/// <summary>
/// Checks that <c>GetUriForMatchedSecurityRequest</c> returns null (no redirect target) in two cases:
/// a Secure request that carries the configured offload header, and an Insecure request that does not.
/// </summary>
public void GetUriRequestReturnsNullIfOffloadedHeaderSecurityAlreadyMatchesSpecifiedSecurity()
{
    // Arrange.
    // The transport reports a non-TLS connection in both cases, so presumably only the
    // offload header can make the first request count as already secure.
    var request = new Mock<HttpRequestBase>();
    request.SetupGet(r => r.IsSecureConnection).Returns(false);
    var response = new Mock<HttpResponseBase>();
    var settings = new Settings();
    var enforcer = new SecurityEnforcer(new HeadersSecurityEvaluator());

    var headersWithOffloadMarker = new NameValueCollection
    {
        { "SSL_REQUEST", "on" },
        { "OTHER_HEADER", "some-value" }
    };
    var headersWithoutOffloadMarker = new NameValueCollection
    {
        { "OTHER_HEADER", "some-value" }
    };

    // Act.
    // NOTE(review): the security decision is driven by a header read from the request. That is only
    // trustworthy when the TLS-offloading device strips or overwrites any client-supplied copy of the
    // header and the application cannot be reached around that device; confirm for the deployment.
    request.SetupGet(r => r.Headers).Returns(headersWithOffloadMarker);
    // A name with an empty value after '='; the sibling IsSecureConnection test treats this form
    // as "header present".
    settings.OffloadedSecurityHeaders = "SSL_REQUEST=";
    var uriWhenAlreadySecure = enforcer.GetUriForMatchedSecurityRequest(
        request.Object,
        response.Object,
        RequestSecurity.Secure,
        settings);

    // Same settings, but the offload header is now absent and Insecure is requested.
    request.SetupGet(r => r.Headers).Returns(headersWithoutOffloadMarker);
    var uriWhenAlreadyInsecure = enforcer.GetUriForMatchedSecurityRequest(
        request.Object,
        response.Object,
        RequestSecurity.Insecure,
        settings);

    // Assert.
    Assert.Null(uriWhenAlreadySecure);
    Assert.Null(uriWhenAlreadyInsecure);
}
/// <summary>
/// Checks that, when <c>BaseSecureUri</c> is configured, the target URI is that base followed by the
/// request path with the application path removed, then the original query string.
/// </summary>
public void GetUriDoesNotIncludeApplicationPathWithSuppliedBaseUri()
{
    // Arrange.
    const string BaseRequestUri = "http://www.testsite.com";
    const string ApplicationPathRequestUri = "/MySuperDuperApplication";
    const string PathRequestUri = ApplicationPathRequestUri + "/Manage/Default.aspx";
    const string QueryRequestUri = "?Param=SomeValue";

    var request = new Mock<HttpRequestBase>();
    request.SetupGet(r => r.ApplicationPath).Returns(ApplicationPathRequestUri);
    request.SetupGet(r => r.Url).Returns(new Uri(BaseRequestUri + PathRequestUri + QueryRequestUri));
    request.SetupGet(r => r.RawUrl).Returns(PathRequestUri + QueryRequestUri);

    // ApplyAppPathModifier is stubbed as the identity function, so it does not alter the path.
    var response = new Mock<HttpResponseBase>();
    response.Setup(r => r.ApplyAppPathModifier(It.IsAny<string>())).Returns<string>(path => path);

    var settings = new Settings();
    settings.Mode = Mode.On;
    settings.BaseSecureUri = "https://secure.someotherwebsite.com/testsite/";

    var enforcer = new SecurityEnforcer(new HeadersSecurityEvaluator());

    // Act.
    var targetUrl = enforcer.GetUriForMatchedSecurityRequest(
        request.Object,
        response.Object,
        RequestSecurity.Secure,
        settings);

    // Assert.
    // Skip the application path plus the '/' that follows it; BaseSecureUri already ends with '/'.
    // The expected scheme and host come entirely from the configured base, not from the request URL.
    var pathBelowApplication = PathRequestUri.Substring(ApplicationPathRequestUri.Length + 1);
    var expectedUrl = settings.BaseSecureUri + pathBelowApplication + QueryRequestUri;
    Assert.Equal(expectedUrl, targetUrl);
}
/// <summary>
/// Checks that <c>HeadersSecurityEvaluator.IsSecureConnection</c> returns false when the request
/// carries none of the configured offloaded-security headers.
/// </summary>
public void IsSecureConnectionReturnsFalseIfNoHeaderMatchesAnOffloadHeader()
{
    // Arrange.
    // The only header on the request is unrelated to the configured "SSL_REQUEST=on" pair.
    var unrelatedHeaders = new NameValueCollection
    {
        { "SOME_HEADER", "some-value" }
    };
    var request = new Mock<HttpRequestBase>();
    request.SetupGet(r => r.Headers).Returns(unrelatedHeaders);

    var settings = new Settings();
    settings.OffloadedSecurityHeaders = "SSL_REQUEST=on";

    var evaluator = new HeadersSecurityEvaluator();

    // Act.
    var isSecure = evaluator.IsSecureConnection(request.Object, settings);

    // Assert.
    Assert.False(isSecure);
}
/// <summary>
/// Checks that <c>HeadersSecurityEvaluator.IsSecureConnection</c> returns true both when the
/// configured header name and value match, and when the setting names the header with an empty value.
/// </summary>
public void IsSecureConnectionReturnsTrueIfHeaderMatchesAnOffloadHeader()
{
    // Arrange.
    var headers = new NameValueCollection
    {
        { "SOME_HEADER", "some-value" },
        { "SSL_REQUEST", "on" }
    };
    var request = new Mock<HttpRequestBase>();
    request.SetupGet(r => r.Headers).Returns(headers);
    var settings = new Settings();
    var evaluator = new HeadersSecurityEvaluator();

    // Act.
    // Case 1: the setting gives both name and value, and the request header equals that value.
    settings.OffloadedSecurityHeaders = "SSL_REQUEST=on";
    var matchedOnNameAndValue = evaluator.IsSecureConnection(request.Object, settings);

    // Case 2: the setting gives only the name; the request still sends the header with value "on".
    settings.OffloadedSecurityHeaders = "SSL_REQUEST=";
    var matchedOnNameOnly = evaluator.IsSecureConnection(request.Object, settings);

    // Assert.
    // NOTE(review): neither case sends the header with a value that differs from the configured one,
    // so this test does not show that a mismatched value is rejected; worth a separate negative test.
    // The header is also request-supplied, so the result is only as trustworthy as the offloading
    // device's handling of client-sent copies of it.
    Assert.True(matchedOnNameAndValue);
    Assert.True(matchedOnNameOnly);
}
/// <summary>
/// Checks that, with no base URI configured, the target URI for a Secure request is the request URL
/// with its "http://" scheme replaced by "https://" and its path and query left unchanged.
/// </summary>
public void GetUriReturnsTheRequestUrlWithProtocolReplacedWhenNoBaseUriIsSupplied()
{
    // Arrange.
    const string BaseRequestUri = "http://www.testsite.com";
    const string PathRequestUri = "/Manage/Default.aspx?Param=SomeValue";

    var request = new Mock<HttpRequestBase>();
    request.SetupGet(r => r.Url).Returns(new Uri(BaseRequestUri + PathRequestUri));
    request.SetupGet(r => r.RawUrl).Returns(PathRequestUri);

    // ApplyAppPathModifier is stubbed as the identity function, so it does not alter the path.
    var response = new Mock<HttpResponseBase>();
    response.Setup(r => r.ApplyAppPathModifier(It.IsAny<string>())).Returns<string>(path => path);

    var settings = new Settings
    {
        Mode = Mode.On,
        Paths = { new TestPathSetting("/Manage") }
    };

    var enforcer = new SecurityEnforcer(new HeadersSecurityEvaluator());

    // Act.
    var targetUrl = enforcer.GetUriForMatchedSecurityRequest(
        request.Object,
        response.Object,
        RequestSecurity.Secure,
        settings);

    // Assert.
    // NOTE(review): here the expected host is the request's own host. Whether a client can influence
    // that value (for example through the Host header) depends on hosting configuration; confirm
    // before relying on this mode without a configured base URI.
    var expectedUrl = BaseRequestUri.Replace("http://", "https://") + PathRequestUri;
    Assert.Equal(expectedUrl, targetUrl);
}