Replace Python with C# scripting for per-request scripts
Problem
Some forms of API authentication combine portions of the HTTP request with a secret. Several customers have recently requested this feature. A workaround exists using the legacy configuration file and a deprecated version of Python 2.7, but it is not optimal: customers must manually upgrade the configuration file whenever changes are made, such as adding a new check.
An additional problem with using IronPython for these scripts is that they are unable to call methods that return or accept Span<T> types. This is a known limitation in the IronPython runtime. Microsoft is currently updating APIs to use Span<T> instead of string or byte[]. As such, a long-term solution is needed before releasing the new per-request scripts.
Proposal
Replace IronPython with C# Scripting. Users of API Security would provide a C# Script that will be compiled and called from API Security.
Special Script Headers
Special script headers occur at the beginning of the script with the #cmd format.
Add Reference
In order to support adding references to .NET assemblies (libraries/packages), a special comment type in the format of #r 'PATH/TO/ASSEMBLY.DLL' can be added at the top of a script file. These comments will be found and the referenced assemblies loaded into the script context.
    //#r 'jose-jwt'
    //#r 'System.Security.Cryptography'
    //#r 'MyCustomPackage.dll'
    class MyPerRequestScript : IPerRequestScript
    {
        public void OnRequest(HttpRequest req, byte[] body)
        {
            // Update req object
        }
    }
Default assembly references
System.Security.Cryptography
Peach.Web
Peach.Web.Network
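One way the header lines could be collected before compilation, added here as an example and not taken from API Security's code. It reads the `//#r '...'` form shown in the script above and starts from the default references listed above. The `ScriptHeaders` class, the `ParseReferences` method, the `scriptDir` parameter and the rule that `.dll` references must resolve inside the script directory are assumptions.

```csharp
using System;
using System.Collections.Generic;
using System.IO;
using System.Text.RegularExpressions;

static class ScriptHeaders
{
    // Defaults listed under "Default assembly references" on this page.
    static readonly string[] Defaults =
        { "System.Security.Cryptography", "Peach.Web", "Peach.Web.Network" };

    // Matches a header line such as: //#r 'jose-jwt'
    static readonly Regex Header = new Regex(@"^\s*//#r\s+'([^']+)'\s*$");

    // Returns the default references plus those named in the leading header lines.
    // scriptDir is an assumed policy: .dll references must resolve inside it.
    public static List<string> ParseReferences(string script, string scriptDir)
    {
        var refs = new List<string>(Defaults);
        string root = Path.GetFullPath(scriptDir)
            .TrimEnd(Path.DirectorySeparatorChar) + Path.DirectorySeparatorChar;
        foreach (string line in script.Split('\n'))
        {
            if (string.IsNullOrWhiteSpace(line)) continue;
            Match m = Header.Match(line.TrimEnd('\r'));
            if (!m.Success) break; // headers are only honoured at the top of the file
            string name = m.Groups[1].Value;
            if (name.EndsWith(".dll", StringComparison.OrdinalIgnoreCase))
            {
                // File reference: resolve it and refuse anything outside scriptDir.
                name = Path.GetFullPath(Path.Combine(root, name));
                if (!name.StartsWith(root, StringComparison.Ordinal))
                    throw new InvalidOperationException("Reference outside script directory: " + name);
            }
            if (!refs.Contains(name)) refs.Add(name);
        }
        return refs;
    }

    static void Main()
    {
        // Constructed sample script using the header format shown above.
        string script = "//#r 'jose-jwt'\n//#r 'System.Security.Cryptography'\n" +
                        "//#r 'MyCustomPackage.dll'\nclass MyPerRequestScript : IPerRequestScript { }\n" +
                        "//#r 'Ignored.dll'\n";
        foreach (string r in ParseReferences(script, "scripts"))
            Console.WriteLine(r);
    }
}
```

Because the scan stops at the first line that is not a header, a `//#r` comment placed later in the script body is never treated as a reference, and a header that repeats a default reference is not added twice.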
Expected script implementation
The script should contain one top-level class that implements the IPerRequestScript interface.
    class MyPerRequestScript : IPerRequestScript
    {
        public MyPerRequestScript(ILogger logger)
        {
            // Initialization
        }

        public void OnRequest(Request req, byte[] body)
        {
            // Update req object
        }
    }