public void EvaluateReturnsIgnoreAppropriatelyWhenRequestIsAjax()
{
// Arrange.
var mockRequest = new Mock <HttpRequestBase>();
mockRequest.SetupGet(req => req.RawUrl).Returns("/getdata/");
var requestEvaluator = new RequestEvaluator();
// Act.
RequestSecurity resultForNonAjaxRequest = requestEvaluator.Evaluate(mockRequest.Object, _fixture.Settings);
var queryString = new NameValueCollection {
{ RequestEvaluator.XRequestedWithHeaderKey, RequestEvaluator.AjaxRequestHeaderValue }
};
mockRequest.Setup(req => req.QueryString).Returns(queryString);
RequestSecurity resultForAjaxRequest = requestEvaluator.Evaluate(mockRequest.Object, _fixture.Settings);
_fixture.Settings.IgnoreAjaxRequests = false;
RequestSecurity resultForAjaxRequestWithIgnoreOff = requestEvaluator.Evaluate(mockRequest.Object, _fixture.Settings);
// Assert.
Assert.NotEqual(RequestSecurity.Ignore, resultForNonAjaxRequest);
Assert.Equal(RequestSecurity.Ignore, resultForAjaxRequest);
Assert.NotEqual(RequestSecurity.Ignore, resultForAjaxRequestWithIgnoreOff);
}
public void EvaluateReturnsIgnoreAppropriatelyWhenRequestPathIndicatesImage()
{
// Arrange.
var pathsToTest = new[] {
"/non-typical-image.psd",
"/Media/Document.pdf",
"/Images/SomeService/",
"/Images/SomeService/?someKey=someValue",
"/images/img-handler.ashx",
"/images/img-handler.ashx?some-key=some-value",
"/Manage/Images/indicator-alert.bmp",
"/info/signs/sign1.gif",
"/faavicon.ico",
"/Media/logo.jpg",
"/Media/other-logo.jpeg",
"/SomeImage.png",
"/drawings/machine.design.svg",
"/Info/some-image.tiff",
"/Info/another-image.tif",
"/OtherResource.axd/resourceImage.webp",
"/OddBall.xbm",
"/Manage/Images/indicator-alert.bmp?someKey=someValue",
"/info/signs/sign1.gif#hash",
"/faavicon.ico?flag",
"/Media/logo.jpg?some-key=some-value&other-key=other-value",
"/Media/other-logo.jpeg?someKey=someValue#here",
"/SomeImage.png?someKey=someValue&otherKey=otherValue#here-nor-there",
"/drawings/machine.design.svg#hash.sub",
"/Info/some-image.tiff?some.key=some.value",
"/Info/another-image.tif?some.key=some.value#hash.sub",
"/OtherResource.axd/resourceImage.webp?",
"/OddBall.xbm?#"
};
var results = new RequestSecurity[pathsToTest.Length];
var mockRequest = new Mock <HttpRequestBase>();
var requestEvaluator = new RequestEvaluator();
// Act.
for (int index = 0; index < pathsToTest.Length; index++)
{
string path = pathsToTest[index];
mockRequest.SetupGet(req => req.RawUrl).Returns(path);
results[index] = requestEvaluator.Evaluate(mockRequest.Object, _fixture.Settings);
}
// Assert.
for (int i = 0; i < 2; i++)
{
Assert.NotEqual(RequestSecurity.Ignore, results[i]);
}
for (int i = 2; i < results.Length; i++)
{
Assert.Equal(RequestSecurity.Ignore, results[i]);
}
}
/// <summary>
/// EndRequest is used to trigger the appropriate redirection. There are
/// currently three scenarios that require special redirections.
/// <list>
/// <item>
/// Request is unauthenticated and is being routed to the FormsLoginUrl
/// (typically caused by UrlAuthorizationModule). This request needs to
/// be intercepted to change the 'ReturnUrl' parameter to 'serviceName'
/// </item>
/// <item>
/// Request contains a CAS ticket in the URL. This request needs to be
/// redirected back to itself without the 'ticket' parameter in order to
/// avoid potential infinite automatic ticket validation loops for when
/// a the ticket in the URL has expired or was revoked and the Renew
/// configuration parameter is set.
/// </item>
/// <item>
/// Request is authenticated, but is not authorized to access the
/// requested resource (by UrlAuthorizationModule). If the CAS is
/// configured with a NotAuthorizedUrl, the request is redirected to
/// that page. Otherwise, it is redirected to the CAS login page with
/// a forced 'Renew' property (to prevent infinite redirect loops).
/// </item>
/// </list>
/// </summary>
/// <param name="sender">The HttpApplication that sent the request</param>
/// <param name="e">Not used</param>
private static void OnEndRequest(object sender, EventArgs e)
{
HttpContext context = HttpContext.Current;
HttpRequest request = context.Request;
if (RequestEvaluator.GetRequestIsAppropriateForCasAuthentication())
{
logger.Debug("Starting EndRequest for " + request.RawUrl);
if (RequestEvaluator.GetRequestRequiresGateway())
{
logger.Info(" Performing Gateway Authentication");
CasAuthentication.GatewayAuthenticate(true);
}
else if (RequestEvaluator.GetUserDoesNotAllowSessionCookies())
{
logger.Info(" Cookies not supported. Redirecting to Cookies Required Page");
CasAuthentication.RedirectToCookiesRequiredPage();
}
else if (RequestEvaluator.GetRequestHasCasTicket())
{
logger.Info(" Redirecting from login callback");
CasAuthentication.RedirectFromLoginCallback();
}
else if (RequestEvaluator.GetRequestHasGatewayParameter())
{
logger.Info(" Redirecting from failed gateway callback");
CasAuthentication.RedirectFromFailedGatewayCallback();
}
else if (RequestEvaluator.GetRequestIsUnauthorized() && !String.IsNullOrEmpty(CasAuthentication.NotAuthorizedUrl))
{
logger.Info(" Redirecting to Unauthorized Page");
CasAuthentication.RedirectToNotAuthorizedPage();
}
else if (RequestEvaluator.GetRequestIsUnauthorized())
{
logger.Info(" Redirecting to CAS Login Page (Unauthorized without NotAuthorizedUrl defined)");
CasAuthentication.RedirectToLoginPage(true);
}
else if (RequestEvaluator.GetRequestIsUnAuthenticated())
{
logger.Info(" Redirecting to CAS Login Page");
CasAuthentication.RedirectToLoginPage();
}
//Async post backs from UpdatePanels suppress the standard Forms Authentication redirect causing the above checks to fail.
else if (RequestEvaluator.IsAsyncPostBackRequest() && !RequestEvaluator.CheckUrlAccessForCurrentPrincipal())
{
context.Response.Redirect(UrlUtil.ConstructLoginRedirectUrl(false, CasAuthentication.Renew), false);
}
logger.Debug("Ending EndRequest for " + request.RawUrl);
}
else
{
logger.Debug("No EndRequest processing for " + request.RawUrl);
}
}
/// <summary>
/// EndRequest is used to trigger the appropriate redirection. There are
/// currently three scenarios that require special redirections.
/// <list>
/// <item>
/// Request is unauthenticated and is being routed to the FormsLoginUrl
/// (typically caused by UrlAuthorizationModule). This request needs to
/// be intercepted to change the 'ReturnUrl' parameter to 'serviceName'
/// </item>
/// <item>
/// Request contains a CAS ticket in the URL. This request needs to be
/// redirected back to itself without the 'ticket' parameter in order to
/// avoid potential infinite automatic ticket validation loops for when
/// a the ticket in the URL has expired or was revoked and the Renew
/// configuration parameter is set.
/// </item>
/// <item>
/// Request is authenticated, but is not authorized to access the
/// requested resource (by UrlAuthorizationModule). If the CAS is
/// configured with a NotAuthorizedUrl, the request is redirected to
/// that page. Otherwise, it is redirected to the CAS login page with
/// a forced 'Renew' property (to prevent infinite redirect loops).
/// </item>
/// </list>
/// </summary>
/// <param name="sender">The HttpApplication that sent the request</param>
/// <param name="e">Not used</param>
private static void OnEndRequest(object sender, EventArgs e)
{
HttpContext context = HttpContext.Current;
HttpRequest request = context.Request;
if (RequestEvaluator.GetRequestIsAppropriateForCasAuthentication())
{
logger.Debug("Starting EndRequest for " + request.RawUrl);
if (RequestEvaluator.GetRequestRequiresGateway())
{
logger.Info(" Performing Gateway Authentication");
CasAuthentication.GatewayAuthenticate(true);
}
else if (RequestEvaluator.GetUserDoesNotAllowSessionCookies())
{
logger.Info(" Cookies not supported. Redirecting to Cookies Required Page");
CasAuthentication.RedirectToCookiesRequiredPage();
}
else if (RequestEvaluator.GetRequestHasCasTicket())
{
logger.Info(" Redirecting from login callback");
CasAuthentication.RedirectFromLoginCallback();
}
else if (RequestEvaluator.GetRequestHasGatewayParameter())
{
logger.Info(" Redirecting from failed gateway callback");
CasAuthentication.RedirectFromFailedGatewayCallback();
}
else if (RequestEvaluator.GetRequestIsUnauthorized() && !String.IsNullOrEmpty(CasAuthentication.NotAuthorizedUrl))
{
logger.Info(" Redirecting to Unauthorized Page");
CasAuthentication.RedirectToNotAuthorizedPage();
}
else if (RequestEvaluator.GetRequestIsUnauthorized())
{
logger.Info(" Redirecting to CAS Login Page (Unauthorized without NotAuthorizedUrl defined)");
CasAuthentication.RedirectToLoginPage(true);
}
else if (RequestEvaluator.GetRequestIsUnAuthenticated())
{
logger.Info(" Redirecting to CAS Login Page");
CasAuthentication.RedirectToLoginPage();
}
logger.Debug("Ending EndRequest for " + request.RawUrl);
}
else
{
logger.Debug("No EndRequest processing for " + request.RawUrl);
}
}
public void EvaluateReturnsInsecureWhenNoSettingsPathsMatchRequestPath()
{
// Arrange.
var mockRequest = new Mock <HttpRequestBase>();
mockRequest.SetupGet(req => req.RawUrl).Returns("/Info/AboutUs.aspx");
var requestEvaluator = new RequestEvaluator();
// Act.
RequestSecurity security = requestEvaluator.Evaluate(mockRequest.Object, _fixture.Settings);
// Assert.
Assert.Equal(RequestSecurity.Insecure, security);
}
public void EvaluateReturnsIgnoreAppropriatelyWhenRequestPathIndicatesStyleSheet()
{
// Arrange.
var pathsToTest = new[] {
"/non-typical-image.psd",
"/Media/Document.pdf",
"/Styles/SomeService/",
"/StyleSheets/SomeService/?someKey=someValue",
"/styles/img-handler.ashx",
"/stylesheets/img-handler.ashx?some-key=some-value",
"/normalize.css",
"/Media/Styles/Site.css",
"/normalize.css?someKey=someValue",
"/Media/Styles/Site.css#hash",
"/normalize.css?flag",
"/Media/Styles/Site.css?some-key=some-value&other-key=other-value",
"/normalize.css?someKey=someValue#here",
"/Media/Styles/Site.css?someKey=someValue&otherKey=otherValue#here-nor-there",
"/normalize.alternative.css#hash.sub",
"/Media/Styles/Site.css?some.key=some.value",
"/normalize.css?some.key=some.value#hash.sub",
"/Media/Styles/Site.css/resourceImage.webp?",
"/normalize.css?#"
};
var results = new RequestSecurity[pathsToTest.Length];
var mockRequest = new Mock <HttpRequestBase>();
var requestEvaluator = new RequestEvaluator();
// Act.
for (int index = 0; index < pathsToTest.Length; index++)
{
string path = pathsToTest[index];
mockRequest.SetupGet(req => req.RawUrl).Returns(path);
results[index] = requestEvaluator.Evaluate(mockRequest.Object, _fixture.Settings);
}
// Assert.
for (int i = 0; i < 2; i++)
{
Assert.NotEqual(RequestSecurity.Ignore, results[i]);
}
for (int i = 2; i < results.Length; i++)
{
Assert.Equal(RequestSecurity.Ignore, results[i]);
}
}
public void EvaluateReturnsSecureWhenASecureSettingsPathMatchesRequestPath()
{
// Arrange.
var mockRequest = new Mock <HttpRequestBase>();
mockRequest.SetupGet(req => req.RawUrl).Returns("/login/");
var requestEvaluator = new RequestEvaluator();
// Act.
RequestSecurity security = requestEvaluator.Evaluate(mockRequest.Object, _fixture.Settings);
// Assert.
Assert.Equal(RequestSecurity.Secure, security);
}
public void EvaluateReturnsIgnoreWhenModeIsOff()
{
// Arrange.
var mockRequest = new Mock <HttpRequestBase>();
var settings = new Settings {
Mode = Mode.Off
};
var requestEvaluator = new RequestEvaluator();
// Act.
RequestSecurity security = requestEvaluator.Evaluate(mockRequest.Object, settings);
// Assert.
Assert.Equal(RequestSecurity.Ignore, security);
}
/// <summary>
/// Intercepts the beginning of the request pipeline. This will detect SingleSignOut
/// requests. SingleSignOut requests are posted back to the serviceName URL that
/// was passed when the CAS session was established. Since the behavior of the script
/// at that URL is unknown, a POST back by the CAS server could have unexpected
/// consequences. We want to prevent this request from authenticating and from
/// executing the HttpHandler typically associated with that URL. So we are handling
/// this by sending back an HTTP 200 (OK) message with a blank body and short
/// circuiting all event processing and firing EndRequest directly
/// (via CompleteRequest()).
/// </summary>
/// <param name="sender">The HttpApplication that sent the request</param>
/// <param name="e">Not used</param>
private static void OnBeginRequest(object sender, EventArgs e)
{
// Validate the ticket coming back from the CAS server (NETC-55)
if (!RequestEvaluator.GetRequestIsAppropriateForCasAuthentication())
{
logger.Debug("BeginRequest bypassed for " + HttpContext.Current.Request.RawUrl);
return;
}
CasAuthentication.Initialize();
HttpContext context = HttpContext.Current;
HttpRequest request = context.Request;
logger.Debug("Starting BeginRequest for " + request.RawUrl);
// Cleanup expired ServiceTickets in the ServiceTicketManager
if (CasAuthentication.ServiceTicketManager != null)
{
CasAuthentication.ServiceTicketManager.RemoveExpiredTickets();
}
// Cleanup expired ProxyTicket mappings in the ProxyTicketManager
if (CasAuthentication.ProxyTicketManager != null)
{
CasAuthentication.ProxyTicketManager.RemoveExpiredMappings();
}
// Detect & process inbound Single SignOut Requests from the CAS server
if (CasAuthentication.ServiceTicketManager != null && CasAuthentication.ProcessIncomingSingleSignOutRequests && RequestEvaluator.GetRequestIsCasSingleSignOut())
{
logger.Info("Processing inbound Single Sign Out request.");
CasAuthentication.ProcessSingleSignOutRequest();
return;
}
// Detect & process inbound proxy callback verifications from the CAS server
if (CasAuthentication.ProxyTicketManager != null && RequestEvaluator.GetRequestIsProxyResponse())
{
logger.Info("Processing Proxy Callback request");
CasAuthentication.ProcessProxyCallbackRequest();
return;
}
logger.Debug("Ending BeginRequest for " + request.RawUrl);
}
public static IEnumerable <(double, string)> EvaluateExpression(string exp)
{
try
{
Console.WriteLine($"Evaluating: {exp}");
var inputStream = new AntlrInputStream(exp);
var lexer = new DiceLexer(inputStream);
var tokenStream = new CommonTokenStream(lexer);
var parser = new DiceParser(tokenStream);
var context = parser.request();
var evaluator = new RequestEvaluator();
return(evaluator.Visit(context));
}
catch (Exception e)
{
Console.WriteLine(e);
return(new[] { (0.0, "Failed to parse and evaluate") });
public void EvaluateReturnsIgnoreWhenModeIsLocalOnlyAndRequestIsRemote()
{
// Arrange.
var mockRequest = new Mock <HttpRequestBase>();
mockRequest.SetupGet(req => req.IsLocal).Returns(false);
var settings = new Settings {
Mode = Mode.LocalOnly
};
var requestEvaluator = new RequestEvaluator();
// Act.
RequestSecurity security = requestEvaluator.Evaluate(mockRequest.Object, settings);
// Assert.
Assert.Equal(RequestSecurity.Ignore, security);
}
/// <summary>
/// Handles the authentication of the request.
///
/// If the request contains a ticket, this will validate the ticket and create a
/// FormsAuthenticationTicket and encrypted cookie container for it. It will redirect
/// to remove the ticket from the URL. With Forms-based authentication, this is
/// required to prevent the client from automatically/silently re-authenticating on a
/// refresh or after logout.
///
/// If the request does not contain a ticket, it checks for a FormsAuthentication
/// cookie, decrypts it, extracts the FormsAuthenticationTicket, verifies that it
/// exists in the StateProvider/ServiceTicketManager, and assigns a Principal to the
/// thread and context.User properties. All events after this request become
/// authenticated.
/// </summary>
/// <param name="sender">The HttpApplication that sent the request</param>
/// <param name="e">Not used</param>
private static void OnAuthenticateRequest(object sender, EventArgs e)
{
HttpContext context = HttpContext.Current;
HttpRequest request = context.Request;
// Validate the ticket coming back from the CAS server
if (!RequestEvaluator.GetRequestIsAppropriateForCasAuthentication())
{
logger.Debug("AuthenticateRequest bypassed for " + request.RawUrl);
return;
}
// Validate the ticket coming back from the CAS server
if (RequestEvaluator.GetRequestHasCasTicket())
{
logger.Info("Processing Proxy Callback request");
CasAuthentication.ProcessTicketValidation();
}
logger.Debug("Starting AuthenticateRequest for " + request.RawUrl);
CasAuthentication.ProcessRequestAuthentication();
logger.Debug("Ending AuthenticateRequest for " + request.RawUrl);
}
public void EvaluateReturnsIgnoreAppropriatelyWhenRequestIsSystemHandler()
{
// Arrange.
var pathsToTest = new[] {
"/",
"/Default.aspx",
"/Info/AboutUs.aspx",
"/info/aboutus/",
"/Manage/DownloadThatFile.axd",
"/Info/WebResource.axd?i=C3E19B2A-15F0-4174-A245-20F08C1DF4B8",
"/OtherResource.axd/additional/info",
"/trace.axd#details"
};
var results = new RequestSecurity[pathsToTest.Length];
var mockRequest = new Mock <HttpRequestBase>();
var requestEvaluator = new RequestEvaluator();
// Act.
for (int index = 0; index < pathsToTest.Length; index++)
{
string path = pathsToTest[index];
mockRequest.SetupGet(req => req.RawUrl).Returns(path);
results[index] = requestEvaluator.Evaluate(mockRequest.Object, _fixture.Settings);
}
// Assert.
for (int i = 0; i < 4; i++)
{
Assert.NotEqual(RequestSecurity.Ignore, results[i]);
}
for (int i = 4; i < results.Length; i++)
{
Assert.Equal(RequestSecurity.Ignore, results[i]);
}
}
