        public void CreateAuthorizationRequest_should_have_expected_result()
        {
            // Every input is pinned so the SigV4 output is a stable regression
            // vector: a fixed signing instant, an obviously fake (non-secret)
            // key pair and a fixed 32-byte salt standing in for the server nonce.
            var signingInstant = new DateTime(2020, 03, 12, 14, 23, 46);
            var keyId          = "permanentuser";
            var fakeSecret     = "FAKEFAKEFAKEFAKEFAKEfakefakefakefakefake";
            byte[] nonceSalt   = { 64, 230, 20, 164, 223, 96, 92, 144, 3, 240, 27, 110, 97, 65, 200, 11, 157, 162, 141, 4, 149, 86, 91, 108, 189, 194, 100, 90, 249, 219, 155, 235, };
            var stsHost        = "sts.amazonaws.com";

            // No session token here, so the SignedHeaders list carries no
            // x-amz-security-token entry and the signature reflects that
            // canonical request exactly.
            var expectedHeader = string.Concat(
                "AWS4-HMAC-SHA256 ",
                "Credential=permanentuser/20200312/us-east-1/sts/aws4_request, ",
                "SignedHeaders=content-length;content-type;host;x-amz-date;x-mongodb-gs2-cb-flag;x-mongodb-server-nonce, ",
                "Signature=6872b9199b47dc983a95f9113a096c9b4e63bb6ddf39030161b1f092ab616df2");
            var expectedAmzDate = "20200312T142346Z";

            // The secret is handed over as a SecureString, matching the
            // production call site rather than a plain string.
            AwsSignatureVersion4.CreateAuthorizationRequest(
                signingInstant,
                keyId,
                SecureStringHelper.ToSecureString(fakeSecret),
                sessionToken: null,
                nonceSalt,
                stsHost,
                out var actualHeader,
                out var actualAmzDate);

            actualHeader.Should().Be(expectedHeader);
            actualAmzDate.Should().Be(expectedAmzDate);
        }
        public void CreateAuthorizationRequest_with_session_token_should_have_expected_result()
        {
            // Same pinned inputs as the no-token case, plus a fake temporary
            // session token, so the only thing that may move the signature is
            // the token itself.
            var signingInstant = new DateTime(2020, 03, 12, 14, 23, 46);
            var keyId          = "permanentuser";
            var fakeSecret     = "FAKEFAKEFAKEFAKEFAKEfakefakefakefakefake";
            var fakeToken      = "MXUpbuzwzPo67WKCNYtdBq47taFtIpt+SVx58hNx1/jSz37h9d67dtUOg0ejKrv83u8ai+VFZxMx=";
            byte[] nonceSalt   = { 64, 230, 20, 164, 223, 96, 92, 144, 3, 240, 27, 110, 97, 65, 200, 11, 157, 162, 141, 4, 149, 86, 91, 108, 189, 194, 100, 90, 249, 219, 155, 235, };
            var stsHost        = "sts.amazonaws.com";

            // With a session token present, x-amz-security-token must be part
            // of SignedHeaders (it is bound into the signature, not just sent
            // alongside it), and the expected Signature differs accordingly.
            var expectedHeader = string.Concat(
                "AWS4-HMAC-SHA256 ",
                "Credential=permanentuser/20200312/us-east-1/sts/aws4_request, ",
                "SignedHeaders=content-length;content-type;host;x-amz-date;x-amz-security-token;x-mongodb-gs2-cb-flag;x-mongodb-server-nonce, ",
                "Signature=d60ee7fe01c82631583a7534fe017e1840fd5975faf1593252e91c54573a93ae");
            var expectedAmzDate = "20200312T142346Z";

            AwsSignatureVersion4.CreateAuthorizationRequest(
                signingInstant,
                keyId,
                SecureStringHelper.ToSecureString(fakeSecret),
                fakeToken,
                nonceSalt,
                stsHost,
                out var actualHeader,
                out var actualAmzDate);

            actualHeader.Should().Be(expectedHeader);
            actualAmzDate.Should().Be(expectedAmzDate);
        }
        public void Authenticate_should_have_expected_result(
            [Values(false, true)] bool async)
        {
            // Build the nonces up front: the server nonce is the client nonce
            // with extra random bytes appended, which is what the authenticator
            // is expected to accept as proof the server saw its first message.
            var now          = DateTime.UtcNow;
            var clientNonce  = __randomByteGenerator.Generate(ClientNonceLength);
            var serverNonce  = Combine(clientNonce, __randomByteGenerator.Generate(ClientNonceLength));
            var stsHost      = "sts.amazonaws.com";
            var credential   = new UsernamePasswordCredential("$external", "permanentuser", "FAKEFAKEFAKEFAKEFAKEfakefakefakefakefake");

            // Compute the header the authenticator must produce for exactly
            // these inputs (no session token), so the assertion below is
            // independent of how the subject assembles the request.
            AwsSignatureVersion4.CreateAuthorizationRequest(
                now,
                credential.Username,
                credential.Password,
                null,
                serverNonce,
                stsHost,
                out var expectedAuthHeader,
                out var expectedTimestamp);

            // Freeze time and randomness so the subject reproduces the
            // expected values; the generator returns the same nonce for any
            // requested length.
            var clock = new Mock<IClock>();
            clock.Setup(c => c.UtcNow).Returns(now);

            var randomBytes = new Mock<IRandomByteGenerator>();
            randomBytes.Setup(g => g.Generate(It.IsAny<int>())).Returns(clientNonce);

            var clientFirst = new BsonDocument
            {
                { "r", clientNonce },
                { "p", (int)'n' }
            };
            var clientSecond = new BsonDocument
            {
                { "a", expectedAuthHeader },
                { "d", expectedTimestamp }
            };
            var serverFirst = new BsonDocument
            {
                { "s", serverNonce },
                { "h", stsHost }
            };

            var saslStartResponse = MessageHelper.BuildCommandResponse(RawBsonDocumentHelper.FromJson(
                $"{{ conversationId : 1, done : false, payload : BinData(0,\"{ToBase64(serverFirst.ToBson())}\"), ok : 1 }}"));
            var saslContinueResponse = MessageHelper.BuildCommandResponse(RawBsonDocumentHelper.FromJson(
                "{ conversationId : 1, done : true, payload : BinData(0,\"\"), ok : 1}"));

            var subject = new MongoAWSAuthenticator(credential, null, randomBytes.Object, clock.Object, serverApi: null);

            var connection = new MockConnection(__serverId);
            connection.EnqueueCommandResponseMessage(saslStartResponse);
            connection.EnqueueCommandResponseMessage(saslContinueResponse);
            connection.Description = __descriptionCommandWireProtocol;

            // Both code paths are exercised through the same assertions.
            if (async)
            {
                subject.AuthenticateAsync(connection, __descriptionCommandWireProtocol, CancellationToken.None).GetAwaiter().GetResult();
            }
            else
            {
                subject.Authenticate(connection, __descriptionCommandWireProtocol, CancellationToken.None);
            }

            SpinWait.SpinUntil(() => connection.GetSentMessages().Count >= 2, TimeSpan.FromSeconds(5)).Should().BeTrue();

            var sent = MessageHelper.TranslateMessagesToBsonDocuments(connection.GetSentMessages());
            sent.Count.Should().Be(2);

            // Request ids are assigned by the connection, so read them back
            // rather than predicting them.
            var firstRequestId  = sent[0]["requestId"].AsInt32;
            var secondRequestId = sent[1]["requestId"].AsInt32;

            sent[0].Should().Be(GetExpectedSaslStartCommandMessage(firstRequestId, clientFirst));
            sent[1].Should().Be(GetExpectedSaslContinueCommandMessage(secondRequestId, clientSecond));
        }
        public void Authenticate_with_session_token_should_have_expected_result(
            [Values(false, true)] bool async)
        {
            // Same nonce construction as the no-token test; the server nonce
            // is the client nonce plus additional random bytes.
            var now          = DateTime.UtcNow;
            var clientNonce  = __randomByteGenerator.Generate(ClientNonceLength);
            var serverNonce  = Combine(clientNonce, __randomByteGenerator.Generate(ClientNonceLength));
            var stsHost      = "sts.amazonaws.com";
            var credential   = new UsernamePasswordCredential("$external", "permanentuser", "FAKEFAKEFAKEFAKEFAKEfakefakefakefakefake");
            var fakeToken    = "MXUpbuzwzPo67WKCNYtdBq47taFtIpt+SVx58hNx1/jSz37h9d67dtUOg0ejKrv83u8ai+VFZxMx=";

            // Reference header for these inputs including the session token.
            AwsSignatureVersion4.CreateAuthorizationRequest(
                now,
                credential.Username,
                credential.Password,
                fakeToken,
                serverNonce,
                stsHost,
                out var expectedAuthHeader,
                out var expectedTimestamp);

            // Deterministic clock and nonce source for the subject.
            var clock = new Mock<IClock>();
            clock.Setup(c => c.UtcNow).Returns(now);

            var randomBytes = new Mock<IRandomByteGenerator>();
            randomBytes.Setup(g => g.Generate(It.IsAny<int>())).Returns(clientNonce);

            var clientFirst = new BsonDocument
            {
                { "r", clientNonce },
                { "p", (int)'n' }
            };
            // With a session token the second client message carries it in
            // "t" next to the signed header and timestamp.
            var clientSecond = new BsonDocument
            {
                { "a", expectedAuthHeader },
                { "d", expectedTimestamp },
                { "t", fakeToken }
            };
            var serverFirst = new BsonDocument
            {
                { "s", serverNonce },
                { "h", stsHost }
            };

            var saslStartReply = MessageHelper.BuildReply<RawBsonDocument>(RawBsonDocumentHelper.FromJson(
                $"{{ conversationId : 1, done : false, payload : BinData(0,\"{ToBase64(serverFirst.ToBson())}\"), ok : 1}}"));
            var saslContinueReply = MessageHelper.BuildReply<RawBsonDocument>(RawBsonDocumentHelper.FromJson(
                "{ conversationId : 1, done : true, payload : BinData(0,\"\"), ok : 1}"));

            // The token reaches the authenticator through the mechanism
            // properties rather than the credential itself.
            var properties = new[] { new KeyValuePair<string, string>("AWS_SESSION_TOKEN", fakeToken) };
            var subject    = new MongoAWSAuthenticator(credential, properties, randomBytes.Object, clock.Object, serverApi: null);

            var connection = new MockConnection(__serverId);
            connection.EnqueueReplyMessage(saslStartReply);
            connection.EnqueueReplyMessage(saslContinueReply);

            if (async)
            {
                subject.AuthenticateAsync(connection, __descriptionQueryWireProtocol, CancellationToken.None).GetAwaiter().GetResult();
            }
            else
            {
                subject.Authenticate(connection, __descriptionQueryWireProtocol, CancellationToken.None);
            }

            SpinWait.SpinUntil(() => connection.GetSentMessages().Count >= 2, TimeSpan.FromSeconds(5)).Should().BeTrue();

            var sent = MessageHelper.TranslateMessagesToBsonDocuments(connection.GetSentMessages());
            sent.Count.Should().Be(2);

            // Request ids come from the connection; read them back instead of
            // predicting them.
            var firstRequestId  = sent[0]["requestId"].AsInt32;
            var secondRequestId = sent[1]["requestId"].AsInt32;

            sent[0].Should().Be(GetExpectedSaslStartQueryMessage(firstRequestId, clientFirst));
            sent[1].Should().Be(GetExpectedSaslContinueQueryMessage(secondRequestId, clientSecond));
        }