// Pins the OnlyWhenAuthenticated opt-out: with RequireSSL on, an anonymous request over plain
// HTTP that ShouldForceSSL does not flag must pass through the filter with its result untouched.
// NOTE(review): this leaves anonymous traffic on HTTP by design; the authenticated and
// force-SSL paths are not exercised by this case, so confirm other tests cover them.
public void RequireHttpsAttributeDoesNotThrowForInsecureConnectionIfNotAuthenticatedOrForcingSSLAndOnlyWhenAuthenticatedSet()
        {
            // Arrange: the site requires SSL, the caller is anonymous and on plain HTTP
            Mock<IConfiguration> configMock = new Mock<IConfiguration>();
            configMock.Setup(cfg => cfg.RequireSSL).Returns(true);

            Mock<AuthorizationContext> authContextMock = new Mock<AuthorizationContext>(MockBehavior.Strict);
            authContextMock.SetupGet(c => c.HttpContext.Request.IsAuthenticated).Returns(false);
            authContextMock.SetupGet(c => c.HttpContext.Request.IsSecureConnection).Returns(false);
            AuthorizationContext authContext = authContextMock.Object;

            Mock<IFormsAuthenticationService> formsAuthMock = new Mock<IFormsAuthenticationService>();
            formsAuthMock.Setup(fas => fas.ShouldForceSSL(authContext.HttpContext)).Returns(false);

            RequireRemoteHttpsAttribute filter = new RequireRemoteHttpsAttribute();
            filter.Configuration = configMock.Object;
            filter.OnlyWhenAuthenticated = true;
            filter.FormsAuthentication = formsAuthMock.Object;

            ViewResult untouched = new ViewResult();
            authContext.Result = untouched;

            // Act
            filter.OnAuthorization(authContext);

            // Assert: the filter neither redirected nor rejected the request
            Assert.Same(untouched, authContext.Result);
        }
        // Pins the local-request exemption: when Request.IsLocal is true the filter must leave
        // the existing result in place. The method name says "RequireFacts", but the type under
        // test is RequireRemoteHttpsAttribute.
        // NOTE(review): IsLocal is the only request property configured here, so the exemption
        // is decided on it alone in this case. Requests relayed by a proxy on the same host may
        // also report as local - confirm against the deployment topology.
        public void RequireFactsAttributeDoesNotThrowForLocalHostRequests()
        {
            // Arrange: a request that reports itself as local
            var authContextMock = new Mock<AuthorizationContext>(MockBehavior.Strict);
            authContextMock.SetupGet(c => c.HttpContext.Request.IsLocal).Returns(true);
            AuthorizationContext authContext = authContextMock.Object;

            ViewResult untouched = new ViewResult();
            authContext.Result = untouched;

            RequireRemoteHttpsAttribute filter = new RequireRemoteHttpsAttribute();

            // Act
            filter.OnAuthorization(authContext);

            // Assert: no redirect and no rejection was substituted
            Assert.Same(untouched, authContext.Result);
        }
        // Pins the upgrade path: a non-local GET over plain HTTP is answered with a redirect to
        // the same host and path under the https scheme.
        // NOTE(review): the expected URL reuses the host of Request.Url; whether the filter
        // checks that host against a configured site name is not visible here - confirm, since
        // the Host header is supplied by the client.
        public void RequireHttpsAttributeRedirectsGetRequest()
        {
            // Arrange: remote GET for /login on an insecure connection
            var authContextMock = new Mock<AuthorizationContext>(MockBehavior.Strict);
            authContextMock.SetupGet(c => c.HttpContext.Request.IsSecureConnection).Returns(false);
            authContextMock.SetupGet(c => c.HttpContext.Request.IsLocal).Returns(false);
            authContextMock.SetupGet(c => c.HttpContext.Request.HttpMethod).Returns("get");
            authContextMock.SetupGet(c => c.HttpContext.Request.RawUrl).Returns("/login");
            authContextMock.SetupGet(c => c.HttpContext.Request.Url).Returns(new Uri("http://test.nuget.org/login"));
            AuthorizationContext authContext = authContextMock.Object;

            // Seed a result so the assertion proves the filter replaced it
            authContext.Result = new ViewResult();

            RequireRemoteHttpsAttribute filter = new RequireRemoteHttpsAttribute();

            // Act
            filter.OnAuthorization(authContext);

            // Assert
            Assert.IsType<RedirectResult>(authContext.Result);
            var redirect = (RedirectResult)authContext.Result;
            Assert.Equal("https://test.nuget.org/login", redirect.Url);
        }
        // Data row: not authenticated, ShouldForceSSL true, OnlyWhenAuthenticated set,
        // non-standard SSL port 44300 (argument order follows the method signature).
        [InlineData(false, true, true, 44300, "{0}:44300")]
        // Pins the upgrade path with configuration in play: an insecure GET is redirected to the
        // https URL whose host part is produced by hostFormatter, so a configured non-standard
        // SSLPort must appear in the redirect target.
        public void RequireHttpsAttributeRedirectsGetRequest(bool isAuthenticated, bool forceSSL, bool onlyWhenAuthenticated, int port, string hostFormatter)
        {
            // Arrange: site configuration
            Mock<IAppConfiguration> configMock = new Mock<IAppConfiguration>();
            configMock.Setup(cfg => cfg.SSLPort).Returns(port);
            configMock.Setup(cfg => cfg.RequireSSL).Returns(true);

            // Arrange: insecure GET for /login
            Mock<AuthorizationContext> authContextMock = new Mock<AuthorizationContext>(MockBehavior.Strict);
            authContextMock.SetupGet(c => c.HttpContext.Request.IsAuthenticated).Returns(isAuthenticated);
            authContextMock.SetupGet(c => c.HttpContext.Request.IsSecureConnection).Returns(false);
            authContextMock.SetupGet(c => c.HttpContext.Request.HttpMethod).Returns("get");
            authContextMock.SetupGet(c => c.HttpContext.Request.RawUrl).Returns("/login");
            authContextMock.SetupGet(c => c.HttpContext.Request.Url).Returns(new Uri("http://test.nuget.org/login"));
            AuthorizationContext authContext = authContextMock.Object;

            Mock<IFormsAuthenticationService> formsAuthMock = new Mock<IFormsAuthenticationService>();
            formsAuthMock.Setup(fas => fas.ShouldForceSSL(authContext.HttpContext)).Returns(forceSSL);

            RequireRemoteHttpsAttribute filter = new RequireRemoteHttpsAttribute();
            filter.Configuration = configMock.Object;
            filter.OnlyWhenAuthenticated = onlyWhenAuthenticated;
            filter.FormsAuthentication = formsAuthMock.Object;

            // Seed a result so the assertion proves the filter replaced it
            authContext.Result = new ViewResult();

            // Act
            filter.OnAuthorization(authContext);

            // Assert
            string expectedUrl = "https://" + String.Format(hostFormatter, "test.nuget.org") + "/login";
            Assert.IsType<RedirectResult>(authContext.Result);
            var redirect = (RedirectResult)authContext.Result;
            Assert.Equal(expectedUrl, redirect.Url);
        }
        // Pins the rejection path: a non-local, non-GET request over plain HTTP is answered with
        // HTTP 403 and the SSL-only message instead of a redirect.
        // NOTE(review): presumably a redirect is avoided because it cannot protect a request
        // body that was already sent in clear text - confirm against the filter's documentation.
        public void RequireHttpsAttributeReturns403IfNonGetRequest(string method, bool isAuthenticated, bool forceSSL, bool onlyWhenAuthenticated)
        {
            // Arrange: site configuration
            Mock<IConfiguration> configMock = new Mock<IConfiguration>();
            configMock.Setup(cfg => cfg.RequireSSL).Returns(true);

            // Arrange: insecure remote request to /api/create using the supplied verb
            Mock<AuthorizationContext> authContextMock = new Mock<AuthorizationContext>(MockBehavior.Strict);
            authContextMock.SetupGet(c => c.HttpContext.Request.IsAuthenticated).Returns(isAuthenticated);
            authContextMock.SetupGet(c => c.HttpContext.Request.IsSecureConnection).Returns(false);
            authContextMock.SetupGet(c => c.HttpContext.Request.IsLocal).Returns(false);
            authContextMock.SetupGet(c => c.HttpContext.Request.HttpMethod).Returns(method);
            authContextMock.SetupGet(c => c.HttpContext.Request.RawUrl).Returns("/api/create");
            authContextMock.SetupGet(c => c.HttpContext.Request.Url).Returns(new Uri("http://test.nuget.org/api/create"));
            AuthorizationContext authContext = authContextMock.Object;

            Mock<IFormsAuthenticationService> formsAuthMock = new Mock<IFormsAuthenticationService>();
            formsAuthMock.Setup(fas => fas.ShouldForceSSL(authContext.HttpContext)).Returns(forceSSL);

            RequireRemoteHttpsAttribute filter = new RequireRemoteHttpsAttribute();
            filter.Configuration = configMock.Object;
            filter.OnlyWhenAuthenticated = onlyWhenAuthenticated;
            filter.FormsAuthentication = formsAuthMock.Object;

            // Act
            filter.OnAuthorization(authContext);

            // Assert: status code and description are both part of the contract
            Assert.IsType<HttpStatusCodeWithBodyResult>(authContext.Result);
            HttpStatusCodeWithBodyResult rejection = (HttpStatusCodeWithBodyResult)authContext.Result;

            Assert.Equal(403, rejection.StatusCode);
            Assert.Equal("The requested resource can only be accessed via SSL.", rejection.StatusDescription);
        }
        // Pins the rejection path for the configuration-free filter: a non-local request over
        // plain HTTP using the supplied verb gets HTTP 403 with the SSL-only message rather than
        // a redirect to https.
        public void RequireHttpsAttributeReturns403IfNonGetRequest(string method)
        {
            // Arrange: insecure remote request to /api/create
            var authContextMock = new Mock<AuthorizationContext>(MockBehavior.Strict);
            authContextMock.SetupGet(c => c.HttpContext.Request.IsSecureConnection).Returns(false);
            authContextMock.SetupGet(c => c.HttpContext.Request.IsLocal).Returns(false);
            authContextMock.SetupGet(c => c.HttpContext.Request.HttpMethod).Returns(method);
            authContextMock.SetupGet(c => c.HttpContext.Request.RawUrl).Returns("/api/create");
            authContextMock.SetupGet(c => c.HttpContext.Request.Url).Returns(new Uri("http://test.nuget.org/api/create"));
            AuthorizationContext authContext = authContextMock.Object;

            RequireRemoteHttpsAttribute filter = new RequireRemoteHttpsAttribute();

            // Act
            filter.OnAuthorization(authContext);

            // Assert: the request is refused and the caller is told why
            Assert.IsType<HttpStatusCodeWithBodyResult>(authContext.Result);
            HttpStatusCodeWithBodyResult rejection = (HttpStatusCodeWithBodyResult)authContext.Result;
            Assert.Equal(403, rejection.StatusCode);
            Assert.Equal("The requested resource can only be accessed via SSL.", rejection.StatusDescription);
        }
        // Data row: isAuthenticated false, forceSSL true, onlyWhenAuthenticated true,
        // SSL port 44300 (non-standard), so the port is expected in the redirect host.
        [InlineData(false, true, true, 44300, "{0}:44300")]
        // Checks that an insecure GET is upgraded: the filter must replace the seeded result
        // with a redirect to https, keeping the path and applying the configured SSL port.
        // NOTE(review): the host in the expected URL comes from Request.Url; validation of that
        // host is not shown in this test - confirm it happens in the filter or upstream.
        public void RequireHttpsAttributeRedirectsGetRequest(bool isAuthenticated, bool forceSSL, bool onlyWhenAuthenticated, int port, string hostFormatter)
        {
            // Arrange
            var requestContextMock = new Mock<AuthorizationContext>(MockBehavior.Strict);
            var settingsMock = new Mock<IConfiguration>();
            var formsAuthMock = new Mock<IFormsAuthenticationService>();

            settingsMock.Setup(cfg => cfg.RequireSSL).Returns(true);
            settingsMock.Setup(cfg => cfg.SSLPort).Returns(port);

            requestContextMock.SetupGet(c => c.HttpContext.Request.Url).Returns(new Uri("http://test.nuget.org/login"));
            requestContextMock.SetupGet(c => c.HttpContext.Request.RawUrl).Returns("/login");
            requestContextMock.SetupGet(c => c.HttpContext.Request.HttpMethod).Returns("get");
            requestContextMock.SetupGet(c => c.HttpContext.Request.IsSecureConnection).Returns(false);
            requestContextMock.SetupGet(c => c.HttpContext.Request.IsAuthenticated).Returns(isAuthenticated);

            var requestContext = requestContextMock.Object;
            formsAuthMock.Setup(fas => fas.ShouldForceSSL(requestContext.HttpContext)).Returns(forceSSL);

            var sut = new RequireRemoteHttpsAttribute()
            {
                Configuration = settingsMock.Object,
                OnlyWhenAuthenticated = onlyWhenAuthenticated,
                FormsAuthentication = formsAuthMock.Object
            };
            var seeded = new ViewResult();
            requestContext.Result = seeded;

            // Act
            sut.OnAuthorization(requestContext);

            // Assert
            Assert.IsType<RedirectResult>(requestContext.Result);
            var actualUrl = ((RedirectResult)requestContext.Result).Url;
            Assert.Equal("https://" + String.Format(hostFormatter, "test.nuget.org") + "/login", actualUrl);
        }
        // Checks that a non-GET request over plain HTTP is refused rather than upgraded: the
        // filter must set a 403 result carrying the SSL-only message, for every combination of
        // authentication state, force-SSL flag and OnlyWhenAuthenticated passed in.
        public void RequireHttpsAttributeReturns403IfNonGetRequest(string method, bool isAuthenticated, bool forceSSL, bool onlyWhenAuthenticated)
        {
            // Arrange
            var requestContextMock = new Mock<AuthorizationContext>(MockBehavior.Strict);
            var settingsMock = new Mock<IConfiguration>();
            var formsAuthMock = new Mock<IFormsAuthenticationService>();

            settingsMock.Setup(cfg => cfg.RequireSSL).Returns(true);

            requestContextMock.SetupGet(c => c.HttpContext.Request.Url).Returns(new Uri("http://test.nuget.org/api/create"));
            requestContextMock.SetupGet(c => c.HttpContext.Request.RawUrl).Returns("/api/create");
            requestContextMock.SetupGet(c => c.HttpContext.Request.HttpMethod).Returns(method);
            requestContextMock.SetupGet(c => c.HttpContext.Request.IsLocal).Returns(false);
            requestContextMock.SetupGet(c => c.HttpContext.Request.IsSecureConnection).Returns(false);
            requestContextMock.SetupGet(c => c.HttpContext.Request.IsAuthenticated).Returns(isAuthenticated);

            var requestContext = requestContextMock.Object;
            formsAuthMock.Setup(fas => fas.ShouldForceSSL(requestContext.HttpContext)).Returns(forceSSL);

            var sut = new RequireRemoteHttpsAttribute()
            {
                Configuration = settingsMock.Object,
                OnlyWhenAuthenticated = onlyWhenAuthenticated,
                FormsAuthentication = formsAuthMock.Object
            };

            // Act
            sut.OnAuthorization(requestContext);

            // Assert
            Assert.IsType<HttpStatusCodeWithBodyResult>(requestContext.Result);
            var refusal = (HttpStatusCodeWithBodyResult)requestContext.Result;
            Assert.Equal(403, refusal.StatusCode);
            Assert.Equal("The requested resource can only be accessed via SSL.", refusal.StatusDescription);
        }