public async Task Upserts()
{
var hmac = new HMACSignatureAlgorithm("s3cr3t", HashAlgorithmName.SHA384);
var client1 = new Client(
"c1",
"app one",
hmac,
TimeSpan.FromMinutes(1),
TimeSpan.FromMinutes(2),
RequestTargetEscaping.RFC3986,
new Claim("company", "Dalion"),
new Claim("scope", "HttpMessageSigning"));
await _sut.Register(client1);
var client2 = new Client(
"c1",
"app two",
hmac,
TimeSpan.FromMinutes(1),
TimeSpan.FromMinutes(3),
RequestTargetEscaping.OriginalString,
new Claim("company", "Dalion"),
new Claim("scope", "HttpMessageSigning"));
await _sut.Register(client2);
var actual = await _sut.Get(client1.Id);
actual.Should().BeEquivalentTo(client2, options => options.ComparingByMembers <Client>());
}
public async Task WhenEncryptionKeyIsNullOrEmpty_DoesNotEncryptHMACSecretInDatabase(string nullOrEmpty)
{
using (var sut = new MongoDbClientStore(
new MongoDatabaseClientProvider(Database),
_collectionName,
nullOrEmpty,
_migrator,
_signatureAlgorithmDataRecordConverter)) {
var hmac = new HMACSignatureAlgorithm("s3cr3t", HashAlgorithmName.SHA384);
var client = new Client(
"c1",
"app one",
hmac,
TimeSpan.FromMinutes(1),
TimeSpan.FromMinutes(2),
RequestTargetEscaping.RFC2396,
new Claim("company", "Dalion"),
new Claim("scope", "HttpMessageSigning"));
await sut.Register(client);
var collection = Database.GetCollection <ClientDataRecordV2>(_collectionName);
var findResult = await collection.FindAsync <ClientDataRecordV2>(new ExpressionFilterDefinition <ClientDataRecordV2>(r => r.Id == client.Id));
var loaded = await findResult.SingleAsync();
loaded.SignatureAlgorithm.Parameter.Should().NotBeNullOrEmpty();
var unencryptedKey = Encoding.UTF8.GetString(hmac.Key);
loaded.SignatureAlgorithm.Parameter.Should().Be(unencryptedKey);
loaded.SignatureAlgorithm.IsParameterEncrypted.Should().BeFalse();
}
}
public async Task WhenEncryptionKeyIsNullOrEmpty_DoesNotEncryptHMACSecretInFile(string nullOrEmpty)
{
using (var sut = new FileSystemClientStore(_fileManager, _signatureAlgorithmDataRecordConverter, nullOrEmpty)) {
var hmac = new HMACSignatureAlgorithm("s3cr3t", HashAlgorithmName.SHA384);
var client = new Client(
"c1",
"app one",
hmac,
TimeSpan.FromMinutes(1),
TimeSpan.FromMinutes(2),
RequestTargetEscaping.RFC2396,
new Claim("company", "Dalion"),
new Claim("scope", "HttpMessageSigning"));
await sut.Register(client);
var dataRecords = await _fileManager.Read();
var loaded = dataRecords.Single(r => r.Id == client.Id);
loaded.SigAlg.Param.Should().NotBeNullOrEmpty();
var unencryptedKey = Encoding.UTF8.GetString(hmac.Key);
loaded.SigAlg.Param.Should().Be($"<Secret>{unencryptedKey}</Secret>");
loaded.SigAlg.Encrypted.Should().BeFalse();
}
}
public async Task EncryptsHMACSecretInDatabase()
{
var hmac = new HMACSignatureAlgorithm("s3cr3t", HashAlgorithmName.SHA384);
var client = new Client(
"c1",
"app one",
hmac,
TimeSpan.FromMinutes(1),
TimeSpan.FromMinutes(2),
RequestTargetEscaping.RFC2396,
new Claim("company", "Dalion"),
new Claim("scope", "HttpMessageSigning"));
await _sut.Register(client);
var collection = Database.GetCollection <ClientDataRecordV2>(_collectionName);
var findResult = await collection.FindAsync <ClientDataRecordV2>(new ExpressionFilterDefinition <ClientDataRecordV2>(r => r.Id == client.Id));
var loaded = await findResult.SingleAsync();
loaded.SignatureAlgorithm.Parameter.Should().NotBeNullOrEmpty();
var unencryptedKey = Encoding.UTF8.GetString(hmac.Key);
var encryptedKey = new FakeStringProtector().Protect(unencryptedKey);
loaded.SignatureAlgorithm.Parameter.Should().Be(encryptedKey);
loaded.SignatureAlgorithm.IsParameterEncrypted.Should().BeTrue();
}
public async Task WhenEncryptionKeyIsNullOrEmpty_DoesNotEncryptHMACSecretInDatabase(string nullOrEmpty)
{
using (var sut = new SqlServerClientStore(new SqlServerClientStoreSettings {
ConnectionString = _connectionString,
SharedSecretEncryptionKey = nullOrEmpty
},
new SignatureAlgorithmConverter(new FakeStringProtectorFactory()))) {
var hmac = new HMACSignatureAlgorithm("s3cr3t", HashAlgorithmName.SHA384);
var client = new Client(
"c1",
"app one",
hmac,
TimeSpan.FromMinutes(1),
TimeSpan.FromMinutes(2),
RequestTargetEscaping.RFC2396,
new Claim("company", "Dalion"),
new Claim("scope", "HttpMessageSigning"));
await sut.Register(client);
var loaded = await LoadFromDb(client.Id);
loaded.SigParameter.Should().NotBeNullOrEmpty();
var unencryptedKey = Encoding.UTF8.GetString(hmac.Key);
loaded.SigParameter.Should().Be(unencryptedKey);
loaded.IsSigParameterEncrypted.Should().BeFalse();
}
}
public async Task EncryptsHMACSecretInFile()
{
var hmac = new HMACSignatureAlgorithm("s3cr3t", HashAlgorithmName.SHA384);
var client = new Client(
"c1",
"app one",
hmac,
TimeSpan.FromMinutes(1),
TimeSpan.FromMinutes(2),
RequestTargetEscaping.RFC2396,
new Claim("company", "Dalion"),
new Claim("scope", "HttpMessageSigning"));
await _sut.Register(client);
var dataRecords = await _fileManager.Read();
var loaded = dataRecords.Single(r => r.Id == client.Id);
loaded.SigAlg.Param.Should().NotBeNullOrEmpty();
var unencryptedKey = Encoding.UTF8.GetString(hmac.Key);
var encryptedKey = new FakeStringProtector().Protect(unencryptedKey);
loaded.SigAlg.Param.Should().Be($"<Secret>{encryptedKey}</Secret>");
loaded.SigAlg.Encrypted.Should().BeTrue();
}
public void GivenHMACDataRecord_ReturnsHMACDataRecord()
{
using (var actual = _sut.ToSignatureAlgorithm(_dataRecord, _encryptionKey, _recordVersion)) {
var expected = new HMACSignatureAlgorithm(_unencryptedKey, HashAlgorithmName.MD5);
actual.Should().BeAssignableTo <HMACSignatureAlgorithm>();
actual.As <HMACSignatureAlgorithm>().Should().BeEquivalentTo(expected);
}
}
public CreateWithSignatureAlgorithm()
{
_keyId = (KeyId)"id1";
_name = "test client";
_signatureAlgorithm = new HMACSignatureAlgorithm("s3cr3t", HashAlgorithmName.SHA256);
_configureOptions = opts => {
opts.Claims = new[] { new Claim("c1", "v1") };
opts.ClockSkew = TimeSpan.FromMinutes(10);
opts.NonceLifetime = TimeSpan.FromMinutes(3);
opts.RequestTargetEscaping = RequestTargetEscaping.OriginalString;
};
}
public async Task CanDeserializeLegacyClientsWithoutVersion()
{
var collection = Database.GetCollection <BsonDocument>(_collectionName);
var legacyJson = @"{
""_id"" : ""c5"",
""Name"" : ""app one"",
""SignatureAlgorithm"" : {
""Type"" : ""HMAC"",
""Parameter"" : ""s3cr3t"",
""HashAlgorithm"" : ""SHA384""
},
""NonceExpiration"" : 300.0,
""RequestTargetEscaping"" : ""RFC2396"",
""ClockSkew"" : 240.0,
""Claims"" : [
{
""Issuer"" : ""LOCAL AUTHORITY"",
""OriginalIssuer"" : ""LOCAL AUTHORITY"",
""Type"" : ""company"",
""Value"" : ""Dalion"",
""ValueType"" : ""http://www.w3.org/2001/XMLSchema#string""
},
{
""Issuer"" : ""LOCAL AUTHORITY"",
""OriginalIssuer"" : ""LOCAL AUTHORITY"",
""Type"" : ""scope"",
""Value"" : ""HttpMessageSigning"",
""ValueType"" : ""http://www.w3.org/2001/XMLSchema#string""
}
]
}";
var legacyDocument = BsonSerializer.Deserialize <BsonDocument>(legacyJson);
await collection.InsertOneAsync(legacyDocument);
var actual = await _sut.Get(new KeyId("c5"));
var hmac = new HMACSignatureAlgorithm("s3cr3t", HashAlgorithmName.SHA384);
var expected = new Client(
"c5",
"app one",
hmac,
TimeSpan.FromMinutes(5),
TimeSpan.FromMinutes(4),
RequestTargetEscaping.RFC2396,
new Claim("company", "Dalion"),
new Claim("scope", "HttpMessageSigning"));
actual.Should().BeEquivalentTo(expected, options => options.ComparingByMembers <Client>());
actual.SignatureAlgorithm.Should().BeAssignableTo <HMACSignatureAlgorithm>();
actual.SignatureAlgorithm.As <HMACSignatureAlgorithm>().Key.Should().Equal(Encoding.UTF8.GetBytes("s3cr3t"));
actual.SignatureAlgorithm.As <HMACSignatureAlgorithm>().HashAlgorithm.Should().Be(HashAlgorithmName.SHA384);
}
public async Task CanRoundTripHMAC()
{
var hmac = new HMACSignatureAlgorithm("s3cr3t", HashAlgorithmName.SHA384);
var client = new Client("c1", "app one", hmac, TimeSpan.FromMinutes(1), new Claim("company", "Dalion"), new Claim("scope", "HttpMessageSigning"));
await _sut.Register(client);
var actual = await _sut.Get(client.Id);
actual.Should().BeEquivalentTo(client);
actual.SignatureAlgorithm.Should().BeAssignableTo <HMACSignatureAlgorithm>();
actual.SignatureAlgorithm.As <HMACSignatureAlgorithm>().Secret.Should().Be("s3cr3t");
actual.SignatureAlgorithm.As <HMACSignatureAlgorithm>().HashAlgorithm.Should().Be(HashAlgorithmName.SHA384);
}
public async Task CanRoundTripHMAC()
{
var hmac = new HMACSignatureAlgorithm("s3cr3t", HashAlgorithmName.SHA384);
var client = new Client("c1", "app one", hmac, TimeSpan.FromMinutes(1), TimeSpan.FromMinutes(2), new Claim("company", "Dalion"), new Claim("scope", "HttpMessageSigning"));
await _sut.Register(client);
var actual = await _sut.Get(client.Id);
actual.Should().BeEquivalentTo(client, options => options.ComparingByMembers <Client>());
actual.SignatureAlgorithm.Should().BeAssignableTo <HMACSignatureAlgorithm>();
actual.SignatureAlgorithm.As <HMACSignatureAlgorithm>().Key.Should().Equal(Encoding.UTF8.GetBytes("s3cr3t"));
actual.SignatureAlgorithm.As <HMACSignatureAlgorithm>().HashAlgorithm.Should().Be(HashAlgorithmName.SHA384);
}
public async Task Upserts()
{
var hmac = new HMACSignatureAlgorithm("s3cr3t", HashAlgorithmName.SHA384);
var client1 = new Client("c1", "app one", hmac, TimeSpan.FromMinutes(1), new Claim("company", "Dalion"), new Claim("scope", "HttpMessageSigning"));
await _sut.Register(client1);
var client2 = new Client("c1", "app two", hmac, TimeSpan.FromMinutes(1), new Claim("company", "Dalion"), new Claim("scope", "HttpMessageSigning"));
await _sut.Register(client2);
var actual = await _sut.Get(client1.Id);
actual.Should().BeEquivalentTo(client2);
}
public void GivenHMACDataRecord_ReturnsHMACDataRecord()
{
var sut = new SignatureAlgorithmDataRecord {
Type = "HMAC",
Parameter = "s3cr3t",
HashAlgorithm = HashAlgorithmName.MD5.Name
};
using (var actual = sut.ToSignatureAlgorithm()) {
var expected = new HMACSignatureAlgorithm("s3cr3t", HashAlgorithmName.MD5);
actual.Should().BeAssignableTo <HMACSignatureAlgorithm>();
actual.As <HMACSignatureAlgorithm>().Should().BeEquivalentTo(expected);
}
}
public void GivenHMACDataRecord_ReturnsHMACDataRecord()
{
var sut = new SignatureAlgorithmDataRecordV2 {
Type = "HMAC",
Parameter = _encryptedKey,
HashAlgorithm = HashAlgorithmName.MD5.Name,
IsParameterEncrypted = true
};
using (var actual = sut.ToSignatureAlgorithm(_encryptionKey, _recordVersion)) {
var expected = new HMACSignatureAlgorithm(_unencryptedKey, HashAlgorithmName.MD5);
actual.Should().BeAssignableTo <HMACSignatureAlgorithm>();
actual.As <HMACSignatureAlgorithm>().Should().BeEquivalentTo(expected);
}
}
private string GetParameterWithEncryption(HMACSignatureAlgorithm hmac, SharedSecretEncryptionKey encryptionKey, out bool isEncrypted)
{
var unencrypted = Encoding.UTF8.GetString(hmac.Key);
if (encryptionKey == SharedSecretEncryptionKey.Empty)
{
isEncrypted = false;
return(unencrypted);
}
isEncrypted = true;
var protector = _stringProtectorFactory.CreateSymmetric(encryptionKey);
return(protector.Protect(unencrypted));
}
public async Task PerformsMigrations()
{
var hmac = new HMACSignatureAlgorithm("s3cr3t", HashAlgorithmName.SHA384);
var client = new Client(
"c1",
"app one",
hmac,
TimeSpan.FromMinutes(1),
TimeSpan.FromMinutes(2),
RequestTargetEscaping.RFC2396,
new Claim("company", "Dalion"),
new Claim("scope", "HttpMessageSigning"));
await _sut.Register(client);
A.CallTo(() => _migrator.Migrate())
.MustHaveHappened();
}
public async Task MarksRecordsWithCorrectVersion()
{
var hmac = new HMACSignatureAlgorithm("s3cr3t", HashAlgorithmName.SHA384);
var client = new Client(
"c1",
"app one",
hmac,
TimeSpan.FromMinutes(1),
TimeSpan.FromMinutes(2),
RequestTargetEscaping.RFC2396,
new Claim("company", "Dalion"),
new Claim("scope", "HttpMessageSigning"));
await _sut.Register(client);
var loaded = await LoadFromDb(client.Id);
loaded.V.Should().NotBeNull();
loaded.V.Should().Be(1); // Current version
}
public async Task ReturnsResultFromDecoratedService()
{
var hmac = new HMACSignatureAlgorithm("s3cr3t", HashAlgorithmName.SHA384);
var client = new Client(
"c1",
"app one",
hmac,
TimeSpan.FromMinutes(1),
TimeSpan.FromMinutes(2),
RequestTargetEscaping.RFC2396,
new Claim("company", "Dalion"),
new Claim("scope", "HttpMessageSigning"));
A.CallTo(() => _decorated.Get(client.Id))
.Returns(client);
var actual = await _sut.Get(client.Id);
actual.Should().Be(client);
}
public async Task CanDeserializeLegacyClientsWithoutNonceLifetime()
{
var collection = Database.GetCollection <BsonDocument>(_collectionName);
var legacyJson = @"{
""_id"" : ""c2"",
""Name"" : ""app one"",
""SignatureAlgorithm"" : {
""Type"" : ""HMAC"",
""Parameter"" : ""s3cr3t"",
""HashAlgorithm"" : ""SHA384""
},
""Claims"" : [
{
""Issuer"" : ""LOCAL AUTHORITY"",
""OriginalIssuer"" : ""LOCAL AUTHORITY"",
""Type"" : ""company"",
""Value"" : ""Dalion"",
""ValueType"" : ""http://www.w3.org/2001/XMLSchema#string""
},
{
""Issuer"" : ""LOCAL AUTHORITY"",
""OriginalIssuer"" : ""LOCAL AUTHORITY"",
""Type"" : ""scope"",
""Value"" : ""HttpMessageSigning"",
""ValueType"" : ""http://www.w3.org/2001/XMLSchema#string""
}
]
}";
var legacyDocument = BsonSerializer.Deserialize <BsonDocument>(legacyJson);
await collection.InsertOneAsync(legacyDocument);
var actual = await _sut.Get(new KeyId("c2"));
var hmac = new HMACSignatureAlgorithm("s3cr3t", HashAlgorithmName.SHA384);
var expected = new Client("c2", "app one", hmac, TimeSpan.FromMinutes(1), new Claim("company", "Dalion"), new Claim("scope", "HttpMessageSigning"));
actual.Should().BeEquivalentTo(expected);
actual.SignatureAlgorithm.Should().BeAssignableTo <HMACSignatureAlgorithm>();
actual.SignatureAlgorithm.As <HMACSignatureAlgorithm>().Secret.Should().Be("s3cr3t");
actual.SignatureAlgorithm.As <HMACSignatureAlgorithm>().HashAlgorithm.Should().Be(HashAlgorithmName.SHA384);
}
public async Task MarksRecordsWithCorrectVersion()
{
var hmac = new HMACSignatureAlgorithm("s3cr3t", HashAlgorithmName.SHA384);
var client = new Client(
"c1",
"app one",
hmac,
TimeSpan.FromMinutes(1),
TimeSpan.FromMinutes(2),
RequestTargetEscaping.RFC2396,
new Claim("company", "Dalion"),
new Claim("scope", "HttpMessageSigning"));
await _sut.Register(client);
var collection = Database.GetCollection <ClientDataRecordV2>(_collectionName);
var findResult = await collection.FindAsync <ClientDataRecordV2>(new ExpressionFilterDefinition <ClientDataRecordV2>(r => r.Id == client.Id));
var loaded = await findResult.SingleAsync();
loaded.V.Should().NotBeNull();
loaded.V.Should().Be(2); // Current version
}
