public void Should_not_expire_token_when_key_expiration_has_lapsed_but_token_expiration_has_not()
{
var tokenizer = CreateTokenizer(cfg =>
{
cfg.TokenExpiration(() => TimeSpan.FromMilliseconds(50));
cfg.KeyExpiration(() => TimeSpan.FromMilliseconds(100));
});
var identity = new FakeUserIdentity
{
UserName = "******",
Claims = new[] { "claim1", "claim2" }
};
tokenizer.Tokenize(identity, context); // prime the pump to generate a key
Thread.Sleep(75); // key is 75% to its expiration
var token = tokenizer.Tokenize(identity, context);
Thread.Sleep(25); // key is now expired but should not be purged until token expiration lapses
var detokenizedIdentity = tokenizer.Detokenize(token, context);
detokenizedIdentity.ShouldNotBeNull();
}
public void Should_store_keys_when_a_key_is_purged()
{
var keyCache = A.Fake <ITokenKeyStore>();
var tokenizer = CreateTokenizer(cfg =>
{
cfg.TokenExpiration(() => TimeSpan.FromMilliseconds(1));
cfg.KeyExpiration(() => TimeSpan.FromMilliseconds(2));
cfg.WithKeyCache(keyCache);
});
var identity = new FakeUserIdentity
{
UserName = "******",
Claims = new[] { "claim1", "claim2" }
};
tokenizer.Tokenize(identity, context);
Thread.Sleep(5);
tokenizer.Tokenize(identity, context);
A.CallTo(() => keyCache.Store(A <IDictionary <DateTime, byte[]> > .Ignored)).MustHaveHappened(Repeated.AtLeast.Once);
}
public void Should_fail_to_detokenize_when_additional_items_do_not_match()
{
var tokenizer = CreateTokenizer();
var identity = new FakeUserIdentity
{
UserName = "******",
Claims = new[] { "claim1", "claim2" }
};
var token = tokenizer.Tokenize(identity, context);
var badRequest = new FakeRequest("GET", "/",
new Dictionary <string, IEnumerable <string> >
{
{ "User-Agent", new[] { "uh oh! no matchey!" } }
});
var badContext = new NancyContext
{
Request = badRequest
};
var detokenizedIdentity = tokenizer.Detokenize(token, badContext);
detokenizedIdentity.ShouldBeNull();
}
private static IUserIdentity GetFakeUser(string userName, IEnumerable <string> claims = null)
{
var ret = new FakeUserIdentity();
ret.UserName = userName;
ret.Claims = claims;
return(ret);
}
public void Should_be_able_to_create_token_from_user_identity()
{
var tokenizer = CreateTokenizer();
var identity = new FakeUserIdentity
{
UserName = "******",
Claims = new[] { "claim1", "claim2" }
};
var token = tokenizer.Tokenize(identity, context);
token.ShouldNotBeNull();
}
public void Should_store_keys_when_the_first_token_is_tokenized()
{
var keyCache = A.Fake <ITokenKeyStore>();
var tokenizer = CreateTokenizer(cfg => cfg.WithKeyCache(keyCache));
var identity = new FakeUserIdentity
{
UserName = "******",
Claims = new[] { "claim1", "claim2" }
};
tokenizer.Tokenize(identity, this.context);
A.CallTo(() => keyCache.Store(A <IDictionary <DateTime, byte[]> > .Ignored)).MustHaveHappened(Repeated.Exactly.Once);
}
public void Should_not_set_username_in_context_with_broken_encryption_data()
{
var fakePipelines = new Pipelines();
var fakeMapper = A.Fake <IUserMapper>();
var fakeUser = new FakeUserIdentity {
UserName = "******"
};
A.CallTo(() => fakeMapper.GetUserFromIdentifier(this.userGuid, this.context)).Returns(fakeUser);
this.config.UserMapper = fakeMapper;
FormsAuthentication.Enable(fakePipelines, this.config);
this.context.Request.Cookies.Add(FormsAuthentication.FormsAuthenticationCookieName, this.cookieWithBrokenEncryptedData);
var result = fakePipelines.BeforeRequest.Invoke(this.context, new CancellationToken());
context.CurrentUser.ShouldBeNull();
}
public void Should_set_user_in_context_with_valid_cookie()
{
var fakePipelines = new Pipelines();
var fakeMapper = A.Fake <IUserMapper>();
var fakeUser = new FakeUserIdentity {
UserName = "******"
};
A.CallTo(() => fakeMapper.GetUserFromIdentifier(this.userGuid, this.context)).Returns(fakeUser);
this.config.UserMapper = fakeMapper;
FormsAuthentication.Enable(fakePipelines, this.config);
this.context.Request.Cookies.Add(FormsAuthentication.FormsAuthenticationCookieName, this.validCookieValue);
var result = fakePipelines.BeforeRequest.Invoke(this.context, new CancellationToken());
context.CurrentUser.ShouldBeSameAs(fakeUser);
}
public void Should_not_set_user_in_context_with_no_hmac()
{
var fakePipelines = new Pipelines();
var fakeMapper = A.Fake <IUserMapper>();
var fakeUser = new FakeUserIdentity {
UserName = "******"
};
A.CallTo(() => fakeMapper.GetUserFromIdentifier(this.userGuid, this.context)).Returns(fakeUser);
this.config.UserMapper = fakeMapper;
FormsAuthentication.Enable(fakePipelines, this.config);
this.context.Request.Cookies.Add(FormsAuthentication.FormsAuthenticationCookieName, this.cookieWithNoHmac);
var result = fakePipelines.BeforeRequest.Invoke(this.context);
context.CurrentUser.ShouldBeNull();
}
public void Should_expire_token_when_expiration_has_lapsed()
{
var tokenizer = CreateTokenizer(cfg => cfg.TokenExpiration(() => TimeSpan.FromMilliseconds(10)));
var identity = new FakeUserIdentity
{
UserName = "******",
Claims = new[] { "claim1", "claim2" }
};
var token = tokenizer.Tokenize(identity, context);
Thread.Sleep(20);
var detokenizedIdentity = tokenizer.Detokenize(token, context);
detokenizedIdentity.ShouldBeNull();
}
public void Should_be_able_to_extract_user_identity_from_token()
{
var tokenizer = CreateTokenizer();
var identity = new FakeUserIdentity
{
UserName = "******",
Claims = new[] { "claim1", "claim2" }
};
var token = tokenizer.Tokenize(identity, context);
var detokenizedIdentity = tokenizer.Detokenize(token, context);
detokenizedIdentity.ShouldNotBeNull();
detokenizedIdentity.UserName.ShouldEqual("joe");
detokenizedIdentity.Claims.ShouldEqualSequence(new[] { "claim1", "claim2" });
}
public void Should_generate_new_token_after_previous_key_has_expired()
{
var tokenizer = CreateTokenizer(cfg =>
{
cfg.TokenExpiration(() => TimeSpan.FromMilliseconds(50));
cfg.KeyExpiration(() => TimeSpan.FromMilliseconds(100));
cfg.TokenStamp(() => new DateTime(2014, 1, 1));
});
var identity = new FakeUserIdentity
{
UserName = "******",
Claims = new[] { "claim1", "claim2" }
};
var token = tokenizer.Tokenize(identity, context); // prime the pump to generate a key
Thread.Sleep(120); // expire the key
var secondToken = tokenizer.Tokenize(identity, context);
token.ShouldNotEqual(secondToken);
}
public void Should_not_be_able_to_extract_user_identity_from_modified_token()
{
var tokenizer = CreateTokenizer();
var identity = new FakeUserIdentity
{
UserName = "******",
Claims = new[] { "claim1", "claim2" }
};
var token = tokenizer.Tokenize(identity, context);
var parts = token.Split(new[] { ":" }, StringSplitOptions.RemoveEmptyEntries);
var bytes = Convert.FromBase64String(parts[0]);
var tweak = new List <byte>(bytes);
tweak.Add(Encoding.UTF8.GetBytes("X")[0]);
var badToken = Convert.ToBase64String(tweak.ToArray()) + ":" + parts[1];
var detokenizedIdentity = tokenizer.Detokenize(badToken, context);
detokenizedIdentity.ShouldBeNull();
}
