private Response BatchProcess(UriInfo uriInfo, HttpHeaders httpHeaders, HttpServletRequest req, Stream body)
{
try
{
NonStreamingBatchOperations batchOperations = new NonStreamingBatchOperations(_webServer);
BatchOperationResults results = batchOperations.PerformBatchJobs(uriInfo, httpHeaders, req, body);
Response res = Response.ok().entity(results.ToJSON()).type(HttpHeaderUtils.mediaTypeWithCharsetUtf8(MediaType.APPLICATION_JSON_TYPE)).build();
_representationWriteHandler.onRepresentationWritten();
return(res);
}
catch (Exception e)
{
return(_output.serverError(e));
}
finally
{
_representationWriteHandler.onRepresentationFinal();
}
}
public async Task IssueAccessTokenFromStsToken_WrongIssuingCertificate_ReturnsError()
{
var clientCertificate = CertificateUtil.GetCertificate("0E6DBCC6EFAAFF72E3F3D824E536381B26DEECF5");
var issuerAudienceses = new[]
{
//wrong issuing cert
new IssuerAudiences("0E6DBCC6EFAAFF72E3F3D824E536381B26DEECF5", "sts cert")
.Audience(new Uri("https://wsp.oioidws-net.dk")),
};
await PerformValidationTestAsync(clientCertificate, issuerAudienceses, (options, response) =>
{
Assert.AreEqual(HttpStatusCode.Unauthorized, response.StatusCode);
var errors = HttpHeaderUtils.ParseOAuthSchemeParameter(response.Headers.WwwAuthenticate.First().Parameter);
Assert.AreEqual(AuthenticationErrorCodes.InvalidToken, errors["error"]);
Assert.AreEqual("Issuer certificate 'D9F10C97AA647727ADB64A349BB037C5C23C9A7A' was unknown", errors["error_description"]);
return(Task.FromResult(0));
});
}
public async Task Authenticate_UnknownToken_UnauthorizedByService()
{
await ProcessAuthenticateAsync(
"bearer",
(context, next) =>
{
//this service requires auth, therefore denies
context.Response.StatusCode = context.Request.User == null ? 401 : 200;
return(Task.FromResult(0));
},
response =>
{
Assert.AreEqual(HttpStatusCode.Unauthorized, response.StatusCode);
var errors = HttpHeaderUtils.ParseOAuthSchemeParameter(response.Headers.WwwAuthenticate.First().Parameter);
Assert.AreEqual(AuthenticationErrorCodes.InvalidToken, errors["error"]);
Assert.AreEqual("Token information could not be retrieved from the Authorization Server. The access token might be unknown or expired", errors["error_description"]);
return(Task.FromResult(0));
},
tokenFunc : () => null);
}
public async Task IssueAccessTokenFromStsToken_ExpiredSecurityToken_ReturnsError()
{
var clientCertificate = CertificateUtil.GetCertificate("0E6DBCC6EFAAFF72E3F3D824E536381B26DEECF5");
var issuerAudienceses = new[]
{
new IssuerAudiences("d9f10c97aa647727adb64a349bb037c5c23c9a7a", "sts cert")
.Audience(new Uri("https://wsp.oioidws-net.dk")),
};
var samlToken = File.ReadAllText(@"Resources\ExpiredSecurityToken.xml");
await PerformValidationTestAsync(clientCertificate, issuerAudienceses, (options, response) =>
{
Assert.AreEqual(HttpStatusCode.Unauthorized, response.StatusCode);
var errors = HttpHeaderUtils.ParseOAuthSchemeParameter(response.Headers.WwwAuthenticate.First().Parameter);
Assert.AreEqual(AuthenticationErrorCodes.InvalidToken, errors["error"]);
Assert.AreEqual("The Token is expired", errors["error_description"]);
return(Task.FromResult(0));
},
samlToken : () => samlToken);
}
public async Task Authenticate_InsufficientScope_ReturnsRequiredScope()
{
await ProcessAuthenticateAsync(
"bearer",
(context, next) =>
{
//this service requires auth, therefore denies if nu user
var authProperties = new AuthenticationProperties();
authProperties.Dictionary[AuthenticationErrorCodes.InsufficentScope] = "scope1";
context.Authentication.Challenge(authProperties);
return(Task.FromResult(0));
},
response =>
{
Assert.AreEqual(HttpStatusCode.Forbidden, response.StatusCode);
var errors = HttpHeaderUtils.ParseOAuthSchemeParameter(response.Headers.WwwAuthenticate.First().Parameter);
Assert.AreEqual(AuthenticationErrorCodes.InsufficentScope, errors["error"]);
Assert.AreEqual("scope1", errors["scope"]);
return(Task.FromResult(0));
});
}
public async Task Authenticate_WrongTokenType_UnauthorizedByService()
{
await ProcessAuthenticateAsync(
"bearer",
(context, next) =>
{
//this service requires auth, therefore denies
context.Response.StatusCode = context.Request.User == null ? 401 : 200;
return(Task.FromResult(0));
},
response =>
{
Assert.AreEqual(HttpStatusCode.Unauthorized, response.StatusCode);
var errors = HttpHeaderUtils.ParseOAuthSchemeParameter(response.Headers.WwwAuthenticate.First().Parameter);
Assert.AreEqual(AuthenticationErrorCodes.InvalidToken, errors["error"]);
Assert.AreEqual("Authentication scheme was not valid", errors["error_description"]);
return(Task.FromResult(0));
},
tokenFunc : () => new OioIdwsToken {
Type = AccessTokenType.HolderOfKey
});
}
public async Task Authenticate_InvalidHolderOfKeyCertificate_UnauthorizedByService()
{
await ProcessAuthenticateAsync(
"holder-of-key",
(context, next) =>
{
//this service requires auth, therefore denies
context.Response.StatusCode = context.Request.User == null ? 401 : 200;
return(Task.FromResult(0));
},
response =>
{
Assert.AreEqual(HttpStatusCode.Unauthorized, response.StatusCode);
var errors = HttpHeaderUtils.ParseOAuthSchemeParameter(response.Headers.WwwAuthenticate.First().Parameter);
Assert.AreEqual(AuthenticationErrorCodes.InvalidToken, errors["error"]);
Assert.AreEqual("A valid certificate must be presented when presenting a Holder-of-key token", errors["error_description"]);
return(Task.FromResult(0));
},
tokenFunc : () => new OioIdwsToken {
Type = AccessTokenType.HolderOfKey, CertificateThumbprint = "correct cert thumbprint"
},
certificateFunc : () => CertificateUtil.GetCertificate("d9f10c97aa647727adb64a349bb037c5c23c9a7a"));
}
private static bool IsInvalidToken(HttpResponseMessage response)
{
return(response.Headers.WwwAuthenticate.Any(x =>
AccessTokenTypeParser.FromString(x.Scheme).HasValue&&
HttpHeaderUtils.ParseOAuthSchemeParameter(x.Parameter)["error"].Equals(AuthenticationErrorCodes.InvalidToken, StringComparison.OrdinalIgnoreCase)));
}
public async Task <AccessToken> GetTokenAsync(GenericXmlSecurityToken securityToken, CancellationToken cancellationToken)
{
if (securityToken == null)
{
throw new ArgumentNullException(nameof(securityToken));
}
string samlToken;
using (var stream = new MemoryStream())
{
using (var writer = XmlWriter.Create(stream))
{
securityToken.TokenXml.WriteTo(writer);
}
samlToken = Convert.ToBase64String(stream.ToArray());
}
var requestHandler = new WebRequestHandler
{
ClientCertificates = { _settings.ClientCertificate }
};
var formFields = new Dictionary <string, string>
{
{ "saml-token", samlToken }
};
if (_settings.DesiredAccessTokenExpiry.HasValue)
{
formFields["should-expire-in"] =
((int)_settings.DesiredAccessTokenExpiry.Value.TotalSeconds).ToString();
}
var client = new HttpClient(requestHandler);
var response = await client.PostAsync(
_settings.AccessTokenIssuerEndpoint,
new FormUrlEncodedContent(formFields),
cancellationToken);
if (!response.IsSuccessStatusCode)
{
//just find the first valid authenticate header we recognize
var challenge = response.Headers.WwwAuthenticate
.Select(x => new
{
Type = AccessTokenTypeParser.FromString(x.Scheme),
x.Parameter
})
.FirstOrDefault(x => x.Type.HasValue);
if (challenge != null)
{
var parms = HttpHeaderUtils.ParseOAuthSchemeParameter(challenge.Parameter);
throw new OioIdwsChallengeException(
challenge.Type.Value,
parms["error"],
parms["error_description"],
$@"Got unexpected challenge while issuing access token from '{
_settings.AccessTokenIssuerEndpoint
}'
({response.StatusCode})': {parms["error"]} - {parms["error_description"]}");
}
throw new InvalidOperationException(
$@"Got unexpected response while issuing access token from '{_settings.AccessTokenIssuerEndpoint}'
{response.StatusCode}: {await response.Content.ReadAsStringAsync()}");
}
var json = await response.Content.ReadAsStringAsync();
var jsonValue = JObject.Parse(json);
var accessToken = new Rest.Client.AccessToken.AccessToken
{
Value = (string)jsonValue["access_token"],
ExpiresIn = TimeSpan.FromSeconds((int)jsonValue["expires_in"]),
RetrievedAtUtc = DateTime.UtcNow,
Type = ParseAccessTokenType((string)jsonValue["token_type"])
};
return(accessToken);
}
internal static EntityTagHeaderValue GetETagFromVersion(byte[] version)
{
string quotedEtag = HttpHeaderUtils.GetQuotedString(Convert.ToBase64String(version));
return(new EntityTagHeaderValue(quotedEtag));
}
protected internal virtual Response Response(Response.ResponseBuilder response, Representation representation)
{
return(FormatRepresentation(response, representation).type(HttpHeaderUtils.mediaTypeWithCharsetUtf8(MediaType)).build());
}
public async Task Authenticates_TokenExpired_IsUnauthorized()
{
var accessToken = "dummy";
var oioIdwsTokenKey = "token1";
var token = new OioIdwsToken
{
ExpiresUtc = DateTimeOffset.UtcNow.AddHours(-1),
Claims = new[]
{
new OioIdwsClaim
{
Value = "hans",
Type = "name"
},
}
};
var storeMock = new Mock <ISecurityTokenStore>();
storeMock
.Setup(x => x.RetrieveTokenAsync(oioIdwsTokenKey))
.ReturnsAsync(token);
var authProperties = new AuthenticationProperties
{
ExpiresUtc = DateTimeOffset.UtcNow.AddHours(-1),
Dictionary = { { "value", oioIdwsTokenKey } }
};
var tokenDataFormatMock = new Mock <ISecureDataFormat <AuthenticationProperties> >();
tokenDataFormatMock
.Setup(x => x.Unprotect(accessToken))
.Returns(authProperties);
using (var server = TestServer.Create(app =>
{
app
.UseOioIdwsAuthentication(new OioIdwsAuthenticationOptions())
.UseOioIdwsAuthorizationService(new OioIdwsAuthorizationServiceOptions
{
AccessTokenIssuerPath = new PathString("/accesstoken/issue"),
IssuerAudiences = () => Task.FromResult(new[] { new IssuerAudiences("", "") }),
SecurityTokenStore = storeMock.Object,
TokenDataFormat = tokenDataFormatMock.Object,
})
.Use((context, next) =>
{
if (context.Request.Path == new PathString("/wsp"))
{
context.Response.StatusCode = context.Request.User != null ? 200 : 401;
}
return(Task.FromResult(0));
});
}))
{
var client = server.HttpClient;
var authHeader = new AuthenticationHeaderValue("Bearer", accessToken);
client.DefaultRequestHeaders.Authorization = authHeader;
{
var response = await client.GetAsync("/wsp");
Assert.AreEqual(HttpStatusCode.Unauthorized, response.StatusCode);
var errors = HttpHeaderUtils.ParseOAuthSchemeParameter(response.Headers.WwwAuthenticate.First().Parameter);
Assert.AreEqual(AuthenticationErrorCodes.InvalidToken, errors["error"]);
Assert.AreEqual("Token was expired", errors["error_description"]);
}
{
authProperties.ExpiresUtc = DateTimeOffset.Now.AddHours(1);
var response = await client.GetAsync("/wsp");
Assert.AreEqual(HttpStatusCode.Unauthorized, response.StatusCode);
var errors = HttpHeaderUtils.ParseOAuthSchemeParameter(response.Headers.WwwAuthenticate.First().Parameter);
Assert.AreEqual(AuthenticationErrorCodes.InvalidToken, errors["error"]);
Assert.AreEqual("Token was expired", errors["error_description"]);
}
}
}
