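/// <summary>
/// Verifies that a globally registered JWT authorization filter rejects a malformed bearer token
/// with 401 and writes a security log event if, and only if, <c>EmitSecurityEvents</c> was enabled.
/// </summary>
/// <param name="emitSecurityEvents">Whether the JWT filter is configured to emit security events.</param>
public async Task JwtAuthorizedRoute_EmitSecurityEventsWhenRequested_RunsAuthorization(bool emitSecurityEvents)
{
    // Arrange
    var spySink = new InMemorySink();
    var options = new TestApiServerOptions()
        .ConfigureServices(services =>
        {
            services.AddMvc(opt => opt.Filters.AddJwtTokenAuthorization(jwt => jwt.EmitSecurityEvents = emitSecurityEvents));
        })
        .ConfigureHost(host => host.UseSerilog((context, config) => config.WriteTo.Sink(spySink)));

    await using (var server = await TestApiServer.StartNewAsync(options, _logger))
    {
        // Two random dot-separated segments: deliberately not a well-formed JWT, so the
        // filter must reject it without ever reaching signature validation.
        string accessToken = $"Bearer {_bogusGenerator.Random.AlphaNumeric(10)}.{_bogusGenerator.Random.AlphaNumeric(50)}";
        var request = HttpRequestBuilder
            .Get(HealthController.GetRoute)
            .WithHeader(JwtTokenAuthorizationOptions.DefaultHeaderName, accessToken);

        // Act
        using (HttpResponseMessage response = await server.SendAsync(request))
        {
            // Assert
            Assert.Equal(HttpStatusCode.Unauthorized, response.StatusCode);

            // A security event is recognised purely by its rendered message text; this mirrors
            // how the rest of the suite detects such events.
            IEnumerable<LogEvent> logEvents = spySink.DequeueLogEvents();
            bool hasSecurityEvent = logEvents.Any(IsSecurityEvent);

            // Assert.Equal reports expected vs. actual on failure, unlike Assert.True(a == b).
            Assert.Equal(emitSecurityEvents, hasSecurityEvent);
        }
    }

    static bool IsSecurityEvent(LogEvent logEvent)
    {
        string message = logEvent.RenderMessage();
        return message.Contains("EventType") && message.Contains("Security");
    }
}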
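/// <summary>
/// Verifies that a globally registered shared-access-key filter rejects a request that carries
/// no key header with 401 and writes a security log event if, and only if,
/// <c>EmitSecurityEvents</c> was enabled.
/// </summary>
/// <param name="emitsSecurityEvents">Whether the shared-access-key filter is configured to emit security events.</param>
public async Task SharedAccessKeyAuthorizedRoute_EmitsSecurityEventsWhenRequested_RunsAuthentication(bool emitsSecurityEvents)
{
    // Arrange
    var spySink = new InMemorySink();
    var options = new TestApiServerOptions()
        .ConfigureServices(services =>
        {
            // The expected key is a fresh per-run secret in an in-memory store; the request below
            // never sends it, so authentication must fail.
            services.AddSecretStore(stores => stores.AddInMemory(SecretName, $"secret-{Guid.NewGuid()}"))
                    .AddMvc(opt => opt.Filters.AddSharedAccessKeyAuthenticationOnHeader(HeaderName, SecretName, authOptions =>
                    {
                        authOptions.EmitSecurityEvents = emitsSecurityEvents;
                    }));
        })
        .ConfigureHost(host => host.UseSerilog((context, config) => config.WriteTo.Sink(spySink)));

    await using (var server = await TestApiServer.StartNewAsync(options, _logger))
    {
        var request = HttpRequestBuilder.Get(HealthController.GetRoute);

        // Act
        using (HttpResponseMessage response = await server.SendAsync(request))
        {
            // Assert
            Assert.Equal(HttpStatusCode.Unauthorized, response.StatusCode);

            IEnumerable<LogEvent> logEvents = spySink.DequeueLogEvents();
            bool hasSecurityEvent = logEvents.Any(IsSecurityEvent);

            // Assert.Equal reports expected vs. actual on failure, unlike Assert.True(a == b).
            Assert.Equal(emitsSecurityEvents, hasSecurityEvent);
        }
    }

    // A security event is recognised purely by its rendered message text.
    static bool IsSecurityEvent(LogEvent logEvent)
    {
        string message = logEvent.RenderMessage();
        return message.Contains("EventType") && message.Contains("Security");
    }
}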
/// <summary>
/// Verifies that, with no explicit <c>EmitSecurityEvents</c> configuration, a shared-access-key
/// protected route still rejects an unauthenticated request with 401 but writes no security log event.
/// </summary>
public async Task SharedAccessKeyAuthorizedRoute_DoesntEmitSecurityEventsByDefault_RunsAuthentication()
{
    // Arrange
    var sink = new InMemorySink();
    var serverOptions = new TestApiServerOptions()
        .ConfigureServices(services => services.AddSecretStore(stores => stores.AddInMemory(SecretName, $"secret-{Guid.NewGuid()}")))
        .ConfigureHost(host => host.UseSerilog((context, config) => config.WriteTo.Sink(sink)));

    await using (var server = await TestApiServer.StartNewAsync(serverOptions, _logger))
    {
        // No key header is attached, so the route's own authentication must reject the call.
        var unauthenticatedRequest = HttpRequestBuilder.Get(SharedAccessKeyAuthenticationController.AuthorizedGetRoute);

        // Act
        using (HttpResponseMessage response = await server.SendAsync(unauthenticatedRequest))
        {
            // Assert
            Assert.Equal(HttpStatusCode.Unauthorized, response.StatusCode);

            IEnumerable<LogEvent> captured = sink.DequeueLogEvents();
            Assert.DoesNotContain(captured, LooksLikeSecurityEvent);
        }
    }

    // A security event is recognised purely by its rendered message text.
    static bool LooksLikeSecurityEvent(LogEvent logEvent)
    {
        string rendered = logEvent.RenderMessage();
        return rendered.Contains("EventType") && rendered.Contains("Security");
    }
}
/// <summary>
/// Asserts that the events captured by <paramref name="testSink"/> carry the transaction and
/// operation identifiers of <paramref name="correlationInfo"/> as log properties.
/// Note that this dequeues (consumes) the sink's events.
/// </summary>
/// <param name="testSink">The Serilog sink that captured the log events.</param>
/// <param name="correlationInfo">The correlation identifiers that are expected to appear as log properties.</param>
private static void AssertLoggedCorrelationProperties(InMemorySink testSink, CorrelationInfo correlationInfo)
{
    KeyValuePair<string, LogEventPropertyValue>[] loggedProperties =
        testSink.DequeueLogEvents()
                .SelectMany(logEvent => logEvent.Properties)
                .ToArray();

    IEnumerable<KeyValuePair<string, LogEventPropertyValue>> PropertiesNamed(string propertyName)
    {
        return loggedProperties.Where(property => property.Key == propertyName);
    }

    Assert.Contains(
        PropertiesNamed(TransactionIdPropertyName),
        property => correlationInfo.TransactionId == property.Value.ToStringValue());

    Assert.Contains(
        PropertiesNamed(OperationIdPropertyName),
        property => correlationInfo.OperationId == property.Value.ToStringValue());
}
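/// <summary>
/// Verifies that a globally registered certificate authentication filter rejects a request that
/// presents no client certificate with 401 and writes a security log event if, and only if,
/// <c>EmitSecurityEvents</c> was enabled.
/// </summary>
/// <param name="emitsSecurityEvents">Whether the certificate filter is configured to emit security events.</param>
/// <remarks>
/// NOTE(review): the method name says "SharedAccessKey" but the test exercises certificate
/// authentication; it also duplicates the name of the shared-access-key test, which would not
/// compile if both were in the same class. The name is kept here to avoid breaking test
/// discovery; consider renaming it to <c>CertificateAuthorizedRoute_...</c>.
/// </remarks>
public async Task SharedAccessKeyAuthorizedRoute_EmitsSecurityEventsWhenRequested_RunsAuthentication(bool emitsSecurityEvents)
{
    // Arrange
    const string issuerKey = "issuer";
    var spySink = new InMemorySink();
    var options = new TestApiServerOptions()
        .ConfigureServices(services =>
        {
            // The validator expects the issuer to be resolved from the secret store under `issuerKey`.
            var certificateValidator = new CertificateAuthenticationValidator(
                new CertificateAuthenticationConfigBuilder()
                    .WithIssuer(X509ValidationLocation.SecretProvider, issuerKey)
                    .Build());

            services.AddSecretStore(stores => stores.AddInMemory(issuerKey, "CN=issuer"))
                    .AddSingleton(certificateValidator)
                    .AddMvc(opt => opt.Filters.AddCertificateAuthentication(authOptions =>
                    {
                        authOptions.EmitSecurityEvents = emitsSecurityEvents;
                    }));
        })
        .ConfigureHost(host => host.UseSerilog((context, config) => config.WriteTo.Sink(spySink)));

    await using (var server = await TestApiServer.StartNewAsync(options, _logger))
    {
        // No client certificate is registered for this request, so the global filter must reject it.
        var request = HttpRequestBuilder.Get(NoneAuthenticationController.GetRoute);

        // Act
        using (HttpResponseMessage response = await server.SendAsync(request))
        {
            // Assert
            Assert.Equal(HttpStatusCode.Unauthorized, response.StatusCode);

            IEnumerable<LogEvent> logEvents = spySink.DequeueLogEvents();
            bool hasSecurityEvent = logEvents.Any(IsSecurityEvent);

            // Assert.Equal reports expected vs. actual on failure, unlike Assert.True(a == b).
            Assert.Equal(emitsSecurityEvents, hasSecurityEvent);
        }
    }

    // A security event is recognised purely by its rendered message text.
    static bool IsSecurityEvent(LogEvent logEvent)
    {
        string message = logEvent.RenderMessage();
        return message.Contains("EventType") && message.Contains("Security");
    }
}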
/// <summary>
/// Verifies that a route attributed with certificate authentication (security events enabled on
/// the route) rejects a client certificate whose subject does not match the configured one with
/// 401, and that a security log event is written.
/// </summary>
public async Task CertificateAuthorizedRoute_EmitsSecurityEventsWhenRequested_RunsAuthentication()
{
    // Arrange
    // The presented certificate's subject deliberately differs from the "CN=subject" value the
    // validator resolves from the secret store, so authentication must fail.
    using X509Certificate2 clientCertificate = SelfSignedCertificate.CreateWithSubject("unrecognized-subject-name");

    var sink = new InMemorySink();
    var serverOptions = new TestApiServerOptions()
        .ConfigureServices(services =>
        {
            var subjectConfig = new CertificateAuthenticationConfigBuilder()
                .WithSubject(X509ValidationLocation.SecretProvider, SubjectKey)
                .Build();
            var validator = new CertificateAuthenticationValidator(subjectConfig);

            services.AddSecretStore(stores => stores.AddInMemory(SubjectKey, "CN=subject"))
                    .AddClientCertificate(clientCertificate)
                    .AddSingleton(validator);
        })
        .ConfigureHost(host => host.UseSerilog((context, config) => config.WriteTo.Sink(sink)));

    await using (var server = await TestApiServer.StartNewAsync(serverOptions, _logger))
    {
        var request = HttpRequestBuilder.Get(CertificateAuthenticationOnMethodController.AuthorizedGetRouteEmitSecurityEvents);

        // Act
        using (HttpResponseMessage response = await server.SendAsync(request))
        {
            // Assert
            Assert.Equal(HttpStatusCode.Unauthorized, response.StatusCode);

            IEnumerable<LogEvent> captured = sink.DequeueLogEvents();
            Assert.Contains(captured, LooksLikeSecurityEvent);
        }
    }

    // A security event is recognised purely by its rendered message text.
    static bool LooksLikeSecurityEvent(LogEvent logEvent)
    {
        string rendered = logEvent.RenderMessage();
        return rendered.Contains("EventType") && rendered.Contains("Security");
    }
}