Exemple #1
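        /// <summary>
        /// Verifies that validation reports <see cref="HmacValidationResultCode.KeyMissing"/> when the key
        /// repository returns no key, even though the request carries an Authorization header with a signature.
        /// </summary>
        /// <remarks>
        /// This is a fail-closed check: a well-formed signature must not get a request through validation
        /// when no key can be resolved for the caller.
        /// </remarks>
        public void ShouldFailValidationDueToMissingKey()
        {
            // Arrange
            // The repository mock returns null for every username, i.e. no key is known for any caller.
            Mock <IHmacKeyRepository> mockKeyRepo = new Mock <IHmacKeyRepository>();

            mockKeyRepo.Setup(r => r.GetHmacKeyForUsername(It.IsAny <string>())).Returns((string)null);
            IHmacConfiguration configuration  = CreateConfiguration();
            IHmacSigner        signer         = new HmacSigner(configuration, mockKeyRepo.Object);
            HmacValidator      validator      = new HmacValidator(configuration, signer);

            // Date three minutes in the past; presumably still inside the maximum request age
            // that CreateConfiguration sets up - confirm against that helper.
            DateTimeOffset     dateTimeOffset = DateTimeOffset.UtcNow.AddMinutes(-3);
            string             dateString     = dateTimeOffset.ToString(HmacConstants.DateHeaderFormat, _dateHeaderCulture);
            HttpRequestBase    request        = CreateRequest(dateString);
            HmacSignatureData  signatureData  = signer.GetSignatureDataFromHttpRequest(request);

            // Supply a key by hand so a signature can be produced at all; the validator, which uses
            // the same signer and mocked repository, is still expected to find no key.
            signatureData.Key = "TestKey";
            string signature = signer.CreateSignature(signatureData);

            request.Headers[HmacConstants.AuthorizationHeaderName] = string.Format(
                HmacConstants.AuthorizationHeaderFormat,
                configuration.AuthorizationScheme,
                signature);

            // Act
            HmacValidationResult result = validator.ValidateHttpRequest(request);

            // Assert
            Assert.IsNotNull(result);
            Assert.IsNotNull(result.ErrorMessage);

            // Expected value first, actual second, so a failure message names the two the right way round.
            Assert.AreEqual(HmacValidationResultCode.KeyMissing, result.ResultCode);
        }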
Exemple #2
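        /// <summary>
        /// Verifies that validation reports <see cref="HmacValidationResultCode.DateMissing"/> when the
        /// Date header is stripped from a request that was signed while the header was still present.
        /// </summary>
        /// <remarks>
        /// The Date header is what a maximum-request-age check works from, so a request without it
        /// must be rejected instead of being treated as fresh.
        /// </remarks>
        public void ShouldFailValidationDueToMissingDate()
        {
            // Arrange
            IHmacConfiguration configuration  = CreateConfiguration();
            IHmacSigner        signer         = new HmacSigner(configuration, _keyRepository);
            HmacValidator      validator      = new HmacValidator(configuration, signer);
            DateTimeOffset     dateTimeOffset = DateTimeOffset.UtcNow.AddMinutes(-3);
            string             dateString     = dateTimeOffset.ToString(HmacConstants.DateHeaderFormat, _dateHeaderCulture);
            HttpRequestBase    request        = CreateRequest(dateString);

            // The signature is computed while the Date header is still on the request.
            HmacSignatureData  signatureData  = signer.GetSignatureDataFromHttpRequest(request);
            string             signature      = signer.CreateSignature(signatureData);

            request.Headers[HmacConstants.AuthorizationHeaderName] = string.Format(
                HmacConstants.AuthorizationHeaderFormat,
                configuration.AuthorizationScheme,
                signature);

            // Drop the Date header after signing, so the validator sees an Authorization header but no date.
            // NOTE(review): presumably the header is only mandatory when a maximum request age is
            // configured - confirm that CreateConfiguration sets one, otherwise this test proves nothing.
            request.Headers.Remove(HmacConstants.DateHeaderName);

            // Act
            HmacValidationResult result = validator.ValidateHttpRequest(request);

            // Assert
            Assert.IsNotNull(result);
            Assert.IsNotNull(result.ErrorMessage);

            // Expected value first, actual second, so a failure message names the two the right way round.
            Assert.AreEqual(HmacValidationResultCode.DateMissing, result.ResultCode);
        }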
Exemple #3
        /// <summary>
        /// Validates a complete <see cref="HttpRequestMessage"/> against the HMAC rules.
        /// </summary>
        /// <param name="request">The HTTP request message to check.</param>
        /// <returns>A <see cref="HmacValidationResult"/> describing the outcome of the validation.</returns>
        /// <remarks>
        /// Validation rules:
        /// - When a maximum request age is configured, the Date header has to be present and may not be older than that age;
        /// - When a user header name is configured, the username header has to be present;
        /// - A key has to be found for the request;
        /// - The Authorization header has to be present, use the correct authorization scheme and contain a signature;
        /// - The signature built from the extracted signature data has to equal the one in the Authorization header.
        ///
        /// For requests with a body:
        /// - If Content-MD5 validation is enabled in the configuration, the Content-MD5 header value has to equal an MD5 hash of the body.
        /// </remarks>
        /// <exception cref="ArgumentNullException">The request is null.</exception>
        /// <exception cref="HmacConfigurationException">One or more of the configuration parameters are invalid.</exception>
        public virtual HmacValidationResult ValidateHttpRequest(HttpRequestMessage request)
        {
            if (request == null)
            {
                throw new ArgumentNullException(nameof(request), "The request cannot be null.");
            }

            // Wrap the message first, then pull the signature data out of the same request.
            HmacRequestWrapper wrappedRequest = new HmacRequestWrapper(request);
            HmacSignatureData  extractedData  = HmacSigner.GetSignatureDataFromHttpRequest(request);

            // NOTE(review): the rule checks and the signature comparison happen in the overload called
            // here, which is not part of this listing - confirm the comparison there is constant-time.
            // NOTE(review): MD5 is not collision resistant; the Content-MD5 check should be relied on
            // for body integrity only as far as the signature also covers the body hash - confirm.
            return ValidateHttpRequest(wrappedRequest, extractedData);
        }
Exemple #4
        /// <summary>
        /// Verifies that the signer extracts every signature field from an HTTP request:
        /// key, method, Content-MD5, content type, date, username, request URI and headers.
        /// </summary>
        public void ShouldGetSignatureDataFromHttpRequest()
        {
            // Arrange
            IHmacConfiguration config      = CreateConfiguration();
            string             httpDate    = CreateHttpDateString();
            HttpRequestBase    httpRequest = CreateRequest(httpDate);
            HmacSigner         hmacSigner  = new HmacSigner(config, _keyRepository);

            // Act
            HmacSignatureData extracted = hmacSigner.GetSignatureDataFromHttpRequest(httpRequest);

            // Assert
            Assert.IsNotNull(extracted);

            // Key and username are compared with what the test key repository exposes.
            Assert.AreEqual(_keyRepository.Key, extracted.Key);
            Assert.AreEqual(httpRequest.HttpMethod, extracted.HttpMethod);

            // Content fields are compared with the fixture values of the test class.
            Assert.AreEqual(_base64Md5Hash, extracted.ContentMd5);
            Assert.AreEqual(ContentType, extracted.ContentType);
            Assert.AreEqual(httpDate, extracted.Date);
            Assert.AreEqual(_keyRepository.Username, extracted.Username);
            Assert.AreEqual(Url, extracted.RequestUri);

            // At least one header has to end up in the signature data.
            Assert.IsNotNull(extracted.Headers);
            Assert.IsTrue(extracted.Headers.Count > 0);
        }