public async Task Upserts() { var hmac = new HMACSignatureAlgorithm("s3cr3t", HashAlgorithmName.SHA384); var client1 = new Client( "c1", "app one", hmac, TimeSpan.FromMinutes(1), TimeSpan.FromMinutes(2), RequestTargetEscaping.RFC3986, new Claim("company", "Dalion"), new Claim("scope", "HttpMessageSigning")); await _sut.Register(client1); var client2 = new Client( "c1", "app two", hmac, TimeSpan.FromMinutes(1), TimeSpan.FromMinutes(3), RequestTargetEscaping.OriginalString, new Claim("company", "Dalion"), new Claim("scope", "HttpMessageSigning")); await _sut.Register(client2); var actual = await _sut.Get(client1.Id); actual.Should().BeEquivalentTo(client2, options => options.ComparingByMembers <Client>()); }
public async Task WhenEncryptionKeyIsNullOrEmpty_DoesNotEncryptHMACSecretInDatabase(string nullOrEmpty) { using (var sut = new MongoDbClientStore( new MongoDatabaseClientProvider(Database), _collectionName, nullOrEmpty, _migrator, _signatureAlgorithmDataRecordConverter)) { var hmac = new HMACSignatureAlgorithm("s3cr3t", HashAlgorithmName.SHA384); var client = new Client( "c1", "app one", hmac, TimeSpan.FromMinutes(1), TimeSpan.FromMinutes(2), RequestTargetEscaping.RFC2396, new Claim("company", "Dalion"), new Claim("scope", "HttpMessageSigning")); await sut.Register(client); var collection = Database.GetCollection <ClientDataRecordV2>(_collectionName); var findResult = await collection.FindAsync <ClientDataRecordV2>(new ExpressionFilterDefinition <ClientDataRecordV2>(r => r.Id == client.Id)); var loaded = await findResult.SingleAsync(); loaded.SignatureAlgorithm.Parameter.Should().NotBeNullOrEmpty(); var unencryptedKey = Encoding.UTF8.GetString(hmac.Key); loaded.SignatureAlgorithm.Parameter.Should().Be(unencryptedKey); loaded.SignatureAlgorithm.IsParameterEncrypted.Should().BeFalse(); } }
public async Task WhenEncryptionKeyIsNullOrEmpty_DoesNotEncryptHMACSecretInFile(string nullOrEmpty) { using (var sut = new FileSystemClientStore(_fileManager, _signatureAlgorithmDataRecordConverter, nullOrEmpty)) { var hmac = new HMACSignatureAlgorithm("s3cr3t", HashAlgorithmName.SHA384); var client = new Client( "c1", "app one", hmac, TimeSpan.FromMinutes(1), TimeSpan.FromMinutes(2), RequestTargetEscaping.RFC2396, new Claim("company", "Dalion"), new Claim("scope", "HttpMessageSigning")); await sut.Register(client); var dataRecords = await _fileManager.Read(); var loaded = dataRecords.Single(r => r.Id == client.Id); loaded.SigAlg.Param.Should().NotBeNullOrEmpty(); var unencryptedKey = Encoding.UTF8.GetString(hmac.Key); loaded.SigAlg.Param.Should().Be($"<Secret>{unencryptedKey}</Secret>"); loaded.SigAlg.Encrypted.Should().BeFalse(); } }
public async Task EncryptsHMACSecretInDatabase() { var hmac = new HMACSignatureAlgorithm("s3cr3t", HashAlgorithmName.SHA384); var client = new Client( "c1", "app one", hmac, TimeSpan.FromMinutes(1), TimeSpan.FromMinutes(2), RequestTargetEscaping.RFC2396, new Claim("company", "Dalion"), new Claim("scope", "HttpMessageSigning")); await _sut.Register(client); var collection = Database.GetCollection <ClientDataRecordV2>(_collectionName); var findResult = await collection.FindAsync <ClientDataRecordV2>(new ExpressionFilterDefinition <ClientDataRecordV2>(r => r.Id == client.Id)); var loaded = await findResult.SingleAsync(); loaded.SignatureAlgorithm.Parameter.Should().NotBeNullOrEmpty(); var unencryptedKey = Encoding.UTF8.GetString(hmac.Key); var encryptedKey = new FakeStringProtector().Protect(unencryptedKey); loaded.SignatureAlgorithm.Parameter.Should().Be(encryptedKey); loaded.SignatureAlgorithm.IsParameterEncrypted.Should().BeTrue(); }
public async Task WhenEncryptionKeyIsNullOrEmpty_DoesNotEncryptHMACSecretInDatabase(string nullOrEmpty) { using (var sut = new SqlServerClientStore(new SqlServerClientStoreSettings { ConnectionString = _connectionString, SharedSecretEncryptionKey = nullOrEmpty }, new SignatureAlgorithmConverter(new FakeStringProtectorFactory()))) { var hmac = new HMACSignatureAlgorithm("s3cr3t", HashAlgorithmName.SHA384); var client = new Client( "c1", "app one", hmac, TimeSpan.FromMinutes(1), TimeSpan.FromMinutes(2), RequestTargetEscaping.RFC2396, new Claim("company", "Dalion"), new Claim("scope", "HttpMessageSigning")); await sut.Register(client); var loaded = await LoadFromDb(client.Id); loaded.SigParameter.Should().NotBeNullOrEmpty(); var unencryptedKey = Encoding.UTF8.GetString(hmac.Key); loaded.SigParameter.Should().Be(unencryptedKey); loaded.IsSigParameterEncrypted.Should().BeFalse(); } }
public async Task EncryptsHMACSecretInFile() { var hmac = new HMACSignatureAlgorithm("s3cr3t", HashAlgorithmName.SHA384); var client = new Client( "c1", "app one", hmac, TimeSpan.FromMinutes(1), TimeSpan.FromMinutes(2), RequestTargetEscaping.RFC2396, new Claim("company", "Dalion"), new Claim("scope", "HttpMessageSigning")); await _sut.Register(client); var dataRecords = await _fileManager.Read(); var loaded = dataRecords.Single(r => r.Id == client.Id); loaded.SigAlg.Param.Should().NotBeNullOrEmpty(); var unencryptedKey = Encoding.UTF8.GetString(hmac.Key); var encryptedKey = new FakeStringProtector().Protect(unencryptedKey); loaded.SigAlg.Param.Should().Be($"<Secret>{encryptedKey}</Secret>"); loaded.SigAlg.Encrypted.Should().BeTrue(); }
public void GivenHMACDataRecord_ReturnsHMACDataRecord() { using (var actual = _sut.ToSignatureAlgorithm(_dataRecord, _encryptionKey, _recordVersion)) { var expected = new HMACSignatureAlgorithm(_unencryptedKey, HashAlgorithmName.MD5); actual.Should().BeAssignableTo <HMACSignatureAlgorithm>(); actual.As <HMACSignatureAlgorithm>().Should().BeEquivalentTo(expected); } }
public CreateWithSignatureAlgorithm() { _keyId = (KeyId)"id1"; _name = "test client"; _signatureAlgorithm = new HMACSignatureAlgorithm("s3cr3t", HashAlgorithmName.SHA256); _configureOptions = opts => { opts.Claims = new[] { new Claim("c1", "v1") }; opts.ClockSkew = TimeSpan.FromMinutes(10); opts.NonceLifetime = TimeSpan.FromMinutes(3); opts.RequestTargetEscaping = RequestTargetEscaping.OriginalString; }; }
public async Task CanDeserializeLegacyClientsWithoutVersion() { var collection = Database.GetCollection <BsonDocument>(_collectionName); var legacyJson = @"{ ""_id"" : ""c5"", ""Name"" : ""app one"", ""SignatureAlgorithm"" : { ""Type"" : ""HMAC"", ""Parameter"" : ""s3cr3t"", ""HashAlgorithm"" : ""SHA384"" }, ""NonceExpiration"" : 300.0, ""RequestTargetEscaping"" : ""RFC2396"", ""ClockSkew"" : 240.0, ""Claims"" : [ { ""Issuer"" : ""LOCAL AUTHORITY"", ""OriginalIssuer"" : ""LOCAL AUTHORITY"", ""Type"" : ""company"", ""Value"" : ""Dalion"", ""ValueType"" : ""http://www.w3.org/2001/XMLSchema#string"" }, { ""Issuer"" : ""LOCAL AUTHORITY"", ""OriginalIssuer"" : ""LOCAL AUTHORITY"", ""Type"" : ""scope"", ""Value"" : ""HttpMessageSigning"", ""ValueType"" : ""http://www.w3.org/2001/XMLSchema#string"" } ] }"; var legacyDocument = BsonSerializer.Deserialize <BsonDocument>(legacyJson); await collection.InsertOneAsync(legacyDocument); var actual = await _sut.Get(new KeyId("c5")); var hmac = new HMACSignatureAlgorithm("s3cr3t", HashAlgorithmName.SHA384); var expected = new Client( "c5", "app one", hmac, TimeSpan.FromMinutes(5), TimeSpan.FromMinutes(4), RequestTargetEscaping.RFC2396, new Claim("company", "Dalion"), new Claim("scope", "HttpMessageSigning")); actual.Should().BeEquivalentTo(expected, options => options.ComparingByMembers <Client>()); actual.SignatureAlgorithm.Should().BeAssignableTo <HMACSignatureAlgorithm>(); actual.SignatureAlgorithm.As <HMACSignatureAlgorithm>().Key.Should().Equal(Encoding.UTF8.GetBytes("s3cr3t")); actual.SignatureAlgorithm.As <HMACSignatureAlgorithm>().HashAlgorithm.Should().Be(HashAlgorithmName.SHA384); }
public async Task CanRoundTripHMAC() { var hmac = new HMACSignatureAlgorithm("s3cr3t", HashAlgorithmName.SHA384); var client = new Client("c1", "app one", hmac, TimeSpan.FromMinutes(1), new Claim("company", "Dalion"), new Claim("scope", "HttpMessageSigning")); await _sut.Register(client); var actual = await _sut.Get(client.Id); actual.Should().BeEquivalentTo(client); actual.SignatureAlgorithm.Should().BeAssignableTo <HMACSignatureAlgorithm>(); actual.SignatureAlgorithm.As <HMACSignatureAlgorithm>().Secret.Should().Be("s3cr3t"); actual.SignatureAlgorithm.As <HMACSignatureAlgorithm>().HashAlgorithm.Should().Be(HashAlgorithmName.SHA384); }
public async Task CanRoundTripHMAC() { var hmac = new HMACSignatureAlgorithm("s3cr3t", HashAlgorithmName.SHA384); var client = new Client("c1", "app one", hmac, TimeSpan.FromMinutes(1), TimeSpan.FromMinutes(2), new Claim("company", "Dalion"), new Claim("scope", "HttpMessageSigning")); await _sut.Register(client); var actual = await _sut.Get(client.Id); actual.Should().BeEquivalentTo(client, options => options.ComparingByMembers <Client>()); actual.SignatureAlgorithm.Should().BeAssignableTo <HMACSignatureAlgorithm>(); actual.SignatureAlgorithm.As <HMACSignatureAlgorithm>().Key.Should().Equal(Encoding.UTF8.GetBytes("s3cr3t")); actual.SignatureAlgorithm.As <HMACSignatureAlgorithm>().HashAlgorithm.Should().Be(HashAlgorithmName.SHA384); }
public async Task Upserts() { var hmac = new HMACSignatureAlgorithm("s3cr3t", HashAlgorithmName.SHA384); var client1 = new Client("c1", "app one", hmac, TimeSpan.FromMinutes(1), new Claim("company", "Dalion"), new Claim("scope", "HttpMessageSigning")); await _sut.Register(client1); var client2 = new Client("c1", "app two", hmac, TimeSpan.FromMinutes(1), new Claim("company", "Dalion"), new Claim("scope", "HttpMessageSigning")); await _sut.Register(client2); var actual = await _sut.Get(client1.Id); actual.Should().BeEquivalentTo(client2); }
public void GivenHMACDataRecord_ReturnsHMACDataRecord() { var sut = new SignatureAlgorithmDataRecord { Type = "HMAC", Parameter = "s3cr3t", HashAlgorithm = HashAlgorithmName.MD5.Name }; using (var actual = sut.ToSignatureAlgorithm()) { var expected = new HMACSignatureAlgorithm("s3cr3t", HashAlgorithmName.MD5); actual.Should().BeAssignableTo <HMACSignatureAlgorithm>(); actual.As <HMACSignatureAlgorithm>().Should().BeEquivalentTo(expected); } }
public void GivenHMACDataRecord_ReturnsHMACDataRecord() { var sut = new SignatureAlgorithmDataRecordV2 { Type = "HMAC", Parameter = _encryptedKey, HashAlgorithm = HashAlgorithmName.MD5.Name, IsParameterEncrypted = true }; using (var actual = sut.ToSignatureAlgorithm(_encryptionKey, _recordVersion)) { var expected = new HMACSignatureAlgorithm(_unencryptedKey, HashAlgorithmName.MD5); actual.Should().BeAssignableTo <HMACSignatureAlgorithm>(); actual.As <HMACSignatureAlgorithm>().Should().BeEquivalentTo(expected); } }
private string GetParameterWithEncryption(HMACSignatureAlgorithm hmac, SharedSecretEncryptionKey encryptionKey, out bool isEncrypted) { var unencrypted = Encoding.UTF8.GetString(hmac.Key); if (encryptionKey == SharedSecretEncryptionKey.Empty) { isEncrypted = false; return(unencrypted); } isEncrypted = true; var protector = _stringProtectorFactory.CreateSymmetric(encryptionKey); return(protector.Protect(unencrypted)); }
public async Task PerformsMigrations() { var hmac = new HMACSignatureAlgorithm("s3cr3t", HashAlgorithmName.SHA384); var client = new Client( "c1", "app one", hmac, TimeSpan.FromMinutes(1), TimeSpan.FromMinutes(2), RequestTargetEscaping.RFC2396, new Claim("company", "Dalion"), new Claim("scope", "HttpMessageSigning")); await _sut.Register(client); A.CallTo(() => _migrator.Migrate()) .MustHaveHappened(); }
public async Task MarksRecordsWithCorrectVersion() { var hmac = new HMACSignatureAlgorithm("s3cr3t", HashAlgorithmName.SHA384); var client = new Client( "c1", "app one", hmac, TimeSpan.FromMinutes(1), TimeSpan.FromMinutes(2), RequestTargetEscaping.RFC2396, new Claim("company", "Dalion"), new Claim("scope", "HttpMessageSigning")); await _sut.Register(client); var loaded = await LoadFromDb(client.Id); loaded.V.Should().NotBeNull(); loaded.V.Should().Be(1); // Current version }
public async Task ReturnsResultFromDecoratedService() { var hmac = new HMACSignatureAlgorithm("s3cr3t", HashAlgorithmName.SHA384); var client = new Client( "c1", "app one", hmac, TimeSpan.FromMinutes(1), TimeSpan.FromMinutes(2), RequestTargetEscaping.RFC2396, new Claim("company", "Dalion"), new Claim("scope", "HttpMessageSigning")); A.CallTo(() => _decorated.Get(client.Id)) .Returns(client); var actual = await _sut.Get(client.Id); actual.Should().Be(client); }
public async Task CanDeserializeLegacyClientsWithoutNonceLifetime() { var collection = Database.GetCollection <BsonDocument>(_collectionName); var legacyJson = @"{ ""_id"" : ""c2"", ""Name"" : ""app one"", ""SignatureAlgorithm"" : { ""Type"" : ""HMAC"", ""Parameter"" : ""s3cr3t"", ""HashAlgorithm"" : ""SHA384"" }, ""Claims"" : [ { ""Issuer"" : ""LOCAL AUTHORITY"", ""OriginalIssuer"" : ""LOCAL AUTHORITY"", ""Type"" : ""company"", ""Value"" : ""Dalion"", ""ValueType"" : ""http://www.w3.org/2001/XMLSchema#string"" }, { ""Issuer"" : ""LOCAL AUTHORITY"", ""OriginalIssuer"" : ""LOCAL AUTHORITY"", ""Type"" : ""scope"", ""Value"" : ""HttpMessageSigning"", ""ValueType"" : ""http://www.w3.org/2001/XMLSchema#string"" } ] }"; var legacyDocument = BsonSerializer.Deserialize <BsonDocument>(legacyJson); await collection.InsertOneAsync(legacyDocument); var actual = await _sut.Get(new KeyId("c2")); var hmac = new HMACSignatureAlgorithm("s3cr3t", HashAlgorithmName.SHA384); var expected = new Client("c2", "app one", hmac, TimeSpan.FromMinutes(1), new Claim("company", "Dalion"), new Claim("scope", "HttpMessageSigning")); actual.Should().BeEquivalentTo(expected); actual.SignatureAlgorithm.Should().BeAssignableTo <HMACSignatureAlgorithm>(); actual.SignatureAlgorithm.As <HMACSignatureAlgorithm>().Secret.Should().Be("s3cr3t"); actual.SignatureAlgorithm.As <HMACSignatureAlgorithm>().HashAlgorithm.Should().Be(HashAlgorithmName.SHA384); }
public async Task MarksRecordsWithCorrectVersion() { var hmac = new HMACSignatureAlgorithm("s3cr3t", HashAlgorithmName.SHA384); var client = new Client( "c1", "app one", hmac, TimeSpan.FromMinutes(1), TimeSpan.FromMinutes(2), RequestTargetEscaping.RFC2396, new Claim("company", "Dalion"), new Claim("scope", "HttpMessageSigning")); await _sut.Register(client); var collection = Database.GetCollection <ClientDataRecordV2>(_collectionName); var findResult = await collection.FindAsync <ClientDataRecordV2>(new ExpressionFilterDefinition <ClientDataRecordV2>(r => r.Id == client.Id)); var loaded = await findResult.SingleAsync(); loaded.V.Should().NotBeNull(); loaded.V.Should().Be(2); // Current version }