diff --git a/src/Arcus.WebApi.Security/Authentication/Certificates/Extensions/FilterCollectionExtensions.cs b/src/Arcus.WebApi.Security/Authentication/Certificates/Extensions/FilterCollectionExtensions.cs
deleted file mode 100644
index fbc552ab..00000000
--- a/src/Arcus.WebApi.Security/Authentication/Certificates/Extensions/FilterCollectionExtensions.cs
+++ /dev/null
@@ -1,51 +0,0 @@
-using System;
-using Arcus.WebApi.Security.Authentication.Certificates;
-using GuardNet;
-using Microsoft.Extensions.DependencyInjection;
-
-// ReSharper disable once CheckNamespace
-namespace Microsoft.AspNetCore.Mvc.Filters
-{
- ///
- /// Extensions on the related to authentication.
- ///
- public static partial class FilterCollectionExtensions
- {
- ///
- /// Adds an certificate authentication MVC filter to the given that authenticates the incoming HTTP request.
- ///
- /// The current MVC filters of the application.
- ///
- /// Thrown when the is null.
- [Obsolete("Use the " + nameof(MvcOptionsExtensions.AddCertificateAuthenticationFilter) + " instead via the services.AddControllers(options => options." + nameof(MvcOptionsExtensions.AddCertificateAuthenticationFilter) + "())")]
- public static FilterCollection AddCertificateAuthentication(this FilterCollection filters)
- {
- Guard.NotNull(filters, nameof(filters), "Requires a set of MVC filters to add the certificate authentication MVC filter");
-
- return AddCertificateAuthentication(filters, configureOptions: null);
- }
-
- ///
- /// Adds an certificate authentication MVC filter to the given that authenticates the incoming HTTP request.
- ///
- /// The current MVC filters of the application.
- ///
- /// The optional function to configure the set of additional consumer-configurable options to change the behavior of the certificate authentication.
- ///
- ///
- /// Thrown when the is null.
- [Obsolete("Use the " + nameof(MvcOptionsExtensions.AddCertificateAuthenticationFilter) + " instead via the services.AddControllers(options => options." + nameof(MvcOptionsExtensions.AddCertificateAuthenticationFilter) + "(...))")]
- public static FilterCollection AddCertificateAuthentication(
- this FilterCollection filters,
- Action configureOptions)
- {
- Guard.NotNull(filters, nameof(filters), "Requires a set of MVC filters to add the certificate authentication MVC filter");
-
- var options = new CertificateAuthenticationOptions();
- configureOptions?.Invoke(options);
-
- filters.Add(new CertificateAuthenticationFilter(options));
- return filters;
- }
- }
-}
diff --git a/src/Arcus.WebApi.Tests.Integration/Security/Authentication/CertificateAuthenticationFilterTests.cs b/src/Arcus.WebApi.Tests.Integration/Security/Authentication/CertificateAuthenticationFilterTests.cs
index 8fb5fa66..ba0ecf75 100644
--- a/src/Arcus.WebApi.Tests.Integration/Security/Authentication/CertificateAuthenticationFilterTests.cs
+++ b/src/Arcus.WebApi.Tests.Integration/Security/Authentication/CertificateAuthenticationFilterTests.cs
@@ -44,42 +44,6 @@ public CertificateAuthenticationFilterTests(ITestOutputHelper outputWriter)
_logger = new XunitTestLogger(outputWriter);
}
- [Fact]
- public async Task AuthorizedRoute_WithCertificateAuthenticationOnFilters_ShouldFailWithUnauthorized_WhenClientCertificateSubjectNameDoesntMatch()
- {
- // Arrange
- string subjectKey = "subject", subjectValue = $"subject-{Guid.NewGuid()}";
- using (X509Certificate2 clientCertificate = SelfSignedCertificate.CreateWithSubject("unrecognized-subject-name"))
- {
- var options = new TestApiServerOptions()
- .ConfigureServices(services =>
- {
- var certificateValidator =
- new CertificateAuthenticationValidator(
- new CertificateAuthenticationConfigBuilder()
- .WithSubject(SecretProvider, subjectKey)
- .Build());
-
- services.AddSecretStore(stores => stores.AddInMemory(subjectKey, subjectValue))
- .AddSingleton(certificateValidator)
- .AddClientCertificate(clientCertificate)
- .AddMvc(opt => opt.Filters.AddCertificateAuthentication());
- });
-
- await using (var server = await TestApiServer.StartNewAsync(options, _logger))
- {
- var request = HttpRequestBuilder.Get(NoneAuthenticationController.GetRoute);
-
- // Act
- using (HttpResponseMessage response = await server.SendAsync(request))
- {
- // Assert
- Assert.Equal(HttpStatusCode.Unauthorized, response.StatusCode);
- }
- }
- }
- }
-
[Fact]
public async Task AuthorizedRoute_WithCertificateAuthentication_ShouldFailWithUnauthorized_WhenClientCertificateSubjectNameDoesntMatch()
{
@@ -90,7 +54,7 @@ public async Task AuthorizedRoute_WithCertificateAuthentication_ShouldFailWithUn
var options = new TestApiServerOptions()
.ConfigureServices(services =>
{
- var certificateValidator =
+ var certificateValidator =
new CertificateAuthenticationValidator(
new CertificateAuthenticationConfigBuilder()
.WithSubject(SecretProvider, subjectKey)
@@ -145,49 +109,6 @@ public async Task AuthorizedRoute_WithCertificateAuthenticationWithDirectValidat
}
}
- [Theory]
- [InlineData("", false)]
- [InlineData("thumbprint-noise", true)]
- public async Task AuthorizedRoute_WithCertificateAuthenticationOnFilters_ShouldFailWithUnauthorized_WhenClientCertificateThumbprintDoesntMatch(
- string thumbprintNoise,
- bool expected)
- {
- // Arrange
- using (X509Certificate2 clientCertificate = SelfSignedCertificate.Create())
- {
- const string thumbprintKey = "thumbprint";
-
- var options = new TestApiServerOptions()
- .ConfigureServices(services =>
- {
- var certificateValidator =
- new CertificateAuthenticationValidator(
- new CertificateAuthenticationConfigBuilder()
- .WithThumbprint(SecretProvider, thumbprintKey)
- .Build());
-
- services.AddSecretStore(stores => stores.AddInMemory(thumbprintKey, clientCertificate.Thumbprint + thumbprintNoise))
- .AddSingleton(certificateValidator)
- .AddClientCertificate(clientCertificate)
- .AddMvc(opt => opt.Filters.AddCertificateAuthentication());
- });
-
- await using (var server = await TestApiServer.StartNewAsync(options, _logger))
- {
- var request = HttpRequestBuilder.Get(NoneAuthenticationController.GetRoute);
-
- // Act
- using (HttpResponseMessage response = await server.SendAsync(request))
- {
- // Assert
- Assert.True(
- (HttpStatusCode.Unauthorized == response.StatusCode) == expected,
- $"Response HTTP status code {(expected ? "should" : "shouldn't")} be 'Unauthorized' but was '{response.StatusCode}'");
- }
- }
- }
- }
-
[Theory]
[InlineData("", false)]
[InlineData("thumbprint-noise", true)]
@@ -199,7 +120,7 @@ public async Task AuthorizedRoute_WithCertificateAuthentication_ShouldFailWithUn
using (X509Certificate2 clientCertificate = SelfSignedCertificate.Create())
{
const string thumbprintKey = "thumbprint";
-
+
var options = new TestApiServerOptions()
.ConfigureServices(services =>
{
@@ -208,13 +129,13 @@ public async Task AuthorizedRoute_WithCertificateAuthentication_ShouldFailWithUn
new CertificateAuthenticationConfigBuilder()
.WithThumbprint(SecretProvider, thumbprintKey)
.Build());
-
+
services.AddSecretStore(stores => stores.AddInMemory(thumbprintKey, clientCertificate.Thumbprint + thumbprintNoise))
.AddSingleton(certificateValidator)
.AddClientCertificate(clientCertificate)
.AddControllers(opt => opt.AddCertificateAuthenticationFilter());
});
-
+
await using (var server = await TestApiServer.StartNewAsync(options, _logger))
{
var request = HttpRequestBuilder.Get(NoneAuthenticationController.GetRoute);
@@ -242,7 +163,7 @@ public async Task AuthorizedRoute_WithCertificateAuthenticationWithDirectValidat
using (X509Certificate2 clientCertificate = SelfSignedCertificate.Create())
{
const string thumbprintKey = "thumbprint";
-
+
var options = new TestApiServerOptions()
.ConfigureServices(services =>
{
@@ -250,57 +171,7 @@ public async Task AuthorizedRoute_WithCertificateAuthenticationWithDirectValidat
.AddClientCertificate(clientCertificate)
.AddControllers(opt => opt.AddCertificateAuthenticationFilter(auth => auth.WithThumbprint(SecretProvider, thumbprintKey)));
});
-
- await using (var server = await TestApiServer.StartNewAsync(options, _logger))
- {
- var request = HttpRequestBuilder.Get(NoneAuthenticationController.GetRoute);
-
- // Act
- using (HttpResponseMessage response = await server.SendAsync(request))
- {
- // Assert
- Assert.True(
- (HttpStatusCode.Unauthorized == response.StatusCode) == expected,
- $"Response HTTP status code {(expected ? "should" : "shouldn't")} be 'Unauthorized' but was '{response.StatusCode}'");
- }
- }
- }
- }
-
- [Theory]
- [InlineData("known-subject", "known-issuername", false)]
- [InlineData("unrecognizedSubjectName", "known-issuername", true)]
- [InlineData("known-subject", "unrecognizedIssuerName", true)]
- [InlineData("unrecognizedSubjectName", "unrecognizedIssuerName", true)]
- public async Task AuthorizedRoute_WithCertificateAuthenticationViaSecretProviderOnFilters_ShouldFailWithUnauthorized_WhenAnyClientCertificateValidationDoesntSucceeds(
- string subjectValue,
- string issuerValue,
- bool expected)
- {
- // Arrange
- const string subjectKey = "subject", issuerKey = "issuer";
- using (X509Certificate2 clientCertificate = SelfSignedCertificate.CreateWithIssuerAndSubjectName(issuerValue, subjectValue))
- {
- var options = new TestApiServerOptions()
- .ConfigureServices(services =>
- {
- var certificateValidator =
- new CertificateAuthenticationValidator(
- new CertificateAuthenticationConfigBuilder()
- .WithSubject(SecretProvider, subjectKey)
- .WithIssuer(SecretProvider, issuerKey)
- .Build());
- services.AddClientCertificate(clientCertificate)
- .AddSingleton(certificateValidator)
- .AddSecretStore(stores => stores.AddInMemory(new Dictionary
- {
- [subjectKey] = "CN=known-subject",
- [issuerKey] = "CN=known-issuername"
- }))
- .AddMvc(opt => opt.Filters.AddCertificateAuthentication());
- });
-
await using (var server = await TestApiServer.StartNewAsync(options, _logger))
{
var request = HttpRequestBuilder.Get(NoneAuthenticationController.GetRoute);
@@ -350,7 +221,7 @@ public async Task AuthorizedRoute_WithCertificateAuthenticationViaSecretProvider
}))
.AddControllers(opt => opt.AddCertificateAuthenticationFilter());
});
-
+
await using (var server = await TestApiServer.StartNewAsync(options, _logger))
{
var request = HttpRequestBuilder.Get(NoneAuthenticationController.GetRoute);
@@ -396,56 +267,6 @@ public async Task AuthorizedRoute_WithCertificateAuthenticationWithDirectValidat
.WithIssuer(SecretProvider, issuerKey);
}));
});
-
- await using (var server = await TestApiServer.StartNewAsync(options, _logger))
- {
- var request = HttpRequestBuilder.Get(NoneAuthenticationController.GetRoute);
-
- // Act
- using (HttpResponseMessage response = await server.SendAsync(request))
- {
- // Assert
- Assert.True(
- (HttpStatusCode.Unauthorized == response.StatusCode) == expected,
- $"Response HTTP status code {(expected ? "should" : "shouldn't")} be 'Unauthorized' but was '{response.StatusCode}'");
- }
- }
- }
- }
-
- [Theory]
- [InlineData("known-subject", "known-issuername", false)]
- [InlineData("unrecognizedSubjectName", "known-issuername", true)]
- [InlineData("known-subject", "unrecognizedIssuerName", true)]
- [InlineData("unrecognizedSubjectName", "unrecognizedIssuerName", true)]
- public async Task AuthorizedRoute_WithCertificateAuthenticationViaConfigurationOnFilters_ShouldFailWithUnauthorized_WhenAnyClientCertificateValidationDoesntSucceeds(
- string subjectValue,
- string issuerValue,
- bool expected)
- {
- // Arrange
- const string subjectKey = "subject", issuerKey = "issuer";
- using (X509Certificate2 clientCertificate = SelfSignedCertificate.CreateWithIssuerAndSubjectName(issuerValue, subjectValue))
- {
- var options = new TestApiServerOptions()
- .ConfigureAppConfiguration(config => config.AddInMemoryCollection(new []
- {
- new KeyValuePair(subjectKey, "CN=known-subject"),
- new KeyValuePair(issuerKey, "CN=known-issuername")
- }))
- .ConfigureServices(services =>
- {
- var certificateValidator =
- new CertificateAuthenticationValidator(
- new CertificateAuthenticationConfigBuilder()
- .WithSubject(Configuration, subjectKey)
- .WithIssuer(Configuration, issuerKey)
- .Build());
-
- services.AddSingleton(certificateValidator)
- .AddClientCertificate(clientCertificate)
- .AddMvc(opt => opt.Filters.AddCertificateAuthentication());
- });
await using (var server = await TestApiServer.StartNewAsync(options, _logger))
{
@@ -478,7 +299,7 @@ public async Task AuthorizedRoute_WithCertificateAuthenticationViaConfiguration_
using (X509Certificate2 clientCertificate = SelfSignedCertificate.CreateWithIssuerAndSubjectName(issuerValue, subjectValue))
{
var options = new TestApiServerOptions()
- .ConfigureAppConfiguration(config => config.AddInMemoryCollection(new []
+ .ConfigureAppConfiguration(config => config.AddInMemoryCollection(new[]
{
new KeyValuePair(subjectKey, "CN=known-subject"),
new KeyValuePair(issuerKey, "CN=known-issuername")
@@ -528,7 +349,7 @@ public async Task AuthorizedRoute_WithCertificateAuthenticationWithDirectValidat
using (X509Certificate2 clientCertificate = SelfSignedCertificate.CreateWithIssuerAndSubjectName(issuerValue, subjectValue))
{
var options = new TestApiServerOptions()
- .ConfigureAppConfiguration(config => config.AddInMemoryCollection(new []
+ .ConfigureAppConfiguration(config => config.AddInMemoryCollection(new[]
{
new KeyValuePair(subjectKey, "CN=known-subject"),
new KeyValuePair(issuerKey, "CN=known-issuername")
@@ -559,56 +380,6 @@ public async Task AuthorizedRoute_WithCertificateAuthenticationWithDirectValidat
}
}
- [Theory]
- [InlineData("known-subject", "known-issuername", false)]
- [InlineData("unrecognizedSubjectName", "known-issuername", true)]
- [InlineData("known-subject", "unrecognizedIssuerName", true)]
- [InlineData("unrecognizedSubjectName", "unrecognizedIssuerName", true)]
- public async Task AuthorizedRoute_WithCertificateAuthenticationViaConfigurationAndSecretProviderOnFilters_ShouldFailWithUnauthorized_WhenAnyClientCertificateValidationDoesntSucceeds(
- string subjectValue,
- string issuerValue,
- bool expected)
- {
- // Arrange
- const string subjectKey = "subject", issuerKey = "issuer";
- using (X509Certificate2 clientCertificate = SelfSignedCertificate.CreateWithIssuerAndSubjectName(issuerValue, subjectValue))
- {
- var options = new TestApiServerOptions()
- .ConfigureAppConfiguration(config => config.AddInMemoryCollection(new []
- {
- new KeyValuePair(subjectKey, "CN=known-subject")
- }))
- .ConfigureServices(services =>
- {
- var certificateValidator =
- new CertificateAuthenticationValidator(
- new CertificateAuthenticationConfigBuilder()
- .WithSubject(Configuration, subjectKey)
- .WithIssuer(SecretProvider, issuerKey)
- .Build());
-
- services.AddSecretStore(stores => stores.AddInMemory(issuerKey, "CN=known-issuername"))
- .AddClientCertificate(clientCertificate)
- .AddSingleton(certificateValidator)
- .AddMvc(opt => opt.Filters.AddCertificateAuthentication());
- });
-
- await using (var server = await TestApiServer.StartNewAsync(options, _logger))
- {
- var request = HttpRequestBuilder.Get(NoneAuthenticationController.GetRoute);
-
- // Act
- using (HttpResponseMessage response = await server.SendAsync(request))
- {
- // Assert
- Assert.True(
- (HttpStatusCode.Unauthorized == response.StatusCode) == expected,
- $"Response HTTP status code {(expected ? "should" : "shouldn't")} be 'Unauthorized' but was '{response.StatusCode}'");
- }
- }
- }
- }
-
[Theory]
[InlineData("known-subject", "known-issuername", false)]
[InlineData("unrecognizedSubjectName", "known-issuername", true)]
@@ -624,7 +395,7 @@ public async Task AuthorizedRoute_WithCertificateAuthenticationViaConfigurationA
using (X509Certificate2 clientCertificate = SelfSignedCertificate.CreateWithIssuerAndSubjectName(issuerValue, subjectValue))
{
var options = new TestApiServerOptions()
- .ConfigureAppConfiguration(config => config.AddInMemoryCollection(new []
+ .ConfigureAppConfiguration(config => config.AddInMemoryCollection(new[]
{
new KeyValuePair(subjectKey, "CN=known-subject")
}))
@@ -674,7 +445,7 @@ public async Task AuthorizedRoute_WithCertificateAuthenticationWithDirectValidto
using (X509Certificate2 clientCertificate = SelfSignedCertificate.CreateWithIssuerAndSubjectName(issuerValue, subjectValue))
{
var options = new TestApiServerOptions()
- .ConfigureAppConfiguration(config => config.AddInMemoryCollection(new []
+ .ConfigureAppConfiguration(config => config.AddInMemoryCollection(new[]
{
new KeyValuePair(subjectKey, "CN=known-subject")
}))
@@ -705,38 +476,6 @@ public async Task AuthorizedRoute_WithCertificateAuthenticationWithDirectValidto
}
}
- [Fact]
- public async Task AuthorizedRoute_WithCertificateAuthenticationOnFilters_ShouldFailOnInvalidBase64Format()
- {
- // Arrange
- var options = new TestApiServerOptions()
- .ConfigureServices(services =>
- {
- var certificateValidator =
- new CertificateAuthenticationValidator(
- new CertificateAuthenticationConfigBuilder()
- .WithSubject(Configuration, "ignored-subject")
- .Build());
-
- services.AddSingleton(certificateValidator)
- .AddMvc(opt => opt.Filters.AddCertificateAuthentication());
- });
-
- await using (var server = await TestApiServer.StartNewAsync(options, _logger))
- {
- var request = HttpRequestBuilder
- .Get(NoneAuthenticationController.GetRoute)
- .WithHeader("X-ARR-ClientCert", "something not even close to an client certificate export");
-
- // Act
- using (HttpResponseMessage response = await server.SendAsync(request))
- {
- // Assert
- Assert.Equal(HttpStatusCode.Unauthorized, response.StatusCode);
- }
- }
- }
-
[Fact]
public async Task AuthorizedRoute_WithCertificateAuthentication_ShouldFailOnInvalidBase64Format()
{
@@ -797,49 +536,6 @@ public async Task AuthorizedRoute_WithCertificateAuthenticationWithDirectValidat
}
}
- [Fact]
- public async Task AuthorizedRoute_WithCertificateAuthenticationInHeaderOnFilters_ShouldSucceed()
- {
- // Arrange
- const string subjectKey = "subject", issuerKey = "issuer";
- using (X509Certificate2 clientCertificate = SelfSignedCertificate.CreateWithIssuerAndSubjectName("known-issuername", "known-subject"))
- {
- var options = new TestApiServerOptions()
- .ConfigureAppConfiguration(config => config.AddInMemoryCollection(new []
- {
- new KeyValuePair(subjectKey, "CN=known-subject")
- }))
- .ConfigureServices(services =>
- {
- var certificateValidator =
- new CertificateAuthenticationValidator(
- new CertificateAuthenticationConfigBuilder()
- .WithSubject(Configuration, subjectKey)
- .WithIssuer(SecretProvider, issuerKey)
- .Build());
-
- services.AddSecretStore(stores => stores.AddInMemory(issuerKey, "CN=known-issuername"))
- .AddSingleton(certificateValidator)
- .AddMvc(opt => opt.Filters.AddCertificateAuthentication());
- });
-
- await using (var server = await TestApiServer.StartNewAsync(options, _logger))
- {
- string base64String = Convert.ToBase64String(clientCertificate.Export(X509ContentType.Pkcs12), Base64FormattingOptions.None);
- var request = HttpRequestBuilder
- .Get(NoneAuthenticationController.GetRoute)
- .WithHeader("X-ARR-ClientCert", base64String);
-
- // Act
- using (HttpResponseMessage response = await server.SendAsync(request))
- {
- // Assert
- Assert.NotEqual(HttpStatusCode.Unauthorized, response.StatusCode);
- }
- }
- }
- }
-
[Fact]
public async Task AuthorizedRoute_WithCertificateAuthenticationInHeader_ShouldSucceed()
{
@@ -848,7 +544,7 @@ public async Task AuthorizedRoute_WithCertificateAuthenticationInHeader_ShouldSu
using (X509Certificate2 clientCertificate = SelfSignedCertificate.CreateWithIssuerAndSubjectName("known-issuername", "known-subject"))
{
var options = new TestApiServerOptions()
- .ConfigureAppConfiguration(config => config.AddInMemoryCollection(new []
+ .ConfigureAppConfiguration(config => config.AddInMemoryCollection(new[]
{
new KeyValuePair(subjectKey, "CN=known-subject")
}))
@@ -860,12 +556,12 @@ public async Task AuthorizedRoute_WithCertificateAuthenticationInHeader_ShouldSu
.WithSubject(Configuration, subjectKey)
.WithIssuer(SecretProvider, issuerKey)
.Build());
-
+
services.AddSecretStore(stores => stores.AddInMemory(issuerKey, "CN=known-issuername"))
.AddSingleton(certificateValidator)
.AddControllers(opt => opt.AddCertificateAuthenticationFilter());
});
-
+
await using (var server = await TestApiServer.StartNewAsync(options, _logger))
{
string base64String = Convert.ToBase64String(clientCertificate.Export(X509ContentType.Pkcs12), Base64FormattingOptions.None);
@@ -891,7 +587,7 @@ public async Task AuthorizedRoute_WithCertificateAuthenticationWithDirectValidat
using (X509Certificate2 clientCertificate = SelfSignedCertificate.CreateWithIssuerAndSubjectName("known-issuername", "known-subject"))
{
var options = new TestApiServerOptions()
- .ConfigureAppConfiguration(config => config.AddInMemoryCollection(new []
+ .ConfigureAppConfiguration(config => config.AddInMemoryCollection(new[]
{
new KeyValuePair(subjectKey, "CN=known-subject")
}))
@@ -904,7 +600,7 @@ public async Task AuthorizedRoute_WithCertificateAuthenticationWithDirectValidat
.WithIssuer(SecretProvider, issuerKey);
}));
});
-
+
await using (var server = await TestApiServer.StartNewAsync(options, _logger))
{
string base64String = Convert.ToBase64String(clientCertificate.Export(X509ContentType.Pkcs12), Base64FormattingOptions.None);
@@ -921,45 +617,6 @@ public async Task AuthorizedRoute_WithCertificateAuthenticationWithDirectValidat
}
}
}
-
- [Theory]
- [InlineData(BypassOnMethodController.CertificateRoute)]
- [InlineData(BypassCertificateController.BypassOverAuthenticationRoute)]
- [InlineData(AllowAnonymousCertificateController.Route)]
- public async Task CertificateAuthorizedRoute_WithBypassAttributeOnFilters_SkipsAuthentication(string route)
- {
- // Arrange
- const string issuerKey = "issuer";
- using (X509Certificate2 clientCertificate = SelfSignedCertificate.CreateWithIssuerAndSubjectName("issuer", "subject"))
- {
- var options = new TestApiServerOptions()
- .ConfigureServices(services =>
- {
- var certificateValidator =
- new CertificateAuthenticationValidator(
- new CertificateAuthenticationConfigBuilder()
- .WithIssuer(SecretProvider, issuerKey)
- .Build());
-
- services.AddSecretStore(stores => stores.AddInMemory(issuerKey, "CN=issuer"))
- .AddClientCertificate(clientCertificate)
- .AddSingleton(certificateValidator)
- .AddMvc(opt => opt.Filters.AddCertificateAuthentication());
- });
-
- await using (var server = await TestApiServer.StartNewAsync(options, _logger))
- {
- var request = HttpRequestBuilder.Get(route);
-
- // Act
- using (HttpResponseMessage response = await server.SendAsync(request))
- {
- // Assert
- Assert.Equal(HttpStatusCode.OK, response.StatusCode);
- }
- }
- }
- }
[Theory]
[InlineData(BypassOnMethodController.CertificateRoute)]
@@ -989,7 +646,7 @@ public async Task CertificateAuthorizedRoute_WithBypassAttribute_SkipsAuthentica
await using (var server = await TestApiServer.StartNewAsync(options, _logger))
{
var request = HttpRequestBuilder.Get(route);
-
+
// Act
using (HttpResponseMessage response = await server.SendAsync(request))
{
@@ -1021,7 +678,7 @@ public async Task CertificateWithDirectValidatorAuthorizedRoute_WithBypassAttrib
await using (var server = await TestApiServer.StartNewAsync(options, _logger))
{
var request = HttpRequestBuilder.Get(route);
-
+
// Act
using (HttpResponseMessage response = await server.SendAsync(request))
{
@@ -1051,7 +708,7 @@ public async Task CertificateWithDirectValidatorAuthorizedOnFilterByBypassedOnRo
await using (var server = await TestApiServer.StartNewAsync(options, _logger))
{
var request = HttpRequestBuilder.Get(BypassOnMethodController.CertificateRoute);
-
+
// Act
using (HttpResponseMessage response = await server.SendAsync(request))
{
@@ -1061,46 +718,6 @@ public async Task CertificateWithDirectValidatorAuthorizedOnFilterByBypassedOnRo
}
}
}
-
- [Fact]
- public async Task CertificateAuthorizedRoute_DoesntEmitSecurityEventsByDefaultOnFilters_RunsAuthentication()
- {
- // Arrange
- const string issuerKey = "issuer";
- var spySink = new InMemorySink();
- var options = new TestApiServerOptions()
- .ConfigureServices(services =>
- {
- var certificateValidator =
- new CertificateAuthenticationValidator(
- new CertificateAuthenticationConfigBuilder()
- .WithIssuer(SecretProvider, issuerKey)
- .Build());
-
- services.AddSecretStore(stores => stores.AddInMemory(issuerKey, "CN=issuer"))
- .AddSingleton(certificateValidator)
- .AddMvc(opt => opt.Filters.AddCertificateAuthentication());
- })
- .ConfigureHost(host => host.UseSerilog((context, config) => config.WriteTo.Sink(spySink)));
-
- await using (var server = await TestApiServer.StartNewAsync(options, _logger))
- {
- var request = HttpRequestBuilder.Get(NoneAuthenticationController.GetRoute);
-
- // Act
- using (HttpResponseMessage response = await server.SendAsync(request))
- {
- // Assert
- Assert.Equal(HttpStatusCode.Unauthorized, response.StatusCode);
- IEnumerable logEvents = spySink.DequeueLogEvents();
- Assert.DoesNotContain(logEvents, logEvent =>
- {
- string message = logEvent.RenderMessage();
- return message.Contains("EventType") && message.Contains("Security");
- });
- }
- }
- }
[Fact]
public async Task CertificateAuthorizedRoute_DoesntEmitSecurityEventsByDefault_RunsAuthentication()
@@ -1126,7 +743,7 @@ public async Task CertificateAuthorizedRoute_DoesntEmitSecurityEventsByDefault_R
await using (var server = await TestApiServer.StartNewAsync(options, _logger))
{
var request = HttpRequestBuilder.Get(NoneAuthenticationController.GetRoute);
-
+
// Act
using (HttpResponseMessage response = await server.SendAsync(request))
{
@@ -1159,7 +776,7 @@ public async Task CertificateWithDirectValidatorAuthorizedRoute_DoesntEmitSecuri
await using (var server = await TestApiServer.StartNewAsync(options, _logger))
{
var request = HttpRequestBuilder.Get(NoneAuthenticationController.GetRoute);
-
+
// Act
using (HttpResponseMessage response = await server.SendAsync(request))
{
@@ -1175,51 +792,6 @@ public async Task CertificateWithDirectValidatorAuthorizedRoute_DoesntEmitSecuri
}
}
- [Theory]
- [InlineData(false)]
- [InlineData(true)]
- public async Task CertificateAuthorizedRoute_EmitsSecurityEventsWhenRequestedOnFilters_RunsAuthentication(bool emitsSecurityEvents)
- {
- // Arrange
- const string issuerKey = "issuer";
- var spySink = new InMemorySink();
- var options = new TestApiServerOptions()
- .ConfigureServices(services =>
- {
- var certificateValidator =
- new CertificateAuthenticationValidator(
- new CertificateAuthenticationConfigBuilder()
- .WithIssuer(SecretProvider, issuerKey)
- .Build());
-
- services.AddSecretStore(stores => stores.AddInMemory(issuerKey, "CN=issuer"))
- .AddSingleton(certificateValidator)
- .AddMvc(opt => opt.Filters.AddCertificateAuthentication(authOptions =>
- {
- authOptions.EmitSecurityEvents = emitsSecurityEvents;
- }));
- })
- .ConfigureHost(host => host.UseSerilog((context, config) => config.WriteTo.Sink(spySink)));
-
- await using (var server = await TestApiServer.StartNewAsync(options, _logger))
- {
- var request = HttpRequestBuilder.Get(NoneAuthenticationController.GetRoute);
-
- // Act
- using (HttpResponseMessage response = await server.SendAsync(request))
- {
- // Assert
- Assert.Equal(HttpStatusCode.Unauthorized, response.StatusCode);
- IEnumerable logEvents = spySink.DequeueLogEvents();
- Assert.True(emitsSecurityEvents == logEvents.Any(logEvent =>
- {
- string message = logEvent.RenderMessage();
- return message.Contains("EventType") && message.Contains("Security");
- }));
- }
- }
- }
-
[Theory]
[InlineData(false)]
[InlineData(true)]
@@ -1249,7 +821,7 @@ public async Task CertificateAuthorizedRoute_EmitsSecurityEventsWhenRequested_Ru
await using (var server = await TestApiServer.StartNewAsync(options, _logger))
{
var request = HttpRequestBuilder.Get(NoneAuthenticationController.GetRoute);
-
+
// Act
using (HttpResponseMessage response = await server.SendAsync(request))
{
@@ -1289,7 +861,7 @@ public async Task CertificateWithDirectValidatorAuthorizedRoute_EmitsSecurityEve
await using (var server = await TestApiServer.StartNewAsync(options, _logger))
{
var request = HttpRequestBuilder.Get(NoneAuthenticationController.GetRoute);
-
+
// Act
using (HttpResponseMessage response = await server.SendAsync(request))
{