public void SetUp()
{
store = new ApplicationMemoryStore();
if (!UntrustedWebRequest.WhitelistHosts.Contains("localhost"))
{
UntrustedWebRequest.WhitelistHosts.Add("localhost");
}
}
/// <summary>
/// Generates a new <see cref="OpenIdRelyingParty"/> whose direct messages
/// will be automatically handled by an internal <see cref="OpenIdProvider"/>
/// that uses the shared <see cref="ProviderStore"/>.
/// </summary>
internal static OpenIdRelyingParty CreateRelyingParty(IRelyingPartyApplicationStore store, Uri requestUrl, NameValueCollection fields)
{
var rp = new OpenIdRelyingParty(store, requestUrl ?? GetFullUrl(ConsumerPage), fields ?? new NameValueCollection());
if (fields == null || fields.Count == 0)
{
Assert.IsNull(rp.Response);
}
rp.DirectMessageChannel = new DirectMessageTestRedirector(ProviderStore);
return(rp);
}
/// <summary>
/// Creates the relying party instance used to generate authentication requests.
/// </summary>
/// <returns>The instantiated relying party.</returns>
private OpenIdRelyingParty CreateRelyingParty()
{
// If we're in stateful mode, first use the explicitly given one on this control if there
// is one. Then try the configuration file specified one. Finally, use the default
// in-memory one that's built into OpenIdRelyingParty.
IRelyingPartyApplicationStore store = this.Stateless ? null :
(this.CustomApplicationStore ?? DotNetOpenAuthSection.Configuration.OpenId.RelyingParty.ApplicationStore.CreateInstance(OpenIdRelyingParty.HttpApplicationStore));
var rp = new OpenIdRelyingParty(store);
// Only set RequireSsl to true, as we don't want to override
// a .config setting of true with false.
if (this.RequireSsl)
{
rp.SecuritySettings.RequireSsl = true;
}
return(rp);
}
OpenIdRelyingParty(IRelyingPartyApplicationStore store, Uri requestUrl, IDictionary <string, string> query)
{
// Initialize settings with defaults and config section
Settings = Configuration.SecuritySettings.CreateSecuritySettings();
Settings.RequireSslChanged += new EventHandler(Settings_RequireSslChanged);
this.Store = store;
if (store != null)
{
store.ClearExpiredAssociations(); // every so often we should do this.
}
if (requestUrl != null)
{
if (query == null)
{
throw new ArgumentNullException("query");
}
this.request = requestUrl;
this.query = query;
}
}
/// <summary>
/// Uses an RPs stored association to resign an altered message from a Provider,
/// to simulate a Provider that deliberately sent a bad message in an attempt
/// to thwart RP security.
/// </summary>
internal static void Resign(NameValueCollection nvc, IRelyingPartyApplicationStore store)
{
Debug.Assert(nvc != null);
Debug.Assert(store != null);
var dict = Util.NameValueCollectionToDictionary(nvc);
Protocol protocol = Protocol.Detect(dict);
Uri providerEndpoint = new Uri(nvc[protocol.openid.op_endpoint]);
string assoc_handle = nvc[protocol.openid.assoc_handle];
Association assoc = store.GetAssociation(providerEndpoint, assoc_handle);
Debug.Assert(assoc != null, "Association not found in RP's store. Maybe you're communicating with a hosted OP instead of the TestSupport one?");
IList <string> signed = nvc[protocol.openid.signed].Split(',');
var subsetDictionary = new Dictionary <string, string>();
foreach (string signedKey in signed)
{
string keyName = protocol.openid.Prefix + signedKey;
subsetDictionary.Add(signedKey, dict[keyName]);
}
nvc[protocol.openid.sig] = Convert.ToBase64String(assoc.Sign(subsetDictionary, signed));
}
internal static IAuthenticationResponse CreateRelyingPartyResponse(IRelyingPartyApplicationStore store, IResponse providerResponse, bool requireSsl)
{
if (providerResponse == null)
{
throw new ArgumentNullException("providerResponse");
}
var opAuthWebResponse = (Response)providerResponse;
var opAuthResponse = (EncodableResponse)opAuthWebResponse.EncodableMessage;
var rp = CreateRelyingParty(store, opAuthResponse.RedirectUrl,
opAuthResponse.EncodedFields.ToNameValueCollection());
rp.Settings.RequireSsl = requireSsl;
// Get the response now, before trying the replay attack. The Response
// property is lazily-evaluated, so the replay attack can be evaluated first
// and pass, while this one that SUPPOSED to pass fails, if we don't force it now.
var response = rp.Response;
// Side-track to test for replay attack while we're at it.
// This simulates a network sniffing user who caught the
// authenticating query en route to either the user agent or
// the consumer, and tries the same query to the consumer in an
// attempt to spoof the identity of the authenticating user.
try {
Logger.Info("Attempting replay attack...");
var replayRP = CreateRelyingParty(store, opAuthResponse.RedirectUrl,
opAuthResponse.EncodedFields.ToNameValueCollection());
replayRP.Settings.RequireSsl = requireSsl;
Assert.AreNotEqual(AuthenticationStatus.Authenticated, replayRP.Response.Status, "Replay attack succeeded!");
} catch (OpenIdException) { // nonce already used
// another way to pass
}
// Return the result of the initial response (not the replay attack one).
return(response);
}
internal static void ResetStores()
{
RelyingPartyStore = new ApplicationMemoryStore();
ProviderStore = new ProviderMemoryStore();
}
internal static void ResetStores()
{
RelyingPartyStore = new ApplicationMemoryStore();
ProviderStore = new ProviderMemoryStore();
}
static void verifyNonceUnused(IDictionary <string, string> query, ServiceEndpoint endpoint, IRelyingPartyApplicationStore store)
{
if (endpoint.Protocol.Version.Major < 2)
{
return; // nothing to validate
}
if (store == null)
{
return; // we'll pass verifying the nonce responsibility to the OP
}
Logger.Debug("Verifying nonce is unused...");
var nonce = new Nonce(Util.GetRequiredArg(query, endpoint.Protocol.openid.response_nonce), true);
nonce.Consume(store);
}
/// <summary>
/// Creates the relying party instance used to generate authentication requests.
/// </summary>
/// <param name="store">The store to pass to the relying party constructor.</param>
/// <returns>The instantiated relying party.</returns>
protected virtual OpenIdRelyingParty CreateRelyingParty(IRelyingPartyApplicationStore store) {
return new OpenIdRelyingParty(store);
}
/// <summary>
/// Generates a new <see cref="OpenIdRelyingParty"/> ready to process a
/// response from an <see cref="OpenIdProvider"/>.
/// </summary>
internal static IAuthenticationResponse CreateRelyingPartyResponse(IRelyingPartyApplicationStore store, IResponse providerResponse)
{
return CreateRelyingPartyResponse(store, providerResponse, false);
}
public OpenIdRelyingParty(IRelyingPartyApplicationStore store, Uri requestUrl, NameValueCollection query) :
this(store, requestUrl, Util.NameValueCollectionToDictionary(query)) {
}
OpenIdRelyingParty(IRelyingPartyApplicationStore store, Uri requestUrl, IDictionary<string, string> query) {
// Initialize settings with defaults and config section
Settings = Configuration.SecuritySettings.CreateSecuritySettings();
Settings.RequireSslChanged += new EventHandler(Settings_RequireSslChanged);
this.Store = store;
if (store != null) {
store.ClearExpiredAssociations(); // every so often we should do this.
}
if (requestUrl != null) {
if (query == null) throw new ArgumentNullException("query");
this.request = requestUrl;
this.query = query;
}
}
/// <summary>
/// Initializes a new instance of the <see cref="OpenIdRelyingParty"/> class.
/// </summary>
/// <param name="applicationStore">The application store. If <c>null</c>, the relying party will always operate in "dumb mode".</param>
public OpenIdRelyingParty(IRelyingPartyApplicationStore applicationStore)
: this(applicationStore, applicationStore)
{
}
/// <summary>
/// Initializes a new instance of the <see cref="OpenIdRelyingParty"/> class.
/// </summary>
/// <param name="applicationStore">The application store. If null, the relying party will always operate in "dumb mode".</param>
public OpenIdRelyingParty(IRelyingPartyApplicationStore applicationStore)
: this(applicationStore, applicationStore) {
}
/// <summary>
/// Uses an RPs stored association to resign an altered message from a Provider,
/// to simulate a Provider that deliberately sent a bad message in an attempt
/// to thwart RP security.
/// </summary>
internal static void Resign(NameValueCollection nvc, IRelyingPartyApplicationStore store)
{
Debug.Assert(nvc != null);
Debug.Assert(store != null);
var dict = Util.NameValueCollectionToDictionary(nvc);
Protocol protocol = Protocol.Detect(dict);
Uri providerEndpoint = new Uri(nvc[protocol.openid.op_endpoint]);
string assoc_handle = nvc[protocol.openid.assoc_handle];
Association assoc = store.GetAssociation(providerEndpoint, assoc_handle);
Debug.Assert(assoc != null, "Association not found in RP's store. Maybe you're communicating with a hosted OP instead of the TestSupport one?");
IList<string> signed = nvc[protocol.openid.signed].Split(',');
var subsetDictionary = new Dictionary<string, string>();
foreach (string signedKey in signed) {
string keyName = protocol.openid.Prefix + signedKey;
subsetDictionary.Add(signedKey, dict[keyName]);
}
nvc[protocol.openid.sig] = Convert.ToBase64String(assoc.Sign(subsetDictionary, signed));
}
/// <summary>
/// Creates the relying party instance used to generate authentication requests.
/// </summary>
/// <param name="store">The store to pass to the relying party constructor.</param>
/// <returns>The instantiated relying party.</returns>
protected override OpenIdRelyingParty CreateRelyingParty(IRelyingPartyApplicationStore store)
{
return(new OpenIdAjaxRelyingParty(store));
}
/// <summary>
/// Initializes a new instance of the <see cref="OpenIdAjaxRelyingParty"/> class.
/// </summary>
/// <param name="applicationStore">The application store. If <c>null</c>, the relying party will always operate in "dumb mode".</param>
public OpenIdAjaxRelyingParty(IRelyingPartyApplicationStore applicationStore)
: base(applicationStore) {
Reporting.RecordFeatureUse(this);
}
public OpenIdRelyingParty(IRelyingPartyApplicationStore store, Uri requestUrl, NameValueCollection query) :
this(store, requestUrl, Util.NameValueCollectionToDictionary(query))
{
}
internal static OpenIdRelyingParty CreateRelyingParty(IRelyingPartyApplicationStore store, NameValueCollection fields)
{
return(CreateRelyingParty(store, null, fields));
}
/// <summary>
/// Initializes a new instance of the <see cref="OpenIdAjaxRelyingParty"/> class.
/// </summary>
/// <param name="applicationStore">The application store. If <c>null</c>, the relying party will always operate in "dumb mode".</param>
public OpenIdAjaxRelyingParty(IRelyingPartyApplicationStore applicationStore)
: base(applicationStore)
{
Reporting.RecordFeatureUse(this);
}
/// <summary>
/// Generates a new <see cref="OpenIdRelyingParty"/> whose direct messages
/// will be automatically handled by an internal <see cref="OpenIdProvider"/>
/// that uses the shared <see cref="ProviderStore"/>.
/// </summary>
internal static OpenIdRelyingParty CreateRelyingParty(IRelyingPartyApplicationStore store, Uri requestUrl, NameValueCollection fields)
{
var rp = new OpenIdRelyingParty(store, requestUrl ?? GetFullUrl(ConsumerPage), fields ?? new NameValueCollection());
if (fields == null || fields.Count == 0) {
Assert.IsNull(rp.Response);
}
rp.DirectMessageChannel = new DirectMessageTestRedirector(ProviderStore);
return rp;
}
public void SetUp() {
store = new ApplicationMemoryStore();
if (!UntrustedWebRequest.WhitelistHosts.Contains("localhost"))
UntrustedWebRequest.WhitelistHosts.Add("localhost");
}
/// <summary>
/// Generates a new <see cref="OpenIdRelyingParty"/> ready to process a
/// response from an <see cref="OpenIdProvider"/>.
/// </summary>
internal static IAuthenticationResponse CreateRelyingPartyResponse(IRelyingPartyApplicationStore store, IResponse providerResponse)
{
return(CreateRelyingPartyResponse(store, providerResponse, false));
}
internal static OpenIdRelyingParty CreateRelyingParty(IRelyingPartyApplicationStore store, NameValueCollection fields)
{
return CreateRelyingParty(store, null, fields);
}
internal static IAuthenticationResponse CreateRelyingPartyResponse(IRelyingPartyApplicationStore store, IResponse providerResponse, bool requireSsl)
{
if (providerResponse == null) throw new ArgumentNullException("providerResponse");
var opAuthWebResponse = (Response)providerResponse;
var opAuthResponse = (EncodableResponse)opAuthWebResponse.EncodableMessage;
var rp = CreateRelyingParty(store, opAuthResponse.RedirectUrl,
opAuthResponse.EncodedFields.ToNameValueCollection());
rp.Settings.RequireSsl = requireSsl;
// Get the response now, before trying the replay attack. The Response
// property is lazily-evaluated, so the replay attack can be evaluated first
// and pass, while this one that SUPPOSED to pass fails, if we don't force it now.
var response = rp.Response;
// Side-track to test for replay attack while we're at it.
// This simulates a network sniffing user who caught the
// authenticating query en route to either the user agent or
// the consumer, and tries the same query to the consumer in an
// attempt to spoof the identity of the authenticating user.
try {
Logger.Info("Attempting replay attack...");
var replayRP = CreateRelyingParty(store, opAuthResponse.RedirectUrl,
opAuthResponse.EncodedFields.ToNameValueCollection());
replayRP.Settings.RequireSsl = requireSsl;
Assert.AreNotEqual(AuthenticationStatus.Authenticated, replayRP.Response.Status, "Replay attack succeeded!");
} catch (OpenIdException) { // nonce already used
// another way to pass
}
// Return the result of the initial response (not the replay attack one).
return response;
}
