public void GetUriRequestReturnsNullIfOffloadedHeaderSecurityAlreadyMatchesSpecifiedSecurity()
        {
            // Checks that the enforcer yields no redirect target (null) when the security state taken from
            // the offloaded-security headers already equals the security that was asked for.
            //
            // NOTE(review): in the first scenario the request is reported as secure by a header only, while
            // IsSecureConnection is false. Deployments that rely on this should make sure the TLS-terminating
            // proxy overwrites or strips any client-supplied copy of the configured header; otherwise a
            // plain-HTTP client could present its request as already secured and skip the redirect.

            // Arrange.
            var requestMock = new Mock<HttpRequestBase>();
            requestMock.SetupGet(r => r.IsSecureConnection).Returns(false);

            var responseMock = new Mock<HttpResponseBase>();
            var settings = new Settings();
            var enforcer = new SecurityEnforcer(new HeadersSecurityEvaluator());

            var headersWithOffloadMarker = new NameValueCollection();
            headersWithOffloadMarker.Add("SSL_REQUEST", "on");
            headersWithOffloadMarker.Add("OTHER_HEADER", "some-value");

            var headersWithoutOffloadMarker = new NameValueCollection();
            headersWithoutOffloadMarker.Add("OTHER_HEADER", "some-value");

            // Act.
            // Scenario 1: the offload header is present and Secure is requested.
            // The expected value is left blank after '='; presumably that matches any header value
            // (confirm against HeadersSecurityEvaluator).
            requestMock.SetupGet(r => r.Headers).Returns(headersWithOffloadMarker);
            settings.OffloadedSecurityHeaders = "SSL_REQUEST=";
            var resultWhenAlreadySecure = enforcer.GetUriForMatchedSecurityRequest(
                requestMock.Object,
                responseMock.Object,
                RequestSecurity.Secure,
                settings);

            // Scenario 2: the offload header is absent and Insecure is requested.
            requestMock.SetupGet(r => r.Headers).Returns(headersWithoutOffloadMarker);
            var resultWhenAlreadyInsecure = enforcer.GetUriForMatchedSecurityRequest(
                requestMock.Object,
                responseMock.Object,
                RequestSecurity.Insecure,
                settings);

            // Assert.
            Assert.Null(resultWhenAlreadySecure);
            Assert.Null(resultWhenAlreadyInsecure);
        }
        public void GetUriDoesNotIncludeApplicationPathWithSuppliedBaseUri()
        {
            // With a configured BaseSecureUri, the expected target is that base plus the request path
            // relative to the application root; the application path itself must not be repeated.
            // The scheme and host of the expected target come from configuration, not from the request.

            // Arrange.
            const string RequestOrigin = "http://www.testsite.com";
            const string AppPath = "/MySuperDuperApplication";
            const string RequestPath = AppPath + "/Manage/Default.aspx";
            const string RequestQuery = "?Param=SomeValue";

            var requestMock = new Mock<HttpRequestBase>();
            requestMock.SetupGet(r => r.ApplicationPath).Returns(AppPath);
            requestMock.SetupGet(r => r.Url).Returns(new Uri(RequestOrigin + RequestPath + RequestQuery));
            requestMock.SetupGet(r => r.RawUrl).Returns(RequestPath + RequestQuery);

            // ApplyAppPathModifier is stubbed as an identity function so it does not alter the path.
            var responseMock = new Mock<HttpResponseBase>();
            responseMock.Setup(r => r.ApplyAppPathModifier(It.IsAny<string>())).Returns<string>(path => path);

            var settings = new Settings();
            settings.Mode = Mode.On;
            settings.BaseSecureUri = "https://secure.someotherwebsite.com/testsite/";

            var enforcer = new SecurityEnforcer(new HeadersSecurityEvaluator());

            // Act.
            var actualUrl = enforcer.GetUriForMatchedSecurityRequest(
                requestMock.Object,
                responseMock.Object,
                RequestSecurity.Secure,
                settings);

            // Assert.
            // Drop the application path and the slash that follows it; the base URI already ends in '/'.
            var pathBelowApplication = RequestPath.Substring(AppPath.Length + 1);
            var expectedUrl = settings.BaseSecureUri + pathBelowApplication + RequestQuery;
            Assert.Equal(expectedUrl, actualUrl);
        }
        public void GetUriReturnsSwitchedUriBasedOnSuppliedBaseInsecureUri()
        {
            // A request that arrived over HTTPS but should be Insecure is expected to be pointed at the
            // configured BaseInsecureUri, keeping the original path and query string.
            //
            // NOTE(review): this is a deliberate HTTPS -> HTTP switch. The follow-up request travels in
            // cleartext, so any cookie the application issues without the Secure flag goes with it.

            // Arrange.
            const string RequestOrigin = "https://www.testsite.com";
            const string RequestPath = "/Info/Default.aspx";
            const string RequestQuery = "?Param=SomeValue";

            var requestMock = new Mock<HttpRequestBase>();
            requestMock.SetupGet(r => r.ApplicationPath).Returns("/");
            requestMock.SetupGet(r => r.Url).Returns(new Uri(RequestOrigin + RequestPath + RequestQuery));
            requestMock.SetupGet(r => r.RawUrl).Returns(RequestPath + RequestQuery);
            requestMock.SetupGet(r => r.IsSecureConnection).Returns(true);

            // ApplyAppPathModifier is stubbed as an identity function so it does not alter the path.
            var responseMock = new Mock<HttpResponseBase>();
            responseMock.Setup(r => r.ApplyAppPathModifier(It.IsAny<string>())).Returns<string>(path => path);

            var settings = new Settings();
            settings.Mode = Mode.On;
            settings.BaseInsecureUri = "http://www.someotherwebsite.com/";

            var enforcer = new SecurityEnforcer(new StandardSecurityEvaluator());

            // Act.
            var actualUrl = enforcer.GetUriForMatchedSecurityRequest(
                requestMock.Object,
                responseMock.Object,
                RequestSecurity.Insecure,
                settings);

            // Assert.
            // The leading '/' of the path is dropped because the base URI already ends in one.
            var pathWithoutLeadingSlash = RequestPath.Substring(1);
            var expectedUrl = settings.BaseInsecureUri + pathWithoutLeadingSlash + RequestQuery;
            Assert.Equal(expectedUrl, actualUrl);
        }
        public void GetUriReturnsTheRequestUrlWithProtocolReplacedWhenNoBaseUriIsSupplied()
        {
            // Without a configured base URI, the expected target is the request's own URL with only the
            // scheme switched from http to https.
            //
            // NOTE(review): the expected host here is the one reported by the request itself. If that value
            // can be influenced by the client (for example through the Host header), configuring
            // BaseSecureUri / BaseInsecureUri keeps the redirect host under the operator's control.
            // Confirm how request.Url is populated in the target hosting setup.

            // Arrange.
            const string RequestOrigin = "http://www.testsite.com";
            const string RequestPathAndQuery = "/Manage/Default.aspx?Param=SomeValue";

            var requestMock = new Mock<HttpRequestBase>();
            requestMock.SetupGet(r => r.Url).Returns(new Uri(RequestOrigin + RequestPathAndQuery));
            requestMock.SetupGet(r => r.RawUrl).Returns(RequestPathAndQuery);

            // ApplyAppPathModifier is stubbed as an identity function so it does not alter the path.
            var responseMock = new Mock<HttpResponseBase>();
            responseMock.Setup(r => r.ApplyAppPathModifier(It.IsAny<string>())).Returns<string>(path => path);

            var settings = new Settings();
            settings.Mode = Mode.On;
            settings.Paths.Add(new TestPathSetting("/Manage"));

            var enforcer = new SecurityEnforcer(new HeadersSecurityEvaluator());

            // Act.
            var actualUrl = enforcer.GetUriForMatchedSecurityRequest(
                requestMock.Object,
                responseMock.Object,
                RequestSecurity.Secure,
                settings);

            // Assert.
            var secureOrigin = RequestOrigin.Replace("http://", "https://");
            Assert.Equal(secureOrigin + RequestPathAndQuery, actualUrl);
        }
        public void GetUriRequestReturnsNullIfRequestSecurityAlreadyMatchesSpecifiedSecurity()
        {
            // Checks that the enforcer yields no redirect target (null) when the connection's own security
            // state (IsSecureConnection) already equals the security that was asked for.

            // Arrange.
            var requestMock = new Mock<HttpRequestBase>();
            var responseMock = new Mock<HttpResponseBase>();
            var settings = new Settings();
            var enforcer = new SecurityEnforcer(new StandardSecurityEvaluator());

            // Act.
            // Scenario 1: secure connection, Secure requested.
            requestMock.SetupGet(r => r.IsSecureConnection).Returns(true);
            var resultWhenAlreadySecure = enforcer.GetUriForMatchedSecurityRequest(
                requestMock.Object,
                responseMock.Object,
                RequestSecurity.Secure,
                settings);

            // Scenario 2: the same mock is re-configured as an insecure connection, Insecure requested.
            requestMock.SetupGet(r => r.IsSecureConnection).Returns(false);
            var resultWhenAlreadyInsecure = enforcer.GetUriForMatchedSecurityRequest(
                requestMock.Object,
                responseMock.Object,
                RequestSecurity.Insecure,
                settings);

            // Assert.
            Assert.Null(resultWhenAlreadySecure);
            Assert.Null(resultWhenAlreadyInsecure);
        }