public void Ctor() {
PolicyResponse resp = new PolicyResponse();
Assert.IsNotNull(resp.ActualPolicies);
Assert.AreEqual(0, resp.ActualPolicies.Count);
Assert.IsNull(resp.AuthenticationTimeUtc);
Assert.IsNull(resp.NistAssuranceLevel);
}
public void AuthenticationTimeUtcConvertsToUtc() {
PolicyResponse resp = new PolicyResponse();
resp.AuthenticationTimeUtc = someLocalTime;
Assert.IsNotNull(resp.AuthenticationTimeUtc);
Assert.AreEqual(DateTimeKind.Utc, resp.AuthenticationTimeUtc.Value.Kind);
Assert.AreEqual(someLocalTime.ToUniversalTime(), resp.AuthenticationTimeUtc.Value);
}
public void AddPolicies() {
PolicyResponse resp = new PolicyResponse();
resp.ActualPolicies.Add(AuthenticationPolicies.MultiFactor);
resp.ActualPolicies.Add(AuthenticationPolicies.PhishingResistant);
Assert.AreEqual(2, resp.ActualPolicies.Count);
Assert.AreEqual(AuthenticationPolicies.MultiFactor, resp.ActualPolicies[0]);
Assert.AreEqual(AuthenticationPolicies.PhishingResistant, resp.ActualPolicies[1]);
}
public void AuthenticationTimeUtcSetNull() {
PolicyResponse resp = new PolicyResponse();
resp.AuthenticationTimeUtc = null;
Assert.IsNull(resp.AuthenticationTimeUtc);
resp.AuthenticationTimeUtc = someUtcTime;
Assert.IsNotNull(resp.AuthenticationTimeUtc);
resp.AuthenticationTimeUtc = null;
Assert.IsNull(resp.AuthenticationTimeUtc);
}
public void AddPolicyMultipleTimes() {
// Although this isn't really the desired behavior (we'd prefer to see an
// exception thrown), since we're using a List<string> internally we can't
// expect anything better (for now). But if this is ever fixed, by all means
// change this test to expect an exception or something else.
PolicyResponse resp = new PolicyResponse();
resp.ActualPolicies.Add(AuthenticationPolicies.MultiFactor);
resp.ActualPolicies.Add(AuthenticationPolicies.MultiFactor);
Assert.AreEqual(2, resp.ActualPolicies.Count);
}
public void AssuranceLevels()
{
PolicyResponse resp = new PolicyResponse();
Assert.AreEqual(0, resp.AssuranceLevels.Count);
resp.NistAssuranceLevel = NistAssuranceLevel.Level2;
Assert.AreEqual(1, resp.AssuranceLevels.Count);
Assert.AreEqual("2", resp.AssuranceLevels[Constants.AssuranceLevels.NistTypeUri]);
resp.AssuranceLevels[Constants.AssuranceLevels.NistTypeUri] = "3";
Assert.AreEqual(NistAssuranceLevel.Level3, resp.NistAssuranceLevel);
resp.AssuranceLevels.Clear();
Assert.IsNull(resp.NistAssuranceLevel);
}
public void Full() {
var request = new PolicyRequest();
request.MaximumAuthenticationAge = TimeSpan.FromMinutes(10);
request.PreferredAuthLevelTypes.Add(Constants.AssuranceLevels.NistTypeUri);
request.PreferredAuthLevelTypes.Add("customAuthLevel");
request.PreferredPolicies.Add(AuthenticationPolicies.MultiFactor);
request.PreferredPolicies.Add(AuthenticationPolicies.PhishingResistant);
var response = new PolicyResponse();
response.ActualPolicies.Add(AuthenticationPolicies.MultiFactor);
response.ActualPolicies.Add(AuthenticationPolicies.PhishingResistant);
response.AuthenticationTimeUtc = DateTime.UtcNow - TimeSpan.FromMinutes(5);
response.AssuranceLevels[Constants.AssuranceLevels.NistTypeUri] = "1";
response.AssuranceLevels["customlevel"] = "ABC";
response.NistAssuranceLevel = NistAssuranceLevel.Level2;
ExtensionTestUtilities.Roundtrip(Protocol.Default, new[] { request }, new[] { response });
}
/// <summary>
/// Determines whether the specified <see cref="T:System.Object"/> is equal to the current <see cref="T:System.Object"/>.
/// </summary>
/// <param name="obj">The <see cref="T:System.Object"/> to compare with the current <see cref="T:System.Object"/>.</param>
/// <returns>
/// true if the specified <see cref="T:System.Object"/> is equal to the current <see cref="T:System.Object"/>; otherwise, false.
/// </returns>
/// <exception cref="T:System.NullReferenceException">
/// The <paramref name="obj"/> parameter is null.
/// </exception>
public override bool Equals(object obj)
{
PolicyResponse other = obj as PolicyResponse;
if (other == null)
{
return(false);
}
if (this.AuthenticationTimeUtc != other.AuthenticationTimeUtc)
{
return(false);
}
if (this.AssuranceLevels.Count != other.AssuranceLevels.Count)
{
return(false);
}
foreach (var pair in this.AssuranceLevels)
{
if (!other.AssuranceLevels.Contains(pair))
{
return(false);
}
}
if (this.ActualPolicies.Count != other.ActualPolicies.Count)
{
return(false);
}
foreach (string policy in this.ActualPolicies)
{
if (!other.ActualPolicies.Contains(policy))
{
return(false);
}
}
return(true);
}
protected void Yes_Click(object sender, EventArgs e)
{
var sregRequest = ProviderEndpoint.PendingAuthenticationRequest.GetExtension<ClaimsRequest>();
ClaimsResponse sregResponse = null;
if (sregRequest != null) {
sregResponse = this.profileFields.GetOpenIdProfileFields(sregRequest);
ProviderEndpoint.PendingAuthenticationRequest.AddResponseExtension(sregResponse);
}
var papeRequest = ProviderEndpoint.PendingAuthenticationRequest.GetExtension<PolicyRequest>();
PolicyResponse papeResponse = null;
if (papeRequest != null) {
papeResponse = new PolicyResponse();
papeResponse.NistAssuranceLevel = NistAssuranceLevel.InsufficientForLevel1;
ProviderEndpoint.PendingAuthenticationRequest.AddResponseExtension(papeResponse);
}
ProviderEndpoint.PendingAuthenticationRequest.IsAuthenticated = true;
Debug.Assert(ProviderEndpoint.PendingAuthenticationRequest.IsResponseReady, "Setting authentication should be all that's necessary.");
ProviderEndpoint.SendResponse();
}
protected void Yes_Click(object sender, EventArgs e) {
if (!Page.IsValid) {
return;
}
if (this.OAuthPanel.Visible) {
string grantedScope = null;
if (this.oauthPermission.Checked) {
// This SIMPLE sample merely uses the realm as the consumerKey,
// but in a real app this will probably involve a database lookup to translate
// the realm to a known consumerKey.
grantedScope = string.Empty; // we don't scope individual access rights on this sample
}
OAuthHybrid.ServiceProvider.AttachAuthorizationResponse(ProviderEndpoint.PendingRequest, grantedScope);
}
var sregRequest = ProviderEndpoint.PendingRequest.GetExtension<ClaimsRequest>();
ClaimsResponse sregResponse = null;
if (sregRequest != null) {
sregResponse = this.profileFields.GetOpenIdProfileFields(sregRequest);
ProviderEndpoint.PendingRequest.AddResponseExtension(sregResponse);
}
var papeRequest = ProviderEndpoint.PendingRequest.GetExtension<PolicyRequest>();
PolicyResponse papeResponse = null;
if (papeRequest != null) {
papeResponse = new PolicyResponse();
papeResponse.NistAssuranceLevel = NistAssuranceLevel.InsufficientForLevel1;
ProviderEndpoint.PendingRequest.AddResponseExtension(papeResponse);
}
if (ProviderEndpoint.PendingAuthenticationRequest != null) {
ProviderEndpoint.PendingAuthenticationRequest.IsAuthenticated = true;
} else {
ProviderEndpoint.PendingAnonymousRequest.IsApproved = true;
}
Debug.Assert(ProviderEndpoint.PendingRequest.IsResponseReady, "Setting authentication should be all that's necessary.");
ProviderEndpoint.SendResponse();
}
public void AuthenticationTimeUtcSetUnspecified() {
PolicyResponse resp = new PolicyResponse();
resp.AuthenticationTimeUtc = someUnspecifiedTime;
}
public void AuthenticationTimeUtcSetUtc() {
PolicyResponse resp = new PolicyResponse();
resp.AuthenticationTimeUtc = someUtcTime;
Assert.AreEqual(someUtcTime, resp.AuthenticationTimeUtc);
}
/// <summary>
/// Called when the Provider is preparing to send a response to an authentication request.
/// </summary>
/// <param name="request">The request that is configured to generate the outgoing response.</param>
/// <param name="cancellationToken">The cancellation token.</param>
/// <returns>
/// <c>true</c> if this behavior owns this request and wants to stop other behaviors
/// from handling it; <c>false</c> to allow other behaviors to process this request.
/// </returns>
async Task<bool> IProviderBehavior.OnOutgoingResponseAsync(Provider.IAuthenticationRequest request, CancellationToken cancellationToken) {
bool result = false;
// Nothing to do for negative assertions.
if (!request.IsAuthenticated.Value) {
return result;
}
var requestInternal = (Provider.AuthenticationRequest)request;
var responseMessage = (IProtocolMessageWithExtensions)await requestInternal.GetResponseAsync(cancellationToken);
// Only apply our special policies if the RP requested it.
var papeRequest = request.GetExtension<PolicyRequest>();
if (papeRequest != null) {
var papeResponse = responseMessage.Extensions.OfType<PolicyResponse>().SingleOrDefault();
if (papeResponse == null) {
request.AddResponseExtension(papeResponse = new PolicyResponse());
}
if (papeRequest.PreferredPolicies.Contains(AuthenticationPolicies.USGovernmentTrustLevel1)) {
result = true;
if (!papeResponse.ActualPolicies.Contains(AuthenticationPolicies.USGovernmentTrustLevel1)) {
papeResponse.ActualPolicies.Add(AuthenticationPolicies.USGovernmentTrustLevel1);
}
// The spec requires that the OP perform discovery and if that fails, it must either sternly
// warn the user of a potential threat or just abort the authentication.
// We can't verify that the OP displayed anything to the user at this level, but we can
// at least verify that the OP performed the discovery on the realm and halt things if it didn't.
ErrorUtilities.VerifyHost(requestInternal.HasRealmDiscoveryBeenPerformed, BehaviorStrings.RealmDiscoveryNotPerformed);
}
if (papeRequest.PreferredPolicies.Contains(AuthenticationPolicies.PrivatePersonalIdentifier)) {
ErrorUtilities.VerifyProtocol(request.ClaimedIdentifier == request.LocalIdentifier, OpenIdStrings.DelegatingIdentifiersNotAllowed);
// Mask the user's identity with a PPID.
ErrorUtilities.VerifyHost(PpidIdentifierProvider != null, BehaviorStrings.PpidProviderNotGiven);
Identifier ppidIdentifier = PpidIdentifierProvider.GetIdentifier(request.LocalIdentifier, request.Realm);
requestInternal.ResetClaimedAndLocalIdentifiers(ppidIdentifier);
// Indicate that the RP is receiving a PPID claimed_id
if (!papeResponse.ActualPolicies.Contains(AuthenticationPolicies.PrivatePersonalIdentifier)) {
papeResponse.ActualPolicies.Add(AuthenticationPolicies.PrivatePersonalIdentifier);
}
}
if (papeRequest.PreferredPolicies.Contains(AuthenticationPolicies.NoPersonallyIdentifiableInformation)) {
ErrorUtilities.VerifyProtocol(
!responseMessage.Extensions.OfType<ClaimsResponse>().Any() &&
!responseMessage.Extensions.OfType<FetchResponse>().Any(),
BehaviorStrings.PiiIncludedWithNoPiiPolicy);
// If no PII is given in extensions, and the claimed_id is a PPID, then we can state we issue no PII.
if (papeResponse.ActualPolicies.Contains(AuthenticationPolicies.PrivatePersonalIdentifier)) {
if (!papeResponse.ActualPolicies.Contains(AuthenticationPolicies.NoPersonallyIdentifiableInformation)) {
papeResponse.ActualPolicies.Add(AuthenticationPolicies.NoPersonallyIdentifiableInformation);
}
}
}
Reporting.RecordEventOccurrence(this, "OP");
}
return result;
}
/// <summary>
/// Called when the Provider is preparing to send a response to an authentication request.
/// </summary>
/// <param name="request">The request that is configured to generate the outgoing response.</param>
/// <param name="cancellationToken">The cancellation token.</param>
/// <returns>
/// <c>true</c> if this behavior owns this request and wants to stop other behaviors
/// from handling it; <c>false</c> to allow other behaviors to process this request.
/// </returns>
async Task<bool> IProviderBehavior.OnOutgoingResponseAsync(IAuthenticationRequest request, CancellationToken cancellationToken) {
// Nothing to do for negative assertions.
if (!request.IsAuthenticated.Value) {
return false;
}
var requestInternal = (Provider.AuthenticationRequest)request;
var responseMessage = (IProtocolMessageWithExtensions)await requestInternal.GetResponseAsync(cancellationToken);
// Only apply our special policies if the RP requested it.
var papeRequest = request.GetExtension<PolicyRequest>();
if (papeRequest != null) {
if (papeRequest.PreferredPolicies.Contains(AuthenticationPolicies.PrivatePersonalIdentifier)) {
ErrorUtilities.VerifyProtocol(request.ClaimedIdentifier == request.LocalIdentifier, OpenIdStrings.DelegatingIdentifiersNotAllowed);
if (PpidIdentifierProvider == null) {
Logger.OpenId.Error(BehaviorStrings.PpidProviderNotGiven);
return false;
}
// Mask the user's identity with a PPID.
if (PpidIdentifierProvider.IsUserLocalIdentifier(request.LocalIdentifier)) {
Identifier ppidIdentifier = PpidIdentifierProvider.GetIdentifier(request.LocalIdentifier, request.Realm);
requestInternal.ResetClaimedAndLocalIdentifiers(ppidIdentifier);
}
// Indicate that the RP is receiving a PPID claimed_id
var papeResponse = responseMessage.Extensions.OfType<PolicyResponse>().SingleOrDefault();
if (papeResponse == null) {
request.AddResponseExtension(papeResponse = new PolicyResponse());
}
if (!papeResponse.ActualPolicies.Contains(AuthenticationPolicies.PrivatePersonalIdentifier)) {
papeResponse.ActualPolicies.Add(AuthenticationPolicies.PrivatePersonalIdentifier);
}
Reporting.RecordEventOccurrence(this, string.Empty);
}
}
return false;
}
/// <summary>
/// Sends a positive or a negative assertion, based on how the pending request is currently marked.
/// </summary>
/// <returns>An MVC redirect result.</returns>
public ActionResult SendAssertion()
{
var pendingRequest = ProviderEndpoint.PendingRequest;
var authReq = pendingRequest as IAuthenticationRequest;
var anonReq = pendingRequest as IAnonymousRequest;
ProviderEndpoint.PendingRequest = null; // clear session static so we don't do this again
if (pendingRequest == null)
{
throw new InvalidOperationException("There's no pending authentication request!");
}
// Set safe defaults if somehow the user ended up (perhaps through XSRF) here before electing to send data to the RP.
if (anonReq != null && !anonReq.IsApproved.HasValue)
{
anonReq.IsApproved = false;
}
if (authReq != null && !authReq.IsAuthenticated.HasValue)
{
authReq.IsAuthenticated = false;
}
if (authReq != null && authReq.IsAuthenticated.Value)
{
if (authReq.IsDirectedIdentity)
{
authReq.LocalIdentifier = Models.User.GetClaimedIdentifierForUser(User.Identity.Name);
}
if (!authReq.IsDelegatedIdentifier)
{
authReq.ClaimedIdentifier = authReq.LocalIdentifier;
}
}
// Respond to AX/sreg extension requests only on a positive result.
if ((authReq != null && authReq.IsAuthenticated.Value) ||
(anonReq != null && anonReq.IsApproved.Value))
{
// Look for a Simple Registration request. When the AXFetchAsSregTransform behavior is turned on
// in the web.config file as it is in this sample, AX requests will come in as SReg requests.
var claimsRequest = pendingRequest.GetExtension<ClaimsRequest>();
if (claimsRequest != null)
{
var claimsResponse = claimsRequest.CreateResponse();
// This simple respond to a request check may be enhanced to only respond to an individual attribute
// request if the user consents to it explicitly, in which case this response extension creation can take
// place in the confirmation page action rather than here.
if (claimsRequest.Email != DemandLevel.NoRequest)
{
claimsResponse.Email = User.Identity.Name; // +"@dotnetopenauth.net";
}
pendingRequest.AddResponseExtension(claimsResponse);
}
// Look for PAPE requests.
var papeRequest = pendingRequest.GetExtension<PolicyRequest>();
if (papeRequest != null)
{
var papeResponse = new PolicyResponse();
if (papeRequest.MaximumAuthenticationAge.HasValue)
{
papeResponse.AuthenticationTimeUtc = this.FormsAuth.SignedInTimestampUtc;
}
pendingRequest.AddResponseExtension(papeResponse);
}
}
return OpenIdProvider.PrepareResponse(pendingRequest).AsActionResult();
}
public void Serialize() {
PolicyResponse resp = new PolicyResponse();
IMessageWithEvents respEvents = resp;
var fields = this.MessageDescriptions.GetAccessor(resp);
respEvents.OnSending();
Assert.AreEqual(1, fields.Count);
Assert.IsTrue(fields.ContainsKey("auth_policies"));
Assert.AreEqual(AuthenticationPolicies.None, fields["auth_policies"]);
resp.ActualPolicies.Add(AuthenticationPolicies.PhishingResistant);
respEvents.OnSending();
Assert.AreEqual(1, fields.Count);
Assert.AreEqual(AuthenticationPolicies.PhishingResistant, fields["auth_policies"]);
resp.ActualPolicies.Add(AuthenticationPolicies.PhysicalMultiFactor);
respEvents.OnSending();
Assert.AreEqual(1, fields.Count);
Assert.AreEqual(
AuthenticationPolicies.PhishingResistant + " " + AuthenticationPolicies.PhysicalMultiFactor,
fields["auth_policies"]);
resp.AuthenticationTimeUtc = DateTime.UtcNow;
respEvents.OnSending();
Assert.AreEqual(2, fields.Count);
Assert.IsTrue(fields.ContainsKey("auth_time"));
resp.NistAssuranceLevel = NistAssuranceLevel.Level3;
respEvents.OnSending();
Assert.AreEqual(4, fields.Count);
Assert.IsTrue(fields.ContainsKey("auth_level.ns.nist"));
Assert.AreEqual(Constants.AssuranceLevels.NistTypeUri, fields["auth_level.ns.nist"]);
Assert.IsTrue(fields.ContainsKey("auth_level.nist"));
Assert.AreEqual("3", fields["auth_level.nist"]);
resp.AssuranceLevels.Add("custom", "CU");
respEvents.OnSending();
Assert.AreEqual(6, fields.Count);
Assert.IsTrue(fields.ContainsKey("auth_level.ns.alias2"));
Assert.AreEqual("custom", fields["auth_level.ns.alias2"]);
Assert.IsTrue(fields.ContainsKey("auth_level.alias2"));
Assert.AreEqual("CU", fields["auth_level.alias2"]);
// and make sure the NIST is still there.
Assert.IsTrue(fields.ContainsKey("auth_level.ns.nist"));
Assert.AreEqual(Constants.AssuranceLevels.NistTypeUri, fields["auth_level.ns.nist"]);
Assert.IsTrue(fields.ContainsKey("auth_level.nist"));
Assert.AreEqual("3", fields["auth_level.nist"]);
}
public async Task Trivial() {
var request = new PolicyRequest();
var response = new PolicyResponse();
await this.RoundtripAsync(Protocol.Default, new[] { request }, new[] { response });
}
public void Trivial() {
var request = new PolicyRequest();
var response = new PolicyResponse();
ExtensionTestUtilities.Roundtrip(Protocol.Default, new[] { request }, new[] { response });
}
public void NistAssuranceLevelSetVarious() {
PolicyResponse resp = new PolicyResponse();
resp.NistAssuranceLevel = NistAssuranceLevel.Level1;
Assert.AreEqual(NistAssuranceLevel.Level1, resp.NistAssuranceLevel);
resp.NistAssuranceLevel = null;
Assert.IsNull(resp.NistAssuranceLevel);
resp.NistAssuranceLevel = NistAssuranceLevel.InsufficientForLevel1;
Assert.AreEqual(NistAssuranceLevel.InsufficientForLevel1, resp.NistAssuranceLevel);
}
public void EqualsTest() {
PolicyResponse resp = new PolicyResponse();
PolicyResponse resp2 = new PolicyResponse();
Assert.AreEqual(resp, resp2);
Assert.AreNotEqual(resp, null);
Assert.AreNotEqual(null, resp);
// Test ActualPolicies list comparison
resp.ActualPolicies.Add(AuthenticationPolicies.PhishingResistant);
Assert.AreNotEqual(resp, resp2);
resp2.ActualPolicies.Add(AuthenticationPolicies.MultiFactor);
Assert.AreNotEqual(resp, resp2);
resp2.ActualPolicies.Clear();
resp2.ActualPolicies.Add(AuthenticationPolicies.PhishingResistant);
Assert.AreEqual(resp, resp2);
// Test ActualPolicies list comparison when that list is not in the same order.
resp.ActualPolicies.Add(AuthenticationPolicies.MultiFactor);
Assert.AreNotEqual(resp, resp2);
resp2.ActualPolicies.Insert(0, AuthenticationPolicies.MultiFactor);
Assert.AreEqual(resp, resp2);
// Test AuthenticationTimeUtc comparison.
resp.AuthenticationTimeUtc = DateTime.Now;
Assert.AreNotEqual(resp, resp2);
resp2.AuthenticationTimeUtc = resp.AuthenticationTimeUtc;
Assert.AreEqual(resp, resp2);
resp2.AuthenticationTimeUtc += TimeSpan.FromSeconds(1);
Assert.AreNotEqual(resp, resp2);
resp2.AuthenticationTimeUtc = resp.AuthenticationTimeUtc;
Assert.AreEqual(resp, resp2);
// Test NistAssuranceLevel comparison.
resp.NistAssuranceLevel = NistAssuranceLevel.InsufficientForLevel1;
Assert.AreNotEqual(resp, resp2);
resp2.NistAssuranceLevel = NistAssuranceLevel.InsufficientForLevel1;
Assert.AreEqual(resp, resp2);
resp.NistAssuranceLevel = NistAssuranceLevel.Level2;
Assert.AreNotEqual(resp, resp2);
resp2.NistAssuranceLevel = NistAssuranceLevel.Level2;
Assert.AreEqual(resp, resp2);
// Test AssuranceLevels comparison.
resp.AssuranceLevels.Add("custom", "b");
Assert.AreNotEqual(resp, resp2);
resp2.AssuranceLevels.Add("custom", "2");
Assert.AreNotEqual(resp, resp2);
resp2.AssuranceLevels["custom"] = "b";
Assert.AreEqual(resp, resp2);
resp.AssuranceLevels[Constants.AssuranceLevels.NistTypeUri] = "1";
Assert.AreNotEqual(resp, resp2);
resp2.AssuranceLevels[Constants.AssuranceLevels.NistTypeUri] = "1";
Assert.AreEqual(resp, resp2);
}
