public void OioWsTrustTokenServiceCacheGivesDifferentTokenTest()
        {
            // Arrange
            IStsTokenService stsTokenService =
                new StsTokenService(
                    TokenServiceConfigurationFactory.CreateConfiguration()
                    );

            var securityToken = stsTokenService.GetToken();

            Thread.Sleep(230000); // Sleep 4 minutes - 10 seconds ... 4 minutes due to default clock skew of 1 minut

            // Act 1
            var securityToken2 = stsTokenService.GetToken();

            // Assert 1
            Assert.AreEqual(securityToken, securityToken2, "Expected that tokens was the same");

            // Act 2
            Thread.Sleep(20000); // Sleep 20 seconds more and token should be expired.
            var securityToken3 = stsTokenService.GetToken();

            // Assert 2
            Assert.AreNotEqual(securityToken, securityToken3, "Expected that tokens was Not the same");
        }
Пример #2
0
        public void OioWsTrustTokenServiceGivesDifferentTokensTest()
        {
            // Arrange
            IStsTokenService stsTokenService =
                new StsTokenService(
                    TokenServiceConfigurationFactory.CreateConfiguration()
                    );
            var securityToken = stsTokenService.GetToken();

            // Act
            var securityToken2 = stsTokenService.GetToken();

            // Assert
            Assert.AreNotEqual(securityToken, securityToken2, "Expected that tokens was NOT the same");
        }
Пример #3
0
        public void OioWsTrustRequestFailDueToReplayAttackTest()
        {
            // Arrange
            IStsTokenService stsTokenService =
                new StsTokenService(
                    TokenServiceConfigurationFactory.CreateConfiguration()
                    );

            byte[] recordedRequest = null;
            _fiddlerApplicationOnBeforeRequest = delegate(Session oS)
            {
                // Only act on requests to WSP
                if (StsHostName != oS.hostname)
                {
                    return;
                }

                // For some reason there are two calls where the first call has en empty body.
                if (oS.RequestBody.Length > 0)
                {
                    if (recordedRequest == null)
                    {
                        // record request
                        recordedRequest = oS.RequestBody;
                    }
                    else
                    {
                        // Replay
                        oS.RequestBody = recordedRequest;
                    }
                }
            };
            FiddlerApplication.BeforeRequest += _fiddlerApplicationOnBeforeRequest;

            stsTokenService.GetToken();

            // Act
            try
            {
                stsTokenService.GetToken();
                Assert.IsTrue(false, "Expected exception was not thrown!!!");
            }
            catch (FaultException fe)
            {
                // Assert
                Assert.AreEqual("The specified request failed", fe.Message);
            }
        }
Пример #4
0
        public void OioWsTrustRequestFailDueToBodyTamperingTest()
        {
            // Arrange
            IStsTokenService stsTokenService =
                new StsTokenService(
                    TokenServiceConfigurationFactory.CreateConfiguration()
                    );

            _fiddlerApplicationOnBeforeRequest = delegate(Session oS)
            {
                // Only act on requests to WSP
                if (StsHostName != oS.hostname)
                {
                    return;
                }

                oS.utilReplaceInRequest("<trust:Lifetime>", "<trust:Lifetime testAttribute=\"Tampered\">");
            };
            FiddlerApplication.BeforeRequest += _fiddlerApplicationOnBeforeRequest;

            // Act
            try
            {
                stsTokenService.GetToken();
                Assert.IsTrue(false, "Expected exception was not thrown!!!");
            }
            catch (FaultException fe)
            {
                // Assert
                Assert.AreEqual("Authentication failed", fe.Message);
            }
        }
        public void OioWsTrustRequestExpiredTest()
        {
            // Arrange
            IStsTokenService stsTokenService =
                new StsTokenService(
                    TokenServiceConfigurationFactory.CreateConfiguration()
                    );

            _fiddlerApplicationOnBeforeRequest = delegate(Session oS)
            {
                // Only act on requests to WSP
                if (StsHostName != oS.hostname)
                {
                    return;
                }

                Thread.Sleep(_wait);
            };
            FiddlerApplication.BeforeRequest += _fiddlerApplicationOnBeforeRequest;

            // Act
            try
            {
                stsTokenService.GetToken();
                Assert.IsTrue(false, "Expected exception was not thrown!!!");
            }
            catch (MessageSecurityException mse)
            {
                // Assert
                var fe = mse.InnerException as FaultException;
                Assert.IsNotNull(fe, "Expected inner fault exception");
                Assert.AreEqual("An error occurred when verifying security for the message.", fe.Message);
            }
        }
Пример #6
0
        public void OioWsTrustRequestFailDueToTokenTamperingTest()
        {
            // Arrange
            IStsTokenService stsTokenService =
                new StsTokenService(
                    TokenServiceConfigurationFactory.CreateConfiguration()
                    );

            _fiddlerApplicationOnBeforeRequest = delegate(Session oS)
            {
                // Only act on requests to WSP
                if (StsHostName != oS.hostname)
                {
                    return;
                }

                // Use xml version instead of utilReplaceInRequest(...) because message id is dynamically
                // For some reason there are two calls where the first call has en empty body.
                if (oS.RequestBody.Length > 0)
                {
                    var bodyAsString     = Encoding.UTF8.GetString(oS.RequestBody);
                    var bodyAsXml        = XDocument.Load(new StringReader(bodyAsString));
                    var namespaceManager = new XmlNamespaceManager(new NameTable());
                    namespaceManager.AddNamespace("s", "http://schemas.xmlsoap.org/soap/envelope/");
                    namespaceManager.AddNamespace("o",
                                                  "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd");
                    var binarySecurityTokenElement =
                        bodyAsXml.XPathSelectElement(
                            "/s:Envelope/s:Header/o:Security/o:BinarySecurityToken",
                            namespaceManager);
                    // Følgende er en gammel udgave af Morten Mortensen MOCES certifikatet. Det får STS til at svare med "The request was invalid or malformed"
                    //binarySecurityTokenElement.Value =
                    //    "MIIGLjCCBRagAwIBAgIEUw9wBzANBgkqhkiG9w0BAQsFADBHMQswCQYDVQQGEwJESzESMBAGA1UECgwJVFJVU1QyNDA4MSQwIgYDVQQDDBtUUlVTVDI0MDggU3lzdGVtdGVzdCBYSVggQ0EwHhcNMTQxMTEwMTQwMTQxWhcNMTcxMTEwMTQwMTMxWjB2MQswCQYDVQQGEwJESzEqMCgGA1UECgwhw5hrb25vbWlzdHlyZWxzZW4gLy8gQ1ZSOjEwMjEzMjMxMTswFwYDVQQDDBBNb3J0ZW4gTW9ydGVuc2VuMCAGA1UEBRMZQ1ZSOjEwMjEzMjMxLVJJRDo5Mzk0NzU1MjCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBALDVoVZz4QT+WP43mTl28pM9+Jy4JtBFV4R/LP2d2xLrAUGnDXn8dkAnTn4xcDll7t1kzCceI4/0ngN/CGwMpxynBbWRhoYWk4DesR34G2XehPiAf4E8Wsup2adyDWbqUUmrbFoyVsN8XCm/O32WSH19hn9nU5zOc0K4C2d0LJRcfsMCwSlQDu7BtEAjCRxYYw3pxnRu2vvzynW7j4txVbp82aGvZnJ0Fq6fvf+99sVBpyfAgHSAmhR5A5CzjlIpW9vG1WjGG8be5OgV+WurUzN9A1bjoXRpKkG9h035KKn6fRZEjI9Ztxd1JoeVkiBQaYdH1O3OW6rXKsfPLtyiCYsCAwEAAaOCAvEwggLtMA4GA1UdDwEB/wQEAwID+DCBlwYIKwYBBQUHAQEEgYowgYcwPAYIKwYBBQUHMAGGMGh0dHA6Ly9vY3NwLnN5c3RlbXRlc3QxOS50cnVzdDI0MDguY29tL3Jlc3BvbmRlcjBHBggrBgEFBQcwAoY7aHR0cDovL20uYWlhLnN5c3RlbXRlc3QxOS50cnVzdDI0MDguY29tL3N5c3RlbXRlc3QxOS1jYS5jZXIwggEgBgNVHSAEggEXMIIBEzCCAQ8GDSsGAQQBgfRRAgQGAgUwgf0wLwYIKwYBBQUHAgEWI2h0dHA6Ly93d3cudHJ1c3QyNDA4LmNvbS9yZXBvc2l0b3J5MIHJBggrBgEFBQcCAjCBvDAMFgVEYW5JRDADAgEBGoGrRGFuSUQgdGVzdCBjZXJ0aWZpa2F0ZXIgZnJhIGRlbm5lIENBIHVkc3RlZGVzIHVuZGVyIE9JRCAxLjMuNi4xLjQuMS4zMTMxMy4yLjQuNi4yLjUuIERhbklEIHRlc3QgY2VydGlmaWNhdGVzIGZyb20gdGhpcyBDQSBhcmUgaXNzdWVkIHVuZGVyIE9JRCAxLjMuNi4xLjQuMS4zMTMxMy4yLjQuNi4yLjUuMCUGA1UdEQQeMByBGmtmb2JzX3Rlc3RAbm92b25vcmRpc2suY29tMIGqBgNVHR8EgaIwgZ8wPKA6oDiGNmh0dHA6Ly9jcmwuc3lzdGVtdGVzdDE5LnRydXN0MjQwOC5jb20vc3lzdGVtdGVzdDE5LmNybDBfoF2gW6RZMFcxCzAJBgNVBAYTAkRLMRIwEAYDVQQKDAlUUlVTVDI0MDgxJDAiBgNVBAMMG1RSVVNUMjQwOCBTeXN0ZW10ZXN0IFhJWCBDQTEOMAwGA1UEAwwFQ1JMMTYwHwYDVR0jBBgwFoAUzAJVDOSBdK8gVNURFFeckVI4f6AwHQYDVR0OBBYEFKuH3e+mCu7y3/brN7zXSkvo6MwKMAkGA1UdEwQCMAAwDQYJKoZIhvcNAQELBQADggEBAESudYwnM/vbo5cMrUvgnpSgJUZhsQnSzLMwJTsT45OS3O+yct1ci9vPI1ExFZeAisC0bROV3tlsPuDiAVgmErgrHbrz1CmNqIxNcQvkqeL1sQtsrMSRicyILvU7Ve0N0gryR/axG+7D3U488X3oxXtJlS/9WZd33FVDnTIo7Asb+c1clqlUa/DSeBBdZ19L4DbfEkamLA96trEkH1hUTZfRXLFvYW5w8w+muaBu7eL84zzTxpGZxYM14ap+cQHuq+uczDsGDDUKc/BHUmN1UuQ0QCCxHegMHUDD8KXVsosj5wUXOLzd8WwKjPyUTxKPAI5xv9/Bim4mAA7eYc+3lXs=";
                    // Følgende er den nye udgave af Morten Mortensen MOCES certifikatet. Det får STS til at svare korrekt med "The request was invalid or malformed".
                    binarySecurityTokenElement.Value =
                        "MIIGJzCCBQ+gAwIBAgIEVp5ySzANBgkqhkiG9w0BAQsFADBHMQswCQYDVQQGEwJESzESMBAGA1UECgwJVFJVU1QyNDA4MSQwIgYDVQQDDBtUUlVTVDI0MDggU3lzdGVtdGVzdCBYSVggQ0EwHhcNMTYwNTE3MTE1NDM0WhcNMTkwNTE3MTE1NDE4WjB2MQswCQYDVQQGEwJESzEqMCgGA1UECgwhw5hrb25vbWlzdHlyZWxzZW4gLy8gQ1ZSOjEwMjEzMjMxMTswFwYDVQQDDBBNb3J0ZW4gTW9ydGVuc2VuMCAGA1UEBRMZQ1ZSOjEwMjEzMjMxLVJJRDo5Mzk0NzU1MjCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAIwVzTYsKncrByNHU1M8HVHh5ZdiZAc2yQavTMFkQ0X9Wu4FGMcddH5XvnXsNHipBJ8gZh9HrIza6gujPrlZJvtQG+rhjiKhAaQbMN5yWY2E8H1Lv7aLB3bd1ShGccT/SeMJ3Lrn0xA8HedgYPlf4lYce8y20wlqe2ZBFG5664RBW3KuNapqP++XyJ0KMS5OE17Max/oOzBx4106DDXsMdMNQRtTBT0kJvAs0jiu9Wr/g9TMhM8wot+lsYMHZR8ecYbX70eQJLPI5YErjSkA5pzWO7z1SfewdQguUr71uIDjH2C1A2vIJFyPof6idpKYQJsSshQZWqLbExBr6JDtJYkCAwEAAaOCAuowggLmMA4GA1UdDwEB/wQEAwID+DCBlwYIKwYBBQUHAQEEgYowgYcwPAYIKwYBBQUHMAGGMGh0dHA6Ly9vY3NwLnN5c3RlbXRlc3QxOS50cnVzdDI0MDguY29tL3Jlc3BvbmRlcjBHBggrBgEFBQcwAoY7aHR0cDovL20uYWlhLnN5c3RlbXRlc3QxOS50cnVzdDI0MDguY29tL3N5c3RlbXRlc3QxOS1jYS5jZXIwggEgBgNVHSAEggEXMIIBEzCCAQ8GDSsGAQQBgfRRAgQGAgUwgf0wLwYIKwYBBQUHAgEWI2h0dHA6Ly93d3cudHJ1c3QyNDA4LmNvbS9yZXBvc2l0b3J5MIHJBggrBgEFBQcCAjCBvDAMFgVEYW5JRDADAgEBGoGrRGFuSUQgdGVzdCBjZXJ0aWZpa2F0ZXIgZnJhIGRlbm5lIENBIHVkc3RlZGVzIHVuZGVyIE9JRCAxLjMuNi4xLjQuMS4zMTMxMy4yLjQuNi4yLjUuIERhbklEIHRlc3QgY2VydGlmaWNhdGVzIGZyb20gdGhpcyBDQSBhcmUgaXNzdWVkIHVuZGVyIE9JRCAxLjMuNi4xLjQuMS4zMTMxMy4yLjQuNi4yLjUuMB4GA1UdEQQXMBWBE0tGT0JTX1RFU1RAbm5pdC5jb20wgaoGA1UdHwSBojCBnzA8oDqgOIY2aHR0cDovL2NybC5zeXN0ZW10ZXN0MTkudHJ1c3QyNDA4LmNvbS9zeXN0ZW10ZXN0MTkuY3JsMF+gXaBbpFkwVzELMAkGA1UEBhMCREsxEjAQBgNVBAoMCVRSVVNUMjQwODEkMCIGA1UEAwwbVFJVU1QyNDA4IFN5c3RlbXRlc3QgWElYIENBMQ4wDAYDVQQDDAVDUkw2NDAfBgNVHSMEGDAWgBTMAlUM5IF0ryBU1REUV5yRUjh/oDAdBgNVHQ4EFgQUEWdFrMEb7hG5I2QaLQx4eevxXD8wCQYDVR0TBAIwADANBgkqhkiG9w0BAQsFAAOCAQEAetwAPoeMMHE9zRSVcGsK3TTo6+YqORR78HXFel4Yg4j7SE3HLSHcrOYaVT/ouUcLqufEWiKRVDpZ4QShSV1hfcF3UhufKCLhMf/sNuc97e/ptOVciN76q+6jNJ+1fAtwNk+myf8lqR1r5CGCk5TDZZv64GR3Q5nhQTBG6wCCUE2vP22bDjY9h+ibfSl4eQG56rNXsDSMMnOB6Fqm9mwPXKUedF8ezHJeRAb1JQtDxkt0oy94i53EaCj6Hd6LzI4Gfq7ReorkuVJvqv+pcpPfZN9FkbbK/o62DMTw3wb+uGh/8VehGOpV05EkafClZ0lqwXpndnI+dbS6PvJpmoqElg==";
                    oS.RequestBody = Encoding.UTF8.GetBytes(bodyAsXml.ToString(SaveOptions.DisableFormatting));
                }
            };
            FiddlerApplication.BeforeRequest += _fiddlerApplicationOnBeforeRequest;

            // Act
            try
            {
                stsTokenService.GetToken();
                Assert.IsTrue(false, "Expected exception was not thrown!!!");
            }
            catch (FaultException fe)
            {
                // Assert
                Assert.AreEqual("Authentication failed", fe.Message);
            }
        }
Пример #7
0
        public void OioWsTrustRequestFailDueToHeaderSecurityTamperingTest()
        {
            // Arrange
            IStsTokenService stsTokenService =
                new StsTokenService(
                    TokenServiceConfigurationFactory.CreateConfiguration()
                    );

            _fiddlerApplicationOnBeforeRequest = delegate(Session oS)
            {
                // Only act on requests to WSP
                if (StsHostName != oS.hostname)
                {
                    return;
                }

                // Use xml version instead of utilReplaceInRequest(...) because message id is dynamically
                // For some reason there are two calls where the first call has en empty body.
                if (oS.RequestBody.Length > 0)
                {
                    var bodyAsString     = Encoding.UTF8.GetString(oS.RequestBody);
                    var bodyAsXml        = XDocument.Load(new StringReader(bodyAsString));
                    var namespaceManager = new XmlNamespaceManager(new NameTable());
                    namespaceManager.AddNamespace("s", "http://schemas.xmlsoap.org/soap/envelope/");
                    namespaceManager.AddNamespace("o",
                                                  "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd");
                    namespaceManager.AddNamespace("u",
                                                  "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd");
                    var createdTimestampElement =
                        bodyAsXml.XPathSelectElement("/s:Envelope/s:Header/o:Security/u:Timestamp/u:Created",
                                                     namespaceManager);
                    var dateTime       = DateTime.Parse(createdTimestampElement.Value);
                    var addMinutes     = dateTime.AddMinutes(1);
                    var longDateString = addMinutes.ToUniversalTime().ToString(TimeFormat);
                    createdTimestampElement.Value = longDateString;
                    oS.RequestBody = Encoding.UTF8.GetBytes(bodyAsXml.ToString(SaveOptions.DisableFormatting));
                }
            };
            FiddlerApplication.BeforeRequest += _fiddlerApplicationOnBeforeRequest;

            // Act
            try
            {
                stsTokenService.GetToken();
                Assert.IsTrue(false, "Expected exception was not thrown!!!");
            }
            catch (FaultException fe)
            {
                // Assert
                Assert.AreEqual("Authentication failed", fe.Message);
            }
        }
Пример #8
0
        public void TotalFlowSucessTest()
        {
            // Arrange
            IStsTokenService stsTokenService =
                new StsTokenService(
                    TokenServiceConfigurationFactory.CreateConfiguration()
                    );

            // Act
            var securityToken = stsTokenService.GetToken();

            // Assert
            Assert.IsNotNull(securityToken);
        }
Пример #9
0
        public void OioWsTrustResponseFailDueToHeaderActionTamperingTest()
        {
            // Arrange
            IStsTokenService stsTokenService =
                new StsTokenService(
                    TokenServiceConfigurationFactory.CreateConfiguration()
                    );

            _fiddlerApplicationOnBeforeRequest = delegate(Session oS)
            {
                // Only act on requests to WSP
                if (StsHostName != oS.hostname)
                {
                    return;
                }

                // In order to enable response tampering, buffering mode must
                // be enabled; this allows FiddlerCore to permit modification of
                // the response in the BeforeResponse handler rather than streaming
                // the response to the client as the response comes in.
                oS.bBufferResponse = true;
            };
            FiddlerApplication.BeforeRequest += _fiddlerApplicationOnBeforeRequest;


            _fiddlerApplicationOnBeforeResponse = delegate(Session oS)
            {
                // Only act on requests to WSP
                if (StsHostName != oS.hostname)
                {
                    return;
                }

                oS.utilReplaceInResponse("<wsa:Action", "<wsa:Action testAttribute=\"Tampered\"");
            };
            FiddlerApplication.BeforeResponse += _fiddlerApplicationOnBeforeResponse;

            // Act
            try
            {
                stsTokenService.GetToken();
                Assert.IsTrue(false, "Expected exception was not thrown!!!");
            }
            catch (InvalidOperationException ioe)
            {
                // Assert
                Assert.AreEqual("SOAP signature recieved from STS does not validate!", ioe.Message);
            }
        }
        public void OioWsTrustResponseExpiredTest()
        {
            // Arrange
            IStsTokenService stsTokenService =
                new StsTokenService(
                    TokenServiceConfigurationFactory.CreateConfiguration()
                    );

            _fiddlerApplicationOnBeforeRequest = delegate(Session oS)
            {
                // Only act on requests to WSP
                if (StsHostName != oS.hostname)
                {
                    return;
                }

                // it not set then Thread.Sleep is ignored on the response.
                oS.bBufferResponse = true;
            };
            FiddlerApplication.BeforeRequest += _fiddlerApplicationOnBeforeRequest;

            _fiddlerApplicationOnBeforeResponse = delegate(Session oS)
            {
                // Only act on requests to WSP
                if (StsHostName != oS.hostname)
                {
                    return;
                }

                Thread.Sleep(_wait);
            };
            FiddlerApplication.BeforeResponse += _fiddlerApplicationOnBeforeResponse;

            // Act
            try
            {
                stsTokenService.GetToken();
                Assert.IsTrue(false, "Expected exception was not thrown!!!");
            }
            catch (MessageSecurityException mse)
            {
                // Assert
                Assert.IsTrue(mse.Message.StartsWith("The security timestamp is stale because its expiration time"));
            }
        }
Пример #11
0
        public void OioWsTrustRequestFailDueToHeaderMessageIdTamperingTest()
        {
            // Arrange
            IStsTokenService stsTokenService = new StsTokenService(TokenServiceConfigurationFactory.CreateConfiguration());

            _fiddlerApplicationOnBeforeRequest = delegate(Session oS)
            {
                // Only act on requests to WSP
                if (StsHostName != oS.hostname)
                {
                    return;
                }

                // Use xml version instead of utilReplaceInRequest(...) because message id is dynamically
                // For some reason there are two calls where the first call has en empty body.
                if (oS.RequestBody.Length > 0)
                {
                    var bodyAsString     = Encoding.UTF8.GetString(oS.RequestBody);
                    var bodyAsXml        = XDocument.Load(new StringReader(bodyAsString));
                    var namespaceManager = new XmlNamespaceManager(new NameTable());
                    namespaceManager.AddNamespace("s", "http://schemas.xmlsoap.org/soap/envelope/");
                    namespaceManager.AddNamespace("a", "http://www.w3.org/2005/08/addressing");
                    var messageIdElement = bodyAsXml.XPathSelectElement("/s:Envelope/s:Header/a:MessageID",
                                                                        namespaceManager);
                    messageIdElement.Value = "uuid:0e07468e-42b2-4813-b837-6c2c6122a9c9";
                    oS.RequestBody         = Encoding.UTF8.GetBytes(bodyAsXml.ToString(SaveOptions.DisableFormatting));
                }
            };
            FiddlerApplication.BeforeRequest += _fiddlerApplicationOnBeforeRequest;

            // Act
            try
            {
                stsTokenService.GetToken();
                Assert.IsTrue(false, "Expected exception was not thrown!!!");
            }
            catch (FaultException fe)
            {
                // Assert
                Assert.AreEqual("Authentication failed", fe.Message);
            }
        }
Пример #12
0
        public void OioWsTrustResponseFailDueToReplayAttackTest()
        {
            // Arrange
            IStsTokenService stsTokenService =
                new StsTokenService(
                    TokenServiceConfigurationFactory.CreateConfiguration()
                    );

            byte[] recordedResponse = null;
            _fiddlerApplicationOnBeforeRequest = delegate(Session oS)
            {
                // Only act on requests to WSP
                if (StsHostName != oS.hostname)
                {
                    return;
                }

                // In order to enable response tampering, buffering mode must
                // be enabled; this allows FiddlerCore to permit modification of
                // the response in the BeforeResponse handler rather than streaming
                // the response to the client as the response comes in.
                oS.bBufferResponse = true;
            };
            FiddlerApplication.BeforeRequest += _fiddlerApplicationOnBeforeRequest;

            _fiddlerApplicationOnBeforeResponse = delegate(Session oS)
            {
                // Only act on requests to WSP
                if (StsHostName != oS.hostname)
                {
                    return;
                }

                // For some reason there are two calls where the first call has en empty body.
                if (oS.RequestBody.Length > 0)
                {
                    if (recordedResponse == null)
                    {
                        // record request
                        recordedResponse = oS.ResponseBody;
                    }
                    else
                    {
                        // Replay
                        oS.ResponseBody = recordedResponse;
                    }
                }
            };
            FiddlerApplication.BeforeResponse += _fiddlerApplicationOnBeforeResponse;

            stsTokenService.GetToken();

            // Act
            try
            {
                stsTokenService.GetToken();
                Assert.IsTrue(false, "Expected exception was not thrown!!!");
            }
            catch (InvalidOperationException ioe)
            {
                // Assert
                Assert.IsTrue(ioe.Message.StartsWith("Replay attack detected. Response message id:"), "Replay attack not detected!");
            }
        }
Пример #13
0
        public void OioWsTrustResponseFailDueToHeaderRelatesToTamperingTest()
        {
            // Arrange
            IStsTokenService stsTokenService =
                new StsTokenService(
                    TokenServiceConfigurationFactory.CreateConfiguration()
                    );

            _fiddlerApplicationOnBeforeRequest = delegate(Session oS)
            {
                // Only act on requests to WSP
                if (StsHostName != oS.hostname)
                {
                    return;
                }

                // In order to enable response tampering, buffering mode must
                // be enabled; this allows FiddlerCore to permit modification of
                // the response in the BeforeResponse handler rather than streaming
                // the response to the client as the response comes in.
                oS.bBufferResponse = true;
            };
            FiddlerApplication.BeforeRequest += _fiddlerApplicationOnBeforeRequest;


            _fiddlerApplicationOnBeforeResponse = delegate(Session oS)
            {
                // Only act on requests to WSP
                if (StsHostName != oS.hostname)
                {
                    return;
                }

                // Use xml version instead of utilReplaceInRequest(...) because message id is dynamically
                // For some reason there are two calls where the first call has en empty body.
                if (oS.RequestBody.Length > 0)
                {
                    var bodyAsString     = Encoding.UTF8.GetString(oS.ResponseBody);
                    var bodyAsXml        = XDocument.Load(new StringReader(bodyAsString));
                    var namespaceManager = new XmlNamespaceManager(new NameTable());
                    namespaceManager.AddNamespace("s", "http://schemas.xmlsoap.org/soap/envelope/");
                    namespaceManager.AddNamespace("a", "http://www.w3.org/2005/08/addressing");
                    var relatesToIdElement = bodyAsXml.XPathSelectElement("/s:Envelope/s:Header/a:RelatesTo",
                                                                          namespaceManager);
                    relatesToIdElement.Value = "urn:uuid:0e07468e-42b2-4813-b837-6c2c6122a9c9";
                    oS.ResponseBody          = Encoding.UTF8.GetBytes(bodyAsXml.ToString(SaveOptions.DisableFormatting));
                }
            };
            FiddlerApplication.BeforeResponse += _fiddlerApplicationOnBeforeResponse;

            // Act
            try
            {
                stsTokenService.GetToken();
                Assert.IsTrue(false, "Expected exception was not thrown!!!");
            }
            catch (InvalidOperationException ioe)
            {
                // Assert
                Assert.AreEqual("SOAP signature recieved from STS does not validate!", ioe.Message);
            }
        }