protected AuthenticationTicket BuildAuthenticationTicket(ServiceTicket ticket) { if (ticket == null) { return(null); } var assertion = ticket.Assertion; var principal = new CasPrincipal(assertion, ticket.AuthenticationType); var identity = (principal.Identity as ClaimsIdentity); if (identity != null) { foreach (var claim in ticket.Claims) { if (identity.HasClaim(claim.Type, claim.Value)) { continue; } identity.AddClaim(claim.ToClaim()); } } return(new AuthenticationTicket( principal, new AuthenticationProperties { IssuedUtc = assertion.ValidFrom, ExpiresUtc = assertion.ValidUntil }, ticket.AuthenticationType)); }
private static AuthenticationTicket BuildAuthenticationTicket(ServiceTicket ticket) { var assertion = ticket.Assertion; var principal = new CasPrincipal(assertion, ticket.AuthenticationType); if (!(principal.Identity is ClaimsIdentity identity)) { return(new AuthenticationTicket( principal, new AuthenticationProperties { IssuedUtc = assertion.ValidFrom, ExpiresUtc = assertion.ValidUntil }, ticket.AuthenticationType)); } identity.AddClaims(ticket.Claims); return(new AuthenticationTicket( principal, new AuthenticationProperties { IssuedUtc = assertion.ValidFrom, ExpiresUtc = assertion.ValidUntil }, ticket.AuthenticationType)); }
public async Task ValidatingAndCreatingTicketSuccess_ShouldResponseWithAuthCookies() { // Arrange var ticketValidator = new Mock <IServiceTicketValidator>(); using var server = CreateServer(options => { options.ServiceTicketValidator = ticketValidator.Object; options.CasServerUrlBase = _options.CasServerUrlBase; options.Provider = new CasAuthenticationProvider { OnCreatingTicket = context => { var assertion = (context.Identity as CasIdentity)?.Assertion; if (assertion == null) { return(Task.CompletedTask); } context.Identity.AddClaim(new Claim(context.Identity.NameClaimType, assertion.PrincipalName)); return(Task.CompletedTask); } }; }); var ticket = Guid.NewGuid().ToString(); var principal = new CasPrincipal(new Assertion(Guid.NewGuid().ToString()), CasDefaults.AuthenticationType); ticketValidator .Setup(x => x.ValidateAsync(ticket, It.IsAny <string>(), It.IsAny <CancellationToken>())) .ReturnsAsync(principal); using var challengeResponse = await server.HttpClient.GetAsync(CookieAuthenticationDefaults.LoginPath.Value).ConfigureAwait(false); var query = QueryHelpers.ParseQuery(challengeResponse.Headers.Location.Query); var validateUrl = QueryHelpers.AddQueryString(query["service"], "ticket", ticket); // Act using var signinRequest = challengeResponse.GetRequest(validateUrl); using var signinResponse = await server.HttpClient.SendAsync(signinRequest).ConfigureAwait(false); // Assert var cookies = signinResponse.Headers.GetValues("Set-Cookie"); Assert.Contains(cookies, x => x.StartsWith(CookieAuthenticationDefaults.CookiePrefix + CookieAuthenticationDefaults.AuthenticationType)); Assert.Contains(cookies, x => x.StartsWith($"{CookieAuthenticationDefaults.CookiePrefix}Correlation.{CasDefaults.AuthenticationType}")); Assert.Equal("/", signinResponse.Headers.Location.OriginalString); using var authorizedRequest = signinResponse.GetRequest("/"); using var authorizedResponse = await server.HttpClient.SendAsync(authorizedRequest).ConfigureAwait(false); Assert.Equal(HttpStatusCode.OK, authorizedResponse.StatusCode); var bodyText = await authorizedResponse.Content.ReadAsStringAsync().ConfigureAwait(false); Assert.Equal(principal.GetPrincipalName(), bodyText); ticketValidator.Verify(x => x.ValidateAsync(ticket, It.IsAny <string>(), It.IsAny <CancellationToken>()), Times.Once); }
public async Task CreatingTicketFailureWithoutHandledResponse_ShouldThrows() { // Arrange var ticketValidator = new Mock <IServiceTicketValidator>(); using var server = CreateServer(options => { options.ServiceTicketValidator = ticketValidator.Object; options.CasServerUrlBase = _options.CasServerUrlBase; options.Events = new CasEvents { OnCreatingTicket = _ => throw new NotSupportedException("test") }; }); using var client = server.CreateClient(); var ticket = Guid.NewGuid().ToString(); var principal = new CasPrincipal(new Assertion(Guid.NewGuid().ToString()), CasDefaults.AuthenticationType); ticketValidator .Setup(x => x.ValidateAsync(ticket, It.IsAny <string>(), It.IsAny <CancellationToken>())) .ReturnsAsync(principal); using var challengeResponse = await client.GetAsync(CookieAuthenticationDefaults.LoginPath).ConfigureAwait(false); var query = QueryHelpers.ParseQuery(challengeResponse.Headers.Location.Query); var validateUrl = QueryHelpers.AddQueryString(query["service"], "ticket", ticket); Exception exception = null; try { // Act using var signinRequest = challengeResponse.GetRequest(validateUrl); await client.SendAsync(signinRequest).ConfigureAwait(false); } catch (Exception e) { exception = e; } // Assert Assert.NotNull(exception); Assert.Equal("An error was encountered while handling the remote login.", exception.Message); Assert.IsType <NotSupportedException>(exception.InnerException); }
/// <summary> /// Attempts to authenticate requests subsequent to the initial authentication /// request (handled by ProcessTicketValidation). This method looks for a /// FormsAuthenticationCookie containing a FormsAuthenticationTicket and attempts /// to confirms its validitiy. It either contains the CAS service ticket or a /// reference to a CasAuthenticationTicket stored in the ServiceTicketManager /// (if configured). If it succeeds, the context.User and Thread.CurrentPrincipal /// are set with a ICasPrincipal and the current request is considered /// authenticated. Otherwise, the current request is effectively anonymous. /// </summary> public void ProcessRequestAuthentication(HttpContextBase httpContext) { // Look for a valid FormsAuthenticationTicket encrypted in a cookie. CasAuthenticationTicket casTicket = null; FormsAuthenticationTicket formsAuthenticationTicket = GetFormsAuthenticationTicket(httpContext); if (formsAuthenticationTicket != null) { ICasPrincipal principal; if (_casServices.ServiceTicketManager != null) { string serviceTicket = formsAuthenticationTicket.UserData; casTicket = _casServices.ServiceTicketManager.GetTicket(serviceTicket); if (casTicket != null) { IAssertion assertion = casTicket.Assertion; if (!_casServices.ServiceTicketManager.VerifyClientTicket(casTicket)) { Logger.Warning("CasAuthenticationTicket failed verification: {0}", casTicket); // Deletes the invalid FormsAuthentication cookie from the client. ClearAuthCookie(httpContext); _casServices.ServiceTicketManager.RevokeTicket(serviceTicket); // Don't give this request a User/Principal. Remove it if it was created // by the underlying FormsAuthenticationModule or another module. principal = null; } else { if (_casServices.ProxyTicketManager != null && !string.IsNullOrEmpty(casTicket.ProxyGrantingTicketIou) && string.IsNullOrEmpty(casTicket.ProxyGrantingTicket)) { string proxyGrantingTicket = _casServices.ProxyTicketManager.GetProxyGrantingTicket(casTicket.ProxyGrantingTicketIou); if (!string.IsNullOrEmpty(proxyGrantingTicket)) { casTicket.ProxyGrantingTicket = proxyGrantingTicket; } } principal = new CasPrincipal(assertion, casTicket.ProxyGrantingTicket, null, casTicket.MaxAttributes); } } else { if (httpContext.User != null && httpContext.User.Identity is FormsIdentity && _authenticationService.GetAuthenticatedUser() != null) { return; } // This didn't resolve to a ticket in the TicketStore. Revoke it. ClearAuthCookie(httpContext); Logger.Debug("Revoking ticket {0}", serviceTicket); _casServices.ServiceTicketManager.RevokeTicket(serviceTicket); // Don't give this request a User/Principal. Remove it if it was created // by the underlying FormsAuthenticationModule or another module. principal = null; } } else { principal = new CasPrincipal(new Assertion(formsAuthenticationTicket.Name)); } httpContext.User = principal; Thread.CurrentPrincipal = principal; if (principal == null) { // Remove the cookie from the client ClearAuthCookie(httpContext); } else { // Extend the expiration of the cookie if FormsAuthentication is configured to do so. if (FormsAuthentication.SlidingExpiration) { FormsAuthenticationTicket newTicket = FormsAuthentication.RenewTicketIfOld(formsAuthenticationTicket); if (newTicket != null && newTicket != formsAuthenticationTicket) { SetAuthCookie(httpContext, newTicket); if (_casServices.ServiceTicketManager != null) { _casServices.ServiceTicketManager.UpdateTicketExpiration(casTicket, newTicket.Expiration); } } } } } }
public string GetId(CasPrincipal user) { return(user.Identity.Name); }