public async Task AuthorizeAsyncEvaluatesPoliciesInPriorityOrder()
{
var mockActionDescriptor = new Mock <HttpActionDescriptor>();
var mockDependencyScope = new Mock <IDependencyScope>();
var mockPrincipalPolicy = new Mock <IAuthorizationPolicy>();
var mockSslPolicy = new Mock <IAuthorizationPolicy>();
var httpConfiguration = new HttpConfiguration();
var routeData = new HttpRouteData(new HttpRoute());
var request = new HttpRequestMessage();
var controllerDescriptor = new HttpControllerDescriptor {
Configuration = httpConfiguration, ControllerName = "generic"
};
var controllerContext = new HttpControllerContext(httpConfiguration, routeData, request)
{
ControllerDescriptor = controllerDescriptor
};
var actionContext = new HttpActionContext(controllerContext, mockActionDescriptor.Object);
mockActionDescriptor.SetupGet(descriptor => descriptor.ActionName).Returns("someAction");
mockDependencyScope.Setup(scope => scope.GetServices(It.Is <Type>(param => param == typeof(IAuthorizationPolicy))))
.Returns(new [] { mockPrincipalPolicy.Object, mockSslPolicy.Object });
mockPrincipalPolicy.SetupGet(policy => policy.Enabled).Returns(true);
mockPrincipalPolicy.SetupGet(policy => policy.Priority).Returns(Priority.Low);
mockPrincipalPolicy.SetupGet(policy => policy.Policy).Returns(AuthorizationPolicy.AuthenticatedPrincipal);
mockPrincipalPolicy.Setup(policy => policy.Evaluate(It.Is <HttpActionContext>(context => context == actionContext))).Returns(HttpStatusCode.Unauthorized);
mockSslPolicy.SetupGet(policy => policy.Enabled).Returns(true);
mockSslPolicy.SetupGet(policy => policy.Priority).Returns(Priority.High);
mockSslPolicy.SetupGet(policy => policy.Policy).Returns(AuthorizationPolicy.RequireSsl);
mockSslPolicy.Setup(policy => policy.Evaluate(It.Is <HttpActionContext>(context => context == actionContext))).Returns(HttpStatusCode.Forbidden);
request.SetConfiguration(httpConfiguration);
request.SetRouteData(routeData);
request.Properties.Add(HttpPropertyKeys.DependencyScope, mockDependencyScope.Object);
actionContext.Response = request.CreateResponse(HttpStatusCode.OK, "This was sucessful");
var authAttribute = new OrderFulfillmentAuthorizeAttribute();
await authAttribute.OnAuthorizationAsync(actionContext, CancellationToken.None);
mockSslPolicy.Verify(policy => policy.Evaluate(It.IsAny <HttpActionContext>()), Times.Once, "The SSL policy should have been evaluated because it is higher priority");
mockPrincipalPolicy.Verify(policy => policy.Evaluate(It.IsAny <HttpActionContext>()), Times.Never, "The principal policy should not have been evaluated because it a higher priority policy already failed");
}
public async Task AuthorizeAsyncOverridesASuccessResultWhenNotAuthorized()
{
var mockActionDescriptor = new Mock <HttpActionDescriptor>();
var mockDependencyScope = new Mock <IDependencyScope>();
var mockPrincipalPolicy = new Mock <IAuthorizationPolicy>();
var mockSslPolicy = new Mock <IAuthorizationPolicy>();
var httpConfiguration = new HttpConfiguration();
var routeData = new HttpRouteData(new HttpRoute());
var request = new HttpRequestMessage();
var controllerDescriptor = new HttpControllerDescriptor {
Configuration = httpConfiguration, ControllerName = "generic"
};
var controllerContext = new HttpControllerContext(httpConfiguration, routeData, request)
{
ControllerDescriptor = controllerDescriptor
};
var actionContext = new HttpActionContext(controllerContext, mockActionDescriptor.Object);
var expectedStatus = HttpStatusCode.Unauthorized;
mockActionDescriptor.SetupGet(descriptor => descriptor.ActionName).Returns("someAction");
mockDependencyScope.Setup(scope => scope.GetServices(It.Is <Type>(param => param == typeof(IAuthorizationPolicy))))
.Returns(new [] { mockPrincipalPolicy.Object, mockSslPolicy.Object });
mockPrincipalPolicy.SetupGet(policy => policy.Enabled).Returns(true);
mockPrincipalPolicy.SetupGet(policy => policy.Policy).Returns(AuthorizationPolicy.AuthenticatedPrincipal);
mockPrincipalPolicy.Setup(policy => policy.Evaluate(It.Is <HttpActionContext>(context => context == actionContext))).Returns(expectedStatus);
mockSslPolicy.SetupGet(policy => policy.Enabled).Returns(true);
mockSslPolicy.SetupGet(policy => policy.Policy).Returns(AuthorizationPolicy.RequireSsl);
mockSslPolicy.Setup(policy => policy.Evaluate(It.Is <HttpActionContext>(context => context == actionContext))).Returns((HttpStatusCode?)null);
request.SetConfiguration(httpConfiguration);
request.SetRouteData(routeData);
request.Properties.Add(HttpPropertyKeys.DependencyScope, mockDependencyScope.Object);
actionContext.Response = request.CreateResponse(HttpStatusCode.OK, "This was sucessful");
var authAttribute = new OrderFulfillmentAuthorizeAttribute();
await authAttribute.OnAuthorizationAsync(actionContext, CancellationToken.None);
actionContext.Response.Should().NotBeNull("because a failed authorization should set the result");
actionContext.Response.StatusCode.Should().Be(expectedStatus, "because callers are forbidden when authorization fails.");
}
public async Task AuthorizeAsyncRespectsAFailedRequest()
{
var mockActionDescriptor = new Mock <HttpActionDescriptor>();
var mockDependencyScope = new Mock <IDependencyScope>();
var mockAuthPolicy = new Mock <IAuthorizationPolicy>();
var httpConfiguration = new HttpConfiguration();
var routeData = new HttpRouteData(new HttpRoute());
var request = new HttpRequestMessage();
var controllerDescriptor = new HttpControllerDescriptor {
Configuration = httpConfiguration, ControllerName = "generic"
};
var controllerContext = new HttpControllerContext(httpConfiguration, routeData, request)
{
ControllerDescriptor = controllerDescriptor
};
var actionContext = new HttpActionContext(controllerContext, mockActionDescriptor.Object);
var response = request.CreateResponse(HttpStatusCode.ServiceUnavailable);
mockActionDescriptor.SetupGet(descriptor => descriptor.ActionName).Returns("someAction");
mockDependencyScope.Setup(scope => scope.GetServices(It.Is <Type>(param => param == typeof(IAuthorizationPolicy))))
.Returns(new [] { mockAuthPolicy.Object });
mockAuthPolicy.SetupGet(policy => policy.Enabled).Returns(true);
mockAuthPolicy.SetupGet(policy => policy.Policy).Returns(AuthorizationPolicy.AuthenticatedPrincipal);
mockAuthPolicy.Setup(policy => policy.Evaluate(It.Is <HttpActionContext>(context => context == actionContext))).Returns(HttpStatusCode.Unauthorized);
request.SetConfiguration(httpConfiguration);
request.SetRouteData(routeData);
request.Properties.Add(HttpPropertyKeys.DependencyScope, mockDependencyScope.Object);
actionContext.Response = response;
var authAttribute = new OrderFulfillmentAuthorizeAttribute(AuthorizationPolicy.AuthenticatedPrincipal);
await authAttribute.OnAuthorizationAsync(actionContext, CancellationToken.None);
actionContext.Response.Should().Be(response, "because the existing failure result should have been detected before authorization took place");
mockDependencyScope.Verify(scope => scope.GetServices(It.Is <Type>(param => param == typeof(IAuthorizationPolicy))), Times.Never, "The cancellation should have taken place before a policy was sought");
}
public async Task AuthorizeAsyncDoesNotFailWhenPoliciesAreSatisfied()
{
var mockActionDescriptor = new Mock <HttpActionDescriptor>();
var mockDependencyScope = new Mock <IDependencyScope>();
var mockPrincipalPolicy = new Mock <IAuthorizationPolicy>();
var mockSslPolicy = new Mock <IAuthorizationPolicy>();
var httpConfiguration = new HttpConfiguration();
var routeData = new HttpRouteData(new HttpRoute());
var request = new HttpRequestMessage();
var controllerDescriptor = new HttpControllerDescriptor {
Configuration = httpConfiguration, ControllerName = "generic"
};
var controllerContext = new HttpControllerContext(httpConfiguration, routeData, request)
{
ControllerDescriptor = controllerDescriptor
};
var actionContext = new HttpActionContext(controllerContext, mockActionDescriptor.Object);
mockActionDescriptor.SetupGet(descriptor => descriptor.ActionName).Returns("someAction");
mockDependencyScope.Setup(scope => scope.GetServices(It.Is <Type>(param => param == typeof(IAuthorizationPolicy))))
.Returns(new [] { mockPrincipalPolicy.Object, mockSslPolicy.Object });
mockPrincipalPolicy.SetupGet(policy => policy.Enabled).Returns(true);
mockPrincipalPolicy.SetupGet(policy => policy.Policy).Returns(AuthorizationPolicy.AuthenticatedPrincipal);
mockPrincipalPolicy.Setup(policy => policy.Evaluate(It.Is <HttpActionContext>(context => context == actionContext))).Returns((HttpStatusCode?)null);
mockSslPolicy.SetupGet(policy => policy.Enabled).Returns(true);
mockSslPolicy.SetupGet(policy => policy.Policy).Returns(AuthorizationPolicy.RequireSsl);
mockSslPolicy.Setup(policy => policy.Evaluate(It.Is <HttpActionContext>(context => context == actionContext))).Returns((HttpStatusCode?)null);
request.SetConfiguration(httpConfiguration);
request.SetRouteData(routeData);
request.Properties.Add(HttpPropertyKeys.DependencyScope, mockDependencyScope.Object);
var authAttribute = new OrderFulfillmentAuthorizeAttribute();
await authAttribute.OnAuthorizationAsync(actionContext, CancellationToken.None);
actionContext.Response.Should().BeNull("because a result should only be set on failure");
}
