public async Task AuthorizedRoute_WithCertificateAuthentication_ShouldFailWithUnauthorized_WhenClientCertificateSubjectNameDoesntMatch()
{
// Arrange
string subjectKey = "subject", subjectValue = $"subject-{Guid.NewGuid()}";
_testServer.AddService <ISecretProvider>(new InMemorySecretProvider((subjectKey, subjectValue)));
_testServer.AddService(
new CertificateAuthenticationValidator(
new CertificateAuthenticationConfigBuilder()
.WithSubject(X509ValidationLocation.SecretProvider, subjectKey)
.Build()));
_testServer.AddFilter(new CertificateAuthenticationFilter());
using (X509Certificate2 clientCertificate = SelfSignedCertificate.CreateWithSubject("unrecognized-subject-name"))
{
_testServer.SetClientCertificate(clientCertificate);
using (HttpClient client = _testServer.CreateClient())
{
var request = new HttpRequestMessage(
HttpMethod.Get,
NoneAuthenticationController.Route);
// Act
using (HttpResponseMessage response = await client.SendAsync(request))
{
// Arrange
Assert.Equal(HttpStatusCode.Unauthorized, response.StatusCode);
}
}
}
}
public async Task OAuthAuthorizeOperationFilter_ShouldIncludeSecurityDefinitionResponses_OnAuthorizedOperations()
{
// Arrange
using (var client = _testServer.CreateClient())
// Act
using (HttpResponseMessage response = await client.GetAsync("swagger/v1/swagger.json"))
{
// Assert
Assert.Equal(HttpStatusCode.OK, response.StatusCode);
var reader = new OpenApiStreamReader();
using (var responseStream = await response.Content.ReadAsStreamAsync())
{
OpenApiDocument swagger = reader.Read(responseStream, out OpenApiDiagnostic diagnostic);
_outputWriter.WriteLine(diagnostic.Errors.Count == 0 ? String.Empty : String.Join(", ", diagnostic.Errors.Select(e => e.Message + ": " + e.Pointer)));
Assert.True(
swagger.Paths.TryGetValue("/oauth/authorize", out OpenApiPathItem oauthPath),
"Cannot find OAuth authorized path in Open API spec file");
Assert.True(
oauthPath.Operations.TryGetValue(OperationType.Get, out OpenApiOperation oauthOperation),
"Cannot find OAuth GET operation in Open API spec file");
OpenApiResponses oauthResponses = oauthOperation.Responses;
Assert.Contains(oauthResponses, r => r.Key == "401");
Assert.Contains(oauthResponses, r => r.Key == "403");
}
}
}
public async Task AuthorizedRoute_WithCertificateAuthenticationOnAppServiceHeader_ShouldSucceeds_WhenClientCertificateSubjectNameMatches(string actualSubject)
{
// Arrange
_testServer.AddService <ISecretProvider>(new InMemorySecretProvider((SubjectKey, $"CN={actualSubject}")));
_testServer.AddService(
new CertificateAuthenticationValidator(
new CertificateAuthenticationConfigBuilder()
.WithSubject(X509ValidationLocation.SecretProvider, SubjectKey)
.Build()));
const string expectedSubject = "known-subject";
using (HttpClient client = _testServer.CreateClient())
using (var cert = SelfSignedCertificate.CreateWithSubject(expectedSubject))
{
var request = new HttpRequestMessage(HttpMethod.Get, AuthorizedRoute);
string clientCertificate = Convert.ToBase64String(cert.RawData);
request.Headers.Add("X-ARR-ClientCert", clientCertificate);
// Act
using (HttpResponseMessage response = await client.SendAsync(request))
{
// Arrange
bool equalSubject = expectedSubject == actualSubject;
bool isUnauthorized = response.StatusCode == HttpStatusCode.Unauthorized;
Assert.True(equalSubject != isUnauthorized, "Client certificate with the same subject name should result in an OK HTTP status code");
}
}
}
public async Task GetHealthWithCorrectBearerToken_WithAzureManagedIdentityAuthorization_ReturnsOk()
{
// Arrange
string issuer = GenerateRandomUri();
string authority = GenerateRandomUri();
string privateKey = GenerateRandomPrivateKey();
using (var testOpenIdServer = await TestOpenIdServer.StartNewAsync(_outputWriter))
{
TokenValidationParameters tokenValidationParameters = testOpenIdServer.GenerateTokenValidationParametersWithValidAudience(issuer, authority, privateKey);
var reader = new JwtTokenReader(tokenValidationParameters, testOpenIdServer.OpenIdAddressConfiguration);
_testServer.AddFilter(filters => filters.AddJwtTokenAuthorization(options => options.JwtTokenReader = reader));
using (HttpClient client = _testServer.CreateClient())
using (var request = new HttpRequestMessage(HttpMethod.Get, HealthController.Route))
{
string accessToken = testOpenIdServer.RequestSecretToken(issuer, authority, privateKey, daysValid: 7);
request.Headers.Add(JwtTokenAuthorizationOptions.DefaultHeaderName, accessToken);
// Act
using (HttpResponseMessage response = await client.SendAsync(request))
{
// Assert
Assert.Equal(HttpStatusCode.OK, response.StatusCode);
}
}
}
}
public async Task SendRequest_WithSerilogCorrelationEnrichment_ReturnsOkWithEnrichedCorrelationLogProperties()
{
// Arrange
using (HttpClient client = _testServer.CreateClient())
// Act
using (HttpResponseMessage response = await client.GetAsync(Route))
{
// Assert
Assert.Equal(HttpStatusCode.OK, response.StatusCode);
CorrelationInfo correlationInfo = await AssertAppCorrelationInfoAsync(response);
AssertLoggedCorrelationProperties(correlationInfo);
}
}
public async Task GetHealthWithCorrectBearerToken_WithIncorrectAzureManagedIdentityAuthorization_ReturnsUnauthorized()
{
// Arrange
using (var testServer = new TestApiServer())
using (var testOpenIdServer = await TestOpenIdServer.StartNewAsync(_outputWriter))
{
var validationParameters = new TokenValidationParameters
{
ValidateAudience = false,
ValidateIssuer = false,
ValidateIssuerSigningKey = true,
ValidateLifetime = true
};
var reader = new JwtTokenReader(validationParameters, testOpenIdServer.OpenIdAddressConfiguration);
testServer.AddFilter(filters => filters.AddJwtTokenAuthorization(options => options.JwtTokenReader = reader));
using (HttpClient client = testServer.CreateClient())
using (var request = new HttpRequestMessage(HttpMethod.Get, HealthController.Route))
{
string accessToken = await testOpenIdServer.RequestAccessTokenAsync();
request.Headers.Add(JwtTokenAuthorizationOptions.DefaultHeaderName, accessToken);
// Act
using (HttpResponseMessage response = await client.SendAsync(request))
{
// Assert
Assert.Equal(HttpStatusCode.Unauthorized, response.StatusCode);
}
}
}
}
public async Task GetHealthWithIncorrectBearerToken_WithAzureManagedIdentityAuthorization_ReturnsUnauthorized()
{
// Arrange
using (var testServer = new TestApiServer())
using (var testOpenIdServer = await TestOpenIdServer.StartNewAsync(_outputWriter))
{
TokenValidationParameters validationParameters = await testOpenIdServer.GenerateTokenValidationParametersAsync();
var reader = new JwtTokenReader(validationParameters, testOpenIdServer.OpenIdAddressConfiguration);
testServer.AddFilter(filters => filters.AddJwtTokenAuthorization(options => options.JwtTokenReader = reader));
using (HttpClient client = testServer.CreateClient())
using (var request = new HttpRequestMessage(HttpMethod.Get, HealthController.Route))
{
string accessToken = $"Bearer {_bogusGenerator.Random.AlphaNumeric(10)}.{_bogusGenerator.Random.AlphaNumeric(50)}.{_bogusGenerator.Random.AlphaNumeric(40)}";
request.Headers.Add(JwtTokenAuthorizationOptions.DefaultHeaderName, accessToken);
// Act
using (HttpResponseMessage response = await client.SendAsync(request))
{
// Assert
Assert.Equal(HttpStatusCode.Unauthorized, response.StatusCode);
}
}
}
}
public async Task GetHealthWithCorrectBearerToken_WithAzureManagedIdentityAuthorization_ReturnsOk()
{
// Arrange
using (var testServer = new TestApiServer())
using (var testOpenIdServer = await TestOpenIdServer.StartNewAsync(_outputWriter))
{
TokenValidationParameters validationParameters = await testOpenIdServer.GenerateTokenValidationParametersAsync();
var reader = new JwtTokenReader(validationParameters, testOpenIdServer.OpenIdAddressConfiguration);
testServer.AddFilter(new AzureManagedIdentityAuthorizationFilter(reader));
using (HttpClient client = testServer.CreateClient())
using (var request = new HttpRequestMessage(HttpMethod.Get, HealthController.Route))
{
string accessToken = await testOpenIdServer.RequestAccessTokenAsync();
request.Headers.Add(AzureManagedIdentityAuthorizationFilter.DefaultHeaderName, accessToken);
// Act
using (HttpResponseMessage response = await client.SendAsync(request))
{
// Assert
Assert.Equal(HttpStatusCode.OK, response.StatusCode);
}
}
}
}
public async Task GetHealthWithCorrectBearerToken_WithAzureManagedIdentityAuthorizationAndCustomClaims_ReturnsOk()
{
// Arrange
string issuer = $"http://{Util.GetRandomString(10).ToLower()}.com";
string authority = $"http://{Util.GetRandomString(10).ToLower()}.com";
RSA rsa = new RSACryptoServiceProvider(512);
string privateKey = rsa.ToCustomXmlString(true);
using (var testServer = new TestApiServer())
using (var testOpenIdServer = await TestOpenIdServer.StartNewAsync(_outputWriter))
{
TokenValidationParameters tokenValidationParameters = testOpenIdServer.GenerateTokenValidationParametersWithValidAudience(issuer, authority, privateKey);
var reader = new JwtTokenReader(tokenValidationParameters, testOpenIdServer.OpenIdAddressConfiguration);
Dictionary <string, string> claimCheck = new Dictionary <string, string> {
{ JwtClaimTypes.Audience, Guid.NewGuid().ToString() }
};
testServer.AddFilter(filters => filters.AddJwtTokenAuthorization(options => options.JwtTokenReader = reader, claimCheck));
using (HttpClient client = testServer.CreateClient())
using (var request = new HttpRequestMessage(HttpMethod.Get, HealthController.Route))
{
string accessToken = testOpenIdServer.RequestSecretToken(issuer, authority, privateKey, 7, claimCheck);
request.Headers.Add(JwtTokenAuthorizationOptions.DefaultHeaderName, accessToken);
// Act
using (HttpResponseMessage response = await client.SendAsync(request))
{
// Assert
Assert.Equal(HttpStatusCode.OK, response.StatusCode);
}
}
}
}
public async Task SendRequest_WithVersionTracking_AddsApplicationVersionToResponse()
{
// Arrange
string expected = $"version-{Guid.NewGuid()}";
_testServer.AddServicesConfig(services => services.AddSingleton <IAppVersion>(provider => new StubAppVersion(expected)));
_testServer.AddConfigure(app => app.UseVersionTracking());
using (HttpClient client = _testServer.CreateClient())
// Act
using (HttpResponseMessage response = await client.GetAsync(EchoController.Route))
{
// Assert
Assert.True(response.Headers.TryGetValues(DefaultHeaderName, out IEnumerable <string> values));
Assert.Equal(expected, Assert.Single(values));
}
}
public async Task SendRequest_WithCorrelateOptionsNotAllowTransactionInRequest_ResponseWithBadRequest()
{
// Arrange
_testServer.AddServicesConfig(services => services.Configure <CorrelationInfoOptions>(options => options.Transaction.AllowInRequest = false));
using (HttpClient client = _testServer.CreateClient())
using (var request = new HttpRequestMessage(HttpMethod.Get, DefaultRoute))
{
request.Headers.Add(DefaultTransactionId, Guid.NewGuid().ToString());
// Act
using (HttpResponseMessage response = await client.SendAsync(request))
{
// Assert
Assert.Equal(HttpStatusCode.BadRequest, response.StatusCode);
Assert.DoesNotContain(response.Headers, header => header.Key == DefaultOperationId);
Assert.DoesNotContain(response.Headers, header => header.Key == DefaultTransactionId);
}
}
}
public async Task HandlesBadRequestException_ResultsInExceptionStatusCode()
{
// Arrange
using (HttpClient client = _testServer.CreateClient())
{
// Act
HttpResponseMessage response = await client.GetAsync(RequestBodyTooLargeRoute);
// Assert
Assert.Equal(HttpStatusCode.BadRequest, response.StatusCode);
}
}
private async Task <HttpResponseMessage> SendAuthorizedHttpRequestWithHeader(string headerName, IEnumerable <string> headerValues)
{
using (HttpClient client = _testServer.CreateClient())
{
var request = new HttpRequestMessage(HttpMethod.Get, AuthorizedRoute)
{
Headers = { { headerName, headerValues } }
};
return(await client.SendAsync(request));
}
}
public async Task GetRequest_TracksRequest_ReturnsSuccess()
{
// Arrange
const string headerName = "x-custom-header", headerValue = "custom header value", body = "echo me";
_testServer.AddConfigure(app => app.UseRequestTracking());
using (HttpClient client = _testServer.CreateClient())
{
var request = new HttpRequestMessage(HttpMethod.Get, EchoController.Route)
{
Headers = { { headerName, headerValue } },
Content = new StringContent($"\"{body}\"", Encoding.UTF8, "application/json")
};
// Act
using (HttpResponseMessage response = await client.SendAsync(request))
{
// Assert
Assert.Equal(HttpStatusCode.OK, response.StatusCode);
string content = await response.Content.ReadAsStringAsync();
Assert.Equal("echo me", content);
IReadOnlyDictionary <ScalarValue, LogEventPropertyValue> eventContext = GetLoggedEventContext();
Assert.True(ContainsRequestHeader(eventContext, headerName, headerValue), "Logged event context should contain request header");
Assert.False(ContainsRequestBody(eventContext, body), "Shouldn't contain request body");
}
}
}
public async Task GetRequestWithInvalidEndpointFeature_TracksRequest_ReturnsSuccess()
{
// Arrange
string headerName = $"x-custom-header-{Guid.NewGuid()}", headerValue = $"header-{Guid.NewGuid()}";
_testServer.AddConfigure(app =>
{
app.Use((ctx, next) =>
{
ctx.Features.Set(Mock.Of <IEndpointFeature>());
return(next());
});
app.UseRequestTracking();
});
// Act
using (HttpClient client = _testServer.CreateClient())
using (var request = new HttpRequestMessage(HttpMethod.Get, HealthController.Route))
{
request.Headers.Add(headerName, headerValue);
using (HttpResponseMessage response = await client.SendAsync(request))
{
// Assert
IDictionary <string, string> eventContext = GetLoggedEventContext();
Assert.Equal(headerValue, Assert.Contains(headerName, eventContext));
}
}
}
private async Task <HttpResponseMessage> SendAuthorizedHttpRequest(string route, string headerName = null, IEnumerable <string> headerValues = null, string parameterName = null, string parameterValue = null)
{
string requestUri = parameterName == null ? route : route + $"?{parameterName}={parameterValue}";
using (HttpClient client = _testServer.CreateClient())
{
var request = new HttpRequestMessage(HttpMethod.Get, requestUri);
if (headerName != null)
{
request.Headers.Add(headerName, headerValues);
}
return(await client.SendAsync(request));
}
}
public async Task GetHealthWithCorrectBearerToken_WithIncorrectAzureManagedIdentityAuthorization_ReturnsUnauthorized()
{
// Arrange
string issuer = $"http://{Util.GetRandomString(10).ToLower()}.com";
string authority = $"http://{Util.GetRandomString(10).ToLower()}.com";
RSA rsa = new RSACryptoServiceProvider(512);
string privateKey = rsa.ToCustomXmlString(true);
using (var testServer = new TestApiServer())
using (var testOpenIdServer = await TestOpenIdServer.StartNewAsync(_outputWriter))
{
var validationParameters = new TokenValidationParameters
{
ValidateAudience = false,
ValidateIssuer = false,
ValidateIssuerSigningKey = true,
ValidateLifetime = true
};
var reader = new JwtTokenReader(validationParameters, testOpenIdServer.OpenIdAddressConfiguration);
testServer.AddFilter(filters => filters.AddJwtTokenAuthorization(options => options.JwtTokenReader = reader));
using (HttpClient client = testServer.CreateClient())
using (var request = new HttpRequestMessage(HttpMethod.Get, HealthController.Route))
{
string accessToken = testOpenIdServer.RequestSecretToken(issuer, authority, privateKey, 7);
request.Headers.Add(JwtTokenAuthorizationOptions.DefaultHeaderName, accessToken);
// Act
using (HttpResponseMessage response = await client.SendAsync(request))
{
// Assert
Assert.Equal(HttpStatusCode.Unauthorized, response.StatusCode);
}
}
}
}
