Esempio n. 1
0
        public void Equals_Null_ReturnsFalse()
        {
            // Arrange
            object blobA = new BinaryBlob(32);
            object?blobB = null;

            // Act & assert
            Assert.NotEqual(blobA, blobB);
        }
Esempio n. 2
0
        public void Equals_DifferentData_ReturnsFalse()
        {
            // Arrange
            object blobA = new BinaryBlob(32, new byte[] { 0x01, 0x02, 0x03, 0x04 });
            object blobB = new BinaryBlob(32, new byte[] { 0x04, 0x03, 0x02, 0x01 });

            // Act & assert
            Assert.NotEqual(blobA, blobB);
        }
Esempio n. 3
0
        public void Equals_NotABlob_ReturnsFalse()
        {
            // Arrange
            object blobA = new BinaryBlob(32);
            object blobB = "hello";

            // Act & assert
            Assert.NotEqual(blobA, blobB);
        }
Esempio n. 4
0
        public void Ctor_BitLength_ProducesDifferentValues()
        {
            // Act
            var blobA = new BinaryBlob(bitLength: 64);
            var blobB = new BinaryBlob(bitLength: 64);

            // Assert
            Assert.NotEqual(blobA.GetData(), blobB.GetData());
        }
Esempio n. 5
0
        public void Equals_SameData_ReturnsTrue()
        {
            // Arrange
            object blobA = new BinaryBlob(32, new byte[] { 0x01, 0x02, 0x03, 0x04 });
            object blobB = new BinaryBlob(32, new byte[] { 0x01, 0x02, 0x03, 0x04 });

            // Act & assert
            Assert.Equal(blobA, blobB);
        }
Esempio n. 6
0
        public void Ctor_BitLength()
        {
            // Act
            var blob = new BinaryBlob(bitLength: 64);
            var data = blob.GetData();

            // Assert
            Assert.Equal(64, blob.BitLength);
            Assert.Equal(64 / 8, data.Length);
            Assert.NotEqual(new byte[64 / 8], data); // should not be a zero-filled array
        }
Esempio n. 7
0
        public void Ctor_Data()
        {
            // Arrange
            var expectedData = new byte[] { 0x01, 0x02, 0x03, 0x04 };

            // Act
            var blob = new BinaryBlob(32, expectedData);

            // Assert
            Assert.Equal(32, blob.BitLength);
            Assert.Equal(expectedData, blob.GetData());
        }
Esempio n. 8
0
        public void SecurityTokenProperty_PropertySetter_DoesNotUseDefaults()
        {
            // Arrange
            var token = new AntiforgeryToken();

            // Act
            var securityToken = new BinaryBlob(64);

            token.SecurityToken = securityToken;

            // Assert
            Assert.Equal(securityToken, token.SecurityToken);
        }
Esempio n. 9
0
        public void GetHashCodeTest()
        {
            // Arrange
            var blobData         = new byte[] { 0x01, 0x02, 0x03, 0x04 };
            var expectedHashCode = BitConverter.ToInt32(blobData, 0);

            var blob = new BinaryBlob(32, blobData);

            // Act
            var actualHashCode = blob.GetHashCode();

            // Assert
            Assert.Equal(expectedHashCode, actualHashCode);
        }
Esempio n. 10
0
        public void ClaimUidProperty()
        {
            // Arrange
            var token = new AntiforgeryToken();

            // Act & assert - 1
            Assert.Null(token.ClaimUid);

            // Act & assert - 2
            BinaryBlob blob = new BinaryBlob(32);

            token.ClaimUid = blob;
            Assert.Equal(blob, token.ClaimUid);

            // Act & assert - 3
            token.ClaimUid = null;
            Assert.Null(token.ClaimUid);
        }
        public void TryValidateTokenSet_ClaimUidMismatch()
        {
            // Arrange
            var httpContext = new DefaultHttpContext();
            var identity    = GetAuthenticatedIdentity("the-user");

            httpContext.User = new ClaimsPrincipal(identity);

            var cookieToken = new AntiforgeryToken()
            {
                IsCookieToken = true
            };
            var fieldtoken = new AntiforgeryToken()
            {
                SecurityToken = cookieToken.SecurityToken,
                IsCookieToken = false,
                ClaimUid      = new BinaryBlob(256)
            };

            var differentToken        = new BinaryBlob(256);
            var mockClaimUidExtractor = new Mock <IClaimUidExtractor>();

            mockClaimUidExtractor.Setup(o => o.ExtractClaimUid(It.Is <ClaimsPrincipal>(c => c.Identity == identity)))
            .Returns(Convert.ToBase64String(differentToken.GetData()));

            var tokenProvider = new DefaultAntiforgeryTokenGenerator(
                claimUidExtractor: mockClaimUidExtractor.Object,
                additionalDataProvider: null);

            string expectedMessage =
                "The provided antiforgery token was meant for a different " +
                "claims-based user than the current user.";

            // Act
            string message;
            var    result = tokenProvider.TryValidateTokenSet(httpContext, cookieToken, fieldtoken, out message);

            // Assert
            Assert.False(result);
            Assert.Equal(expectedMessage, message);
        }
        public void GenerateRequestToken_ClaimsBasedIdentity()
        {
            // Arrange
            var cookieToken = new AntiforgeryToken()
            {
                IsCookieToken = true
            };

            var identity    = GetAuthenticatedIdentity("some-identity");
            var httpContext = new DefaultHttpContext();

            httpContext.User = new ClaimsPrincipal(identity);

            byte[] data = new byte[256 / 8];
            using (var rng = RandomNumberGenerator.Create())
            {
                rng.GetBytes(data);
            }
            var base64ClaimUId   = Convert.ToBase64String(data);
            var expectedClaimUid = new BinaryBlob(256, data);

            var mockClaimUidExtractor = new Mock <IClaimUidExtractor>();

            mockClaimUidExtractor.Setup(o => o.ExtractClaimUid(It.Is <ClaimsPrincipal>(c => c.Identity == identity)))
            .Returns(base64ClaimUId);

            var tokenProvider = new DefaultAntiforgeryTokenGenerator(
                claimUidExtractor: mockClaimUidExtractor.Object,
                additionalDataProvider: null);

            // Act
            var fieldToken = tokenProvider.GenerateRequestToken(httpContext, cookieToken);

            // Assert
            Assert.NotNull(fieldToken);
            Assert.Equal(cookieToken.SecurityToken, fieldToken.SecurityToken);
            Assert.False(fieldToken.IsCookieToken);
            Assert.Equal("", fieldToken.Username);
            Assert.Equal(expectedClaimUid, fieldToken.ClaimUid);
            Assert.Equal("", fieldToken.AdditionalData);
        }
        /// <inheritdoc />
        public bool TryValidateTokenSet(
            HttpContext httpContext,
            AntiforgeryToken cookieToken,
            AntiforgeryToken requestToken,
            out string message)
        {
            if (httpContext == null)
            {
                throw new ArgumentNullException(nameof(httpContext));
            }

            if (cookieToken == null)
            {
                throw new ArgumentNullException(
                          nameof(cookieToken),
                          Resources.Antiforgery_CookieToken_MustBeProvided_Generic);
            }

            if (requestToken == null)
            {
                throw new ArgumentNullException(
                          nameof(requestToken),
                          Resources.Antiforgery_RequestToken_MustBeProvided_Generic);
            }

            // Do the tokens have the correct format?
            if (!cookieToken.IsCookieToken || requestToken.IsCookieToken)
            {
                message = Resources.AntiforgeryToken_TokensSwapped;
                return(false);
            }

            // Are the security tokens embedded in each incoming token identical?
            if (!object.Equals(cookieToken.SecurityToken, requestToken.SecurityToken))
            {
                message = Resources.AntiforgeryToken_SecurityTokenMismatch;
                return(false);
            }

            // Is the incoming token meant for the current user?
            var        currentUsername = string.Empty;
            BinaryBlob currentClaimUid = null;

            var authenticatedIdentity = GetAuthenticatedIdentity(httpContext.User);

            if (authenticatedIdentity != null)
            {
                currentClaimUid = GetClaimUidBlob(_claimUidExtractor.ExtractClaimUid(httpContext.User));
                if (currentClaimUid == null)
                {
                    currentUsername = authenticatedIdentity.Name ?? string.Empty;
                }
            }

            // OpenID and other similar authentication schemes use URIs for the username.
            // These should be treated as case-sensitive.
            var comparer = StringComparer.OrdinalIgnoreCase;

            if (currentUsername.StartsWith("http://", StringComparison.OrdinalIgnoreCase) ||
                currentUsername.StartsWith("https://", StringComparison.OrdinalIgnoreCase))
            {
                comparer = StringComparer.Ordinal;
            }

            if (!comparer.Equals(requestToken.Username, currentUsername))
            {
                message = Resources.FormatAntiforgeryToken_UsernameMismatch(requestToken.Username, currentUsername);
                return(false);
            }

            if (!object.Equals(requestToken.ClaimUid, currentClaimUid))
            {
                message = Resources.AntiforgeryToken_ClaimUidMismatch;
                return(false);
            }

            // Is the AdditionalData valid?
            if (_additionalDataProvider != null &&
                !_additionalDataProvider.ValidateAdditionalData(httpContext, requestToken.AdditionalData))
            {
                message = Resources.AntiforgeryToken_AdditionalDataCheckFailed;
                return(false);
            }

            message = null;
            return(true);
        }