Exemplo n.º 1
0
        public async Task OnAuthorization_WithDifferentUrl_ShouldNotAuthorize()
        {
            //Arrange
            var                 cryptoService = new HmacSha256CryptographyService(Options);
            TestServer          server        = TestServerHelper.CreateServer <string>(Options);
            var                 url           = "/api/dummy/SomeBewitProtectedUrl";
            BewitPayloadContext context       = new BewitPayloadContext(typeof(string))
                                                .SetCryptographyService(() => cryptoService)
                                                .SetVariablesProvider(() => TestServerHelper.VariablesProvider)
                                                .SetRepository(() => TestServerHelper.NonceRepository);
            var tokenGenerator             = new BewitTokenGenerator <string>(Options, context);
            BewitToken <string> bewitToken =
                await tokenGenerator.GenerateBewitTokenAsync(url.ToLowerInvariant(),
                                                             CancellationToken.None);

            url = "/api/dummy/WithBewitProtection";
            var        fullUrl = $"{url}?bewit={bewitToken}";
            HttpClient client  = server.CreateClient();

            //Act
            HttpResponseMessage res =
                await client.GetAsync(fullUrl, CancellationToken.None);

            //Assert
            res.StatusCode.Should().Be(HttpStatusCode.Forbidden);
            var content = await res.Content.ReadAsStringAsync();

            if (content != null)
            {
                Assert.Equal(-1, content.IndexOf("bar"));
            }
        }
Exemplo n.º 2
0
        public async Task OnAuthorization_WithAlteredPayloadForUrl_ShouldNotAuthorize()
        {
            //Arrange
            var                 cryptoService = new HmacSha256CryptographyService(Options);
            TestServer          server        = TestServerHelper.CreateServer <string>(Options);
            var                 url           = "/api/dummy/SomeBewitProtectedUrl";
            BewitPayloadContext context       = new BewitPayloadContext(typeof(string))
                                                .SetCryptographyService(() => cryptoService)
                                                .SetVariablesProvider(() => TestServerHelper.VariablesProvider)
                                                .SetRepository(() => TestServerHelper.NonceRepository);
            var tokenGenerator             = new BewitTokenGenerator <string>(Options, context);
            BewitToken <string> bewitToken =
                await tokenGenerator.GenerateBewitTokenAsync(url.ToLowerInvariant(),
                                                             CancellationToken.None);

            //try to hack the token by replacing the url but reusing the same hash
            url = "/api/dummy/WithBewitProtection";
            var serializedBewit =
                Encoding.UTF8.GetString(Convert.FromBase64String((string)bewitToken));
            Bewit <string> bewitInternal =
                JsonConvert.DeserializeObject <Bewit <string> >(serializedBewit);
            var newBewitInternal = new Bewit <string>(
                bewitInternal.Nonce,
                bewitInternal.ExpirationDate,
                url.ToLowerInvariant(),
                bewitInternal.Hash);

            serializedBewit = JsonConvert.SerializeObject(newBewitInternal);
            bewitToken      = new BewitToken <string>(Convert.ToBase64String(
                                                          Encoding.UTF8.GetBytes(serializedBewit)
                                                          ));

            var        fullUrl = $"{url}?bewit={bewitToken}";
            HttpClient client  = server.CreateClient();

            //Act
            HttpResponseMessage res =
                await client.GetAsync(fullUrl, CancellationToken.None);

            //Assert
            res.StatusCode.Should().Be(HttpStatusCode.Forbidden);
            var content = await res.Content.ReadAsStringAsync();

            if (content != null)
            {
                Assert.Equal(-1, content.IndexOf("bar"));
            }
        }
Exemplo n.º 3
0
        public void GenerateBewitTokenAsync_WithNullPayload_ShouldThrow()
        {
            //Arrange
            ICryptographyService cryptoService =
                MockHelper.GetMockedCrpytoService <Foo>();
            BewitPayloadContext context = new BewitPayloadContext(typeof(string))
                                          .SetCryptographyService(() => cryptoService)
                                          .SetVariablesProvider(() => new MockHelper.MockedVariablesProvider())
                                          .SetRepository(() => new DefaultNonceRepository());
            var provider = new BewitTokenGenerator <Foo>(new BewitOptions(), context);

            //Act
            Func <Task> generateBewit = async() =>
                                        await provider.GenerateBewitTokenAsync(null,
                                                                               CancellationToken.None);

            //Assert
            generateBewit.Should().Throw <ArgumentNullException>();
        }
Exemplo n.º 4
0
        public async Task GenerateBewitTokenAsync_WithDifferentPayload_ShouldGenerateBewit()
        {
            //Arrange
            ICryptographyService cryptoService = MockHelper.GetMockedCrpytoService <Foo>();
            BewitPayloadContext  context       = new BewitPayloadContext(typeof(string))
                                                 .SetCryptographyService(() => cryptoService)
                                                 .SetVariablesProvider(() => new MockHelper.MockedVariablesProvider())
                                                 .SetRepository(() => new DefaultNonceRepository());
            var provider = new BewitTokenGenerator <Foo>(new BewitOptions(), context);
            var payload  = new Foo
            {
                Bar = 5
            };

            //Act
            BewitToken <Foo> bewit =
                await provider.GenerateBewitTokenAsync(payload,
                                                       CancellationToken.None);

            //Assert
            ((string)bewit).Should().Be("eyJQYXlsb2FkIjp7IkJhciI6NX0sIkhhc2giOiI3MjRlN2FjYy1iZTU3LTQ5YTEtODE5NS00NmEwM2M2MjcxYzZfXzIwMTctMDEtMDFUMDE6MDI6MDEuMDAxMDAwMFpfX3tcIkJhclwiOjV9IiwiTm9uY2UiOiI3MjRlN2FjYy1iZTU3LTQ5YTEtODE5NS00NmEwM2M2MjcxYzYiLCJFeHBpcmF0aW9uRGF0ZSI6IjIwMTctMDEtMDFUMDE6MDI6MDEuMDAxWiJ9");
        }
Exemplo n.º 5
0
        public async Task OnAuthorization_WithValidBewitForUrl_ShouldAuthorize()
        {
            //Arrange
            TestServer          server  = TestServerHelper.CreateServer <IDictionary <string, object> >(Options);
            BewitPayloadContext context = new BewitPayloadContext(typeof(IDictionary <string, object>))
                                          .SetCryptographyService(() => new HmacSha256CryptographyService(Options))
                                          .SetVariablesProvider(() => TestServerHelper.VariablesProvider)
                                          .SetRepository(() => TestServerHelper.NonceRepository);
            var          tokenGenerator = new BewitTokenGenerator <IDictionary <string, object> >(Options, context);
            const string id             = "1",
                         firstName      = "John",
                         lastName       = "Smith";
            var payload =
                new Dictionary <string, object>
            {
                ["firstName"] = "John",
                ["lastName"]  = "Smith"
            };
            BewitToken <IDictionary <string, object> > bewitToken =
                await tokenGenerator.GenerateBewitTokenAsync(
                    payload,
                    CancellationToken.None);

            var        url     = $"/api/dummy/WithBewitParameters/{id}";
            var        fullUrl = $"{url}?bewit={bewitToken}";
            HttpClient client  = server.CreateClient();

            //Act
            HttpResponseMessage res =
                await client.GetAsync(fullUrl, CancellationToken.None);

            //Assert
            res.StatusCode.Should().Be(HttpStatusCode.OK);
            var content = await res.Content.ReadAsStringAsync();

            content.Should().Be($"{id}: {firstName} {lastName}");
        }