protected AuthenticationTicket BuildAuthenticationTicket(ServiceTicket ticket)
{
if (ticket == null)
{
return(null);
}
var assertion = ticket.Assertion;
var principal = new CasPrincipal(assertion, ticket.AuthenticationType);
var identity = (principal.Identity as ClaimsIdentity);
if (identity != null)
{
foreach (var claim in ticket.Claims)
{
if (identity.HasClaim(claim.Type, claim.Value))
{
continue;
}
identity.AddClaim(claim.ToClaim());
}
}
return(new AuthenticationTicket(
principal,
new AuthenticationProperties {
IssuedUtc = assertion.ValidFrom,
ExpiresUtc = assertion.ValidUntil
},
ticket.AuthenticationType));
}
private static AuthenticationTicket BuildAuthenticationTicket(ServiceTicket ticket)
{
var assertion = ticket.Assertion;
var principal = new CasPrincipal(assertion, ticket.AuthenticationType);
if (!(principal.Identity is ClaimsIdentity identity))
{
return(new AuthenticationTicket(
principal,
new AuthenticationProperties
{
IssuedUtc = assertion.ValidFrom,
ExpiresUtc = assertion.ValidUntil
},
ticket.AuthenticationType));
}
identity.AddClaims(ticket.Claims);
return(new AuthenticationTicket(
principal,
new AuthenticationProperties
{
IssuedUtc = assertion.ValidFrom,
ExpiresUtc = assertion.ValidUntil
},
ticket.AuthenticationType));
}
public async Task ValidatingAndCreatingTicketSuccess_ShouldResponseWithAuthCookies()
{
// Arrange
var ticketValidator = new Mock <IServiceTicketValidator>();
using var server = CreateServer(options =>
{
options.ServiceTicketValidator = ticketValidator.Object;
options.CasServerUrlBase = _options.CasServerUrlBase;
options.Provider = new CasAuthenticationProvider
{
OnCreatingTicket = context =>
{
var assertion = (context.Identity as CasIdentity)?.Assertion;
if (assertion == null)
{
return(Task.CompletedTask);
}
context.Identity.AddClaim(new Claim(context.Identity.NameClaimType, assertion.PrincipalName));
return(Task.CompletedTask);
}
};
});
var ticket = Guid.NewGuid().ToString();
var principal = new CasPrincipal(new Assertion(Guid.NewGuid().ToString()), CasDefaults.AuthenticationType);
ticketValidator
.Setup(x => x.ValidateAsync(ticket, It.IsAny <string>(), It.IsAny <CancellationToken>()))
.ReturnsAsync(principal);
using var challengeResponse = await server.HttpClient.GetAsync(CookieAuthenticationDefaults.LoginPath.Value).ConfigureAwait(false);
var query = QueryHelpers.ParseQuery(challengeResponse.Headers.Location.Query);
var validateUrl = QueryHelpers.AddQueryString(query["service"], "ticket", ticket);
// Act
using var signinRequest = challengeResponse.GetRequest(validateUrl);
using var signinResponse = await server.HttpClient.SendAsync(signinRequest).ConfigureAwait(false);
// Assert
var cookies = signinResponse.Headers.GetValues("Set-Cookie");
Assert.Contains(cookies, x => x.StartsWith(CookieAuthenticationDefaults.CookiePrefix + CookieAuthenticationDefaults.AuthenticationType));
Assert.Contains(cookies, x => x.StartsWith($"{CookieAuthenticationDefaults.CookiePrefix}Correlation.{CasDefaults.AuthenticationType}"));
Assert.Equal("/", signinResponse.Headers.Location.OriginalString);
using var authorizedRequest = signinResponse.GetRequest("/");
using var authorizedResponse = await server.HttpClient.SendAsync(authorizedRequest).ConfigureAwait(false);
Assert.Equal(HttpStatusCode.OK, authorizedResponse.StatusCode);
var bodyText = await authorizedResponse.Content.ReadAsStringAsync().ConfigureAwait(false);
Assert.Equal(principal.GetPrincipalName(), bodyText);
ticketValidator.Verify(x => x.ValidateAsync(ticket, It.IsAny <string>(), It.IsAny <CancellationToken>()), Times.Once);
}
public async Task CreatingTicketFailureWithoutHandledResponse_ShouldThrows()
{
// Arrange
var ticketValidator = new Mock <IServiceTicketValidator>();
using var server = CreateServer(options =>
{
options.ServiceTicketValidator = ticketValidator.Object;
options.CasServerUrlBase = _options.CasServerUrlBase;
options.Events = new CasEvents
{
OnCreatingTicket = _ => throw new NotSupportedException("test")
};
});
using var client = server.CreateClient();
var ticket = Guid.NewGuid().ToString();
var principal = new CasPrincipal(new Assertion(Guid.NewGuid().ToString()), CasDefaults.AuthenticationType);
ticketValidator
.Setup(x => x.ValidateAsync(ticket, It.IsAny <string>(), It.IsAny <CancellationToken>()))
.ReturnsAsync(principal);
using var challengeResponse = await client.GetAsync(CookieAuthenticationDefaults.LoginPath).ConfigureAwait(false);
var query = QueryHelpers.ParseQuery(challengeResponse.Headers.Location.Query);
var validateUrl = QueryHelpers.AddQueryString(query["service"], "ticket", ticket);
Exception exception = null;
try
{
// Act
using var signinRequest = challengeResponse.GetRequest(validateUrl);
await client.SendAsync(signinRequest).ConfigureAwait(false);
}
catch (Exception e)
{
exception = e;
}
// Assert
Assert.NotNull(exception);
Assert.Equal("An error was encountered while handling the remote login.", exception.Message);
Assert.IsType <NotSupportedException>(exception.InnerException);
}
/// <summary>
/// Attempts to authenticate requests subsequent to the initial authentication
/// request (handled by ProcessTicketValidation). This method looks for a
/// FormsAuthenticationCookie containing a FormsAuthenticationTicket and attempts
/// to confirms its validitiy. It either contains the CAS service ticket or a
/// reference to a CasAuthenticationTicket stored in the ServiceTicketManager
/// (if configured). If it succeeds, the context.User and Thread.CurrentPrincipal
/// are set with a ICasPrincipal and the current request is considered
/// authenticated. Otherwise, the current request is effectively anonymous.
/// </summary>
public void ProcessRequestAuthentication(HttpContextBase httpContext)
{
// Look for a valid FormsAuthenticationTicket encrypted in a cookie.
CasAuthenticationTicket casTicket = null;
FormsAuthenticationTicket formsAuthenticationTicket = GetFormsAuthenticationTicket(httpContext);
if (formsAuthenticationTicket != null)
{
ICasPrincipal principal;
if (_casServices.ServiceTicketManager != null)
{
string serviceTicket = formsAuthenticationTicket.UserData;
casTicket = _casServices.ServiceTicketManager.GetTicket(serviceTicket);
if (casTicket != null)
{
IAssertion assertion = casTicket.Assertion;
if (!_casServices.ServiceTicketManager.VerifyClientTicket(casTicket))
{
Logger.Warning("CasAuthenticationTicket failed verification: {0}", casTicket);
// Deletes the invalid FormsAuthentication cookie from the client.
ClearAuthCookie(httpContext);
_casServices.ServiceTicketManager.RevokeTicket(serviceTicket);
// Don't give this request a User/Principal. Remove it if it was created
// by the underlying FormsAuthenticationModule or another module.
principal = null;
}
else
{
if (_casServices.ProxyTicketManager != null &&
!string.IsNullOrEmpty(casTicket.ProxyGrantingTicketIou) &&
string.IsNullOrEmpty(casTicket.ProxyGrantingTicket))
{
string proxyGrantingTicket = _casServices.ProxyTicketManager.GetProxyGrantingTicket(casTicket.ProxyGrantingTicketIou);
if (!string.IsNullOrEmpty(proxyGrantingTicket))
{
casTicket.ProxyGrantingTicket = proxyGrantingTicket;
}
}
principal = new CasPrincipal(assertion, casTicket.ProxyGrantingTicket, null, casTicket.MaxAttributes);
}
}
else
{
if (httpContext.User != null &&
httpContext.User.Identity is FormsIdentity &&
_authenticationService.GetAuthenticatedUser() != null)
{
return;
}
// This didn't resolve to a ticket in the TicketStore. Revoke it.
ClearAuthCookie(httpContext);
Logger.Debug("Revoking ticket {0}", serviceTicket);
_casServices.ServiceTicketManager.RevokeTicket(serviceTicket);
// Don't give this request a User/Principal. Remove it if it was created
// by the underlying FormsAuthenticationModule or another module.
principal = null;
}
}
else
{
principal = new CasPrincipal(new Assertion(formsAuthenticationTicket.Name));
}
httpContext.User = principal;
Thread.CurrentPrincipal = principal;
if (principal == null)
{
// Remove the cookie from the client
ClearAuthCookie(httpContext);
}
else
{
// Extend the expiration of the cookie if FormsAuthentication is configured to do so.
if (FormsAuthentication.SlidingExpiration)
{
FormsAuthenticationTicket newTicket = FormsAuthentication.RenewTicketIfOld(formsAuthenticationTicket);
if (newTicket != null && newTicket != formsAuthenticationTicket)
{
SetAuthCookie(httpContext, newTicket);
if (_casServices.ServiceTicketManager != null)
{
_casServices.ServiceTicketManager.UpdateTicketExpiration(casTicket, newTicket.Expiration);
}
}
}
}
}
}
public string GetId(CasPrincipal user)
{
return(user.Identity.Name);
}
