7.0.15 release

      - [ENHANCEMENT] added argon2 sha256 methods -- GetArgon2SHA256 and VerifyArgon2SHA256
      - [BUG FIX] moved where  trace.TrcRequestVerb = requestMethod; as if blockedurls used then verb wouldn't be set
      - [BUG FIX] updated GatherTraceInformation to  take in an IRequest interface and check the interface type to determine the parameters
      - [ENHANCEMENT]  upgraded EnyimMemcachedCore from 3.2.1 to 3.2.3
      - [ENHANCEMENT] upgraded Microsoft.Extensions.DependencyInjection from 8.0.0 to 8.0.1
      - [ENHANCEMENT] upgraded Microsoft.Extensions.Logging from 8.0.0 to 8.0.1
      - [ENHANCEMENT] upgraded System.Diagnostics.PerformanceCounter from 8.0.0 to 8.0.1
      - [ENHANCEMENT] upgraded System.DirectoryServices.AccountManagement from 8.0.0 to 8.0.1

Author: lanesCSO

rls/packages/API.Library.7.0.15.nupkg

@@ -12,17 +12,19 @@
     <PackageId>API.Library</PackageId>
     <Product>API Library</Product>
     <Copyright>Central Statistics Office, Ireland</Copyright>
-    <Version>7.0.14</Version>
+    <Version>7.0.15</Version>
     <Authors>Central Statistics Office, Ireland</Authors>
     <SignAssembly>False</SignAssembly>
     <RepositoryUrl>https://github.com/CSOIreland/Server-API-Library</RepositoryUrl>
     <PackageReleaseNotes>
-      - [ENHANCEMENT] updated code to allow application pool to start if memcache is unavailable
-      - [ENHANCEMENT] removed ApplicationLoaded flag from api as if there is no API config loaded on application startup then let an exception be thrown that is not caught
-      - [ENHANCEMENT] updated ICacheConfig to allow API_MEMCACHED_ENABLED to be set in Code
-      - [ENHANCEMENT] updated MemCacheD constructor to have the stats query within try catch Block
-      - [ENHANCEMENT] updated ConsoleConfiguration.cs to remove ApplicationLoaded flag
-      - [BUG FIX] updated ReadJSONSettings to return null if the version that is being looked for is not there
+      - [ENHANCEMENT] added argon2 sha256 methods -- GetArgon2SHA256 and VerifyArgon2SHA256
+      - [BUG FIX] moved where  trace.TrcRequestVerb = requestMethod; as if blockedurls used then verb wouldn't be set
+      - [BUG FIX] updated GatherTraceInformation to  take in an IRequest interface and check the interface type to determine the parameters
+      - [ENHANCEMENT]  upgraded EnyimMemcachedCore from 3.2.1 to 3.2.3
+      - [ENHANCEMENT] upgraded Microsoft.Extensions.DependencyInjection from 8.0.0 to 8.0.1
+      - [ENHANCEMENT] upgraded Microsoft.Extensions.Logging from 8.0.0 to 8.0.1
+      - [ENHANCEMENT] upgraded System.Diagnostics.PerformanceCounter from 8.0.0 to 8.0.1
+      - [ENHANCEMENT] upgraded System.DirectoryServices.AccountManagement from 8.0.0 to 8.0.1
     </PackageReleaseNotes>
     <RestorePackagesWithLockFile>true</RestorePackagesWithLockFile>
     <RestoreLockedMode>true</RestoreLockedMode>
@@ -45,15 +47,16 @@
 	</ItemGroup>
 
 	<ItemGroup>
-		<PackageReference Include="EnyimMemcachedCore" Version="3.2.1" />
+		<PackageReference Include="EnyimMemcachedCore" Version="3.2.3" />
+		<PackageReference Include="Konscious.Security.Cryptography.Argon2" Version="1.3.1" />
 		<PackageReference Include="log4net" Version="2.0.17" />
 		<PackageReference Include="Microsoft.Data.SqlClient" Version="5.2.2" />
-		<PackageReference Include="Microsoft.Extensions.DependencyInjection" Version="8.0.0" />
-		<PackageReference Include="Microsoft.Extensions.Logging" Version="8.0.0" />
+		<PackageReference Include="Microsoft.Extensions.DependencyInjection" Version="8.0.1" />
+		<PackageReference Include="Microsoft.Extensions.Logging" Version="8.0.1" />
 		<PackageReference Include="Microsoft.Extensions.Logging.Log4Net.AspNetCore" Version="8.0.0" />
 		<PackageReference Include="Newtonsoft.Json" Version="13.0.3" />
-		<PackageReference Include="System.Diagnostics.PerformanceCounter" Version="8.0.0" />
-		<PackageReference Include="System.DirectoryServices.AccountManagement" Version="8.0.0" />
+		<PackageReference Include="System.Diagnostics.PerformanceCounter" Version="8.0.1" />
+		<PackageReference Include="System.DirectoryServices.AccountManagement" Version="8.0.1" />
 	</ItemGroup>
 
 
@@ -76,4 +79,11 @@
     <DebugType>portable</DebugType>
   </PropertyGroup>
 
+  <PropertyGroup Condition="'$(Configuration)'=='Debug'">
+    <IncludeSymbols>true</IncludeSymbols>
+    <DebugSymbols>true</DebugSymbols>
+    <DebugType>Portable</DebugType>
+  </PropertyGroup>
+
+
 </Project>

src/API.Library/API.Library.csproj

@@ -479,13 +479,23 @@ internal Cookie CheckCookie(string SessionCookieName, HttpContext httpContext)
             }
             return sessionCookie;
         }
-
-        internal void GatherTraceInformation(dynamic apiRequest, Trace trace)
+        
+        internal void GatherTraceInformation(IRequest apiRequest, Trace trace)
         {
             if (ApiServicesHelper.ApiConfiguration.API_TRACE_ENABLED)
             {
+                Type type = apiRequest.GetType();
+                if (type == typeof(JSONRPC_API))
+                {
+                    trace.TrcParams = MaskParameters(apiRequest.parameters.ToString());
+                }
+                else if (type == typeof(RESTful_API) || type == typeof(Static_API))
+                {
+                    //in non jsonrpc its a list of strings
+                    trace.TrcParams = MaskParameters(apiRequest.parameters[0]);
+                }
+
                 //gather trace information
-                trace.TrcParams = MaskParameters(apiRequest.parameters.ToString());
                 trace.TrcIp = apiRequest.ipAddress;
                 trace.TrcUseragent = apiRequest.userAgent;
                 trace.TrcMethod = apiRequest.method;

src/API.Library/Entities/API.Common.cs

@@ -4,6 +4,10 @@
 using System.Net;
 using System.Security.Cryptography;
 using System.Text;
+using Konscious.Security.Cryptography;
+using System.DirectoryServices.ActiveDirectory;
+using System.Threading;
+using System;
 
 namespace API
 {
@@ -41,10 +45,11 @@ public static string GetMD5(string input)
         }
 
         /// <summary>
-        /// Geberate the SHA256 hash of the input parameter
+        /// Generate the SHA256 hash of the input parameter
         /// </summary>
         /// <param name="input"></param>
         /// <returns></returns>
+        [ObsoleteAttribute("This property is obsolete. Use NewProperty GetArgon2SHA256.", false)]
         public static string GetSHA256(string input)
         {
             // Create a SHA256   
@@ -66,6 +71,148 @@ public static string GetSHA256(string input)
             }
         }
 
+
+
+        /// <summary>
+        /// Generate the SHA256 hash of the input parameter using argon2 and a salt
+        /// uses https://github.com/kmaragon/Konscious.Security.Cryptography
+        /// </summary>
+        /// <param name="input"></param>
+        /// <returns></returns>
+        public static string GetArgon2SHA256(string input)
+        {
+
+            //declare minimum allowable values
+            //number between 1 and 10. -- High-security scenarios: 4–10 iterations (more iterations increase the time cost, making attacks more difficult).
+            const int minNumIterations = 4;
+
+            //Moderate-security scenarios: 64 MB (65536 KB) to 128 MB (131072 KB).
+            // High - security scenarios: 256 MB(262144 KB) to 1 GB(1048576 KB) for sensitive data.
+            const int minMemorySize = 65536; //64mb of memory
+
+            //Low - security scenarios: 1–2(single - threaded hashing).
+            //High - security scenarios: 4–8, depending on available CPU cores.For stronger security,
+            //  it's recommended to align this with the number of cores on your system.
+
+            //min set as 1 as every machine will have 1 thread
+            const int minDegreeOfParallelism = 1;
+
+            var argon2 = new Argon2id(Encoding.UTF8.GetBytes(input));
+
+            var salt = ApiServicesHelper.ApiConfiguration.Settings["API_ENCRYPTION_SALT"];
+            var sDegreeOfParallelism = ApiServicesHelper.ApiConfiguration.Settings["API_ENCRYPTION_DEGREEE_OF_PARALLELISM"];
+            var sMemorySize = ApiServicesHelper.ApiConfiguration.Settings["API_ENCRYPTION_MEMORYSIZE"];
+            var sIterations = ApiServicesHelper.ApiConfiguration.Settings["API_ENCRYPTION_ITERATIONS"];
+
+
+            if (string.IsNullOrEmpty(salt))
+            {
+                throw new Exception("API_ENCRYPTION_SALT must be defined");
+            }
+
+            int iDegreeOfParallelism = 0;
+            if (!string.IsNullOrEmpty(sDegreeOfParallelism))
+            {
+                //check its a number
+                bool DegreeOfParallelismFlag = int.TryParse(sDegreeOfParallelism, out iDegreeOfParallelism);
+
+                if (!DegreeOfParallelismFlag)
+                {
+                    throw new Exception("API_ENCRYPTION_DEGREEE_OF_PARALLELISM must be a valid number");
+
+                }
+            }
+            else
+            {
+                //minimum number of threads to use.
+                iDegreeOfParallelism = minDegreeOfParallelism;
+            }
+
+            int iMemorySize = 0;
+            if (!string.IsNullOrEmpty(sMemorySize))
+            {
+                //check its a number
+                bool MemorySizeFlag = int.TryParse(sMemorySize, out iMemorySize);
+
+                if (!MemorySizeFlag)
+                {
+                    throw new Exception("API_ENCRYPTION_MEMORYSIZE must be a valid number");
+
+                }
+            }
+            else
+            {
+                //default value of 64mb memory
+                iMemorySize = minMemorySize;
+            }
+
+            int iIterations = 0;
+            if (!string.IsNullOrEmpty(sIterations))
+            {
+                //check its a number
+                bool IterationsFlag = int.TryParse(sIterations, out iIterations);
+
+                if (!IterationsFlag)
+                {
+                    throw new Exception("API_ENCRYPTION_ITERATIONS must be a valid number");
+
+                }
+            }
+            else
+            {
+                //minimum number of iteration required
+                iIterations = minNumIterations;
+            }
+
+            if(iDegreeOfParallelism < minDegreeOfParallelism)
+            {
+                iDegreeOfParallelism = minDegreeOfParallelism; //mandatory minimum value
+                Log.Instance.Error("The number for DegreeOfParallelism specified for encryption is using the default value, as value supplied is to small");
+            }
+
+            if (iMemorySize < minMemorySize)
+            {
+                iMemorySize = minMemorySize; //mandatory minimum memory size of 64mb 
+                Log.Instance.Error("The number for MemorySize specified for encryption is using the default value, as value supplied is to small");
+            }
+
+            if (iIterations < minNumIterations)
+            {
+                iIterations = minNumIterations; //mandatory number of iterations for security
+                Log.Instance.Error("The number of iterations specified for encryption is using the default value, as value supplied is to small");
+            }
+
+            argon2.Salt = Encoding.UTF8.GetBytes(salt);
+            argon2.DegreeOfParallelism = iDegreeOfParallelism; //number of thread;
+            argon2.MemorySize = iMemorySize; //memory in KB (64mb)
+            argon2.Iterations = iIterations; //number of iterations
+
+            // generate the hash
+            return Convert.ToBase64String(argon2.GetBytes(32)); //256 but hash
+        }
+
+
+        /// <summary>
+        /// Verify that new hash is equal to existing hash
+        /// /// </summary>
+        /// <param name="input"></param>
+        /// <returns></returns>
+        public static bool VerifyArgon2SHA256(string input, string expectedHash)
+        {
+
+            string newSha256 = GetArgon2SHA256(input);
+
+            //if hashes are the same thrn return true
+            if (newSha256.Equals(expectedHash)) {
+                return true;
+            }
+            else
+            {
+                return false;
+            }
+
+        }
+
         /// <summary>
         /// Serialize to JSON ignoring looping references
         /// </summary>

src/API.Library/Entities/Utility.cs

@@ -117,7 +117,8 @@ public async Task InvokeAsync(HttpContext context)
                     context.Request.EnableBuffering();
                     string incomingUrl = context.Request.Path.ToString();
                     var requestMethod = context.Request.Method;
-
+                    //set the trace verb
+                    trace.TrcRequestVerb = requestMethod;
 
                     if (ApiServicesHelper.BlockedRequests.urls != null)
                     {
@@ -133,8 +134,7 @@ public async Task InvokeAsync(HttpContext context)
                             }
                         }
                     }
-                    //set the trace verb
-                    trace.TrcRequestVerb = requestMethod;
+                
 
                     incomingUrl = incomingUrl.ToLower();
                     switch (true)
@@ -301,7 +301,9 @@ public async Task InvokeAsync(HttpContext context)
 
 
                             if (string.IsNullOrEmpty(trace.TrcMethod))
+                            {
                                 trace.TrcErrorPath = MaskParameters(context.Request.Path.ToString());
+                            }
 
                             Trace_ADO.Create(trace);