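/// <summary>
///   Authenticating with a client certificate whose thumbprint is present in the serialized
///   claims mapping must yield a <see cref="ClaimsPrincipal"/> whose identity carries every
///   mapped claim, with exactly the values from the mapping.
/// </summary>
/// <remarks>
///   What this test does and does not prove: chain/revocation validation is switched off
///   (<c>EnforceLocalCertificateValidation = false</c>) and the protected
///   <c>SearchForCertificate</c> lookup is mocked to return the store certificate, so the only
///   trust decision exercised is "the caller's thumbprint resolves to a store certificate and
///   that certificate's mapped claims are issued". The clock is pinned to one day after
///   <c>NotBefore</c>, so the expired / not-yet-valid paths are not exercised here (presumably
///   covered by sibling tests — not visible in this excerpt). The caller and store certificates
///   are the same certificate, so this test cannot detect a handler that ignores the caller's
///   certificate and issues the store certificate's claims regardless.
/// </remarks>
// NOTE(review): no test-framework attribute ([Fact]/[Test]/[TestMethod]) is visible on this
// method in the extracted source. Confirm one is present; an authentication test that is never
// discovered by the runner gives false assurance.
public void AuthenticatedPrincipalContainsMappedClaims()
{
    var rawCertificate = Convert.FromBase64String(ClientCertificateAuthenticationHandlerTests.Base64Certificate);
    var password = ClientCertificateAuthenticationHandlerTests.CertificatePassword;

    // X509Certificate2 owns a native handle; dispose both instances when the test ends.
    using (var callerCertificate = new X509Certificate2(rawCertificate, password))
    using (var storeCertificate = new X509Certificate2(rawCertificate, password))
    {
        // The mapping is keyed on the thumbprint. In .NET, Thumbprint is the SHA-1 hash of the
        // DER encoding; it is a lookup key here, not proof of authenticity — trust is anchored
        // by the store lookup (SearchForCertificate), which this test mocks.
        var mapping = new ClientCertificateClaimsMap();
        mapping.AddCertificate(storeCertificate.Thumbprint, new Dictionary<string, string>
        {
            { CustomClaimTypes.MayAccessPriviledgedOperations, "true" },
            { CustomClaimTypes.Partner, "SQUIRE" }
        });

        // Local validation is deliberately disabled so the test isolates the mapping logic.
        var config = new ClientCertificateAuthenticationConfiguration
        {
            Enabled = true,
            EnforceLocalCertificateValidation = false,
            SerializedCertificateClaimsMapping = mapping.Serialize()
        };

        var mockClock = new Mock<IClock>();
        var mockActionDescriptor = new Mock<HttpActionDescriptor>();
        var mockDependencyScope = new Mock<IDependencyScope>();

        // CallBase = true: the real Authenticate runs; only SearchForCertificate is replaced below.
        var mockHandler = new Mock<ClientCertificateAuthenticationHandler>(config, mockClock.Object) { CallBase = true };

        // Minimal Web API request pipeline context carrying the caller's certificate.
        var httpConfiguration = new HttpConfiguration();
        var routeData = new HttpRouteData(new HttpRoute());
        var request = new HttpRequestMessage();
        var requestContext = new HttpRequestContext();
        var controllerDescriptor = new HttpControllerDescriptor { Configuration = httpConfiguration, ControllerName = "generic" };
        var controllerContext = new HttpControllerContext(httpConfiguration, routeData, request) { ControllerDescriptor = controllerDescriptor };
        var actionContext = new HttpActionContext(controllerContext, mockActionDescriptor.Object);
        var authcontext = new HttpAuthenticationContext(actionContext, null);

        requestContext.ClientCertificate = callerCertificate;
        controllerContext.RequestContext = requestContext;
        controllerContext.Request = request;
        request.Properties.Add(HttpPropertyKeys.DependencyScope, mockDependencyScope.Object);
        request.Properties.Add(HttpPropertyKeys.RequestContextKey, requestContext);
        request.Properties.Add(HttpPropertyKeys.ClientCertificateKey, requestContext.ClientCertificate);

        // Pin "now" inside the certificate's validity window (one day after NotBefore, as UTC).
        mockClock.Setup(clock => clock.GetCurrentInstant())
            .Returns(Instant.FromDateTimeUtc(storeCertificate.NotBefore.AddDays(1).ToUniversalTime()));

        // Thumbprints are hex, so a case-insensitive ordinal match is the correct comparison.
        mockHandler.Protected()
            .Setup<X509Certificate2>(
                "SearchForCertificate",
                ItExpr.Is<string>(thumb => String.Equals(thumb, storeCertificate.Thumbprint, StringComparison.OrdinalIgnoreCase)),
                ItExpr.IsAny<bool>())
            .Returns(storeCertificate);

        var principal = mockHandler.Object.Authenticate(new Dictionary<string, string>(), authcontext) as ClaimsPrincipal;
        principal.Should().NotBeNull("because the certificate was valid and a claims principal should have been returned");

        var identity = principal.Identity as ClaimsIdentity;
        identity.Should().NotBeNull("because the principal should contain a valid identity");
        // NOTE(review): if the handler is expected to set an authentication type, also assert
        // identity.IsAuthenticated here — a ClaimsIdentity without one is treated as anonymous
        // by authorization filters. Not asserted because the handler's contract is not visible.

        foreach (var mappedClaim in mapping[callerCertificate.Thumbprint])
        {
            var identityClaim = identity.FindFirst(claim => claim.Type == mappedClaim.Key);
            identityClaim.Should().NotBeNull($"because the { mappedClaim.Key } claim should exist");
            identityClaim.Value.Should().Be(mappedClaim.Value, $"because the claim value for { mappedClaim.Key } should match the mapping");
        }
    }
}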
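/// <summary>
///   Authenticating with a client certificate that is within its validity window and whose
///   thumbprint resolves to a store certificate must succeed (non-null result), and the store
///   lookup must actually have been consulted.
/// </summary>
/// <remarks>
///   Chain/revocation validation is disabled (<c>EnforceLocalCertificateValidation = false</c>)
///   and <c>SearchForCertificate</c> is mocked, so this test covers only the thumbprint-resolution
///   path with the clock pinned to one day after <c>NotBefore</c>. <c>VerifyAll()</c> at the end is
///   the security-relevant half of the assertion: it fails if authentication succeeded without the
///   handler ever calling the store lookup with the caller's thumbprint.
/// </remarks>
// NOTE(review): no test-framework attribute ([Fact]/[Test]/[TestMethod]) is visible on this
// method in the extracted source. Confirm one is present so the test is actually discovered.
public void AuthenticateSucceedsForValidCertificates()
{
    var rawCertificate = Convert.FromBase64String(ClientCertificateAuthenticationHandlerTests.Base64Certificate);
    var password = ClientCertificateAuthenticationHandlerTests.CertificatePassword;

    // X509Certificate2 owns a native handle; dispose both instances when the test ends.
    using (var callerCertificate = new X509Certificate2(rawCertificate, password))
    using (var storeCertificate = new X509Certificate2(rawCertificate, password))
    {
        // Mapping keyed on the (SHA-1) thumbprint; trust is anchored by the mocked store lookup.
        var mapping = new ClientCertificateClaimsMap();
        mapping.AddCertificate(storeCertificate.Thumbprint, new Dictionary<string, string>
        {
            { CustomClaimTypes.MayAccessPriviledgedOperations, "true" },
            { CustomClaimTypes.Partner, "SQUIRE" }
        });

        // Local validation is deliberately disabled so the test isolates the lookup/mapping path.
        var config = new ClientCertificateAuthenticationConfiguration
        {
            Enabled = true,
            EnforceLocalCertificateValidation = false,
            SerializedCertificateClaimsMapping = mapping.Serialize()
        };

        var mockClock = new Mock<IClock>();
        var mockActionDescriptor = new Mock<HttpActionDescriptor>();
        var mockDependencyScope = new Mock<IDependencyScope>();

        // CallBase = true: the real Authenticate runs; only SearchForCertificate is replaced below.
        var mockHandler = new Mock<ClientCertificateAuthenticationHandler>(config, mockClock.Object) { CallBase = true };

        // Minimal Web API request pipeline context carrying the caller's certificate.
        var httpConfiguration = new HttpConfiguration();
        var routeData = new HttpRouteData(new HttpRoute());
        var request = new HttpRequestMessage();
        var requestContext = new HttpRequestContext();
        var controllerDescriptor = new HttpControllerDescriptor { Configuration = httpConfiguration, ControllerName = "generic" };
        var controllerContext = new HttpControllerContext(httpConfiguration, routeData, request) { ControllerDescriptor = controllerDescriptor };
        var actionContext = new HttpActionContext(controllerContext, mockActionDescriptor.Object);
        var authcontext = new HttpAuthenticationContext(actionContext, null);

        requestContext.ClientCertificate = callerCertificate;
        controllerContext.RequestContext = requestContext;
        controllerContext.Request = request;
        request.Properties.Add(HttpPropertyKeys.DependencyScope, mockDependencyScope.Object);
        request.Properties.Add(HttpPropertyKeys.RequestContextKey, requestContext);
        request.Properties.Add(HttpPropertyKeys.ClientCertificateKey, requestContext.ClientCertificate);

        // Pin "now" inside the certificate's validity window (one day after NotBefore, as UTC).
        mockClock.Setup(clock => clock.GetCurrentInstant())
            .Returns(Instant.FromDateTimeUtc(storeCertificate.NotBefore.AddDays(1).ToUniversalTime()));

        // Thumbprints are hex, so a case-insensitive ordinal match is the correct comparison.
        // Marked Verifiable so VerifyAll() below proves the lookup was actually performed.
        mockHandler.Protected()
            .Setup<X509Certificate2>(
                "SearchForCertificate",
                ItExpr.Is<string>(thumb => String.Equals(thumb, storeCertificate.Thumbprint, StringComparison.OrdinalIgnoreCase)),
                ItExpr.IsAny<bool>())
            .Returns(storeCertificate)
            .Verifiable();

        var result = mockHandler.Object.Authenticate(new Dictionary<string, string>(), authcontext);
        result.Should().NotBeNull("because the certificate was valid");

        // Success must have gone through the store lookup; a handler that short-circuits would fail here.
        mockHandler.VerifyAll();
    }
}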