//-----------------------------------------------------------------------
// <copyright file="PositiveAuthenticationResponseTests.cs" company="Andrew Arnott">
//     Copyright (c) Andrew Arnott. All rights reserved.
// </copyright>
//-----------------------------------------------------------------------

namespace DotNetOpenAuth.Test.OpenId.RelyingParty {
	using System;
	using System.Collections.Generic;
	using DotNetOpenAuth.Messaging;
	using DotNetOpenAuth.OpenId;
	using DotNetOpenAuth.OpenId.Extensions.SimpleRegistration;
	using DotNetOpenAuth.OpenId.Messages;
	using DotNetOpenAuth.OpenId.RelyingParty;
	using Microsoft.VisualStudio.TestTools.UnitTesting;

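	[TestClass]
	public class PositiveAuthenticationResponseTests : OpenIdTestBase {
		private readonly Realm realm = new Realm("http://localhost/rp.aspx");
		private readonly Uri returnTo = new Uri("http://localhost/rp.aspx");

		/// <summary>
		/// Resets the shared fixture state from <see cref="OpenIdTestBase"/> before each test.
		/// </summary>
		[TestInitialize]
		public override void SetUp() {
			base.SetUp();
		}

		/// <summary>
		/// Verifies good, positive assertions are accepted: the status is Authenticated,
		/// no exception is recorded, the claimed identifier is surfaced unchanged, and an
		/// attached extension is reachable through the untrusted-extension accessors.
		/// </summary>
		[TestMethod]
		public void Valid() {
			PositiveAssertionResponse assertion = this.GetPositiveAssertion();
			ClaimsResponse extension = new ClaimsResponse();
			assertion.Extensions.Add(extension);
			var rp = CreateRelyingParty();
			var authResponse = new PositiveAuthenticationResponse(assertion, rp);
			var authResponseAccessor = PositiveAuthenticationResponse_Accessor.AttachShadow(authResponse);
			Assert.AreEqual(AuthenticationStatus.Authenticated, authResponse.Status);
			Assert.IsNull(authResponse.Exception);
			Assert.AreEqual<string>(assertion.ClaimedIdentifier, authResponse.ClaimedIdentifier);
			Assert.AreEqual<string>(authResponseAccessor.endpoint.FriendlyIdentifierForDisplay, authResponse.FriendlyIdentifierForDisplay);
			Assert.AreSame(extension, authResponse.GetUntrustedExtension(typeof(ClaimsResponse)));
			Assert.AreSame(extension, authResponse.GetUntrustedExtension<ClaimsResponse>());

			// GetPositiveAssertion adds no query arguments to return_to, so the
			// response must report no callback arguments at all.
			Assert.IsNull(authResponse.GetCallbackArgument("a"));
			Assert.AreEqual(0, authResponse.GetCallbackArguments().Count);
		}

		/// <summary>
		/// Verifies that the RP rejects signed solicited assertions by an OP that
		/// makes up a claimed Id that was not part of the original request, and 
		/// that the OP has no authority to assert positively regarding.
		/// </summary>
		/// <remarks>
		/// The expected <see cref="ProtocolException"/> can only come from the
		/// <see cref="PositiveAuthenticationResponse"/> constructor, which is the
		/// last statement of the test. Any assertion placed after it could never
		/// execute in a passing run, so none is made here.
		/// </remarks>
		[TestMethod, ExpectedException(typeof(ProtocolException))]
		public void SpoofedClaimedIdDetectionSolicited() {
			PositiveAssertionResponse assertion = this.GetPositiveAssertion();

			// Replace the OPUri endpoint set by GetPositiveAssertion with an
			// unrelated one, so the asserting OP no longer matches the endpoint
			// the claimed identifier was built against.
			assertion.ProviderEndpoint = new Uri("http://rogueOP");
			var rp = CreateRelyingParty();
			new PositiveAuthenticationResponse(assertion, rp);
		}

		/// <summary>
		/// Verifies that the RP rejects positive assertions with HTTP Claimed
		/// Identifiers when RequireSsl is set to true.
		/// </summary>
		/// <remarks>
		/// The mock identifier from <see cref="GetPositiveAssertion"/> is requested
		/// with <c>useSsl</c> = false, so under RequireSsl the constructor is
		/// expected to throw <see cref="ProtocolException"/>.
		/// </remarks>
		[TestMethod, ExpectedException(typeof(ProtocolException))]
		public void InsecureIdentifiersRejectedWithRequireSsl() {
			PositiveAssertionResponse assertion = this.GetPositiveAssertion();
			var rp = CreateRelyingParty();
			rp.SecuritySettings.RequireSsl = true;
			new PositiveAuthenticationResponse(assertion, rp);
		}

		/// <summary>
		/// Verifies that return_to query arguments are exposed as callback arguments
		/// only while the assertion reports that the return_to parameters were covered
		/// by the signature; once that flag is cleared the same arguments must vanish.
		/// </summary>
		[TestMethod]
		public void GetCallbackArguments() {
			PositiveAssertionResponse assertion = this.GetPositiveAssertion();
			var rp = CreateRelyingParty();

			UriBuilder returnToBuilder = new UriBuilder(assertion.ReturnTo);
			returnToBuilder.AppendQueryArgs(new Dictionary<string, string> { { "a", "b" } });
			assertion.ReturnTo = returnToBuilder.Uri;
			var authResponse = new PositiveAuthenticationResponse(assertion, rp);

			// First pretend that the return_to args were signed.
			assertion.ReturnToParametersSignatureValidated = true;
			Assert.AreEqual(1, authResponse.GetCallbackArguments().Count);
			Assert.IsTrue(authResponse.GetCallbackArguments().ContainsKey("a"));
			Assert.AreEqual("b", authResponse.GetCallbackArgument("a"));

			// Now simulate them NOT being signed. Unsigned arguments must not be
			// surfaced to the RP, since nothing vouches for their integrity.
			assertion.ReturnToParametersSignatureValidated = false;
			Assert.AreEqual(0, authResponse.GetCallbackArguments().Count);
			Assert.IsFalse(authResponse.GetCallbackArguments().ContainsKey("a"));
			Assert.IsNull(authResponse.GetCallbackArgument("a"));
		}

		/// <summary>
		/// Builds a positive assertion for the default protocol version whose
		/// claimed identifier is a non-SSL mock identifier, whose local identifier
		/// is the first OP-local identifier from the fixture, and whose return_to
		/// and provider endpoint point at this fixture's RP and OP URIs.
		/// </summary>
		/// <returns>A freshly constructed <see cref="PositiveAssertionResponse"/>.</returns>
		private PositiveAssertionResponse GetPositiveAssertion() {
			Protocol protocol = Protocol.Default;
			PositiveAssertionResponse assertion = new PositiveAssertionResponse(protocol.Version, this.returnTo);
			assertion.ClaimedIdentifier = this.GetMockIdentifier(protocol.ProtocolVersion, false);
			assertion.LocalIdentifier = OPLocalIdentifiers[0];
			assertion.ReturnTo = this.returnTo;
			assertion.ProviderEndpoint = OPUri;
			return assertion;
		}
	}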
}