public void GetUriRequestReturnsNullIfOffloadedHeaderSecurityAlreadyMatchesSpecifiedSecurity()
{
// Arrange.
var mockRequest = new Mock<HttpRequestBase>();
mockRequest.SetupGet(req => req.IsSecureConnection).Returns(false);
var mockResponse = new Mock<HttpResponseBase>();
var settings = new Settings();
var evaluator = new HeadersSecurityEvaluator();
var enforcer = new SecurityEnforcer(evaluator);
// Act.
mockRequest.SetupGet(req => req.Headers).Returns(new NameValueCollection {
{ "SSL_REQUEST", "on" },
{ "OTHER_HEADER", "some-value" }
});
settings.OffloadedSecurityHeaders = "SSL_REQUEST=";
var targetUrlForAlreadySecuredRequest = enforcer.GetUriForMatchedSecurityRequest(mockRequest.Object,
mockResponse.Object,
RequestSecurity.Secure,
settings);
mockRequest.SetupGet(req => req.Headers).Returns(new NameValueCollection {
{ "OTHER_HEADER", "some-value" }
});
var targetUrlForAlreadyInsecureRequest = enforcer.GetUriForMatchedSecurityRequest(mockRequest.Object,
mockResponse.Object,
RequestSecurity.Insecure,
settings);
// Assert.
Assert.Null(targetUrlForAlreadySecuredRequest);
Assert.Null(targetUrlForAlreadyInsecureRequest);
}
public void GetUriDoesNotIncludeApplicationPathWithSuppliedBaseUri()
{
const string BaseRequestUri = "http://www.testsite.com";
const string ApplicationPathRequestUri = "/MySuperDuperApplication";
const string PathRequestUri = ApplicationPathRequestUri + "/Manage/Default.aspx";
const string QueryRequestUri = "?Param=SomeValue";
var mockRequest = new Mock<HttpRequestBase>();
mockRequest.SetupGet(req => req.ApplicationPath).Returns(ApplicationPathRequestUri);
mockRequest.SetupGet(req => req.Url).Returns(new Uri(BaseRequestUri + PathRequestUri + QueryRequestUri));
mockRequest.SetupGet(req => req.RawUrl).Returns(PathRequestUri + QueryRequestUri);
var mockResponse = new Mock<HttpResponseBase>();
mockResponse.Setup(resp => resp.ApplyAppPathModifier(It.IsAny<string>())).Returns<string>(s => s);
var settings = new Settings {
Mode = Mode.On,
BaseSecureUri = "https://secure.someotherwebsite.com/testsite/"
};
var evaluator = new HeadersSecurityEvaluator();
var enforcer = new SecurityEnforcer(evaluator);
// Act.
var targetUrl = enforcer.GetUriForMatchedSecurityRequest(mockRequest.Object,
mockResponse.Object,
RequestSecurity.Secure,
settings);
// Assert.
Assert.Equal(settings.BaseSecureUri + PathRequestUri.Remove(0, ApplicationPathRequestUri.Length + 1) + QueryRequestUri, targetUrl);
}
public void GetUriReturnsSwitchedUriBasedOnSuppliedBaseInsecureUri()
{
const string BaseRequestUri = "https://www.testsite.com";
const string PathRequestUri = "/Info/Default.aspx";
const string QueryRequestUri = "?Param=SomeValue";
var mockRequest = new Mock<HttpRequestBase>();
mockRequest.SetupGet(req => req.ApplicationPath).Returns("/");
mockRequest.SetupGet(req => req.Url).Returns(new Uri(BaseRequestUri + PathRequestUri + QueryRequestUri));
mockRequest.SetupGet(req => req.RawUrl).Returns(PathRequestUri + QueryRequestUri);
mockRequest.SetupGet(req => req.IsSecureConnection).Returns(true);
var mockResponse = new Mock<HttpResponseBase>();
mockResponse.Setup(resp => resp.ApplyAppPathModifier(It.IsAny<string>())).Returns<string>(s => s);
var settings = new Settings {
Mode = Mode.On,
BaseInsecureUri = "http://www.someotherwebsite.com/"
};
var evaluator = new StandardSecurityEvaluator();
var enforcer = new SecurityEnforcer(evaluator);
// Act.
var targetUrl = enforcer.GetUriForMatchedSecurityRequest(mockRequest.Object,
mockResponse.Object,
RequestSecurity.Insecure,
settings);
// Assert.
Assert.Equal(settings.BaseInsecureUri + PathRequestUri.Remove(0, 1) + QueryRequestUri, targetUrl);
}
public void GetUriReturnsTheRequestUrlWithProtocolReplacedWhenNoBaseUriIsSupplied()
{
// Arrange.
const string BaseRequestUri = "http://www.testsite.com";
const string PathRequestUri = "/Manage/Default.aspx?Param=SomeValue";
var mockRequest = new Mock<HttpRequestBase>();
mockRequest.SetupGet(req => req.Url).Returns(new Uri(BaseRequestUri + PathRequestUri));
mockRequest.SetupGet(req => req.RawUrl).Returns(PathRequestUri);
var mockResponse = new Mock<HttpResponseBase>();
mockResponse.Setup(resp => resp.ApplyAppPathModifier(It.IsAny<string>())).Returns<string>(s => s);
var settings = new Settings {
Mode = Mode.On,
Paths = {
new TestPathSetting("/Manage")
}
};
var evaluator = new HeadersSecurityEvaluator();
var enforcer = new SecurityEnforcer(evaluator);
// Act.
var targetUrl = enforcer.GetUriForMatchedSecurityRequest(mockRequest.Object,
mockResponse.Object,
RequestSecurity.Secure,
settings);
// Assert.
Assert.Equal(BaseRequestUri.Replace("http://", "https://") + PathRequestUri, targetUrl);
}
public void GetUriRequestReturnsNullIfRequestSecurityAlreadyMatchesSpecifiedSecurity()
{
// Arrange.
var mockRequest = new Mock<HttpRequestBase>();
var mockResponse = new Mock<HttpResponseBase>();
var settings = new Settings();
var evaluator = new StandardSecurityEvaluator();
var enforcer = new SecurityEnforcer(evaluator);
// Act.
mockRequest.SetupGet(req => req.IsSecureConnection).Returns(true);
var targetUrlForAlreadySecuredRequest = enforcer.GetUriForMatchedSecurityRequest(mockRequest.Object,
mockResponse.Object,
RequestSecurity.Secure,
settings);
mockRequest.SetupGet(req => req.IsSecureConnection).Returns(false);
var targetUrlForAlreadyInsecureRequest = enforcer.GetUriForMatchedSecurityRequest(mockRequest.Object,
mockResponse.Object,
RequestSecurity.Insecure,
settings);
// Assert.
Assert.Null(targetUrlForAlreadySecuredRequest);
Assert.Null(targetUrlForAlreadyInsecureRequest);
}
