author | Andrew Arnott <andrewarnott@gmail.com> | 2008-08-07 22:27:10 -0700 |
---|---|---|
committer | Andrew Arnott <andrewarnott@gmail.com> | 2008-08-07 22:27:10 -0700 |
commit | 6f5f0325a7950a2576b966e3077a26c768938340 (patch) | |
tree | ec980efe60dd277cb70c4cb3f96d03ce64d8560d /src | |
parent | 14e245ead34cd1c5e67cef36968ed7c5f76e0fbf (diff) | |
Added replay attack check to all authentication attempts.
Diffstat (limited to 'src')
-rw-r--r-- | src/DotNetOpenId.Test/TestSupport.cs | 33 |
1 files changed, 16 insertions, 17 deletions
diff --git a/src/DotNetOpenId.Test/TestSupport.cs b/src/DotNetOpenId.Test/TestSupport.cs
index d50a812..67add5a 100644
--- a/src/DotNetOpenId.Test/TestSupport.cs
+++ b/src/DotNetOpenId.Test/TestSupport.cs
@@ -173,27 +173,26 @@ public class TestSupport {
var opAuthResponse = (EncodableResponse)opAuthWebResponse.EncodableMessage;
var rp = CreateRelyingParty(store, opAuthResponse.RedirectUrl,
opAuthResponse.EncodedFields.ToNameValueCollection());
+ // Get the response now, before trying the replay attack. The Response
+ // property is lazily-evaluated, so the replay attack can be evaluated first
+ // and pass, while this one that SUPPOSED to pass fails, if we don't force it now.
+ var response = rp.Response;
- // TODO: Remove this conditional, which really should not be required.
- // When it's removed, some tests hang while signature verification
- // is supposedly being performed.
- if (rp.Response.Status == AuthenticationStatus.Authenticated) {
- // Side-track to test for replay attack while we're at it.
- // This simulates a network sniffing user who caught the
- // authenticating query en route to either the user agent or
- // the consumer, and tries the same query to the consumer in an
- // attempt to spoof the identity of the authenticating user.
- try {
- var replayRP = CreateRelyingParty(store, opAuthResponse.RedirectUrl,
- opAuthResponse.EncodedFields.ToNameValueCollection());
- Assert.AreNotEqual(AuthenticationStatus.Authenticated, replayRP.Response.Status, "Replay attack succeeded!");
- } catch (OpenIdException) { // nonce already used
- // another way to pass
- }
+ // Side-track to test for replay attack while we're at it.
+ // This simulates a network sniffing user who caught the
+ // authenticating query en route to either the user agent or
+ // the consumer, and tries the same query to the consumer in an
+ // attempt to spoof the identity of the authenticating user.
+ try {
+ var replayRP = CreateRelyingParty(store, opAuthResponse.RedirectUrl,
+ opAuthResponse.EncodedFields.ToNameValueCollection());
+ Assert.AreNotEqual(AuthenticationStatus.Authenticated, replayRP.Response.Status, "Replay attack succeeded!");
+ } catch (OpenIdException) { // nonce already used
+ // another way to pass
}
// Return the result of the initial response (not the replay attack one).
- return rp.Response;
+ return response;
}
/// <summary>
/// Generates a new <see cref="OpenIdProvider"/> that uses the shared
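Review bot: The `catch (OpenIdException)` around the replay attempt treats every OpenIdException as "nonce already used", so a replay that fails for an unrelated reason (for example an error raised while `CreateRelyingParty` or `replayRP.Response` processes the message) is still counted as a pass. Now that the check runs for every attempt instead of only authenticated ones, it is also vacuous whenever the first `response.Status` is not `Authenticated`, because the replayed message would not authenticate in either case. At minimum the catch should say so, e.g. `// Any OpenIdException is accepted here; this alone does not prove the nonce store rejected the replay.`, and the new comment's "that SUPPOSED to pass" should read "that is SUPPOSED to pass". The enclosing method starts before this hunk, so how `store` is shared between `rp` and `replayRP` cannot be confirmed from the visible lines.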