public void AuthorizationBaselineTests()
{
string key = "VGhpcyBpcyBhIHNhbXBsZSBzdHJpbmc=";
for (int i = 0; i < this.AuthorizationBaseline.Length; i++)
{
string[] baseline = this.AuthorizationBaseline[i];
string[] baselineResults = this.AuthorizationBaselineResults[i];
RequestNameValueCollection nvc = new();
nvc.Add(HttpConstants.HttpHeaders.XDate, baseline[4]);
Uri uri = new Uri(baseline[0]);
string authorization = AuthorizationHelper.GenerateKeyAuthorizationSignature(
verb: baseline[2],
uri: uri,
headers: nvc,
stringHMACSHA256Helper: new StringHMACSHA256Hash(key));
string authorization2 = AuthorizationHelper.GenerateKeyAuthorizationSignature(
verb: baseline[2],
resourceId: baseline[1],
resourceType: baseline[3],
headers: nvc,
new StringHMACSHA256Hash(key),
out string payload2);
string authorization3 = AuthorizationHelper.GenerateKeyAuthorizationSignature(
verb: baseline[2],
resourceId: baseline[1],
resourceType: baseline[3],
headers: nvc,
key);
Assert.AreEqual(authorization, baselineResults[0]);
Assert.AreEqual(authorization2, baselineResults[0]);
Assert.AreEqual(authorization3, baselineResults[0]);
Assert.AreEqual(payload2.Replace("\n", "[n]"), baselineResults[1]);
AuthorizationHelper.ParseAuthorizationToken(authorization, out ReadOnlyMemory <char> typeOutput1, out ReadOnlyMemory <char> versionoutput1, out ReadOnlyMemory <char> tokenOutput1);
Assert.AreEqual("master", typeOutput1.ToString());
AuthorizationHelper.ParseAuthorizationToken(authorization2, out ReadOnlyMemory <char> typeOutput2, out ReadOnlyMemory <char> versionoutput2, out ReadOnlyMemory <char> tokenOutput2);
Assert.AreEqual("master", typeOutput2.ToString());
AuthorizationHelper.ParseAuthorizationToken(authorization3, out ReadOnlyMemory <char> typeOutput3, out ReadOnlyMemory <char> versionoutput3, out ReadOnlyMemory <char> tokenOutput3);
Assert.AreEqual("master", typeOutput3.ToString());
Assert.IsTrue(AuthorizationHelper.CheckPayloadUsingKey(tokenOutput1, baseline[2], baseline[1], baseline[3], nvc, key));
Assert.IsTrue(AuthorizationHelper.CheckPayloadUsingKey(tokenOutput2, baseline[2], baseline[1], baseline[3], nvc, key));
Assert.IsTrue(AuthorizationHelper.CheckPayloadUsingKey(tokenOutput3, baseline[2], baseline[1], baseline[3], nvc, key));
}
}
public void AuthorizationGenerateAndCheckKeyAuthSignature()
{
Random r = new Random();
byte[] hashKey = new byte[16];
r.NextBytes(hashKey);
string key = Convert.ToBase64String(hashKey);
foreach (string method in this.HttpMethods)
{
foreach (string resourceType in this.ResourceTypesArray)
{
foreach (string resourceName in this.ResourceNameValues)
{
RequestNameValueCollection nvc = new();
nvc.Add(HttpConstants.HttpHeaders.XDate, new DateTime(2020, 02, 01, 10, 00, 00).ToString("r"));
string authorizationKey = AuthorizationHelper.GenerateKeyAuthorizationSignature(
method,
resourceName,
resourceType,
nvc,
new StringHMACSHA256Hash(key),
out string payload);
AuthorizationHelper.ParseAuthorizationToken(authorizationKey,
out ReadOnlyMemory <char> typeOutput,
out ReadOnlyMemory <char> versionOutput,
out ReadOnlyMemory <char> tokenOutput);
Assert.AreEqual("master", typeOutput.ToString());
Assert.IsTrue(AuthorizationHelper.CheckPayloadUsingKey(
tokenOutput,
method,
resourceName,
resourceType,
nvc,
key));
}
}
}
}
public async Task ValidateAzureKeyCredentialGatewayModeUpdateAsync()
{
const int defaultStatusCode = 401;
const int defaultSubStatusCode = 50000;
const int authMisMatchStatusCode = 70000;
string originalKey = CosmosClientTests.NewRamdonMasterKey();
string newKey = CosmosClientTests.NewRamdonResourceToken();
string currentKey = originalKey;
Mock <IHttpHandler> mockHttpHandler = new Mock <IHttpHandler>();
mockHttpHandler.Setup(x => x.SendAsync(
It.IsAny <HttpRequestMessage>(),
It.IsAny <CancellationToken>()))
.Returns((HttpRequestMessage request, CancellationToken cancellationToken) => {
HttpResponseMessage responseMessage = new HttpResponseMessage((HttpStatusCode)defaultStatusCode);
if (request.RequestUri != VmMetadataApiHandler.vmMetadataEndpointUrl)
{
bool authHeaderPresent = request.Headers.TryGetValues(Documents.HttpConstants.HttpHeaders.Authorization, out IEnumerable <string> authValues);
Assert.IsTrue(authHeaderPresent);
Assert.AreNotEqual(0, authValues.Count());
AuthorizationHelper.GetResourceTypeAndIdOrFullName(request.RequestUri, out _, out string resourceType, out string resourceIdValue);
AuthorizationHelper.ParseAuthorizationToken(authValues.First(),
out ReadOnlyMemory <char> authType,
out ReadOnlyMemory <char> _,
out ReadOnlyMemory <char> tokenFromAuthHeader);
bool authValidated = false;
if (MemoryExtensions.Equals(authType.Span, Documents.Constants.Properties.ResourceToken.AsSpan(), StringComparison.OrdinalIgnoreCase))
{
authValidated = HttpUtility.UrlDecode(authValues.First()) == currentKey;
}
else
{
authValidated = AuthorizationHelper.CheckPayloadUsingKey(
tokenFromAuthHeader,
request.Method.Method,
resourceIdValue,
resourceType,
request.Headers.Aggregate(new NameValueCollectionWrapper(), (c, kvp) => { c.Add(kvp.Key, kvp.Value); return(c); }),
currentKey);
}
int subStatusCode = authValidated ? defaultSubStatusCode : authMisMatchStatusCode;
responseMessage.Headers.Add(Documents.WFConstants.BackendHeaders.SubStatus, subStatusCode.ToString());
}
return(Task.FromResult(responseMessage));
});
AzureKeyCredential masterKeyCredential = new AzureKeyCredential(originalKey);
using (CosmosClient client = new CosmosClient(
CosmosClientTests.AccountEndpoint,
masterKeyCredential,
new CosmosClientOptions()
{
HttpClientFactory = () => new HttpClient(new HttpHandlerHelper(mockHttpHandler.Object)),
EnableClientTelemetry = false,
}))
{
Container container = client.GetContainer(Guid.NewGuid().ToString(), Guid.NewGuid().ToString());
Func <int, int, Task> authValidation = async(int statusCode, int subStatusCode) =>
{
try
{
await container.ReadItemAsync <ToDoActivity>(Guid.NewGuid().ToString(), new Cosmos.PartitionKey(Guid.NewGuid().ToString()));
Assert.Fail("Expected client to throw a authentication exception");
}
catch (CosmosException ex)
{
Assert.AreEqual(statusCode, (int)ex.StatusCode, ex.ToString());
Assert.AreEqual(subStatusCode, ex.SubStatusCode, ex.ToString());
}
};
// Key(V1)
await authValidation(defaultStatusCode, defaultSubStatusCode);
// Update key(V2) and let the auth validation fail
masterKeyCredential.Update(newKey);
await authValidation(defaultStatusCode, authMisMatchStatusCode);
// Updated Key(V2) and now lets succeed auth validation
Interlocked.Exchange(ref currentKey, newKey);
await authValidation(defaultStatusCode, defaultSubStatusCode);
}
}
