1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
|
//-----------------------------------------------------------------------
// <copyright file="PositiveAuthenticationResponseTests.cs" company="Andrew Arnott">
// Copyright (c) Andrew Arnott. All rights reserved.
// </copyright>
//-----------------------------------------------------------------------
namespace DotNetOpenAuth.Test.OpenId.RelyingParty {
using System;
using System.Collections.Generic;
using DotNetOpenAuth.Messaging;
using DotNetOpenAuth.OpenId;
using DotNetOpenAuth.OpenId.Extensions.SimpleRegistration;
using DotNetOpenAuth.OpenId.Messages;
using DotNetOpenAuth.OpenId.RelyingParty;
using NUnit.Framework;
[TestFixture]
public class PositiveAuthenticationResponseTests : OpenIdTestBase {
private readonly Realm realm = new Realm("http://localhost/rp.aspx");
private readonly Uri returnTo = new Uri("http://localhost/rp.aspx");
[SetUp]
public override void SetUp() {
base.SetUp();
}
/// <summary>
/// Verifies good, positive assertions are accepted.
/// </summary>
[TestCase]
public void Valid() {
PositiveAssertionResponse assertion = this.GetPositiveAssertion();
ClaimsResponse extension = new ClaimsResponse();
assertion.Extensions.Add(extension);
var rp = CreateRelyingParty();
var authResponse = new PositiveAuthenticationResponse(assertion, rp);
var authResponseAccessor = PositiveAuthenticationResponse_Accessor.AttachShadow(authResponse);
Assert.AreEqual(AuthenticationStatus.Authenticated, authResponse.Status);
Assert.IsNull(authResponse.Exception);
Assert.AreEqual((string)assertion.ClaimedIdentifier, (string)authResponse.ClaimedIdentifier);
Assert.AreEqual(authResponse.Endpoint.FriendlyIdentifierForDisplay, authResponse.FriendlyIdentifierForDisplay);
Assert.AreSame(extension, authResponse.GetUntrustedExtension(typeof(ClaimsResponse)));
Assert.AreSame(extension, authResponse.GetUntrustedExtension<ClaimsResponse>());
Assert.IsNull(authResponse.GetCallbackArgument("a"));
Assert.AreEqual(0, authResponse.GetCallbackArguments().Count);
}
/// <summary>
/// Verifies that discovery verification of a positive assertion can match a dual identifier.
/// </summary>
[TestCase]
public void DualIdentifierMatchesInAssertionVerification() {
PositiveAssertionResponse assertion = this.GetPositiveAssertion(true);
ClaimsResponse extension = new ClaimsResponse();
assertion.Extensions.Add(extension);
var rp = CreateRelyingParty();
rp.SecuritySettings.AllowDualPurposeIdentifiers = true;
new PositiveAuthenticationResponse(assertion, rp); // this will throw if it fails to find a match
}
/// <summary>
/// Verifies that discovery verification of a positive assertion cannot match a dual identifier
/// if the default settings are in place.
/// </summary>
[TestCase, ExpectedException(typeof(ProtocolException))]
public void DualIdentifierNoMatchInAssertionVerificationByDefault() {
PositiveAssertionResponse assertion = this.GetPositiveAssertion(true);
ClaimsResponse extension = new ClaimsResponse();
assertion.Extensions.Add(extension);
var rp = CreateRelyingParty();
new PositiveAuthenticationResponse(assertion, rp); // this will throw if it fails to find a match
}
/// <summary>
/// Verifies that the RP rejects signed solicited assertions by an OP that
/// makes up a claimed Id that was not part of the original request, and
/// that the OP has no authority to assert positively regarding.
/// </summary>
[TestCase, ExpectedException(typeof(ProtocolException))]
public void SpoofedClaimedIdDetectionSolicited() {
PositiveAssertionResponse assertion = this.GetPositiveAssertion();
assertion.ProviderEndpoint = new Uri("http://rogueOP");
var rp = CreateRelyingParty();
var authResponse = new PositiveAuthenticationResponse(assertion, rp);
Assert.AreEqual(AuthenticationStatus.Failed, authResponse.Status);
}
/// <summary>
/// Verifies that the RP rejects positive assertions with HTTP Claimed
/// Cdentifiers when RequireSsl is set to true.
/// </summary>
[TestCase, ExpectedException(typeof(ProtocolException))]
public void InsecureIdentifiersRejectedWithRequireSsl() {
PositiveAssertionResponse assertion = this.GetPositiveAssertion();
var rp = CreateRelyingParty();
rp.SecuritySettings.RequireSsl = true;
var authResponse = new PositiveAuthenticationResponse(assertion, rp);
}
[TestCase]
public void GetCallbackArguments() {
PositiveAssertionResponse assertion = this.GetPositiveAssertion();
var rp = CreateRelyingParty();
UriBuilder returnToBuilder = new UriBuilder(assertion.ReturnTo);
returnToBuilder.AppendQueryArgs(new Dictionary<string, string> { { "a", "b" } });
assertion.ReturnTo = returnToBuilder.Uri;
var authResponse = new PositiveAuthenticationResponse(assertion, rp);
// First pretend that the return_to args were signed.
assertion.ReturnToParametersSignatureValidated = true;
Assert.AreEqual(1, authResponse.GetCallbackArguments().Count);
Assert.IsTrue(authResponse.GetCallbackArguments().ContainsKey("a"));
Assert.AreEqual("b", authResponse.GetCallbackArgument("a"));
// Now simulate them NOT being signed.
assertion.ReturnToParametersSignatureValidated = false;
Assert.AreEqual(0, authResponse.GetCallbackArguments().Count);
Assert.IsFalse(authResponse.GetCallbackArguments().ContainsKey("a"));
Assert.IsNull(authResponse.GetCallbackArgument("a"));
}
private PositiveAssertionResponse GetPositiveAssertion() {
return this.GetPositiveAssertion(false);
}
private PositiveAssertionResponse GetPositiveAssertion(bool dualIdentifier) {
Protocol protocol = Protocol.Default;
PositiveAssertionResponse assertion = new PositiveAssertionResponse(protocol.Version, this.returnTo);
assertion.ClaimedIdentifier = dualIdentifier ? this.GetMockDualIdentifier() : this.GetMockIdentifier(protocol.ProtocolVersion, false);
assertion.LocalIdentifier = OPLocalIdentifiers[0];
assertion.ReturnTo = this.returnTo;
assertion.ProviderEndpoint = OPUri;
return assertion;
}
}
}
|
