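/// <summary>
/// A bewit issued for one URI must be rejected with 401 when it is presented on a different URI.
/// </summary>
/// <remarks>
/// The bewit is replayed exactly as issued and only the request path is changed.
/// Rewriting the credential id inside the bewit as well would let the request fail for an
/// unrelated reason (unknown id), so a 401 would not show that the URI is covered by the MAC.
/// </remarks>
public async Task MustReturn401WhenUriIsTampered()
        {
            using (var invoker = new HttpMessageInvoker(server))
            using (var request = new HttpRequestMessage(HttpMethod.Get, URI))
            {
                var client = new HawkClient(() => ServerFactory.DefaultCredential);

                // Genuine bewit, issued for URI with a lifetime of 10 seconds.
                string bewit = await client.CreateBewitAsync(request, 10);

                // A fresh request defaults to GET; it carries the untouched bewit on an altered path.
                using (var freshRequest = new HttpRequestMessage())
                {
                    string tamperedUri = URI + "/1";
                    freshRequest.RequestUri = new Uri(tamperedUri + "?bewit=" + bewit);

                    using (var response = await invoker.SendAsync(freshRequest, CancellationToken.None))
                    {
                        Assert.AreEqual(HttpStatusCode.Unauthorized, response.StatusCode);
                    }
                }
            }
        }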
        /// <summary>
        /// Requests a bewit for a POST request and sends that request through the server pipeline.
        /// </summary>
        /// <remarks>
        /// The method contains no assertion. Going by its name, an InvalidOperationException is
        /// expected, presumably declared through a test attribute that this listing does not
        /// show (confirm). Which of the two calls throws cannot be told from here.
        /// </remarks>
        public async Task MustThrowInvalidOperationExceptionWhenBewitUsedWithPost()
        {
            using (var pipeline = new HttpMessageInvoker(server))
            using (var postRequest = new HttpRequestMessage(HttpMethod.Post, URI))
            {
                var hawk = new HawkClient(() => ServerFactory.DefaultCredential);

                // Second argument is the bewit lifetime in seconds.
                await hawk.CreateBewitAsync(postRequest, 10);

                await pipeline.SendAsync(postRequest, CancellationToken.None);
            }
        }
        /// <summary>
        /// A bewit created with a lifetime of zero seconds must be rejected with 401.
        /// </summary>
        public async Task MustReturn401WhenBewitHasExpired()
        {
            using (var pipeline = new HttpMessageInvoker(server))
            using (var getRequest = new HttpRequestMessage(HttpMethod.Get, URI))
            {
                var hawk = new HawkClient(() => ServerFactory.DefaultCredential);

                // Zero-second lifetime: the bewit is meant to be expired by the time it is validated.
                await hawk.CreateBewitAsync(getRequest, 0);

                using (var reply = await pipeline.SendAsync(getRequest, CancellationToken.None))
                {
                    Assert.AreEqual(HttpStatusCode.Unauthorized, reply.StatusCode);
                }
            }
        }
        /// <summary>
        /// A GET request carrying a fresh bewit (10-second lifetime) must succeed with 200,
        /// return the expected body, and carry no server-authorization header in the response.
        /// </summary>
        public async Task MustReturn200WhenBewitIsValid()
        {
            using (var pipeline = new HttpMessageInvoker(server))
            using (var getRequest = new HttpRequestMessage(HttpMethod.Get, URI))
            {
                var hawk = new HawkClient(() => ServerFactory.DefaultCredential);
                await hawk.CreateBewitAsync(getRequest, 10);

                using (var reply = await pipeline.SendAsync(getRequest, CancellationToken.None))
                {
                    Assert.AreEqual(HttpStatusCode.OK, reply.StatusCode);

                    string body = await reply.Content.ReadAsAsync<string>();
                    Assert.AreEqual("Thanks for flying Hawk", body);

                    // The response to a bewit request is expected to be unsigned.
                    bool hasServerAuthorization = reply.Headers.Contains(HawkConstants.ServerAuthorizationHeaderName);
                    Assert.IsFalse(hasServerAuthorization);
                }
            }
        }
Пример #5
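        /// <summary>
        /// Sample console client for a Hawk-protected endpoint: issues a GET and a POST through
        /// <c>HawkValidationHandler</c>, then creates a bewit and uses it for a plain GET.
        /// </summary>
        /// <param name="args">Command-line arguments (unused).</param>
        static void Main(string[] args)
        {
            // Plain HTTP on localhost for the demo. Hawk authenticates messages but does not
            // encrypt them, so a real deployment should run over TLS.
            string uri        = "http://localhost:12345/api/values";
            string headerName = "X-Response-Header-To-Protect";

            // Sample credential hard-coded for the demo only; a real client should load the
            // id and key from protected configuration or a secret store, never from source.
            var credential = new Credential()
            {
                Id        = "dh37fgj492je",
                Algorithm = SupportedAlgorithms.SHA256,
                User      = "******",
                Key       = "werxhqb98rpaxn39848xrunpaw3489ruxnpa98w4rxn"
            };

            // GET and POST using the Authorization header.
            // The verification callback compares the ext value with "<header name>:<header value>".
            // It returns false, instead of throwing, when the protected header is absent or ext
            // is null, so a stripped header is a clean verification failure.
            // NOTE(review): r looks like the response message, going by the header name; confirm.
            var handler = new HawkValidationHandler(credentialsCallback: () => credential,
                                                    verificationCallback: (r, ext) =>
                                                    r.Headers.Contains(headerName) &&
                                                    String.Equals(ext,
                                                                  headerName + ":" + r.Headers.GetValues(headerName).First(),
                                                                  StringComparison.Ordinal));

            using (HttpClient client = HttpClientFactory.Create(handler))
            {
                using (var response = client.GetAsync(uri).Result)
                {
                    Console.WriteLine(response.Content.ReadAsStringAsync().Result);
                }

                using (var response = client.PostAsJsonAsync(uri, credential.User).Result)
                {
                    Console.WriteLine(response.Content.ReadAsStringAsync().Result);
                }
            }

            // GET using Bewit
            var hawkClient = new HawkClient(() => credential);
            string bewit;
            using (var bewitRequest = new HttpRequestMessage(HttpMethod.Get, uri))
            {
                bewit = hawkClient.CreateBewitAsync(bewitRequest, lifeSeconds: 60).Result;
            }

            // Bewit is handed off to a client needing temporary access to the resource.
            // It travels in the query string, so it can end up in logs and browser history;
            // keep the lifetime short and treat the full URL as a secret until it expires.
            using (var clientNeedingTempAccess = new WebClient())
            {
                var resource = clientNeedingTempAccess.DownloadString(uri + "?bewit=" + bewit);

                Console.WriteLine(resource);
            }

            Console.Read();
        }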