/HttpsPolicy/src/internal/HstsLoggingExtensions.cs

@@ -0,0 +1,37 @@
+// Copyright (c) .NET Foundation. All rights reserved.
+// Licensed under the Apache License, Version 2.0. See License.txt in the project root for license information.
+
+using System;
+using Microsoft.Extensions.Logging;
+
+namespace Microsoft.AspNetCore.HttpsPolicy.Internal
+{
+    internal static class HstsLoggingExtensions
+    {
+        private static readonly Action<ILogger, Exception> _notSecure;
+        private static readonly Action<ILogger, string, Exception> _excludedHost;
+        private static readonly Action<ILogger, Exception> _addingHstsHeader;
+
+        static HstsLoggingExtensions()
+        {
+            _notSecure = LoggerMessage.Define(LogLevel.Debug, 1, "The request is insecure. Skipping HSTS header.");
+            _excludedHost = LoggerMessage.Define<string>(LogLevel.Debug, 2, "The host '{host}' is excluded. Skipping HSTS header.");
+            _addingHstsHeader = LoggerMessage.Define(LogLevel.Trace, 3, "Adding HSTS header to response.");
+        }
+
+        public static void SkippingInsecure(this ILogger logger)
+        {
+            _notSecure(logger, null);
+        }
+
+        public static void SkippingExcludedHost(this ILogger logger, string host)
+        {
+            _excludedHost(logger, host, null);
+        }
+
+        public static void AddingHstsHeader(this ILogger logger)
+        {
+            _addingHstsHeader(logger, null);
+        }
+    }
+}