public async Task GivenMatchingApiKeyWithOwnerScopeOfSelf_ItSetsUserInOwinEnvironment()
{
// Arrange
var user = new User {
Key = 1234, Username = "******", EmailAddress = "*****@*****.**"
};
TestableApiKeyAuthenticationHandler handler = await TestableApiKeyAuthenticationHandler.CreateAsync(new ApiKeyAuthenticationOptions());
var apiKeyCredential = new CredentialBuilder().CreateApiKey(Fakes.ExpirationForApiKeyV1, out string plaintextApiKey);
apiKeyCredential.Scopes.Add(new Scope(1234, "thePackage", "theAction"));
handler.OwinContext.Request.Headers.Set(
ServicesConstants.ApiKeyHeaderName,
plaintextApiKey);
handler.MockAuth.SetupAuth(apiKeyCredential, user, credentialValue: plaintextApiKey);
// Act
await handler.InvokeAuthenticateCoreAsync();
// Assert
var authUser = Assert.IsType <AuthenticatedUser>(
handler.OwinContext.Environment[ServicesConstants.CurrentUserOwinEnvironmentKey]);
Assert.Same(user, authUser.User);
}
public async Task GivenA401ResponseInActiveModeAndNoHeader_ItReturns401ApiKeyRequired()
{
// Arrange
var handler = await TestableApiKeyAuthenticationHandler.CreateAsync(new ApiKeyAuthenticationOptions()
{
AuthenticationMode = AuthenticationMode.Active,
AuthenticationType = "blarg"
});
handler.OwinContext.Response.StatusCode = 401;
handler.OwinContext.Response.Headers.Set("WWW-Authenticate", "existing");
handler.OwinContext.Authentication.AuthenticationResponseChallenge =
new AuthenticationResponseChallenge(new [] { "blarg" }, new AuthenticationProperties());
// Act
var body = await handler.OwinContext.Response.CaptureBodyAsString(async() =>
await handler.InvokeApplyResponseChallengeAsync());
// Assert
Assert.Equal(Strings.ApiKeyRequired, handler.OwinContext.Response.ReasonPhrase);
Assert.Equal(Strings.ApiKeyRequired, body);
Assert.Equal(401, handler.OwinContext.Response.StatusCode);
var authenticateValues = handler.OwinContext.Response.Headers.GetCommaSeparatedValues("WWW-Authenticate");
Assert.Contains(
"ApiKey realm=\"nuget.local\"",
authenticateValues);
Assert.Contains(
"existing",
authenticateValues);
}
public async Task GivenMatchingApiKey_ItReturnsTicketWithClaims(string apiKeyType)
{
// Arrange
var fakes = Get <Fakes>();
var user = fakes.User;
//var user = new User { Username = "******", EmailAddress = "*****@*****.**" };
var handler = await TestableApiKeyAuthenticationHandler.CreateAsync(new ApiKeyAuthenticationOptions());
var apiKeyCredential = user.Credentials.First(c => c.Type == apiKeyType);
apiKeyCredential.Key = 99;
var plaintextApiKey = apiKeyCredential.Type == CredentialTypes.ApiKey.V4 ? fakes.ApiKeyV4PlaintextValue : apiKeyCredential.Value;
handler.OwinContext.Request.Headers.Set(
ServicesConstants.ApiKeyHeaderName,
plaintextApiKey);
handler.MockAuth.SetupAuth(apiKeyCredential, user, credentialValue: plaintextApiKey);
// Act
var ticket = await handler.InvokeAuthenticateCoreAsync();
// Assert
Assert.NotNull(ticket);
Assert.Equal(user.Username, ticket.Identity.GetClaimOrDefault(ClaimTypes.NameIdentifier));
Assert.Equal(apiKeyCredential.Value, ticket.Identity.GetClaimOrDefault(NuGetClaims.ApiKey));
Assert.Equal(apiKeyCredential.Key.ToString(), ticket.Identity.GetClaimOrDefault(NuGetClaims.CredentialKey));
Assert.Equal(JsonConvert.SerializeObject(apiKeyCredential.Scopes, Formatting.None), ticket.Identity.GetClaimOrDefault(NuGetClaims.Scope));
}
public async Task GivenMatchingApiKey_ItSetsUserInOwinEnvironment()
{
// Arrange
Guid apiKey = Guid.NewGuid();
var user = new User()
{
Username = "******", EmailAddress = "*****@*****.**"
};
TestableApiKeyAuthenticationHandler handler = await TestableApiKeyAuthenticationHandler.CreateAsync(new ApiKeyAuthenticationOptions()
{
RootPath = "/api"
});
handler.OwinContext.Request.Path = "/api/v2/packages";
handler.OwinContext.Request.Headers.Set(
Constants.ApiKeyHeaderName,
apiKey.ToString().ToLowerInvariant());
handler.MockAuth.SetupAuth(CredentialBuilder.CreateV1ApiKey(apiKey), user);
// Act
await handler.InvokeAuthenticateCoreAsync();
// Assert
var authUser = Assert.IsType <AuthenticatedUser>(
handler.OwinContext.Environment[Constants.CurrentUserOwinEnvironmentKey]);
Assert.Same(user, authUser.User);
}
public async Task GivenMatchingApiKey_ItReturnsTicketWithUserNameAndRoles()
{
// Arrange
Guid apiKey = Guid.NewGuid();
var user = new User()
{
Username = "******", EmailAddress = "*****@*****.**"
};
TestableApiKeyAuthenticationHandler handler = await TestableApiKeyAuthenticationHandler.CreateAsync(new ApiKeyAuthenticationOptions()
{
RootPath = "/api"
});
handler.OwinContext.Request.Path = "/api/v2/packages";
handler.OwinContext.Request.Headers.Set(
Constants.ApiKeyHeaderName,
apiKey.ToString().ToLowerInvariant());
handler.MockAuth.SetupAuth(CredentialBuilder.CreateV1ApiKey(apiKey), user);
// Act
var ticket = await handler.InvokeAuthenticateCoreAsync();
// Assert
Assert.NotNull(ticket);
Assert.Equal(apiKey.ToString().ToLower(), ticket.Identity.GetClaimOrDefault(NuGetClaims.ApiKey));
}
public async Task GivenMatchingApiKey_ItReturnsTicketWithClaims()
{
// Arrange
var user = new User {
Username = "******", EmailAddress = "*****@*****.**"
};
var handler = await TestableApiKeyAuthenticationHandler.CreateAsync(new ApiKeyAuthenticationOptions());
var apiKeyCredential = new CredentialBuilder().CreateApiKey(Fakes.ExpirationForApiKeyV1);
apiKeyCredential.Key = 99;
apiKeyCredential.Scopes = new List <Scope>()
{
new Scope("a", "b")
};
handler.OwinContext.Request.Headers.Set(
Constants.ApiKeyHeaderName,
apiKeyCredential.Value.ToLowerInvariant());
handler.MockAuth.SetupAuth(apiKeyCredential, user);
// Act
var ticket = await handler.InvokeAuthenticateCoreAsync();
// Assert
Assert.NotNull(ticket);
Assert.Equal(user.Username, ticket.Identity.GetClaimOrDefault(ClaimTypes.NameIdentifier));
Assert.Equal(apiKeyCredential.Value.ToLower(), ticket.Identity.GetClaimOrDefault(NuGetClaims.ApiKey));
Assert.Equal(apiKeyCredential.Key.ToString(), ticket.Identity.GetClaimOrDefault(NuGetClaims.CredentialKey));
Assert.Equal(JsonConvert.SerializeObject(apiKeyCredential.Scopes, Formatting.None), ticket.Identity.GetClaimOrDefault(NuGetClaims.Scope));
}
public async Task GivenApiKeyWithOwnerScopeThatDoesNotMatch_WritesUnauthorizedResponse()
{
// Arrange
var user = new User {
Key = 1234, Username = "******", EmailAddress = "*****@*****.**"
};
TestableApiKeyAuthenticationHandler handler = await TestableApiKeyAuthenticationHandler.CreateAsync(new ApiKeyAuthenticationOptions());
var apiKeyCredential = new CredentialBuilder().CreateApiKey(Fakes.ExpirationForApiKeyV1, out string plaintextApiKey);
apiKeyCredential.Scopes.Add(new Scope(2345, "thePackage", "theAction"));
handler.OwinContext.Request.Headers.Set(
ServicesConstants.ApiKeyHeaderName,
plaintextApiKey);
handler.MockAuth.SetupAuth(apiKeyCredential, user, credentialValue: plaintextApiKey);
// Act
var body = await handler.OwinContext.Response.CaptureBodyAsString(async() =>
await handler.InvokeAuthenticateCoreAsync());
// Assert
Assert.Equal(Strings.ApiKeyNotAuthorized, handler.OwinContext.Response.ReasonPhrase);
Assert.Equal(Strings.ApiKeyNotAuthorized, body);
Assert.Equal(403, handler.OwinContext.Response.StatusCode);
}
public async Task GivenNoApiKeyHeader_ItReturnsNull()
{
// Arrange
TestableApiKeyAuthenticationHandler handler = await TestableApiKeyAuthenticationHandler.CreateAsync(new ApiKeyAuthenticationOptions());
// Act
var ticket = await handler.InvokeAuthenticateCoreAsync();
// Assert
Assert.Null(ticket);
}
public static async Task <TestableApiKeyAuthenticationHandler> CreateAsync(ApiKeyAuthenticationOptions options)
{
// Always use passive mode for tests
options.AuthenticationMode = AuthenticationMode.Passive;
var handler = new TestableApiKeyAuthenticationHandler();
var ctxt = Fakes.CreateOwinContext();
await handler.InitializeAsync(options, ctxt);
return(handler);
}
public async Task GivenANon401ResponseInActiveMode_ItPassesThrough()
{
// Arrange
var handler = await TestableApiKeyAuthenticationHandler.CreateAsync(new ApiKeyAuthenticationOptions()
{
AuthenticationMode = AuthenticationMode.Active
});
handler.OwinContext.Response.StatusCode = 200;
// Act
await handler.InvokeApplyResponseChallengeAsync();
// Assert
Assert.Equal(200, handler.OwinContext.Response.StatusCode);
}
public async Task GivenANon401ResponseInActiveMode_ItReturnsNull()
{
// Arrange
var handler = await TestableApiKeyAuthenticationHandler.CreateAsync(new ApiKeyAuthenticationOptions()
{
AuthenticationMode = AuthenticationMode.Active
});
handler.OwinContext.Response.StatusCode = 200;
// Act
var message = handler.GetChallengeMessage();
// Assert
Assert.Null(message);
}
public async Task GivenNoApiKeyHeader_ItReturnsNull()
{
// Arrange
TestableApiKeyAuthenticationHandler handler = await TestableApiKeyAuthenticationHandler.CreateAsync(new ApiKeyAuthenticationOptions()
{
RootPath = "/api"
});
handler.OwinContext.Request.Path = "/api/v2/packages";
// Act
var ticket = await handler.InvokeAuthenticateCoreAsync();
// Assert
Assert.Null(ticket);
}
public async Task GivenNoUserMatchingApiKey_ItReturnsNull()
{
// Arrange
Guid apiKey = Guid.NewGuid();
TestableApiKeyAuthenticationHandler handler = await TestableApiKeyAuthenticationHandler.CreateAsync(new ApiKeyAuthenticationOptions());
handler.OwinContext.Request.Headers.Set(
Constants.ApiKeyHeaderName,
apiKey.ToString().ToLowerInvariant());
// Act
var ticket = await handler.InvokeAuthenticateCoreAsync();
// Assert
Assert.Null(ticket);
}
public static async Task <TestableApiKeyAuthenticationHandler> CreateAsync(ApiKeyAuthenticationOptions options)
{
// Always use passive mode for tests
options.AuthenticationMode = AuthenticationMode.Passive;
var handler = new TestableApiKeyAuthenticationHandler();
var ctxt = Fakes.CreateOwinContext();
// Grr, have to make an internal call to initialize...
await(Task)(typeof(AuthenticationHandler <ApiKeyAuthenticationOptions>)
.InvokeMember(
"Initialize",
BindingFlags.NonPublic | BindingFlags.Instance | BindingFlags.InvokeMethod,
Type.DefaultBinder,
handler,
new object[] { options, ctxt }));
return(handler);
}
public async Task GivenA401ResponseInPassiveModeWithMatchingAuthenticationTypeAndNoHeader_ItReturnsApiKeyRequired()
{
// Arrange
var handler = await TestableApiKeyAuthenticationHandler.CreateAsync(new ApiKeyAuthenticationOptions()
{
AuthenticationMode = AuthenticationMode.Passive,
AuthenticationType = "blarg"
});
handler.OwinContext.Response.StatusCode = 401;
handler.OwinContext.Authentication.AuthenticationResponseChallenge =
new AuthenticationResponseChallenge(new [] { "blarg" }, new AuthenticationProperties());
// Act
var message = handler.GetChallengeMessage();
// Assert
Assert.Equal(Strings.ApiKeyRequired, message);
}
public async Task GivenA401ResponseInPassiveModeWithoutMatchingAuthenticationType_ItPassesThrough()
{
// Arrange
var handler = await TestableApiKeyAuthenticationHandler.CreateAsync(new ApiKeyAuthenticationOptions()
{
AuthenticationMode = AuthenticationMode.Passive,
AuthenticationType = "blarg"
});
handler.OwinContext.Response.StatusCode = 401;
handler.OwinContext.Authentication.AuthenticationResponseChallenge =
new AuthenticationResponseChallenge(new[] { "flarg" }, new AuthenticationProperties());
// Act
await handler.InvokeApplyResponseChallengeAsync();
// Assert
Assert.Equal(401, handler.OwinContext.Response.StatusCode);
}
public async Task GivenA401ResponseInActiveModeAndHeader_ItReturnsApiKeyNotAuthorized()
{
// Arrange
var handler = await TestableApiKeyAuthenticationHandler.CreateAsync(new ApiKeyAuthenticationOptions()
{
AuthenticationMode = AuthenticationMode.Active,
AuthenticationType = "blarg"
});
handler.OwinContext.Response.StatusCode = 401;
handler.OwinContext.Authentication.AuthenticationResponseChallenge =
new AuthenticationResponseChallenge(new [] { "blarg" }, new AuthenticationProperties());
handler.OwinContext.Request.Headers[Constants.ApiKeyHeaderName] = "woozle wuzzle";
// Act
var message = handler.GetChallengeMessage();
// Assert
Assert.Equal(Strings.ApiKeyNotAuthorized, message);
}
public async Task GivenMatchingApiKey_ItReturnsTicketWithUserNameAndRoles()
{
// Arrange
var user = new User {
Username = "******", EmailAddress = "*****@*****.**"
};
var handler = await TestableApiKeyAuthenticationHandler.CreateAsync(new ApiKeyAuthenticationOptions());
var apiKeyCredential = new CredentialBuilder().CreateApiKey(Fakes.ExpirationForApiKeyV1);
handler.OwinContext.Request.Headers.Set(
Constants.ApiKeyHeaderName,
apiKeyCredential.Value.ToLowerInvariant());
handler.MockAuth.SetupAuth(apiKeyCredential, user);
// Act
var ticket = await handler.InvokeAuthenticateCoreAsync();
// Assert
Assert.NotNull(ticket);
Assert.Equal(apiKeyCredential.Value.ToLower(), ticket.Identity.GetClaimOrDefault(NuGetClaims.ApiKey));
}
public async Task GivenA401ResponseInPassiveModeWithMatchingAuthenticationTypeAndNoHeader_ItWrites401WithApiKeyRequiredMessage()
{
// Arrange
var handler = await TestableApiKeyAuthenticationHandler.CreateAsync(new ApiKeyAuthenticationOptions()
{
AuthenticationMode = AuthenticationMode.Passive,
AuthenticationType = "blarg"
});
handler.OwinContext.Response.StatusCode = 401;
handler.OwinContext.Authentication.AuthenticationResponseChallenge =
new AuthenticationResponseChallenge(new[] { "blarg" }, new AuthenticationProperties());
// Act
var body = await handler.OwinContext.Response.CaptureBodyAsString(async() =>
await handler.InvokeApplyResponseChallengeAsync());
// Assert
Assert.Equal(Strings.ApiKeyRequired, handler.OwinContext.Response.ReasonPhrase);
Assert.Equal(Strings.ApiKeyRequired, body);
Assert.Equal(401, handler.OwinContext.Response.StatusCode);
}
public async Task GivenMatchingApiKeyWithOwnerScopeOfOrganization_ItSetsUserInOwinEnvironment(bool isAdmin)
{
// Arrange
var organization = new Organization()
{
Key = 2345
};
var user = new User {
Key = 1234, Username = "******", EmailAddress = "*****@*****.**"
};
user.Organizations.Add(new Membership
{
OrganizationKey = 2345,
Organization = organization,
IsAdmin = isAdmin
});
TestableApiKeyAuthenticationHandler handler = await TestableApiKeyAuthenticationHandler.CreateAsync(new ApiKeyAuthenticationOptions());
var apiKeyCredential = new CredentialBuilder().CreateApiKey(Fakes.ExpirationForApiKeyV1);
apiKeyCredential.Scopes.Add(new Scope(2345, "thePackage", "theAction"));
handler.OwinContext.Request.Headers.Set(
Constants.ApiKeyHeaderName,
apiKeyCredential.Value.ToLowerInvariant());
handler.MockAuth.SetupAuth(apiKeyCredential, user);
// Act
await handler.InvokeAuthenticateCoreAsync();
// Assert
var authUser = Assert.IsType <AuthenticatedUser>(
handler.OwinContext.Environment[Constants.CurrentUserOwinEnvironmentKey]);
Assert.Same(user, authUser.User);
}
public async Task GivenA401ResponseInPassiveModeWithMatchingAuthenticationTypeAndHeader_ItReturnsApiKeyNotAuthorized()
{
// Arrange
var handler = await TestableApiKeyAuthenticationHandler.CreateAsync(new ApiKeyAuthenticationOptions()
{
AuthenticationMode = AuthenticationMode.Passive,
AuthenticationType = "blarg"
});
handler.OwinContext.Response.StatusCode = 401;
handler.OwinContext.Authentication.AuthenticationResponseChallenge =
new AuthenticationResponseChallenge(new[] { "blarg" }, new AuthenticationProperties());
handler.OwinContext.Request.Headers[Constants.ApiKeyHeaderName] = "woozle wuzzle";
// Act
var body = await handler.OwinContext.Response.CaptureBodyAsString(async() =>
await handler.InvokeApplyResponseChallengeAsync());
// Assert
Assert.Equal(Strings.ApiKeyNotAuthorized, handler.OwinContext.Response.ReasonPhrase);
Assert.Equal(Strings.ApiKeyNotAuthorized, body);
Assert.Equal(403, handler.OwinContext.Response.StatusCode);
}
public async Task GivenMatchingApiKey_ItSetsUserInOwinEnvironment()
{
// Arrange
var user = new User {
Username = "******", EmailAddress = "*****@*****.**"
};
TestableApiKeyAuthenticationHandler handler = await TestableApiKeyAuthenticationHandler.CreateAsync(new ApiKeyAuthenticationOptions());
var apiKeyCredential = new CredentialBuilder().CreateApiKey(Fakes.ExpirationForApiKeyV1);
handler.OwinContext.Request.Headers.Set(
Constants.ApiKeyHeaderName,
apiKeyCredential.Value.ToLowerInvariant());
handler.MockAuth.SetupAuth(apiKeyCredential, user);
// Act
await handler.InvokeAuthenticateCoreAsync();
// Assert
var authUser = Assert.IsType <AuthenticatedUser>(
handler.OwinContext.Environment[Constants.CurrentUserOwinEnvironmentKey]);
Assert.Same(user, authUser.User);
}
public static async Task<TestableApiKeyAuthenticationHandler> CreateAsync(ApiKeyAuthenticationOptions options)
{
// Always use passive mode for tests
options.AuthenticationMode = AuthenticationMode.Passive;
var handler = new TestableApiKeyAuthenticationHandler();
var ctxt = Fakes.CreateOwinContext();
await handler.InitializeAsync(options, ctxt);
return handler;
}
public static async Task<TestableApiKeyAuthenticationHandler> CreateAsync(ApiKeyAuthenticationOptions options)
{
// Always use passive mode for tests
options.AuthenticationMode = AuthenticationMode.Passive;
var handler = new TestableApiKeyAuthenticationHandler();
var ctxt = Fakes.CreateOwinContext();
// Grr, have to make an internal call to initialize...
await (Task)(typeof(AuthenticationHandler<ApiKeyAuthenticationOptions>)
.InvokeMember(
"Initialize",
BindingFlags.NonPublic | BindingFlags.Instance | BindingFlags.InvokeMethod,
Type.DefaultBinder,
handler,
new object[] { options, ctxt }));
return handler;
}
