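        /// <summary>
        /// A bewit issued for one URL must not authorize a request to another URL.
        /// The token is generated for <c>/api/dummy/SomeBewitProtectedUrl</c> and then
        /// presented to <c>/api/dummy/WithBewitProtection</c>; the server must answer
        /// 403 Forbidden and the response body must not contain the protected content.
        /// </summary>
        public async Task OnAuthorization_WithDifferentUrl_ShouldNotAuthorize()
        {
            //Arrange
            // TestServer and HttpClient are disposable; the using blocks tear the host down
            // even when an assertion below fails.
            using (TestServer server = TestServerHelper.CreateServer<string>(Options))
            {
                var cryptoService = new HmacSha256CryptographyService(Options);
                BewitPayloadContext context = new BewitPayloadContext(typeof(string))
                    .SetCryptographyService(() => cryptoService)
                    .SetVariablesProvider(() => TestServerHelper.VariablesProvider)
                    .SetRepository(() => TestServerHelper.NonceRepository);
                var tokenGenerator = new BewitTokenGenerator<string>(Options, context);

                // The payload bound into the token is the lower-cased URL it is issued for.
                const string issuedForUrl = "/api/dummy/SomeBewitProtectedUrl";
                BewitToken<string> bewitToken =
                    await tokenGenerator.GenerateBewitTokenAsync(issuedForUrl.ToLowerInvariant(),
                                                                 CancellationToken.None);

                // Present the same token to a different protected endpoint.
                const string requestedUrl = "/api/dummy/WithBewitProtection";
                var fullUrl = $"{requestedUrl}?bewit={bewitToken}";

                using (HttpClient client = server.CreateClient())
                {
                    //Act
                    HttpResponseMessage res =
                        await client.GetAsync(fullUrl, CancellationToken.None);

                    //Assert
                    res.StatusCode.Should().Be(HttpStatusCode.Forbidden);

                    // ReadAsStringAsync never yields null, so no null guard is needed.
                    // NotContain performs an ordinal search, unlike the culture-sensitive
                    // string.IndexOf(string) overload.
                    var content = await res.Content.ReadAsStringAsync();
                    content.Should().NotContain("bar");
                }
            }
        }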
        /// <summary>
        /// Constructing the service from options that carry a secret succeeds and
        /// yields a non-null instance.
        /// </summary>
        public void Constructor_WithSecret_ShouldConstruct()
        {
            //Arrange
            var options = new BewitOptions
            {
                Secret = "esk84j85$85efsf"
            };

            //Act
            var sut = new HmacSha256CryptographyService(options);

            //Assert
            sut.Should().NotBeNull();
        }
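        /// <summary>
        /// A bewit whose payload has been re-bound to another URL, while keeping the
        /// original nonce, expiration date and hash, must not authorize a request to
        /// that URL. The server is expected to answer 403 Forbidden without leaking
        /// the protected content, because the hash was computed for the original payload.
        /// </summary>
        public async Task OnAuthorization_WithAlteredPayloadForUrl_ShouldNotAuthorize()
        {
            //Arrange
            // TestServer and HttpClient are disposable; the using blocks tear the host down
            // even when an assertion below fails.
            using (TestServer server = TestServerHelper.CreateServer<string>(Options))
            {
                var cryptoService = new HmacSha256CryptographyService(Options);
                BewitPayloadContext context = new BewitPayloadContext(typeof(string))
                    .SetCryptographyService(() => cryptoService)
                    .SetVariablesProvider(() => TestServerHelper.VariablesProvider)
                    .SetRepository(() => TestServerHelper.NonceRepository);
                var tokenGenerator = new BewitTokenGenerator<string>(Options, context);

                // The payload bound into the token is the lower-cased URL it is issued for.
                const string issuedForUrl = "/api/dummy/SomeBewitProtectedUrl";
                BewitToken<string> bewitToken =
                    await tokenGenerator.GenerateBewitTokenAsync(issuedForUrl.ToLowerInvariant(),
                                                                 CancellationToken.None);

                // Tamper with the token: decode it, swap the URL payload for another protected
                // endpoint and re-encode it, reusing the original nonce, expiry and hash.
                const string requestedUrl = "/api/dummy/WithBewitProtection";
                var serializedBewit =
                    Encoding.UTF8.GetString(Convert.FromBase64String((string)bewitToken));
                Bewit<string> bewitInternal =
                    JsonConvert.DeserializeObject<Bewit<string>>(serializedBewit);
                // DeserializeObject returns null on an unexpected document; fail loudly here
                // rather than with a NullReferenceException on the next line.
                bewitInternal.Should().NotBeNull();
                var tamperedBewit = new Bewit<string>(
                    bewitInternal.Nonce,
                    bewitInternal.ExpirationDate,
                    requestedUrl.ToLowerInvariant(),
                    bewitInternal.Hash);

                serializedBewit = JsonConvert.SerializeObject(tamperedBewit);
                bewitToken = new BewitToken<string>(
                    Convert.ToBase64String(Encoding.UTF8.GetBytes(serializedBewit)));

                var fullUrl = $"{requestedUrl}?bewit={bewitToken}";

                using (HttpClient client = server.CreateClient())
                {
                    //Act
                    HttpResponseMessage res =
                        await client.GetAsync(fullUrl, CancellationToken.None);

                    //Assert
                    res.StatusCode.Should().Be(HttpStatusCode.Forbidden);

                    // ReadAsStringAsync never yields null, so no null guard is needed.
                    // NotContain performs an ordinal search, unlike the culture-sensitive
                    // string.IndexOf(string) overload.
                    var content = await res.Content.ReadAsStringAsync();
                    content.Should().NotContain("bar");
                }
            }
        }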
        /// <summary>
        /// GetHash is deterministic: the same secret, token, expiration date and payload
        /// ("bar") must always produce the same value. The pinned literal acts as a
        /// regression vector, so a mismatch means the hash input or its encoding changed.
        /// </summary>
        public void GetHash_WithAllParamsAndStringPayload_ShouldAlwaysGenerateSameHash2()
        {
            //Arrange
            var options = new BewitOptions
            {
                Secret = "esk84j85$85efsf"
            };
            var sut = new HmacSha256CryptographyService(options);
            var expiresAt = new DateTime(2017, 1, 1, 1, 1, 1, 1, DateTimeKind.Utc);

            //Act
            string actual = sut.GetHash("foo", expiresAt, "bar");

            //Assert
            actual.Should().Be("lBA9v7RxsHC/gSBD50PQaoyWH5XKq8eRZ9KM+Qs6b/g=");
        }
        /// <summary>
        /// GetHash is deterministic: the same secret, token, expiration date and payload
        /// ("foo") must always produce the same value. The pinned literal acts as a
        /// regression vector, so a mismatch means the hash input or its encoding changed.
        /// </summary>
        public void GetHash_WithAllParamsAndStringPayload_ShouldAlwaysGenerateSameHash()
        {
            //Arrange
            var options = new BewitOptions
            {
                Secret = "esk84j85$85efsf"
            };
            var sut = new HmacSha256CryptographyService(options);
            var expiresAt = new DateTime(2017, 1, 1, 1, 1, 1, 1, DateTimeKind.Utc);

            //Act
            string actual = sut.GetHash("foo", expiresAt, "foo");

            //Assert
            actual.Should().Be("Ry+dceBg/qVpCDbw9kByG7HZ769CHiA7NWaQAIa+rg0=");
        }