public async Task OnValidateIdentityRejectsWhenValidateSecurityStampFails()
{
var user = new TestUser("test");
var userManager = MockHelpers.MockUserManager<TestUser>();
var claimsManager = new Mock<IUserClaimsPrincipalFactory<TestUser>>();
var identityOptions = new IdentityOptions { SecurityStampValidationInterval = TimeSpan.Zero };
var options = new Mock<IOptions<IdentityOptions>>();
options.Setup(a => a.Options).Returns(identityOptions);
var httpContext = new Mock<HttpContext>();
var contextAccessor = new Mock<IHttpContextAccessor>();
contextAccessor.Setup(a => a.HttpContext).Returns(httpContext.Object);
var signInManager = new Mock<SignInManager<TestUser>>(userManager.Object,
contextAccessor.Object, claimsManager.Object, options.Object, null);
signInManager.Setup(s => s.ValidateSecurityStampAsync(It.IsAny<ClaimsPrincipal>(), user.Id)).ReturnsAsync(null).Verifiable();
var services = new ServiceCollection();
services.AddInstance(options.Object);
services.AddInstance(signInManager.Object);
services.AddInstance<ISecurityStampValidator>(new SecurityStampValidator<TestUser>());
httpContext.Setup(c => c.RequestServices).Returns(services.BuildServiceProvider());
var id = new ClaimsIdentity(IdentityOptions.ApplicationCookieAuthenticationScheme);
id.AddClaim(new Claim(ClaimTypes.NameIdentifier, user.Id));
var ticket = new AuthenticationTicket(new ClaimsPrincipal(id),
new AuthenticationProperties { IssuedUtc = DateTimeOffset.UtcNow },
IdentityOptions.ApplicationCookieAuthenticationScheme);
var context = new CookieValidatePrincipalContext(httpContext.Object, ticket, new CookieAuthenticationOptions());
Assert.NotNull(context.Properties);
Assert.NotNull(context.Options);
Assert.NotNull(context.Principal);
await SecurityStampValidator.ValidatePrincipalAsync(context);
Assert.Null(context.Principal);
signInManager.VerifyAll();
}
public async Task OnValidatePrincipalThrowsWithEmptyServiceCollection()
{
var scheme = new IdentityOptions().Cookies.ApplicationCookieAuthenticationScheme;
var httpContext = new Mock<HttpContext>();
httpContext.Setup(c => c.RequestServices).Returns(new ServiceCollection().BuildServiceProvider());
var id = new ClaimsPrincipal(new ClaimsIdentity(scheme));
var ticket = new AuthenticationTicket(id, new AuthenticationProperties { IssuedUtc = DateTimeOffset.UtcNow }, scheme);
var context = new CookieValidatePrincipalContext(httpContext.Object, ticket, new CookieAuthenticationOptions());
var ex = await Assert.ThrowsAsync<InvalidOperationException>(() => SecurityStampValidator.ValidatePrincipalAsync(context));
Assert.True(ex.Message.Contains("No service for type 'Microsoft.Extensions.OptionsModel.IOptions"));
}
public async Task CreateIdentityNullChecks()
{
var userManager = MockHelpers.MockUserManager<TestUser>().Object;
var roleManager = MockHelpers.MockRoleManager<TestRole>().Object;
var options = new Mock<IOptions<IdentityOptions>>();
Assert.Throws<ArgumentNullException>("optionsAccessor",
() => new UserClaimsPrincipalFactory<TestUser, TestRole>(userManager, roleManager, options.Object));
var identityOptions = new IdentityOptions();
options.Setup(a => a.Options).Returns(identityOptions);
var factory = new UserClaimsPrincipalFactory<TestUser, TestRole>(userManager, roleManager, options.Object);
await Assert.ThrowsAsync<ArgumentNullException>("user",
async () => await factory.CreateAsync(null));
}
public JwtTokenResult RefreshAccessToken(
string accessToken,
string refreshToken,
IEnumerable <string> customClaimsType)
{
var result = ValidateRefreshToken(refreshToken);
if (result.result != JwtTokenResult.TokenResult.Ok)
{
return(new JwtTokenResult(result.result));
}
Claim[] accessClaims = null;
try
{
accessClaims = new JwtSecurityTokenHandler()
.ReadJwtToken(accessToken)
.Claims.ToArray();
}
catch
{
return(JwtTokenResult.AccessInvalid());
}
var identityOptions = new IdentityOptions();
var refreshId = result.claims
.FirstOrDefault(x => x.Type
.Equals(JwtRegisteredClaimNames.Sub))
.Value;
var accessId = accessClaims
.FirstOrDefault(x => x.Type
.Equals(JwtRegisteredClaimNames.Sub))
.Value;
if (!refreshId.Equals(accessId))
{
return(JwtTokenResult.Mismatch());
}
var refreshJti = result.claims
.FirstOrDefault(x => x.Type
.Equals(JwtRegisteredClaimNames.Jti))
.Value;
var accessName = accessClaims
.FirstOrDefault(x => x.Type
.Equals(identityOptions.ClaimsIdentity.UserNameClaimType))
.Value;
var roles = accessClaims
.Where(x => x.Type
.Equals(ClaimTypes.Role));
List <Claim> claims = null;
if (customClaimsType != null)
{
var customClaims = accessClaims
.Where(claim => customClaimsType.Contains(claim.Type))
.ToArray();
if (customClaims != null && customClaims.Length > 0)
{
claims = GetAccessClaims(accessId, accessName, roles, customClaims);
}
else
{
claims = GetAccessClaims(accessId, accessName, roles);
}
}
else
{
claims = GetAccessClaims(accessId, accessName, roles);
}
var newAccessToken = CreateAccessToken(claims);
if (result.update)
{
var newRefreshToken = GetRefreshToken(accessId, accessName);
return(JwtTokenResult.Ok(new TokenModel
(
newAccessToken,
newRefreshToken
),
accessId,
accessClaims));
}
return(JwtTokenResult.Ok(
new TokenModel(newAccessToken, (null, default, refreshJti)),
public ExampleUserPrincipalFactory(IOptions <IdentityOptions> optionsAccessor)
{
_options = optionsAccessor?.Value ?? new IdentityOptions();
}
public (Mock <SignInManager <User> >, Mock <UserManager <User> >, Mock <IEmailConfirmation>, AuthService) CreateAuthService()
{
Mock <IUserPasswordStore <User> > userPasswordStore = new Mock <IUserPasswordStore <User> >();
userPasswordStore.Setup(s => s.CreateAsync(It.IsAny <User>(), It.IsAny <CancellationToken>()))
.Returns(Task.FromResult(IdentityResult.Success));
var options = new Mock <IOptions <IdentityOptions> >();
var idOptions = new IdentityOptions();
idOptions.SignIn.RequireConfirmedEmail = true;
idOptions.Password.RequireDigit = true;
idOptions.Password.RequiredLength = 8;
idOptions.Password.RequireUppercase = false;
idOptions.User.RequireUniqueEmail = true;
idOptions.Password.RequireNonAlphanumeric = false;
idOptions.Lockout.MaxFailedAccessAttempts = 5;
idOptions.Lockout.DefaultLockoutTimeSpan = TimeSpan.FromMinutes(15);
options.Setup(o => o.Value).Returns(idOptions);
var userValidators = new List <IUserValidator <User> >();
UserValidator <User> validator = new UserValidator <User>();
userValidators.Add(validator);
var passValidator = new PasswordValidator <User>();
var pwdValidators = new List <IPasswordValidator <User> >();
pwdValidators.Add(passValidator);
var userStore = new Mock <IUserStore <User> >();
userStore.Setup(s => s.CreateAsync(It.IsAny <User>(), It.IsAny <CancellationToken>()))
.Returns(Task.FromResult(IdentityResult.Success));
var mockUserManager = new Mock <UserManager <User> >(userStore.Object,
options.Object, new PasswordHasher <User>(),
userValidators, pwdValidators, new UpperInvariantLookupNormalizer(),
new IdentityErrorDescriber(), null,
new Mock <ILogger <UserManager <User> > >().Object);
mockUserManager
.Setup(s => s.CreateAsync(It.IsAny <User>(), It.IsAny <string>()))
.Returns(Task.FromResult(IdentityResult.Success));
var _contextAccessor = new Mock <IHttpContextAccessor>();
var _userPrincipalFactory = new Mock <IUserClaimsPrincipalFactory <User> >();
var mockSignInManager = new Mock <SignInManager <User> >(mockUserManager.Object,
_contextAccessor.Object, _userPrincipalFactory.Object, null, null, null, null);
Mock <IRepositoryWrapper> mockRepositoryWrapper = new Mock <IRepositoryWrapper>();
Mock <IEmailConfirmation> mockEmailConfirmation = new Mock <IEmailConfirmation>();
Mock <IMapper> mockMapper = new Mock <IMapper>();
mockMapper
.Setup(s => s.Map <UserDTO, User>(It.IsAny <UserDTO>()))
.Returns(GetTestUserWithEmailsSendedTime());
AuthService AuthService = new AuthService(mockUserManager.Object, mockSignInManager.Object,
mockEmailConfirmation.Object, mockMapper.Object, null, null);
return(mockSignInManager, mockUserManager, mockEmailConfirmation, AuthService);
}
public async Task PasswordSignInReturnsLockedOutWhenLockedOut()
{
// Setup
var user = new TestUser { UserName = "******" };
var manager = SetupUserManager(user);
manager.Setup(m => m.SupportsUserLockout).Returns(true).Verifiable();
manager.Setup(m => m.IsLockedOutAsync(user)).ReturnsAsync(true).Verifiable();
var context = new Mock<HttpContext>();
var contextAccessor = new Mock<IHttpContextAccessor>();
contextAccessor.Setup(a => a.HttpContext).Returns(context.Object);
var roleManager = MockHelpers.MockRoleManager<TestRole>();
var identityOptions = new IdentityOptions();
var options = new Mock<IOptions<IdentityOptions>>();
options.Setup(a => a.Value).Returns(identityOptions);
var claimsFactory = new UserClaimsPrincipalFactory<TestUser, TestRole>(manager.Object, roleManager.Object, options.Object);
var logStore = new StringBuilder();
var logger = MockHelpers.MockILogger<SignInManager<TestUser>>(logStore);
var helper = new SignInManager<TestUser>(manager.Object, contextAccessor.Object, claimsFactory, options.Object, logger.Object);
// Act
var result = await helper.PasswordSignInAsync(user.UserName, "bogus", false, false);
// Assert
Assert.False(result.Succeeded);
Assert.True(result.IsLockedOut);
Assert.True(logStore.ToString().Contains($"User {user.Id} is currently locked out."));
manager.Verify();
}
public void DefaultValueCookieHttpOnlyProperty_EqualsTrue()
{
var options = new IdentityOptions();
Assert.True(options.Cookie.Cookie.HttpOnly);
}
public async Task CanTwoFactorSignIn(bool isPersistent, bool supportsLockout, bool externalLogin, bool rememberClient)
{
// Setup
var user = new TestUser { UserName = "******" };
var manager = SetupUserManager(user);
var provider = "twofactorprovider";
var code = "123456";
manager.Setup(m => m.SupportsUserLockout).Returns(supportsLockout).Verifiable();
if (supportsLockout)
{
manager.Setup(m => m.IsLockedOutAsync(user)).ReturnsAsync(false).Verifiable();
manager.Setup(m => m.ResetAccessFailedCountAsync(user)).ReturnsAsync(IdentityResult.Success).Verifiable();
}
manager.Setup(m => m.VerifyTwoFactorTokenAsync(user, provider, code)).ReturnsAsync(true).Verifiable();
var context = new Mock<HttpContext>();
var response = new Mock<HttpResponse>();
var contextAccessor = new Mock<IHttpContextAccessor>();
var twoFactorInfo = new SignInManager<TestUser>.TwoFactorAuthenticationInfo { UserId = user.Id };
var loginProvider = "loginprovider";
var id = SignInManager<TestUser>.StoreTwoFactorInfo(user.Id, externalLogin ? loginProvider : null);
var authResult = new AuthenticationResult(id, new AuthenticationProperties(), new AuthenticationDescription());
var roleManager = MockHelpers.MockRoleManager<TestRole>();
var identityOptions = new IdentityOptions();
var options = new Mock<IOptions<IdentityOptions>>();
options.Setup(a => a.Options).Returns(identityOptions);
var claimsFactory = new UserClaimsPrincipalFactory<TestUser, TestRole>(manager.Object, roleManager.Object, options.Object);
if (externalLogin)
{
response.Setup(r => r.SignIn(
IdentityOptions.ApplicationCookieAuthenticationScheme,
It.Is<ClaimsPrincipal>(i => i.FindFirstValue(ClaimTypes.AuthenticationMethod) == loginProvider
&& i.FindFirstValue(ClaimTypes.NameIdentifier) == user.Id),
It.Is<AuthenticationProperties>(v => v.IsPersistent == isPersistent))).Verifiable();
response.Setup(r => r.SignOut(IdentityOptions.ExternalCookieAuthenticationScheme)).Verifiable();
}
else
{
SetupSignIn(response, user.Id);
}
if (rememberClient)
{
response.Setup(r => r.SignIn(
IdentityOptions.TwoFactorRememberMeCookieAuthenticationScheme,
It.Is<ClaimsPrincipal>(i => i.FindFirstValue(ClaimTypes.Name) == user.Id
&& i.Identities.First().AuthenticationType == IdentityOptions.TwoFactorRememberMeCookieAuthenticationType),
It.Is<AuthenticationProperties>(v => v.IsPersistent == true))).Verifiable();
}
context.Setup(c => c.Response).Returns(response.Object).Verifiable();
context.Setup(c => c.AuthenticateAsync(IdentityOptions.TwoFactorUserIdCookieAuthenticationScheme)).ReturnsAsync(authResult).Verifiable();
contextAccessor.Setup(a => a.HttpContext).Returns(context.Object);
var logStore = new StringBuilder();
var logger = MockHelpers.MockILogger<SignInManager<TestUser>>(logStore);
var helper = new SignInManager<TestUser>(manager.Object, contextAccessor.Object, claimsFactory, options.Object, null);
helper.Logger = logger.Object;
string expectedScope = string.Format("{0} for {1}: {2}", "TwoFactorSignInAsync", "user", user.Id);
string expectedLog = string.Format("{0} : {1}", "TwoFactorSignInAsync", "Succeeded");
// Act
var result = await helper.TwoFactorSignInAsync(provider, code, isPersistent, rememberClient);
// Assert
Assert.True(result.Succeeded);
Assert.NotEqual(-1, logStore.ToString().IndexOf(expectedLog));
Assert.NotEqual(-1, logStore.ToString().IndexOf(expectedScope));
manager.Verify();
context.Verify();
response.Verify();
contextAccessor.Verify();
}
public async Task PasswordSignInFailsWithWrongPassword()
{
// Setup
var user = new TestUser { UserName = "******" };
var manager = SetupUserManager(user);
manager.Setup(m => m.SupportsUserLockout).Returns(true).Verifiable();
manager.Setup(m => m.IsLockedOutAsync(user)).ReturnsAsync(false).Verifiable();
manager.Setup(m => m.CheckPasswordAsync(user, "bogus")).ReturnsAsync(false).Verifiable();
var context = new Mock<HttpContext>();
var contextAccessor = new Mock<IHttpContextAccessor>();
contextAccessor.Setup(a => a.HttpContext).Returns(context.Object);
var roleManager = MockHelpers.MockRoleManager<TestRole>();
var identityOptions = new IdentityOptions();
var options = new Mock<IOptions<IdentityOptions>>();
options.Setup(a => a.Options).Returns(identityOptions);
var claimsFactory = new Mock<UserClaimsPrincipalFactory<TestUser, TestRole>>(manager.Object, roleManager.Object, options.Object);
var logStore = new StringBuilder();
var logger = MockHelpers.MockILogger<SignInManager<TestUser>>(logStore);
var helper = new SignInManager<TestUser>(manager.Object, contextAccessor.Object, claimsFactory.Object, options.Object);
helper.Logger = logger.Object;
string expectedScope = string.Format("{0} for {1}: {2}", "PasswordSignInAsync", "user", user.Id);
string expectedLog = string.Format("{0} : {1}", "PasswordSignInAsync", "Failed");
// Act
var result = await helper.PasswordSignInAsync(user.UserName, "bogus", false, false);
// Assert
Assert.False(result.Succeeded);
Assert.NotEqual(-1, logStore.ToString().IndexOf(expectedLog));
Assert.NotEqual(-1, logStore.ToString().IndexOf(expectedScope));
manager.Verify();
context.Verify();
contextAccessor.Verify();
}
public AuthTokensService(IdentityOptions options) => _options = options;
public override void Visit(IdentityOptions node) { this.action(node); }
private static SignInManager <TestUser> SetupSignInManager(UserManager <TestUser> manager, HttpContext context, StringBuilder logStore = null, IdentityOptions identityOptions = null)
{
var contextAccessor = new Mock <IHttpContextAccessor>();
contextAccessor.Setup(a => a.HttpContext).Returns(context);
var roleManager = MockHelpers.MockRoleManager <TestRole>();
identityOptions = identityOptions ?? new IdentityOptions();
var options = new Mock <IOptions <IdentityOptions> >();
options.Setup(a => a.Value).Returns(identityOptions);
var claimsFactory = new UserClaimsPrincipalFactory <TestUser, TestRole>(manager, roleManager.Object, options.Object);
var sm = new SignInManager <TestUser>(manager, contextAccessor.Object, claimsFactory, options.Object, null, new Mock <IAuthenticationSchemeProvider>().Object);
sm.Logger = MockHelpers.MockILogger <SignInManager <TestUser> >(logStore ?? new StringBuilder()).Object;
return(sm);
}
public void Get_NotNullByDefault()
{
var options = new IdentityOptions();
Assert.NotNull(options.Claims);
}
public void DefaultValueSlidingExpirationProperty_EqualsTrue()
{
var options = new IdentityOptions();
Assert.True(options.Cookie.SlidingExpiration);
}
public void DefaultValueExpireTimeSpanProperty_Equals7Days()
{
var options = new IdentityOptions();
Assert.Equal(TimeSpan.FromDays(7), options.Cookie.ExpireTimeSpan);
}
public void DefaultValueCookieSecurePolicyProperty_EqualsAlways()
{
var options = new IdentityOptions();
Assert.Equal(CookieSecurePolicy.Always, options.Cookie.Cookie.SecurePolicy);
}
public async Task PasswordSignInRequiresVerification(bool supportsLockout)
{
// Setup
var user = new TestUser { UserName = "******" };
var manager = SetupUserManager(user);
manager.Setup(m => m.SupportsUserLockout).Returns(supportsLockout).Verifiable();
if (supportsLockout)
{
manager.Setup(m => m.IsLockedOutAsync(user)).ReturnsAsync(false).Verifiable();
}
IList<string> providers = new List<string>();
providers.Add("PhoneNumber");
manager.Setup(m => m.GetValidTwoFactorProvidersAsync(user)).Returns(Task.FromResult(providers)).Verifiable();
manager.Setup(m => m.SupportsUserTwoFactor).Returns(true).Verifiable();
manager.Setup(m => m.GetTwoFactorEnabledAsync(user)).ReturnsAsync(true).Verifiable();
manager.Setup(m => m.CheckPasswordAsync(user, "password")).ReturnsAsync(true).Verifiable();
if (supportsLockout)
{
manager.Setup(m => m.ResetAccessFailedCountAsync(user)).ReturnsAsync(IdentityResult.Success).Verifiable();
}
var context = new Mock<HttpContext>();
var response = new Mock<HttpResponse>();
response.Setup(r => r.SignIn(IdentityOptions.TwoFactorUserIdCookieAuthenticationScheme,
It.Is<ClaimsPrincipal>(id => id.FindFirstValue(ClaimTypes.Name) == user.Id),
It.IsAny<AuthenticationProperties>())).Verifiable();
context.Setup(c => c.Response).Returns(response.Object).Verifiable();
var contextAccessor = new Mock<IHttpContextAccessor>();
contextAccessor.Setup(a => a.HttpContext).Returns(context.Object);
var roleManager = MockHelpers.MockRoleManager<TestRole>();
var identityOptions = new IdentityOptions();
var options = new Mock<IOptions<IdentityOptions>>();
options.Setup(a => a.Options).Returns(identityOptions);
var logStore = new StringBuilder();
var logger = MockHelpers.MockILogger<SignInManager<TestUser>>(logStore);
var helper = new SignInManager<TestUser>(manager.Object,
contextAccessor.Object,
new UserClaimsPrincipalFactory<TestUser, TestRole>(manager.Object, roleManager.Object, options.Object),
options.Object,
null);
helper.Logger = logger.Object;
string expectedScope = string.Format("{0} for {1}: {2}", "PasswordSignInAsync", "user", user.Id);
string expectedLog = string.Format("{0} : {1}", "PasswordSignInAsync", "RequiresTwoFactor");
// Act
var result = await helper.PasswordSignInAsync(user.UserName, "password", false, false);
// Assert
Assert.False(result.Succeeded);
Assert.True(result.RequiresTwoFactor);
Assert.NotEqual(-1, logStore.ToString().IndexOf(expectedLog));
Assert.NotEqual(-1, logStore.ToString().IndexOf(expectedScope));
manager.Verify();
context.Verify();
response.Verify();
contextAccessor.Verify();
}
public override async Task <IActionResult> OnPostAsync(string action)
{
var context = await Interaction.GetAuthorizationContextAsync(ReturnUrl);
if (action == "Cancel")
{
if (context == null)
{
return(Redirect("~/"));
}
await Interaction.GrantConsentAsync(context, new ConsentResponse()
{
Error = AuthorizationError.AccessDenied
});
return(Redirect(ReturnUrl));
}
await CheckLocalLoginAsync();
ValidateModel();
await IdentityOptions.SetAsync();
ExternalProviders = await GetExternalProviders();
EnableLocalLogin = await SettingProvider.IsTrueAsync(AccountSettingNames.EnableLocalLogin);
await ReplaceEmailToUsernameOfInputIfNeeds();
var result = await SignInManager.PasswordSignInAsync(
LoginInput.UserNameOrEmailAddress,
LoginInput.Password,
LoginInput.RememberMe,
true
);
await IdentitySecurityLogManager.SaveAsync(new IdentitySecurityLogContext()
{
Identity = IdentitySecurityLogIdentityConsts.Identity,
Action = result.ToIdentitySecurityLogAction(),
UserName = LoginInput.UserNameOrEmailAddress,
ClientId = context?.Client?.ClientId
});
if (result.RequiresTwoFactor)
{
return(await TwoFactorLoginResultAsync());
}
if (result.IsLockedOut)
{
Alerts.Warning(L["UserLockedOutMessage"]);
return(Page());
}
if (result.IsNotAllowed)
{
Alerts.Warning(L["LoginIsNotAllowed"]);
return(Page());
}
if (!result.Succeeded)
{
Alerts.Danger(L["InvalidUserNameOrPassword"]);
return(Page());
}
//TODO: Find a way of getting user's id from the logged in user and do not query it again like that!
var user = await UserManager.FindByNameAsync(LoginInput.UserNameOrEmailAddress) ??
await UserManager.FindByEmailAsync(LoginInput.UserNameOrEmailAddress);
Debug.Assert(user != null, nameof(user) + " != null");
await IdentityServerEvents.RaiseAsync(new UserLoginSuccessEvent(user.UserName, user.Id.ToString(), user.UserName)); //TODO: Use user's name once implemented
return(RedirectSafely(ReturnUrl, ReturnUrlHash));
}
public async Task RememberBrowserSkipsTwoFactorVerificationSignIn(bool isPersistent)
{
// Setup
var user = new TestUser { UserName = "******" };
var manager = SetupUserManager(user);
manager.Setup(m => m.GetTwoFactorEnabledAsync(user)).ReturnsAsync(true).Verifiable();
IList<string> providers = new List<string>();
providers.Add("PhoneNumber");
manager.Setup(m => m.GetValidTwoFactorProvidersAsync(user)).Returns(Task.FromResult(providers)).Verifiable();
manager.Setup(m => m.SupportsUserLockout).Returns(true).Verifiable();
manager.Setup(m => m.SupportsUserTwoFactor).Returns(true).Verifiable();
manager.Setup(m => m.IsLockedOutAsync(user)).ReturnsAsync(false).Verifiable();
manager.Setup(m => m.CheckPasswordAsync(user, "password")).ReturnsAsync(true).Verifiable();
var context = new Mock<HttpContext>();
var response = new Mock<HttpResponse>();
context.Setup(c => c.Response).Returns(response.Object).Verifiable();
SetupSignIn(response);
var id = new ClaimsIdentity(IdentityOptions.TwoFactorRememberMeCookieAuthenticationType);
id.AddClaim(new Claim(ClaimTypes.Name, user.Id));
var authResult = new AuthenticationResult(new ClaimsPrincipal(id), new AuthenticationProperties(), new AuthenticationDescription());
context.Setup(c => c.AuthenticateAsync(IdentityOptions.TwoFactorRememberMeCookieAuthenticationScheme)).ReturnsAsync(authResult).Verifiable();
var contextAccessor = new Mock<IHttpContextAccessor>();
contextAccessor.Setup(a => a.HttpContext).Returns(context.Object);
var roleManager = MockHelpers.MockRoleManager<TestRole>();
var identityOptions = new IdentityOptions();
var options = new Mock<IOptions<IdentityOptions>>();
options.Setup(a => a.Options).Returns(identityOptions);
var claimsFactory = new Mock<UserClaimsPrincipalFactory<TestUser, TestRole>>(manager.Object, roleManager.Object, options.Object);
claimsFactory.Setup(m => m.CreateAsync(user)).ReturnsAsync(new ClaimsPrincipal(new ClaimsIdentity(IdentityOptions.ApplicationCookieAuthenticationType))).Verifiable();
var helper = new SignInManager<TestUser>(manager.Object, contextAccessor.Object, claimsFactory.Object, options.Object);
// Act
var result = await helper.PasswordSignInAsync(user.UserName, "password", isPersistent, false);
// Assert
Assert.True(result.Succeeded);
manager.Verify();
context.Verify();
response.Verify();
contextAccessor.Verify();
claimsFactory.Verify();
}
/// <summary>
/// This method is callback for external authorizing.
/// </summary>
/// <param name="provider">Provider for external authorization.</param>
/// <returns>JSON Web Token.</returns>
public async Task <string> ExternalLoginCallBack(string provider)
{
var info = await Database.SignInManager.GetExternalLoginInfoAsync();
if (info == null)
{
throw new ValidationException("Error loading external login information");
}
string Email = "";
var identifier = info.Principal.FindFirstValue(ClaimTypes.NameIdentifier);
string picture = "";
string Name = info.Principal.Identity.Name;
if (info.Principal.HasClaim(c => c.Type == ClaimTypes.Email))
{
Email = info.Principal.FindFirstValue(ClaimTypes.Email);
}
var user = await Database.UserManager.FindByEmailAsync(Email);
if (user == null)
{
User checkUser;
int i = 1;
do
{
checkUser = Database.Users.Find(x => x.UserName == Name).FirstOrDefault();
if (checkUser != null)
{
Name += i.ToString();
}
}while (checkUser != null);
if (provider == "Facebook")
{
picture = $"https://graph.facebook.com/{identifier}/picture";
}
else
{
picture = "https://i03.fotocdn.net/s118/60ff0fe19bf91339/user_l/2688937826.jpg";
}
var registerUser = new User
{
UserName = Name,
Email = Email,
EmailConfirmed = true,
ProfileImageUrl = picture
};
var registerResult = await Database.UserManager.CreateAsync(registerUser);
var roleResult = await Database.UserManager.AddToRoleAsync(registerUser, "customer");
if (!registerResult.Succeeded || !roleResult.Succeeded)
{
throw new ValidationException(registerResult.Errors.ToList()[0].Description + " " + roleResult.Errors.ToList()[0].Description);
}
}
user = await Database.UserManager.FindByEmailAsync(Email);
var role = await Database.UserManager.GetRolesAsync(user);
IdentityOptions _options = new IdentityOptions();
var tokenDescriptor = new SecurityTokenDescriptor
{
Subject = new ClaimsIdentity(new Claim[]
{
new Claim("UserID", user.Id.ToString()),
new Claim(_options.ClaimsIdentity.RoleClaimType, role.FirstOrDefault())
}),
Expires = DateTime.UtcNow.AddHours(1),
SigningCredentials = new SigningCredentials(new SymmetricSecurityKey
(Encoding.UTF8.GetBytes(_appSettings.JWT_Secret)),
SecurityAlgorithms.HmacSha256Signature)
};
var tokenHandler = new JwtSecurityTokenHandler();
var securityToken = tokenHandler.CreateToken(tokenDescriptor);
var token = tokenHandler.WriteToken(securityToken);
return(token);
}
public async Task PasswordSignInFailsWithWrongPasswordCanAccessFailedAndLockout()
{
// Setup
var user = new TestUser { UserName = "******" };
var manager = SetupUserManager(user);
var lockedout = false;
manager.Setup(m => m.AccessFailedAsync(user)).Returns(() =>
{
lockedout = true;
return Task.FromResult(IdentityResult.Success);
}).Verifiable();
manager.Setup(m => m.SupportsUserLockout).Returns(true).Verifiable();
manager.Setup(m => m.IsLockedOutAsync(user)).Returns(() => Task.FromResult(lockedout));
manager.Setup(m => m.CheckPasswordAsync(user, "bogus")).ReturnsAsync(false).Verifiable();
var context = new Mock<HttpContext>();
var contextAccessor = new Mock<IHttpContextAccessor>();
contextAccessor.Setup(a => a.HttpContext).Returns(context.Object);
var roleManager = MockHelpers.MockRoleManager<TestRole>();
var identityOptions = new IdentityOptions();
var options = new Mock<IOptions<IdentityOptions>>();
options.Setup(a => a.Options).Returns(identityOptions);
var claimsFactory = new Mock<UserClaimsPrincipalFactory<TestUser, TestRole>>(manager.Object, roleManager.Object, options.Object);
var helper = new SignInManager<TestUser>(manager.Object, contextAccessor.Object, claimsFactory.Object, options.Object);
// Act
var result = await helper.PasswordSignInAsync(user.UserName, "bogus", false, true);
// Assert
Assert.False(result.Succeeded);
Assert.True(result.IsLockedOut);
manager.Verify();
}
/// <summary>
/// 用户 配置
/// </summary>
/// <param name="options"></param>
/// <returns></returns>
private static IdentityOptions ConfigurationUser(this IdentityOptions options)
{
options.User.RequireUniqueEmail = true; // 用户邮箱必须唯一
return(options);
}
public async Task CanRequireConfirmedPhoneNumberForPasswordSignIn(bool confirmed)
{
// Setup
var user = new TestUser { UserName = "******" };
var manager = SetupUserManager(user);
manager.Setup(m => m.IsPhoneNumberConfirmedAsync(user)).ReturnsAsync(confirmed).Verifiable();
var context = new Mock<HttpContext>();
var auth = new Mock<AuthenticationManager>();
if (confirmed)
{
manager.Setup(m => m.CheckPasswordAsync(user, "password")).ReturnsAsync(true).Verifiable();
context.Setup(c => c.Authentication).Returns(auth.Object).Verifiable();
SetupSignIn(auth);
}
var identityOptions = new IdentityOptions();
identityOptions.SignIn.RequireConfirmedPhoneNumber = true;
var logStore = new StringBuilder();
var helper = SetupSignInManager(manager.Object, context.Object, logStore, identityOptions);
// Act
var result = await helper.PasswordSignInAsync(user, "password", false, false);
// Assert
Assert.Equal(confirmed, result.Succeeded);
Assert.NotEqual(confirmed, result.IsNotAllowed);
Assert.Equal(confirmed, !logStore.ToString().Contains($"User {user.Id} cannot sign in without a confirmed phone number."));
manager.Verify();
context.Verify();
auth.Verify();
}
/// <summary>
/// Token 配置
/// </summary>
/// <param name="options"></param>
/// <returns></returns>
private static IdentityOptions ConfigurationToken(this IdentityOptions options)
{
//options.Tokens
return(options);
}
public WeatherForecastController(ILogger <WeatherForecastController> logger, IdentityOptions identityOptions)
{
_logger = logger;
_identityOptions = identityOptions;
}
/// <summary>
/// ClaimsIdentity 配置
/// </summary>
/// <param name="options"></param>
/// <returns></returns>
private static IdentityOptions ConfigurationClaimsIdentity(this IdentityOptions options)
{
options.ClaimsIdentity.UserIdClaimType = JwtRegisteredClaimNames.Sub;
return(options);
}
public ExternalApplicationStorage(IdentityOptions identityOptions)
{
_identityOptions = identityOptions;
}
private static SignInManager <TUser> SetupSignInManager <TUser>(UserManager <TUser> manager,
HttpContext context, ILogger logger = null, IdentityOptions identityOptions = null,
IAuthenticationSchemeProvider schemeProvider = null) where TUser : class
{
var contextAccessor = new Mock <IHttpContextAccessor>();
contextAccessor.Setup(a => a.HttpContext).Returns(context);
identityOptions = identityOptions ?? new IdentityOptions();
var options = new Mock <IOptions <IdentityOptions> >();
options.Setup(a => a.Value).Returns(identityOptions);
var claimsFactory = new UserClaimsPrincipalFactory <TUser>(manager, options.Object);
schemeProvider = schemeProvider ?? new Mock <IAuthenticationSchemeProvider>().Object;
var sm = new SignInManager <TUser>(manager, contextAccessor.Object, claimsFactory, options.Object, null, schemeProvider, new DefaultUserConfirmation <TUser>());
sm.Logger = logger ?? (new Mock <ILogger <SignInManager <TUser> > >()).Object;
return(sm);
}
public (string name, string surname) GetNameAndSurnameFromClaims(List <Claim> claims, IdentityOptions identityOptions)
{
string name = null;
string surname = null;
var givenNameClaim = claims.FirstOrDefault(c => c.Type == ClaimTypes.GivenName);
if (givenNameClaim != null && !givenNameClaim.Value.IsNullOrEmpty())
{
name = givenNameClaim.Value;
}
var surnameClaim = claims.FirstOrDefault(c => c.Type == ClaimTypes.Surname);
if (surnameClaim != null && !surnameClaim.Value.IsNullOrEmpty())
{
surname = surnameClaim.Value;
}
if (name == null || surname == null)
{
var nameClaim = claims.FirstOrDefault(c => c.Type == identityOptions.ClaimsIdentity.UserNameClaimType);
if (nameClaim != null)
{
var nameSurName = nameClaim.Value;
if (!nameSurName.IsNullOrEmpty())
{
var lastSpaceIndex = nameSurName.LastIndexOf(' ');
if (lastSpaceIndex < 1 || lastSpaceIndex > (nameSurName.Length - 2))
{
name = surname = nameSurName;
}
else
{
name = nameSurName.Substring(0, lastSpaceIndex);
surname = nameSurName.Substring(lastSpaceIndex);
}
}
}
}
return(name, surname);
}
public CommentsService(IUnitOfWork unitOfWork,
IdentityOptions identity)
{
_unitOfWork = unitOfWork;
_identity = identity;
}
public async Task EnsureClaimsIdentityHasExpectedClaims(bool supportRoles, bool supportClaims, bool supportRoleClaims)
{
// Setup
var userManager = MockHelpers.MockUserManager<TestUser>();
var roleManager = MockHelpers.MockRoleManager<TestRole>();
var user = new TestUser { UserName = "******" };
userManager.Setup(m => m.SupportsUserClaim).Returns(supportClaims);
userManager.Setup(m => m.SupportsUserRole).Returns(supportRoles);
userManager.Setup(m => m.GetUserIdAsync(user)).ReturnsAsync(user.Id);
userManager.Setup(m => m.GetUserNameAsync(user)).ReturnsAsync(user.UserName);
var roleClaims = new[] { "Admin", "Local" };
if (supportRoles)
{
userManager.Setup(m => m.GetRolesAsync(user)).ReturnsAsync(roleClaims);
roleManager.Setup(m => m.SupportsRoleClaims).Returns(supportRoleClaims);
}
var userClaims = new[] { new Claim("Whatever", "Value"), new Claim("Whatever2", "Value2") };
if (supportClaims)
{
userManager.Setup(m => m.GetClaimsAsync(user)).ReturnsAsync(userClaims);
}
userManager.Object.Options = new IdentityOptions();
var admin = new TestRole() { Name = "Admin" };
var local = new TestRole() { Name = "Local" };
var adminClaims = new[] { new Claim("AdminClaim1", "Value1"), new Claim("AdminClaim2", "Value2") };
var localClaims = new[] { new Claim("LocalClaim1", "Value1"), new Claim("LocalClaim2", "Value2") };
if (supportRoleClaims)
{
roleManager.Setup(m => m.FindByNameAsync("Admin")).ReturnsAsync(admin);
roleManager.Setup(m => m.FindByNameAsync("Local")).ReturnsAsync(local);
roleManager.Setup(m => m.GetClaimsAsync(admin)).ReturnsAsync(adminClaims);
roleManager.Setup(m => m.GetClaimsAsync(local)).ReturnsAsync(localClaims);
}
var options = new Mock<IOptions<IdentityOptions>>();
var identityOptions = new IdentityOptions();
options.Setup(a => a.Options).Returns(identityOptions);
var factory = new UserClaimsPrincipalFactory<TestUser, TestRole>(userManager.Object, roleManager.Object, options.Object);
// Act
var principal = await factory.CreateAsync(user);
var identity = principal.Identities.First();
// Assert
var manager = userManager.Object;
Assert.NotNull(identity);
Assert.Equal(1, principal.Identities.Count());
Assert.Equal(IdentityOptions.ApplicationCookieAuthenticationType, identity.AuthenticationType);
var claims = identity.Claims.ToList();
Assert.NotNull(claims);
Assert.True(
claims.Any(c => c.Type == manager.Options.ClaimsIdentity.UserNameClaimType && c.Value == user.UserName));
Assert.True(claims.Any(c => c.Type == manager.Options.ClaimsIdentity.UserIdClaimType && c.Value == user.Id));
Assert.Equal(supportRoles, claims.Any(c => c.Type == manager.Options.ClaimsIdentity.RoleClaimType && c.Value == "Admin"));
Assert.Equal(supportRoles, claims.Any(c => c.Type == manager.Options.ClaimsIdentity.RoleClaimType && c.Value == "Local"));
foreach (var cl in userClaims)
{
Assert.Equal(supportClaims, claims.Any(c => c.Type == cl.Type && c.Value == cl.Value));
}
foreach (var cl in adminClaims)
{
Assert.Equal(supportRoleClaims, claims.Any(c => c.Type == cl.Type && c.Value == cl.Value));
}
foreach (var cl in localClaims)
{
Assert.Equal(supportRoleClaims, claims.Any(c => c.Type == cl.Type && c.Value == cl.Value));
}
userManager.VerifyAll();
roleManager.VerifyAll();
}
private static SignInManager <PocoUser> SetupSignInManager(UserManager <PocoUser> manager, HttpContext context, ILogger logger = null, IdentityOptions identityOptions = null, IAuthenticationSchemeProvider schemeProvider = null)
{
var contextAccessor = new Mock <IHttpContextAccessor>();
contextAccessor.Setup(a => a.HttpContext).Returns(context);
var roleManager = MockHelpers.MockRoleManager <PocoRole>();
identityOptions = identityOptions ?? new IdentityOptions();
var options = new Mock <IOptions <IdentityOptions> >();
options.Setup(a => a.Value).Returns(identityOptions);
var claimsFactory = new UserClaimsPrincipalFactory <PocoUser, PocoRole>(manager, roleManager.Object, options.Object);
schemeProvider = schemeProvider ?? new Mock <IAuthenticationSchemeProvider>().Object;
var sm = new SignInManager <PocoUser>(manager, contextAccessor.Object, claimsFactory, options.Object, null, schemeProvider, new DefaultUserConfirmation <PocoUser>());
sm.Logger = logger ?? NullLogger <SignInManager <PocoUser> > .Instance;
return(sm);
}
public override void ExplicitVisit(IdentityOptions fragment)
{
_fragments.Add(fragment);
}
public IdentityContext(DbContextOptions <IdentityContext> options, IOptions <IdentityOptions> identityOptions) : base(options)
{
_identityOptions = identityOptions.Value;
}
public async Task PasswordSignInWorksWithNonTwoFactorStore()
{
// Setup
var user = new TestUser { UserName = "******" };
var manager = SetupUserManager(user);
manager.Setup(m => m.SupportsUserLockout).Returns(true).Verifiable();
manager.Setup(m => m.IsLockedOutAsync(user)).ReturnsAsync(false).Verifiable();
manager.Setup(m => m.CheckPasswordAsync(user, "password")).ReturnsAsync(true).Verifiable();
manager.Setup(m => m.ResetAccessFailedCountAsync(user)).ReturnsAsync(IdentityResult.Success).Verifiable();
var context = new Mock<HttpContext>();
var response = new Mock<HttpResponse>();
SetupSignIn(response);
context.Setup(c => c.Response).Returns(response.Object).Verifiable();
var contextAccessor = new Mock<IHttpContextAccessor>();
contextAccessor.Setup(a => a.HttpContext).Returns(context.Object);
var roleManager = MockHelpers.MockRoleManager<TestRole>();
var identityOptions = new IdentityOptions();
var options = new Mock<IOptions<IdentityOptions>>();
options.Setup(a => a.Options).Returns(identityOptions);
var claimsFactory = new UserClaimsPrincipalFactory<TestUser, TestRole>(manager.Object, roleManager.Object, options.Object);
var helper = new SignInManager<TestUser>(manager.Object, contextAccessor.Object, claimsFactory, options.Object);
// Act
var result = await helper.PasswordSignInAsync(user.UserName, "password", false, false);
// Assert
Assert.True(result.Succeeded);
manager.Verify();
context.Verify();
response.Verify();
contextAccessor.Verify();
}
// to use with DI see:
// https://levelup.gitconnected.com/add-extra-user-claims-in-asp-net-core-web-applications-1f28c98c9ec6
// https://stackoverflow.com/questions/42036810/asp-net-core-jwt-mapping-role-claims-to-claimsidentity
private async Task <IList <Claim> > GetUserClaims(ApplicationUser user)
{
// https://tools.ietf.org/html/rfc7519#section-4
DateTimeOffset now = new DateTimeOffset(DateTime.UtcNow);
IdentityOptions options = new IdentityOptions();
List <Claim> claims = new List <Claim>
{
// (SUB) the principal that is the subject of the JWT
new Claim(RegisteredClaims.Sub, user.UserName),
// (JWT ID) provides a unique identifier for the JWT
new Claim(RegisteredClaims.Jti, Guid.NewGuid().ToString()),
// (NBF)
new Claim(RegisteredClaims.Nbf,
(now - new TimeSpan(0, 0, 10)).ToUnixTimeSeconds().ToString()),
new Claim(options.ClaimsIdentity.UserIdClaimType, user.Id.ToString()),
new Claim(options.ClaimsIdentity.UserNameClaimType, user.UserName),
// (IAT) issued at
new Claim(RegisteredClaims.Iat, now.ToUnixTimeSeconds().ToString()),
// email and its confirmation
new Claim("http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress",
user.Email),
// this claim name is arbitrary
new Claim("vfd", user.EmailConfirmed? "true" : "false")
};
// claims from user claims
IList <Claim> userClaims = await _userManager.GetClaimsAsync(user);
claims.AddRange(userClaims);
// claims from user roles
IList <string> userRoles = await _userManager.GetRolesAsync(user);
foreach (string userRole in userRoles)
{
claims.Add(new Claim(ClaimTypes.Role, userRole));
ApplicationRole role = await _roleManager.FindByNameAsync(userRole);
if (role != null && _roleManager.SupportsRoleClaims)
{
IList <Claim> roleClaims = await _roleManager.GetClaimsAsync(role);
foreach (Claim roleClaim in roleClaims)
{
claims.Add(roleClaim);
}
}
}
// claims from additional user properties
// http://docs.oasis-open.org/imi/identity/v1.0/os/identity-1.0-spec-os.html#_Toc229451870
claims.Add(new Claim("http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname",
user.FirstName));
claims.Add(new Claim("http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname",
user.LastName));
return(claims);
}
public async Task CanExternalSignIn(bool isPersistent, bool supportsLockout)
{
// Setup
var user = new TestUser { UserName = "******" };
const string loginProvider = "login";
const string providerKey = "fookey";
var manager = SetupUserManager(user);
manager.Setup(m => m.SupportsUserLockout).Returns(supportsLockout).Verifiable();
if (supportsLockout)
{
manager.Setup(m => m.IsLockedOutAsync(user)).ReturnsAsync(false).Verifiable();
}
manager.Setup(m => m.FindByLoginAsync(loginProvider, providerKey)).ReturnsAsync(user).Verifiable();
var context = new Mock<HttpContext>();
var response = new Mock<HttpResponse>();
context.Setup(c => c.Response).Returns(response.Object).Verifiable();
SetupSignIn(response, user.Id, isPersistent, loginProvider);
var contextAccessor = new Mock<IHttpContextAccessor>();
contextAccessor.Setup(a => a.HttpContext).Returns(context.Object);
var roleManager = MockHelpers.MockRoleManager<TestRole>();
var identityOptions = new IdentityOptions();
response.Setup(r => r.SignOut(IdentityOptions.ExternalCookieAuthenticationScheme)).Verifiable();
var options = new Mock<IOptions<IdentityOptions>>();
options.Setup(a => a.Options).Returns(identityOptions);
var claimsFactory = new UserClaimsPrincipalFactory<TestUser, TestRole>(manager.Object, roleManager.Object, options.Object);
var logStore = new StringBuilder();
var logger = MockHelpers.MockILogger<SignInManager<TestUser>>(logStore);
var helper = new SignInManager<TestUser>(manager.Object, contextAccessor.Object, claimsFactory, options.Object, null);
helper.Logger = logger.Object;
string expectedScope = string.Format("{0} for {1}: {2}", "ExternalLoginSignInAsync", "user", user.Id);
string expectedLog = string.Format("{0} : {1}", "ExternalLoginSignInAsync", "Succeeded");
// Act
var result = await helper.ExternalLoginSignInAsync(loginProvider, providerKey, isPersistent);
// Assert
Assert.True(result.Succeeded);
Assert.NotEqual(-1, logStore.ToString().IndexOf(expectedLog));
Assert.NotEqual(-1, logStore.ToString().IndexOf(expectedScope));
manager.Verify();
context.Verify();
response.Verify();
contextAccessor.Verify();
}
public async Task EnsureClaimsIdentityHasExpectedClaims(bool supportRoles, bool supportClaims, bool supportRoleClaims)
{
// Setup
var userManager = MockHelpers.MockUserManager <TestUser>();
var roleManager = MockHelpers.MockRoleManager <TestRole>();
var user = new TestUser {
UserName = "******"
};
userManager.Setup(m => m.SupportsUserClaim).Returns(supportClaims);
userManager.Setup(m => m.SupportsUserRole).Returns(supportRoles);
userManager.Setup(m => m.GetUserIdAsync(user, CancellationToken.None)).ReturnsAsync(user.Id);
userManager.Setup(m => m.GetUserNameAsync(user, CancellationToken.None)).ReturnsAsync(user.UserName);
var roleClaims = new[] { "Admin", "Local" };
if (supportRoles)
{
userManager.Setup(m => m.GetRolesAsync(user, CancellationToken.None)).ReturnsAsync(roleClaims);
roleManager.Setup(m => m.SupportsRoleClaims).Returns(supportRoleClaims);
}
var userClaims = new[] { new Claim("Whatever", "Value"), new Claim("Whatever2", "Value2") };
if (supportClaims)
{
userManager.Setup(m => m.GetClaimsAsync(user, CancellationToken.None)).ReturnsAsync(userClaims);
}
userManager.Object.Options = new IdentityOptions();
var admin = new TestRole()
{
Name = "Admin"
};
var local = new TestRole()
{
Name = "Local"
};
var adminClaims = new[] { new Claim("AdminClaim1", "Value1"), new Claim("AdminClaim2", "Value2") };
var localClaims = new[] { new Claim("LocalClaim1", "Value1"), new Claim("LocalClaim2", "Value2") };
if (supportRoleClaims)
{
roleManager.Setup(m => m.FindByNameAsync("Admin", CancellationToken.None)).ReturnsAsync(admin);
roleManager.Setup(m => m.FindByNameAsync("Local", CancellationToken.None)).ReturnsAsync(local);
roleManager.Setup(m => m.GetClaimsAsync(admin, CancellationToken.None)).ReturnsAsync(adminClaims);
roleManager.Setup(m => m.GetClaimsAsync(local, CancellationToken.None)).ReturnsAsync(localClaims);
}
var options = new Mock <IOptions <IdentityOptions> >();
var identityOptions = new IdentityOptions();
options.Setup(a => a.Options).Returns(identityOptions);
var factory = new ClaimsIdentityFactory <TestUser, TestRole>(userManager.Object, roleManager.Object, options.Object);
// Act
var identity = await factory.CreateAsync(user);
// Assert
var manager = userManager.Object;
Assert.NotNull(identity);
Assert.Equal(IdentityOptions.ApplicationCookieAuthenticationType, identity.AuthenticationType);
var claims = identity.Claims.ToList();
Assert.NotNull(claims);
Assert.True(
claims.Any(c => c.Type == manager.Options.ClaimsIdentity.UserNameClaimType && c.Value == user.UserName));
Assert.True(claims.Any(c => c.Type == manager.Options.ClaimsIdentity.UserIdClaimType && c.Value == user.Id));
Assert.Equal(supportRoles, claims.Any(c => c.Type == manager.Options.ClaimsIdentity.RoleClaimType && c.Value == "Admin"));
Assert.Equal(supportRoles, claims.Any(c => c.Type == manager.Options.ClaimsIdentity.RoleClaimType && c.Value == "Local"));
foreach (var cl in userClaims)
{
Assert.Equal(supportClaims, claims.Any(c => c.Type == cl.Type && c.Value == cl.Value));
}
foreach (var cl in adminClaims)
{
Assert.Equal(supportRoleClaims, claims.Any(c => c.Type == cl.Type && c.Value == cl.Value));
}
foreach (var cl in localClaims)
{
Assert.Equal(supportRoleClaims, claims.Any(c => c.Type == cl.Type && c.Value == cl.Value));
}
userManager.VerifyAll();
roleManager.VerifyAll();
}
public async Task RememberClientStoresUserId()
{
// Setup
var user = new TestUser { UserName = "******" };
var manager = SetupUserManager(user);
var context = new Mock<HttpContext>();
var response = new Mock<HttpResponse>();
var contextAccessor = new Mock<IHttpContextAccessor>();
var roleManager = MockHelpers.MockRoleManager<TestRole>();
var identityOptions = new IdentityOptions();
var options = new Mock<IOptions<IdentityOptions>>();
options.Setup(a => a.Options).Returns(identityOptions);
var claimsFactory = new UserClaimsPrincipalFactory<TestUser, TestRole>(manager.Object, roleManager.Object, options.Object);
context.Setup(c => c.Response).Returns(response.Object).Verifiable();
response.Setup(r => r.SignIn(
IdentityOptions.TwoFactorRememberMeCookieAuthenticationScheme,
It.Is<ClaimsPrincipal>(i => i.FindFirstValue(ClaimTypes.Name) == user.Id
&& i.Identities.First().AuthenticationType == IdentityOptions.TwoFactorRememberMeCookieAuthenticationType),
It.Is<AuthenticationProperties>(v => v.IsPersistent == true))).Verifiable();
contextAccessor.Setup(a => a.HttpContext).Returns(context.Object).Verifiable();
options.Setup(a => a.Options).Returns(identityOptions).Verifiable();
var helper = new SignInManager<TestUser>(manager.Object, contextAccessor.Object, claimsFactory, options.Object);
// Act
await helper.RememberTwoFactorClientAsync(user);
// Assert
manager.Verify();
context.Verify();
response.Verify();
contextAccessor.Verify();
options.Verify();
}
private void ConfigureAuthServices(IServiceCollection services)
{
services.AddIdentity <ApplicationUser, IdentityRole <int> >(
options => { options.Lockout.AllowedForNewUsers = false; })
.AddEntityFrameworkStores <BuildAssetRegistryContext>();
services.AddSingleton <IAuthenticationSchemeProvider, ContextAwareAuthenticationSchemeProvider>();
services.AddAuthentication()
.AddOAuth <GitHubAuthenticationOptions, GitHubAuthenticationHandler>(
GitHubScheme,
options =>
{
IConfigurationSection ghAuthConfig = Configuration.GetSection("GitHubAuthentication");
ghAuthConfig.Bind(options);
options.Events = new OAuthEvents
{
OnCreatingTicket = async context =>
{
var logger = context.HttpContext.RequestServices.GetRequiredService <ILogger <Startup> >();
logger.LogInformation("Reading user roles from GitHub.");
foreach (string role in await GetGithubRolesAsync(context.AccessToken))
{
context.Identity.AddClaim(
new Claim(ClaimTypes.Role, role, ClaimValueTypes.String, GitHubScheme));
}
},
OnRemoteFailure = context =>
{
var logger = context.HttpContext.RequestServices.GetRequiredService <ILogger <GitHubAuthenticationHandler> >();
logger.LogError(context.Failure, "Github authentication failed.");
var res = context.HttpContext.Response;
res.StatusCode = (int)HttpStatusCode.Forbidden;
context.HandleResponse();
context.HttpContext.Items["ErrorMessage"] = "Authentication failed.";
return(Task.CompletedTask);
},
};
})
.AddPersonalAccessToken <ApplicationUser>(
options =>
{
options.Events = new PersonalAccessTokenEvents <ApplicationUser>
{
OnSetTokenHash = async context =>
{
var dbContext = context.HttpContext.RequestServices
.GetRequiredService <BuildAssetRegistryContext>();
int userId = context.User.Id;
var token = new ApplicationUserPersonalAccessToken
{
ApplicationUserId = userId,
Name = context.Name,
Hash = context.Hash,
Created = DateTimeOffset.UtcNow
};
await dbContext.Set <ApplicationUserPersonalAccessToken>().AddAsync(token);
await dbContext.SaveChangesAsync();
return(token.Id);
},
OnGetTokenHash = async context =>
{
var dbContext = context.HttpContext.RequestServices
.GetRequiredService <BuildAssetRegistryContext>();
ApplicationUserPersonalAccessToken token = await dbContext
.Set <ApplicationUserPersonalAccessToken>()
.Where(t => t.Id == context.TokenId)
.Include(t => t.ApplicationUser)
.FirstOrDefaultAsync();
if (token != null)
{
context.Success(token.Hash, token.ApplicationUser);
}
},
OnValidatePrincipal = async context =>
{
ApplicationUser user = context.User;
var dbContext = context.HttpContext.RequestServices
.GetRequiredService <BuildAssetRegistryContext>();
var userManager = context.HttpContext.RequestServices
.GetRequiredService <UserManager <ApplicationUser> >();
var signInManager = context.HttpContext.RequestServices
.GetRequiredService <SignInManager <ApplicationUser> >();
await UpdateUserIfNeededAsync(user, dbContext, userManager, signInManager);
ClaimsPrincipal principal = await signInManager.CreateUserPrincipalAsync(user);
context.ReplacePrincipal(principal);
}
};
});
services.ConfigureExternalCookie(
options =>
{
options.ExpireTimeSpan = TimeSpan.FromMinutes(30);
options.ReturnUrlParameter = "returnUrl";
options.LoginPath = "/Account/SignIn";
options.Events = new CookieAuthenticationEvents
{
OnRedirectToLogin = ctx =>
{
if (ctx.Request.Path.StartsWithSegments("/api"))
{
ctx.Response.StatusCode = 401;
return(Task.CompletedTask);
}
ctx.Response.Redirect(ctx.RedirectUri);
return(Task.CompletedTask);
},
OnRedirectToAccessDenied = ctx =>
{
ctx.Response.StatusCode = 403;
return(Task.CompletedTask);
},
};
});
services.ConfigureApplicationCookie(
options =>
{
options.ExpireTimeSpan = LoginCookieLifetime;
options.SlidingExpiration = true;
options.Events = new CookieAuthenticationEvents
{
OnSigningIn = async ctx =>
{
var dbContext = ctx.HttpContext.RequestServices
.GetRequiredService <BuildAssetRegistryContext>();
var signInManager = ctx.HttpContext.RequestServices
.GetRequiredService <SignInManager <ApplicationUser> >();
var userManager = ctx.HttpContext.RequestServices
.GetRequiredService <UserManager <ApplicationUser> >();
ExternalLoginInfo info = await signInManager.GetExternalLoginInfoAsync();
var user = await userManager.GetUserAsync(ctx.Principal);
await UpdateUserTokenAsync(dbContext, userManager, user, info);
IdentityOptions identityOptions = ctx.HttpContext.RequestServices
.GetRequiredService <IOptions <IdentityOptions> >()
.Value;
// replace the ClaimsPrincipal we are about to serialize to the cookie with a reference
Claim claim = ctx.Principal.Claims.Single(
c => c.Type == identityOptions.ClaimsIdentity.UserIdClaimType);
Claim[] claims = { claim };
var identity = new ClaimsIdentity(claims, IdentityConstants.ApplicationScheme);
ctx.Principal = new ClaimsPrincipal(identity);
},
OnValidatePrincipal = async ctx =>
{
var dbContext = ctx.HttpContext.RequestServices
.GetRequiredService <BuildAssetRegistryContext>();
var userManager = ctx.HttpContext.RequestServices
.GetRequiredService <UserManager <ApplicationUser> >();
var signInManager = ctx.HttpContext.RequestServices
.GetRequiredService <SignInManager <ApplicationUser> >();
// extract the userId from the ClaimsPrincipal and read the user from the Db
ApplicationUser user = await userManager.GetUserAsync(ctx.Principal);
if (user == null)
{
ctx.RejectPrincipal();
}
else
{
await UpdateUserIfNeededAsync(user, dbContext, userManager, signInManager);
ClaimsPrincipal principal = await signInManager.CreateUserPrincipalAsync(user);
ctx.ReplacePrincipal(principal);
}
}
};
});
services.AddAuthorization(
options =>
{
options.AddPolicy(
MsftAuthorizationPolicyName,
policy =>
{
policy.RequireAuthenticatedUser();
if (!HostingEnvironment.IsDevelopment())
{
policy.RequireRole("github:team:dotnet:dnceng", "github:team:dotnet:arcade-contrib");
}
});
});
services.Configure <MvcOptions>(
options =>
{
options.Conventions.Add(new DefaultAuthorizeActionModelConvention(MsftAuthorizationPolicyName));
});
}
public void SignOutCallsContextResponseSignOut(string authenticationScheme)
{
// Setup
var manager = MockHelpers.MockUserManager<TestUser>();
var context = new Mock<HttpContext>();
var response = new Mock<HttpResponse>();
context.Setup(c => c.Response).Returns(response.Object).Verifiable();
response.Setup(r => r.SignOut(authenticationScheme)).Verifiable();
response.Setup(r => r.SignOut(IdentityOptions.TwoFactorUserIdCookieAuthenticationScheme)).Verifiable();
response.Setup(r => r.SignOut(IdentityOptions.ExternalCookieAuthenticationScheme)).Verifiable();
var contextAccessor = new Mock<IHttpContextAccessor>();
contextAccessor.Setup(a => a.HttpContext).Returns(context.Object);
var roleManager = MockHelpers.MockRoleManager<TestRole>();
var identityOptions = new IdentityOptions();
var options = new Mock<IOptions<IdentityOptions>>();
options.Setup(a => a.Options).Returns(identityOptions);
IdentityOptions.ApplicationCookieAuthenticationScheme = authenticationScheme;
var claimsFactory = new Mock<UserClaimsPrincipalFactory<TestUser, TestRole>>(manager.Object, roleManager.Object, options.Object);
var logStore = new StringBuilder();
var logger = MockHelpers.MockILogger<SignInManager<TestUser>>(logStore);
var helper = new SignInManager<TestUser>(manager.Object, contextAccessor.Object, claimsFactory.Object, options.Object, null);
helper.Logger = logger.Object;
// Act
helper.SignOut();
// Assert
context.Verify();
response.Verify();
contextAccessor.Verify();
claimsFactory.Verify();
}
private void ConfigureAuthServices(IServiceCollection services)
{
services.AddIdentity <ApplicationUser, IdentityRole <int> >(
options => { options.Lockout.AllowedForNewUsers = false; })
.AddEntityFrameworkStores <BuildAssetRegistryContext>();
services.AddAuthentication(options =>
{
options.DefaultAuthenticateScheme = options.DefaultChallengeScheme = options.DefaultScheme = "Contextual";
options.DefaultSignInScheme = IdentityConstants.ExternalScheme;
})
.AddPolicyScheme("Contextual", "Contextual",
policyOptions => { policyOptions.ForwardDefaultSelector = ctx => ctx.Request.Path.StartsWithSegments("/api") ? PersonalAccessTokenDefaults.AuthenticationScheme : IdentityConstants.ApplicationScheme; })
.AddGitHubOAuth(Configuration.GetSection("GitHubAuthentication"), GitHubScheme)
.AddPersonalAccessToken <ApplicationUser>(
options =>
{
options.Events = new PersonalAccessTokenEvents <ApplicationUser>
{
OnSetTokenHash = async context =>
{
var dbContext = context.HttpContext.RequestServices
.GetRequiredService <BuildAssetRegistryContext>();
int userId = context.User.Id;
var token = new ApplicationUserPersonalAccessToken
{
ApplicationUserId = userId,
Name = context.Name,
Hash = context.Hash,
Created = DateTimeOffset.UtcNow
};
await dbContext.Set <ApplicationUserPersonalAccessToken>().AddAsync(token);
await dbContext.SaveChangesAsync();
return(token.Id);
},
OnGetTokenHash = async context =>
{
var dbContext = context.HttpContext.RequestServices
.GetRequiredService <BuildAssetRegistryContext>();
ApplicationUserPersonalAccessToken token = await dbContext
.Set <ApplicationUserPersonalAccessToken>()
.Where(t => t.Id == context.TokenId)
.Include(t => t.ApplicationUser)
.FirstOrDefaultAsync();
if (token != null)
{
context.Success(token.Hash, token.ApplicationUser);
}
},
OnValidatePrincipal = async context =>
{
ApplicationUser user = context.User;
var dbContext = context.HttpContext.RequestServices
.GetRequiredService <BuildAssetRegistryContext>();
var userManager = context.HttpContext.RequestServices
.GetRequiredService <UserManager <ApplicationUser> >();
var signInManager = context.HttpContext.RequestServices
.GetRequiredService <SignInManager <ApplicationUser> >();
var gitHubClaimResolver = context.HttpContext.RequestServices
.GetRequiredService <GitHubClaimResolver>();
await UpdateUserIfNeededAsync(user, dbContext, userManager, signInManager, gitHubClaimResolver);
ClaimsPrincipal principal = await signInManager.CreateUserPrincipalAsync(user);
context.ReplacePrincipal(principal);
}
};
});
services.ConfigureExternalCookie(
options =>
{
options.ExpireTimeSpan = TimeSpan.FromMinutes(30);
options.ReturnUrlParameter = "returnUrl";
options.LoginPath = "/Account/SignIn";
options.Events = new CookieAuthenticationEvents
{
OnRedirectToLogin = ctx =>
{
if (ctx.Request.Path.StartsWithSegments("/api"))
{
ctx.Response.StatusCode = 401;
return(Task.CompletedTask);
}
ctx.Response.Redirect(ctx.RedirectUri);
return(Task.CompletedTask);
},
OnRedirectToAccessDenied = ctx =>
{
ctx.Response.StatusCode = 403;
return(Task.CompletedTask);
},
};
});
services.ConfigureApplicationCookie(
options =>
{
options.ExpireTimeSpan = LoginCookieLifetime;
options.SlidingExpiration = true;
options.ReturnUrlParameter = "returnUrl";
options.LoginPath = "/Account/SignIn";
options.Events = new CookieAuthenticationEvents
{
OnSigningIn = async ctx =>
{
var dbContext = ctx.HttpContext.RequestServices
.GetRequiredService <BuildAssetRegistryContext>();
var signInManager = ctx.HttpContext.RequestServices
.GetRequiredService <SignInManager <ApplicationUser> >();
var userManager = ctx.HttpContext.RequestServices
.GetRequiredService <UserManager <ApplicationUser> >();
ExternalLoginInfo info = await signInManager.GetExternalLoginInfoAsync();
var user = await userManager.GetUserAsync(ctx.Principal);
await UpdateUserTokenAsync(dbContext, userManager, user, info);
IdentityOptions identityOptions = ctx.HttpContext.RequestServices
.GetRequiredService <IOptions <IdentityOptions> >()
.Value;
// replace the ClaimsPrincipal we are about to serialize to the cookie with a reference
Claim claim = ctx.Principal.Claims.First(
c => c.Type == identityOptions.ClaimsIdentity.UserIdClaimType);
Claim[] claims = { claim };
var identity = new ClaimsIdentity(claims, IdentityConstants.ApplicationScheme);
ctx.Principal = new ClaimsPrincipal(identity);
},
OnValidatePrincipal = async ctx =>
{
var dbContext = ctx.HttpContext.RequestServices
.GetRequiredService <BuildAssetRegistryContext>();
var userManager = ctx.HttpContext.RequestServices
.GetRequiredService <UserManager <ApplicationUser> >();
var signInManager = ctx.HttpContext.RequestServices
.GetRequiredService <SignInManager <ApplicationUser> >();
var gitHubClaimResolver = ctx.HttpContext.RequestServices
.GetRequiredService <GitHubClaimResolver>();
// extract the userId from the ClaimsPrincipal and read the user from the Db
ApplicationUser user = await userManager.GetUserAsync(ctx.Principal);
if (user == null)
{
ctx.RejectPrincipal();
}
else
{
await UpdateUserIfNeededAsync(user, dbContext, userManager, signInManager, gitHubClaimResolver);
ClaimsPrincipal principal = await signInManager.CreateUserPrincipalAsync(user);
ctx.ReplacePrincipal(principal);
}
}
};
});
services.AddAuthorization(
options =>
{
options.AddPolicy(
MsftAuthorizationPolicyName,
policy =>
{
policy.RequireAuthenticatedUser();
if (!HostingEnvironment.IsDevelopment())
{
policy.RequireRole(GitHubClaimResolver.GetTeamRole("dotnet", "dnceng"), GitHubClaimResolver.GetTeamRole("dotnet", "arcade-contrib"));
}
});
});
services.Configure <MvcOptions>(
options =>
{
options.Conventions.Add(new DefaultAuthorizeActionModelConvention(MsftAuthorizationPolicyName));
});
}
public async Task PasswordSignInFailsWithUnknownUser()
{
// Setup
var manager = MockHelpers.MockUserManager<TestUser>();
manager.Setup(m => m.FindByNameAsync("bogus")).ReturnsAsync(null).Verifiable();
var context = new Mock<HttpContext>();
var contextAccessor = new Mock<IHttpContextAccessor>();
contextAccessor.Setup(a => a.HttpContext).Returns(context.Object);
var roleManager = MockHelpers.MockRoleManager<TestRole>();
var identityOptions = new IdentityOptions();
var options = new Mock<IOptions<IdentityOptions>>();
options.Setup(a => a.Options).Returns(identityOptions);
var claimsFactory = new Mock<UserClaimsPrincipalFactory<TestUser, TestRole>>(manager.Object, roleManager.Object, options.Object);
var helper = new SignInManager<TestUser>(manager.Object, contextAccessor.Object, claimsFactory.Object, options.Object);
// Act
var result = await helper.PasswordSignInAsync("bogus", "bogus", false, false);
// Assert
Assert.False(result.Succeeded);
manager.Verify();
context.Verify();
contextAccessor.Verify();
}
/// <summary>
/// Creates new instance of password check service.
/// </summary>
/// <param name="options"></param>
public PasswordCheckService(UserManager <ApplicationUser> userManager)
{
Options = userManager.Options;
}
public async Task CanRequireConfirmedPhoneNumberForPasswordSignIn(bool confirmed)
{
// Setup
var user = new TestUser { UserName = "******" };
var manager = SetupUserManager(user);
manager.Setup(m => m.IsPhoneNumberConfirmedAsync(user)).ReturnsAsync(confirmed).Verifiable();
var context = new Mock<HttpContext>();
var response = new Mock<HttpResponse>();
if (confirmed)
{
manager.Setup(m => m.CheckPasswordAsync(user, "password")).ReturnsAsync(true).Verifiable();
context.Setup(c => c.Response).Returns(response.Object).Verifiable();
SetupSignIn(response);
}
var contextAccessor = new Mock<IHttpContextAccessor>();
contextAccessor.Setup(a => a.HttpContext).Returns(context.Object);
var roleManager = MockHelpers.MockRoleManager<TestRole>();
var identityOptions = new IdentityOptions();
identityOptions.SignIn.RequireConfirmedPhoneNumber = true;
var options = new Mock<IOptions<IdentityOptions>>();
options.Setup(a => a.Options).Returns(identityOptions);
var claimsFactory = new Mock<UserClaimsPrincipalFactory<TestUser, TestRole>>(manager.Object, roleManager.Object, options.Object);
var logStore = new StringBuilder();
var logger = MockHelpers.MockILogger<SignInManager<TestUser>>(logStore);
var helper = new SignInManager<TestUser>(manager.Object, contextAccessor.Object, claimsFactory.Object, options.Object, null);
helper.Logger = logger.Object;
string expectedScope = string.Format("{0} for {1}: {2}", "PasswordSignInAsync", "user", user.Id);
string expectedLog = string.Format("{0} : {1}", "CanSignInAsync", confirmed.ToString());
// Act
var result = await helper.PasswordSignInAsync(user, "password", false, false);
// Assert
Assert.Equal(confirmed, result.Succeeded);
Assert.NotEqual(confirmed, result.IsNotAllowed);
Assert.NotEqual(-1, logStore.ToString().IndexOf(expectedLog));
Assert.NotEqual(-1, logStore.ToString().IndexOf(expectedScope));
manager.Verify();
context.Verify();
response.Verify();
contextAccessor.Verify();
}
public virtual async Task <IActionResult> OnPostAsync(string action)
{
ActionHelper.AddTitle(this, "Login");
// Clean old noitify data
ViewData["LoginError"] = null;
await CheckLocalLoginAsync();
ValidateModel();
ExternalProviders = await GetExternalProviders();
EnableLocalLogin = await SettingProvider.IsTrueAsync(AccountSettingNames.EnableLocalLogin);
await ReplaceEmailToUsernameOfInputIfNeeds();
await IdentityOptions.SetAsync();
var result = await SignInManager.PasswordSignInAsync(
LoginInput.UserNameOrEmailAddress,
LoginInput.Password,
LoginInput.RememberMe,
true
);
await IdentitySecurityLogManager.SaveAsync(new IdentitySecurityLogContext()
{
Identity = IdentitySecurityLogIdentityConsts.Identity,
Action = result.ToIdentitySecurityLogAction(),
UserName = LoginInput.UserNameOrEmailAddress
});
if (result.RequiresTwoFactor)
{
return(await TwoFactorLoginResultAsync());
}
if (result.IsLockedOut)
{
ViewData["LoginError"] = L["Please try again after a few minutes"];
ToastHelper.ToastError(this, L["Please try again after a few minutes"]);
return(Page());
}
if (result.IsNotAllowed)
{
ViewData["LoginError"] = L["You are not permitted login right now"];
ToastHelper.ToastError(this, L["You are not permitted login right now"]);
return(Page());
}
if (!result.Succeeded)
{
ViewData["LoginError"] = L["Invalid Username/Email or Password"];
ToastHelper.ToastError(this, L["Invalid Username/Email or Password"]);
return(Page());
}
//TODO: Find a way of getting user's id from the logged in user and do not query it again like that!
var user = await UserManager.FindByNameAsync(LoginInput.UserNameOrEmailAddress) ??
await UserManager.FindByEmailAsync(LoginInput.UserNameOrEmailAddress);
Debug.Assert(user != null, nameof(user) + " != null");
ToastHelper.ToastSuccess(this, L["Login successful"]);
return(RedirectSafely(ReturnUrl, ReturnUrlHash));
}
private static SignInManager<TestUser> SetupSignInManager(UserManager<TestUser> manager, HttpContext context, StringBuilder logStore = null, IdentityOptions identityOptions = null)
{
var contextAccessor = new Mock<IHttpContextAccessor>();
contextAccessor.Setup(a => a.HttpContext).Returns(context);
var roleManager = MockHelpers.MockRoleManager<TestRole>();
identityOptions = identityOptions ?? new IdentityOptions();
var options = new Mock<IOptions<IdentityOptions>>();
options.Setup(a => a.Value).Returns(identityOptions);
var claimsFactory = new UserClaimsPrincipalFactory<TestUser, TestRole>(manager, roleManager.Object, options.Object);
var sm = new SignInManager<TestUser>(manager, contextAccessor.Object, claimsFactory, options.Object, null);
sm.Logger = MockHelpers.MockILogger<SignInManager<TestUser>>(logStore ?? new StringBuilder()).Object;
return sm;
}
public virtual async Task <IActionResult> OnGetExternalLoginCallbackAsync(string returnUrl = "", string returnUrlHash = "", string remoteError = null)
{
//TODO: Did not implemented Identity Server 4 sample for this method (see ExternalLoginCallback in Quickstart of IDS4 sample)
/* Also did not implement these:
* - Logout(string logoutId)
*/
if (remoteError != null)
{
Logger.LogWarning($"External login callback error: {remoteError}");
return(RedirectToPage("./Login"));
}
await IdentityOptions.SetAsync();
var loginInfo = await SignInManager.GetExternalLoginInfoAsync();
if (loginInfo == null)
{
Logger.LogWarning("External login info is not available");
return(RedirectToPage("./Login"));
}
var result = await SignInManager.ExternalLoginSignInAsync(
loginInfo.LoginProvider,
loginInfo.ProviderKey,
isPersistent : false,
bypassTwoFactor : true
);
if (!result.Succeeded)
{
await IdentitySecurityLogManager.SaveAsync(new IdentitySecurityLogContext()
{
Identity = IdentitySecurityLogIdentityConsts.IdentityExternal,
Action = "Login" + result
});
}
if (result.IsLockedOut)
{
throw new UserFriendlyException("Cannot proceed because user is locked out!");
}
if (result.Succeeded)
{
return(RedirectSafely(returnUrl, returnUrlHash));
}
//TODO: Handle other cases for result!
// Get the information about the user from the external login provider
var externalLoginInfo = await SignInManager.GetExternalLoginInfoAsync();
if (externalLoginInfo == null)
{
throw new ApplicationException("Error loading external login information during confirmation.");
}
if (!IsEmailRetrievedFromExternalLogin(externalLoginInfo))
{
return(RedirectToPage("./Register", new
{
IsExternalLogin = true,
ExternalLoginAuthSchema = externalLoginInfo.LoginProvider,
ReturnUrl = returnUrl
}));
}
var user = await CreateExternalUserAsync(externalLoginInfo);
await SignInManager.SignInAsync(user, false);
await IdentitySecurityLogManager.SaveAsync(new IdentitySecurityLogContext()
{
Identity = IdentitySecurityLogIdentityConsts.IdentityExternal,
Action = result.ToIdentitySecurityLogAction(),
UserName = user.Name
});
return(RedirectSafely(returnUrl, returnUrlHash));
}
/// <summary> Constructor. </summary>
/// <param name="options"> Options for controlling the operation. </param>
public IdentityDataProvider(IdentityOptions options)
{
_options = options ?? throw new ArgumentNullException(nameof(options));
}
public async Task OnValidateIdentityDoesNotRejectsWhenNotExpired()
{
var user = new TestUser("test");
var httpContext = new Mock<HttpContext>();
var userManager = MockHelpers.MockUserManager<TestUser>();
var claimsManager = new Mock<IUserClaimsPrincipalFactory<TestUser>>();
var identityOptions = new IdentityOptions { SecurityStampValidationInterval = TimeSpan.FromDays(1) };
var options = new Mock<IOptions<IdentityOptions>>();
options.Setup(a => a.Value).Returns(identityOptions);
var contextAccessor = new Mock<IHttpContextAccessor>();
contextAccessor.Setup(a => a.HttpContext).Returns(httpContext.Object);
var signInManager = new Mock<SignInManager<TestUser>>(userManager.Object,
contextAccessor.Object, claimsManager.Object, options.Object, null);
signInManager.Setup(s => s.ValidateSecurityStampAsync(It.IsAny<ClaimsPrincipal>(), user.Id)).Throws(new Exception("Shouldn't be called"));
signInManager.Setup(s => s.SignInAsync(user, false, null)).Throws(new Exception("Shouldn't be called"));
var services = new ServiceCollection();
services.AddSingleton(options.Object);
services.AddSingleton(signInManager.Object);
services.AddSingleton<ISecurityStampValidator>(new SecurityStampValidator<TestUser>());
httpContext.Setup(c => c.RequestServices).Returns(services.BuildServiceProvider());
var id = new ClaimsIdentity(identityOptions.Cookies.ApplicationCookieAuthenticationScheme);
id.AddClaim(new Claim(ClaimTypes.NameIdentifier, user.Id));
var ticket = new AuthenticationTicket(new ClaimsPrincipal(id),
new AuthenticationProperties { IssuedUtc = DateTimeOffset.UtcNow },
identityOptions.Cookies.ApplicationCookieAuthenticationScheme);
var context = new CookieValidatePrincipalContext(httpContext.Object, ticket, new CookieAuthenticationOptions());
Assert.NotNull(context.Properties);
Assert.NotNull(context.Options);
Assert.NotNull(context.Principal);
await SecurityStampValidator.ValidatePrincipalAsync(context);
Assert.NotNull(context.Principal);
}
