public void GetValidRequestContextFromCache_UnmappedOidcUser()
{
var entitiesToSave = new List <IEntity>();
// Setup provider, provider user and user account
var provider = new OidcIdentityProvider {
Name = "ID Provider " + Guid.NewGuid()
};
entitiesToSave.Add(provider);
var userAccount = new UserAccount {
Name = "Test User " + Guid.NewGuid(), AccountStatus_Enum = UserAccountStatusEnum_Enumeration.Active
};
entitiesToSave.Add(userAccount);
// Provider user has no associated user account
var providerUser = new OidcIdentityProviderUser
{
Name = "Provider User" + Guid.NewGuid(),
IdentityProviderForUser = provider.As <IdentityProvider>()
};
entitiesToSave.Add(providerUser);
Entity.Save(entitiesToSave);
var cache = new IdentityProviderContextCache();
var requestContextData = cache.GetRequestContextData(RequestContext.TenantId, provider.Id, providerUser.Name, true);
Assert.IsNull(requestContextData, "Context data should be null");
}
private void CreateEntityModel(string idpUserName, bool active, out OidcIdentityProvider idProvider, out OidcIdentityProviderUser idProviderUser, out UserAccount userAccount)
{
var entitiesToSave = new List <IEntity>();
// Setup provider, provider user and user account
idProvider = new OidcIdentityProvider
{
Name = "ID Provider " + Guid.NewGuid(),
IsProviderEnabled = true,
OidcClientId = "5E9762FD-8EB8-4626-AB5A-A52A05041DC0",
OidcClientSecret = "cZ7xNZiBvPB41Clw0i0FnR4LRqfHvj2H3tBt6c8l",
OidcIdentityProviderConfigurationUrl = "https://rndev20adfs.sp.local/adfs/.well-known/openid-configuration",
OidcUserIdentityClaim = "upn"
};
entitiesToSave.Add(idProvider);
userAccount = new UserAccount {
Name = "Test User " + Guid.NewGuid(), AccountStatus_Enum = active ? UserAccountStatusEnum_Enumeration.Active : UserAccountStatusEnum_Enumeration.Disabled
};
entitiesToSave.Add(userAccount);
idProviderUser = new OidcIdentityProviderUser
{
AssociatedUserAccount = userAccount,
Name = idpUserName,
IdentityProviderForUser = idProvider.As <IdentityProvider>()
};
entitiesToSave.Add(idProviderUser);
Entity.Save(entitiesToSave);
}
public void GetValidRequestContextFromCache_DisabledToActiveUserAccount()
{
var entitiesToSave = new List <IEntity>();
// Setup provider, provider user and user account
var provider = new OidcIdentityProvider {
Name = "ID Provider " + Guid.NewGuid()
};
entitiesToSave.Add(provider);
var userAccount = new UserAccount {
Name = "Test User " + Guid.NewGuid(), AccountStatus_Enum = UserAccountStatusEnum_Enumeration.Disabled
};
entitiesToSave.Add(userAccount);
// Provider user has no associated user account
var providerUser = new OidcIdentityProviderUser
{
AssociatedUserAccount = userAccount,
Name = "Provider User" + Guid.NewGuid(),
IdentityProviderForUser = provider.As <IdentityProvider>()
};
entitiesToSave.Add(providerUser);
Entity.Save(entitiesToSave);
var cache = new IdentityProviderContextCache();
var requestContextData = cache.GetRequestContextData(RequestContext.TenantId, provider.Id, providerUser.Name, false);
Assert.IsNotNull(requestContextData, "Context data should not be null");
requestContextData = cache.GetRequestContextData(RequestContext.TenantId, provider.Id, providerUser.Name, true);
Assert.IsNull(requestContextData, "Context data should be null");
// Change the account to active
userAccount.AccountStatus_Enum = UserAccountStatusEnum_Enumeration.Active;
userAccount.Save();
cache.CacheInvalidator.OnEntityChange(new IEntity[] { userAccount }, InvalidationCause.Save, null);
requestContextData = cache.GetRequestContextData(RequestContext.TenantId, provider.Id, providerUser.Name, true);
Assert.IsNotNull(requestContextData, "Context data should not be null");
}
public void GetValidRequestContextFromCache_OidcProviderInvalidateOnUserChange()
{
var entitiesToSave = new List <IEntity>();
// Setup provider, provider user and user account
var provider = new OidcIdentityProvider {
Name = "ID Provider " + Guid.NewGuid()
};
entitiesToSave.Add(provider);
var userAccount = new UserAccount {
Name = "Test User " + Guid.NewGuid(), AccountStatus_Enum = UserAccountStatusEnum_Enumeration.Active
};
entitiesToSave.Add(userAccount);
var providerUser = new OidcIdentityProviderUser
{
AssociatedUserAccount = userAccount,
Name = "Provider User" + Guid.NewGuid(),
IdentityProviderForUser = provider.As <IdentityProvider>()
};
entitiesToSave.Add(providerUser);
Entity.Save(entitiesToSave);
var cache = new IdentityProviderContextCache();
var requestContextData = cache.GetRequestContextData(RequestContext.TenantId, provider.Id, providerUser.Name, true);
Assert.IsNotNull(requestContextData, "Context data should not be null.");
Assert.AreEqual(userAccount.Id, requestContextData.Identity.Id, "The context identity user id is invalid.");
Assert.AreEqual(userAccount.Name, requestContextData.Identity.Name, "The context identity user name is invalid.");
Assert.AreEqual(provider.Id, requestContextData.Identity.IdentityProviderId, "The context identity provider is invalid.");
Assert.AreEqual(providerUser.Id, requestContextData.Identity.IdentityProviderUserId, "The context identity provider user id is invalid.");
Assert.AreEqual(provider.IsOfType[0].Alias, requestContextData.Identity.IdentityProviderTypeAlias, "The context identity provider alias is invalid.");
// This should invalidate the cache
providerUser.AssociatedUserAccount = null;
providerUser.Save();
cache.CacheInvalidator.OnEntityChange(new IEntity[] { providerUser }, InvalidationCause.Save, null);
requestContextData = cache.GetRequestContextData(RequestContext.TenantId, provider.Id, providerUser.Name, true);
Assert.IsNull(requestContextData, "Context data should be null.");
}
public void ProcessOidcAuthorizationResponse()
{
var context = RequestContext.GetContext();
OidcIdentityProvider idProvider = null;
OidcIdentityProviderUser idProviderUser = null;
UserAccount userAccount = null;
try
{
string tenantName = GetCurrentTenantName();
CreateEntityModel("*****@*****.**", true, out idProvider, out idProviderUser, out userAccount);
var code = Guid.NewGuid().ToString();
// Mock config provider and http client
var expectedTokenRequestMessage = new OpenIdConnectMessage
{
GrantType = "authorization_code",
Code = code,
ClientSecret = Factory.SecuredData.Read((Guid)idProvider.OidcClientSecretSecureId),
ClientId = idProvider.OidcClientId,
RedirectUri = "https://test.com/spapi/data/v1/login/oidc/authresponse/" + tenantName
};
var validResponseMessage = new HttpResponseMessage {
Content = new StringContent(_openIdTokenResponse)
};
var mockRepo = new MockRepository(MockBehavior.Strict);
var configUrl = idProvider.OidcIdentityProviderConfigurationUrl;
var configManager = mockRepo.Create <IOpenIdConnectConfigurationManager>();
configManager.Setup(w => w.GetIdentityProviderConfigurationAsync(configUrl)).Returns(Task.FromResult(_oidcConfig));
var httpClient = mockRepo.Create <IHttpClient>();
httpClient.Setup(w => w.PostAsync(new Uri(_oidcConfig.TokenEndpoint), It.Is <HttpContent>(c => ValidateTokenRequestMessage(expectedTokenRequestMessage, c))))
.Returns(Task.FromResult(validResponseMessage));
var oidcLoginHandler = new OpenIdConnectLoginHandler(configManager.Object, true);
var idpLoginRequest = new IdentityProviderLoginRequest
{
Tenant = context.Tenant.Name,
IdentityProviderId = idProvider.Id,
RedirectUrl = "https://test.com/login/callback"
};
var baseUri = new Uri("https://test.com");
// Get code auth uri, get state
var uri = Task.Run(() => oidcLoginHandler.GetAuthorizationCodeRequestUrl(idpLoginRequest, baseUri)).Result;
var queryValues = uri.ParseQueryString();
var state = queryValues["state"];
var validatedState = oidcLoginHandler.ValidateAuthState(state);
var result =
Task.Run(() => oidcLoginHandler.ProcessOidcAuthorizationResponse(tenantName, code, validatedState, baseUri, httpClient.Object)).Result;
Assert.IsNotNull(result, "The authorization result is invalid.");
Assert.IsNotNull(result.RequestContextData, "The authorization result context data is invalid.");
Assert.IsNotNull(result.IdentityProviderUserName, "The authorization result user name is invalid.");
Assert.AreEqual(RequestContext.TenantId, result.RequestContextData.Tenant.Id, "The tenant is invalid");
Assert.AreEqual(userAccount.Id, result.RequestContextData.Identity.Id, "The user account is invalid");
Assert.AreEqual(idProvider.Id, result.RequestContextData.Identity.IdentityProviderId, "The identity provider id is invalid");
Assert.AreEqual(userAccount.Name, result.RequestContextData.Identity.Name, "The identity provider id is invalid");
Assert.AreEqual(idProviderUser.Name, result.IdentityProviderUserName, "The identity provider id is invalid");
mockRepo.VerifyAll();
}
finally
{
DeleteEntity(idProvider);
DeleteEntity(idProviderUser);
DeleteEntity(userAccount);
}
}
