public void GenerateFormToken_AuthenticatedWithoutUsernameAndNoAdditionalData_NoAdditionalData_SuppressHeuristics()
{
// Arrange
AntiForgeryToken cookieToken = new AntiForgeryToken()
{
IsSessionToken = true
};
HttpContextBase httpContext = new Mock <HttpContextBase>().Object;
IIdentity identity = new MyAuthenticatedIdentityWithoutUsername();
IAntiForgeryConfig config = new MockAntiForgeryConfig()
{
SuppressIdentityHeuristicChecks = true
};
IClaimUidExtractor claimUidExtractor = new Mock <MockableClaimUidExtractor>().Object;
TokenValidator validator = new TokenValidator(
config: config,
claimUidExtractor: claimUidExtractor
);
// Act
var fieldToken = validator.GenerateFormToken(httpContext, identity, cookieToken);
// Assert
Assert.NotNull(fieldToken);
Assert.Equal(cookieToken.SecurityToken, fieldToken.SecurityToken);
Assert.False(fieldToken.IsSessionToken);
Assert.Equal("", fieldToken.Username);
Assert.Null(fieldToken.ClaimUid);
Assert.Equal("", fieldToken.AdditionalData);
}
public void GenerateFormToken_AnonymousUser()
{
// Arrange
AntiForgeryToken cookieToken = new AntiForgeryToken()
{
IsSessionToken = true
};
HttpContextBase httpContext = new Mock <HttpContextBase>().Object;
Mock <IIdentity> mockIdentity = new Mock <IIdentity>();
mockIdentity.Setup(o => o.IsAuthenticated).Returns(false);
IAntiForgeryConfig config = new MockAntiForgeryConfig();
TokenValidator validator = new TokenValidator(config: config, claimUidExtractor: null);
// Act
var fieldToken = validator.GenerateFormToken(
httpContext,
mockIdentity.Object,
cookieToken
);
// Assert
Assert.NotNull(fieldToken);
Assert.Equal(cookieToken.SecurityToken, fieldToken.SecurityToken);
Assert.False(fieldToken.IsSessionToken);
Assert.Equal("", fieldToken.Username);
Assert.Null(fieldToken.ClaimUid);
Assert.Equal("", fieldToken.AdditionalData);
}
public void GenerateFormToken_AuthenticatedWithoutUsernameAndNoAdditionalData_NoAdditionalData()
{
// Arrange
AntiForgeryToken cookieToken = new AntiForgeryToken()
{
IsSessionToken = true
};
HttpContextBase httpContext = new Mock <HttpContextBase>().Object;
IIdentity identity = new MyAuthenticatedIdentityWithoutUsername();
IAntiForgeryConfig config = new MockAntiForgeryConfig();
IClaimUidExtractor claimUidExtractor = new Mock <MockableClaimUidExtractor>().Object;
TokenValidator validator = new TokenValidator(
config: config,
claimUidExtractor: claimUidExtractor
);
// Act & assert
var ex = Assert.Throws <InvalidOperationException>(
() => validator.GenerateFormToken(httpContext, identity, cookieToken)
);
Assert.Equal(
@"The provided identity of type 'System.Web.Helpers.AntiXsrf.Test.TokenValidatorTest+MyAuthenticatedIdentityWithoutUsername' is marked IsAuthenticated = true but does not have a value for Name. By default, the anti-forgery system requires that all authenticated identities have a unique Name. If it is not possible to provide a unique Name for this identity, consider setting the static property AntiForgeryConfig.AdditionalDataProvider to an instance of a type that can provide some form of unique identifier for the current user.",
ex.Message
);
}
public void GenerateFormToken_AnonymousUser()
{
// Arrange
AntiForgeryToken cookieToken = new AntiForgeryToken() { IsSessionToken = true };
HttpContextBase httpContext = new Mock<HttpContextBase>().Object;
Mock<IIdentity> mockIdentity = new Mock<IIdentity>();
mockIdentity.Setup(o => o.IsAuthenticated).Returns(false);
IAntiForgeryConfig config = new MockAntiForgeryConfig();
TokenValidator validator = new TokenValidator(
config: config,
claimUidExtractor: null);
// Act
var fieldToken = validator.GenerateFormToken(httpContext, mockIdentity.Object, cookieToken);
// Assert
Assert.NotNull(fieldToken);
Assert.Equal(cookieToken.SecurityToken, fieldToken.SecurityToken);
Assert.False(fieldToken.IsSessionToken);
Assert.Equal("", fieldToken.Username);
Assert.Equal(null, fieldToken.ClaimUid);
Assert.Equal("", fieldToken.AdditionalData);
}
public void GenerateFormToken_ClaimsBasedIdentity()
{
// Arrange
AntiForgeryToken cookieToken = new AntiForgeryToken()
{
IsSessionToken = true
};
HttpContextBase httpContext = new Mock <HttpContextBase>().Object;
IIdentity identity = new GenericIdentity("some-identity");
MockAntiForgeryConfig config = new MockAntiForgeryConfig()
{
UniqueClaimTypeIdentifier = "unique-identifier"
};
BinaryBlob expectedClaimUid = new BinaryBlob(256);
Mock <MockableClaimUidExtractor> mockClaimUidExtractor = new Mock <MockableClaimUidExtractor>();
mockClaimUidExtractor.Setup(o => o.ExtractClaimUid(identity)).Returns((object)expectedClaimUid);
TokenValidator validator = new TokenValidator(
config: config,
claimUidExtractor: mockClaimUidExtractor.Object);
// Act
var fieldToken = validator.GenerateFormToken(httpContext, identity, cookieToken);
// Assert
Assert.NotNull(fieldToken);
Assert.Equal(cookieToken.SecurityToken, fieldToken.SecurityToken);
Assert.False(fieldToken.IsSessionToken);
Assert.Equal("", fieldToken.Username);
Assert.Equal(expectedClaimUid, fieldToken.ClaimUid);
Assert.Equal("", fieldToken.AdditionalData);
}
public void GenerateFormToken_AuthenticatedWithoutUsername_WithAdditionalData()
{
// Arrange
AntiForgeryToken cookieToken = new AntiForgeryToken()
{
IsSessionToken = true
};
HttpContextBase httpContext = new Mock <HttpContextBase>().Object;
IIdentity identity = new MyAuthenticatedIdentityWithoutUsername();
Mock <IAntiForgeryAdditionalDataProvider> mockAdditionalDataProvider = new Mock <IAntiForgeryAdditionalDataProvider>();
mockAdditionalDataProvider.Setup(o => o.GetAdditionalData(httpContext)).Returns("additional-data");
IAntiForgeryConfig config = new MockAntiForgeryConfig()
{
AdditionalDataProvider = mockAdditionalDataProvider.Object
};
IClaimUidExtractor claimUidExtractor = new Mock <MockableClaimUidExtractor>().Object;
TokenValidator validator = new TokenValidator(
config: config,
claimUidExtractor: claimUidExtractor);
// Act
var fieldToken = validator.GenerateFormToken(httpContext, identity, cookieToken);
// Assert
Assert.NotNull(fieldToken);
Assert.Equal(cookieToken.SecurityToken, fieldToken.SecurityToken);
Assert.False(fieldToken.IsSessionToken);
Assert.Equal("", fieldToken.Username);
Assert.Equal(null, fieldToken.ClaimUid);
Assert.Equal("additional-data", fieldToken.AdditionalData);
}
public void GenerateFormToken_AuthenticatedWithoutUsernameAndNoAdditionalData_NoAdditionalData()
{
// Arrange
AntiForgeryToken cookieToken = new AntiForgeryToken()
{
IsSessionToken = true
};
HttpContextBase httpContext = new Mock<HttpContextBase>().Object;
IIdentity identity = new MyAuthenticatedIdentityWithoutUsername();
IAntiForgeryConfig config = new MockAntiForgeryConfig();
IClaimUidExtractor claimUidExtractor = new Mock<MockableClaimUidExtractor>().Object;
TokenValidator validator = new TokenValidator(
config: config,
claimUidExtractor: claimUidExtractor);
// Act & assert
var ex = Assert.Throws<InvalidOperationException>(() => validator.GenerateFormToken(httpContext, identity, cookieToken));
Assert.Equal(@"The provided identity of type 'System.Web.Helpers.AntiXsrf.Test.TokenValidatorTest+MyAuthenticatedIdentityWithoutUsername' is marked IsAuthenticated = true but does not have a value for Name. By default, the anti-forgery system requires that all authenticated identities have a unique Name. If it is not possible to provide a unique Name for this identity, consider setting the static property AntiForgeryConfig.AdditionalDataProvider to an instance of a type that can provide some form of unique identifier for the current user.", ex.Message);
}
public void GenerateFormToken_AuthenticatedWithoutUsernameAndNoAdditionalData_NoAdditionalData_SuppressHeuristics()
{
// Arrange
AntiForgeryToken cookieToken = new AntiForgeryToken() { IsSessionToken = true };
HttpContextBase httpContext = new Mock<HttpContextBase>().Object;
IIdentity identity = new MyAuthenticatedIdentityWithoutUsername();
IAntiForgeryConfig config = new MockAntiForgeryConfig()
{
SuppressIdentityHeuristicChecks = true
};
IClaimUidExtractor claimUidExtractor = new Mock<MockableClaimUidExtractor>().Object;
TokenValidator validator = new TokenValidator(
config: config,
claimUidExtractor: claimUidExtractor);
// Act
var fieldToken = validator.GenerateFormToken(httpContext, identity, cookieToken);
// Assert
Assert.NotNull(fieldToken);
Assert.Equal(cookieToken.SecurityToken, fieldToken.SecurityToken);
Assert.False(fieldToken.IsSessionToken);
Assert.Equal("", fieldToken.Username);
Assert.Equal(null, fieldToken.ClaimUid);
Assert.Equal("", fieldToken.AdditionalData);
}
public void GenerateFormToken_ClaimsBasedIdentity()
{
// Arrange
AntiForgeryToken cookieToken = new AntiForgeryToken() { IsSessionToken = true };
HttpContextBase httpContext = new Mock<HttpContextBase>().Object;
IIdentity identity = new GenericIdentity("some-identity");
MockAntiForgeryConfig config = new MockAntiForgeryConfig()
{
UniqueClaimTypeIdentifier = "unique-identifier"
};
BinaryBlob expectedClaimUid = new BinaryBlob(256);
Mock<MockableClaimUidExtractor> mockClaimUidExtractor = new Mock<MockableClaimUidExtractor>();
mockClaimUidExtractor.Setup(o => o.ExtractClaimUid(identity)).Returns((object)expectedClaimUid);
TokenValidator validator = new TokenValidator(
config: config,
claimUidExtractor: mockClaimUidExtractor.Object);
// Act
var fieldToken = validator.GenerateFormToken(httpContext, identity, cookieToken);
// Assert
Assert.NotNull(fieldToken);
Assert.Equal(cookieToken.SecurityToken, fieldToken.SecurityToken);
Assert.False(fieldToken.IsSessionToken);
Assert.Equal("", fieldToken.Username);
Assert.Equal(expectedClaimUid, fieldToken.ClaimUid);
Assert.Equal("", fieldToken.AdditionalData);
}
public void GenerateFormToken_AuthenticatedWithoutUsername_WithAdditionalData()
{
// Arrange
AntiForgeryToken cookieToken = new AntiForgeryToken() { IsSessionToken = true };
HttpContextBase httpContext = new Mock<HttpContextBase>().Object;
IIdentity identity = new MyAuthenticatedIdentityWithoutUsername();
Mock<IAntiForgeryAdditionalDataProvider> mockAdditionalDataProvider = new Mock<IAntiForgeryAdditionalDataProvider>();
mockAdditionalDataProvider.Setup(o => o.GetAdditionalData(httpContext)).Returns("additional-data");
IAntiForgeryConfig config = new MockAntiForgeryConfig()
{
AdditionalDataProvider = mockAdditionalDataProvider.Object
};
IClaimUidExtractor claimUidExtractor = new Mock<MockableClaimUidExtractor>().Object;
TokenValidator validator = new TokenValidator(
config: config,
claimUidExtractor: claimUidExtractor);
// Act
var fieldToken = validator.GenerateFormToken(httpContext, identity, cookieToken);
// Assert
Assert.NotNull(fieldToken);
Assert.Equal(cookieToken.SecurityToken, fieldToken.SecurityToken);
Assert.False(fieldToken.IsSessionToken);
Assert.Equal("", fieldToken.Username);
Assert.Equal(null, fieldToken.ClaimUid);
Assert.Equal("additional-data", fieldToken.AdditionalData);
}
