public async Task AuthorizedRoute_WithCertificateAuthentication_ShouldFailWithUnauthorized_WhenClientCertificateSubjectNameDoesntMatch()
{
// Arrange
string subjectKey = "subject", subjectValue = $"subject-{Guid.NewGuid()}";
_testServer.AddService <ISecretProvider>(new InMemorySecretProvider((subjectKey, subjectValue)));
_testServer.AddService(
new CertificateAuthenticationValidator(
new CertificateAuthenticationConfigBuilder()
.WithSubject(X509ValidationLocation.SecretProvider, subjectKey)
.Build()));
_testServer.AddFilter(new CertificateAuthenticationFilter());
using (X509Certificate2 clientCertificate = SelfSignedCertificate.CreateWithSubject("unrecognized-subject-name"))
{
_testServer.SetClientCertificate(clientCertificate);
using (HttpClient client = _testServer.CreateClient())
{
var request = new HttpRequestMessage(
HttpMethod.Get,
NoneAuthenticationController.Route);
// Act
using (HttpResponseMessage response = await client.SendAsync(request))
{
// Arrange
Assert.Equal(HttpStatusCode.Unauthorized, response.StatusCode);
}
}
}
}
public async Task GetHealthWithCorrectBearerToken_WithAzureManagedIdentityAuthorization_ReturnsOk()
{
// Arrange
string issuer = GenerateRandomUri();
string authority = GenerateRandomUri();
string privateKey = GenerateRandomPrivateKey();
using (var testOpenIdServer = await TestOpenIdServer.StartNewAsync(_outputWriter))
{
TokenValidationParameters tokenValidationParameters = testOpenIdServer.GenerateTokenValidationParametersWithValidAudience(issuer, authority, privateKey);
var reader = new JwtTokenReader(tokenValidationParameters, testOpenIdServer.OpenIdAddressConfiguration);
_testServer.AddFilter(filters => filters.AddJwtTokenAuthorization(options => options.JwtTokenReader = reader));
using (HttpClient client = _testServer.CreateClient())
using (var request = new HttpRequestMessage(HttpMethod.Get, HealthController.Route))
{
string accessToken = testOpenIdServer.RequestSecretToken(issuer, authority, privateKey, daysValid: 7);
request.Headers.Add(JwtTokenAuthorizationOptions.DefaultHeaderName, accessToken);
// Act
using (HttpResponseMessage response = await client.SendAsync(request))
{
// Assert
Assert.Equal(HttpStatusCode.OK, response.StatusCode);
}
}
}
}
public async Task GetHealthWithCorrectBearerToken_WithIncorrectAzureManagedIdentityAuthorization_ReturnsUnauthorized()
{
// Arrange
using (var testServer = new TestApiServer())
using (var testOpenIdServer = await TestOpenIdServer.StartNewAsync(_outputWriter))
{
var validationParameters = new TokenValidationParameters
{
ValidateAudience = false,
ValidateIssuer = false,
ValidateIssuerSigningKey = true,
ValidateLifetime = true
};
var reader = new JwtTokenReader(validationParameters, testOpenIdServer.OpenIdAddressConfiguration);
testServer.AddFilter(filters => filters.AddJwtTokenAuthorization(options => options.JwtTokenReader = reader));
using (HttpClient client = testServer.CreateClient())
using (var request = new HttpRequestMessage(HttpMethod.Get, HealthController.Route))
{
string accessToken = await testOpenIdServer.RequestAccessTokenAsync();
request.Headers.Add(JwtTokenAuthorizationOptions.DefaultHeaderName, accessToken);
// Act
using (HttpResponseMessage response = await client.SendAsync(request))
{
// Assert
Assert.Equal(HttpStatusCode.Unauthorized, response.StatusCode);
}
}
}
}
public async Task GetHealthWithIncorrectBearerToken_WithAzureManagedIdentityAuthorization_ReturnsUnauthorized()
{
// Arrange
using (var testServer = new TestApiServer())
using (var testOpenIdServer = await TestOpenIdServer.StartNewAsync(_outputWriter))
{
TokenValidationParameters validationParameters = await testOpenIdServer.GenerateTokenValidationParametersAsync();
var reader = new JwtTokenReader(validationParameters, testOpenIdServer.OpenIdAddressConfiguration);
testServer.AddFilter(filters => filters.AddJwtTokenAuthorization(options => options.JwtTokenReader = reader));
using (HttpClient client = testServer.CreateClient())
using (var request = new HttpRequestMessage(HttpMethod.Get, HealthController.Route))
{
string accessToken = $"Bearer {_bogusGenerator.Random.AlphaNumeric(10)}.{_bogusGenerator.Random.AlphaNumeric(50)}.{_bogusGenerator.Random.AlphaNumeric(40)}";
request.Headers.Add(JwtTokenAuthorizationOptions.DefaultHeaderName, accessToken);
// Act
using (HttpResponseMessage response = await client.SendAsync(request))
{
// Assert
Assert.Equal(HttpStatusCode.Unauthorized, response.StatusCode);
}
}
}
}
public async Task GetHealthWithCorrectBearerToken_WithAzureManagedIdentityAuthorization_ReturnsOk()
{
// Arrange
using (var testServer = new TestApiServer())
using (var testOpenIdServer = await TestOpenIdServer.StartNewAsync(_outputWriter))
{
TokenValidationParameters validationParameters = await testOpenIdServer.GenerateTokenValidationParametersAsync();
var reader = new JwtTokenReader(validationParameters, testOpenIdServer.OpenIdAddressConfiguration);
testServer.AddFilter(new AzureManagedIdentityAuthorizationFilter(reader));
using (HttpClient client = testServer.CreateClient())
using (var request = new HttpRequestMessage(HttpMethod.Get, HealthController.Route))
{
string accessToken = await testOpenIdServer.RequestAccessTokenAsync();
request.Headers.Add(AzureManagedIdentityAuthorizationFilter.DefaultHeaderName, accessToken);
// Act
using (HttpResponseMessage response = await client.SendAsync(request))
{
// Assert
Assert.Equal(HttpStatusCode.OK, response.StatusCode);
}
}
}
}
public async Task GetHealthWithCorrectBearerToken_WithAzureManagedIdentityAuthorizationAndCustomClaims_ReturnsOk()
{
// Arrange
string issuer = $"http://{Util.GetRandomString(10).ToLower()}.com";
string authority = $"http://{Util.GetRandomString(10).ToLower()}.com";
RSA rsa = new RSACryptoServiceProvider(512);
string privateKey = rsa.ToCustomXmlString(true);
using (var testServer = new TestApiServer())
using (var testOpenIdServer = await TestOpenIdServer.StartNewAsync(_outputWriter))
{
TokenValidationParameters tokenValidationParameters = testOpenIdServer.GenerateTokenValidationParametersWithValidAudience(issuer, authority, privateKey);
var reader = new JwtTokenReader(tokenValidationParameters, testOpenIdServer.OpenIdAddressConfiguration);
Dictionary <string, string> claimCheck = new Dictionary <string, string> {
{ JwtClaimTypes.Audience, Guid.NewGuid().ToString() }
};
testServer.AddFilter(filters => filters.AddJwtTokenAuthorization(options => options.JwtTokenReader = reader, claimCheck));
using (HttpClient client = testServer.CreateClient())
using (var request = new HttpRequestMessage(HttpMethod.Get, HealthController.Route))
{
string accessToken = testOpenIdServer.RequestSecretToken(issuer, authority, privateKey, 7, claimCheck);
request.Headers.Add(JwtTokenAuthorizationOptions.DefaultHeaderName, accessToken);
// Act
using (HttpResponseMessage response = await client.SendAsync(request))
{
// Assert
Assert.Equal(HttpStatusCode.OK, response.StatusCode);
}
}
}
}
public async Task SharedAccessKeyAuthorizedRoute_WithBypassAttributeOnMethod_SkipsAuthentication(string route)
{
// Arrange
_testServer.AddFilter(new SharedAccessKeyAuthenticationFilter(HeaderName, queryParameterName: null, SecretName));
// Act
using (HttpResponseMessage response = await SendAuthorizedHttpRequest(route, headerValue: null))
{
// Assert
Assert.Equal(HttpStatusCode.OK, response.StatusCode);
}
}
public async Task GetHealthWithCorrectBearerToken_WithIncorrectAzureManagedIdentityAuthorization_ReturnsUnauthorized()
{
// Arrange
string issuer = $"http://{Util.GetRandomString(10).ToLower()}.com";
string authority = $"http://{Util.GetRandomString(10).ToLower()}.com";
RSA rsa = new RSACryptoServiceProvider(512);
string privateKey = rsa.ToCustomXmlString(true);
using (var testServer = new TestApiServer())
using (var testOpenIdServer = await TestOpenIdServer.StartNewAsync(_outputWriter))
{
var validationParameters = new TokenValidationParameters
{
ValidateAudience = false,
ValidateIssuer = false,
ValidateIssuerSigningKey = true,
ValidateLifetime = true
};
var reader = new JwtTokenReader(validationParameters, testOpenIdServer.OpenIdAddressConfiguration);
testServer.AddFilter(filters => filters.AddJwtTokenAuthorization(options => options.JwtTokenReader = reader));
using (HttpClient client = testServer.CreateClient())
using (var request = new HttpRequestMessage(HttpMethod.Get, HealthController.Route))
{
string accessToken = testOpenIdServer.RequestSecretToken(issuer, authority, privateKey, 7);
request.Headers.Add(JwtTokenAuthorizationOptions.DefaultHeaderName, accessToken);
// Act
using (HttpResponseMessage response = await client.SendAsync(request))
{
// Assert
Assert.Equal(HttpStatusCode.Unauthorized, response.StatusCode);
}
}
}
}
public async Task CertificateAuthorizedRoute_WithBypassAttribute_SkipsAuthentication(string route)
{
// Arrange
using (X509Certificate2 clientCertificate = SelfSignedCertificate.CreateWithIssuerAndSubjectName("issuer", "subject"))
{
_testServer.SetClientCertificate(clientCertificate);
_testServer.AddFilter(new CertificateAuthenticationFilter());
_testServer.AddService <ISecretProvider>(new InMemorySecretProvider((IssuerKey, "CN=issuer")));
_testServer.AddService(
new CertificateAuthenticationValidator(
new CertificateAuthenticationConfigBuilder()
.WithIssuer(X509ValidationLocation.SecretProvider, IssuerKey)
.Build()));
using (HttpClient client = _testServer.CreateClient())
// Act
using (HttpResponseMessage response = await client.GetAsync(route))
{
// Assert
Assert.Equal(HttpStatusCode.OK, response.StatusCode);
}
}
}
