public void GetUriRequestReturnsNullIfOffloadedHeaderSecurityAlreadyMatchesSpecifiedSecurity() { // Arrange. var mockRequest = new Mock<HttpRequestBase>(); mockRequest.SetupGet(req => req.IsSecureConnection).Returns(false); var mockResponse = new Mock<HttpResponseBase>(); var settings = new Settings(); var evaluator = new HeadersSecurityEvaluator(); var enforcer = new SecurityEnforcer(evaluator); // Act. mockRequest.SetupGet(req => req.Headers).Returns(new NameValueCollection { { "SSL_REQUEST", "on" }, { "OTHER_HEADER", "some-value" } }); settings.OffloadedSecurityHeaders = "SSL_REQUEST="; var targetUrlForAlreadySecuredRequest = enforcer.GetUriForMatchedSecurityRequest(mockRequest.Object, mockResponse.Object, RequestSecurity.Secure, settings); mockRequest.SetupGet(req => req.Headers).Returns(new NameValueCollection { { "OTHER_HEADER", "some-value" } }); var targetUrlForAlreadyInsecureRequest = enforcer.GetUriForMatchedSecurityRequest(mockRequest.Object, mockResponse.Object, RequestSecurity.Insecure, settings); // Assert. Assert.Null(targetUrlForAlreadySecuredRequest); Assert.Null(targetUrlForAlreadyInsecureRequest); }
public void GetUriDoesNotIncludeApplicationPathWithSuppliedBaseUri() { const string BaseRequestUri = "http://www.testsite.com"; const string ApplicationPathRequestUri = "/MySuperDuperApplication"; const string PathRequestUri = ApplicationPathRequestUri + "/Manage/Default.aspx"; const string QueryRequestUri = "?Param=SomeValue"; var mockRequest = new Mock<HttpRequestBase>(); mockRequest.SetupGet(req => req.ApplicationPath).Returns(ApplicationPathRequestUri); mockRequest.SetupGet(req => req.Url).Returns(new Uri(BaseRequestUri + PathRequestUri + QueryRequestUri)); mockRequest.SetupGet(req => req.RawUrl).Returns(PathRequestUri + QueryRequestUri); var mockResponse = new Mock<HttpResponseBase>(); mockResponse.Setup(resp => resp.ApplyAppPathModifier(It.IsAny<string>())).Returns<string>(s => s); var settings = new Settings { Mode = Mode.On, BaseSecureUri = "https://secure.someotherwebsite.com/testsite/" }; var evaluator = new HeadersSecurityEvaluator(); var enforcer = new SecurityEnforcer(evaluator); // Act. var targetUrl = enforcer.GetUriForMatchedSecurityRequest(mockRequest.Object, mockResponse.Object, RequestSecurity.Secure, settings); // Assert. Assert.Equal(settings.BaseSecureUri + PathRequestUri.Remove(0, ApplicationPathRequestUri.Length + 1) + QueryRequestUri, targetUrl); }
public void GetUriReturnsSwitchedUriBasedOnSuppliedBaseInsecureUri() { const string BaseRequestUri = "https://www.testsite.com"; const string PathRequestUri = "/Info/Default.aspx"; const string QueryRequestUri = "?Param=SomeValue"; var mockRequest = new Mock<HttpRequestBase>(); mockRequest.SetupGet(req => req.ApplicationPath).Returns("/"); mockRequest.SetupGet(req => req.Url).Returns(new Uri(BaseRequestUri + PathRequestUri + QueryRequestUri)); mockRequest.SetupGet(req => req.RawUrl).Returns(PathRequestUri + QueryRequestUri); mockRequest.SetupGet(req => req.IsSecureConnection).Returns(true); var mockResponse = new Mock<HttpResponseBase>(); mockResponse.Setup(resp => resp.ApplyAppPathModifier(It.IsAny<string>())).Returns<string>(s => s); var settings = new Settings { Mode = Mode.On, BaseInsecureUri = "http://www.someotherwebsite.com/" }; var evaluator = new StandardSecurityEvaluator(); var enforcer = new SecurityEnforcer(evaluator); // Act. var targetUrl = enforcer.GetUriForMatchedSecurityRequest(mockRequest.Object, mockResponse.Object, RequestSecurity.Insecure, settings); // Assert. Assert.Equal(settings.BaseInsecureUri + PathRequestUri.Remove(0, 1) + QueryRequestUri, targetUrl); }
public void GetUriReturnsTheRequestUrlWithProtocolReplacedWhenNoBaseUriIsSupplied() { // Arrange. const string BaseRequestUri = "http://www.testsite.com"; const string PathRequestUri = "/Manage/Default.aspx?Param=SomeValue"; var mockRequest = new Mock<HttpRequestBase>(); mockRequest.SetupGet(req => req.Url).Returns(new Uri(BaseRequestUri + PathRequestUri)); mockRequest.SetupGet(req => req.RawUrl).Returns(PathRequestUri); var mockResponse = new Mock<HttpResponseBase>(); mockResponse.Setup(resp => resp.ApplyAppPathModifier(It.IsAny<string>())).Returns<string>(s => s); var settings = new Settings { Mode = Mode.On, Paths = { new TestPathSetting("/Manage") } }; var evaluator = new HeadersSecurityEvaluator(); var enforcer = new SecurityEnforcer(evaluator); // Act. var targetUrl = enforcer.GetUriForMatchedSecurityRequest(mockRequest.Object, mockResponse.Object, RequestSecurity.Secure, settings); // Assert. Assert.Equal(BaseRequestUri.Replace("http://", "https://") + PathRequestUri, targetUrl); }
public void GetUriRequestReturnsNullIfRequestSecurityAlreadyMatchesSpecifiedSecurity() { // Arrange. var mockRequest = new Mock<HttpRequestBase>(); var mockResponse = new Mock<HttpResponseBase>(); var settings = new Settings(); var evaluator = new StandardSecurityEvaluator(); var enforcer = new SecurityEnforcer(evaluator); // Act. mockRequest.SetupGet(req => req.IsSecureConnection).Returns(true); var targetUrlForAlreadySecuredRequest = enforcer.GetUriForMatchedSecurityRequest(mockRequest.Object, mockResponse.Object, RequestSecurity.Secure, settings); mockRequest.SetupGet(req => req.IsSecureConnection).Returns(false); var targetUrlForAlreadyInsecureRequest = enforcer.GetUriForMatchedSecurityRequest(mockRequest.Object, mockResponse.Object, RequestSecurity.Insecure, settings); // Assert. Assert.Null(targetUrlForAlreadySecuredRequest); Assert.Null(targetUrlForAlreadyInsecureRequest); }