1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
|
//-----------------------------------------------------------------------
// <copyright file="PositiveAuthenticationResponseTests.cs" company="Outercurve Foundation">
// Copyright (c) Outercurve Foundation. All rights reserved.
// </copyright>
//-----------------------------------------------------------------------
namespace DotNetOpenAuth.Test.OpenId.RelyingParty {
using System;
using System.Collections.Generic;
using System.Threading;
using System.Threading.Tasks;
using DotNetOpenAuth.Messaging;
using DotNetOpenAuth.OpenId;
using DotNetOpenAuth.OpenId.Extensions.SimpleRegistration;
using DotNetOpenAuth.OpenId.Messages;
using DotNetOpenAuth.OpenId.RelyingParty;
using DotNetOpenAuth.Test.Mocks;
using NUnit.Framework;
[TestFixture]
public class PositiveAuthenticationResponseTests : OpenIdTestBase {
private readonly Realm realm = new Realm("http://localhost/rp.aspx");
private readonly Uri returnTo = new Uri("http://localhost/rp.aspx");
[SetUp]
public override void SetUp() {
base.SetUp();
}
/// <summary>
/// Verifies good, positive assertions are accepted.
/// </summary>
[Test]
public async Task Valid() {
PositiveAssertionResponse assertion = this.GetPositiveAssertion();
ClaimsResponse extension = new ClaimsResponse();
assertion.Extensions.Add(extension);
var rp = CreateRelyingParty();
var authResponse = await PositiveAuthenticationResponse.CreateAsync(assertion, rp, CancellationToken.None);
Assert.AreEqual(AuthenticationStatus.Authenticated, authResponse.Status);
Assert.IsNull(authResponse.Exception);
Assert.AreEqual((string)assertion.ClaimedIdentifier, (string)authResponse.ClaimedIdentifier);
Assert.AreEqual(authResponse.Endpoint.FriendlyIdentifierForDisplay, authResponse.FriendlyIdentifierForDisplay);
Assert.AreSame(extension, authResponse.GetUntrustedExtension(typeof(ClaimsResponse)));
Assert.AreSame(extension, authResponse.GetUntrustedExtension<ClaimsResponse>());
Assert.IsNull(authResponse.GetCallbackArgument("a"));
Assert.AreEqual(0, authResponse.GetCallbackArguments().Count);
}
/// <summary>
/// Verifies that discovery verification of a positive assertion can match a dual identifier.
/// </summary>
[Test]
public async Task DualIdentifierMatchesInAssertionVerification() {
PositiveAssertionResponse assertion = this.GetPositiveAssertion(true);
ClaimsResponse extension = new ClaimsResponse();
assertion.Extensions.Add(extension);
var rp = CreateRelyingParty();
rp.SecuritySettings.AllowDualPurposeIdentifiers = true;
await PositiveAuthenticationResponse.CreateAsync(assertion, rp, CancellationToken.None); // this will throw if it fails to find a match
}
/// <summary>
/// Verifies that discovery verification of a positive assertion cannot match a dual identifier
/// if the default settings are in place.
/// </summary>
[Test, ExpectedException(typeof(ProtocolException))]
public async Task DualIdentifierNoMatchInAssertionVerificationByDefault() {
PositiveAssertionResponse assertion = this.GetPositiveAssertion(true);
ClaimsResponse extension = new ClaimsResponse();
assertion.Extensions.Add(extension);
var rp = CreateRelyingParty();
await PositiveAuthenticationResponse.CreateAsync(assertion, rp, CancellationToken.None); // this will throw if it fails to find a match
}
/// <summary>
/// Verifies that the RP rejects signed solicited assertions by an OP that
/// makes up a claimed Id that was not part of the original request, and
/// that the OP has no authority to assert positively regarding.
/// </summary>
[Test, ExpectedException(typeof(ProtocolException))]
public async Task SpoofedClaimedIdDetectionSolicited() {
PositiveAssertionResponse assertion = this.GetPositiveAssertion();
assertion.ProviderEndpoint = new Uri("http://rogueOP");
var rp = CreateRelyingParty();
var authResponse = await PositiveAuthenticationResponse.CreateAsync(assertion, rp, CancellationToken.None);
Assert.AreEqual(AuthenticationStatus.Failed, authResponse.Status);
}
/// <summary>
/// Verifies that the RP rejects positive assertions with HTTP Claimed
/// Cdentifiers when RequireSsl is set to true.
/// </summary>
[Test, ExpectedException(typeof(ProtocolException))]
public async Task InsecureIdentifiersRejectedWithRequireSsl() {
PositiveAssertionResponse assertion = this.GetPositiveAssertion();
var rp = CreateRelyingParty();
rp.SecuritySettings.RequireSsl = true;
var authResponse = await PositiveAuthenticationResponse.CreateAsync(assertion, rp, CancellationToken.None);
}
[Test]
public async Task GetCallbackArguments() {
PositiveAssertionResponse assertion = this.GetPositiveAssertion();
var rp = CreateRelyingParty();
UriBuilder returnToBuilder = new UriBuilder(assertion.ReturnTo);
returnToBuilder.AppendQueryArgs(new Dictionary<string, string> { { "a", "b" } });
assertion.ReturnTo = returnToBuilder.Uri;
var authResponse = await PositiveAuthenticationResponse.CreateAsync(assertion, rp, CancellationToken.None);
// First pretend that the return_to args were signed.
assertion.ReturnToParametersSignatureValidated = true;
Assert.AreEqual(1, authResponse.GetCallbackArguments().Count);
Assert.IsTrue(authResponse.GetCallbackArguments().ContainsKey("a"));
Assert.AreEqual("b", authResponse.GetCallbackArgument("a"));
// Now simulate them NOT being signed.
assertion.ReturnToParametersSignatureValidated = false;
Assert.AreEqual(0, authResponse.GetCallbackArguments().Count);
Assert.IsFalse(authResponse.GetCallbackArguments().ContainsKey("a"));
Assert.IsNull(authResponse.GetCallbackArgument("a"));
}
/// <summary>
/// Verifies that certain problematic claimed identifiers pass through to the RP response correctly.
/// </summary>
[Test]
public async Task ProblematicClaimedId() {
var providerEndpoint = new ProviderEndpointDescription(OpenIdTestBase.OPUri, Protocol.Default.Version);
string claimed_id = BaseMockUri + "a./b.";
var se = IdentifierDiscoveryResult.CreateForClaimedIdentifier(claimed_id, claimed_id, providerEndpoint, null, null);
var identityUri = (UriIdentifier)se.ClaimedIdentifier;
this.RegisterMockXrdsResponse(se);
var rp = this.CreateRelyingParty();
var positiveAssertion = this.GetPositiveAssertion();
positiveAssertion.ClaimedIdentifier = claimed_id;
positiveAssertion.LocalIdentifier = claimed_id;
var authResponse = await PositiveAuthenticationResponse.CreateAsync(positiveAssertion, rp, CancellationToken.None);
Assert.AreEqual(AuthenticationStatus.Authenticated, authResponse.Status);
Assert.AreEqual(claimed_id, authResponse.ClaimedIdentifier.ToString());
}
private PositiveAssertionResponse GetPositiveAssertion() {
return this.GetPositiveAssertion(false);
}
private PositiveAssertionResponse GetPositiveAssertion(bool dualIdentifier) {
Protocol protocol = Protocol.Default;
PositiveAssertionResponse assertion = new PositiveAssertionResponse(protocol.Version, this.returnTo);
assertion.ClaimedIdentifier = dualIdentifier ? this.GetMockDualIdentifier() : this.GetMockIdentifier(protocol.ProtocolVersion, false);
assertion.LocalIdentifier = OPLocalIdentifiers[0];
assertion.ReturnTo = this.returnTo;
assertion.ProviderEndpoint = OPUri;
return assertion;
}
}
}
|
