public void AttemptToPokeInValueViaGetQueryParamaterRequestFails(string requestUrl) { "Given a URL with a secure property" .x(() => requestUrl = "/api/securityTest/asQueryParam?SensitiveData=shouldbeblocked&AnotherPieceOfData=something"); "When the request attempts to set the property via a GET operation" .x(async() => await HttpClient.GetAsync(requestUrl)); "Then the captured command ignores the data in the payload and the command contains a null SensitiveData property" .x(() => { CaptureCommandDispatcher commandDispatcher = (CaptureCommandDispatcher)CommandDispatcher; Assert.Equal(1, commandDispatcher.CommandLog.Count); Assert.IsType <SecurityTestCommand>(commandDispatcher.CommandLog.Single()); Assert.Null(((SecurityTestCommand)commandDispatcher.CommandLog.Single()).SensitiveData); }); }
public void SecurePropertyShouldNotBeSetWithoutClaimsMapping(string requestUrl, Post post) { "Given a request for the current users profiles" .x(() => requestUrl = "/api/profile/posts"); "When the API call is made" .x(async() => await HttpClient.GetAsync(requestUrl)); "Then the captured command contains an empty user ID" .x(() => { CaptureCommandDispatcher commandDispatcher = (CaptureCommandDispatcher)CommandDispatcher; Assert.Equal(1, commandDispatcher.CommandLog.Count); Assert.IsType <GetPostsForCurrentUserQuery>(commandDispatcher.CommandLog.Single()); Assert.Equal(Guid.Empty, ((GetPostsForCurrentUserQuery)commandDispatcher.CommandLog.Single()).UserId); }); }
public void AttemptToPokeInValueViaPostRequestFails(string requestUrl) { "Given a URL with a post body with a secure property" .x(() => requestUrl = "/api/securityTest"); "When the request attempts to set the property via a POST operation" .x(async() => await HttpClient.PostAsync(requestUrl, new StringContent(JsonConvert.SerializeObject( new SecurityTestCommand { AnotherPieceOfData = "something", SensitiveData = "shouldbeblocked" }), Encoding.UTF8, "application/json"))); "Then the captured command ignores the data in the payload and the command contains a null SensitiveData property" .x(() => { CaptureCommandDispatcher commandDispatcher = (CaptureCommandDispatcher)CommandDispatcher; Assert.Equal(1, commandDispatcher.CommandLog.Count); Assert.IsType <SecurityTestCommand>(commandDispatcher.CommandLog.Single()); Assert.Null(((SecurityTestCommand)commandDispatcher.CommandLog.Single()).SensitiveData); }); }