Exemplo n.º 1
0
            public async Task GivenMatchingApiKey_ItReturnsTicketWithClaims(string apiKeyType)
            {
                // Arrange
                var fakes = Get <Fakes>();
                var user  = fakes.User;

                //var user = new User { Username = "******", EmailAddress = "*****@*****.**" };
                var handler = await TestableApiKeyAuthenticationHandler.CreateAsync(new ApiKeyAuthenticationOptions());

                var apiKeyCredential = user.Credentials.First(c => c.Type == apiKeyType);

                apiKeyCredential.Key = 99;

                var plaintextApiKey = apiKeyCredential.Type == CredentialTypes.ApiKey.V4 ? fakes.ApiKeyV4PlaintextValue : apiKeyCredential.Value;

                handler.OwinContext.Request.Headers.Set(
                    ServicesConstants.ApiKeyHeaderName,
                    plaintextApiKey);

                handler.MockAuth.SetupAuth(apiKeyCredential, user, credentialValue: plaintextApiKey);

                // Act
                var ticket = await handler.InvokeAuthenticateCoreAsync();

                // Assert
                Assert.NotNull(ticket);
                Assert.Equal(user.Username, ticket.Identity.GetClaimOrDefault(ClaimTypes.NameIdentifier));
                Assert.Equal(apiKeyCredential.Value, ticket.Identity.GetClaimOrDefault(NuGetClaims.ApiKey));
                Assert.Equal(apiKeyCredential.Key.ToString(), ticket.Identity.GetClaimOrDefault(NuGetClaims.CredentialKey));
                Assert.Equal(JsonConvert.SerializeObject(apiKeyCredential.Scopes, Formatting.None), ticket.Identity.GetClaimOrDefault(NuGetClaims.Scope));
            }
Exemplo n.º 2
0
            public async Task GivenApiKeyWithOwnerScopeThatDoesNotMatch_WritesUnauthorizedResponse()
            {
                // Arrange
                var user = new User {
                    Key = 1234, Username = "******", EmailAddress = "*****@*****.**"
                };
                TestableApiKeyAuthenticationHandler handler = await TestableApiKeyAuthenticationHandler.CreateAsync(new ApiKeyAuthenticationOptions());

                var apiKeyCredential = new CredentialBuilder().CreateApiKey(Fakes.ExpirationForApiKeyV1, out string plaintextApiKey);

                apiKeyCredential.Scopes.Add(new Scope(2345, "thePackage", "theAction"));

                handler.OwinContext.Request.Headers.Set(
                    ServicesConstants.ApiKeyHeaderName,
                    plaintextApiKey);
                handler.MockAuth.SetupAuth(apiKeyCredential, user, credentialValue: plaintextApiKey);

                // Act
                var body = await handler.OwinContext.Response.CaptureBodyAsString(async() =>
                                                                                  await handler.InvokeAuthenticateCoreAsync());

                // Assert
                Assert.Equal(Strings.ApiKeyNotAuthorized, handler.OwinContext.Response.ReasonPhrase);
                Assert.Equal(Strings.ApiKeyNotAuthorized, body);
                Assert.Equal(403, handler.OwinContext.Response.StatusCode);
            }
            public async Task GivenA401ResponseInActiveModeAndNoHeader_ItReturns401ApiKeyRequired()
            {
                // Arrange
                var handler = await TestableApiKeyAuthenticationHandler.CreateAsync(new ApiKeyAuthenticationOptions()
                {
                    AuthenticationMode = AuthenticationMode.Active,
                    AuthenticationType = "blarg"
                });

                handler.OwinContext.Response.StatusCode = 401;
                handler.OwinContext.Response.Headers.Set("WWW-Authenticate", "existing");
                handler.OwinContext.Authentication.AuthenticationResponseChallenge =
                    new AuthenticationResponseChallenge(new [] { "blarg" }, new AuthenticationProperties());

                // Act
                var body = await handler.OwinContext.Response.CaptureBodyAsString(async() =>
                                                                                  await handler.InvokeApplyResponseChallengeAsync());

                // Assert
                Assert.Equal(Strings.ApiKeyRequired, handler.OwinContext.Response.ReasonPhrase);
                Assert.Equal(Strings.ApiKeyRequired, body);
                Assert.Equal(401, handler.OwinContext.Response.StatusCode);

                var authenticateValues = handler.OwinContext.Response.Headers.GetCommaSeparatedValues("WWW-Authenticate");

                Assert.Contains(
                    "ApiKey realm=\"nuget.local\"",
                    authenticateValues);
                Assert.Contains(
                    "existing",
                    authenticateValues);
            }
Exemplo n.º 4
0
            public async Task GivenMatchingApiKey_ItReturnsTicketWithClaims()
            {
                // Arrange
                var user = new User {
                    Username = "******", EmailAddress = "*****@*****.**"
                };
                var handler = await TestableApiKeyAuthenticationHandler.CreateAsync(new ApiKeyAuthenticationOptions());

                var apiKeyCredential = new CredentialBuilder().CreateApiKey(Fakes.ExpirationForApiKeyV1);

                apiKeyCredential.Key    = 99;
                apiKeyCredential.Scopes = new List <Scope>()
                {
                    new Scope("a", "b")
                };

                handler.OwinContext.Request.Headers.Set(
                    Constants.ApiKeyHeaderName,
                    apiKeyCredential.Value.ToLowerInvariant());
                handler.MockAuth.SetupAuth(apiKeyCredential, user);

                // Act
                var ticket = await handler.InvokeAuthenticateCoreAsync();

                // Assert
                Assert.NotNull(ticket);
                Assert.Equal(user.Username, ticket.Identity.GetClaimOrDefault(ClaimTypes.NameIdentifier));
                Assert.Equal(apiKeyCredential.Value.ToLower(), ticket.Identity.GetClaimOrDefault(NuGetClaims.ApiKey));
                Assert.Equal(apiKeyCredential.Key.ToString(), ticket.Identity.GetClaimOrDefault(NuGetClaims.CredentialKey));
                Assert.Equal(JsonConvert.SerializeObject(apiKeyCredential.Scopes, Formatting.None), ticket.Identity.GetClaimOrDefault(NuGetClaims.Scope));
            }
Exemplo n.º 5
0
            public async Task GivenMatchingApiKeyWithOwnerScopeOfSelf_ItSetsUserInOwinEnvironment()
            {
                // Arrange
                var user = new User {
                    Key = 1234, Username = "******", EmailAddress = "*****@*****.**"
                };
                TestableApiKeyAuthenticationHandler handler = await TestableApiKeyAuthenticationHandler.CreateAsync(new ApiKeyAuthenticationOptions());

                var apiKeyCredential = new CredentialBuilder().CreateApiKey(Fakes.ExpirationForApiKeyV1, out string plaintextApiKey);

                apiKeyCredential.Scopes.Add(new Scope(1234, "thePackage", "theAction"));

                handler.OwinContext.Request.Headers.Set(
                    ServicesConstants.ApiKeyHeaderName,
                    plaintextApiKey);
                handler.MockAuth.SetupAuth(apiKeyCredential, user, credentialValue: plaintextApiKey);

                // Act
                await handler.InvokeAuthenticateCoreAsync();

                // Assert
                var authUser = Assert.IsType <AuthenticatedUser>(
                    handler.OwinContext.Environment[ServicesConstants.CurrentUserOwinEnvironmentKey]);

                Assert.Same(user, authUser.User);
            }
Exemplo n.º 6
0
            public async Task GivenMatchingApiKey_ItSetsUserInOwinEnvironment()
            {
                // Arrange
                Guid apiKey = Guid.NewGuid();
                var  user   = new User()
                {
                    Username = "******", EmailAddress = "*****@*****.**"
                };
                TestableApiKeyAuthenticationHandler handler = await TestableApiKeyAuthenticationHandler.CreateAsync(new ApiKeyAuthenticationOptions()
                {
                    RootPath = "/api"
                });

                handler.OwinContext.Request.Path = "/api/v2/packages";
                handler.OwinContext.Request.Headers.Set(
                    Constants.ApiKeyHeaderName,
                    apiKey.ToString().ToLowerInvariant());
                handler.MockAuth.SetupAuth(CredentialBuilder.CreateV1ApiKey(apiKey), user);

                // Act
                await handler.InvokeAuthenticateCoreAsync();

                // Assert
                var authUser = Assert.IsType <AuthenticatedUser>(
                    handler.OwinContext.Environment[Constants.CurrentUserOwinEnvironmentKey]);

                Assert.Same(user, authUser.User);
            }
Exemplo n.º 7
0
            public async Task GivenMatchingApiKey_ItReturnsTicketWithUserNameAndRoles()
            {
                // Arrange
                Guid apiKey = Guid.NewGuid();
                var  user   = new User()
                {
                    Username = "******", EmailAddress = "*****@*****.**"
                };
                TestableApiKeyAuthenticationHandler handler = await TestableApiKeyAuthenticationHandler.CreateAsync(new ApiKeyAuthenticationOptions()
                {
                    RootPath = "/api"
                });

                handler.OwinContext.Request.Path = "/api/v2/packages";
                handler.OwinContext.Request.Headers.Set(
                    Constants.ApiKeyHeaderName,
                    apiKey.ToString().ToLowerInvariant());
                handler.MockAuth.SetupAuth(CredentialBuilder.CreateV1ApiKey(apiKey), user);

                // Act
                var ticket = await handler.InvokeAuthenticateCoreAsync();

                // Assert
                Assert.NotNull(ticket);
                Assert.Equal(apiKey.ToString().ToLower(), ticket.Identity.GetClaimOrDefault(NuGetClaims.ApiKey));
            }
            public async Task GivenNoApiKeyHeader_ItReturnsNull()
            {
                // Arrange
                TestableApiKeyAuthenticationHandler handler = await TestableApiKeyAuthenticationHandler.CreateAsync(new ApiKeyAuthenticationOptions());

                // Act
                var ticket = await handler.InvokeAuthenticateCoreAsync();

                // Assert
                Assert.Null(ticket);
            }
            public async Task GivenANon401ResponseInActiveMode_ItPassesThrough()
            {
                // Arrange
                var handler = await TestableApiKeyAuthenticationHandler.CreateAsync(new ApiKeyAuthenticationOptions()
                {
                    AuthenticationMode = AuthenticationMode.Active
                });

                handler.OwinContext.Response.StatusCode = 200;

                // Act
                await handler.InvokeApplyResponseChallengeAsync();

                // Assert
                Assert.Equal(200, handler.OwinContext.Response.StatusCode);
            }
            public async Task GivenNoUserMatchingApiKey_ItReturnsNull()
            {
                // Arrange
                Guid apiKey = Guid.NewGuid();
                TestableApiKeyAuthenticationHandler handler = await TestableApiKeyAuthenticationHandler.CreateAsync(new ApiKeyAuthenticationOptions());

                handler.OwinContext.Request.Headers.Set(
                    Constants.ApiKeyHeaderName,
                    apiKey.ToString().ToLowerInvariant());

                // Act
                var ticket = await handler.InvokeAuthenticateCoreAsync();

                // Assert
                Assert.Null(ticket);
            }
Exemplo n.º 11
0
            public async Task GivenANon401ResponseInActiveMode_ItReturnsNull()
            {
                // Arrange
                var handler = await TestableApiKeyAuthenticationHandler.CreateAsync(new ApiKeyAuthenticationOptions()
                {
                    AuthenticationMode = AuthenticationMode.Active
                });

                handler.OwinContext.Response.StatusCode = 200;

                // Act
                var message = handler.GetChallengeMessage();

                // Assert
                Assert.Null(message);
            }
Exemplo n.º 12
0
            public async Task GivenNoApiKeyHeader_ItReturnsNull()
            {
                // Arrange
                TestableApiKeyAuthenticationHandler handler = await TestableApiKeyAuthenticationHandler.CreateAsync(new ApiKeyAuthenticationOptions()
                {
                    RootPath = "/api"
                });

                handler.OwinContext.Request.Path = "/api/v2/packages";

                // Act
                var ticket = await handler.InvokeAuthenticateCoreAsync();

                // Assert
                Assert.Null(ticket);
            }
            public async Task GivenA401ResponseInPassiveModeWithoutMatchingAuthenticationType_ItPassesThrough()
            {
                // Arrange
                var handler = await TestableApiKeyAuthenticationHandler.CreateAsync(new ApiKeyAuthenticationOptions()
                {
                    AuthenticationMode = AuthenticationMode.Passive,
                    AuthenticationType = "blarg"
                });

                handler.OwinContext.Response.StatusCode = 401;
                handler.OwinContext.Authentication.AuthenticationResponseChallenge =
                    new AuthenticationResponseChallenge(new[] { "flarg" }, new AuthenticationProperties());

                // Act
                await handler.InvokeApplyResponseChallengeAsync();

                // Assert
                Assert.Equal(401, handler.OwinContext.Response.StatusCode);
            }
Exemplo n.º 14
0
            public async Task GivenA401ResponseInPassiveModeWithMatchingAuthenticationTypeAndNoHeader_ItReturnsApiKeyRequired()
            {
                // Arrange
                var handler = await TestableApiKeyAuthenticationHandler.CreateAsync(new ApiKeyAuthenticationOptions()
                {
                    AuthenticationMode = AuthenticationMode.Passive,
                    AuthenticationType = "blarg"
                });

                handler.OwinContext.Response.StatusCode = 401;
                handler.OwinContext.Authentication.AuthenticationResponseChallenge =
                    new AuthenticationResponseChallenge(new [] { "blarg" }, new AuthenticationProperties());

                // Act
                var message = handler.GetChallengeMessage();

                // Assert
                Assert.Equal(Strings.ApiKeyRequired, message);
            }
Exemplo n.º 15
0
            public async Task GivenA401ResponseInActiveModeAndHeader_ItReturnsApiKeyNotAuthorized()
            {
                // Arrange
                var handler = await TestableApiKeyAuthenticationHandler.CreateAsync(new ApiKeyAuthenticationOptions()
                {
                    AuthenticationMode = AuthenticationMode.Active,
                    AuthenticationType = "blarg"
                });

                handler.OwinContext.Response.StatusCode = 401;
                handler.OwinContext.Authentication.AuthenticationResponseChallenge =
                    new AuthenticationResponseChallenge(new [] { "blarg" }, new AuthenticationProperties());
                handler.OwinContext.Request.Headers[Constants.ApiKeyHeaderName] = "woozle wuzzle";

                // Act
                var message = handler.GetChallengeMessage();

                // Assert
                Assert.Equal(Strings.ApiKeyNotAuthorized, message);
            }
            public async Task GivenA401ResponseInPassiveModeWithMatchingAuthenticationTypeAndNoHeader_ItWrites401WithApiKeyRequiredMessage()
            {
                // Arrange
                var handler = await TestableApiKeyAuthenticationHandler.CreateAsync(new ApiKeyAuthenticationOptions()
                {
                    AuthenticationMode = AuthenticationMode.Passive,
                    AuthenticationType = "blarg"
                });

                handler.OwinContext.Response.StatusCode = 401;
                handler.OwinContext.Authentication.AuthenticationResponseChallenge =
                    new AuthenticationResponseChallenge(new[] { "blarg" }, new AuthenticationProperties());

                // Act
                var body = await handler.OwinContext.Response.CaptureBodyAsString(async() =>
                                                                                  await handler.InvokeApplyResponseChallengeAsync());

                // Assert
                Assert.Equal(Strings.ApiKeyRequired, handler.OwinContext.Response.ReasonPhrase);
                Assert.Equal(Strings.ApiKeyRequired, body);
                Assert.Equal(401, handler.OwinContext.Response.StatusCode);
            }
Exemplo n.º 17
0
            public async Task GivenMatchingApiKey_ItReturnsTicketWithUserNameAndRoles()
            {
                // Arrange
                var user = new User {
                    Username = "******", EmailAddress = "*****@*****.**"
                };
                var handler = await TestableApiKeyAuthenticationHandler.CreateAsync(new ApiKeyAuthenticationOptions());

                var apiKeyCredential = new CredentialBuilder().CreateApiKey(Fakes.ExpirationForApiKeyV1);

                handler.OwinContext.Request.Headers.Set(
                    Constants.ApiKeyHeaderName,
                    apiKeyCredential.Value.ToLowerInvariant());
                handler.MockAuth.SetupAuth(apiKeyCredential, user);

                // Act
                var ticket = await handler.InvokeAuthenticateCoreAsync();

                // Assert
                Assert.NotNull(ticket);
                Assert.Equal(apiKeyCredential.Value.ToLower(), ticket.Identity.GetClaimOrDefault(NuGetClaims.ApiKey));
            }
            public async Task GivenMatchingApiKeyWithOwnerScopeOfOrganization_ItSetsUserInOwinEnvironment(bool isAdmin)
            {
                // Arrange
                var organization = new Organization()
                {
                    Key = 2345
                };
                var user = new User {
                    Key = 1234, Username = "******", EmailAddress = "*****@*****.**"
                };

                user.Organizations.Add(new Membership
                {
                    OrganizationKey = 2345,
                    Organization    = organization,
                    IsAdmin         = isAdmin
                });

                TestableApiKeyAuthenticationHandler handler = await TestableApiKeyAuthenticationHandler.CreateAsync(new ApiKeyAuthenticationOptions());

                var apiKeyCredential = new CredentialBuilder().CreateApiKey(Fakes.ExpirationForApiKeyV1);

                apiKeyCredential.Scopes.Add(new Scope(2345, "thePackage", "theAction"));

                handler.OwinContext.Request.Headers.Set(
                    Constants.ApiKeyHeaderName,
                    apiKeyCredential.Value.ToLowerInvariant());
                handler.MockAuth.SetupAuth(apiKeyCredential, user);

                // Act
                await handler.InvokeAuthenticateCoreAsync();

                // Assert
                var authUser = Assert.IsType <AuthenticatedUser>(
                    handler.OwinContext.Environment[Constants.CurrentUserOwinEnvironmentKey]);

                Assert.Same(user, authUser.User);
            }
            public async Task GivenA401ResponseInPassiveModeWithMatchingAuthenticationTypeAndHeader_ItReturnsApiKeyNotAuthorized()
            {
                // Arrange
                var handler = await TestableApiKeyAuthenticationHandler.CreateAsync(new ApiKeyAuthenticationOptions()
                {
                    AuthenticationMode = AuthenticationMode.Passive,
                    AuthenticationType = "blarg"
                });

                handler.OwinContext.Response.StatusCode = 401;
                handler.OwinContext.Authentication.AuthenticationResponseChallenge =
                    new AuthenticationResponseChallenge(new[] { "blarg" }, new AuthenticationProperties());
                handler.OwinContext.Request.Headers[Constants.ApiKeyHeaderName] = "woozle wuzzle";

                // Act
                var body = await handler.OwinContext.Response.CaptureBodyAsString(async() =>
                                                                                  await handler.InvokeApplyResponseChallengeAsync());

                // Assert
                Assert.Equal(Strings.ApiKeyNotAuthorized, handler.OwinContext.Response.ReasonPhrase);
                Assert.Equal(Strings.ApiKeyNotAuthorized, body);
                Assert.Equal(403, handler.OwinContext.Response.StatusCode);
            }
Exemplo n.º 20
0
            public async Task GivenMatchingApiKey_ItSetsUserInOwinEnvironment()
            {
                // Arrange
                var user = new User {
                    Username = "******", EmailAddress = "*****@*****.**"
                };
                TestableApiKeyAuthenticationHandler handler = await TestableApiKeyAuthenticationHandler.CreateAsync(new ApiKeyAuthenticationOptions());

                var apiKeyCredential = new CredentialBuilder().CreateApiKey(Fakes.ExpirationForApiKeyV1);

                handler.OwinContext.Request.Headers.Set(
                    Constants.ApiKeyHeaderName,
                    apiKeyCredential.Value.ToLowerInvariant());
                handler.MockAuth.SetupAuth(apiKeyCredential, user);

                // Act
                await handler.InvokeAuthenticateCoreAsync();

                // Assert
                var authUser = Assert.IsType <AuthenticatedUser>(
                    handler.OwinContext.Environment[Constants.CurrentUserOwinEnvironmentKey]);

                Assert.Same(user, authUser.User);
            }