/// <summary>
/// Verifies that, when the settings carry no BaseSecureUri, a request that must be
/// secure is redirected to its own URL with the scheme switched from http to https.
/// </summary>
public void GetUriReturnsTheRequestUrlWithProtocolReplacedWhenNoBaseUriIsSupplied()
        {
            // Arrange: a plain-http request to a page under the protected /Manage path.
            const string insecureOrigin = "http://www.testsite.com";
            const string pathAndQuery = "/Manage/Default.aspx?Param=SomeValue";

            var requestUrl = new Uri(insecureOrigin + pathAndQuery);

            var requestMock = new Mock<HttpRequestBase>();
            requestMock.SetupGet(r => r.Url).Returns(requestUrl);
            requestMock.SetupGet(r => r.RawUrl).Returns(pathAndQuery);

            // The response mock echoes whatever path it is handed, so no app-path rewriting occurs.
            var responseMock = new Mock<HttpResponseBase>();
            responseMock.Setup(r => r.ApplyAppPathModifier(It.IsAny<string>())).Returns<string>(path => path);

            var securitySettings = new Settings { Mode = Mode.On };
            securitySettings.Paths.Add(new TestPathSetting("/Manage"));

            var securityEnforcer = new SecurityEnforcer(new HeadersSecurityEvaluator());

            // Act.
            var redirectTarget = securityEnforcer.GetUriForMatchedSecurityRequest(
                requestMock.Object,
                responseMock.Object,
                RequestSecurity.Secure,
                securitySettings);

            // Assert: same host, path and query as the request; only the scheme differs.
            // NOTE(review): the expected target reuses the host taken from the request's Url.
            // Whether that host can be influenced by the client in production is not visible
            // here; the BaseSecureUri setting is the way to pin the redirect host.
            var expectedTarget = insecureOrigin.Replace("http://", "https://") + pathAndQuery;
            Assert.Equal(expectedTarget, redirectTarget);
        }
        /// <summary>
        /// Verifies that, when BaseSecureUri is configured, the redirect target is that base
        /// URI followed by the request path with the application path removed, plus the query.
        /// </summary>
        public void GetUriDoesNotIncludeApplicationPathWithSuppliedBaseUri()
        {
            // Arrange: a request for a page hosted under an application (virtual directory) path.
            const string insecureOrigin = "http://www.testsite.com";
            const string applicationPath = "/MySuperDuperApplication";
            const string requestPath = applicationPath + "/Manage/Default.aspx";
            const string queryString = "?Param=SomeValue";

            var requestUrl = new Uri(insecureOrigin + requestPath + queryString);

            var requestMock = new Mock<HttpRequestBase>();
            requestMock.SetupGet(r => r.ApplicationPath).Returns(applicationPath);
            requestMock.SetupGet(r => r.Url).Returns(requestUrl);
            requestMock.SetupGet(r => r.RawUrl).Returns(requestPath + queryString);

            // The response mock returns the path unchanged.
            var responseMock = new Mock<HttpResponseBase>();
            responseMock.Setup(r => r.ApplyAppPathModifier(It.IsAny<string>())).Returns<string>(path => path);

            var securitySettings = new Settings();
            securitySettings.Mode = Mode.On;
            securitySettings.BaseSecureUri = "https://secure.someotherwebsite.com/testsite/";

            var securityEnforcer = new SecurityEnforcer(new HeadersSecurityEvaluator());

            // Act.
            var redirectTarget = securityEnforcer.GetUriForMatchedSecurityRequest(
                requestMock.Object,
                responseMock.Object,
                RequestSecurity.Secure,
                securitySettings);

            // Assert: drop the application path and the slash that follows it, because the
            // configured base URI already ends with a slash.
            var pathBelowApplication = requestPath.Substring(applicationPath.Length + 1);
            var expectedTarget = securitySettings.BaseSecureUri + pathBelowApplication + queryString;
            Assert.Equal(expectedTarget, redirectTarget);
        }
        /// <summary>
        /// Verifies that the header-based evaluator reports the connection as not secure when
        /// none of the request headers matches the configured offload header.
        /// </summary>
        public void IsSecureConnectionReturnsFalseIfNoHeaderMatchesAnOffloadHeader()
        {
            // Arrange: the request carries only an unrelated header.
            var requestHeaders = new NameValueCollection();
            requestHeaders.Add("SOME_HEADER", "some-value");

            var requestMock = new Mock<HttpRequestBase>();
            requestMock.SetupGet(r => r.Headers).Returns(requestHeaders);

            // The settings expect the offloader to announce TLS with SSL_REQUEST=on.
            var offloadSettings = new Settings();
            offloadSettings.OffloadedSecurityHeaders = "SSL_REQUEST=on";

            var headerEvaluator = new HeadersSecurityEvaluator();

            // Act.
            var isSecure = headerEvaluator.IsSecureConnection(requestMock.Object, offloadSettings);

            // Assert: with the expected header absent, the request is treated as insecure.
            Assert.False(isSecure);
        }
        /// <summary>
        /// Verifies that no redirect URL is produced (null is returned) when the security
        /// derived from the offload header already equals the security being requested,
        /// for both the secure and the insecure direction.
        /// </summary>
        public void GetUriRequestReturnsNullIfOffloadedHeaderSecurityAlreadyMatchesSpecifiedSecurity()
        {
            // Arrange.
            var headerEvaluator = new HeadersSecurityEvaluator();
            var securityEnforcer = new SecurityEnforcer(headerEvaluator);
            var offloadSettings = new Settings();
            var responseMock = new Mock<HttpResponseBase>();
            var requestMock = new Mock<HttpRequestBase>();

            // The transport itself reports "not secure", so only the header can say otherwise.
            requestMock.SetupGet(r => r.IsSecureConnection).Returns(false);

            // Act, case 1: the offload header is present and a secure request is wanted.
            var headersWithOffloadMarker = new NameValueCollection();
            headersWithOffloadMarker.Add("SSL_REQUEST", "on");
            headersWithOffloadMarker.Add("OTHER_HEADER", "some-value");
            requestMock.SetupGet(r => r.Headers).Returns(headersWithOffloadMarker);

            // NOTE(review): the header is the only evidence of TLS in this scenario. In a
            // deployment it has to be one that the TLS-terminating proxy sets and removes
            // from inbound client requests, otherwise the redirect to https can be skipped
            // for a request that never used TLS.
            offloadSettings.OffloadedSecurityHeaders = "SSL_REQUEST=";
            var targetUrlForAlreadySecuredRequest = securityEnforcer.GetUriForMatchedSecurityRequest(
                requestMock.Object,
                responseMock.Object,
                RequestSecurity.Secure,
                offloadSettings);

            // Act, case 2: the offload header is gone and an insecure request is wanted.
            var headersWithoutOffloadMarker = new NameValueCollection();
            headersWithoutOffloadMarker.Add("OTHER_HEADER", "some-value");
            requestMock.SetupGet(r => r.Headers).Returns(headersWithoutOffloadMarker);

            var targetUrlForAlreadyInsecureRequest = securityEnforcer.GetUriForMatchedSecurityRequest(
                requestMock.Object,
                responseMock.Object,
                RequestSecurity.Insecure,
                offloadSettings);

            // Assert: neither request needs to be redirected.
            Assert.Null(targetUrlForAlreadySecuredRequest);
            Assert.Null(targetUrlForAlreadyInsecureRequest);
        }
        /// <summary>
        /// Verifies that the header-based evaluator reports a secure connection when the
        /// request carries the configured offload header, both when the setting names a
        /// header value and when it names only the header.
        /// </summary>
        public void IsSecureConnectionReturnsTrueIfHeaderMatchesAnOffloadHeader()
        {
            // Arrange: the request carries the offload header alongside an unrelated one.
            var requestHeaders = new NameValueCollection();
            requestHeaders.Add("SOME_HEADER", "some-value");
            requestHeaders.Add("SSL_REQUEST", "on");

            var requestMock = new Mock<HttpRequestBase>();
            requestMock.SetupGet(r => r.Headers).Returns(requestHeaders);

            var headerEvaluator = new HeadersSecurityEvaluator();
            var offloadSettings = new Settings();

            // Act, case 1: the setting names both the header and its expected value.
            offloadSettings.OffloadedSecurityHeaders = "SSL_REQUEST=on";
            var resultWithHeaderValueMatch = headerEvaluator.IsSecureConnection(requestMock.Object, offloadSettings);

            // Act, case 2: the setting leaves the value empty.
            // NOTE(review): this appears to match on the header's presence alone. Either form
            // is only trustworthy when the header is added by the TLS offloader and removed
            // from anything a client sends; confirm that at the proxy.
            offloadSettings.OffloadedSecurityHeaders = "SSL_REQUEST=";
            var resultWithJustHeaderPresent = headerEvaluator.IsSecureConnection(requestMock.Object, offloadSettings);

            // Assert.
            Assert.True(resultWithHeaderValueMatch);
            Assert.True(resultWithJustHeaderPresent);
        }