public async Task AuthenticateRequestTestX509ApiProxyForward_InvalidCertificate_ShoudThrow()
{
string iothubHostName = "TestHub.azure-devices.net";
string deviceId = "device_2";
string apiProxyId = "iotedgeApiProxy";
var httpContext = new DefaultHttpContext();
httpContext.Connection.RemoteIpAddress = new IPAddress(0);
var certContentBytes = Encoding.UTF8.GetBytes("Invalid cert");
string certContentBase64 = Convert.ToBase64String(certContentBytes);
string clientCertString = $"{certContentBase64}";
clientCertString = WebUtility.UrlEncode(clientCertString);
httpContext.Request.Headers.Add(Constants.ClientCertificateHeaderKey, new StringValues(clientCertString));
httpContext.Request.QueryString = new QueryString("?api-version=2017-10-20");
string sasToken = TokenHelper.CreateSasToken($"{iothubHostName}/devices/{deviceId}/modules/{apiProxyId}");
httpContext.Request.Headers.Add(HeaderNames.Authorization, new StringValues(sasToken));
var authenticator = new Mock <IAuthenticator>();
var identityFactory = new ClientCredentialsFactory(new IdentityProvider(iothubHostName));
var httpRequestAuthenticator = new HttpProxiedCertificateExtractor(authenticator.Object, identityFactory, iothubHostName, deviceId, apiProxyId);
await Assert.ThrowsAsync <AuthenticationException>(() => httpRequestAuthenticator.GetClientCertificate(httpContext));
authenticator.VerifyAll();
}
public async Task AuthenticateRequestTestX509ApiProxyForward_NoSasToken_ShouldThrow()
{
string iothubHostName = "TestHub.azure-devices.net";
string deviceId = "device_2";
string apiProxyId = "iotedgeApiProxy";
var httpContext = new DefaultHttpContext();
httpContext.Connection.RemoteIpAddress = new IPAddress(0);
var certContentBytes = CertificateHelper.GenerateSelfSignedCert($"test_cert").Export(X509ContentType.Cert);
string certContentBase64 = Convert.ToBase64String(certContentBytes);
string clientCertString = $"-----BEGIN CERTIFICATE-----\n{certContentBase64}\n-----END CERTIFICATE-----\n";
clientCertString = WebUtility.UrlEncode(clientCertString);
httpContext.Request.Headers.Add(Constants.ClientCertificateHeaderKey, new StringValues(clientCertString));
httpContext.Request.QueryString = new QueryString("?api-version=2017-10-20");
var authenticator = new Mock <IAuthenticator>();
var identityFactory = new ClientCredentialsFactory(new IdentityProvider(iothubHostName));
var httpRequestAuthenticator = new HttpProxiedCertificateExtractor(authenticator.Object, identityFactory, iothubHostName, deviceId, apiProxyId);
var ex = await Assert.ThrowsAsync <AuthenticationException>(() => httpRequestAuthenticator.GetClientCertificate(httpContext));
Assert.Equal($"Unable to authorize proxy iotedgeApiProxy to forward device certificate - Authorization header missing", ex.Message);
authenticator.VerifyAll();
}
public void GetSasIdentityTest()
{
string iothubHostName = "iothub1.azure.net";
string callerProductInfo = "productInfo";
string sasToken = TokenHelper.CreateSasToken($"{iothubHostName}/devices/device1/modules/moduleId");
var identityFactory = new ClientCredentialsFactory(new IdentityProvider(iothubHostName), callerProductInfo);
// device test
string deviceId = "device1";
string deviceClientType = "customDeviceClient1";
IClientCredentials identityTry1 = identityFactory.GetWithSasToken(deviceId, null, deviceClientType, sasToken, false);
Assert.IsType <DeviceIdentity>(identityTry1.Identity);
Assert.IsType <TokenCredentials>(identityTry1);
Assert.Equal(sasToken, (identityTry1 as ITokenCredentials)?.Token);
Assert.Equal("device1", identityTry1.Identity.Id);
Assert.Equal($"{callerProductInfo} customDeviceClient1", identityTry1.ProductInfo);
Assert.Equal(AuthenticationType.Token, identityTry1.AuthenticationType);
// module test
deviceId = "device1";
string moduleId = "module1";
deviceClientType = "customDeviceClient2";
IClientCredentials identityTry2 = identityFactory.GetWithSasToken(deviceId, moduleId, deviceClientType, sasToken, false);
Assert.IsType <ModuleIdentity>(identityTry2.Identity);
Assert.IsType <TokenCredentials>(identityTry2);
Assert.Equal(sasToken, (identityTry2 as ITokenCredentials)?.Token);
Assert.Equal("device1/module1", identityTry2.Identity.Id);
Assert.Equal($"{callerProductInfo} customDeviceClient2", identityTry2.ProductInfo);
Assert.Equal(AuthenticationType.Token, identityTry2.AuthenticationType);
}
public async Task AuthenticateRequestTestX509ApiProxyForward_ProxyAuthSuccess_ShouldReturnCertificate()
{
string iothubHostName = "TestHub.azure-devices.net";
string deviceId = "device_2";
string apiProxyId = "iotedgeApiProxy";
var httpContext = new DefaultHttpContext();
httpContext.Connection.RemoteIpAddress = new IPAddress(0);
var certContentBytes = CertificateHelper.GenerateSelfSignedCert($"test_cert").Export(X509ContentType.Cert);
string certContentBase64 = Convert.ToBase64String(certContentBytes);
string clientCertString = $"-----BEGIN CERTIFICATE-----\n{certContentBase64}\n-----END CERTIFICATE-----\n";
clientCertString = WebUtility.UrlEncode(clientCertString);
httpContext.Request.Headers.Add(Constants.ClientCertificateHeaderKey, new StringValues(clientCertString));
string sasToken = TokenHelper.CreateSasToken($"{iothubHostName}/devices/{deviceId}/modules/{apiProxyId}");
httpContext.Request.Headers.Add(HeaderNames.Authorization, new StringValues(sasToken));
httpContext.Request.QueryString = new QueryString("?api-version=2017-10-20");
var authenticator = new Mock <IAuthenticator>();
authenticator.Setup(a => a.AuthenticateAsync(It.Is <IClientCredentials>(c => c.Identity.Id == "device_2/iotedgeApiProxy"))).ReturnsAsync(true);
var identityFactory = new ClientCredentialsFactory(new IdentityProvider(iothubHostName));
var httpRequestAuthenticator = new HttpProxiedCertificateExtractor(authenticator.Object, identityFactory, iothubHostName, deviceId, apiProxyId);
var cert = await httpRequestAuthenticator.GetClientCertificate(httpContext);
Assert.True(cert.HasValue);
authenticator.VerifyAll();
}
public async Task AuthenticateRequestTest_Success()
{
string iothubHostName = "TestHub.azure-devices.net";
string deviceId = "device_2";
string moduleId = "module_1";
var httpContext = new DefaultHttpContext();
httpContext.Connection.LocalPort = Constants.ApiProxyPort;
string sasToken = TokenHelper.CreateSasToken($"{iothubHostName}/devices/{deviceId}/modules/{moduleId}");
httpContext.Request.Headers.Add(HeaderNames.Authorization, new StringValues(sasToken));
httpContext.Request.QueryString = new QueryString("?api-version=2017-10-20");
var authenticator = new Mock <IAuthenticator>();
authenticator.Setup(a => a.AuthenticateAsync(It.IsAny <IClientCredentials>())).ReturnsAsync(true);
var identityFactory = new ClientCredentialsFactory(new IdentityProvider(iothubHostName));
var httpRequestAuthenticator = new HttpRequestAuthenticator(authenticator.Object, identityFactory, iothubHostName);
HttpAuthResult result = await httpRequestAuthenticator.AuthenticateAsync(deviceId, Option.Some(moduleId), Option.None <string>(), httpContext);
Assert.True(result.Authenticated);
Assert.Equal(string.Empty, result.ErrorMessage);
}
public async Task InvalidAuthenticateRequestTest_TokenExpired()
{
string iothubHostName = "TestHub.azure-devices.net";
string deviceId = "device_2";
string moduleId = "module_1";
var httpContext = new DefaultHttpContext();
string sasToken = TokenHelper.CreateSasToken($"{iothubHostName}/devices/{deviceId}/modules/{moduleId}", expired: true);
httpContext.Request.Headers.Add(HeaderNames.Authorization, new StringValues(sasToken));
httpContext.Request.Headers.Add(HttpConstants.IdHeaderKey, $"{deviceId}/{moduleId}");
httpContext.Request.QueryString = new QueryString("?api-version=2017-10-20");
var authenticator = new Mock <IAuthenticator>();
authenticator.Setup(a => a.AuthenticateAsync(It.IsAny <IClientCredentials>())).ReturnsAsync(true);
var identityFactory = new ClientCredentialsFactory(new IdentityProvider(iothubHostName));
var authenticationMiddleware = new AuthenticationMiddleware(Mock.Of <RequestDelegate>(), Task.FromResult(authenticator.Object), identityFactory, iothubHostName, deviceId);
(bool success, string message)result = await authenticationMiddleware.AuthenticateRequest(httpContext);
Assert.False(result.success);
Assert.Equal("Cannot parse SharedAccessSignature because of the following error - The specified SAS token is expired", result.message);
}
public async Task AuthenticateRequestTestX509ApiProxyForward_NoProxyAuthorization_AuthFailed()
{
string iothubHostName = "TestHub.azure-devices.net";
string deviceId = "device_2";
string moduleId = "module_1";
string apiProxyId = "iotedgeApiProxy";
var httpContext = new DefaultHttpContext();
httpContext.Connection.RemoteIpAddress = new IPAddress(0);
var certContentBytes = CertificateHelper.GenerateSelfSignedCert($"test_cert").Export(X509ContentType.Cert);
string certContentBase64 = Convert.ToBase64String(certContentBytes);
string clientCertString = $"-----BEGIN CERTIFICATE-----\n{certContentBase64}\n-----END CERTIFICATE-----\n";
clientCertString = WebUtility.UrlEncode(clientCertString);
httpContext.Request.Headers.Add(Constants.ClientCertificateHeaderKey, new StringValues(clientCertString));
httpContext.Request.QueryString = new QueryString("?api-version=2017-10-20");
var authenticator = new Mock <IAuthenticator>();
authenticator.Setup(a => a.AuthenticateAsync(It.IsAny <IClientCredentials>())).ReturnsAsync(true);
var identityFactory = new ClientCredentialsFactory(new IdentityProvider(iothubHostName));
var httpProxiedCertificateExtractor = new Mock <IHttpProxiedCertificateExtractor>();
httpProxiedCertificateExtractor.Setup(p => p.GetClientCertificate(httpContext)).ThrowsAsync(new AuthenticationException($"Unable to authorize proxy {apiProxyId} to forward device certificate - Authorization header missing"));
var httpRequestAuthenticator = new HttpRequestAuthenticator(authenticator.Object, identityFactory, iothubHostName, httpProxiedCertificateExtractor.Object);
HttpAuthResult result = await httpRequestAuthenticator.AuthenticateAsync(deviceId, Option.Some(moduleId), Option.None <string>(), httpContext);
Assert.False(result.Authenticated);
Assert.Equal($"Unable to authenticate device with Id device_2/module_1 - Unable to authorize proxy {apiProxyId} to forward device certificate - Authorization header missing", result.ErrorMessage);
}
public async Task InvalidAuthenticateRequestTest_MultipleAuthHeaders()
{
string iothubHostName = "TestHub.azure-devices.net";
string deviceId = "device_2";
string moduleId = "module_1";
var httpContext = new DefaultHttpContext();
httpContext.Request.Headers.Add(HttpConstants.IdHeaderKey, $"{deviceId}/{moduleId}");
httpContext.Request.Headers.Add(HeaderNames.Authorization, new StringValues(new[] { "sasToken1", "sasToken2" }));
httpContext.Request.QueryString = new QueryString("?api-version=2017-10-20");
var authenticator = new Mock <IAuthenticator>();
authenticator.Setup(a => a.AuthenticateAsync(It.IsAny <IClientCredentials>())).ReturnsAsync(true);
var identityFactory = new ClientCredentialsFactory(iothubHostName);
var authenticationMiddleware = new AuthenticationMiddleware(Mock.Of <RequestDelegate>(), Task.FromResult(authenticator.Object), identityFactory, iothubHostName);
(bool success, string message)result = await authenticationMiddleware.AuthenticateRequest(httpContext);
Assert.NotNull(result);
Assert.False(result.success);
Assert.Equal("Invalid authorization header count", result.message);
}
public async Task InvalidCredentialsRequestTest_AuthFailed()
{
string iothubHostName = "TestHub.azure-devices.net";
string deviceId = "device_2";
string moduleId = "module_1";
var httpContext = new DefaultHttpContext();
string sasToken = TokenHelper.CreateSasToken($"{iothubHostName}/devices/{deviceId}/modules/{moduleId}");
httpContext.Request.Headers.Add(HeaderNames.Authorization, new StringValues(sasToken));
httpContext.Request.QueryString = new QueryString("?api-version=2017-10-20");
httpContext.Request.Headers.Add(HttpConstants.IdHeaderKey, $"{deviceId}/{moduleId}");
var authenticator = new Mock <IAuthenticator>();
authenticator.Setup(a => a.AuthenticateAsync(It.IsAny <IClientCredentials>())).ReturnsAsync(false);
var identityFactory = new ClientCredentialsFactory(iothubHostName);
var authenticationMiddleware = new AuthenticationMiddleware(Mock.Of <RequestDelegate>(), Task.FromResult(authenticator.Object), identityFactory, iothubHostName);
(bool success, string message)result = await authenticationMiddleware.AuthenticateRequest(httpContext);
Assert.NotNull(result);
Assert.False(result.success);
Assert.Equal("Unable to authenticate device with Id device_2/module_1", result.message);
}
public void GetX509IdentityTest()
{
string iothubHostName = "iothub1.azure.net";
string callerProductInfo = "productInfo";
string deviceId = "device1";
string moduleId = "module1";
string deviceClientType = "customDeviceClient1";
var identityFactory = new ClientCredentialsFactory(iothubHostName, callerProductInfo);
// device test
IClientCredentials identityTry1 = identityFactory.GetWithX509Cert(deviceId, null, deviceClientType);
Assert.IsType <DeviceIdentity>(identityTry1.Identity);
Assert.Equal("device1", identityTry1.Identity.Id);
Assert.Equal($"{callerProductInfo} customDeviceClient1", identityTry1.ProductInfo);
Assert.Equal(AuthenticationType.X509Cert, identityTry1.AuthenticationType);
// module test
IClientCredentials identityTry2 = identityFactory.GetWithX509Cert(deviceId, moduleId, deviceClientType);
Assert.IsType <ModuleIdentity>(identityTry2.Identity);
Assert.Equal("device1/module1", identityTry2.Identity.Id);
Assert.Equal($"{callerProductInfo} customDeviceClient1", identityTry2.ProductInfo);
Assert.Equal(AuthenticationType.X509Cert, identityTry1.AuthenticationType);
}
public async Task InvalidAuthenticateRequestX509Test_InvalidDeviceId()
{
string iothubHostName = "TestHub.azure-devices.net";
string deviceId = "device_2";
string moduleId = "module_1";
string edgeDeviceId = "edgeDeviceId1";
var httpContext = new DefaultHttpContext();
var clientCert = CertificateHelper.GenerateSelfSignedCert($"test_cert");
httpContext.Request.Headers.Add(HttpConstants.IdHeaderKey, $"{deviceId}/{moduleId}");
httpContext.Request.QueryString = new QueryString("?api-version=2017-10-20");
httpContext.Connection.ClientCertificate = clientCert;
var authenticator = new Mock <IAuthenticator>();
authenticator.Setup(a => a.AuthenticateAsync(It.IsAny <IClientCredentials>())).ReturnsAsync(true);
var identityFactory = new ClientCredentialsFactory(new IdentityProvider(iothubHostName));
var authenticationMiddleware = new AuthenticationMiddleware(Mock.Of <RequestDelegate>(), Task.FromResult(authenticator.Object), identityFactory, iothubHostName, edgeDeviceId);
(bool success, string message)result = await authenticationMiddleware.AuthenticateRequest(httpContext);
Assert.False(result.success);
Assert.Equal($"Module {moduleId} on device {deviceId} cannot invoke methods. Only modules on IoT Edge device {edgeDeviceId} can invoke methods.", result.message);
}
public async Task AuthenticateRequestTestX509ApiProxyIgnoresAuthorizationHeader_Success()
{
string iothubHostName = "TestHub.azure-devices.net";
string deviceId = "device_2";
string moduleId = "module_1";
var httpContext = new DefaultHttpContext();
var certContentBytes = CertificateHelper.GenerateSelfSignedCert($"test_cert").Export(X509ContentType.Cert);
string certContentBase64 = Convert.ToBase64String(certContentBytes);
string clientCertString = $"-----BEGIN CERTIFICATE-----\n{certContentBase64}\n-----END CERTIFICATE-----\n";
clientCertString = WebUtility.UrlEncode(clientCertString);
httpContext.Request.Headers.Add(Constants.ClientCertificateHeaderKey, new StringValues(clientCertString));
httpContext.Request.Headers.Add(HeaderNames.Authorization, new StringValues("blah"));
httpContext.Request.QueryString = new QueryString("?api-version=2017-10-20");
var authenticator = new Mock <IAuthenticator>();
authenticator.Setup(a => a.AuthenticateAsync(It.IsAny <IClientCredentials>())).ReturnsAsync(true);
var identityFactory = new ClientCredentialsFactory(new IdentityProvider(iothubHostName));
var httpRequestAuthenticator = new HttpRequestAuthenticator(authenticator.Object, identityFactory, iothubHostName);
HttpAuthResult result = await httpRequestAuthenticator.AuthenticateAsync(deviceId, Option.Some(moduleId), Option.None <string>(), httpContext);
Assert.True(result.Authenticated);
Assert.Equal(string.Empty, result.ErrorMessage);
}
public async Task AuthenticateRequestTestX509IgnoresAuthorizationHeader_Success()
{
string iothubHostName = "TestHub.azure-devices.net";
string deviceId = "device_2";
string moduleId = "module_1";
var httpContext = new DefaultHttpContext();
var clientCert = CertificateHelper.GenerateSelfSignedCert($"test_cert");
httpContext.Request.Headers.Add(HeaderNames.Authorization, new StringValues("blah"));
httpContext.Request.Headers.Add(HttpConstants.IdHeaderKey, $"{deviceId}/{moduleId}");
httpContext.Request.QueryString = new QueryString("?api-version=2017-10-20");
httpContext.Connection.ClientCertificate = clientCert;
var authenticator = new Mock <IAuthenticator>();
authenticator.Setup(a => a.AuthenticateAsync(It.IsAny <IClientCredentials>())).ReturnsAsync(true);
var identityFactory = new ClientCredentialsFactory(new IdentityProvider(iothubHostName));
var authenticationMiddleware = new AuthenticationMiddleware(Mock.Of <RequestDelegate>(), Task.FromResult(authenticator.Object), identityFactory, iothubHostName, deviceId);
(bool success, string message)result = await authenticationMiddleware.AuthenticateRequest(httpContext);
Assert.True(result.success);
Assert.Equal(string.Empty, result.message);
}
public async Task AuthenticateRequestTest_NoApiVersion_Success()
{
string iothubHostName = "TestHub.azure-devices.net";
string deviceId = "device_2";
string moduleId = "module_1";
var httpContext = new DefaultHttpContext();
string sasToken = TokenHelper.CreateSasToken($"{iothubHostName}/devices/{deviceId}/modules/{moduleId}");
httpContext.Request.Headers.Add(HeaderNames.Authorization, new StringValues(sasToken));
httpContext.Request.Headers.Add(HttpConstants.IdHeaderKey, $"{deviceId}/{moduleId}");
var authenticator = new Mock <IAuthenticator>();
authenticator.Setup(a => a.AuthenticateAsync(It.IsAny <IClientCredentials>())).ReturnsAsync(true);
var identityFactory = new ClientCredentialsFactory(new IdentityProvider(iothubHostName));
var authenticationMiddleware = new AuthenticationMiddleware(Mock.Of <RequestDelegate>(), Task.FromResult(authenticator.Object), identityFactory, iothubHostName, deviceId);
(bool success, string message)result = await authenticationMiddleware.AuthenticateRequest(httpContext);
Assert.NotNull(result);
Assert.True(result.success);
Assert.Equal(string.Empty, result.message);
}
private (IAuthenticator, IUsernameParser, IClientCredentialsFactory, ISystemComponentIdProvider) SetupAcceptEverything(string hubname = "testhub")
{
var authenticator = Mock.Of <IAuthenticator>();
var usernameParser = new MqttUsernameParser();
var credFactory = new ClientCredentialsFactory(new IdentityProvider(hubname));
var sysIdProvider = Mock.Of <ISystemComponentIdProvider>();
Mock.Get(authenticator).Setup(a => a.AuthenticateAsync(It.IsAny <IClientCredentials>())).Returns(Task.FromResult(true));
Mock.Get(sysIdProvider).Setup(a => a.EdgeHubBridgeId).Returns("testdev/$edgeHub/$bridge");
return(authenticator, usernameParser, credFactory, sysIdProvider);
}
static async Task <IClientCredentials> GetClientCredentials(string iotHubHostName, string deviceId, string userName, string token, bool isCertAuthAllowed = false, string productInfo = "")
{
var authenticator = Mock.Of <IAuthenticator>(a => a.AuthenticateAsync(It.IsAny <IClientCredentials>()) == Task.FromResult(true));
var factory = new ClientCredentialsFactory(iotHubHostName, productInfo);
var sasTokenIdentityProvider = new DeviceIdentityProvider(authenticator, factory, isCertAuthAllowed);
ProtocolGateway.Identity.IDeviceIdentity deviceIdentity = await sasTokenIdentityProvider.GetAsync(deviceId, userName, token, null);
Assert.NotNull(deviceIdentity);
IClientCredentials clientCredentials = (deviceIdentity as ProtocolGatewayIdentity)?.ClientCredentials;
return(clientCredentials);
}
static async Task <IClientCredentials> GetClientCredentials(string iotHubHostName, string deviceId, string userName, string token, bool isCertAuthAllowed = false, string productInfo = "", X509Certificate2 certificate = null, IList <X509Certificate2> chain = null)
{
var authenticator = Mock.Of <IAuthenticator>(a => a.AuthenticateAsync(It.IsAny <IClientCredentials>()) == Task.FromResult(true));
var factory = new ClientCredentialsFactory(new IdentityProvider(iotHubHostName), productInfo);
var credentialIdentityProvider = new DeviceIdentityProvider(authenticator, factory, isCertAuthAllowed);
if ((certificate != null) && (chain != null))
{
credentialIdentityProvider.RemoteCertificateValidationCallback(certificate, chain);
}
ProtocolGateway.Identity.IDeviceIdentity deviceIdentity = await credentialIdentityProvider.GetAsync(deviceId, userName, token, null);
Assert.NotNull(deviceIdentity);
IClientCredentials clientCredentials = (deviceIdentity as ProtocolGatewayIdentity)?.ClientCredentials;
return(clientCredentials);
}
public void GetWithConnectionStringTest_Device()
{
string deviceId = "device1";
string iotHubHostName = "edgehubtest1.azure-devices.net";
string key = GetRandomString(44);
string deviceConnectionstring = $"HostName={iotHubHostName};DeviceId={deviceId};SharedAccessKey={key}";
IClientCredentialsFactory identityFactory = new ClientCredentialsFactory(new IdentityProvider(iotHubHostName));
IClientCredentials identityTry = identityFactory.GetWithConnectionString(deviceConnectionstring);
Assert.NotNull(identityTry);
IIdentity identity = identityTry.Identity;
Assert.IsType <DeviceIdentity>(identity);
Assert.IsType <SharedKeyCredentials>(identityTry);
Assert.Equal(deviceConnectionstring, (identityTry as ISharedKeyCredentials)?.ConnectionString);
Assert.Equal(deviceId, identity.Id);
}
public async Task AuthenticateRequestTest_NoForwardedCertificate_ShoultReturnNone()
{
string iothubHostName = "TestHub.azure-devices.net";
string deviceId = "device_2";
string apiProxyId = "iotedgeApiProxy";
var httpContext = new DefaultHttpContext();
httpContext.Connection.RemoteIpAddress = new IPAddress(0);
var authenticator = new Mock <IAuthenticator>();
var identityFactory = new ClientCredentialsFactory(new IdentityProvider(iothubHostName));
var httpRequestAuthenticator = new HttpProxiedCertificateExtractor(authenticator.Object, identityFactory, iothubHostName, deviceId, apiProxyId);
var cert = await httpRequestAuthenticator.GetClientCertificate(httpContext);
Assert.Equal(Option.None <X509Certificate2>(), cert);
authenticator.VerifyAll();
}
public void GetX509IdentityTest()
{
string iothubHostName = "iothub1.azure.net";
string callerProductInfo = "productInfo";
string deviceId = "device1";
string moduleId = "module1";
string deviceClientType = "customDeviceClient1";
var clientCertificate = TestCertificateHelper.GenerateSelfSignedCert("some_cert");
var clientCertChain = new List <X509Certificate2>()
{
clientCertificate
};
Option <string> modelId = Option.Some("modelId1");
Option <string> authChain = Option.Some("device1;edge1");
var identityFactory = new ClientCredentialsFactory(new IdentityProvider(iothubHostName), callerProductInfo);
// device test
IClientCredentials identityTry1 = identityFactory.GetWithX509Cert(deviceId, null, deviceClientType, clientCertificate, clientCertChain, modelId, authChain);
Assert.IsType <DeviceIdentity>(identityTry1.Identity);
Assert.IsType <X509CertCredentials>(identityTry1);
Assert.Equal(clientCertificate, (identityTry1 as ICertificateCredentials)?.ClientCertificate);
Assert.Equal(clientCertChain, (identityTry1 as ICertificateCredentials)?.ClientCertificateChain);
Assert.Equal("device1", identityTry1.Identity.Id);
Assert.Equal($"customDeviceClient1 {callerProductInfo}", identityTry1.ProductInfo);
Assert.Equal(AuthenticationType.X509Cert, identityTry1.AuthenticationType);
Assert.Equal(modelId, identityTry1.ModelId);
Assert.Equal(authChain, identityTry1.AuthChain);
// module test
IClientCredentials identityTry2 = identityFactory.GetWithX509Cert(deviceId, moduleId, deviceClientType, clientCertificate, clientCertChain, modelId, authChain);
Assert.IsType <ModuleIdentity>(identityTry2.Identity);
Assert.IsType <X509CertCredentials>(identityTry2);
Assert.Equal(clientCertificate, (identityTry2 as ICertificateCredentials)?.ClientCertificate);
Assert.Equal(clientCertChain, (identityTry2 as ICertificateCredentials)?.ClientCertificateChain);
Assert.Equal("device1/module1", identityTry2.Identity.Id);
Assert.Equal($"customDeviceClient1 {callerProductInfo}", identityTry2.ProductInfo);
Assert.Equal(AuthenticationType.X509Cert, identityTry1.AuthenticationType);
Assert.Equal(modelId, identityTry2.ModelId);
Assert.Equal(authChain, identityTry2.AuthChain);
}
static async Task <IClientCredentials> GetClientCredentials(string iotHubHostName, string deviceId, string userName, string token, bool isCertAuthAllowed = false, string productInfo = "", X509Certificate2 certificate = null, IList <X509Certificate2> chain = null, IMetadataStore metadataStore = null)
{
metadataStore = metadataStore ?? Mock.Of <IMetadataStore>();
var authenticator = Mock.Of <IAuthenticator>(a => a.AuthenticateAsync(It.IsAny <IClientCredentials>()) == Task.FromResult(true));
var usernameParser = new MqttUsernameParser();
var factory = new ClientCredentialsFactory(new IdentityProvider(iotHubHostName), productInfo);
var credentialIdentityProvider = new DeviceIdentityProvider(authenticator, usernameParser, factory, metadataStore, isCertAuthAllowed);
if (certificate != null && chain != null)
{
credentialIdentityProvider.RegisterConnectionCertificate(certificate, chain);
}
IDeviceIdentity deviceIdentity = await credentialIdentityProvider.GetAsync(deviceId, userName, token, null);
Assert.NotNull(deviceIdentity);
IClientCredentials clientCredentials = (deviceIdentity as ProtocolGatewayIdentity)?.ClientCredentials;
return(clientCredentials);
}
public async Task InvalidInvokeTest_ExceptionNotCaught()
{
string iothubHostName = "TestHub.azure-devices.net";
string deviceId = "device_2";
string moduleId = "module_1";
var httpContext = new DefaultHttpContext();
string sasToken = TokenHelper.CreateSasToken($"{iothubHostName}/devices/{deviceId}/modules/{moduleId}");
httpContext.Request.Headers.Add(HeaderNames.Authorization, new StringValues(sasToken));
httpContext.Request.Headers.Add(HttpConstants.IdHeaderKey, $"{deviceId}/{moduleId}");
httpContext.Request.QueryString = new QueryString("?api-version=2017-10-20");
var authenticator = new Mock <IAuthenticator>();
authenticator.Setup(a => a.AuthenticateAsync(It.IsAny <IClientCredentials>())).Throws <SomeException>();
var identityFactory = new ClientCredentialsFactory(iothubHostName);
var authenticationMiddleware = new AuthenticationMiddleware(Mock.Of <RequestDelegate>(), Task.FromResult(authenticator.Object), identityFactory, iothubHostName);
await Assert.ThrowsAsync <SomeException>(() => authenticationMiddleware.Invoke(httpContext));
}
public async Task InvalidCredentialsRequestX509Test_AuthFailed()
{
string iothubHostName = "TestHub.azure-devices.net";
string deviceId = "device_2";
string moduleId = "module_1";
var httpContext = new DefaultHttpContext();
var clientCert = CertificateHelper.GenerateSelfSignedCert($"test_cert");
httpContext.Request.QueryString = new QueryString("?api-version=2017-10-20");
httpContext.Connection.ClientCertificate = clientCert;
var authenticator = new Mock <IAuthenticator>();
authenticator.Setup(a => a.AuthenticateAsync(It.IsAny <IClientCredentials>())).ReturnsAsync(false);
var identityFactory = new ClientCredentialsFactory(new IdentityProvider(iothubHostName));
var httpRequestAuthenticator = new HttpRequestAuthenticator(authenticator.Object, identityFactory, iothubHostName, Mock.Of <IHttpProxiedCertificateExtractor>());
HttpAuthResult result = await httpRequestAuthenticator.AuthenticateAsync(deviceId, Option.Some(moduleId), Option.None <string>(), httpContext);
Assert.False(result.Authenticated);
Assert.Equal("Unable to authenticate device with Id device_2/module_1", result.ErrorMessage);
}
public async Task AuthenticateRequestX509Test_NoApiVersion_Success()
{
string iothubHostName = "TestHub.azure-devices.net";
string deviceId = "device_2";
string moduleId = "module_1";
var httpContext = new DefaultHttpContext();
var clientCert = CertificateHelper.GenerateSelfSignedCert($"test_cert");
httpContext.Request.Headers.Add(HeaderNames.Authorization, new StringValues("blah"));
httpContext.Connection.ClientCertificate = clientCert;
var authenticator = new Mock <IAuthenticator>();
authenticator.Setup(a => a.AuthenticateAsync(It.IsAny <IClientCredentials>())).ReturnsAsync(true);
var identityFactory = new ClientCredentialsFactory(new IdentityProvider(iothubHostName));
var httpRequestAuthenticator = new HttpRequestAuthenticator(authenticator.Object, identityFactory, iothubHostName, Mock.Of <IHttpProxiedCertificateExtractor>());
HttpAuthResult result = await httpRequestAuthenticator.AuthenticateAsync(deviceId, Option.Some(moduleId), Option.None <string>(), httpContext);
Assert.True(result.Authenticated);
Assert.Equal(string.Empty, result.ErrorMessage);
}
public async Task AuthenticateRequestTestX509_Success()
{
string iothubHostName = "TestHub.azure-devices.net";
string deviceId = "device_2";
string moduleId = "module_1";
var httpContext = new DefaultHttpContext();
var clientCert = CertificateHelper.GenerateSelfSignedCert($"test_cert");
httpContext.Request.QueryString = new QueryString("?api-version=2017-10-20");
httpContext.Connection.ClientCertificate = clientCert;
var authenticator = new Mock <IAuthenticator>();
authenticator.Setup(a => a.AuthenticateAsync(It.IsAny <IClientCredentials>())).ReturnsAsync(true);
var identityFactory = new ClientCredentialsFactory(new IdentityProvider(iothubHostName));
var httpRequestAuthenticator = new HttpRequestAuthenticator(authenticator.Object, identityFactory, iothubHostName);
HttpAuthResult result = await httpRequestAuthenticator.AuthenticateAsync(deviceId, Option.Some(moduleId), httpContext);
Assert.True(result.Authenticated);
Assert.Equal(string.Empty, result.ErrorMessage);
}
public async Task InvalidAuthenticateRequestTest_InvalidToken()
{
string iothubHostName = "TestHub.azure-devices.net";
string deviceId = "device_2";
string moduleId = "module_1";
var httpContext = new DefaultHttpContext();
httpContext.Request.Headers.Add(HeaderNames.Authorization, new StringValues("invalidSasToken"));
httpContext.Request.QueryString = new QueryString("?api-version=2017-10-20");
var authenticator = new Mock <IAuthenticator>();
authenticator.Setup(a => a.AuthenticateAsync(It.IsAny <IClientCredentials>())).ReturnsAsync(true);
var identityFactory = new ClientCredentialsFactory(new IdentityProvider(iothubHostName));
var httpRequestAuthenticator = new HttpRequestAuthenticator(authenticator.Object, identityFactory, iothubHostName);
HttpAuthResult result = await httpRequestAuthenticator.AuthenticateAsync(deviceId, Option.Some(moduleId), httpContext);
Assert.False(result.Authenticated);
Assert.Equal("Invalid Authorization header. Only SharedAccessSignature is supported.", result.ErrorMessage);
}
public async Task InvalidAuthenticateRequestX509Test_NoModuleId()
{
string iothubHostName = "TestHub.azure-devices.net";
string deviceId = "device_2";
var httpContext = new DefaultHttpContext();
var clientCert = CertificateHelper.GenerateSelfSignedCert($"test_cert");
httpContext.Request.QueryString = new QueryString("?api-version=2017-10-20");
httpContext.Connection.ClientCertificate = clientCert;
var authenticator = new Mock <IAuthenticator>();
authenticator.Setup(a => a.AuthenticateAsync(It.IsAny <IClientCredentials>())).ReturnsAsync(true);
var identityFactory = new ClientCredentialsFactory(new IdentityProvider(iothubHostName));
var authenticationMiddleware = new AuthenticationMiddleware(Mock.Of <RequestDelegate>(), Task.FromResult(authenticator.Object), identityFactory, iothubHostName, deviceId);
(bool success, string message)result = await authenticationMiddleware.AuthenticateRequest(httpContext);
Assert.False(result.success);
Assert.Equal("Request header does not contain ModuleId", result.message);
}
public async Task InvalidCredentialsRequestTest_AuthFailed()
{
string iothubHostName = "TestHub.azure-devices.net";
string deviceId = "device_2";
string moduleId = "module_1";
var httpContext = new DefaultHttpContext();
string sasToken = TokenHelper.CreateSasToken($"{iothubHostName}/devices/{deviceId}/modules/{moduleId}");
httpContext.Request.Headers.Add(HeaderNames.Authorization, new StringValues(sasToken));
httpContext.Request.QueryString = new QueryString("?api-version=2017-10-20");
var authenticator = new Mock <IAuthenticator>();
authenticator.Setup(a => a.AuthenticateAsync(It.IsAny <IClientCredentials>())).ReturnsAsync(false);
var identityFactory = new ClientCredentialsFactory(new IdentityProvider(iothubHostName));
var httpRequestAuthenticator = new HttpRequestAuthenticator(authenticator.Object, identityFactory, iothubHostName);
HttpAuthResult result = await httpRequestAuthenticator.AuthenticateAsync(deviceId, Option.Some(moduleId), httpContext);
Assert.False(result.Authenticated);
Assert.Equal("Unable to authenticate device with Id device_2/module_1", result.ErrorMessage);
}
public async Task InvalidAuthenticateRequestTest_MultipleAuthHeaders()
{
string iothubHostName = "TestHub.azure-devices.net";
string deviceId = "device_2";
string moduleId = "module_1";
var httpContext = new DefaultHttpContext();
httpContext.Request.Headers.Add(HeaderNames.Authorization, new StringValues(new[] { "sasToken1", "sasToken2" }));
httpContext.Request.QueryString = new QueryString("?api-version=2017-10-20");
var authenticator = new Mock <IAuthenticator>();
authenticator.Setup(a => a.AuthenticateAsync(It.IsAny <IClientCredentials>())).ReturnsAsync(true);
var httpProxiedCertificateExtractor = Mock.Of <IHttpProxiedCertificateExtractor>();
var identityFactory = new ClientCredentialsFactory(new IdentityProvider(iothubHostName));
var httpRequestAuthenticator = new HttpRequestAuthenticator(authenticator.Object, identityFactory, iothubHostName, httpProxiedCertificateExtractor);
HttpAuthResult result = await httpRequestAuthenticator.AuthenticateAsync(deviceId, Option.Some(moduleId), Option.None <string>(), httpContext);
Assert.False(result.Authenticated);
Assert.Equal("Invalid authorization header count", result.ErrorMessage);
}
public async Task InvalidAuthenticateRequestTest_TokenExpired()
{
string iothubHostName = "TestHub.azure-devices.net";
string deviceId = "device_2";
string moduleId = "module_1";
var httpContext = new DefaultHttpContext();
string sasToken = TokenHelper.CreateSasToken($"{iothubHostName}/devices/{deviceId}/modules/{moduleId}", expired: true);
httpContext.Request.Headers.Add(HeaderNames.Authorization, new StringValues(sasToken));
httpContext.Request.QueryString = new QueryString("?api-version=2017-10-20");
var authenticator = new Mock <IAuthenticator>();
authenticator.Setup(a => a.AuthenticateAsync(It.IsAny <IClientCredentials>())).ReturnsAsync(true);
var identityFactory = new ClientCredentialsFactory(new IdentityProvider(iothubHostName));
var httpRequestAuthenticator = new HttpRequestAuthenticator(authenticator.Object, identityFactory, iothubHostName);
HttpAuthResult result = await httpRequestAuthenticator.AuthenticateAsync(deviceId, Option.Some(moduleId), httpContext);
Assert.False(result.Authenticated);
Assert.Equal("Cannot parse SharedAccessSignature because of the following error - The specified SAS token is expired", result.ErrorMessage);
}