public async Task OnAuthorization_WithDifferentUrl_ShouldNotAuthorize() { //Arrange var cryptoService = new HmacSha256CryptographyService(Options); TestServer server = TestServerHelper.CreateServer <string>(Options); var url = "/api/dummy/SomeBewitProtectedUrl"; BewitPayloadContext context = new BewitPayloadContext(typeof(string)) .SetCryptographyService(() => cryptoService) .SetVariablesProvider(() => TestServerHelper.VariablesProvider) .SetRepository(() => TestServerHelper.NonceRepository); var tokenGenerator = new BewitTokenGenerator <string>(Options, context); BewitToken <string> bewitToken = await tokenGenerator.GenerateBewitTokenAsync(url.ToLowerInvariant(), CancellationToken.None); url = "/api/dummy/WithBewitProtection"; var fullUrl = $"{url}?bewit={bewitToken}"; HttpClient client = server.CreateClient(); //Act HttpResponseMessage res = await client.GetAsync(fullUrl, CancellationToken.None); //Assert res.StatusCode.Should().Be(HttpStatusCode.Forbidden); var content = await res.Content.ReadAsStringAsync(); if (content != null) { Assert.Equal(-1, content.IndexOf("bar")); } }
public async Task OnAuthorization_WithAlteredPayloadForUrl_ShouldNotAuthorize() { //Arrange var cryptoService = new HmacSha256CryptographyService(Options); TestServer server = TestServerHelper.CreateServer <string>(Options); var url = "/api/dummy/SomeBewitProtectedUrl"; BewitPayloadContext context = new BewitPayloadContext(typeof(string)) .SetCryptographyService(() => cryptoService) .SetVariablesProvider(() => TestServerHelper.VariablesProvider) .SetRepository(() => TestServerHelper.NonceRepository); var tokenGenerator = new BewitTokenGenerator <string>(Options, context); BewitToken <string> bewitToken = await tokenGenerator.GenerateBewitTokenAsync(url.ToLowerInvariant(), CancellationToken.None); //try to hack the token by replacing the url but reusing the same hash url = "/api/dummy/WithBewitProtection"; var serializedBewit = Encoding.UTF8.GetString(Convert.FromBase64String((string)bewitToken)); Bewit <string> bewitInternal = JsonConvert.DeserializeObject <Bewit <string> >(serializedBewit); var newBewitInternal = new Bewit <string>( bewitInternal.Nonce, bewitInternal.ExpirationDate, url.ToLowerInvariant(), bewitInternal.Hash); serializedBewit = JsonConvert.SerializeObject(newBewitInternal); bewitToken = new BewitToken <string>(Convert.ToBase64String( Encoding.UTF8.GetBytes(serializedBewit) )); var fullUrl = $"{url}?bewit={bewitToken}"; HttpClient client = server.CreateClient(); //Act HttpResponseMessage res = await client.GetAsync(fullUrl, CancellationToken.None); //Assert res.StatusCode.Should().Be(HttpStatusCode.Forbidden); var content = await res.Content.ReadAsStringAsync(); if (content != null) { Assert.Equal(-1, content.IndexOf("bar")); } }
public void GenerateBewitTokenAsync_WithNullPayload_ShouldThrow() { //Arrange ICryptographyService cryptoService = MockHelper.GetMockedCrpytoService <Foo>(); BewitPayloadContext context = new BewitPayloadContext(typeof(string)) .SetCryptographyService(() => cryptoService) .SetVariablesProvider(() => new MockHelper.MockedVariablesProvider()) .SetRepository(() => new DefaultNonceRepository()); var provider = new BewitTokenGenerator <Foo>(new BewitOptions(), context); //Act Func <Task> generateBewit = async() => await provider.GenerateBewitTokenAsync(null, CancellationToken.None); //Assert generateBewit.Should().Throw <ArgumentNullException>(); }
public async Task GenerateBewitTokenAsync_WithDifferentPayload_ShouldGenerateBewit() { //Arrange ICryptographyService cryptoService = MockHelper.GetMockedCrpytoService <Foo>(); BewitPayloadContext context = new BewitPayloadContext(typeof(string)) .SetCryptographyService(() => cryptoService) .SetVariablesProvider(() => new MockHelper.MockedVariablesProvider()) .SetRepository(() => new DefaultNonceRepository()); var provider = new BewitTokenGenerator <Foo>(new BewitOptions(), context); var payload = new Foo { Bar = 5 }; //Act BewitToken <Foo> bewit = await provider.GenerateBewitTokenAsync(payload, CancellationToken.None); //Assert ((string)bewit).Should().Be("eyJQYXlsb2FkIjp7IkJhciI6NX0sIkhhc2giOiI3MjRlN2FjYy1iZTU3LTQ5YTEtODE5NS00NmEwM2M2MjcxYzZfXzIwMTctMDEtMDFUMDE6MDI6MDEuMDAxMDAwMFpfX3tcIkJhclwiOjV9IiwiTm9uY2UiOiI3MjRlN2FjYy1iZTU3LTQ5YTEtODE5NS00NmEwM2M2MjcxYzYiLCJFeHBpcmF0aW9uRGF0ZSI6IjIwMTctMDEtMDFUMDE6MDI6MDEuMDAxWiJ9"); }
public async Task OnAuthorization_WithValidBewitForUrl_ShouldAuthorize() { //Arrange TestServer server = TestServerHelper.CreateServer <IDictionary <string, object> >(Options); BewitPayloadContext context = new BewitPayloadContext(typeof(IDictionary <string, object>)) .SetCryptographyService(() => new HmacSha256CryptographyService(Options)) .SetVariablesProvider(() => TestServerHelper.VariablesProvider) .SetRepository(() => TestServerHelper.NonceRepository); var tokenGenerator = new BewitTokenGenerator <IDictionary <string, object> >(Options, context); const string id = "1", firstName = "John", lastName = "Smith"; var payload = new Dictionary <string, object> { ["firstName"] = "John", ["lastName"] = "Smith" }; BewitToken <IDictionary <string, object> > bewitToken = await tokenGenerator.GenerateBewitTokenAsync( payload, CancellationToken.None); var url = $"/api/dummy/WithBewitParameters/{id}"; var fullUrl = $"{url}?bewit={bewitToken}"; HttpClient client = server.CreateClient(); //Act HttpResponseMessage res = await client.GetAsync(fullUrl, CancellationToken.None); //Assert res.StatusCode.Should().Be(HttpStatusCode.OK); var content = await res.Content.ReadAsStringAsync(); content.Should().Be($"{id}: {firstName} {lastName}"); }