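/// <summary>
/// Verifies that <see cref="ClientCertificateAzureServiceTokenProvider"/> acquires a token when the
/// certificate is identified by a Key Vault certificate secret identifier, with and without an explicit tenant id.
/// </summary>
/// <param name="includeTenantId">
/// When true, <see cref="Constants.TenantId"/> is passed to the provider; otherwise null is passed.
/// In both cases the issued token is validated against <see cref="Constants.TenantId"/>.
/// </param>
public async Task KeyVaultCertificateSecretIdentifierSuccessTest(bool includeTenantId)
{
    // The test certificate is loaded only to obtain its thumbprint for validation. It is never imported
    // into a local store here: the provider is expected to fetch it from (mock) Key Vault.
    using (X509Certificate2 cert = new X509Certificate2(Convert.FromBase64String(Constants.TestCert), string.Empty))
    {
        MockProcessManager mockProcessManager = new MockProcessManager(MockProcessManager.MockProcessManagerRequestType.Success);
        AzureCliAccessTokenProvider azureCliAccessTokenProvider = new AzureCliAccessTokenProvider(mockProcessManager);

        // Create KeyVaultClient with MockKeyVault to mock successful calls to KeyVault.
        MockKeyVault mockKeyVault = new MockKeyVault(MockKeyVault.KeyVaultClientTestType.CertificateSecretIdentifierSuccess);
        using (HttpClient httpClient = new HttpClient(mockKeyVault))
        {
            KeyVaultClient keyVaultClient = new KeyVaultClient(httpClient, azureCliAccessTokenProvider);

            // MockAuthenticationContext is being asked to act like client cert auth succeeded.
            MockAuthenticationContext mockAuthenticationContext = new MockAuthenticationContext(MockAuthenticationContext.MockAuthenticationContextTestType.AcquireTokenAsyncClientCertificateSuccess);

            string tenantIdParam = includeTenantId ? Constants.TenantId : null;

            // Create ClientCertificateAzureServiceTokenProvider instance identified by a Key Vault certificate secret identifier
            // (no local store location is given, hence the null store argument).
            ClientCertificateAzureServiceTokenProvider provider = new ClientCertificateAzureServiceTokenProvider(Constants.TestAppId, Constants.TestKeyVaultCertificateSecretIdentifier, CertificateIdentifierType.KeyVaultCertificateSecretIdentifier, null, Constants.AzureAdInstance, tenantIdParam, 0, mockAuthenticationContext, keyVaultClient);

            // Get the token. This exercises retrieval of the certificate through the KeyVaultClient rather than a local store.
            var authResult = await provider.GetAuthResultAsync(Constants.ArmResourceId, string.Empty).ConfigureAwait(false);

            // The principal must be the app identified by TestAppId, authenticated with the test certificate.
            Validator.ValidateToken(authResult.AccessToken, provider.PrincipalUsed, Constants.AppType, Constants.TenantId, Constants.TestAppId, cert.Thumbprint, expiresOn: authResult.ExpiresOn);
        }
    }
}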
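/// <summary>
/// Verifies that a failed client-secret credential acquisition surfaces as
/// <see cref="AzureServiceTokenProviderException"/> whose message names the requested resource and tenant.
/// </summary>
public async Task ClientSecretFailTest()
{
    // MockAuthenticationContext is being asked to act like client secret auth failed.
    MockAuthenticationContext mockAuthenticationContext = new MockAuthenticationContext(MockAuthenticationContext.MockAuthenticationContextTestType.AcquireTokenAsyncClientCredentialFail);

    ClientSecretAccessTokenProvider clientSecretAccessTokenProvider = new ClientSecretAccessTokenProvider(Constants.TestAppId, Constants.ClientSecret, Constants.TenantId, Constants.AzureAdInstance, mockAuthenticationContext);

    // Await the provider directly: wrapping an already-asynchronous call in Task.Run only moves it to a
    // pool thread and obscures where the exception originated. Matches ThumbprintFailTest.
    var exception = await Assert.ThrowsAsync<AzureServiceTokenProviderException>(() => clientSecretAccessTokenProvider.GetAuthResultAsync(Constants.KeyVaultResourceId, string.Empty));

    // The error message must identify what was being requested.
    Assert.Contains(Constants.KeyVaultResourceId, exception.Message);
    Assert.Contains(Constants.TenantId, exception.Message);
    Assert.Contains(Constants.NoConnectionString, exception.Message);
}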
/// <summary>
/// Verifies that <see cref="WindowsAuthenticationAzureServiceTokenProvider"/> returns a token for a user
/// principal when the mock context reports a successful user-credential acquisition
/// (the test name suggests this is the fallback after a failed silent attempt).
/// </summary>
public async Task SilentFailAndUserCredentialSuccessTest()
{
    var contextType = MockAuthenticationContext.MockAuthenticationContextTestType.AcquireTokenAsyncUserCredentialSuccess;
    var mockContext = new MockAuthenticationContext(contextType);
    var windowsProvider = new WindowsAuthenticationAzureServiceTokenProvider(mockContext, Constants.AzureAdInstance);

    var result = await windowsProvider.GetAuthResultAsync(Constants.KeyVaultResourceId, string.Empty).ConfigureAwait(false);

    // A user (not app) principal in the test tenant is expected.
    Validator.ValidateToken(result.AccessToken, windowsProvider.PrincipalUsed, Constants.UserType, Constants.TenantId, expiresOn: result.ExpiresOn);
}
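/// <summary>
/// Verifies that when the mock context reports a failed user-credential acquisition,
/// <see cref="WindowsAuthenticationAzureServiceTokenProvider"/> throws
/// <see cref="AzureServiceTokenProviderException"/> naming the requested resource and tenant.
/// </summary>
public async Task SilentFailAndUserCredentialFailTest()
{
    // MockAuthenticationContext is being asked to act like user credential auth failed.
    MockAuthenticationContext authenticationContext = new MockAuthenticationContext(MockAuthenticationContext.MockAuthenticationContextTestType.AcquireTokenAsyncUserCredentialFail);

    WindowsAuthenticationAzureServiceTokenProvider provider = new WindowsAuthenticationAzureServiceTokenProvider(authenticationContext, Constants.AzureAdInstance);

    // Await the provider directly instead of via Task.Run, consistent with ThumbprintFailTest.
    var exception = await Assert.ThrowsAsync<AzureServiceTokenProviderException>(() => provider.GetAuthResultAsync(Constants.KeyVaultResourceId, Constants.TenantId));

    Assert.Contains(Constants.KeyVaultResourceId, exception.Message);
    Assert.Contains(Constants.TenantId, exception.Message);
}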
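/// <summary>
/// Verifies that a subject name absent from the CurrentUser store produces
/// <see cref="AzureServiceTokenProviderException"/> carrying <see cref="Constants.LocalCertificateNotFoundError"/>.
/// </summary>
public async Task CertificateNotFoundTest()
{
    // Auth would succeed if a cert were found; the failure under test must come from the store lookup.
    MockAuthenticationContext mockAuthenticationContext = new MockAuthenticationContext(MockAuthenticationContext.MockAuthenticationContextTestType.AcquireTokenAsyncClientCertificateSuccess);

    // A fresh GUID cannot match any certificate subject in the store.
    string missingSubjectName = Guid.NewGuid().ToString();
    ClientCertificateAzureServiceTokenProvider provider = new ClientCertificateAzureServiceTokenProvider(Constants.TestAppId, missingSubjectName, CertificateIdentifierType.SubjectName, Constants.CurrentUserStore, Constants.TenantId, Constants.AzureAdInstance, mockAuthenticationContext);

    // Await the provider directly instead of via Task.Run, consistent with ThumbprintFailTest.
    var exception = await Assert.ThrowsAsync<AzureServiceTokenProviderException>(() => provider.GetAuthResultAsync(Constants.KeyVaultResourceId, Constants.TenantId));

    Assert.Contains(Constants.KeyVaultResourceId, exception.Message);
    Assert.Contains(Constants.TenantId, exception.Message);
    Assert.Contains(Constants.LocalCertificateNotFoundError, exception.Message);
}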
/// <summary>
/// Verifies that <see cref="ClientSecretAccessTokenProvider"/> returns an app-principal token
/// when the mock context reports a successful client-credential acquisition.
/// </summary>
public async Task ClientSecretSuccessTest()
{
    // Mock context configured to succeed for client-secret auth.
    var contextType = MockAuthenticationContext.MockAuthenticationContextTestType.AcquireTokenAsyncClientCredentialSuccess;
    var mockContext = new MockAuthenticationContext(contextType);

    var secretProvider = new ClientSecretAccessTokenProvider(Constants.TestAppId, Constants.ClientSecret, Constants.TenantId, Constants.AzureAdInstance, mockContext);

    var result = await secretProvider.GetAuthResultAsync(Constants.KeyVaultResourceId, Constants.TenantId).ConfigureAwait(false);

    // The principal must be the app identified by TestAppId in the test tenant.
    Validator.ValidateToken(result.AccessToken, secretProvider.PrincipalUsed, Constants.AppType, Constants.TenantId, Constants.TestAppId, expiresOn: result.ExpiresOn);
}
/// <summary>
/// Verifies that <see cref="ClientSecretAccessTokenProvider"/> rejects a null or empty client id
/// with <see cref="ArgumentNullException"/> whose text contains <see cref="Constants.CannotBeNullError"/>.
/// </summary>
public void ClientIdNullOrEmptyTest()
{
    // The mock context would succeed; validation must fail before it is ever used.
    var mockContext = new MockAuthenticationContext(MockAuthenticationContext.MockAuthenticationContextTestType.AcquireTokenAsyncClientCredentialSuccess);

    string[] rejectedClientIds = { null, string.Empty };
    foreach (string clientId in rejectedClientIds)
    {
        var thrown = Assert.Throws<ArgumentNullException>(() => new ClientSecretAccessTokenProvider(clientId, Constants.ClientSecret, Constants.TenantId, Constants.AzureAdInstance, mockContext));
        Assert.Contains(Constants.CannotBeNullError, thrown.ToString());
    }
}
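/// <summary>
/// Verifies that <see cref="ClientCertificateAzureServiceTokenProvider"/> rejects an invalid store
/// location with <see cref="ArgumentException"/> carrying <see cref="Constants.InvalidCertLocationError"/>.
/// </summary>
public void InvalidStoreLocationTest()
{
    // Import the test certificate.
    X509Certificate2 cert = new X509Certificate2(Convert.FromBase64String(Constants.TestCert), string.Empty);
    CertUtil.ImportCertificate(cert);

    try
    {
        // MockAuthenticationContext is being asked to act like client cert auth succeeded.
        MockAuthenticationContext mockAuthenticationContext = new MockAuthenticationContext(MockAuthenticationContext.MockAuthenticationContextTestType.AcquireTokenAsyncClientCertificateSuccess);

        // Construction must fail on the store location before any certificate lookup or auth.
        var exception = Assert.Throws<ArgumentException>(() => new ClientCertificateAzureServiceTokenProvider(Constants.TestAppId, cert.Thumbprint, CertificateIdentifierType.Thumbprint, Constants.InvalidString, Constants.TenantId, Constants.AzureAdInstance, mockAuthenticationContext));

        Assert.Contains(Constants.InvalidCertLocationError, exception.ToString());
    }
    finally
    {
        // Remove the imported cert (as the other thumbprint tests do) so the test private key
        // is not left behind in the CurrentUser store, even when an assertion fails.
        CertUtil.DeleteCertificate(cert.Thumbprint);
    }
}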
/// <summary>
/// Verifies that <see cref="ClientCertificateAzureServiceTokenProvider"/> rejects a null or empty
/// certificate identifier with <see cref="ArgumentNullException"/> whose text contains
/// <see cref="Constants.CannotBeNullError"/>.
/// </summary>
public void CertSubjectNameOrThumbprintNullOrEmptyTest()
{
    // The mock context would succeed; argument validation must fail before it is ever used.
    var mockContext = new MockAuthenticationContext(MockAuthenticationContext.MockAuthenticationContextTestType.AcquireTokenAsyncClientCertificateSuccess);

    string[] rejectedIdentifiers = { null, string.Empty };
    foreach (string certIdentifier in rejectedIdentifiers)
    {
        var thrown = Assert.Throws<ArgumentNullException>(() => new ClientCertificateAzureServiceTokenProvider(Constants.TestAppId, certIdentifier, CertificateIdentifierType.Thumbprint, Constants.CurrentUserStore, Constants.TenantId, Constants.AzureAdInstance, mockContext));
        Assert.Contains(Constants.CannotBeNullError, thrown.ToString());
    }
}
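/// <summary>
/// Verifies that, with the test certificate present in the CurrentUser store but auth failing,
/// the thumbprint-identified provider throws <see cref="AzureServiceTokenProviderException"/>
/// with <see cref="AzureServiceTokenProviderException.GenericErrorMessage"/>.
/// </summary>
public async Task ThumbprintFailTest()
{
    // Import the test certificate.
    X509Certificate2 cert = new X509Certificate2(Convert.FromBase64String(Constants.TestCert), string.Empty);
    CertUtil.ImportCertificate(cert);

    try
    {
        // MockAuthenticationContext is being asked to act like client cert auth failed.
        MockAuthenticationContext mockAuthenticationContext = new MockAuthenticationContext(MockAuthenticationContext.MockAuthenticationContextTestType.AcquireTokenAsyncClientCertificateFail);

        // Create ClientCertificateAzureServiceTokenProvider instance.
        ClientCertificateAzureServiceTokenProvider provider = new ClientCertificateAzureServiceTokenProvider(Constants.TestAppId, cert.Thumbprint, CertificateIdentifierType.Thumbprint, Constants.CurrentUserStore, Constants.TenantId, Constants.AzureAdInstance, mockAuthenticationContext);

        // Ensure exception is thrown when getting the token.
        var exception = await Assert.ThrowsAsync<AzureServiceTokenProviderException>(() => provider.GetAuthResultAsync(Constants.KeyVaultResourceId, Constants.TenantId));

        Assert.Contains(AzureServiceTokenProviderException.GenericErrorMessage, exception.ToString());
    }
    finally
    {
        // Delete the cert even when an assertion fails, so the store is not left holding the test private key.
        CertUtil.DeleteCertificate(cert.Thumbprint);
    }
}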
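/// <summary>
/// Verifies that <see cref="ClientCertificateAzureServiceTokenProvider"/> locates the test certificate
/// in the CurrentUser store by thumbprint and returns an app-principal token.
/// </summary>
public async Task ThumbprintSuccessTest()
{
    // Import the test certificate.
    X509Certificate2 cert = new X509Certificate2(Convert.FromBase64String(Constants.TestCert), string.Empty);
    CertUtil.ImportCertificate(cert);

    try
    {
        // MockAuthenticationContext is being asked to act like client cert auth succeeded.
        MockAuthenticationContext mockAuthenticationContext = new MockAuthenticationContext(MockAuthenticationContext.MockAuthenticationContextTestType.AcquireTokenAsyncClientCertificateSuccess);

        // Create ClientCertificateAzureServiceTokenProvider instance.
        ClientCertificateAzureServiceTokenProvider provider = new ClientCertificateAzureServiceTokenProvider(Constants.TestAppId, cert.Thumbprint, CertificateIdentifierType.Thumbprint, Constants.CurrentUserStore, Constants.TenantId, Constants.AzureAdInstance, mockAuthenticationContext);

        // Get the token. This tests that the provider can fetch the cert from the CurrentUser store by thumbprint.
        var authResult = await provider.GetAuthResultAsync(Constants.KeyVaultResourceId, Constants.TenantId).ConfigureAwait(false);

        // The principal must be the app identified by TestAppId, authenticated with the test certificate.
        Validator.ValidateToken(authResult.AccessToken, provider.PrincipalUsed, Constants.AppType, Constants.TenantId, Constants.TestAppId, cert.Thumbprint, expiresOn: authResult.ExpiresOn);
    }
    finally
    {
        // Delete the cert even when the token request or validation fails, so the store is not left holding it.
        CertUtil.DeleteCertificate(cert.Thumbprint);
    }
}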
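/// <summary>
/// Verifies that a Key Vault secret identifier the (mock) vault cannot resolve produces
/// <see cref="AzureServiceTokenProviderException"/> whose message chains the provider,
/// Key Vault client and vault error texts.
/// </summary>
public async Task KeyVaultCertificateNotFoundTest()
{
    // Auth would succeed if a cert were obtained; the failure under test must come from Key Vault.
    MockAuthenticationContext mockAuthenticationContext = new MockAuthenticationContext(MockAuthenticationContext.MockAuthenticationContextTestType.AcquireTokenAsyncClientCertificateSuccess);

    MockProcessManager mockProcessManager = new MockProcessManager(MockProcessManager.MockProcessManagerRequestType.Success);
    AzureCliAccessTokenProvider azureCliAccessTokenProvider = new AzureCliAccessTokenProvider(mockProcessManager);

    // MockKeyVault configured to report the secret as missing.
    MockKeyVault mockKeyVault = new MockKeyVault(MockKeyVault.KeyVaultClientTestType.SecretNotFound);
    using (HttpClient httpClient = new HttpClient(mockKeyVault))
    {
        KeyVaultClient keyVaultClient = new KeyVaultClient(httpClient, azureCliAccessTokenProvider);

        // Constructed sample identifier; the host never receives traffic because the handler is MockKeyVault.
        string secretIdentifier = "https://testbedkeyvault.vault.azure.net/secrets/secret/";

        ClientCertificateAzureServiceTokenProvider provider = new ClientCertificateAzureServiceTokenProvider(Constants.TestAppId, secretIdentifier, CertificateIdentifierType.KeyVaultSecretIdentifier, Constants.CurrentUserStore, Constants.TenantId, Constants.AzureAdInstance, mockAuthenticationContext, keyVaultClient);

        // Await the provider directly instead of via Task.Run, consistent with ThumbprintFailTest.
        var exception = await Assert.ThrowsAsync<AzureServiceTokenProviderException>(() => provider.GetAuthResultAsync(Constants.ArmResourceId, Constants.TenantId));

        // Each layer's error text is expected to be preserved in the final message.
        Assert.Contains(Constants.ArmResourceId, exception.Message);
        Assert.Contains(Constants.TenantId, exception.Message);
        Assert.Contains(AzureServiceTokenProviderException.KeyVaultCertificateRetrievalError, exception.Message);
        Assert.Contains(KeyVaultClient.KeyVaultResponseError, exception.Message);
        Assert.Contains(MockKeyVault.SecretNotFoundErrorMessage, exception.Message);
    }
}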
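/// <summary>
/// Verifies that when the mock context returns a malformed token for client-certificate auth,
/// the subject-name-identified provider throws <see cref="AzureServiceTokenProviderException"/>
/// reporting the token format error.
/// </summary>
/// <remarks>
/// Declared async so the assertion is awaited rather than read through <c>Task.Result</c>, which
/// blocked the test thread and deleted the certificate while the provider could still be looking it up.
/// </remarks>
public async Task CannotAcquireTokenThroughCertTest()
{
    // Import the test certificate.
    X509Certificate2 cert = new X509Certificate2(Convert.FromBase64String(Constants.TestCert), string.Empty);
    CertUtil.ImportCertificate(cert);

    try
    {
        // MockAuthenticationContext is being asked to return a token that is not in the expected format.
        MockAuthenticationContext mockAuthenticationContext = new MockAuthenticationContext(MockAuthenticationContext.MockAuthenticationContextTestType.AcquireInvalidTokenAsyncFail);

        // Create ClientCertificateAzureServiceTokenProvider instance identified by subject name.
        ClientCertificateAzureServiceTokenProvider provider = new ClientCertificateAzureServiceTokenProvider(Constants.TestAppId, cert.Subject, CertificateIdentifierType.SubjectName, Constants.CurrentUserStore, Constants.TenantId, Constants.AzureAdInstance, mockAuthenticationContext);

        // The cert is found in the CurrentUser store by subject name, but the returned token must be rejected.
        var exception = await Assert.ThrowsAsync<AzureServiceTokenProviderException>(() => provider.GetAuthResultAsync(Constants.KeyVaultResourceId, string.Empty));

        Assert.Contains(Constants.TokenFormatExceptionMessage, exception.Message);
        Assert.Contains(Constants.TokenNotInExpectedFormatError, exception.Message);
    }
    finally
    {
        // Delete the cert only after the provider has finished, and even when an assertion fails.
        CertUtil.DeleteCertificate(cert.Thumbprint);
    }
}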