public void InvalidAudienceTest_Hostname()
{
// Arrange
string iothubHostName = "testiothub.azure-devices.net";
string edgehubHostName = "edgehub1";
string deviceId = "d1";
var underlyingAuthenticator = Mock.Of <IAuthenticator>();
var deviceScopeIdentitiesCache = Mock.Of <IDeviceScopeIdentitiesCache>();
string key = GetKey();
var authenticator = new DeviceScopeTokenAuthenticator(deviceScopeIdentitiesCache, iothubHostName, edgehubHostName, underlyingAuthenticator, true, true);
var identity = Mock.Of <IDeviceIdentity>(d => d.DeviceId == deviceId && d.Id == deviceId);
string token = GetDeviceToken("edgehub2", deviceId, key);
SharedAccessSignature sharedAccessSignature = SharedAccessSignature.Parse(edgehubHostName, token);
string audience = sharedAccessSignature.Audience;
// Act
bool isAuthenticated = authenticator.ValidateAudience(audience, identity);
// Assert
Assert.False(isAuthenticated);
Mock.Get(underlyingAuthenticator).VerifyAll();
}
public async Task TestSafeCreateNewToken_ShouldReturnSasToken_DeviceIdWithChars()
{
// Arrange
string deviceId = "[email protected]#st";
string moduleId = "$edgeAgent";
var httpClient = new Mock <ISignatureProvider>();
httpClient.Setup(p => p.SignAsync(moduleId, this.generationId, It.IsAny <string>())).Returns(Task.FromResult(this.signature));
var moduleAuthenticationWithHsm = new ModuleAuthenticationWithHsm(httpClient.Object, deviceId, moduleId, this.generationId);
// Act
string sasToken = await moduleAuthenticationWithHsm.GetTokenAsync(this.iotHub);
SharedAccessSignature token = SharedAccessSignature.Parse(iotHub, sasToken);
string audience = string.Format(CultureInfo.InvariantCulture, "{0}/devices/{1}/modules/{2}",
this.iotHub,
WebUtility.UrlEncode(deviceId),
WebUtility.UrlEncode(moduleId));
// Assert
httpClient.Verify();
Assert.IsNotNull(sasToken);
Assert.AreEqual(this.signature, token.Signature);
Assert.AreEqual(audience, token.Audience);
Assert.AreEqual(string.Empty, token.KeyName);
}
public void InvalidAuthChainTest_UnauthorizedActor()
{
// Arrange
string iothubHostName = "testiothub.azure-devices.net";
string edgehubHostName = "edgehub1";
string rootEdgeId = "rootEdge";
string actorEdgeId = "childEdge";
string leafDeviceId = "leaf";
var authChain = Option.Some <string>(leafDeviceId + ";" + "NotActorEdge" + ";" + rootEdgeId);
var underlyingAuthenticator = Mock.Of <IAuthenticator>();
var deviceScopeIdentitiesCache = new Mock <IDeviceScopeIdentitiesCache>();
string key = GetKey();
deviceScopeIdentitiesCache.Setup(d => d.GetAuthChain(It.Is <string>(i => i == leafDeviceId)))
.ReturnsAsync(authChain);
var authenticator = new DeviceScopeTokenAuthenticator(deviceScopeIdentitiesCache.Object, iothubHostName, edgehubHostName, underlyingAuthenticator, true, true);
var identity = Mock.Of <IDeviceIdentity>(d => d.DeviceId == leafDeviceId && d.Id == leafDeviceId);
string token = GetDeviceToken(iothubHostName, actorEdgeId, Constants.EdgeHubModuleId, key);
SharedAccessSignature sharedAccessSignature = SharedAccessSignature.Parse(iothubHostName, token);
string audience = sharedAccessSignature.Audience;
// Act
bool isAuthenticated = authenticator.ValidateAudience(audience, identity, authChain);
// Assert
Assert.False(isAuthenticated);
}
public void AuthenticateThrowsInvalidSASTest()
{
var sas = SharedAccessSignature.Parse(IOT_HUB_NAME, this.GetNonExpiredToken());
var rule = new SharedAccessSignatureAuthorizationRule();
Assert.Throws <UnauthorizedAccessException>(() => sas.Authenticate(rule));
}
protected override (Option <string> deviceId, Option <string> moduleId) GetActorId(ITokenCredentials credentials)
{
// Parse the deviceId and moduleId out of the token's audience
SharedAccessSignature sharedAccessSignature = SharedAccessSignature.Parse(this.iothubHostName, credentials.Token);
(string hostName, string deviceId, Option <string> moduleId) = this.ParseAudience(sharedAccessSignature.Audience);
return(Option.Some(deviceId), moduleId);
}
public void AuthenticateThrowsIsExpiredTest()
{
var sas = SharedAccessSignature.Parse(IOT_HUB_NAME, this.GetAlmostExpiredToken());
var rule = new SharedAccessSignatureAuthorizationRule();
Thread.Sleep(5 * 1000);
Assert.Throws <UnauthorizedAccessException>(() => sas.Authenticate(rule));
}
public static bool IsTokenExpired(string hostName, string token)
{
try
{
SharedAccessSignature sharedAccessSignature = SharedAccessSignature.Parse(hostName, token);
return(sharedAccessSignature.IsExpired());
}
catch (UnauthorizedAccessException)
{
return(true);
}
}
public void IsExpiredTest()
{
var sas = SharedAccessSignature.Parse(IOT_HUB_NAME, this.GetAlmostExpiredToken());
Thread.Sleep(5 * 1000);
Assert.True(sas.IsExpired());
sas = SharedAccessSignature.Parse(IOT_HUB_NAME, this.GetNonExpiredToken());
Assert.False(sas.IsExpired());
}
public static DateTime GetTokenExpiry(string hostName, string token)
{
try
{
SharedAccessSignature sharedAccessSignature = SharedAccessSignature.Parse(hostName, token);
DateTime expiryTime = sharedAccessSignature.ExpiresOn.ToUniversalTime();
return(expiryTime);
}
catch (UnauthorizedAccessException)
{
return(DateTime.MinValue);
}
}
bool TryGetSharedAccessSignature(string token, IIdentity identity, out SharedAccessSignature sharedAccessSignature)
{
try
{
sharedAccessSignature = SharedAccessSignature.Parse(this.iothubHostName, token);
return(true);
}
catch (Exception e)
{
Events.ErrorParsingToken(identity, e);
sharedAccessSignature = null;
return(false);
}
}
bool IsValid(IClientCredentials clientCredentials, string token)
{
try
{
SharedAccessSignature sharedAccessSignature = SharedAccessSignature.Parse(this.iotHubHostName, token);
DateTime expiryTime = sharedAccessSignature.ExpiresOn.ToUniversalTime();
return(expiryTime > DateTime.UtcNow);
}
catch (Exception e)
{
Events.ErrorValidatingCachedToken(clientCredentials.Identity, e);
return(false);
}
}
public void AuthenticateSucceedsWhenValidSASWithSecondaryKeyTest()
{
var sas = SharedAccessSignature.Parse(IOT_HUB_NAME, this.GetNonExpiredToken());
var json = new JObject
{
["keyName"] = "test",
["primaryKey"] = "YmFk",
["secondaryKey"] = "test"
};
var rule = JsonConvert.DeserializeObject <SharedAccessSignatureAuthorizationRule>(json.ToString());
this.AssertNoThrow(() => sas.Authenticate(rule));
}
string GetAuthHeader(HttpContext context)
{
string authHeader = context.GetAuthHeader();
SharedAccessSignature sharedAccessSignature;
try
{
sharedAccessSignature = SharedAccessSignature.Parse(this.iotHubName, authHeader);
}
catch (Exception ex)
{
throw new AuthenticationException($"Cannot parse SharedAccessSignature because of the following error - {ex.Message}", ex);
}
return(authHeader);
}
public void TestBuildSasToken_ShouldReturnSasToken()
{
string audience = "iothub.test/devices/device1/modules/module1";
string signature = "signature";
DateTime expiresOn = DateTime.UtcNow.AddMinutes(10);
TimeSpan secondsFromBaseTime = expiresOn.Subtract(SharedAccessSignatureConstants.EpochTime);
string expiry = secondsFromBaseTime.TotalSeconds.ToString(CultureInfo.InvariantCulture);
string sasTokenString = SasTokenBuilder.BuildSasToken(audience, signature, expiry);
SharedAccessSignature token = SharedAccessSignature.Parse("iothub.test", sasTokenString);
Assert.AreEqual(WebUtility.UrlDecode(audience), token.Audience);
Assert.AreEqual(signature, token.Signature);
Assert.AreEqual(string.Empty, token.KeyName);
Assert.AreEqual(SharedAccessSignatureConstants.EpochTime + TimeSpan.FromSeconds(double.Parse(expiry, CultureInfo.InvariantCulture)), token.ExpiresOn);
}
internal static (string token, string audience) ValidateAndParseMessage(string iotHubHostName, AmqpMessage message)
{
string type = message.ApplicationProperties.Map[CbsConstants.PutToken.Type] as string;
if (!CbsConstants.SupportedTokenTypes.Any(t => string.Equals(type, t, StringComparison.OrdinalIgnoreCase)))
{
throw new InvalidOperationException("Cbs message missing Type property");
}
if (string.IsNullOrEmpty(message.ApplicationProperties.Map[CbsConstants.PutToken.Audience] as string))
{
throw new InvalidOperationException("Cbs message missing audience property");
}
if (!(message.ApplicationProperties.Map[CbsConstants.Operation] is string operation) ||
!operation.Equals(CbsConstants.PutToken.OperationValue, StringComparison.OrdinalIgnoreCase))
{
throw new InvalidOperationException($"Cbs message missing operation value {CbsConstants.PutToken.OperationValue}");
}
string token = message.ValueBody.Value as string;
if (string.IsNullOrEmpty(token))
{
throw new InvalidOperationException("Cbs message does not contain a valid token");
}
try
{
SharedAccessSignature.Parse(iotHubHostName, token);
}
catch (Exception e)
{
throw new InvalidOperationException("Cbs message does not contain a valid token", e);
}
string audience = message.ApplicationProperties.Map[CbsConstants.PutToken.Audience] as string;
return(token, audience);
}
public void ParseThrowsWithSharedAccessSignatureMissingFromRawTokenTest() => Assert.Throws <FormatException>(() => SharedAccessSignature.Parse(IOT_HUB_NAME, MISSING_SHAREDACCESSSIGNATURE_RAW_TOKEN));
public void ParseThrowsWithEmptyIotHubNameTest() => Assert.Throws <ArgumentNullException>(() => SharedAccessSignature.Parse(string.Empty, EXPIRED_RAW_TOKEN));
public void ParseThrowsWithWhiteSpaceIotHubNameTest() => Assert.Throws <ArgumentNullException>(() => SharedAccessSignature.Parse(WHITE_SPACE, EXPIRED_RAW_TOKEN));
public void ParseThrowsWithEmptyRawTokenTest() => Assert.Throws <ArgumentNullException>(() => SharedAccessSignature.Parse(IOT_HUB_NAME, string.Empty));
public void ParseThrowsWithWhiteSpaceRawTokenTest() => Assert.Throws <ArgumentNullException>(() => SharedAccessSignature.Parse(IOT_HUB_NAME, WHITE_SPACE));
public void AuthenticateThrowsWhenRuleIsNullTest()
{
var sas = SharedAccessSignature.Parse(IOT_HUB_NAME, this.GetNonExpiredToken());
Assert.Throws <ArgumentNullException>(() => sas.Authenticate(null));
}
public void ParseDoesNotThrowWithNonExpiredRawTokenTest() => this.AssertNoThrow(() => SharedAccessSignature.Parse(IOT_HUB_NAME, this.GetNonExpiredToken()));
public void ParseThrowsWithExpiredRawTokenTest() => Assert.Throws <UnauthorizedAccessException>(() => SharedAccessSignature.Parse(IOT_HUB_NAME, EXPIRED_RAW_TOKEN));
public void ParseThrowsWithsrMissingFromRawTokenTest() => Assert.Throws <FormatException>(() => SharedAccessSignature.Parse(IOT_HUB_NAME, BAD_TOKEN_MISSING_ENCODING_AUDIENCE));
public void ParseThrowsWithExpiryMissingFromRawTokenTest() => Assert.Throws <FormatException>(() => SharedAccessSignature.Parse(IOT_HUB_NAME, BAD_TOKEN_MISSING_EXPIRY));
public void ParseThrowsWithBadRawTokenTest() => Assert.Throws <FormatException>(() => SharedAccessSignature.Parse(IOT_HUB_NAME, BAD_TOKEN));
