public void AuthExpiredRequestIdAreClearedFromCache() { Dictionary <string, string> GenerateAuthParameters() { return(new Dictionary <string, string> { { "awsAccessKeyId", "accessKey" }, { "awsSecretKey", "secretKey" }, { "requestId", Guid.NewGuid().ToString() }, { "issueDate", DateTime.UtcNow.ToString("yyyy-MM-dd'T'HH:mm:ss.fffzzz", DateTimeFormatInfo.InvariantInfo) } }); } var request1 = GenerateAuthParameters(); AwsCredentialsAuthenticationHandler.ValidateAuthParameters(request1); Assert.Contains(request1["requestId"], AwsCredentialsAuthenticationHandler.ProcessRequestIds); var request2 = GenerateAuthParameters(); AwsCredentialsAuthenticationHandler.ValidateAuthParameters(request2); Assert.Contains(request1["requestId"], AwsCredentialsAuthenticationHandler.ProcessRequestIds); Assert.Contains(request2["requestId"], AwsCredentialsAuthenticationHandler.ProcessRequestIds); Thread.Sleep(AwsCredentialsAuthenticationHandler.MaxIssueDateDuration.Add(TimeSpan.FromSeconds(3))); var request3 = GenerateAuthParameters(); AwsCredentialsAuthenticationHandler.ValidateAuthParameters(request3); Assert.DoesNotContain(request1["requestId"], AwsCredentialsAuthenticationHandler.ProcessRequestIds); Assert.DoesNotContain(request2["requestId"], AwsCredentialsAuthenticationHandler.ProcessRequestIds); Assert.Contains(request3["requestId"], AwsCredentialsAuthenticationHandler.ProcessRequestIds); }
public void ProcessAuthorizationHeaderFailWrongSchema() { var authResults = AwsCredentialsAuthenticationHandler.ProcessAuthorizationHeader("wrong-schema value", new NoEncryptionProvider()); Assert.False(authResults.Succeeded); Assert.Contains("Unsupported authorization schema", authResults.Failure.Message); }
public void ProcessAuthorizationHeaderFailNoSchema() { var authResults = AwsCredentialsAuthenticationHandler.ProcessAuthorizationHeader("no-schema-value", new NoEncryptionProvider()); Assert.False(authResults.Succeeded); Assert.Contains("Incorrect format Authorization header", authResults.Failure.Message); }
public void AuthInvalidFormatForIssueDate() { var authValue = MockAuthorizationHeaderValue("access", "secret", null, "not a date"); var authResults = AwsCredentialsAuthenticationHandler.ProcessAuthorizationHeader(authValue, new NoEncryptionProvider()); Assert.False(authResults.Succeeded); Assert.Equal("Failed to parse issue date", authResults.Failure.Message); }
public void AuthFutureIssueDate() { var authValue = MockAuthorizationHeaderValue("access", "secret", null, DateTime.UtcNow.AddMinutes(5)); var authResults = AwsCredentialsAuthenticationHandler.ProcessAuthorizationHeader(authValue, new NoEncryptionProvider()); Assert.False(authResults.Succeeded); Assert.Equal("Issue date invalid set in the future", authResults.Failure.Message); }
public void AuthMissingIssueDate() { var authValue = MockAuthorizationHeaderValue("access", "secret", null, null); var authResults = AwsCredentialsAuthenticationHandler.ProcessAuthorizationHeader(authValue, new NoEncryptionProvider()); Assert.False(authResults.Succeeded); Assert.Equal($"Authorization header missing {AwsCredentialsAuthenticationHandler.ClaimAwsIssueDate} property", authResults.Failure.Message); }
public void ProcessAuthorizationHeaderFailInValidJson() { var base64BadJson = Convert.ToBase64String(UTF8Encoding.UTF8.GetBytes("you are not json")); var authResults = AwsCredentialsAuthenticationHandler.ProcessAuthorizationHeader($"aws-deploy-tool-server-mode {base64BadJson}", new NoEncryptionProvider()); Assert.False(authResults.Succeeded); Assert.Equal("Error decoding authorization value", authResults.Failure.Message); }
public void AuthMissingRequestId() { var authParameters = new Dictionary <string, string> { { "awsAccessKeyId", "accessKey" }, { "awsSecretKey", "secretKey" }, { "issueDate", DateTime.UtcNow.ToString("yyyy-MM-dd'T'HH:mm:ss.fffzzz", DateTimeFormatInfo.InvariantInfo) } }; var results = AwsCredentialsAuthenticationHandler.ValidateAuthParameters(authParameters); Assert.False(results.Succeeded); Assert.Equal($"Authorization header missing {AwsCredentialsAuthenticationHandler.ClaimAwsRequestId} property", results.Failure.Message); }
public void ProcessAuthorizationHeaderSuccess() { var request = new HttpRequestMessage(); var creds = new ImmutableCredentials("accessKeyId", "secretKey", "token"); ServerModeHttpClientAuthorizationHandler.AddAuthorizationHeader(request, creds); if (!request.Headers.TryGetValues("Authorization", out var value)) { throw new Exception("Missing Authorization header"); } var authResults = AwsCredentialsAuthenticationHandler.ProcessAuthorizationHeader(value.FirstOrDefault(), new NoEncryptionProvider()); Assert.True(authResults.Succeeded); }
public void AuthAttemptReplayRequestId() { var authParameters = new Dictionary <string, string> { { "awsAccessKeyId", "accessKey" }, { "awsSecretKey", "secretKey" }, { "requestId", Guid.NewGuid().ToString() }, { "issueDate", DateTime.UtcNow.ToString("yyyy-MM-dd'T'HH:mm:ss.fffzzz", DateTimeFormatInfo.InvariantInfo) } }; var results = AwsCredentialsAuthenticationHandler.ValidateAuthParameters(authParameters); Assert.Null(results); results = AwsCredentialsAuthenticationHandler.ValidateAuthParameters(authParameters); Assert.False(results.Succeeded); Assert.Equal($"Value for authorization header has already been used", results.Failure.Message); }
public void AuthPassCredentialsEncrypted() { var aes = Aes.Create(); var request = new HttpRequestMessage(); var creds = new ImmutableCredentials("accessKeyId", "secretKey", "token"); ServerModeHttpClientAuthorizationHandler.AddAuthorizationHeader(request, creds, aes); if (!request.Headers.TryGetValues("Authorization", out var value)) { throw new Exception("Missing Authorization header"); } var authPayloadBase64 = value.FirstOrDefault().Split(' ')[1]; var authPayload = Encoding.UTF8.GetString(Convert.FromBase64String(authPayloadBase64)); // This should fail because the payload is encrypted. Assert.Throws <JsonReaderException>(() => JsonConvert.DeserializeObject(authPayload)); var authResults = AwsCredentialsAuthenticationHandler.ProcessAuthorizationHeader(value.FirstOrDefault(), new AesEncryptionProvider(aes)); Assert.True(authResults.Succeeded); var accessKeyId = authResults.Principal.Claims.FirstOrDefault(x => string.Equals(AwsCredentialsAuthenticationHandler.ClaimAwsAccessKeyId, x.Type))?.Value; Assert.Equal(creds.AccessKey, accessKeyId); var secretKey = authResults.Principal.Claims.FirstOrDefault(x => string.Equals(AwsCredentialsAuthenticationHandler.ClaimAwsSecretKey, x.Type))?.Value; Assert.Equal(creds.SecretKey, secretKey); var token = authResults.Principal.Claims.FirstOrDefault(x => string.Equals(AwsCredentialsAuthenticationHandler.ClaimAwsSessionToken, x.Type))?.Value; Assert.Equal(creds.Token, token); }