public async Task AuthorizeFilterWillCallPolicyProviderOnAuthorization()
{
// Arrange
var policyProvider = new Mock <IAuthorizationPolicyProvider>();
var getPolicyCount = 0;
policyProvider.Setup(p => p.GetPolicyAsync(It.IsAny <string>())).ReturnsAsync(new AuthorizationPolicyBuilder().RequireAssertion(_ => true).Build())
.Callback(() => getPolicyCount++);
var authorizeFilter = new AuthorizeFilter(policyProvider.Object, new AuthorizeAttribute[] { new AuthorizeAttribute("whatever") });
var authorizationContext = GetAuthorizationContext();
// Act & Assert
await authorizeFilter.OnAuthorizationAsync(authorizationContext);
Assert.Equal(1, getPolicyCount);
Assert.Null(authorizationContext.Result);
await authorizeFilter.OnAuthorizationAsync(authorizationContext);
Assert.Equal(2, getPolicyCount);
Assert.Null(authorizationContext.Result);
await authorizeFilter.OnAuthorizationAsync(authorizationContext);
Assert.Equal(3, getPolicyCount);
Assert.Null(authorizationContext.Result);
// Make sure we don't cache the policy
Assert.Null(authorizeFilter.Policy);
}
public async Task GetEffectivePolicyAsync_CombinesPoliciesFromEndpoint()
{
// Arrange
var policy1 = new AuthorizationPolicyBuilder()
.RequireClaim("Claim1")
.Build();
var policy2 = new AuthorizationPolicyBuilder()
.RequireClaim("Claim2")
.Build();
var filter = new AuthorizeFilter(policy1);
var options = new AuthorizationOptions();
options.AddPolicy("policy2", policy2);
var policyProvider = new DefaultAuthorizationPolicyProvider(Options.Create(options));
ActionContext.HttpContext.RequestServices = new ServiceCollection()
.AddSingleton <IAuthorizationPolicyProvider>(policyProvider)
.BuildServiceProvider();
ActionContext.HttpContext.SetEndpoint(new Endpoint(
_ => null,
new EndpointMetadataCollection(new AuthorizeAttribute("policy2")),
"test"));
var context = new AuthorizationFilterContext(ActionContext, new[] { filter, });
// Act
var effectivePolicy = await filter.GetEffectivePolicyAsync(context);
// Assert
Assert.NotSame(policy1, effectivePolicy);
Assert.NotSame(policy2, effectivePolicy);
Assert.Equal(new[] { "Claim1", "Claim2" }, effectivePolicy.Requirements.Cast <ClaimsAuthorizationRequirement>().Select(c => c.ClaimType));
}
public async Task AuthorizationFilterCombinesMultipleFiltersWithPolicyProvider()
{
// Arrange
var authorizeFilter = new AuthorizeFilter(new TestPolicyProvider(), new IAuthorizeData[]
{
new AuthorizeAttribute {
Policy = "true"
},
new AuthorizeAttribute {
Policy = "false"
}
});
var authorizationContext = GetAuthorizationContext(anonymous: false);
// Effective policy should fail, if both are combined
authorizationContext.Filters.Add(authorizeFilter);
var secondFilter = new AuthorizeFilter(new AuthorizationPolicyBuilder().RequireAssertion(a => true).Build());
authorizationContext.Filters.Add(secondFilter);
// Act
await secondFilter.OnAuthorizationAsync(authorizationContext);
// Assert
Assert.IsType <ForbidResult>(authorizationContext.Result);
}
public async Task Invoke_FailedContextShouldNotCheckPermission()
{
// Arrange
bool authorizationServiceIsCalled = false;
var authorizationService = new Mock <IAuthorizationService>();
authorizationService
.Setup(x => x.AuthorizeAsync(null, null, "CanViewComment"))
.Returns(() =>
{
authorizationServiceIsCalled = true;
return(Task.FromResult(true));
});
var authorizeFilter = new AuthorizeFilter(new AuthorizationPolicyBuilder()
.RequireClaim("Permission", "CanViewComment")
.Build());
var authorizationContext = GetAuthorizationContext(services =>
services.AddSingleton(authorizationService.Object));
authorizationContext.Result = new UnauthorizedResult();
// Act
await authorizeFilter.OnAuthorizationAsync(authorizationContext);
// Assert
Assert.False(authorizationServiceIsCalled);
}
public async Task Invoke_ValidClaimShouldNotFail()
{
// Arrange
var authorizeFilter = new AuthorizeFilter(new AuthorizationPolicyBuilder().RequireClaim("Permission", "CanViewPage").Build());
var authorizationContext = GetAuthorizationContext(services => services.AddAuthorization());
// Act
await authorizeFilter.OnAuthorizationAsync(authorizationContext);
// Assert
Assert.Null(authorizationContext.Result);
}
public async Task Invoke_EmptyClaimsShouldChallengeAnonymousUser()
{
// Arrange
var authorizeFilter = new AuthorizeFilter(new AuthorizationPolicyBuilder().RequireAuthenticatedUser().Build());
var authorizationContext = GetAuthorizationContext(anonymous: true);
// Act
await authorizeFilter.OnAuthorizationAsync(authorizationContext);
// Assert
Assert.IsType <ChallengeResult>(authorizationContext.Result);
}
public async Task Invoke_EmptyClaimsShouldAuthorizeAuthenticatedUser()
{
// Arrange
var authorizeFilter = new AuthorizeFilter(new AuthorizationPolicyBuilder().RequireAuthenticatedUser().Build());
var authorizationContext = GetAuthorizationContext();
// Act
await authorizeFilter.OnAuthorizationAsync(authorizationContext);
// Assert
Assert.Null(authorizationContext.Result);
}
public async Task AuthZResourceShouldBeAuthorizationFilterContext()
{
// Arrange
var authorizeFilter = new AuthorizeFilter(new AuthorizationPolicyBuilder().RequireAssertion(c => c.Resource is AuthorizationFilterContext).Build());
var authorizationContext = GetAuthorizationContext();
// Act
await authorizeFilter.OnAuthorizationAsync(authorizationContext);
// Assert
Assert.Null(authorizationContext.Result);
}
public async Task Invoke_SingleValidClaimShouldSucceed()
{
// Arrange
var authorizeFilter = new AuthorizeFilter(new AuthorizationPolicyBuilder().RequireClaim("Permission", "CanViewComment", "CanViewPage").Build());
var authorizationContext = GetAuthorizationContext();
// Act
await authorizeFilter.OnAuthorizationAsync(authorizationContext);
// Assert
Assert.Null(authorizationContext.Result);
}
public async Task Invoke_RequireUnknownRoleShouldFail()
{
// Arrange
var authorizeFilter = new AuthorizeFilter(new AuthorizationPolicyBuilder().RequireRole("Wut").Build());
var authorizationContext = GetAuthorizationContext(services => services.AddAuthorization());
// Act
await authorizeFilter.OnAuthorizationAsync(authorizationContext);
// Assert
Assert.NotNull(authorizationContext.Result);
}
public async Task Invoke_RequireAdminAndUserRoleWithNoPolicyShouldSucceed()
{
// Arrange
var authorizeFilter = new AuthorizeFilter(new AuthorizationPolicyBuilder().RequireRole("Administrator").Build());
var authorizationContext = GetAuthorizationContext(services => services.AddAuthorization());
// Act
await authorizeFilter.OnAuthorizationAsync(authorizationContext);
// Assert
Assert.Null(authorizationContext.Result);
}
public async Task AuthorizeFilterCanAuthorizeNullUser()
{
// Arrange
var authorizeFilter = new AuthorizeFilter(new AuthorizationPolicyBuilder().RequireAssertion(_ => true).Build());
var authorizationContext = GetAuthorizationContext(anonymous: true);
// Act
await authorizeFilter.OnAuthorizationAsync(authorizationContext);
// Assert
Assert.Null(authorizationContext.Result);
}
public async Task Invoke_RequireUnknownRoleShouldForbid()
{
// Arrange
var authorizeFilter = new AuthorizeFilter(new AuthorizationPolicyBuilder().RequireRole("Wut").Build());
var authorizationContext = GetAuthorizationContext();
// Act
await authorizeFilter.OnAuthorizationAsync(authorizationContext);
// Assert
Assert.IsType <ForbidResult>(authorizationContext.Result);
}
public async Task AuthorizeFilterCanAuthorizeNonAuthenticatedUser()
{
// Arrange
var authorizeFilter = new AuthorizeFilter(new AuthorizationPolicyBuilder().RequireAssertion(_ => true).Build());
var authorizationContext = GetAuthorizationContext(services => services.AddAuthorization(), anonymous: true);
authorizationContext.HttpContext.User = new ClaimsPrincipal();
// Act
await authorizeFilter.OnAuthorizationAsync(authorizationContext);
// Assert
Assert.Null(authorizationContext.Result);
}
public async Task Invoke_CanFilterToOnlyBearerScheme()
{
// Arrange
var authorizeFilter = new AuthorizeFilter(new AuthorizationPolicyBuilder("Bearer")
.RequireClaim("Permission", "CanViewPage")
.Build());
var authorizationContext = GetAuthorizationContext(services => services.AddAuthorization());
// Act
await authorizeFilter.OnAuthorizationAsync(authorizationContext);
// Assert
Assert.NotNull(authorizationContext.Result);
}
public async Task Invoke_FailWhenLookingForClaimInOtherIdentity()
{
// Arrange
var authorizeFilter = new AuthorizeFilter(new AuthorizationPolicyBuilder()
.RequireClaim("Permission", "CanViewComment")
.Build());
var authorizationContext = GetAuthorizationContext(services => services.AddAuthorization());
// Act
await authorizeFilter.OnAuthorizationAsync(authorizationContext);
// Assert
Assert.NotNull(authorizationContext.Result);
}
public async Task Invoke_EmptyClaimsShouldRejectAnonymousUser()
{
// Arrange
var authorizeFilter = new AuthorizeFilter(new AuthorizationPolicyBuilder().RequireAuthenticatedUser().Build());
var authorizationContext = GetAuthorizationContext(services =>
services.AddAuthorization(),
anonymous: true);
// Act
await authorizeFilter.OnAuthorizationAsync(authorizationContext);
// Assert
Assert.NotNull(authorizationContext.Result);
}
public void CreateInstance_ReturnsSelfIfPolicyProviderIsSet()
{
// Arrange
var authorizeFilter = new AuthorizeFilter(new AuthorizationPolicyBuilder()
.RequireAssertion(_ => true)
.Build());
var factory = (IFilterFactory)authorizeFilter;
// Act
var result = factory.CreateInstance(new ServiceCollection().BuildServiceProvider());
// Assert
Assert.Same(authorizeFilter, result);
}
public async Task Invoke_AuthSchemesFailShouldSetEmptyPrincipalOnContext()
{
// Arrange
var authorizeFilter = new AuthorizeFilter(new AuthorizationPolicyBuilder("Fails")
.RequireAuthenticatedUser()
.Build());
var authorizationContext = GetAuthorizationContext();
// Act
await authorizeFilter.OnAuthorizationAsync(authorizationContext);
// Assert
Assert.NotNull(authorizationContext.HttpContext.User?.Identity);
}
public async Task Invoke_EmptyClaimsWithAllowAnonymousAttributeShouldNotRejectAnonymousUser()
{
// Arrange
var authorizeFilter = new AuthorizeFilter(new AuthorizationPolicyBuilder().RequireAuthenticatedUser().Build());
var authorizationContext = GetAuthorizationContext(anonymous: true);
authorizationContext.Filters.Add(new AllowAnonymousFilter());
// Act
await authorizeFilter.OnAuthorizationAsync(authorizationContext);
// Assert
Assert.Null(authorizationContext.Result);
}
public async Task AuthorizeFilter_CreatedWithPolicy_ThrowsWhenOnAuthorizationAsyncIsCalled()
{
// Arrange
var authorizeFilter = new AuthorizeFilter(new[] { new AuthorizeAttribute() });
var authorizationContext = GetAuthorizationContext();
var expected = "An AuthorizationPolicy cannot be created without a valid instance of " +
"IAuthorizationPolicyProvider.";
// Act & Assert
var ex = await Assert.ThrowsAsync <InvalidOperationException>(
() => authorizeFilter.OnAuthorizationAsync(authorizationContext));
Assert.Equal(expected, ex.Message);
}
public async Task Invoke_InvalidClaimShouldForbid()
{
// Arrange
var authorizeFilter = new AuthorizeFilter(new AuthorizationPolicyBuilder()
.RequireClaim("Permission", "CanViewComment")
.Build());
var authorizationContext = GetAuthorizationContext();
// Act
await authorizeFilter.OnAuthorizationAsync(authorizationContext);
// Assert
Assert.IsType <ForbidResult>(authorizationContext.Result);
}
public async Task Invoke_RequireAdminRoleButFailPolicyShouldFail()
{
// Arrange
var authorizeFilter = new AuthorizeFilter(new AuthorizationPolicyBuilder()
.RequireRole("Administrator")
.RequireClaim("Permission", "CanViewComment")
.Build());
var authorizationContext = GetAuthorizationContext(services => services.AddAuthorization());
// Act
await authorizeFilter.OnAuthorizationAsync(authorizationContext);
// Assert
Assert.NotNull(authorizationContext.Result);
}
public async Task Invoke_CanLookingForClaimsInMultipleIdentities()
{
// Arrange
var authorizeFilter = new AuthorizeFilter(new AuthorizationPolicyBuilder("Basic", "Bearer")
.RequireClaim("Permission", "CanViewComment")
.RequireClaim("Permission", "CupBearer")
.Build());
var authorizationContext = GetAuthorizationContext(services => services.AddAuthorization());
// Act
await authorizeFilter.OnAuthorizationAsync(authorizationContext);
// Assert
Assert.NotNull(authorizationContext.Result);
}
public async Task AuthorizationFilterIgnoresFirstFilterWhenCombining()
{
// Arrange
var authorizeFilter = new AuthorizeFilter(new AuthorizationPolicyBuilder().RequireAssertion(a => false).Build());
var authorizationContext = GetAuthorizationContext(anonymous: false);
// Effective policy should fail, if both are combined
authorizationContext.Filters.Add(authorizeFilter);
var secondFilter = new AuthorizeFilter(new AuthorizationPolicyBuilder().RequireAssertion(a => false).Build());
authorizationContext.Filters.Add(secondFilter);
// Act
await authorizeFilter.OnAuthorizationAsync(authorizationContext);
// Assert
Assert.Null(authorizationContext.Result);
}
public async Task GetEffectivePolicyAsync_ReturnsCurrentPolicy_WhenNoEndpointMetadataIsAvailable()
{
// Arrange
var policy = new AuthorizationPolicyBuilder()
.RequireAssertion(_ => true)
.Build();
var filter = new AuthorizeFilter(policy);
var context = new AuthorizationFilterContext(ActionContext, new[] { filter });
// Act
var effectivePolicy = await filter.GetEffectivePolicyAsync(context);
// Assert
//
// Verify the policy is cached
Assert.Same(effectivePolicy, await filter.GetEffectivePolicyAsync(context));
}
public async Task AuthorizationFilterCombinesMultipleFilters()
{
// Arrange
var authorizeFilter = new AuthorizeFilter(new AuthorizationPolicyBuilder().RequireAssertion(a => true).Build());
var authorizationContext = GetAuthorizationContext(anonymous: false, registerServices: s => s.Configure <MvcOptions>(o => o.AllowCombiningAuthorizeFilters = true));
// Effective policy should fail, if both are combined
authorizationContext.Filters.Add(authorizeFilter);
var secondFilter = new AuthorizeFilter(new AuthorizationPolicyBuilder().RequireAssertion(a => false).Build());
authorizationContext.Filters.Add(secondFilter);
// Act
await secondFilter.OnAuthorizationAsync(authorizationContext);
// Assert
Assert.IsType <ForbidResult>(authorizationContext.Result);
}
public async Task Invoke_RequireAdminRoleShouldFailWithNoHandlers()
{
// Arrange
var authorizeFilter = new AuthorizeFilter(new AuthorizationPolicyBuilder().RequireRole("Administrator").Build());
var authorizationContext = GetAuthorizationContext(services =>
{
services.AddOptions();
services.AddAuthorization();
services.Remove(services.Where(sd => sd.ServiceType == typeof(IAuthorizationHandler)).Single());
});
// Act
await authorizeFilter.OnAuthorizationAsync(authorizationContext);
// Assert
Assert.NotNull(authorizationContext.Result);
}
public async Task DefaultConstructor_DeniesAnonymousUsers()
{
// Arrange
var authorizationContext = GetAuthorizationContext(anonymous: true);
// The type 'AuthorizeFilter' is both a filter by itself and also a filter factory.
// The default filter provider first checks if a type is a filter factory and creates an instance of
// this filter.
var authorizeFilterFactory = new AuthorizeFilter();
var filterFactory = authorizeFilterFactory as IFilterFactory;
var authorizeFilter = (AuthorizeFilter)filterFactory.CreateInstance(
authorizationContext.HttpContext.RequestServices);
// Act
await authorizeFilter.OnAuthorizationAsync(authorizationContext);
// Assert
Assert.IsType <ChallengeResult>(authorizationContext.Result);
}
public void CreateInstance_ReturnsNewFilterIfPolicyAndPolicyProviderAreNotSetAndCustomProviderIsUsed(
AuthorizeFilter authorizeFilter)
{
// Arrange
var factory = (IFilterFactory)authorizeFilter;
var policyProvider = Mock.Of <IAuthorizationPolicyProvider>();
var serviceProvider = new ServiceCollection()
.AddSingleton(policyProvider)
.BuildServiceProvider();
// Act
var result = factory.CreateInstance(serviceProvider);
// Assert
Assert.NotSame(authorizeFilter, result);
var actual = Assert.IsType <AuthorizeFilter>(result);
Assert.Same(policyProvider, actual.PolicyProvider);
}
