public async Task AuthorizeFilterWillCallPolicyProviderOnAuthorization() { // Arrange var policyProvider = new Mock <IAuthorizationPolicyProvider>(); var getPolicyCount = 0; policyProvider.Setup(p => p.GetPolicyAsync(It.IsAny <string>())).ReturnsAsync(new AuthorizationPolicyBuilder().RequireAssertion(_ => true).Build()) .Callback(() => getPolicyCount++); var authorizeFilter = new AuthorizeFilter(policyProvider.Object, new AuthorizeAttribute[] { new AuthorizeAttribute("whatever") }); var authorizationContext = GetAuthorizationContext(); // Act & Assert await authorizeFilter.OnAuthorizationAsync(authorizationContext); Assert.Equal(1, getPolicyCount); Assert.Null(authorizationContext.Result); await authorizeFilter.OnAuthorizationAsync(authorizationContext); Assert.Equal(2, getPolicyCount); Assert.Null(authorizationContext.Result); await authorizeFilter.OnAuthorizationAsync(authorizationContext); Assert.Equal(3, getPolicyCount); Assert.Null(authorizationContext.Result); // Make sure we don't cache the policy Assert.Null(authorizeFilter.Policy); }
public async Task GetEffectivePolicyAsync_CombinesPoliciesFromEndpoint() { // Arrange var policy1 = new AuthorizationPolicyBuilder() .RequireClaim("Claim1") .Build(); var policy2 = new AuthorizationPolicyBuilder() .RequireClaim("Claim2") .Build(); var filter = new AuthorizeFilter(policy1); var options = new AuthorizationOptions(); options.AddPolicy("policy2", policy2); var policyProvider = new DefaultAuthorizationPolicyProvider(Options.Create(options)); ActionContext.HttpContext.RequestServices = new ServiceCollection() .AddSingleton <IAuthorizationPolicyProvider>(policyProvider) .BuildServiceProvider(); ActionContext.HttpContext.SetEndpoint(new Endpoint( _ => null, new EndpointMetadataCollection(new AuthorizeAttribute("policy2")), "test")); var context = new AuthorizationFilterContext(ActionContext, new[] { filter, }); // Act var effectivePolicy = await filter.GetEffectivePolicyAsync(context); // Assert Assert.NotSame(policy1, effectivePolicy); Assert.NotSame(policy2, effectivePolicy); Assert.Equal(new[] { "Claim1", "Claim2" }, effectivePolicy.Requirements.Cast <ClaimsAuthorizationRequirement>().Select(c => c.ClaimType)); }
public async Task AuthorizationFilterCombinesMultipleFiltersWithPolicyProvider() { // Arrange var authorizeFilter = new AuthorizeFilter(new TestPolicyProvider(), new IAuthorizeData[] { new AuthorizeAttribute { Policy = "true" }, new AuthorizeAttribute { Policy = "false" } }); var authorizationContext = GetAuthorizationContext(anonymous: false); // Effective policy should fail, if both are combined authorizationContext.Filters.Add(authorizeFilter); var secondFilter = new AuthorizeFilter(new AuthorizationPolicyBuilder().RequireAssertion(a => true).Build()); authorizationContext.Filters.Add(secondFilter); // Act await secondFilter.OnAuthorizationAsync(authorizationContext); // Assert Assert.IsType <ForbidResult>(authorizationContext.Result); }
public async Task Invoke_FailedContextShouldNotCheckPermission() { // Arrange bool authorizationServiceIsCalled = false; var authorizationService = new Mock <IAuthorizationService>(); authorizationService .Setup(x => x.AuthorizeAsync(null, null, "CanViewComment")) .Returns(() => { authorizationServiceIsCalled = true; return(Task.FromResult(true)); }); var authorizeFilter = new AuthorizeFilter(new AuthorizationPolicyBuilder() .RequireClaim("Permission", "CanViewComment") .Build()); var authorizationContext = GetAuthorizationContext(services => services.AddSingleton(authorizationService.Object)); authorizationContext.Result = new UnauthorizedResult(); // Act await authorizeFilter.OnAuthorizationAsync(authorizationContext); // Assert Assert.False(authorizationServiceIsCalled); }
public async Task Invoke_ValidClaimShouldNotFail() { // Arrange var authorizeFilter = new AuthorizeFilter(new AuthorizationPolicyBuilder().RequireClaim("Permission", "CanViewPage").Build()); var authorizationContext = GetAuthorizationContext(services => services.AddAuthorization()); // Act await authorizeFilter.OnAuthorizationAsync(authorizationContext); // Assert Assert.Null(authorizationContext.Result); }
public async Task Invoke_EmptyClaimsShouldChallengeAnonymousUser() { // Arrange var authorizeFilter = new AuthorizeFilter(new AuthorizationPolicyBuilder().RequireAuthenticatedUser().Build()); var authorizationContext = GetAuthorizationContext(anonymous: true); // Act await authorizeFilter.OnAuthorizationAsync(authorizationContext); // Assert Assert.IsType <ChallengeResult>(authorizationContext.Result); }
public async Task Invoke_EmptyClaimsShouldAuthorizeAuthenticatedUser() { // Arrange var authorizeFilter = new AuthorizeFilter(new AuthorizationPolicyBuilder().RequireAuthenticatedUser().Build()); var authorizationContext = GetAuthorizationContext(); // Act await authorizeFilter.OnAuthorizationAsync(authorizationContext); // Assert Assert.Null(authorizationContext.Result); }
public async Task AuthZResourceShouldBeAuthorizationFilterContext() { // Arrange var authorizeFilter = new AuthorizeFilter(new AuthorizationPolicyBuilder().RequireAssertion(c => c.Resource is AuthorizationFilterContext).Build()); var authorizationContext = GetAuthorizationContext(); // Act await authorizeFilter.OnAuthorizationAsync(authorizationContext); // Assert Assert.Null(authorizationContext.Result); }
public async Task Invoke_SingleValidClaimShouldSucceed() { // Arrange var authorizeFilter = new AuthorizeFilter(new AuthorizationPolicyBuilder().RequireClaim("Permission", "CanViewComment", "CanViewPage").Build()); var authorizationContext = GetAuthorizationContext(); // Act await authorizeFilter.OnAuthorizationAsync(authorizationContext); // Assert Assert.Null(authorizationContext.Result); }
public async Task Invoke_RequireUnknownRoleShouldFail() { // Arrange var authorizeFilter = new AuthorizeFilter(new AuthorizationPolicyBuilder().RequireRole("Wut").Build()); var authorizationContext = GetAuthorizationContext(services => services.AddAuthorization()); // Act await authorizeFilter.OnAuthorizationAsync(authorizationContext); // Assert Assert.NotNull(authorizationContext.Result); }
public async Task Invoke_RequireAdminAndUserRoleWithNoPolicyShouldSucceed() { // Arrange var authorizeFilter = new AuthorizeFilter(new AuthorizationPolicyBuilder().RequireRole("Administrator").Build()); var authorizationContext = GetAuthorizationContext(services => services.AddAuthorization()); // Act await authorizeFilter.OnAuthorizationAsync(authorizationContext); // Assert Assert.Null(authorizationContext.Result); }
public async Task AuthorizeFilterCanAuthorizeNullUser() { // Arrange var authorizeFilter = new AuthorizeFilter(new AuthorizationPolicyBuilder().RequireAssertion(_ => true).Build()); var authorizationContext = GetAuthorizationContext(anonymous: true); // Act await authorizeFilter.OnAuthorizationAsync(authorizationContext); // Assert Assert.Null(authorizationContext.Result); }
public async Task Invoke_RequireUnknownRoleShouldForbid() { // Arrange var authorizeFilter = new AuthorizeFilter(new AuthorizationPolicyBuilder().RequireRole("Wut").Build()); var authorizationContext = GetAuthorizationContext(); // Act await authorizeFilter.OnAuthorizationAsync(authorizationContext); // Assert Assert.IsType <ForbidResult>(authorizationContext.Result); }
public async Task AuthorizeFilterCanAuthorizeNonAuthenticatedUser() { // Arrange var authorizeFilter = new AuthorizeFilter(new AuthorizationPolicyBuilder().RequireAssertion(_ => true).Build()); var authorizationContext = GetAuthorizationContext(services => services.AddAuthorization(), anonymous: true); authorizationContext.HttpContext.User = new ClaimsPrincipal(); // Act await authorizeFilter.OnAuthorizationAsync(authorizationContext); // Assert Assert.Null(authorizationContext.Result); }
public async Task Invoke_CanFilterToOnlyBearerScheme() { // Arrange var authorizeFilter = new AuthorizeFilter(new AuthorizationPolicyBuilder("Bearer") .RequireClaim("Permission", "CanViewPage") .Build()); var authorizationContext = GetAuthorizationContext(services => services.AddAuthorization()); // Act await authorizeFilter.OnAuthorizationAsync(authorizationContext); // Assert Assert.NotNull(authorizationContext.Result); }
public async Task Invoke_FailWhenLookingForClaimInOtherIdentity() { // Arrange var authorizeFilter = new AuthorizeFilter(new AuthorizationPolicyBuilder() .RequireClaim("Permission", "CanViewComment") .Build()); var authorizationContext = GetAuthorizationContext(services => services.AddAuthorization()); // Act await authorizeFilter.OnAuthorizationAsync(authorizationContext); // Assert Assert.NotNull(authorizationContext.Result); }
public async Task Invoke_EmptyClaimsShouldRejectAnonymousUser() { // Arrange var authorizeFilter = new AuthorizeFilter(new AuthorizationPolicyBuilder().RequireAuthenticatedUser().Build()); var authorizationContext = GetAuthorizationContext(services => services.AddAuthorization(), anonymous: true); // Act await authorizeFilter.OnAuthorizationAsync(authorizationContext); // Assert Assert.NotNull(authorizationContext.Result); }
public void CreateInstance_ReturnsSelfIfPolicyProviderIsSet() { // Arrange var authorizeFilter = new AuthorizeFilter(new AuthorizationPolicyBuilder() .RequireAssertion(_ => true) .Build()); var factory = (IFilterFactory)authorizeFilter; // Act var result = factory.CreateInstance(new ServiceCollection().BuildServiceProvider()); // Assert Assert.Same(authorizeFilter, result); }
public async Task Invoke_AuthSchemesFailShouldSetEmptyPrincipalOnContext() { // Arrange var authorizeFilter = new AuthorizeFilter(new AuthorizationPolicyBuilder("Fails") .RequireAuthenticatedUser() .Build()); var authorizationContext = GetAuthorizationContext(); // Act await authorizeFilter.OnAuthorizationAsync(authorizationContext); // Assert Assert.NotNull(authorizationContext.HttpContext.User?.Identity); }
public async Task Invoke_EmptyClaimsWithAllowAnonymousAttributeShouldNotRejectAnonymousUser() { // Arrange var authorizeFilter = new AuthorizeFilter(new AuthorizationPolicyBuilder().RequireAuthenticatedUser().Build()); var authorizationContext = GetAuthorizationContext(anonymous: true); authorizationContext.Filters.Add(new AllowAnonymousFilter()); // Act await authorizeFilter.OnAuthorizationAsync(authorizationContext); // Assert Assert.Null(authorizationContext.Result); }
public async Task AuthorizeFilter_CreatedWithPolicy_ThrowsWhenOnAuthorizationAsyncIsCalled() { // Arrange var authorizeFilter = new AuthorizeFilter(new[] { new AuthorizeAttribute() }); var authorizationContext = GetAuthorizationContext(); var expected = "An AuthorizationPolicy cannot be created without a valid instance of " + "IAuthorizationPolicyProvider."; // Act & Assert var ex = await Assert.ThrowsAsync <InvalidOperationException>( () => authorizeFilter.OnAuthorizationAsync(authorizationContext)); Assert.Equal(expected, ex.Message); }
public async Task Invoke_InvalidClaimShouldForbid() { // Arrange var authorizeFilter = new AuthorizeFilter(new AuthorizationPolicyBuilder() .RequireClaim("Permission", "CanViewComment") .Build()); var authorizationContext = GetAuthorizationContext(); // Act await authorizeFilter.OnAuthorizationAsync(authorizationContext); // Assert Assert.IsType <ForbidResult>(authorizationContext.Result); }
public async Task Invoke_RequireAdminRoleButFailPolicyShouldFail() { // Arrange var authorizeFilter = new AuthorizeFilter(new AuthorizationPolicyBuilder() .RequireRole("Administrator") .RequireClaim("Permission", "CanViewComment") .Build()); var authorizationContext = GetAuthorizationContext(services => services.AddAuthorization()); // Act await authorizeFilter.OnAuthorizationAsync(authorizationContext); // Assert Assert.NotNull(authorizationContext.Result); }
public async Task Invoke_CanLookingForClaimsInMultipleIdentities() { // Arrange var authorizeFilter = new AuthorizeFilter(new AuthorizationPolicyBuilder("Basic", "Bearer") .RequireClaim("Permission", "CanViewComment") .RequireClaim("Permission", "CupBearer") .Build()); var authorizationContext = GetAuthorizationContext(services => services.AddAuthorization()); // Act await authorizeFilter.OnAuthorizationAsync(authorizationContext); // Assert Assert.NotNull(authorizationContext.Result); }
public async Task AuthorizationFilterIgnoresFirstFilterWhenCombining() { // Arrange var authorizeFilter = new AuthorizeFilter(new AuthorizationPolicyBuilder().RequireAssertion(a => false).Build()); var authorizationContext = GetAuthorizationContext(anonymous: false); // Effective policy should fail, if both are combined authorizationContext.Filters.Add(authorizeFilter); var secondFilter = new AuthorizeFilter(new AuthorizationPolicyBuilder().RequireAssertion(a => false).Build()); authorizationContext.Filters.Add(secondFilter); // Act await authorizeFilter.OnAuthorizationAsync(authorizationContext); // Assert Assert.Null(authorizationContext.Result); }
public async Task GetEffectivePolicyAsync_ReturnsCurrentPolicy_WhenNoEndpointMetadataIsAvailable() { // Arrange var policy = new AuthorizationPolicyBuilder() .RequireAssertion(_ => true) .Build(); var filter = new AuthorizeFilter(policy); var context = new AuthorizationFilterContext(ActionContext, new[] { filter }); // Act var effectivePolicy = await filter.GetEffectivePolicyAsync(context); // Assert // // Verify the policy is cached Assert.Same(effectivePolicy, await filter.GetEffectivePolicyAsync(context)); }
public async Task AuthorizationFilterCombinesMultipleFilters() { // Arrange var authorizeFilter = new AuthorizeFilter(new AuthorizationPolicyBuilder().RequireAssertion(a => true).Build()); var authorizationContext = GetAuthorizationContext(anonymous: false, registerServices: s => s.Configure <MvcOptions>(o => o.AllowCombiningAuthorizeFilters = true)); // Effective policy should fail, if both are combined authorizationContext.Filters.Add(authorizeFilter); var secondFilter = new AuthorizeFilter(new AuthorizationPolicyBuilder().RequireAssertion(a => false).Build()); authorizationContext.Filters.Add(secondFilter); // Act await secondFilter.OnAuthorizationAsync(authorizationContext); // Assert Assert.IsType <ForbidResult>(authorizationContext.Result); }
public async Task Invoke_RequireAdminRoleShouldFailWithNoHandlers() { // Arrange var authorizeFilter = new AuthorizeFilter(new AuthorizationPolicyBuilder().RequireRole("Administrator").Build()); var authorizationContext = GetAuthorizationContext(services => { services.AddOptions(); services.AddAuthorization(); services.Remove(services.Where(sd => sd.ServiceType == typeof(IAuthorizationHandler)).Single()); }); // Act await authorizeFilter.OnAuthorizationAsync(authorizationContext); // Assert Assert.NotNull(authorizationContext.Result); }
public async Task DefaultConstructor_DeniesAnonymousUsers() { // Arrange var authorizationContext = GetAuthorizationContext(anonymous: true); // The type 'AuthorizeFilter' is both a filter by itself and also a filter factory. // The default filter provider first checks if a type is a filter factory and creates an instance of // this filter. var authorizeFilterFactory = new AuthorizeFilter(); var filterFactory = authorizeFilterFactory as IFilterFactory; var authorizeFilter = (AuthorizeFilter)filterFactory.CreateInstance( authorizationContext.HttpContext.RequestServices); // Act await authorizeFilter.OnAuthorizationAsync(authorizationContext); // Assert Assert.IsType <ChallengeResult>(authorizationContext.Result); }
public void CreateInstance_ReturnsNewFilterIfPolicyAndPolicyProviderAreNotSetAndCustomProviderIsUsed( AuthorizeFilter authorizeFilter) { // Arrange var factory = (IFilterFactory)authorizeFilter; var policyProvider = Mock.Of <IAuthorizationPolicyProvider>(); var serviceProvider = new ServiceCollection() .AddSingleton(policyProvider) .BuildServiceProvider(); // Act var result = factory.CreateInstance(serviceProvider); // Assert Assert.NotSame(authorizeFilter, result); var actual = Assert.IsType <AuthorizeFilter>(result); Assert.Same(policyProvider, actual.PolicyProvider); }