Add OAuthProxyHttpMessageHandlerBuilder helper

Change CreateOAuthClient to use helper and add SSRF protections
Wire through SSRF protection in ProxyHttpMessageHandlerBuilder
Add SSRF protection and proxy support to JetStream

Author: blowdart

CHANGELOG.md

@@ -17,8 +17,6 @@
 * Added override on `ToString()` on `AtProtoCredential` to return a redacted string in case of accidental logging.
 * Added default SSRF protections to `AtProtoAgent`, `AtProtoHttpClient` and `AtProtoJetStream` with [idunno.Security.Ssrf](https://github.com/blowdart/idunno.Security.Ssrf/blob/main/src/idunno.Security.Ssrf/).
   This can be disabled by passing your own `HttpClient`.
-  * Note: If you set a proxyUri that uses https://localhost or http://localhost then the SSRF protections will be disabled
-    for localhost access automatically.
 * Added `AllowLoopback` parameter to `BuildOAuth2LoginUri` to allow loopback addresses in discovered URIs for testing and development purposes. This is disabled by default.
 
 ### idunno.AtProto.Types

Directory.Packages.props

@@ -11,7 +11,7 @@
     <PackageVersion Include="DnsClient" Version="1.8.0" />
     <PackageVersion Include="Duende.IdentityModel.OidcClient" Version="7.0.1" />
     <PackageVersion Include="Duende.IdentityModel.OidcClient.Extensions" Version="7.0.1" />
-    <PackageVersion Include="idunno.Security.Ssrf" Version="2.1.0-prerelease.ga732cc9dbc" />
+    <PackageVersion Include="idunno.Security.Ssrf" Version="3.0.0" />
     <PackageVersion Include="JunitXml.TestLogger" Version="7.1.0" />
     <PackageVersion Include="Microsoft.CodeAnalysis.PublicApiAnalyzers" Version="3.3.4" />
     <PackageVersion Include="Microsoft.CodeCoverage" Version="18.3.0" />

src/idunno.AtProto/Agent.cs

@@ -65,66 +65,13 @@ protected Agent(HttpClientOptions? httpClientOptions, JsonOptions? jsonOptions,
             JsonOptions = jsonOptions;
         }
 
-        bool checkCrl;
-        if (httpClientOptions is null)
-        {
-            checkCrl = true;
-        }
-        else
-        {
-            checkCrl = httpClientOptions.CheckCertificateRevocationList;
-        }
-
         _loggerFactory = loggerFactory;
-
-        IServiceCollection services = new ServiceCollection();
         _httpClientOptions = httpClientOptions;
 
-        bool allowLoopback = false;
-        bool allowInsecureProtocols = false;
-
-        IWebProxy? proxy = null;
-        SslClientAuthenticationOptions? sslOptions = null;
-
-        if (_httpClientOptions?.ProxyUri is not null)
-        {
-            proxy = new WebProxy(_httpClientOptions.ProxyUri);
-            if (_httpClientOptions.ProxyUri.IsLoopback)
-            {
-                allowLoopback = true;
-            }
-
-            if (_httpClientOptions.ProxyUri.Scheme.Equals("http", StringComparison.OrdinalIgnoreCase))
-            {
-                allowInsecureProtocols = true;
-            }
-        }
-
-        if (!checkCrl)
-        {
-            sslOptions = new SslClientAuthenticationOptions
-            {
-                CertificateRevocationCheckMode = X509RevocationMode.NoCheck
-            };
-        }
-
+        IServiceCollection services = new ServiceCollection();
         services
             .AddHttpClient(HttpClientName, client => InternalConfigureHttpClient(client, _httpClientOptions?.HttpUserAgent, _httpClientOptions?.Timeout))
-            .ConfigurePrimaryHttpMessageHandler(() => SsrfSocketsHttpHandlerFactory.Create(
-                connectionStrategy: ConnectionStrategy.None,
-                additionalUnsafeNetworks: null,
-                additionalUnsafeIpAddresses: null,
-                connectTimeout: _httpClientOptions?.Timeout,
-                allowInsecureProtocols: allowInsecureProtocols,
-                allowLoopback: allowLoopback,
-                failMixedResults: true,
-                allowAutoRedirect: false,
-                automaticDecompression: DecompressionMethods.All,
-                proxy: proxy,
-                sslOptions: sslOptions,
-                loggerFactory: loggerFactory
-                ));
-
+            .ConfigurePrimaryHttpMessageHandler(ProxyHttpMessageHandlerBuilder);
         _serviceProvider = services.BuildServiceProvider();
 
         HttpClientFactory = _serviceProvider.GetService<IHttpClientFactory>()!;
@@ -211,30 +158,11 @@ protected HttpClient ConfigureHttpClient(HttpClient client)
     /// <summary>
     /// Creates a client handler to configure proxy setup with the initialization parameters specified when creating the agent.
     /// </summary>
-    /// <returns>An <see cref="SocketsHttpHandler"/> configured to any proxy specified when the agent was created.</returns>
-    protected SocketsHttpHandler BuildProxyHttpClientHandler()
+    /// <returns>An <see cref="HttpMessageHandler"/> configured to any proxy specified when the agent was created.</returns>
+    protected HttpMessageHandler ProxyHttpMessageHandlerBuilder()
     {
-        IWebProxy? proxy = null;
         SslClientAuthenticationOptions? sslOptions = null;
 
-        bool allowLoopback = false;
-        bool allowInsecureProtocols = false;
-
-        if (_httpClientOptions?.ProxyUri is not null)
-        {
-            proxy = new WebProxy(_httpClientOptions.ProxyUri);
-
-            if (_httpClientOptions.ProxyUri.IsLoopback)
-            {
-                allowLoopback = true;
-            }
-
-            if (_httpClientOptions.ProxyUri.Scheme.Equals("http", StringComparison.OrdinalIgnoreCase))
-            {
-                allowInsecureProtocols = true;
-            }
-        }
-
         if (_httpClientOptions?.CheckCertificateRevocationList == false)
         {
             sslOptions = new SslClientAuthenticationOptions
@@ -243,19 +171,34 @@ protected SocketsHttpHandler BuildProxyHttpClientHandler()
             };
         }
 
-        return SsrfSocketsHttpHandlerFactory.Create(
-                        connectionStrategy: ConnectionStrategy.None,
-                        additionalUnsafeNetworks: null,
-                        additionalUnsafeIpAddresses: null,
-                        connectTimeout: _httpClientOptions?.Timeout,
-                        allowInsecureProtocols: allowInsecureProtocols,
-                        allowLoopback: allowLoopback,
-                        failMixedResults: true,
-                        allowAutoRedirect: false,
-                        automaticDecompression: DecompressionMethods.All,
-                        proxy: proxy,
-                        sslOptions: sslOptions,
-                        loggerFactory: _loggerFactory);
+        SsrfOptions options = new()
+        {
+            ConnectionStrategy = ConnectionStrategy.None,
+            AdditionalUnsafeNetworks = [],
+            AdditionalUnsafeIpAddresses = [],
+            ConnectTimeout = _httpClientOptions?.Timeout,
+            AllowInsecureProtocols = false,
+            AllowLoopback = false,
+            FailMixedResults = true,
+            AllowAutoRedirect = false,
+            AutomaticDecompression = DecompressionMethods.All,
+            SslOptions = sslOptions
+        };
+
+
+        if (_httpClientOptions?.ProxyUri is not null)
+        {
+            options.Proxy = new WebProxy(_httpClientOptions.ProxyUri);
+            return new ProxiedSsrfDelegatingHandler(
+                options: options,
+                loggerFactory: _loggerFactory);
+        }
+        else
+        {
+            return SsrfSocketsHttpHandlerFactory.Create(
+                options: options,
+                loggerFactory: _loggerFactory);
+        }
     }
 
     private static void InternalConfigureHttpClient(HttpClient client, string? httpUserAgent = null, TimeSpan? timeout = null)

src/idunno.AtProto/AtProtoHttpClient.cs

@@ -43,7 +43,6 @@ public class AtProtoHttpClient(string? serviceProxy = null, ILoggerFactory? logg
                         failMixedResults: true,
                         allowAutoRedirect: false,
                         automaticDecompression: DecompressionMethods.All,
-                        proxy: null,
                         sslOptions: null,
                         loggerFactory: loggerFactory);
 

src/idunno.AtProto/Authentication/AtProtoAgent.cs

@@ -3,7 +3,9 @@
 
 using System.Diagnostics.CodeAnalysis;
 using System.Net;
+using System.Net.Security;
 using System.Security.Cryptography;
+using System.Security.Cryptography.X509Certificates;
 using System.Text;
 using System.Text.Json;
 using System.Timers;
@@ -15,6 +17,7 @@
 
 using idunno.AtProto.Authentication;
 using idunno.AtProto.Events;
+using idunno.Security;
 
 namespace idunno.AtProto;
 
@@ -144,7 +147,7 @@ protected internal virtual void InternalOnCredentialsUpdatedCallBack(AtProtoCred
     /// <returns>The new <see cref="OAuthClient"/> instance.</returns>
     public OAuthClient CreateOAuthClient()
     {
-        return new OAuthClient(ConfigureHttpClient, BuildProxyHttpClientHandler, LoggerFactory, Options?.OAuthOptions);
+        return new OAuthClient(ConfigureHttpClient, OAuthProxyHttpMessageHandlerBuilder, LoggerFactory, Options?.OAuthOptions);
     }
 
     /// <summary>
@@ -157,14 +160,67 @@ public OAuthClient CreateOAuthClient(OAuthLoginState state)
     {
         ArgumentNullException.ThrowIfNull(state);
 
-        var oAuthClient = new OAuthClient(ConfigureHttpClient, BuildProxyHttpClientHandler, LoggerFactory, Options?.OAuthOptions)
+        var oAuthClient = new OAuthClient(ConfigureHttpClient, OAuthProxyHttpMessageHandlerBuilder, LoggerFactory, Options?.OAuthOptions)
         {
             State = state
         };
 
         return oAuthClient;
     }
 
+    /// <summary>
+    /// Builds a preconfigured <see cref="HttpMessageHandler"/> to use for making requests during the OAuth flow, with SSRF protections in place.
+    /// If a proxy is configured in <see cref="Options"/>, the handler will be configured to route requests through the proxy while still applying SSRF protections
+    /// to the ultimate endpoints being called.
+    /// If the OAuth return URI configured in <see cref="Options"/> is using HTTP or is a loopback address, the handler will be configured to allow insecure protocols or
+    /// loopback addresses respectively, but will still apply SSRF protections to all other endpoints.
+    /// </summary>
+    /// <returns>A preconfigured <see cref="HttpMessageHandler"/> instance.</returns>
+    private HttpMessageHandler OAuthProxyHttpMessageHandlerBuilder()
+    {
+        SslClientAuthenticationOptions? sslOptions = null;
+
+        if (_httpClientOptions?.CheckCertificateRevocationList == false)
+        {
+            sslOptions = new SslClientAuthenticationOptions
+            {
+                CertificateRevocationCheckMode = X509RevocationMode.NoCheck
+            };
+        }
+
+        bool allowInsecureProtocols = Options?.OAuthOptions?.ReturnUri != null && Options.OAuthOptions.ReturnUri.Scheme == Uri.UriSchemeHttp;
+        bool allowLoopback = Options?.OAuthOptions?.ReturnUri != null && Options.OAuthOptions.ReturnUri.IsLoopback;
+
+        SsrfOptions options = new()
+        {
+            ConnectionStrategy = ConnectionStrategy.None,
+            AdditionalUnsafeNetworks = [],
+            AdditionalUnsafeIpAddresses = [],
+            ConnectTimeout = _httpClientOptions?.Timeout,
+            AllowInsecureProtocols = allowInsecureProtocols,
+            AllowLoopback = allowLoopback,
+            FailMixedResults = true,
+            AllowAutoRedirect = false,
+            AutomaticDecompression = DecompressionMethods.All,
+            SslOptions = sslOptions
+        };
+
+
+        if (_httpClientOptions?.ProxyUri is not null)
+        {
+            options.Proxy = new WebProxy(_httpClientOptions.ProxyUri);
+            return new ProxiedSsrfDelegatingHandler(
+                options: options,
+                loggerFactory: LoggerFactory);
+        }
+        else
+        {
+            return SsrfSocketsHttpHandlerFactory.Create(
+                options: options,
+                loggerFactory: LoggerFactory);
+        }
+    }
+
     /// <summary>
     /// Builds an OAuth authorization URI for starting the OAuth flow.
     /// </summary>

src/idunno.AtProto/Authentication/OAuthClient.cs

@@ -30,7 +30,7 @@ public class OAuthClient
     private OidcClient? _oidcClient;
 
     private readonly Func<HttpClient, HttpClient> _clientConfigurationHandler = (httpClient) => { return httpClient; };
-    private readonly Func<SocketsHttpHandler> _innerFactoryHandler = () => { throw new OAuthException("Handler factory not configured"); };
+    private readonly Func<HttpMessageHandler> _innerFactoryHandler = () => { throw new OAuthException("Handler factory not configured"); };
     private readonly ILoggerFactory _loggerFactory;
     private readonly ILogger<OAuthClient> _logger;
 
@@ -53,7 +53,7 @@ private OAuthClient(ILoggerFactory? loggerFactory = null, OAuthOptions? options
 
     internal OAuthClient(
         Func<HttpClient, HttpClient> httpClientConfigurator,
-        Func<SocketsHttpHandler> innerHandlerFactory,
+        Func<HttpMessageHandler> innerHandlerFactory,
         ILoggerFactory? loggerFactory = null,
         OAuthOptions? options = null) : this(loggerFactory, options)
     {
@@ -329,7 +329,7 @@ public async Task<Uri> BuildOAuth2LoginUri(
 
         AtProtoHttpResult<ServerDescription> serverDescriptionResult;
 
-        using (SocketsHttpHandler handler = _innerFactoryHandler())
+        using (HttpMessageHandler handler = _innerFactoryHandler())
         using (var httpClient = new HttpClient(handler))
         {
             _clientConfigurationHandler(httpClient);
@@ -529,7 +529,7 @@ internal async Task<Uri> BuildOAuth2LogoutUri(
                 }
 
                 AtProtoHttpResult<ServerDescription> serverDescriptionResult;
-                using (SocketsHttpHandler handler = _innerFactoryHandler())
+                using (HttpMessageHandler handler = _innerFactoryHandler())
                 using (var httpClient = new HttpClient(handler))
                 {
                     _clientConfigurationHandler(httpClient);