Modify digest service to fail if wrong type of authentication is sent

mconnew · StephenBonikowsky · commit 3d3e5962f25a · 2018-03-26T16:11:54.000-07:00
diff --git a/src/System.Private.ServiceModel/tools/IISHostedWcfService/App_code/DigestServiceAuthorizationManager.cs b/src/System.Private.ServiceModel/tools/IISHostedWcfService/App_code/DigestServiceAuthorizationManager.cs
@@ -58,11 +58,16 @@ public override bool CheckAccess(OperationContext operationContext, ref Message
             }
              
             var digestState = new DigestAuthenticationState(operationContext, GetRealm(ref message));
-            if (!digestState.IsRequestDigestAuth)
+            if (string.IsNullOrEmpty(digestState.AuthMechanism)) // No authentication requested
             {
                 return UnauthorizedResponse(digestState);
             }
 
+            if (!digestState.IsRequestDigestAuth) // Authentication requested but not Digest
+            {
+                return BadAuthenticationResponse(digestState, operationContext);
+            }
+
             string password;
             if (!GetPassword(ref message, digestState.Username, out password))
             {
@@ -90,6 +95,21 @@ public virtual string GetRealm(ref Message message)
 
         public abstract bool GetPassword(ref Message message, string username, out string password);
 
+        private bool BadAuthenticationResponse(DigestAuthenticationState digestState, OperationContext operationContext)
+        {
+            object responsePropertyObject;
+            if (!operationContext.OutgoingMessageProperties.TryGetValue(HttpResponseMessageProperty.Name, out responsePropertyObject))
+            {
+                responsePropertyObject = new HttpResponseMessageProperty();
+                operationContext.OutgoingMessageProperties[HttpResponseMessageProperty.Name] = responsePropertyObject;
+            }
+
+            var responseMessageProperty = (HttpResponseMessageProperty)responsePropertyObject;
+            responseMessageProperty.StatusCode = HttpStatusCode.Forbidden;
+            responseMessageProperty.StatusDescription = "Authentication should use Digest auth, received " + digestState.AuthMechanism + " auth instead";
+            return false;
+        }
+
         private bool UnauthorizedResponse(DigestAuthenticationState digestState)
         {
             digestState.NonceExpiryTime = GetNonceExpiryTime();
@@ -120,7 +140,7 @@ public void ApplyDispatchBehavior(ServiceDescription serviceDescription, Service
 
         private struct DigestAuthenticationState
         {
-            private const string DigestAuthenticationMechanism = "Digest ";
+            private const string DigestAuthenticationMechanism = "Digest";
             private const int DigestAuthenticationMechanismLength = 7; // DigestAuthenticationMechanism.Length;
             private const string UriAuthenticationParameter = "uri";
             private const string UsernameAuthenticationParameter = "username";
@@ -145,7 +165,7 @@ public DigestAuthenticationState(OperationContext operationContext, string realm
                 _password = null;
                 _authorized = new bool?();
                 _authorizationHeader = GetAuthorizationHeader(operationContext, out _method);
-                if (_authorizationHeader.Length < DigestAuthenticationMechanismLength || !_authorizationHeader.StartsWith(DigestAuthenticationMechanism))
+                if (!_authorizationHeader.StartsWith(DigestAuthenticationMechanism))
                 {
                     _authorized = false;
                     _nonceString = string.Empty;
@@ -179,7 +199,27 @@ public bool Authorized
                 }
             }
 
-            public bool IsRequestDigestAuth { get { return _authorizationHeader.StartsWith(DigestAuthenticationMechanism); } }
+            public bool IsRequestDigestAuth 
+            {
+                get
+                {
+                    return AuthMechanism.Equals(DigestAuthenticationMechanism);
+                }
+            }
+
+            public string AuthMechanism
+            {
+                get
+                {
+                    string[] authMechAndData = _authorizationHeader.Split(' ');
+                    if (authMechAndData.Length >= 2)
+                    {
+                        return authMechAndData[0];
+                    }
+
+                    return string.Empty;
+                }
+            }
 
             public string Nonce { get { return _nonceString; } }
 
@@ -267,7 +307,7 @@ private string CalculateHash(string plaintext)
 
             public void SetChallengeResponse(HttpStatusCode statusCode, string statusDescription)
             {
-                StringBuilder authChallenge = new StringBuilder(DigestAuthenticationMechanism);
+                StringBuilder authChallenge = new StringBuilder(DigestAuthenticationMechanism).Append(' ');
                 authChallenge.AppendFormat(RealmAuthenticationParameter + "=\"{0}\", ", _realm);
                 authChallenge.AppendFormat(NonceAuthenticationParameter + "=\"{0}\", ", Nonce);
                 authChallenge.Append("opaque=\"0000000000000000\", ");
