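/// <summary>
/// A bewit generated for one protected URL must not authorize a request to a different protected URL.
/// </summary>
/// <remarks>
/// The token is generated with the lower-cased <c>/api/dummy/SomeBewitProtectedUrl</c> as its payload and
/// is then presented on <c>/api/dummy/WithBewitProtection</c>. The server is expected to answer 403 and
/// the response body must not carry the protected content.
/// </remarks>
public async Task OnAuthorization_WithDifferentUrl_ShouldNotAuthorize()
{
    //Arrange
    var cryptoService = new HmacSha256CryptographyService(Options);

    // The test server, its client and the response own sockets/streams; dispose them so a
    // test run never leaves handles behind for the following tests.
    using (TestServer server = TestServerHelper.CreateServer<string>(Options))
    {
        var url = "/api/dummy/SomeBewitProtectedUrl";
        BewitPayloadContext context = new BewitPayloadContext(typeof(string))
            .SetCryptographyService(() => cryptoService)
            .SetVariablesProvider(() => TestServerHelper.VariablesProvider)
            .SetRepository(() => TestServerHelper.NonceRepository);
        var tokenGenerator = new BewitTokenGenerator<string>(Options, context);

        // The token's payload is the lower-cased URL it was issued for.
        BewitToken<string> bewitToken = await tokenGenerator.GenerateBewitTokenAsync(
            url.ToLowerInvariant(), CancellationToken.None);

        // Present that token on a different protected endpoint.
        url = "/api/dummy/WithBewitProtection";
        var fullUrl = $"{url}?bewit={bewitToken}";

        using (HttpClient client = server.CreateClient())
        {
            //Act
            using (HttpResponseMessage res = await client.GetAsync(fullUrl, CancellationToken.None))
            {
                //Assert
                res.StatusCode.Should().Be(HttpStatusCode.Forbidden);

                // "bar" is presumably the marker the protected endpoint emits on success; it must not
                // show up in a rejected response. Ordinal: this is a machine check, not a text search.
                var content = await res.Content.ReadAsStringAsync();
                Assert.DoesNotContain("bar", content, StringComparison.Ordinal);
            }
        }
    }
}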
/// <summary>
/// Constructing the HMAC-SHA256 cryptography service from options carrying a secret must succeed.
/// </summary>
public void Constructor_WithSecret_ShouldConstruct()
{
    //Arrange
    var options = new BewitOptions { Secret = "esk84j85$85efsf" };

    //Act
    HmacSha256CryptographyService service = new HmacSha256CryptographyService(options);

    //Assert
    service.Should().NotBeNull();
}
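/// <summary>
/// A bewit whose payload (the URL) has been rewritten while keeping the original hash must be rejected.
/// </summary>
/// <remarks>
/// A valid token is generated for <c>/api/dummy/SomeBewitProtectedUrl</c>, decoded, re-serialized with
/// <c>/api/dummy/WithBewitProtection</c> as payload but the original nonce, expiration and hash, and then
/// presented on the second URL. Because <c>GetHash</c> takes the payload as input, the stale hash no longer
/// matches and the server is expected to answer 403 without serving protected content.
/// </remarks>
public async Task OnAuthorization_WithAlteredPayloadForUrl_ShouldNotAuthorize()
{
    //Arrange
    var cryptoService = new HmacSha256CryptographyService(Options);

    // The test server, its client and the response own sockets/streams; dispose them so a
    // test run never leaves handles behind for the following tests.
    using (TestServer server = TestServerHelper.CreateServer<string>(Options))
    {
        var url = "/api/dummy/SomeBewitProtectedUrl";
        BewitPayloadContext context = new BewitPayloadContext(typeof(string))
            .SetCryptographyService(() => cryptoService)
            .SetVariablesProvider(() => TestServerHelper.VariablesProvider)
            .SetRepository(() => TestServerHelper.NonceRepository);
        var tokenGenerator = new BewitTokenGenerator<string>(Options, context);
        BewitToken<string> bewitToken = await tokenGenerator.GenerateBewitTokenAsync(
            url.ToLowerInvariant(), CancellationToken.None);

        // Tamper with the token: swap the URL in the payload for another protected endpoint
        // but keep the nonce, expiration date and the hash computed over the original payload.
        url = "/api/dummy/WithBewitProtection";
        var serializedBewit = Encoding.UTF8.GetString(Convert.FromBase64String((string)bewitToken));
        Bewit<string> bewitInternal = JsonConvert.DeserializeObject<Bewit<string>>(serializedBewit);
        var tamperedBewit = new Bewit<string>(
            bewitInternal.Nonce,
            bewitInternal.ExpirationDate,
            url.ToLowerInvariant(),
            bewitInternal.Hash);
        serializedBewit = JsonConvert.SerializeObject(tamperedBewit);
        bewitToken = new BewitToken<string>(
            Convert.ToBase64String(Encoding.UTF8.GetBytes(serializedBewit)));

        var fullUrl = $"{url}?bewit={bewitToken}";

        using (HttpClient client = server.CreateClient())
        {
            //Act
            using (HttpResponseMessage res = await client.GetAsync(fullUrl, CancellationToken.None))
            {
                //Assert
                res.StatusCode.Should().Be(HttpStatusCode.Forbidden);

                // "bar" is presumably the marker the protected endpoint emits on success; it must not
                // show up in a rejected response. Ordinal: this is a machine check, not a text search.
                var content = await res.Content.ReadAsStringAsync();
                Assert.DoesNotContain("bar", content, StringComparison.Ordinal);
            }
        }
    }
}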
/// <summary>
/// Pins the hash for a fixed secret, token and expiration with payload "bar". Companion of
/// <see cref="GetHash_WithAllParamsAndStringPayload_ShouldAlwaysGenerateSameHash"/>, which uses the same
/// secret, token and expiration with payload "foo" and pins a different value.
/// </summary>
public void GetHash_WithAllParamsAndStringPayload_ShouldAlwaysGenerateSameHash2()
{
    //Arrange
    var fixedSecret = "esk84j85$85efsf";
    var fixedToken = "foo";
    var fixedPayload = "bar";
    var expiresAt = new DateTime(2017, 1, 1, 1, 1, 1, 1, DateTimeKind.Utc);
    var service = new HmacSha256CryptographyService(new BewitOptions { Secret = fixedSecret });

    //Act
    var hash = service.GetHash(fixedToken, expiresAt, fixedPayload);

    //Assert
    hash.Should().Be("lBA9v7RxsHC/gSBD50PQaoyWH5XKq8eRZ9KM+Qs6b/g=");
}
/// <summary>
/// Pins the hash for a fixed secret, token, UTC expiration and payload "foo" so that any change to the
/// hashing input layout is caught by the expected value.
/// </summary>
public void GetHash_WithAllParamsAndStringPayload_ShouldAlwaysGenerateSameHash()
{
    //Arrange
    var fixedSecret = "esk84j85$85efsf";
    var fixedToken = "foo";
    var fixedPayload = "foo";
    var expiresAt = new DateTime(2017, 1, 1, 1, 1, 1, 1, DateTimeKind.Utc);
    var service = new HmacSha256CryptographyService(new BewitOptions { Secret = fixedSecret });

    //Act
    var hash = service.GetHash(fixedToken, expiresAt, fixedPayload);

    //Assert
    hash.Should().Be("Ry+dceBg/qVpCDbw9kByG7HZ769CHiA7NWaQAIa+rg0=");
}