public void Equals_Null_ReturnsFalse() { // Arrange object blobA = new BinaryBlob(32); object?blobB = null; // Act & assert Assert.NotEqual(blobA, blobB); }
public void Equals_DifferentData_ReturnsFalse() { // Arrange object blobA = new BinaryBlob(32, new byte[] { 0x01, 0x02, 0x03, 0x04 }); object blobB = new BinaryBlob(32, new byte[] { 0x04, 0x03, 0x02, 0x01 }); // Act & assert Assert.NotEqual(blobA, blobB); }
public void Equals_NotABlob_ReturnsFalse() { // Arrange object blobA = new BinaryBlob(32); object blobB = "hello"; // Act & assert Assert.NotEqual(blobA, blobB); }
public void Ctor_BitLength_ProducesDifferentValues() { // Act var blobA = new BinaryBlob(bitLength: 64); var blobB = new BinaryBlob(bitLength: 64); // Assert Assert.NotEqual(blobA.GetData(), blobB.GetData()); }
public void Equals_SameData_ReturnsTrue() { // Arrange object blobA = new BinaryBlob(32, new byte[] { 0x01, 0x02, 0x03, 0x04 }); object blobB = new BinaryBlob(32, new byte[] { 0x01, 0x02, 0x03, 0x04 }); // Act & assert Assert.Equal(blobA, blobB); }
public void Ctor_BitLength() { // Act var blob = new BinaryBlob(bitLength: 64); var data = blob.GetData(); // Assert Assert.Equal(64, blob.BitLength); Assert.Equal(64 / 8, data.Length); Assert.NotEqual(new byte[64 / 8], data); // should not be a zero-filled array }
public void Ctor_Data() { // Arrange var expectedData = new byte[] { 0x01, 0x02, 0x03, 0x04 }; // Act var blob = new BinaryBlob(32, expectedData); // Assert Assert.Equal(32, blob.BitLength); Assert.Equal(expectedData, blob.GetData()); }
public void SecurityTokenProperty_PropertySetter_DoesNotUseDefaults() { // Arrange var token = new AntiforgeryToken(); // Act var securityToken = new BinaryBlob(64); token.SecurityToken = securityToken; // Assert Assert.Equal(securityToken, token.SecurityToken); }
public void GetHashCodeTest() { // Arrange var blobData = new byte[] { 0x01, 0x02, 0x03, 0x04 }; var expectedHashCode = BitConverter.ToInt32(blobData, 0); var blob = new BinaryBlob(32, blobData); // Act var actualHashCode = blob.GetHashCode(); // Assert Assert.Equal(expectedHashCode, actualHashCode); }
public void ClaimUidProperty() { // Arrange var token = new AntiforgeryToken(); // Act & assert - 1 Assert.Null(token.ClaimUid); // Act & assert - 2 BinaryBlob blob = new BinaryBlob(32); token.ClaimUid = blob; Assert.Equal(blob, token.ClaimUid); // Act & assert - 3 token.ClaimUid = null; Assert.Null(token.ClaimUid); }
public void TryValidateTokenSet_ClaimUidMismatch() { // Arrange var httpContext = new DefaultHttpContext(); var identity = GetAuthenticatedIdentity("the-user"); httpContext.User = new ClaimsPrincipal(identity); var cookieToken = new AntiforgeryToken() { IsCookieToken = true }; var fieldtoken = new AntiforgeryToken() { SecurityToken = cookieToken.SecurityToken, IsCookieToken = false, ClaimUid = new BinaryBlob(256) }; var differentToken = new BinaryBlob(256); var mockClaimUidExtractor = new Mock <IClaimUidExtractor>(); mockClaimUidExtractor.Setup(o => o.ExtractClaimUid(It.Is <ClaimsPrincipal>(c => c.Identity == identity))) .Returns(Convert.ToBase64String(differentToken.GetData())); var tokenProvider = new DefaultAntiforgeryTokenGenerator( claimUidExtractor: mockClaimUidExtractor.Object, additionalDataProvider: null); string expectedMessage = "The provided antiforgery token was meant for a different " + "claims-based user than the current user."; // Act string message; var result = tokenProvider.TryValidateTokenSet(httpContext, cookieToken, fieldtoken, out message); // Assert Assert.False(result); Assert.Equal(expectedMessage, message); }
public void GenerateRequestToken_ClaimsBasedIdentity() { // Arrange var cookieToken = new AntiforgeryToken() { IsCookieToken = true }; var identity = GetAuthenticatedIdentity("some-identity"); var httpContext = new DefaultHttpContext(); httpContext.User = new ClaimsPrincipal(identity); byte[] data = new byte[256 / 8]; using (var rng = RandomNumberGenerator.Create()) { rng.GetBytes(data); } var base64ClaimUId = Convert.ToBase64String(data); var expectedClaimUid = new BinaryBlob(256, data); var mockClaimUidExtractor = new Mock <IClaimUidExtractor>(); mockClaimUidExtractor.Setup(o => o.ExtractClaimUid(It.Is <ClaimsPrincipal>(c => c.Identity == identity))) .Returns(base64ClaimUId); var tokenProvider = new DefaultAntiforgeryTokenGenerator( claimUidExtractor: mockClaimUidExtractor.Object, additionalDataProvider: null); // Act var fieldToken = tokenProvider.GenerateRequestToken(httpContext, cookieToken); // Assert Assert.NotNull(fieldToken); Assert.Equal(cookieToken.SecurityToken, fieldToken.SecurityToken); Assert.False(fieldToken.IsCookieToken); Assert.Equal("", fieldToken.Username); Assert.Equal(expectedClaimUid, fieldToken.ClaimUid); Assert.Equal("", fieldToken.AdditionalData); }
/// <inheritdoc /> public bool TryValidateTokenSet( HttpContext httpContext, AntiforgeryToken cookieToken, AntiforgeryToken requestToken, out string message) { if (httpContext == null) { throw new ArgumentNullException(nameof(httpContext)); } if (cookieToken == null) { throw new ArgumentNullException( nameof(cookieToken), Resources.Antiforgery_CookieToken_MustBeProvided_Generic); } if (requestToken == null) { throw new ArgumentNullException( nameof(requestToken), Resources.Antiforgery_RequestToken_MustBeProvided_Generic); } // Do the tokens have the correct format? if (!cookieToken.IsCookieToken || requestToken.IsCookieToken) { message = Resources.AntiforgeryToken_TokensSwapped; return(false); } // Are the security tokens embedded in each incoming token identical? if (!object.Equals(cookieToken.SecurityToken, requestToken.SecurityToken)) { message = Resources.AntiforgeryToken_SecurityTokenMismatch; return(false); } // Is the incoming token meant for the current user? var currentUsername = string.Empty; BinaryBlob currentClaimUid = null; var authenticatedIdentity = GetAuthenticatedIdentity(httpContext.User); if (authenticatedIdentity != null) { currentClaimUid = GetClaimUidBlob(_claimUidExtractor.ExtractClaimUid(httpContext.User)); if (currentClaimUid == null) { currentUsername = authenticatedIdentity.Name ?? string.Empty; } } // OpenID and other similar authentication schemes use URIs for the username. // These should be treated as case-sensitive. var comparer = StringComparer.OrdinalIgnoreCase; if (currentUsername.StartsWith("http://", StringComparison.OrdinalIgnoreCase) || currentUsername.StartsWith("https://", StringComparison.OrdinalIgnoreCase)) { comparer = StringComparer.Ordinal; } if (!comparer.Equals(requestToken.Username, currentUsername)) { message = Resources.FormatAntiforgeryToken_UsernameMismatch(requestToken.Username, currentUsername); return(false); } if (!object.Equals(requestToken.ClaimUid, currentClaimUid)) { message = Resources.AntiforgeryToken_ClaimUidMismatch; return(false); } // Is the AdditionalData valid? if (_additionalDataProvider != null && !_additionalDataProvider.ValidateAdditionalData(httpContext, requestToken.AdditionalData)) { message = Resources.AntiforgeryToken_AdditionalDataCheckFailed; return(false); } message = null; return(true); }