public async Task CustomHandlersAuthenticateRunsClaimsTransformationEveryTime()
{
var transform = new RunOnce();
var services = new ServiceCollection().AddOptions().AddAuthenticationCore(o =>
{
o.AddScheme <BaseHandler>("base", "whatever");
})
.AddSingleton <IClaimsTransformation>(transform)
.BuildServiceProvider();
var context = new DefaultHttpContext();
context.RequestServices = services;
// Because base handler returns a different principal per call, its run multiple times
await context.AuthenticateAsync("base");
Assert.Equal(1, transform.Ran);
await context.AuthenticateAsync("base");
Assert.Equal(2, transform.Ran);
await context.AuthenticateAsync("base");
Assert.Equal(3, transform.Ran);
}
public async Task NullForwardSelectorUsesDefault()
{
var services = new ServiceCollection().AddLogging();
services.AddAuthentication(o =>
{
o.DefaultScheme = MicrosoftAccountDefaults.AuthenticationScheme;
o.AddScheme <TestHandler2>("auth1", "auth1");
o.AddScheme <TestHandler3>("selector", "selector");
o.AddScheme <TestHandler>("specific", "specific");
})
.AddMicrosoftAccount(o =>
{
ConfigureDefaults(o);
o.ForwardDefault = "auth1";
o.ForwardDefaultSelector = _ => null;
});
var specific = new TestHandler();
services.AddSingleton(specific);
var forwardDefault = new TestHandler2();
services.AddSingleton(forwardDefault);
var selector = new TestHandler3();
services.AddSingleton(selector);
var sp = services.BuildServiceProvider();
var context = new DefaultHttpContext();
context.RequestServices = sp;
await context.AuthenticateAsync();
Assert.Equal(1, forwardDefault.AuthenticateCount);
await context.ForbidAsync();
Assert.Equal(1, forwardDefault.ForbidCount);
await context.ChallengeAsync();
Assert.Equal(1, forwardDefault.ChallengeCount);
await Assert.ThrowsAsync <InvalidOperationException>(() => context.SignOutAsync());
await Assert.ThrowsAsync <InvalidOperationException>(() => context.SignInAsync(new ClaimsPrincipal()));
Assert.Equal(0, selector.AuthenticateCount);
Assert.Equal(0, selector.ForbidCount);
Assert.Equal(0, selector.ChallengeCount);
Assert.Equal(0, selector.SignInCount);
Assert.Equal(0, selector.SignOutCount);
Assert.Equal(0, specific.AuthenticateCount);
Assert.Equal(0, specific.ForbidCount);
Assert.Equal(0, specific.ChallengeCount);
Assert.Equal(0, specific.SignInCount);
Assert.Equal(0, specific.SignOutCount);
}
public async Task AuthenticateThrowsForSchemeMismatch()
{
var services = new ServiceCollection().AddOptions().AddAuthenticationCore(o =>
{
o.AddScheme <BaseHandler>("base", "whatever");
}).BuildServiceProvider();
var context = new DefaultHttpContext();
context.RequestServices = services;
await context.AuthenticateAsync("base");
var ex = await Assert.ThrowsAsync <InvalidOperationException>(() => context.AuthenticateAsync("missing"));
Assert.Contains("base", ex.Message);
}
public static DefaultHttpContext GetHttpContextAuthenticated
(
string authenticationType,
List <Claim> claims
)
{
var context = new DefaultHttpContext
{
User = new ClaimsPrincipal(new ClaimsIdentity(claims, authenticationType))
};
var services = new ServiceCollection();
services.AddAuthentication(authenticationType);
var application = new ApplicationBuilder(services.BuildServiceProvider());
application.Use(async(context, next) =>
{
await context.AuthenticateAsync(authenticationType).ConfigureAwait(false);
await next().ConfigureAwait(false);
});
return(context);
}
public async Task AuthenticateAsync_WithToken_PerformsAuthentication_Using_ContainerEncryptionKey_If_WebSiteAuthEncryptionKey_Not_Available()
{
var containerEncryptionKeyBytes = TestHelpers.GenerateKeyBytes();
var vars = new Dictionary <string, string>
{
{ EnvironmentSettingNames.WebSiteAuthEncryptionKey, string.Empty },
{ EnvironmentSettingNames.ContainerEncryptionKey, TestHelpers.GenerateKeyHexString(containerEncryptionKeyBytes) }
};
using (var env = new TestScopedEnvironmentVariable(vars))
{
// Arrange
DefaultHttpContext context = GetContext();
string token = SimpleWebTokenHelper.CreateToken(DateTime.UtcNow.AddMinutes(2), containerEncryptionKeyBytes);
context.Request.Headers.Add(ArmAuthenticationHandler.ArmTokenHeaderName, token);
// Act
AuthenticateResult result = await context.AuthenticateAsync();
// Assert
Assert.True(result.Succeeded);
Assert.True(result.Principal.Identity.IsAuthenticated);
Assert.True(result.Principal.HasClaim(SecurityConstants.AuthLevelClaimType, AuthorizationLevel.Admin.ToString()));
}
}
public async Task ForwardAuthenticateOnlyRunsTransformOnceByDefault()
{
var services = new ServiceCollection().AddLogging();
var transform = new RunOnce();
var builder = services.AddSingleton <IClaimsTransformation>(transform).AddAuthentication(o =>
{
o.DefaultScheme = DefaultScheme;
o.AddScheme <TestHandler2>("auth1", "auth1");
o.AddScheme <TestHandler>("specific", "specific");
});
RegisterAuth(builder, o =>
{
o.ForwardDefault = "auth1";
o.ForwardAuthenticate = "specific";
});
var specific = new TestHandler();
services.AddSingleton(specific);
var forwardDefault = new TestHandler2();
services.AddSingleton(forwardDefault);
var sp = services.BuildServiceProvider();
var context = new DefaultHttpContext();
context.RequestServices = sp;
await context.AuthenticateAsync();
Assert.Equal(1, transform.Ran);
}
public async Task VirtualSchemeTargetsForwardWithDefaultTarget()
{
var services = new ServiceCollection().AddOptions().AddLogging();
services.AddAuthentication(o =>
{
o.AddScheme <TestHandler>("auth1", "auth1");
o.AddScheme <TestHandler2>("auth2", "auth2");
})
.AddPolicyScheme("forward", "forward", p => p.ForwardDefault = "auth1");
var handler1 = new TestHandler();
services.AddSingleton(handler1);
var handler2 = new TestHandler2();
services.AddSingleton(handler2);
var sp = services.BuildServiceProvider();
var context = new DefaultHttpContext();
context.RequestServices = sp;
Assert.Equal(0, handler1.AuthenticateCount);
Assert.Equal(0, handler1.ForbidCount);
Assert.Equal(0, handler1.ChallengeCount);
Assert.Equal(0, handler1.SignInCount);
Assert.Equal(0, handler1.SignOutCount);
Assert.Equal(0, handler2.AuthenticateCount);
Assert.Equal(0, handler2.ForbidCount);
Assert.Equal(0, handler2.ChallengeCount);
Assert.Equal(0, handler2.SignInCount);
Assert.Equal(0, handler2.SignOutCount);
await context.AuthenticateAsync("forward");
Assert.Equal(1, handler1.AuthenticateCount);
Assert.Equal(0, handler2.AuthenticateCount);
await context.ForbidAsync("forward");
Assert.Equal(1, handler1.ForbidCount);
Assert.Equal(0, handler2.ForbidCount);
await context.ChallengeAsync("forward");
Assert.Equal(1, handler1.ChallengeCount);
Assert.Equal(0, handler2.ChallengeCount);
await context.SignOutAsync("forward");
Assert.Equal(1, handler1.SignOutCount);
Assert.Equal(0, handler2.SignOutCount);
await context.SignInAsync("forward", new ClaimsPrincipal());
Assert.Equal(1, handler1.SignInCount);
Assert.Equal(0, handler2.SignInCount);
}
public async Task AuthenticateAsync_WithoutToken_DoesNotAuthenticate()
{
// Arrange
DefaultHttpContext context = GetContext();
// Act
AuthenticateResult result = await context.AuthenticateAsync();
// Assert
Assert.True(result.None);
Assert.Null(result.Failure);
Assert.Null(result.Principal);
}
public async Task CanForwardDefault()
{
var services = new ServiceCollection().AddLogging();
services.AddAuthentication(o =>
{
o.DefaultScheme = OpenIdConnectDefaults.AuthenticationScheme;
o.AddScheme <TestHandler>("auth1", "auth1");
})
.AddOpenIdConnect(o =>
{
ConfigureDefaults(o);
o.ForwardDefault = "auth1";
});
var forwardDefault = new TestHandler();
services.AddSingleton(forwardDefault);
var sp = services.BuildServiceProvider();
var context = new DefaultHttpContext();
context.RequestServices = sp;
Assert.Equal(0, forwardDefault.AuthenticateCount);
Assert.Equal(0, forwardDefault.ForbidCount);
Assert.Equal(0, forwardDefault.ChallengeCount);
Assert.Equal(0, forwardDefault.SignInCount);
Assert.Equal(0, forwardDefault.SignOutCount);
await context.AuthenticateAsync();
Assert.Equal(1, forwardDefault.AuthenticateCount);
await context.ForbidAsync();
Assert.Equal(1, forwardDefault.ForbidCount);
await context.ChallengeAsync();
Assert.Equal(1, forwardDefault.ChallengeCount);
await context.SignOutAsync();
Assert.Equal(1, forwardDefault.SignOutCount);
await Assert.ThrowsAsync <InvalidOperationException>(() => context.SignInAsync(new ClaimsPrincipal()));
}
public async Task AuthenticateAsync_WithExpiredToken_FailsAuthentication()
{
using (new TestScopedEnvironmentVariable(EnvironmentSettingNames.WebSiteAuthEncryptionKey, TestHelpers.GenerateKeyHexString()))
{
DefaultHttpContext context = GetContext();
string token = SimpleWebTokenHelper.CreateToken(DateTime.UtcNow.AddMinutes(-20));
context.Request.Headers.Add(ArmAuthenticationHandler.ArmTokenHeaderName, token);
// Act
AuthenticateResult result = await context.AuthenticateAsync();
// Assert
Assert.False(result.Succeeded);
Assert.NotNull(result.Failure);
Assert.Null(result.Principal);
}
}
public async Task ForwardAuthenticateWinsOverDefault()
{
var services = new ServiceCollection().AddLogging();
services.AddAuthentication(o =>
{
o.DefaultScheme = "default";
o.DefaultSignInScheme = "auth1";
o.AddScheme <TestHandler2>("auth1", "auth1");
o.AddScheme <TestHandler>("specific", "specific");
})
.AddOAuth("default", o =>
{
ConfigureDefaults(o);
o.ForwardDefault = "auth1";
o.ForwardAuthenticate = "specific";
});
var specific = new TestHandler();
services.AddSingleton(specific);
var forwardDefault = new TestHandler2();
services.AddSingleton(forwardDefault);
var sp = services.BuildServiceProvider();
var context = new DefaultHttpContext();
context.RequestServices = sp;
await context.AuthenticateAsync();
Assert.Equal(0, specific.SignOutCount);
Assert.Equal(1, specific.AuthenticateCount);
Assert.Equal(0, specific.ForbidCount);
Assert.Equal(0, specific.ChallengeCount);
Assert.Equal(0, specific.SignInCount);
Assert.Equal(0, forwardDefault.AuthenticateCount);
Assert.Equal(0, forwardDefault.ForbidCount);
Assert.Equal(0, forwardDefault.ChallengeCount);
Assert.Equal(0, forwardDefault.SignInCount);
Assert.Equal(0, forwardDefault.SignOutCount);
}
public async Task AuthenticateAsync_WithToken_PerformsAuthentication()
{
using (new TestScopedEnvironmentVariable(EnvironmentSettingNames.WebSiteAuthEncryptionKey, TestHelpers.GenerateKeyHexString()))
{
// Arrange
DefaultHttpContext context = GetContext();
string token = SimpleWebTokenHelper.CreateToken(DateTime.UtcNow.AddMinutes(2));
context.Request.Headers.Add(ArmAuthenticationHandler.ArmTokenHeaderName, token);
// Act
AuthenticateResult result = await context.AuthenticateAsync();
// Assert
Assert.True(result.Succeeded);
Assert.True(result.Principal.Identity.IsAuthenticated);
Assert.True(result.Principal.HasClaim(SecurityConstants.AuthLevelClaimType, AuthorizationLevel.Admin.ToString()));
}
}
public async Task AuthenticateAsync_WithInvalidToken_FailsAuthentication()
{
using (new TestScopedEnvironmentVariable(EnvironmentSettingNames.WebSiteAuthEncryptionKey, TestHelpers.GenerateKeyHexString()))
{
// Arrange
DefaultHttpContext context = GetContext();
string token = SimpleWebTokenHelper.CreateToken(DateTime.UtcNow.AddMinutes(2));
token = token.Substring(0, token.Length - 5);
context.Request.Headers.Add(ScriptConstants.SiteTokenHeaderName, token);
// Act
AuthenticateResult result = await context.AuthenticateAsync();
// Assert
Assert.False(result.Succeeded);
Assert.NotNull(result.Failure);
Assert.Null(result.Principal);
}
}
public async Task ServicesWithDefaultIAuthenticationHandlerMethodsTest()
{
var services = new ServiceCollection().AddOptions().AddAuthenticationCore(o =>
{
o.AddScheme <BaseHandler>("base", "whatever");
o.DefaultScheme = "base";
}).BuildServiceProvider();
var context = new DefaultHttpContext();
context.RequestServices = services;
await context.AuthenticateAsync();
await context.ChallengeAsync();
await context.ForbidAsync();
await Assert.ThrowsAsync <InvalidOperationException>(() => context.SignOutAsync());
await Assert.ThrowsAsync <InvalidOperationException>(() => context.SignInAsync(new ClaimsPrincipal()));
}
public async Task ServicesWithDefaultSignInMethodsTest()
{
var services = new ServiceCollection().AddOptions().AddAuthenticationCore(o =>
{
o.AddScheme <SignInHandler>("base", "whatever");
o.DefaultScheme = "base";
}).BuildServiceProvider();
var context = new DefaultHttpContext();
context.RequestServices = services;
await context.AuthenticateAsync();
await context.ChallengeAsync();
await context.ForbidAsync();
await context.SignOutAsync();
await context.SignInAsync(new ClaimsPrincipal(new ClaimsIdentity("whatever")));
}
public async Task ForwardSchemeOverridesSchemeFromConfig()
{
// Arrange
var defaultSchemeFromConfig = "DefaultSchemeFromConfig";
var defaultSchemeFromForward = "DefaultSchemeFromForward";
var services = new ServiceCollection().AddLogging();
var config = new ConfigurationBuilder().AddInMemoryCollection(new[]
{
new KeyValuePair <string, string>("Authentication:DefaultScheme", defaultSchemeFromConfig)
}).Build();
services.AddSingleton <IConfiguration>(config);
// Act
var builder = services.AddAuthentication(o =>
{
o.AddScheme <TestHandler>(defaultSchemeFromForward, defaultSchemeFromForward);
});
builder.AddJwtBearer(defaultSchemeFromConfig, o => o.ForwardAuthenticate = defaultSchemeFromForward);
var forwardAuthentication = new TestHandler();
services.AddSingleton(forwardAuthentication);
var sp = services.BuildServiceProvider();
var context = new DefaultHttpContext();
context.RequestServices = sp;
// Assert
Assert.Equal(0, forwardAuthentication.AuthenticateCount);
await context.AuthenticateAsync();
Assert.Equal(1, forwardAuthentication.AuthenticateCount);
var schemeProvider = sp.GetRequiredService <IAuthenticationSchemeProvider>();
var defaultSchemeFromServices = await schemeProvider.GetDefaultAuthenticateSchemeAsync();
Assert.Equal(defaultSchemeFromConfig, defaultSchemeFromServices.Name);
}
public async Task SpecificTargetAlwaysWinsOverDefaultTarget()
{
var services = new ServiceCollection().AddOptions().AddLogging();
services.AddAuthentication(o =>
{
o.AddScheme <TestHandler>("auth1", "auth1");
o.AddScheme <TestHandler2>("auth2", "auth2");
})
.AddPolicyScheme("forward", "forward", p => {
p.ForwardDefault = "auth2";
p.ForwardDefaultSelector = ctx => "auth2";
p.ForwardAuthenticate = "auth1";
p.ForwardSignIn = "auth1";
p.ForwardSignOut = "auth1";
p.ForwardForbid = "auth1";
p.ForwardChallenge = "auth1";
});
var handler1 = new TestHandler();
services.AddSingleton(handler1);
var handler2 = new TestHandler2();
services.AddSingleton(handler2);
var sp = services.BuildServiceProvider();
var context = new DefaultHttpContext();
context.RequestServices = sp;
Assert.Equal(0, handler1.AuthenticateCount);
Assert.Equal(0, handler1.ForbidCount);
Assert.Equal(0, handler1.ChallengeCount);
Assert.Equal(0, handler1.SignInCount);
Assert.Equal(0, handler1.SignOutCount);
Assert.Equal(0, handler2.AuthenticateCount);
Assert.Equal(0, handler2.ForbidCount);
Assert.Equal(0, handler2.ChallengeCount);
Assert.Equal(0, handler2.SignInCount);
Assert.Equal(0, handler2.SignOutCount);
await context.AuthenticateAsync("forward");
Assert.Equal(1, handler1.AuthenticateCount);
Assert.Equal(0, handler2.AuthenticateCount);
await context.ForbidAsync("forward");
Assert.Equal(1, handler1.ForbidCount);
Assert.Equal(0, handler2.ForbidCount);
await context.ChallengeAsync("forward");
Assert.Equal(1, handler1.ChallengeCount);
Assert.Equal(0, handler2.ChallengeCount);
await context.SignOutAsync("forward");
Assert.Equal(1, handler1.SignOutCount);
Assert.Equal(0, handler2.SignOutCount);
await context.SignInAsync("forward", new ClaimsPrincipal(new ClaimsIdentity("whatever")));
Assert.Equal(1, handler1.SignInCount);
Assert.Equal(0, handler2.SignInCount);
}
public async Task SpecificForwardWinsOverSelectorAndDefault()
{
var services = new ServiceCollection().AddLogging();
var builder = services.AddAuthentication(o =>
{
o.DefaultScheme = DefaultScheme;
o.AddScheme <TestHandler2>("auth1", "auth1");
o.AddScheme <TestHandler3>("selector", "selector");
o.AddScheme <TestHandler>("specific", "specific");
});
RegisterAuth(builder, o =>
{
o.ForwardDefault = "auth1";
o.ForwardDefaultSelector = _ => "selector";
o.ForwardAuthenticate = "specific";
o.ForwardChallenge = "specific";
o.ForwardSignIn = "specific";
o.ForwardSignOut = "specific";
o.ForwardForbid = "specific";
});
var specific = new TestHandler();
services.AddSingleton(specific);
var forwardDefault = new TestHandler2();
services.AddSingleton(forwardDefault);
var selector = new TestHandler3();
services.AddSingleton(selector);
var sp = services.BuildServiceProvider();
var context = new DefaultHttpContext();
context.RequestServices = sp;
await context.AuthenticateAsync();
Assert.Equal(1, specific.AuthenticateCount);
await context.ForbidAsync();
Assert.Equal(1, specific.ForbidCount);
await context.ChallengeAsync();
Assert.Equal(1, specific.ChallengeCount);
if (SupportsSignOut)
{
await context.SignOutAsync();
Assert.Equal(1, specific.SignOutCount);
}
else
{
await Assert.ThrowsAsync <InvalidOperationException>(() => context.SignOutAsync());
}
if (SupportsSignIn)
{
await context.SignInAsync(new ClaimsPrincipal(new ClaimsIdentity("whatever")));
Assert.Equal(1, specific.SignInCount);
}
else
{
await Assert.ThrowsAsync <InvalidOperationException>(() => context.SignInAsync(new ClaimsPrincipal()));
}
Assert.Equal(0, forwardDefault.AuthenticateCount);
Assert.Equal(0, forwardDefault.ForbidCount);
Assert.Equal(0, forwardDefault.ChallengeCount);
Assert.Equal(0, forwardDefault.SignInCount);
Assert.Equal(0, forwardDefault.SignOutCount);
Assert.Equal(0, selector.AuthenticateCount);
Assert.Equal(0, selector.ForbidCount);
Assert.Equal(0, selector.ChallengeCount);
Assert.Equal(0, selector.SignInCount);
Assert.Equal(0, selector.SignOutCount);
}
public async Task CanForwardDefault()
{
var services = new ServiceCollection().AddLogging();
var builder = services.AddAuthentication(o =>
{
o.DefaultScheme = DefaultScheme;
o.AddScheme <TestHandler>("auth1", "auth1");
});
RegisterAuth(builder, o => o.ForwardDefault = "auth1");
var forwardDefault = new TestHandler();
services.AddSingleton(forwardDefault);
var sp = services.BuildServiceProvider();
var context = new DefaultHttpContext();
context.RequestServices = sp;
Assert.Equal(0, forwardDefault.AuthenticateCount);
Assert.Equal(0, forwardDefault.ForbidCount);
Assert.Equal(0, forwardDefault.ChallengeCount);
Assert.Equal(0, forwardDefault.SignInCount);
Assert.Equal(0, forwardDefault.SignOutCount);
await context.AuthenticateAsync();
Assert.Equal(1, forwardDefault.AuthenticateCount);
await context.ForbidAsync();
Assert.Equal(1, forwardDefault.ForbidCount);
await context.ChallengeAsync();
Assert.Equal(1, forwardDefault.ChallengeCount);
if (SupportsSignOut)
{
await context.SignOutAsync();
Assert.Equal(1, forwardDefault.SignOutCount);
}
else
{
await Assert.ThrowsAsync <InvalidOperationException>(() => context.SignOutAsync());
}
if (SupportsSignIn)
{
await context.SignInAsync(new ClaimsPrincipal(new ClaimsIdentity("whatever")));
Assert.Equal(1, forwardDefault.SignInCount);
}
else
{
await Assert.ThrowsAsync <InvalidOperationException>(() => context.SignInAsync(new ClaimsPrincipal()));
}
}