Merge branch 'release-1.20' of https://github.com/genexuslabs/DotNetClasses into release-1.20

# Conflicts:
#	dotnet/test/Directory.Build.props

Author: claudiamurialdo

dotnet/src/dotnetframework/GxClasses/Domain/GxCollections.cs

@@ -736,9 +736,9 @@ public void AddObjectProperty(object prop, bool includeState)
 				if (bc != null)
 					jarray.Add(bc.GetJSONObject(includeState));
 				else
-					jarray.Add(ijsonprop.GetJSONObject());
-			}
-			else if (prop is DateTime)
+						jarray.Add(ijsonprop.GetJSONObject());
+				}
+				else if (prop is DateTime)
 			{
 				jarray.Add(DateTimeUtil.TToC2((DateTime)prop, false));
 			}
@@ -1568,12 +1568,32 @@ public void AddObjectProperty(string name, object prop, bool includeState, bool
 						JsonObj.Put(name, prop);
 					}
 				}
+				else if (prop is decimal)
+				{
+					JsonObj.Put(name, RemoveInternalTrailingZeroes((decimal)prop));
+				}
 				else
 				{
 					JsonObj.Put(name, prop);
 				}
 			}
 		}
+		static decimal RemoveInternalTrailingZeroes(decimal dec)
+		{
+			if (GetDecimalScale(dec) > 0)
+			{
+				string strdec = dec.ToString(CultureInfo.InvariantCulture);
+				return decimal.Parse(strdec.Contains(".") ? strdec.TrimEnd('0').TrimEnd('.') : strdec, CultureInfo.InvariantCulture);
+			}
+			else
+				return dec;
+
+		}
+		static int GetDecimalScale(decimal value)
+		{
+			int[] bits = decimal.GetBits(value);
+			return (bits[3] >> 16) & 0xFF;
+		}
 		public Object GetJSONObject(bool includeState, bool includeNoInitialized)
 		{
 			JsonObj.Clear();
@@ -2065,7 +2085,6 @@ public object Item(int index, int i)
 			return innerArray[index][i];
 		}
 	}
-
 	[CollectionDataContract(Name = "GxUnknownObjectCollection")]
 	[KnownType(typeof(GxSimpleCollection<object>))]
 	[KnownType(typeof(GxStringCollection))]
@@ -2420,13 +2439,14 @@ public interface IGxCollection<T> : IGxCollection
 	{
 		T GetNumeric(int idx);
 	}
-
 	public interface IGxExternalObject
 	{
 		object ExternalInstance { get; set; }
 	}
 	public class GXExternalCollection<T> : IGxCollection where T : IGxExternalObject
 	{
+		// T represents the type of the SDT wrapper for the external instance. E.g SdtWorkflowUser
+		// Instance is a list of ExternalType, whose concrete type is unknown. E.g. GXflow.API.User
 		IList instance;
 
 		public string _containedType;

dotnet/src/dotnetframework/GxClasses/Middleware/GXHttp.cs

@@ -1707,21 +1707,29 @@ protected string GetObjectAccessWebToken(String cmpCtx)
 			return GetSecureSignedToken(cmpCtx, string.Empty, this.context);
 		}
 
-		protected string GetSecureSignedToken(String cmpCtx, object Value, IGxContext context)
+		protected string GetSecureSignedToken(String cmpCtx, object value, IGxContext context)
 		{
-			return GetSecureSignedToken(cmpCtx, Serialize(Value), context);
+			if (value is IGxJSONSerializable)
+				return GetSecureSignedHashedToken(cmpCtx, SecureTokenHelper.GetTokenValue(value as IGxJSONSerializable), context);
+			else
+				return GetSecureSignedToken(cmpCtx, Serialize(value), context);
 		}
 
 		protected string GetSecureSignedToken(String cmpCtx, GxUserType Value, IGxContext context)
 		{
-			return GetSecureSignedToken(cmpCtx, Serialize(Value), context);
+			return GetSecureSignedHashedToken(cmpCtx, SecureTokenHelper.GetTokenValue(Value), context);
 		}
 
 
 		protected string GetSecureSignedToken(string cmpCtx, string value, IGxContext context)
 		{
 			return WebSecurityHelper.Sign(PgmInstanceId(cmpCtx), string.Empty, value, SecureTokenHelper.SecurityMode.Sign, context);
 		}
+		private string GetSecureSignedHashedToken(string cmpCtx, TokenValue tokenValue, IGxContext context)
+		{
+			return WebSecurityHelper.Sign(PgmInstanceId(cmpCtx), string.Empty, tokenValue, SecureTokenHelper.SecurityMode.Sign, context);
+		}
+		
 		protected bool VerifySecureSignedToken(string cmpCtx, Object value, string pic, string signedToken, IGxContext context)
 		{
 			GxUserType SDT = value as GxUserType;

dotnet/src/dotnetframework/GxClasses/Security/WebSecurity.cs

@@ -32,6 +32,15 @@ public static string Sign(string pgmName, string issuer, string value, SecurityM
         {            
             return SecureTokenHelper.Sign(new WebSecureToken { ProgramName = pgmName, Issuer = issuer, Value = string.IsNullOrEmpty(value) ? string.Empty: StripInvalidChars(value) }, mode, GetSecretKey(context));
         }
+		internal static string Sign(string pgmName, string issuer, TokenValue tokenValue, SecurityMode mode, IGxContext context)
+		{
+			return SecureTokenHelper.Sign(new WebSecureToken {
+				ProgramName = pgmName,
+				Issuer = issuer,
+				ValueType = tokenValue.ValueType,
+				Value = string.IsNullOrEmpty(tokenValue.Value) ? string.Empty : StripInvalidChars(tokenValue.Value) },
+				mode, GetSecretKey(context));
+		}
 
         private static string GetSecretKey(IGxContext context)
         {
@@ -88,30 +97,63 @@ public static bool Verify(string pgmName, string issuer, string value, string jw
 
 		internal static bool VerifySecureSignedSDTToken(string cmpCtx, IGxCollection value, string signedToken, IGxContext context)
 		{
-			WebSecureToken Token = SecureTokenHelper.getWebSecureToken(signedToken, GetSecretKey(context));
-			if (Token == null)
+			WebSecureToken token = SecureTokenHelper.getWebSecureToken(signedToken, GetSecretKey(context));
+			if (token == null)
 				return false;
-			IGxCollection PayloadObject = (IGxCollection)value.Clone();
-			PayloadObject.FromJSonString(Token.Value);
-			return GxUserType.IsEqual(value, PayloadObject);
+			if (token.ValueType == SecureTokenHelper.ValueTypeHash) 
+			{
+				return VerifyTokenHash(value.ToJSonString(), token);
+			}
+			else
+			{
+				IGxCollection PayloadObject = (IGxCollection)value.Clone();
+				PayloadObject.FromJSonString(token.Value);
+				return GxUserType.IsEqual(value, PayloadObject);
+			}
 		}
 
 		internal static bool VerifySecureSignedSDTToken(string cmpCtx, GxUserType value, string signedToken, IGxContext context)
 		{
-			WebSecureToken Token = SecureTokenHelper.getWebSecureToken(signedToken, GetSecretKey(context));
-			if (Token == null)
+			WebSecureToken token = SecureTokenHelper.getWebSecureToken(signedToken, GetSecretKey(context));
+			if (token == null)
 				return false;
-			GxUserType PayloadObject = (GxUserType)value.Clone();
-			PayloadObject.FromJSonString(Token.Value);
-			return GxUserType.IsEqual(value, PayloadObject);
-		}
+			if (token.ValueType == ValueTypeHash) 
+			{
+				return VerifyTokenHash(value.ToJSonString(), token); 
+			}
+			else
+			{
+				GxUserType PayloadObject = (GxUserType)value.Clone();
+				PayloadObject.FromJSonString(token.Value);
+				return GxUserType.IsEqual(value, PayloadObject);
+			}
 
+		}
 
+		private static bool VerifyTokenHash(string payloadJsonString, WebSecureToken token)
+		{
+			string hash = GetHash(payloadJsonString);
+			if (hash != token.Value)
+			{
+				GXLogging.Error(_log, $"WebSecurity Token Verification error - Hash mismatch '{hash}' <> '{token.Value}'");
+				GXLogging.Debug(_log, "Payload TokenOriginalValue: " + payloadJsonString);
+				return false;
+			}
+			return true;
+		}
+	}
+	internal class TokenValue
+	{
+		internal string Value { get; set; }
+		internal string ValueType { get; set; }
 	}
+
 	[SecuritySafeCritical]
 	public static class SecureTokenHelper
     {
         private static readonly ILog _log = LogManager.GetLogger(typeof(GeneXus.Web.Security.SecureTokenHelper));
+		internal const string ValueTypeHash = "hash";
+		const int MaxTokenValueLength = 1024;
 
         public enum SecurityMode
         {
@@ -128,6 +170,10 @@ internal static WebSecureToken getWebSecureToken(string signedToken, string secr
 			using (var hmac = new System.Security.Cryptography.HMACSHA256(bSecretKey))
 			{
 				var handler = new JwtSecurityTokenHandler();
+				if (signedToken.Length >= handler.MaximumTokenSizeInBytes)
+				{
+					handler.MaximumTokenSizeInBytes = signedToken.Length + 1;
+				}
 				var validationParameters = new TokenValidationParameters
 				{
 					ClockSkew = TimeSpan.FromMinutes(1),
@@ -139,6 +185,7 @@ internal static WebSecureToken getWebSecureToken(string signedToken, string secr
 				WebSecureToken outToken = new WebSecureToken();
 				var claims = handler.ValidateToken(signedToken, validationParameters, out securityToken);
 				outToken.Value = claims.Identities.First().Claims.First(c => c.Type == WebSecureToken.GXVALUE).Value;
+				outToken.ValueType = claims.Identities.First().Claims.First(c => c.Type == WebSecureToken.GXVALUE_TYPE)?.Value ?? string.Empty;
 				return outToken;
 			}
 		}
@@ -156,7 +203,8 @@ public static string Sign(WebSecureToken token, SecurityMode mode, string secret
 							new Claim(WebSecureToken.GXISSUER, token.Issuer),
 							new Claim(WebSecureToken.GXPROGRAM, token.ProgramName),
 							new Claim(WebSecureToken.GXVALUE, token.Value),
-							new Claim(WebSecureToken.GXEXPIRATION, token.Expiration.Subtract(new DateTime(1970, 1, 1)).TotalSeconds.ToString())
+							new Claim(WebSecureToken.GXEXPIRATION, token.Expiration.Subtract(new DateTime(1970, 1, 1)).TotalSeconds.ToString()),
+							new Claim(WebSecureToken.GXVALUE_TYPE, token.ValueType ?? string.Empty)
 							}),
 						notBefore: DateTime.UtcNow,
 						expires: token.Expiration,
@@ -204,10 +252,38 @@ internal static bool Verify(string jwtToken, WebSecureToken outToken, string sec
 				}
 			}
 			return ok;
-		}          
-    }
+		}
+		internal static TokenValue GetTokenValue(IGxJSONSerializable obj)
+		{
+	
+			string jsonString = obj.ToJSonString();
 
-    [DataContract]
+			if (jsonString.Length > MaxTokenValueLength)
+			{
+				string hash = GetHash(jsonString);
+				GXLogging.Debug(_log, $"GetTokenValue: TokenValue is too long, using hash: {hash} instead of original value.");
+				GXLogging.Debug(_log, $"Server TokenOriginalValue:" + jsonString);
+				return new TokenValue() { Value = hash, ValueType = ValueTypeHash };
+			}
+			else
+			{
+				GXLogging.Debug(_log, $"GetTokenValue:" + jsonString);
+				return new TokenValue() { Value = jsonString };
+			}
+		}
+		internal static string GetHash(string jsonString)
+		{
+			using (var sha256 = System.Security.Cryptography.SHA256.Create())
+			{
+				byte[] hashBytes = sha256.ComputeHash(Encoding.UTF8.GetBytes(jsonString));
+				jsonString = Convert.ToBase64String(hashBytes);
+				return jsonString;
+			}
+		}
+
+	}
+
+	[DataContract]
     public abstract class SecureToken : IGxJSONSerializable
     {
         public abstract string ToJSonString();
@@ -237,8 +313,9 @@ public class WebSecureToken: SecureToken
         internal const string GXPROGRAM = "gx-pgm";
         internal const string GXVALUE = "gx-val";
         internal const string GXEXPIRATION = "gx-exp";
+		internal const string GXVALUE_TYPE = "gx-val-type";
 
-        [DataMember(Name = GXISSUER, IsRequired = true, EmitDefaultValue = false)]
+		[DataMember(Name = GXISSUER, IsRequired = true, EmitDefaultValue = false)]
         public string Issuer { get; set; }
 
 		[DataMember(Name = GXPROGRAM, IsRequired = true, EmitDefaultValue = false)]
@@ -250,7 +327,9 @@ public class WebSecureToken: SecureToken
         [DataMember(Name = GXEXPIRATION, EmitDefaultValue = false)]
         public DateTime Expiration { get; set; }
 
-        public WebSecureToken()
+		[DataMember(Name = GXVALUE_TYPE, EmitDefaultValue = false)]
+		public string ValueType { get; set; }
+		public WebSecureToken()
         {
             Expiration = DateTime.Now.AddDays(15);			
 		}
@@ -263,6 +342,7 @@ public override bool FromJSonString(string s)
                 this.Value = wt.Value;
                 this.ProgramName = wt.ProgramName;
                 this.Issuer = wt.Issuer;
+				this.ValueType = wt.ValueType;
                 return true;
             }
             catch (Exception)