public static void Register(HttpConfiguration config)
{
// Web API configuration and services
// Web API routes
config.MapHttpAttributeRoutes();
config.Routes.MapHttpRoute(
name: "DefaultApi",
routeTemplate: "{controller}/{id}",
defaults: new { id = RouteParameter.Optional }
);
// return JSON instead of XML as default
var appXmlType = config.Formatters.XmlFormatter.SupportedMediaTypes
.FirstOrDefault(t => t.MediaType == "application/xml");
config.Formatters.XmlFormatter.SupportedMediaTypes.Remove(appXmlType);
// use camelCase in JSON
var jsonFormatter = config.Formatters.OfType <JsonMediaTypeFormatter>().First();
jsonFormatter.SerializerSettings.ContractResolver = new CamelCasePropertyNamesContractResolver();
// ReSharper disable once UnusedVariable
var requireHttpsAttribute = new RequireHttpsAttribute();
config.Filters.Add(new HostAuthenticationFilter(OAuthDefaults.AuthenticationType));
#if !DEBUG
config.Filters.Add(requireHttpsAttribute);
#endif
}
public void OnAuthorization_RedirectsToHttpsEndpoint_ForCustomSslPort(
string url,
int?sslPort,
string expectedUrl)
{
// Arrange
var options = Options.Create(new MvcOptions());
var uri = new Uri(url);
var requestContext = new DefaultHttpContext();
requestContext.RequestServices = CreateServices(sslPort);
requestContext.Request.Scheme = "http";
requestContext.Request.Method = "GET";
requestContext.Request.Host = HostString.FromUriComponent(uri);
requestContext.Request.Path = PathString.FromUriComponent(uri);
requestContext.Request.QueryString = QueryString.FromUriComponent(uri);
var authContext = CreateAuthorizationContext(requestContext);
var attr = new RequireHttpsAttribute();
// Act
attr.OnAuthorization(authContext);
// Assert
Assert.NotNull(authContext.Result);
var result = Assert.IsType <RedirectResult>(authContext.Result);
Assert.Equal(expectedUrl, result.Url);
}
public void OnAuthorization_RedirectsToHttpsEndpoint_WithSpecifiedStatusCodeAndRequireHttpsPermanentOption(bool?permanent, bool requireHttpsPermanent)
{
var requestContext = new DefaultHttpContext();
requestContext.RequestServices = CreateServices(null, requireHttpsPermanent);
requestContext.Request.Scheme = "http";
requestContext.Request.Method = "GET";
var authContext = CreateAuthorizationContext(requestContext);
var attr = new RequireHttpsAttribute();
if (permanent.HasValue)
{
attr.Permanent = permanent.Value;
}
;
// Act
attr.OnAuthorization(authContext);
// Assert
var result = Assert.IsType <RedirectResult>(authContext.Result);
Assert.Equal(permanent ?? requireHttpsPermanent, result.Permanent);
}
public void OnAuthorizationRedirectsIfPermanentConstructorParameterIsAndRequestIsNotSecureAndMethodIsGet(
bool permanent
)
{
// Arrange
Mock <AuthorizationContext> mockAuthContext = new Mock <AuthorizationContext>();
mockAuthContext.Setup(c => c.HttpContext.Request.HttpMethod).Returns("get");
mockAuthContext.Setup(c => c.HttpContext.Request.IsSecureConnection).Returns(false);
mockAuthContext
.Setup(c => c.HttpContext.Request.RawUrl)
.Returns("/alpha/bravo/charlie?q=quux");
mockAuthContext
.Setup(c => c.HttpContext.Request.Url)
.Returns(new Uri("http://www.example.com:8080/foo/bar/baz"));
AuthorizationContext authContext = mockAuthContext.Object;
RequireHttpsAttribute attr = new RequireHttpsAttribute(permanent);
// Act
attr.OnAuthorization(authContext);
RedirectResult result = authContext.Result as RedirectResult;
// Assert
Assert.Equal(permanent, attr.Permanent);
Assert.NotNull(result);
Assert.Equal("https://www.example.com/alpha/bravo/charlie?q=quux", result.Url);
Assert.Equal(permanent, result.Permanent);
}
private static void ConfigureMvc(IServiceCollection services)
{
services.AddMvc(options =>
{
var requireHttpsFilter = new RequireHttpsAttribute();
options.Filters.Add(requireHttpsFilter);
});
}
private void ConfigureMvc(IServiceCollection services)
{
services.AddMvc(options =>
{
var requireHttpsFilter = new RequireHttpsAttribute();
options.Filters.Add(requireHttpsFilter);
options.EnableEndpointRouting = false;
});
}
public void OnAuthorizationThrowsIfFilterContextIsNull()
{
// Arrange
RequireHttpsAttribute attr = new RequireHttpsAttribute();
// Act & assert
Assert.ThrowsArgumentNull(
delegate { attr.OnAuthorization(null); }, "filterContext");
}
public void OnAuthorizationThrowsIfFilterContextIsNull()
{
// Arrange
RequireHttpsAttribute attr = new RequireHttpsAttribute();
// Act & assert
Assert.ThrowsArgumentNull(
delegate { attr.OnAuthorization(null); }, "filterContext");
}
public static MvcOptions RequireSsl([NotNull] this MvcOptions thisValue)
{
RequireHttpsAttribute requireHttps = thisValue.Filters.OfType <RequireHttpsAttribute>().FirstOrDefault();
if (requireHttps == null)
{
thisValue.Filters.Add <RequireHttpsAttribute>();
}
return(thisValue);
}
private static void ConfigureMvc(IServiceCollection services)
{
services.AddMvc(options =>
{
var requireHttpsFilter = new RequireHttpsAttribute();
options.Filters.Add(requireHttpsFilter);
var authorizationPolicy = new AuthorizationPolicyBuilder()
.RequireAuthenticatedUser()
.Build();
var authorizeFilter = new AuthorizeFilter(authorizationPolicy);
options.Filters.Add(authorizeFilter);
});
}
public void OnAuthorizationThrowsIfRequestIsNotSecureAndMethodIsNotGet()
{
// Arrange
Mock <AuthorizationContext> mockAuthContext = new Mock <AuthorizationContext>();
mockAuthContext.Setup(c => c.HttpContext.Request.HttpMethod).Returns("post");
mockAuthContext.Setup(c => c.HttpContext.Request.IsSecureConnection).Returns(false);
AuthorizationContext authContext = mockAuthContext.Object;
RequireHttpsAttribute attr = new RequireHttpsAttribute();
// Act & assert
Assert.Throws <InvalidOperationException>(
delegate { attr.OnAuthorization(authContext); },
@"The requested resource can only be accessed via SSL.");
}
public void OnAuthorization_AllowsTheRequestIfItIsHttps()
{
// Arrange
var requestContext = new DefaultHttpContext();
requestContext.Request.Scheme = "https";
var authContext = CreateAuthorizationContext(requestContext);
var attr = new RequireHttpsAttribute();
// Act
attr.OnAuthorization(authContext);
// Assert
Assert.Null(authContext.Result);
}
public static void Configure(IAppBuilder appBuilder, ILifetimeScope container)
{
var config = new HttpConfiguration();
config.DependencyResolver = new AutofacWebApiDependencyResolver(container);
config.MapHttpAttributeRoutes();
config.Routes.MapHttpRoute(
name: "DefaultApi",
routeTemplate: "api/{controller}/{id}",
defaults: new { id = RouteParameter.Optional }
);
var requireHttpsAttribute = new RequireHttpsAttribute();
#if !DEBUG
config.Filters.Add(requireHttpsAttribute);
#endif
// return JSON instead of XML by default
var appXmlType = config.Formatters.XmlFormatter.SupportedMediaTypes
.FirstOrDefault(t => t.MediaType == "application/xml");
config.Formatters.XmlFormatter.SupportedMediaTypes.Remove(appXmlType);
// use camelCase in JSON
var jsonFormatter = config.Formatters.OfType <JsonMediaTypeFormatter>().First();
jsonFormatter.SerializerSettings.ContractResolver = new CamelCasePropertyNamesContractResolver();
// standardize datetime format
jsonFormatter.SerializerSettings.DateFormatHandling = DateFormatHandling.IsoDateFormat;
IsoDateTimeConverter dateConverter = new IsoDateTimeConverter
{
DateTimeFormat = "yyyy'-'MM'-'dd'T'HH':'mm':'ss.fff'Z'"
};
jsonFormatter.SerializerSettings.Converters.Add(dateConverter);
appBuilder.UseAutofacWebApi(config);
appBuilder.UseWebApi(config);
appBuilder.UseFileServer(new FileServerOptions
{
EnableDefaultFiles = false,
RequestPath = new PathString("/images")
});
}
public void OnAuthorizationDoesNothingIfRequestIsSecure()
{
// Arrange
Mock<AuthorizationContext> mockAuthContext = new Mock<AuthorizationContext>();
mockAuthContext.Setup(c => c.HttpContext.Request.IsSecureConnection).Returns(true);
AuthorizationContext authContext = mockAuthContext.Object;
ViewResult result = new ViewResult();
authContext.Result = result;
RequireHttpsAttribute attr = new RequireHttpsAttribute();
// Act
attr.OnAuthorization(authContext);
// Assert
Assert.Same(result, authContext.Result);
}
public void OnAuthorization_RedirectsToHttpsEndpoint_ForNonHttpsGetRequests(
string host,
string pathBase,
string path,
string queryString,
string expectedUrl)
{
// Arrange
var requestContext = new DefaultHttpContext();
requestContext.RequestServices = CreateServices();
requestContext.Request.Scheme = "http";
requestContext.Request.Method = "GET";
requestContext.Request.Host = HostString.FromUriComponent(host);
if (pathBase != null)
{
requestContext.Request.PathBase = new PathString(pathBase);
}
if (path != null)
{
requestContext.Request.Path = new PathString(path);
}
if (queryString != null)
{
requestContext.Request.QueryString = new QueryString(queryString);
}
var authContext = CreateAuthorizationContext(requestContext);
var attr = new RequireHttpsAttribute();
// Act
attr.OnAuthorization(authContext);
// Assert
Assert.NotNull(authContext.Result);
var result = Assert.IsType <RedirectResult>(authContext.Result);
Assert.False(result.Permanent);
Assert.Equal(expectedUrl, result.Url);
}
public void OnAuthorization_SignalsBadRequestStatusCode_ForNonHttpsAndNonGetRequests(string method)
{
// Arrange
var requestContext = new DefaultHttpContext();
requestContext.RequestServices = CreateServices();
requestContext.Request.Scheme = "http";
requestContext.Request.Method = method;
var authContext = CreateAuthorizationContext(requestContext);
var attr = new RequireHttpsAttribute();
// Act
attr.OnAuthorization(authContext);
// Assert
Assert.NotNull(authContext.Result);
var result = Assert.IsType <StatusCodeResult>(authContext.Result);
Assert.Equal(StatusCodes.Status403Forbidden, result.StatusCode);
}
public void OnAuthorizationRedirectsIfRequestIsNotSecureAndMethodIsGet()
{
// Arrange
Mock<AuthorizationContext> mockAuthContext = new Mock<AuthorizationContext>();
mockAuthContext.Setup(c => c.HttpContext.Request.HttpMethod).Returns("get");
mockAuthContext.Setup(c => c.HttpContext.Request.IsSecureConnection).Returns(false);
mockAuthContext.Setup(c => c.HttpContext.Request.RawUrl).Returns("/alpha/bravo/charlie?q=quux");
mockAuthContext.Setup(c => c.HttpContext.Request.Url).Returns(new Uri("http://www.example.com:8080/foo/bar/baz"));
AuthorizationContext authContext = mockAuthContext.Object;
RequireHttpsAttribute attr = new RequireHttpsAttribute();
// Act
attr.OnAuthorization(authContext);
RedirectResult result = authContext.Result as RedirectResult;
// Assert
Assert.NotNull(result);
Assert.Equal("https://www.example.com/alpha/bravo/charlie?q=quux", result.Url);
}
public void OnAuthorizationDoesNothingIfRequestIsSecure()
{
// Arrange
Mock <AuthorizationContext> mockAuthContext = new Mock <AuthorizationContext>();
mockAuthContext.Setup(c => c.HttpContext.Request.IsSecureConnection).Returns(true);
AuthorizationContext authContext = mockAuthContext.Object;
ViewResult result = new ViewResult();
authContext.Result = result;
RequireHttpsAttribute attr = new RequireHttpsAttribute();
// Act
attr.OnAuthorization(authContext);
// Assert
Assert.Same(result, authContext.Result);
}
public void OnAuthorizationRedirectsIfRequestIsNotSecureAndMethodIsGet()
{
// Arrange
Mock <AuthorizationContext> mockAuthContext = new Mock <AuthorizationContext>();
mockAuthContext.Expect(c => c.HttpContext.Request.HttpMethod).Returns("get");
mockAuthContext.Expect(c => c.HttpContext.Request.IsSecureConnection).Returns(false);
mockAuthContext.Expect(c => c.HttpContext.Request.RawUrl).Returns("/alpha/bravo/charlie?q=quux");
mockAuthContext.Expect(c => c.HttpContext.Request.Url).Returns(new Uri("http://www.example.com:8080/foo/bar/baz"));
AuthorizationContext authContext = mockAuthContext.Object;
RequireHttpsAttribute attr = new RequireHttpsAttribute();
// Act
attr.OnAuthorization(authContext);
RedirectResult result = authContext.Result as RedirectResult;
// Assert
Assert.IsNotNull(result, "Result should have been a RedirectResult.");
Assert.AreEqual("https://www.example.com/alpha/bravo/charlie?q=quux", result.Url);
}
public void OnAuthorization(AuthorizationContext filterContext)
{
if (filterContext == null)
{
throw new ArgumentNullException("filterContext");
}
if (filterContext.HttpContext.Request.IsLocal)
{
return;
}
if (!AppContext.Configuration.RequireRootHost)
{
return;
}
if (!filterContext.HttpContext.Request.Url.Host.StartsWith("www."))
{
return;
}
if (filterContext.HttpContext.Request.HttpMethod != "GET")
{
throw new InvalidOperationException("RequireRootHost_MustRemoveWwW");
}
var httpsPort = RequireHttpsAttribute.GetHttpsPort();
if (httpsPort == null)
{
return;
}
filterContext.Result = new RedirectResult($"https://{filterContext.HttpContext.Request.Url.Host.Remove(0, 4)}:{httpsPort}{filterContext.HttpContext.Request.RawUrl}");
}
public void Setup()
{
context = new HttpActionContext(new HttpControllerContext(new HttpRequestContext(), new HttpRequestMessage(HttpMethod.Get, new Uri("https://www.server.domain")), new HttpControllerDescriptor(), Substitute.For<IHttpController>()),
new ReflectedHttpActionDescriptor());
sut = new RequireHttpsAttribute();
}
public void OnAuthorizationThrowsIfRequestIsNotSecureAndMethodIsNotGet()
{
// Arrange
Mock<AuthorizationContext> mockAuthContext = new Mock<AuthorizationContext>();
mockAuthContext.Setup(c => c.HttpContext.Request.HttpMethod).Returns("post");
mockAuthContext.Setup(c => c.HttpContext.Request.IsSecureConnection).Returns(false);
AuthorizationContext authContext = mockAuthContext.Object;
RequireHttpsAttribute attr = new RequireHttpsAttribute();
// Act & assert
Assert.Throws<InvalidOperationException>(
delegate { attr.OnAuthorization(authContext); },
@"The requested resource can only be accessed via SSL.");
}
public void Setup()
{
context = new HttpActionContext(new HttpControllerContext(new HttpRequestContext(), new HttpRequestMessage(HttpMethod.Get, new Uri("https://www.server.domain")), new HttpControllerDescriptor(), Substitute.For <IHttpController>()),
new ReflectedHttpActionDescriptor());
sut = new RequireHttpsAttribute();
}
