public async Task AuthorizedRoute_WithCertificateAuthenticationViaConfigurationSecretProviderAndCustom_ShouldFailWithUnauthorized_WhenAnyClientCertificateValidationDoesntSucceeds(
string subjectName,
string issuerName,
string thumbprintNoise,
bool expected)
{
// Arrange
using (X509Certificate2 clientCertificate = SelfSignedCertificate.CreateWithIssuerAndSubjectName(issuerName, subjectName))
{
_testServer.AddConfigKeyValue(SubjectKey, "CN=subject");
_testServer.AddService <ISecretProvider>(new InMemorySecretProvider((IssuerKey, "CN=issuer")));
_testServer.AddService(
new CertificateAuthenticationValidator(
new CertificateAuthenticationConfigBuilder()
.WithSubject(X509ValidationLocation.Configuration, SubjectKey)
.WithIssuer(X509ValidationLocation.SecretProvider, IssuerKey)
.WithThumbprint(new StubX509ValidationLocation(clientCertificate.Thumbprint + thumbprintNoise), ThumbprintKey)
.Build()));
_testServer.SetClientCertificate(clientCertificate);
using (HttpClient client = _testServer.CreateClient())
{
var request = new HttpRequestMessage(HttpMethod.Get, AuthorizedRoute);
// Act
using (HttpResponseMessage response = await client.SendAsync(request))
{
// Assert
Assert.True(
(HttpStatusCode.Unauthorized == response.StatusCode) == expected,
$"Response HTTP status code {(expected ? "should" : "shouldn't")} be 'Unauthorized' but was '{response.StatusCode}'");
}
}
}
}
public async Task CertificateAuthorizedRoute_WithBypassAttribute_SkipsAuthentication(string route)
{
// Arrange
const string issuerKey = "issuer";
using (X509Certificate2 clientCertificate = SelfSignedCertificate.CreateWithIssuerAndSubjectName("issuer", "subject"))
{
var options = new TestApiServerOptions()
.ConfigureServices(services =>
{
var certificateValidator =
new CertificateAuthenticationValidator(
new CertificateAuthenticationConfigBuilder()
.WithIssuer(X509ValidationLocation.SecretProvider, issuerKey)
.Build());
services.AddSecretStore(stores => stores.AddInMemory(issuerKey, "CN=issuer"))
.AddClientCertificate(clientCertificate)
.AddSingleton(certificateValidator)
.AddMvc(opt => opt.Filters.AddCertificateAuthentication());
});
await using (var server = await TestApiServer.StartNewAsync(options, _logger))
{
var request = HttpRequestBuilder.Get(route);
// Act
using (HttpResponseMessage response = await server.SendAsync(request))
{
// Assert
Assert.Equal(HttpStatusCode.OK, response.StatusCode);
}
}
}
}
public async Task AuthorizedRoute_WithCertificateAuthenticationInHeader_ShouldSucceed()
{
// Arrange
const string subjectKey = "subject", issuerKey = "issuer";
_testServer.AddConfigKeyValue(subjectKey, "CN=known-subject");
_testServer.AddService <ISecretProvider>(new InMemorySecretProvider((issuerKey, "CN=known-issuername")));
_testServer.AddService(
new CertificateAuthenticationValidator(
new CertificateAuthenticationConfigBuilder()
.WithSubject(X509ValidationLocation.Configuration, subjectKey)
.WithIssuer(X509ValidationLocation.SecretProvider, issuerKey)
.Build()));
_testServer.AddFilter(new CertificateAuthenticationFilter());
using (X509Certificate2 clientCertificate = SelfSignedCertificate.CreateWithIssuerAndSubjectName("known-issuername", "known-subject"))
using (HttpClient client = _testServer.CreateClient())
{
var request = new HttpRequestMessage(HttpMethod.Get, NoneAuthenticationController.Route);
string base64String = Convert.ToBase64String(clientCertificate.Export(X509ContentType.Pkcs12), Base64FormattingOptions.None);
request.Headers.Add("X-ARR-ClientCert", base64String);
// Act
using (HttpResponseMessage response = await client.SendAsync(request))
{
// Assert
Assert.NotEqual(HttpStatusCode.Unauthorized, response.StatusCode);
}
}
}
public async Task AuthorizedRoute_WithCertificateAuthenticationViaConfiguration_ShouldFailWithUnauthorized_WhenAnyClientCertificateValidationDoesntSucceeds(
string subjectName,
string issuerName,
string thumbprintNoise,
bool expected)
{
// Arrange
using (X509Certificate2 clientCertificate = SelfSignedCertificate.CreateWithIssuerAndSubjectName(issuerName, subjectName))
{
var options = new TestApiServerOptions()
.ConfigureAppConfiguration(config => config.AddInMemoryCollection(new []
{
new KeyValuePair <string, string>(SubjectKey, "CN=subject"),
new KeyValuePair <string, string>(IssuerKey, "CN=issuer"),
new KeyValuePair <string, string>(ThumbprintKey, clientCertificate.Thumbprint + thumbprintNoise)
}))
.ConfigureServices(services =>
{
var certificateValidator =
new CertificateAuthenticationValidator(
new CertificateAuthenticationConfigBuilder()
.WithSubject(X509ValidationLocation.Configuration, SubjectKey)
.WithIssuer(X509ValidationLocation.Configuration, IssuerKey)
.WithThumbprint(X509ValidationLocation.Configuration, ThumbprintKey)
.Build());
services.AddSingleton(certificateValidator)
.AddClientCertificate(clientCertificate);
});
await using (var server = await TestApiServer.StartNewAsync(options, _logger))
{
var request = HttpRequestBuilder.Get(CertificateAuthenticationOnMethodController.AuthorizedGetRoute);
// Act
using (HttpResponseMessage response = await server.SendAsync(request))
{
// Assert
Assert.True(
(HttpStatusCode.Unauthorized == response.StatusCode) == expected,
$"Response HTTP status code {(expected ? "should" : "shouldn't")} be 'Unauthorized' but was '{response.StatusCode}'");
}
}
}
}
public async Task AuthorizedRoute_WithCertificateAuthenticationViaConfigurationAndSecretProvider_ShouldFailWithUnauthorized_WhenAnyClientCertificateValidationDoesntSucceeds(
string subjectValue,
string issuerValue,
bool expected)
{
// Arrange
const string subjectKey = "subject", issuerKey = "issuer";
using (X509Certificate2 clientCertificate = SelfSignedCertificate.CreateWithIssuerAndSubjectName(issuerValue, subjectValue))
{
var options = new TestApiServerOptions()
.ConfigureAppConfiguration(config => config.AddInMemoryCollection(new []
{
new KeyValuePair <string, string>(subjectKey, "CN=known-subject")
}))
.ConfigureServices(services =>
{
var certificateValidator =
new CertificateAuthenticationValidator(
new CertificateAuthenticationConfigBuilder()
.WithSubject(X509ValidationLocation.Configuration, subjectKey)
.WithIssuer(X509ValidationLocation.SecretProvider, issuerKey)
.Build());
services.AddSecretStore(stores => stores.AddInMemory(issuerKey, "CN=known-issuername"))
.AddClientCertificate(clientCertificate)
.AddSingleton(certificateValidator)
.AddMvc(opt => opt.Filters.AddCertificateAuthentication());
});
await using (var server = await TestApiServer.StartNewAsync(options, _logger))
{
var request = HttpRequestBuilder.Get(NoneAuthenticationController.GetRoute);
// Act
using (HttpResponseMessage response = await server.SendAsync(request))
{
// Assert
Assert.True(
(HttpStatusCode.Unauthorized == response.StatusCode) == expected,
$"Response HTTP status code {(expected ? "should" : "shouldn't")} be 'Unauthorized' but was '{response.StatusCode}'");
}
}
}
}
public async Task AuthorizedRoute_WithCertificateAuthenticationViaSecretProvider_ShouldFailWithUnauthorized_WhenAnyClientCertificateValidationDoesntSucceeds(
string subjectValue,
string issuerValue,
bool expected)
{
// Arrange
const string subjectKey = "subject", issuerKey = "issuer";
_testServer.AddService <ISecretProvider>(
new InMemorySecretProvider(
(subjectKey, "CN=known-subject"),
(issuerKey, "CN=known-issuername")));
_testServer.AddService(
new CertificateAuthenticationValidator(
new CertificateAuthenticationConfigBuilder()
.WithSubject(X509ValidationLocation.SecretProvider, subjectKey)
.WithIssuer(X509ValidationLocation.SecretProvider, issuerKey)
.Build()));
_testServer.AddFilter(new CertificateAuthenticationFilter());
using (X509Certificate2 clientCertificate = SelfSignedCertificate.CreateWithIssuerAndSubjectName(issuerValue, subjectValue))
{
_testServer.SetClientCertificate(clientCertificate);
using (HttpClient client = _testServer.CreateClient())
{
var request = new HttpRequestMessage(
HttpMethod.Get,
NoneAuthenticationController.Route);
// Act
using (HttpResponseMessage response = await client.SendAsync(request))
{
// Assert
Assert.True(
(HttpStatusCode.Unauthorized == response.StatusCode) == expected,
$"Response HTTP status code {(expected ? "should" : "shouldn't")} be 'Unauthorized' but was '{response.StatusCode}'");
}
}
}
}
public async Task AuthorizedRoute_WithCertificateAuthenticationInHeader_ShouldSucceed()
{
// Arrange
const string subjectKey = "subject", issuerKey = "issuer";
using (X509Certificate2 clientCertificate = SelfSignedCertificate.CreateWithIssuerAndSubjectName("known-issuername", "known-subject"))
{
var options = new TestApiServerOptions()
.ConfigureAppConfiguration(config => config.AddInMemoryCollection(new []
{
new KeyValuePair <string, string>(subjectKey, "CN=known-subject")
}))
.ConfigureServices(services =>
{
var certificateValidator =
new CertificateAuthenticationValidator(
new CertificateAuthenticationConfigBuilder()
.WithSubject(X509ValidationLocation.Configuration, subjectKey)
.WithIssuer(X509ValidationLocation.SecretProvider, issuerKey)
.Build());
services.AddSecretStore(stores => stores.AddInMemory(issuerKey, "CN=known-issuername"))
.AddSingleton(certificateValidator)
.AddMvc(opt => opt.Filters.AddCertificateAuthentication());
});
await using (var server = await TestApiServer.StartNewAsync(options, _logger))
{
string base64String = Convert.ToBase64String(clientCertificate.Export(X509ContentType.Pkcs12), Base64FormattingOptions.None);
var request = HttpRequestBuilder
.Get(NoneAuthenticationController.GetRoute)
.WithHeader("X-ARR-ClientCert", base64String);
// Act
using (HttpResponseMessage response = await server.SendAsync(request))
{
// Assert
Assert.NotEqual(HttpStatusCode.Unauthorized, response.StatusCode);
}
}
}
}
public async Task CertificateAuthorizedRoute_WithBypassAttribute_SkipsAuthentication(string route)
{
// Arrange
using (X509Certificate2 clientCertificate = SelfSignedCertificate.CreateWithIssuerAndSubjectName("issuer", "subject"))
{
_testServer.SetClientCertificate(clientCertificate);
_testServer.AddFilter(new CertificateAuthenticationFilter());
_testServer.AddService <ISecretProvider>(new InMemorySecretProvider((IssuerKey, "CN=issuer")));
_testServer.AddService(
new CertificateAuthenticationValidator(
new CertificateAuthenticationConfigBuilder()
.WithIssuer(X509ValidationLocation.SecretProvider, IssuerKey)
.Build()));
using (HttpClient client = _testServer.CreateClient())
// Act
using (HttpResponseMessage response = await client.GetAsync(route))
{
// Assert
Assert.Equal(HttpStatusCode.OK, response.StatusCode);
}
}
}