public ValidateAntiForgeryTokenWrapperAttribute(HttpVerbs verbs)
{
this._verbs = new AcceptVerbsAttribute(verbs);
this._validator = new ValidateAntiForgeryTokenAttribute()
{
};
}
public void EnumToArray()
{
// Arrange
IDictionary <string, HttpVerbs> enumValues = EnumToDictionary <HttpVerbs>();
var allCombinations = EnumerableToCombinations(enumValues);
// Act & assert
foreach (var combination in allCombinations)
{
// generate all the names + values in this combination
List <string> aggrNames = new List <string>();
HttpVerbs aggrValues = (HttpVerbs)0;
foreach (var entry in combination)
{
aggrNames.Add(entry.Key);
aggrValues |= entry.Value;
}
// get the resulting array
string[] array = AcceptVerbsAttribute.EnumToArray(aggrValues);
var aggrNamesOrdered = aggrNames.OrderBy(name => name, StringComparer.OrdinalIgnoreCase);
var arrayOrdered = array.OrderBy(name => name, StringComparer.OrdinalIgnoreCase);
bool match = aggrNamesOrdered.SequenceEqual(arrayOrdered, StringComparer.OrdinalIgnoreCase);
if (!match)
{
string message = String.Format(_invalidEnumFormatString, aggrValues,
aggrNames.Aggregate((a, b) => a + ", " + b),
array.Aggregate((a, b) => a + ", " + b));
Assert.Fail(message);
}
}
}
public static MethodInfo ActionExists(Controller controller, string actionName, HttpVerbs expectedVerbs, params Type[] paramTypes)
{
if (controller == null)
{
throw new ArgumentNullException("controller");
}
if (string.IsNullOrEmpty(actionName))
{
throw new ArgumentNullException("actionName");
}
int actualVerbs = 0;
MethodInfo action = controller.GetType().GetMethod(actionName, paramTypes);
Assert.IsNotNull(action, string.Format("The specified action '{0}' could not be found.", actionName));
AcceptVerbsAttribute acceptVerb = Attribute.GetCustomAttribute(action, typeof(AcceptVerbsAttribute)) as AcceptVerbsAttribute;
if (acceptVerb == null)
{
actualVerbs = (int)HttpVerbs.Get;
}
else
{
actualVerbs = (int)Enum.Parse(typeof(HttpVerbs), string.Join(", ", acceptVerb.Verbs.ToArray()), true);
}
Assert.AreEqual <int>(actualVerbs, (int)expectedVerbs);
return(action);
}
/// <summary>
/// Initializes a new instance of the <see cref="CustomValidateAntiForgeryTokenAttribute"/> class.
/// </summary>
/// <param name="verbs">The verbs.</param>
/// <param name="salt">The salt.</param>
public CustomValidateAntiForgeryTokenAttribute(HttpVerbs verbs, string salt)
{
_verbs = new AcceptVerbsAttribute(verbs);
_validator = new ValidateAntiForgeryTokenAttribute
{
Salt = salt
};
}
public ValidateAntiForgeryTokenWrapperAttribute(HttpVerbs verbs, string salt)
{
this._verbs = new AcceptVerbsAttribute(verbs);
this._validator = new ValidateAntiForgeryTokenAttribute()
{
// Salt = salt
};
}
public void IsValidForRequestThrowsIfControllerContextIsNull()
{
// Arrange
AcceptVerbsAttribute attr = new AcceptVerbsAttribute("get", "post");
// Act & Assert
Assert.ThrowsArgumentNull(
delegate { attr.IsValidForRequest(null, null); }, "controllerContext");
}
public void IsValidForRequestThrowsIfControllerContextIsNull()
{
// Arrange
AcceptVerbsAttribute attr = new AcceptVerbsAttribute("get", "post");
// Act & Assert
Assert.ThrowsArgumentNull(
delegate { attr.IsValidForRequest(null, null); }, "controllerContext");
}
public override bool IsValidForRequest(ControllerContext cc, MethodInfo mi)
{
var result = true;
if (AcceptVerbs.HasValue)
{
result = new AcceptVerbsAttribute(AcceptVerbs.Value).IsValidForRequest(cc, mi);
}
return(result);
}
/// <summary>
/// Initializes a new instance of the <see cref="CustomValidateAntiForgeryTokenAttribute"/> class.
/// </summary>
/// <param name="verbs">The verbs.</param>
/// <param name="salt">The salt.</param>
public CustomValidateAntiForgeryTokenAttribute(HttpVerbs verbs, string salt)
{
Verbs = verbs;
Salt = salt;
AcceptVerbsAttribute = new AcceptVerbsAttribute(Verbs);
Validator = new ValidateAntiForgeryTokenAttribute
{
Salt = Salt
};
}
public void IsValidForRequestReturnsTrueIfHttpVerbIsOverridden()
{
// Arrange
AcceptVerbsAttribute attr = new AcceptVerbsAttribute("put");
ControllerContext context = GetControllerContextWithHttpVerb("POST", "PUT", null, null);
// Act
bool result = attr.IsValidForRequest(context, null);
// Assert
Assert.True(result);
}
public void IsValidForRequestReturnsTrueIfHttpVerbIsInVerbsCollection()
{
// Arrange
AcceptVerbsAttribute attr = new AcceptVerbsAttribute("get", "post");
ControllerContext context = GetControllerContextWithHttpVerb("POST");
// Act
bool result = attr.IsValidForRequest(context, null);
// Assert
Assert.True(result);
}
public void IsValidForRequestReturnsTrueIfHttpVerbIsOverridden()
{
// Arrange
AcceptVerbsAttribute attr = new AcceptVerbsAttribute("put");
ControllerContext context = GetControllerContextWithHttpVerb("POST", "PUT", null, null);
// Act
bool result = attr.IsValidForRequest(context, null);
// Assert
Assert.IsTrue(result);
}
public void IsValidForRequestReturnsTrueIfHttpVerbIsInVerbsCollection()
{
// Arrange
AcceptVerbsAttribute attr = new AcceptVerbsAttribute("get", "post");
ControllerContext context = GetControllerContextWithHttpVerb("POST");
// Act
bool result = attr.IsValidForRequest(context, null);
// Assert
Assert.IsTrue(result);
}
/// <summary>
/// More advanced configuration: allows to provide actions to be ignored from the check.
/// </summary>
/// <param name="verbs">HTTP request type for which anti forgery checks will be performed. Typically a POST.</param>
/// <param name="actionsToNotValidate">A list of case insensitive strings carrying action names for which anti forgery checks should not be performed.
/// Typically you might want to exclude POSTs which don't submit any [important] data and hence data tampering risk does not exist.</param>
public ValidateAntiForgeryTokenControllerLevelAttribute(HttpVerbs verbs, params string[] actionsToNotValidate)
{
// use custom order to make sure this filter runs after any authorization filters
// otherwise the principal on the thread/request will not be set and the anti forgery check will fail
Order = 100;
_verbs = new AcceptVerbsAttribute(verbs);
if (actionsToNotValidate != null)
{
_actionsToNotValidate = actionsToNotValidate.Select(x => x.ToLower()).ToArray();
}
}
public void VerbsPropertyFromEnumConstructor()
{
// Arrange
AcceptVerbsAttribute attr = new AcceptVerbsAttribute(HttpVerbs.Get | HttpVerbs.Post);
// Act
ReadOnlyCollection <string> collection = attr.Verbs as ReadOnlyCollection <string>;
// Assert
Assert.NotNull(collection);
Assert.Equal(2, collection.Count);
Assert.Equal("GET", collection[0]);
Assert.Equal("POST", collection[1]);
}
protected override ActionDescriptor FindAction(ControllerContext controllerContext, ControllerDescriptor controllerDescriptor, string actionName)
{
if (actionName == restActionToken)
{
// cleanup the restActionToken we set earlier
controllerContext.RequestContext.RouteData.Values["action"] = null;
List <ActionDescriptor> matches = new List <ActionDescriptor>();
foreach (ActionDescriptor ad in controllerDescriptor.GetCanonicalActions())
{
object[] acceptVerbs = ad.GetCustomAttributes(typeof(AcceptVerbsAttribute), false);
if (acceptVerbs.Length > 0)
{
foreach (object o in acceptVerbs)
{
AcceptVerbsAttribute ava = o as AcceptVerbsAttribute;
if (ava != null)
{
if (ava.Verbs.Contains(controllerContext.HttpContext.Request.GetHttpMethodOverride().ToUpperInvariant()))
{
matches.Add(ad);
}
}
}
}
}
switch (matches.Count)
{
case 0:
break;
case 1:
ActionDescriptor ad = matches[0];
actionName = ad.ActionName;
controllerContext.RequestContext.RouteData.Values["action"] = actionName;
return(ad);
default:
StringBuilder matchesString = new StringBuilder(matches[0].ActionName);
for (int index = 1; index < matches.Count; index++)
{
matchesString.Append(", ");
matchesString.Append(matches[index].ActionName);
}
return(new ResourceErrorActionDescriptor(controllerDescriptor, HttpStatusCode.Conflict, string.Format(CultureInfo.CurrentCulture, "Error dispatching on controller {0}, conflicting actions matched: (1)", controllerDescriptor.ControllerName, matchesString.ToString())));
}
}
return(base.FindAction(controllerContext, controllerDescriptor, actionName) ??
new ResourceErrorActionDescriptor(controllerDescriptor, HttpStatusCode.NotFound, string.Format(CultureInfo.CurrentCulture, "Error dispatching on controller {0}, no actions matched", controllerDescriptor.ControllerName)));
}
public void VerbsPropertyFromStringArrayConstructor()
{
// Arrange
AcceptVerbsAttribute attr = new AcceptVerbsAttribute("get", "post");
// Act
ReadOnlyCollection <string> collection = attr.Verbs as ReadOnlyCollection <string>;
// Assert
Assert.NotNull(collection);
Assert.Equal(2, collection.Count);
Assert.Equal("get", collection[0]);
Assert.Equal("post", collection[1]);
}
/// <summary>
/// More advanced configuration: allows to provide actions to be ignored from the check.
/// </summary>
/// <param name="verbs">HTTP request type for which anti forgery checks will be performed. Typically a POST.</param>
/// <param name="actionsToNotValidate">A list of case insensitive strings carrying action names for which anti forgery checks should not be performed.
/// Typically you might want to exclude POSTs which don't submit any [important] data and hence data tampering risk does not exist.</param>
public ValidateAntiForgeryTokenOnControllerAttribute(HttpVerbs verbs, params string[] actionsToNotValidate)
{
// n o t e: must use custom order to make sure this filter runs after our CommunispaceAuthorize filter
// otherwise the principal on the thread/request will not be set and the anti forgery check will fail
// because of the mismatched user names in the token vs. current
Order = 100;
_verbs = new AcceptVerbsAttribute(verbs);
if (actionsToNotValidate != null)
{
_actionsToNotValidate = actionsToNotValidate.Select(x => x.ToLower()).ToArray();
}
}
public void VerbsPropertyFromStringArrayConstructor()
{
// Arrange
AcceptVerbsAttribute attr = new AcceptVerbsAttribute("get", "post");
// Act
ReadOnlyCollection <string> collection = attr.Verbs as ReadOnlyCollection <string>;
// Assert
Assert.IsNotNull(collection, "Verbs property should have returned read-only collection.");
Assert.AreEqual(2, collection.Count);
Assert.AreEqual("get", collection[0]);
Assert.AreEqual("post", collection[1]);
}
public void VerbsPropertyFromEnumConstructor()
{
// Arrange
AcceptVerbsAttribute attr = new AcceptVerbsAttribute(HttpVerbs.Get | HttpVerbs.Post);
// Act
ReadOnlyCollection <string> collection = attr.Verbs as ReadOnlyCollection <string>;
// Assert
Assert.IsNotNull(collection, "Verbs property should have returned read-only collection.");
Assert.AreEqual(2, collection.Count);
Assert.AreEqual("GET", collection[0]);
Assert.AreEqual("POST", collection[1]);
}
protected SecurityControllerBase(IUserIdentity userIdentity, IAppSensor appSensor)
{
if (appSensor == null)
{
throw new ArgumentNullException("appSensor");
}
if (userIdentity == null)
{
throw new ArgumentNullException("userIdentity");
}
_verbs = new AcceptVerbsAttribute(HttpVerbs.Post);
_validator = new ValidateAntiForgeryTokenAttribute();
Logger = Log.Logger;
_userIdentity = userIdentity;
_appSensor = appSensor;
}
public override bool IsValidForRequest(ControllerContext cc, MethodInfo mi)
{
bool result = true;
if (AcceptVerbs.HasValue)
result = new AcceptVerbsAttribute(AcceptVerbs.Value).IsValidForRequest(cc, mi);
if (result && EnsureXSRFSafe)
{
if (!AcceptVerbs.HasValue || (AcceptVerbs.Value & HttpVerbs.Post) == 0)
throw new ArgumentException(
"When this.XSRFSafe is true, this.AcceptVerbs must include HttpVerbs.Post");
result = new XSRFSafeAttribute().IsValidForRequest(cc, mi);
}
return result;
}
public void VerbsPropertyFromEnumConstructor()
{
// Arrange
AcceptVerbsAttribute attr = new AcceptVerbsAttribute(HttpVerbs.Get | HttpVerbs.Post);
// Act
ReadOnlyCollection<string> collection = attr.Verbs as ReadOnlyCollection<string>;
// Assert
Assert.NotNull(collection);
Assert.Equal(2, collection.Count);
Assert.Equal("GET", collection[0]);
Assert.Equal("POST", collection[1]);
}
public AntiForgeryTokenFilter(HttpVerbs verbs)
{
_verbs = new AcceptVerbsAttribute(verbs);
}
public UnsealedAcceptVerbsAttribute(HttpVerbs verbs)
{
_Verbs = new AcceptVerbsAttribute(verbs);
}
public GlobalValidateAntiForgeryToken(HttpVerbs verbs)
{
this._verbs = new AcceptVerbsAttribute(verbs);
this._validator = new ValidateAntiForgeryTokenAttribute();
}
protected AntiForgeryControllerBase(HttpVerbs verbs)
{
_verbs = new AcceptVerbsAttribute(verbs);
_validator = new ValidateAntiForgeryTokenAttribute();
}
public ValidateAntiForgeryTokenOnVerbsAttribute(HttpVerbs verbs)
{
_validator = new ValidateAntiForgeryTokenAttribute();
_verbs = new AcceptVerbsAttribute(verbs);
}
public void VerbsPropertyFromStringArrayConstructor()
{
// Arrange
AcceptVerbsAttribute attr = new AcceptVerbsAttribute("get", "post");
// Act
ReadOnlyCollection<string> collection = attr.Verbs as ReadOnlyCollection<string>;
// Assert
Assert.NotNull(collection);
Assert.Equal(2, collection.Count);
Assert.Equal("get", collection[0]);
Assert.Equal("post", collection[1]);
}