public StubOwinMiddleware(
int statusCode,
AuthenticationResponseChallenge challenge = null,
AuthenticationResponseRevoke revoke = null,
AuthenticationResponseGrant grant = null)
: base(null)
{
this.statusCode = statusCode;
this.challenge = challenge;
this.revoke = revoke;
this.grant = grant;
}
public void SignIn(AuthenticationProperties properties, params ClaimsIdentity[] identities)
{
AuthenticationResponseRevoke priorRevoke = AuthenticationResponseRevoke;
if (priorRevoke != null)
{
// Scan the sign-outs's and remove any with a matching auth type.
string[] filteredSignOuts = priorRevoke.AuthenticationTypes
.Where(authType => !identities.Any(identity => identity.AuthenticationType.Equals(authType, StringComparison.Ordinal)))
.ToArray();
if (filteredSignOuts.Length < priorRevoke.AuthenticationTypes.Length)
{
if (filteredSignOuts.Length == 0)
{
AuthenticationResponseRevoke = null;
}
else
{
AuthenticationResponseRevoke = new AuthenticationResponseRevoke(filteredSignOuts);
}
}
}
AuthenticationResponseGrant priorGrant = AuthenticationResponseGrant;
if (priorGrant == null)
{
AuthenticationResponseGrant = new AuthenticationResponseGrant(new ClaimsPrincipal(identities), properties);
}
else
{
ClaimsIdentity[] mergedIdentities = priorGrant.Principal.Identities.Concat(identities).ToArray();
if (properties != null)
{
// Update prior properties
foreach (var propertiesPair in properties.Dictionary)
{
priorGrant.Properties.Dictionary[propertiesPair.Key] = propertiesPair.Value;
}
}
AuthenticationResponseGrant = new AuthenticationResponseGrant(new ClaimsPrincipal(mergedIdentities), priorGrant.Properties);
}
}
public void SignOut(AuthenticationProperties properties, string[] authenticationTypes)
{
AuthenticationResponseGrant priorGrant = AuthenticationResponseGrant;
if (priorGrant != null)
{
// Scan the sign-in's and remove any with a matching auth type.
ClaimsIdentity[] filteredIdentities = priorGrant.Principal.Identities
.Where(identity => !authenticationTypes.Contains(identity.AuthenticationType, StringComparer.Ordinal))
.ToArray();
if (filteredIdentities.Length < priorGrant.Principal.Identities.Count())
{
if (filteredIdentities.Length == 0)
{
AuthenticationResponseGrant = null;
}
else
{
AuthenticationResponseGrant = new AuthenticationResponseGrant(new ClaimsPrincipal(filteredIdentities), priorGrant.Properties);
}
}
}
AuthenticationResponseRevoke priorRevoke = AuthenticationResponseRevoke;
if (priorRevoke == null)
{
AuthenticationResponseRevoke = new AuthenticationResponseRevoke(authenticationTypes, properties);
}
else
{
if (properties != null && !object.ReferenceEquals(properties.Dictionary, priorRevoke.Properties.Dictionary))
{
// Update prior properties
foreach (var propertiesPair in properties.Dictionary)
{
priorRevoke.Properties.Dictionary[propertiesPair.Key] = propertiesPair.Value;
}
}
// Cumulative auth types
string[] mergedAuthTypes = priorRevoke.AuthenticationTypes.Concat(authenticationTypes).ToArray();
AuthenticationResponseRevoke = new AuthenticationResponseRevoke(mergedAuthTypes, priorRevoke.Properties);
}
}
public void SignOut(string[] authenticationTypes)
{
AuthenticationResponseGrant priorGrant = AuthenticationResponseGrant;
if (priorGrant != null)
{
// Scan the sign-in's and remove any with a matching auth type.
ClaimsIdentity[] filteredIdentities = priorGrant.Principal.Identities
.Where(identity => !authenticationTypes.Contains(identity.AuthenticationType, StringComparer.Ordinal))
.ToArray();
if (filteredIdentities.Length < priorGrant.Principal.Identities.Count())
{
if (filteredIdentities.Length == 0)
{
AuthenticationResponseGrant = null;
}
else
{
AuthenticationResponseGrant = new AuthenticationResponseGrant(new ClaimsPrincipal(filteredIdentities), priorGrant.Properties);
}
}
}
AuthenticationResponseRevoke priorRevoke = AuthenticationResponseRevoke;
if (priorRevoke == null)
{
AuthenticationResponseRevoke = new AuthenticationResponseRevoke(authenticationTypes);
}
else
{
// Cumulative auth types
string[] mergedAuthTypes = priorRevoke.AuthenticationTypes.Concat(authenticationTypes).ToArray();
AuthenticationResponseRevoke = new AuthenticationResponseRevoke(mergedAuthTypes);
}
}
public void SignOut(string[] authenticationTypes)
{
AuthenticationResponseRevoke = new AuthenticationResponseRevoke(authenticationTypes);
}
private async Task KentorAuthServicesAuthenticationMiddleware_CreatesRedirectOnAuthRevoke_PreservesRedirect(
string location, string expectedUrl, string path = "/Account/LogOut")
{
var revoke = new AuthenticationResponseRevoke(new string[0]);
var options = new KentorAuthServicesAuthenticationOptions(true);
((SPOptions)options.SPOptions).PublicOrigin = new Uri("https://sp.example.com/ExternalPath/");
var subject = new KentorAuthServicesAuthenticationMiddleware(
new StubOwinMiddleware(303, revoke: revoke),
CreateAppBuilder(),
options);
var context = OwinTestHelpers.CreateOwinContext();
context.Request.Scheme = "http";
context.Request.Host = new HostString("sp-internal.example.com");
context.Request.PathBase = new PathString("/AppPath");
context.Request.Path = new PathString(path);
context.Response.Headers["Location"] = location;
Thread.CurrentPrincipal = new ClaimsPrincipal(
new ClaimsIdentity(new Claim[]
{
new Claim(ClaimTypes.NameIdentifier, "NameId", null, "https://idp.example.com"),
new Claim(AuthServicesClaimTypes.SessionIndex, "SessionId", null, "https://idp.example.com")
}, "Federation"));
await subject.Invoke(context);
var cookieValue = context.Response.Headers["Set-Cookie"].Split(';', '=')[1]
.Replace('_', '/').Replace('-', '+').Replace('.', '=');
var returnUrl = Encoding.UTF8.GetString(options.DataProtector.Unprotect(
Convert.FromBase64String(cookieValue)));
returnUrl.Should().Be(expectedUrl);
}
public void SignOut(string[] authenticationTypes)
{
AuthenticationResponseGrant priorGrant = AuthenticationResponseGrant;
if (priorGrant != null)
{
// Scan the sign-in's and remove any with a matching auth type.
ClaimsIdentity[] filteredIdentities = priorGrant.Principal.Identities
.Where(identity => !authenticationTypes.Contains(identity.AuthenticationType, StringComparer.Ordinal))
.ToArray();
if (filteredIdentities.Length < priorGrant.Principal.Identities.Count())
{
if (filteredIdentities.Length == 0)
{
AuthenticationResponseGrant = null;
}
else
{
AuthenticationResponseGrant = new AuthenticationResponseGrant(new ClaimsPrincipal(filteredIdentities), priorGrant.Properties);
}
}
}
AuthenticationResponseRevoke priorRevoke = AuthenticationResponseRevoke;
if (priorRevoke == null)
{
AuthenticationResponseRevoke = new AuthenticationResponseRevoke(authenticationTypes);
}
else
{
// Cumulative auth types
string[] mergedAuthTypes = priorRevoke.AuthenticationTypes.Concat(authenticationTypes).ToArray();
AuthenticationResponseRevoke = new AuthenticationResponseRevoke(mergedAuthTypes);
}
}
public void SignIn(AuthenticationProperties properties, params ClaimsIdentity[] identities)
{
AuthenticationResponseRevoke priorRevoke = AuthenticationResponseRevoke;
if (priorRevoke != null)
{
// Scan the sign-outs's and remove any with a matching auth type.
string[] filteredSignOuts = priorRevoke.AuthenticationTypes
.Where(authType => !identities.Any(identity => identity.AuthenticationType.Equals(authType, StringComparison.Ordinal)))
.ToArray();
if (filteredSignOuts.Length < priorRevoke.AuthenticationTypes.Length)
{
if (filteredSignOuts.Length == 0)
{
AuthenticationResponseRevoke = null;
}
else
{
AuthenticationResponseRevoke = new AuthenticationResponseRevoke(filteredSignOuts);
}
}
}
AuthenticationResponseGrant priorGrant = AuthenticationResponseGrant;
if (priorGrant == null)
{
AuthenticationResponseGrant = new AuthenticationResponseGrant(new ClaimsPrincipal(identities), properties);
}
else
{
ClaimsIdentity[] mergedIdentities = priorGrant.Principal.Identities.Concat(identities).ToArray();
if (properties != null)
{
// Update prior properties
foreach (var propertiesPair in properties.Dictionary)
{
priorGrant.Properties.Dictionary[propertiesPair.Key] = propertiesPair.Value;
}
}
AuthenticationResponseGrant = new AuthenticationResponseGrant(new ClaimsPrincipal(mergedIdentities), priorGrant.Properties);
}
}
public async Task GivenNextMiddlewareRevokesAuth_ItRemovesForceSslCookie()
{
// Arrange
var context = Fakes.CreateOwinContext();
var next = Fakes.CreateOwinMiddleware();
var app = new AppBuilder();
var revoke = new AuthenticationResponseRevoke(new string[0]);
next.Setup(n => n.Invoke(context))
.Returns<IOwinContext>(c =>
{
c.Authentication.AuthenticationResponseRevoke = revoke;
return Task.FromResult<object>(null);
});
context.Request
.SetUrl("http://nuget.local/foo/bar/baz?qux=qooz");
var middleware = new ForceSslWhenAuthenticatedMiddleware(next.Object, app, "ForceSSL", 443);
// Act
await middleware.Invoke(context);
// Assert
OwinAssert.DeletesCookie(context.Response, "ForceSSL");
}
public async Task KentorAuthServicesAuthenticationMiddleware_CreatesRedirectOnAuthRevoke()
{
var revoke = new AuthenticationResponseRevoke(new string[0]);
var options = new KentorAuthServicesAuthenticationOptions(true);
((SPOptions)options.SPOptions).PublicOrigin = new Uri("https://sp.example.com/ExternalPath/");
var subject = new KentorAuthServicesAuthenticationMiddleware(
new StubOwinMiddleware(200, revoke: revoke),
CreateAppBuilder(),
options);
var context = OwinTestHelpers.CreateOwinContext();
context.Request.Scheme = "http";
context.Request.Host = new HostString("sp-internal.example.com");
context.Request.PathBase = new PathString("/InternalPath");
context.Request.Path = new PathString("/LoggedOut");
Thread.CurrentPrincipal = new ClaimsPrincipal(
new ClaimsIdentity(new Claim[]
{
new Claim(ClaimTypes.NameIdentifier, "NameId", null, "https://idp.example.com"),
new Claim(AuthServicesClaimTypes.SessionIndex, "SessionId", null, "https://idp.example.com")
}, "Federation"));
await subject.Invoke(context);
context.Response.StatusCode.Should().Be(303);
context.Response.Headers["Location"].Should().StartWith("https://idp.example.com/logout?SAMLRequest");
var returnUrl = ExtractRequestState(options.DataProtector, context).ReturnUrl;
returnUrl.Should().Be("https://sp.example.com/ExternalPath/LoggedOut");
}
public async Task KentorAuthServicesAuthenticationMiddleware_CreatesRedirectOnAuthRevoke_UsesAuthPropsReturnUrl()
{
var authPropsReturnUrl = "http://sp.exmample.com/AuthPropsLogout";
var revoke = new AuthenticationResponseRevoke(
new string[0],
new AuthenticationProperties { RedirectUri = authPropsReturnUrl });
var options = new KentorAuthServicesAuthenticationOptions(true);
options.SPOptions.PublicOrigin = new Uri("https://sp.example.com/ExternalPath/");
var subject = new KentorAuthServicesAuthenticationMiddleware(
new StubOwinMiddleware(303, revoke: revoke),
CreateAppBuilder(),
options);
var context = OwinTestHelpers.CreateOwinContext();
context.Response.Headers["Location"] = "http://sp.example.com/locationHeader";
context.Request.User = new ClaimsPrincipal(
new ClaimsIdentity(new Claim[]
{
new Claim(AuthServicesClaimTypes.LogoutNameIdentifier, ",,,,NameId", null, "https://idp.example.com"),
new Claim(AuthServicesClaimTypes.SessionIndex, "SessionId", null, "https://idp.example.com")
}, "Federation"));
await subject.Invoke(context);
var cookieValue = context.Response.Headers["Set-Cookie"].Split(';', '=')[1];
var returnUrl = new StoredRequestState(options.DataProtector.Unprotect(
HttpRequestData.GetBinaryData(cookieValue))).ReturnUrl;
returnUrl.Should().Be(authPropsReturnUrl);
}
public async Task KentorAuthServicesAuthenticationMiddleware_AuthRevoke_HonorsCommandResultHandled()
{
var revoke = new AuthenticationResponseRevoke(new string[0]);
var options = new KentorAuthServicesAuthenticationOptions(true)
{
Notifications = new KentorAuthServicesNotifications
{
LogoutCommandResultCreated = cr =>
{
cr.HandledResult = true;
}
}
};
var subject = new KentorAuthServicesAuthenticationMiddleware(
new StubOwinMiddleware(200, revoke: revoke),
CreateAppBuilder(),
options);
var context = OwinTestHelpers.CreateOwinContext();
context.Request.Scheme = "http";
context.Request.Host = new HostString("sp-internal.example.com");
context.Request.PathBase = new PathString("/InternalPath");
context.Request.Path = new PathString("/LoggedOut");
context.Request.User = new ClaimsPrincipal(
new ClaimsIdentity(new Claim[]
{
new Claim(ClaimTypes.NameIdentifier, "NameId", null, "https://idp.example.com"),
new Claim(AuthServicesClaimTypes.SessionIndex, "SessionId", null, "https://idp.example.com")
}, "Federation"));
await subject.Invoke(context);
context.Response.StatusCode.Should().Be(200);
}
public void Revoke(string[] authenticationTypes)
{
AuthenticationResponseRevoke = new AuthenticationResponseRevoke(authenticationTypes);
}
private async Task KentorAuthServicesAuthenticationMiddleware_CreatesRedirectOnAuthRevoke_PreservesRedirect(
string location, string expectedUrl, string path = "/Account/LogOut", AuthenticationProperties authProps = null)
{
var revoke = new AuthenticationResponseRevoke(new string[0]);
var options = new KentorAuthServicesAuthenticationOptions(true);
options.SPOptions.PublicOrigin = new Uri("https://sp.example.com/ExternalPath/");
var subject = new KentorAuthServicesAuthenticationMiddleware(
new StubOwinMiddleware(303, revoke: revoke),
CreateAppBuilder(),
options);
var context = OwinTestHelpers.CreateOwinContext();
context.Request.Scheme = "http";
context.Request.Host = new HostString("sp-internal.example.com");
context.Request.PathBase = new PathString("/AppPath");
context.Request.Path = new PathString(path);
context.Response.Headers["Location"] = location;
context.Request.User = new ClaimsPrincipal(
new ClaimsIdentity(new Claim[]
{
new Claim(AuthServicesClaimTypes.LogoutNameIdentifier, ",,,,NameId", null, "https://idp.example.com"),
new Claim(AuthServicesClaimTypes.SessionIndex, "SessionId", null, "https://idp.example.com")
}, "Federation"));
await subject.Invoke(context);
var cookieValue = context.Response.Headers["Set-Cookie"].Split(';', '=')[1];
var returnUrl = new StoredRequestState(options.DataProtector.Unprotect(
HttpRequestData.GetBinaryData(cookieValue))).ReturnUrl;
returnUrl.Should().Be(expectedUrl);
}
public void SignOut(AuthenticationProperties properties, string[] authenticationTypes)
{
AuthenticationResponseGrant priorGrant = AuthenticationResponseGrant;
if (priorGrant != null)
{
// Scan the sign-in's and remove any with a matching auth type.
ClaimsIdentity[] filteredIdentities = priorGrant.Principal.Identities
.Where(identity => !authenticationTypes.Contains(identity.AuthenticationType, StringComparer.Ordinal))
.ToArray();
if (filteredIdentities.Length < priorGrant.Principal.Identities.Count())
{
if (filteredIdentities.Length == 0)
{
AuthenticationResponseGrant = null;
}
else
{
AuthenticationResponseGrant = new AuthenticationResponseGrant(new ClaimsPrincipal(filteredIdentities), priorGrant.Properties);
}
}
}
AuthenticationResponseRevoke priorRevoke = AuthenticationResponseRevoke;
if (priorRevoke == null)
{
AuthenticationResponseRevoke = new AuthenticationResponseRevoke(authenticationTypes, properties);
}
else
{
if (properties != null && !object.ReferenceEquals(properties.Dictionary, priorRevoke.Properties.Dictionary))
{
// Update prior properties
foreach (var propertiesPair in properties.Dictionary)
{
priorRevoke.Properties.Dictionary[propertiesPair.Key] = propertiesPair.Value;
}
}
// Cumulative auth types
string[] mergedAuthTypes = priorRevoke.AuthenticationTypes.Concat(authenticationTypes).ToArray();
AuthenticationResponseRevoke = new AuthenticationResponseRevoke(mergedAuthTypes, priorRevoke.Properties);
}
}
