Revert "Add antiforgery middleware"

This reverts commit 4629148519.
Ryan Nowak 2016-04-01 08:15:47 -07:00
parent fab3bfd237
commit 37c8f5de70
13 changed files with 60 additions and 1331 deletions


@ -1,29 +0,0 @@
// Copyright (c) .NET Foundation. All rights reserved.
// Licensed under the Apache License, Version 2.0. See License.txt in the project root for license information.
using System;
using Microsoft.AspNetCore.Antiforgery;
namespace Microsoft.AspNetCore.Builder
{
/// <summary>
/// Extension methods for configuring the antiforgery middleware.
/// </summary>
public static class AntiforgeryBuilderExtensions
{
/// <summary>
/// Adds the antiforgery middleware.
/// </summary>
/// <param name="app">The <see cref="IApplicationBuilder"/>.</param>
/// <returns>The <see cref="IApplicationBuilder"/>.</returns>
public static IApplicationBuilder UseAntiforgery(this IApplicationBuilder app)
{
if (app == null)
{
throw new ArgumentNullException(nameof(app));
}
return app.UseMiddleware<AntiforgeryMiddleware>();
}
}
}


@ -1,65 +0,0 @@
// Copyright (c) .NET Foundation. All rights reserved.
// Licensed under the Apache License, Version 2.0. See License.txt in the project root for license information.
using System;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Antiforgery.Internal;
using Microsoft.AspNetCore.Http;
namespace Microsoft.AspNetCore.Antiforgery
{
/// <summary>
/// A middleware implementation of antiforgery validation.
/// </summary>
public class AntiforgeryMiddleware
{
private readonly IAntiforgery _antiforgery;
private readonly RequestDelegate _next;
/// <summary>
/// Creates a new <see cref="AntiforgeryMiddleware"/>.
/// </summary>
/// <param name="next">The <see cref="RequestDelegate"/> for the next middleware.</param>
/// <param name="antiforgery">The <see cref="IAntiforgery"/>.</param>
public AntiforgeryMiddleware(RequestDelegate next, IAntiforgery antiforgery)
{
if (next == null)
{
throw new ArgumentNullException(nameof(next));
}
if (antiforgery == null)
{
throw new ArgumentNullException(nameof(antiforgery));
}
_next = next;
_antiforgery = antiforgery;
}
/// <summary>
/// Invokes the middleware for the given <paramref name="httpContext"/>.
/// </summary>
/// <param name="httpContext">The <see cref="HttpContext"/> associated with the current request.</param>
/// <returns>A <see cref="Task"/> which will be completed when execution of the middleware completes.</returns>
public async Task Invoke(HttpContext httpContext)
{
if (httpContext == null)
{
throw new ArgumentNullException(nameof(httpContext));
}
var handler = new AntiforgeryAuthenticationHandler(_antiforgery);
await handler.InitializeAsync(httpContext);
try
{
await _next(httpContext);
}
finally
{
handler.Teardown();
}
}
}
}


@ -1,7 +1,6 @@
// Copyright (c) .NET Foundation. All rights reserved.
// Licensed under the Apache License, Version 2.0. See License.txt in the project root for license information.
using System.Security.Claims;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Http;
@ -47,18 +46,6 @@ namespace Microsoft.AspNetCore.Antiforgery
/// </returns>
Task<bool> IsRequestValidAsync(HttpContext httpContext);
/// <summary>
/// Asynchronously returns a value indicating whether the request passes antiforgery validation. If the
/// request uses a safe HTTP method (GET, HEAD, OPTIONS, TRACE), the antiforgery token is not validated.
/// </summary>
/// <param name="httpContext">The <see cref="HttpContext"/> associated with the current request.</param>
/// <param name="principal">The claims-based principal to validate.</param>
/// <returns>
/// A <see cref="Task{Boolean}"/> that, when completed, returns <c>true</c> if the is requst uses a safe HTTP
/// method or contains a value antiforgery token, otherwise returns <c>false</c>.
/// </returns>
Task<bool> IsRequestValidAsync(HttpContext httpContext, ClaimsPrincipal principal);
/// <summary>
/// Validates an antiforgery token that was supplied as part of the request.
/// </summary>
@ -68,16 +55,6 @@ namespace Microsoft.AspNetCore.Antiforgery
/// </exception>
Task ValidateRequestAsync(HttpContext httpContext);
/// <summary>
/// Validates an antiforgery token that was supplied as part of the request.
/// </summary>
/// <param name="httpContext">The <see cref="HttpContext"/> associated with the current request.</param>
/// <param name="principal">The claims-based principal to validate.</param>
/// <exception cref="AntiforgeryValidationException">
/// Thrown when the request does not include a valid antiforgery token.
/// </exception>
Task ValidateRequestAsync(HttpContext httpContext, ClaimsPrincipal principal);
/// <summary>
/// Generates and stores an antiforgery cookie token if one is not available or not valid.
/// </summary>


@ -1,160 +0,0 @@
// Copyright (c) .NET Foundation. All rights reserved.
// Licensed under the Apache License, Version 2.0. See License.txt in the project root for license information.
using System;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Http;
using Microsoft.AspNetCore.Http.Features.Authentication;
namespace Microsoft.AspNetCore.Antiforgery.Internal
{
public class AntiforgeryAuthenticationHandler : IAuthenticationHandler
{
private readonly IAntiforgery _antiforgery;
private HttpContext _httpContext;
private IAuthenticationHandler _priorHandler;
public AntiforgeryAuthenticationHandler(IAntiforgery antiforgery)
{
if (antiforgery == null)
{
throw new ArgumentNullException(nameof(antiforgery));
}
_antiforgery = antiforgery;
}
public async Task InitializeAsync(HttpContext httpContext)
{
if (httpContext == null)
{
throw new ArgumentNullException(nameof(httpContext));
}
_httpContext = httpContext;
var authentication = GetAuthenticationFeature(_httpContext);
_priorHandler = authentication.Handler;
authentication.Handler = this;
if (authentication.User != null)
{
if (!await _antiforgery.IsRequestValidAsync(_httpContext))
{
// Wipe out any existing principal if we can't validate this request.
authentication.User = null;
return;
}
}
}
public void Teardown()
{
var authentication = GetAuthenticationFeature(_httpContext);
authentication.Handler = _priorHandler;
}
/// <inheritdoc />
public async Task AuthenticateAsync(AuthenticateContext context)
{
if (context == null)
{
throw new ArgumentNullException(nameof(context));
}
if (_priorHandler != null)
{
await _priorHandler.AuthenticateAsync(context);
var authentication = GetAuthenticationFeature(_httpContext);
if (context.Principal != null)
{
try
{
await _antiforgery.ValidateRequestAsync(_httpContext, context.Principal);
}
catch (AntiforgeryValidationException ex)
{
context.Failed(ex);
return;
}
}
}
}
/// <inheritdoc />
public Task ChallengeAsync(ChallengeContext context)
{
if (context == null)
{
throw new ArgumentNullException(nameof(context));
}
if (_priorHandler != null)
{
return _priorHandler.ChallengeAsync(context);
}
return TaskCache.CompletedTask;
}
/// <inheritdoc />
public void GetDescriptions(DescribeSchemesContext context)
{
if (context == null)
{
throw new ArgumentNullException(nameof(context));
}
if (_priorHandler != null)
{
_priorHandler.GetDescriptions(context);
}
}
/// <inheritdoc />
public Task SignInAsync(SignInContext context)
{
if (context == null)
{
throw new ArgumentNullException(nameof(context));
}
if (_priorHandler != null)
{
return _priorHandler.SignInAsync(context);
}
return TaskCache.CompletedTask;
}
/// <inheritdoc />
public Task SignOutAsync(SignOutContext context)
{
if (context == null)
{
throw new ArgumentNullException(nameof(context));
}
if (_priorHandler != null)
{
return _priorHandler.SignOutAsync(context);
}
return TaskCache.CompletedTask;
}
private static IHttpAuthenticationFeature GetAuthenticationFeature(HttpContext httpContext)
{
var authentication = httpContext.Features.Get<IHttpAuthenticationFeature>();
if (authentication == null)
{
authentication = new HttpAuthenticationFeature();
httpContext.Features.Set(authentication);
}
return authentication;
}
}
}


@ -3,7 +3,6 @@
using System;
using System.Diagnostics;
using System.Security.Claims;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Http;
using Microsoft.Extensions.DependencyInjection;
@ -86,7 +85,7 @@ namespace Microsoft.AspNetCore.Antiforgery.Internal
}
/// <inheritdoc />
public Task<bool> IsRequestValidAsync(HttpContext httpContext)
public async Task<bool> IsRequestValidAsync(HttpContext httpContext)
{
if (httpContext == null)
{
@ -95,26 +94,13 @@ namespace Microsoft.AspNetCore.Antiforgery.Internal
CheckSSLConfig(httpContext);
return IsRequestValidAsync(httpContext, httpContext.User);
}
/// <inheritdoc />
public async Task<bool> IsRequestValidAsync(HttpContext httpContext, ClaimsPrincipal principal)
{
if (httpContext == null)
{
throw new ArgumentNullException(nameof(httpContext));
}
if (principal == null)
{
throw new ArgumentNullException(nameof(principal));
}
CheckSSLConfig(httpContext);
if (!IsValidationRequired(httpContext))
var method = httpContext.Request.Method;
if (string.Equals(method, "GET", StringComparison.OrdinalIgnoreCase) ||
string.Equals(method, "HEAD", StringComparison.OrdinalIgnoreCase) ||
string.Equals(method, "OPTIONS", StringComparison.OrdinalIgnoreCase) ||
string.Equals(method, "TRACE", StringComparison.OrdinalIgnoreCase))
{
// Validation not needed for these request types.
return true;
}
@ -140,7 +126,6 @@ namespace Microsoft.AspNetCore.Antiforgery.Internal
string message;
var result = _tokenGenerator.TryValidateTokenSet(
httpContext,
principal,
deserializedCookieToken,
deserializedRequestToken,
out message);
@ -158,7 +143,7 @@ namespace Microsoft.AspNetCore.Antiforgery.Internal
}
/// <inheritdoc />
public Task ValidateRequestAsync(HttpContext httpContext)
public async Task ValidateRequestAsync(HttpContext httpContext)
{
if (httpContext == null)
{
@ -167,29 +152,6 @@ namespace Microsoft.AspNetCore.Antiforgery.Internal
CheckSSLConfig(httpContext);
return ValidateRequestAsync(httpContext, httpContext.User);
}
/// <inheritdoc />
public async Task ValidateRequestAsync(HttpContext httpContext, ClaimsPrincipal principal)
{
if (httpContext == null)
{
throw new ArgumentNullException(nameof(httpContext));
}
if (principal == null)
{
throw new ArgumentNullException(nameof(principal));
}
CheckSSLConfig(httpContext);
if (!IsValidationRequired(httpContext))
{
return;
}
var tokens = await _tokenStore.GetRequestTokensAsync(httpContext);
if (tokens.CookieToken == null)
{
@ -218,15 +180,12 @@ namespace Microsoft.AspNetCore.Antiforgery.Internal
}
}
ValidateTokens(httpContext, principal, tokens);
ValidateTokens(httpContext, tokens);
_logger.ValidatedAntiforgeryToken();
}
private void ValidateTokens(
HttpContext httpContext,
ClaimsPrincipal principal,
AntiforgeryTokenSet antiforgeryTokenSet)
private void ValidateTokens(HttpContext httpContext, AntiforgeryTokenSet antiforgeryTokenSet)
{
Debug.Assert(!string.IsNullOrEmpty(antiforgeryTokenSet.CookieToken));
Debug.Assert(!string.IsNullOrEmpty(antiforgeryTokenSet.RequestToken));
@ -244,7 +203,6 @@ namespace Microsoft.AspNetCore.Antiforgery.Internal
string message;
if (!_tokenGenerator.TryValidateTokenSet(
httpContext,
principal,
deserializedCookieToken,
deserializedRequestToken,
out message))
@ -310,21 +268,6 @@ namespace Microsoft.AspNetCore.Antiforgery.Internal
}
}
private bool IsValidationRequired(HttpContext httpContext)
{
var method = httpContext.Request.Method;
if (string.Equals(method, "GET", StringComparison.OrdinalIgnoreCase) ||
string.Equals(method, "HEAD", StringComparison.OrdinalIgnoreCase) ||
string.Equals(method, "OPTIONS", StringComparison.OrdinalIgnoreCase) ||
string.Equals(method, "TRACE", StringComparison.OrdinalIgnoreCase))
{
// Validation not needed for HTTP methods that don't mutate any state.
return false;
}
return true;
}
private static IAntiforgeryFeature GetAntiforgeryFeature(HttpContext httpContext)
{
var antiforgeryFeature = httpContext.Features.Get<IAntiforgeryFeature>();
@ -405,7 +348,6 @@ namespace Microsoft.AspNetCore.Antiforgery.Internal
var cookieToken = antiforgeryFeature.NewCookieToken ?? antiforgeryFeature.CookieToken;
antiforgeryFeature.NewRequestToken = _tokenGenerator.GenerateRequestToken(
httpContext,
httpContext.User,
cookieToken);
}
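Review bot: In the `IsRequestValidAsync` hunk the safe-method list (the four `string.Equals(method, "GET"/"HEAD"/"OPTIONS"/"TRACE", StringComparison.OrdinalIgnoreCase)` comparisons) is written inline, and the same commit drops the shared `IsValidationRequired` helper, so `ValidateRequestAsync` presumably carries a second copy of the same list; keeping a single private helper for the check would stop the two entry points from diverging on which methods skip validation. Separately, now that the principal is no longer a parameter, `ValidateTokens(httpContext, tokens)` and the generator's `TryValidateTokenSet` read `httpContext.User` themselves, so the outcome of both entry points depends on authentication having already populated `HttpContext.User` when they are called; a comment on `IsRequestValidAsync` and `ValidateRequestAsync` such as `// Token ownership is checked against httpContext.User; call only after authentication has run.` would make that ordering requirement visible to callers. The methods in these hunks start and end outside the lines shown.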


@ -35,7 +35,6 @@ namespace Microsoft.AspNetCore.Antiforgery.Internal
/// <inheritdoc />
public AntiforgeryToken GenerateRequestToken(
HttpContext httpContext,
ClaimsPrincipal principal,
AntiforgeryToken cookieToken)
{
if (httpContext == null)
@ -64,11 +63,11 @@ namespace Microsoft.AspNetCore.Antiforgery.Internal
var isIdentityAuthenticated = false;
// populate Username and ClaimUid
var authenticatedIdentity = GetAuthenticatedIdentity(principal);
var authenticatedIdentity = GetAuthenticatedIdentity(httpContext.User);
if (authenticatedIdentity != null)
{
isIdentityAuthenticated = true;
requestToken.ClaimUid = GetClaimUidBlob(_claimUidExtractor.ExtractClaimUid(principal));
requestToken.ClaimUid = GetClaimUidBlob(_claimUidExtractor.ExtractClaimUid(httpContext.User));
if (requestToken.ClaimUid == null)
{
@ -110,7 +109,6 @@ namespace Microsoft.AspNetCore.Antiforgery.Internal
/// <inheritdoc />
public bool TryValidateTokenSet(
HttpContext httpContext,
ClaimsPrincipal principal,
AntiforgeryToken cookieToken,
AntiforgeryToken requestToken,
out string message)
@ -152,10 +150,10 @@ namespace Microsoft.AspNetCore.Antiforgery.Internal
var currentUsername = string.Empty;
BinaryBlob currentClaimUid = null;
var authenticatedIdentity = GetAuthenticatedIdentity(principal);
var authenticatedIdentity = GetAuthenticatedIdentity(httpContext.User);
if (authenticatedIdentity != null)
{
currentClaimUid = GetClaimUidBlob(_claimUidExtractor.ExtractClaimUid(principal));
currentClaimUid = GetClaimUidBlob(_claimUidExtractor.ExtractClaimUid(httpContext.User));
if (currentClaimUid == null)
{
currentUsername = authenticatedIdentity.Name ?? string.Empty;
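Review bot: In `TryValidateTokenSet` the principal is read from `httpContext.User` twice, once for `GetAuthenticatedIdentity(httpContext.User)` and again for `_claimUidExtractor.ExtractClaimUid(httpContext.User)`; capturing it once, `var principal = httpContext.User;`, and passing that local to both calls makes explicit that the identity test and the ClaimUid extraction are performed against the same principal and keeps the feature lookup to a single read. The same pattern appears in `GenerateRequestToken` in the first hunk of this file. Both methods begin and end outside the lines shown.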


@ -1,7 +1,6 @@
// Copyright (c) .NET Foundation. All rights reserved.
// Licensed under the Apache License, Version 2.0. See License.txt in the project root for license information.
using System.Security.Claims;
using Microsoft.AspNetCore.Http;
namespace Microsoft.AspNetCore.Antiforgery.Internal
@ -21,13 +20,9 @@ namespace Microsoft.AspNetCore.Antiforgery.Internal
/// Generates a request token corresponding to <paramref name="cookieToken"/>.
/// </summary>
/// <param name="httpContext">The <see cref="HttpContext"/> associated with the current request.</param>
/// <param name="principal">The claims-based principal to use for token generation.</param>
/// <param name="cookieToken">A valid cookie token.</param>
/// <returns>An <see cref="AntiforgeryToken"/>.</returns>
AntiforgeryToken GenerateRequestToken(
HttpContext httpContext,
ClaimsPrincipal principal,
AntiforgeryToken cookieToken);
AntiforgeryToken GenerateRequestToken(HttpContext httpContext, AntiforgeryToken cookieToken);
/// <summary>
/// Attempts to validate a cookie token.
@ -40,7 +35,6 @@ namespace Microsoft.AspNetCore.Antiforgery.Internal
/// Attempts to validate a cookie and request token set for the given <paramref name="httpContext"/>.
/// </summary>
/// <param name="httpContext">The <see cref="HttpContext"/> associated with the current request.</param>
/// <param name="principal">The claims-based principal to use for token validation.</param>
/// <param name="cookieToken">A cookie token.</param>
/// <param name="requestToken">A request token.</param>
/// <param name="message">
@ -49,7 +43,6 @@ namespace Microsoft.AspNetCore.Antiforgery.Internal
/// <returns><c>true</c> if the tokens are valid, otherwise <c>false</c>.</returns>
bool TryValidateTokenSet(
HttpContext httpContext,
ClaimsPrincipal principal,
AntiforgeryToken cookieToken,
AntiforgeryToken requestToken,
out string message);
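Review bot: With the `principal` parameter removed, the XML docs for `GenerateRequestToken` and `TryValidateTokenSet` no longer say which identity the token is bound to or validated against; since the implementation in this commit reads `httpContext.User`, the `<param name="httpContext">` line of each should say so, e.g. `/// <param name="httpContext">The <see cref="HttpContext"/> associated with the current request; its <see cref="HttpContext.User"/> supplies the identity the token is bound to.</param>`. That tells implementers and callers that the result depends on authentication having run before these are invoked. Both hunks sit inside the interface body, which continues outside the lines shown.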


@ -1,12 +0,0 @@
// Copyright (c) .NET Foundation. All rights reserved.
// Licensed under the Apache License, Version 2.0. See License.txt in the project root for license information.
using System.Threading.Tasks;
namespace Microsoft.AspNetCore.Antiforgery.Internal
{
public static class TaskCache
{
public static readonly Task CompletedTask = Task.FromResult(0);
}
}


@ -19,7 +19,9 @@
},
"dependencies": {
"Microsoft.AspNetCore.DataProtection": "1.0.0-*",
"Microsoft.AspNetCore.Http": "1.0.0-*"
"Microsoft.AspNetCore.Http.Abstractions": "1.0.0-*",
"Microsoft.AspNetCore.WebUtilities": "1.0.0-*",
"Microsoft.Extensions.ObjectPool": "1.0.0-*"
},
"frameworks": {
"netstandard1.3": {


@ -1,380 +0,0 @@
// Copyright (c) .NET Foundation. All rights reserved.
// Licensed under the Apache License, Version 2.0. See License.txt in the project root for license information.
using System;
using System.Security.Claims;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Antiforgery.Internal;
using Microsoft.AspNetCore.Builder;
using Microsoft.AspNetCore.Builder.Internal;
using Microsoft.AspNetCore.Http;
using Microsoft.AspNetCore.Http.Features.Authentication;
using Microsoft.Extensions.DependencyInjection;
using Moq;
using Xunit;
namespace Microsoft.AspNetCore.Antiforgery
{
// These are really more like integration tests and just verify a bunch of different
// reasonable combinations of authN middleware.
public class AntiforgeryMiddlewareTest
{
private readonly ClaimsPrincipal LoggedInUser = new ClaimsPrincipal(new ClaimsIdentity[]
{
new ClaimsIdentity("Test"),
});
private readonly ClaimsPrincipal LoggedInUser2 = new ClaimsPrincipal(new ClaimsIdentity[]
{
new ClaimsIdentity("Test"),
});
[Fact]
public async Task AutomaticAuthentication_Anonymous()
{
// Arrange
var context = Setup((app) =>
{
app.Use(next => new AutomaticAuthenticationMiddleware(next, null).Invoke);
app.UseAntiforgery();
});
var httpContext = new DefaultHttpContext();
await context.AppFunc(httpContext);
Assert.Null(context.Principal);
}
[Fact]
public async Task AutomaticAuthentication_LoggedIn_WithoutToken()
{
// Arrange
var context = Setup((app) =>
{
app.UseMiddleware<AutomaticAuthenticationMiddleware>(LoggedInUser);
app.UseAntiforgery();
});
context.Antiforgery
.Setup(a => a.IsRequestValidAsync(It.IsAny<HttpContext>()))
.ReturnsAsync(false);
var httpContext = new DefaultHttpContext();
await context.AppFunc(httpContext);
Assert.Null(context.Principal);
}
[Fact]
public async Task AutomaticAuthentication_LoggedIn_WithValidToken()
{
// Arrange
var context = Setup((app) =>
{
app.UseMiddleware<AutomaticAuthenticationMiddleware>(LoggedInUser);
app.UseAntiforgery();
});
context.Antiforgery
.Setup(a => a.IsRequestValidAsync(It.IsAny<HttpContext>()))
.ReturnsAsync(true);
var httpContext = new DefaultHttpContext();
await context.AppFunc(httpContext);
Assert.Same(LoggedInUser, context.Principal);
}
// A middleware after antiforgery in the pipeline can authenticate without going through token
// validation.
[Fact]
public async Task AutomaticAuthentication_LoggedIn_WithoutToken_AuthenticatedBySubsequentMiddleware()
{
// Arrange
var context = Setup((app) =>
{
app.UseMiddleware<AutomaticAuthenticationMiddleware>(LoggedInUser);
app.UseAntiforgery();
app.UseMiddleware<AutomaticAuthenticationMiddleware>(LoggedInUser2);
});
context.Antiforgery
.Setup(a => a.IsRequestValidAsync(It.IsAny<HttpContext>()))
.ReturnsAsync(false);
var httpContext = new DefaultHttpContext();
await context.AppFunc(httpContext);
Assert.Same(LoggedInUser2, context.Principal);
}
[Fact]
public async Task PasiveAuthentication_Anonymous()
{
// Arrange
var context = Setup((app) =>
{
app.Use(next => new AuthenticationHandlerMiddleware(next, null).Invoke);
app.UseAntiforgery();
app.UseMiddleware<CallAuthenticateMiddleware>();
});
var httpContext = new DefaultHttpContext();
await context.AppFunc(httpContext);
Assert.Null(context.Principal);
}
[Fact]
public async Task PassiveAuthentication_LoggedIn_WithoutToken()
{
// Arrange
var context = Setup((app) =>
{
app.UseMiddleware<AuthenticationHandlerMiddleware>(LoggedInUser);
app.UseAntiforgery();
app.UseMiddleware<CallAuthenticateMiddleware>();
});
context.Antiforgery
.Setup(a => a.ValidateRequestAsync(It.IsAny<HttpContext>(), LoggedInUser))
.Throws(new AntiforgeryValidationException("error"));
var httpContext = new DefaultHttpContext();
await context.AppFunc(httpContext);
Assert.Null(context.Principal);
}
[Fact]
public async Task PassiveAuthentication_LoggedIn_WithValidToken()
{
// Arrange
var context = Setup((app) =>
{
app.UseMiddleware<AuthenticationHandlerMiddleware>(LoggedInUser);
app.UseAntiforgery();
app.UseMiddleware<CallAuthenticateMiddleware>();
});
context.Antiforgery
.Setup(a => a.ValidateRequestAsync(It.IsAny<HttpContext>(), LoggedInUser))
.Returns(TaskCache.CompletedTask);
var httpContext = new DefaultHttpContext();
await context.AppFunc(httpContext);
Assert.Same(LoggedInUser, context.Principal);
}
// A middleware after antiforgery in the pipeline can authenticate without going through token
// validation.
[Fact]
public async Task PassiveAuthentication_LoggedIn_WithoutToken_AuthenticatedBySubsequentMiddleware()
{
// Arrange
var context = Setup((app) =>
{
app.UseMiddleware<AuthenticationHandlerMiddleware>(LoggedInUser);
app.UseAntiforgery();
app.UseMiddleware<AuthenticationHandlerMiddleware>(LoggedInUser2);
app.UseMiddleware<CallAuthenticateMiddleware>();
});
var httpContext = new DefaultHttpContext();
await context.AppFunc(httpContext);
Assert.Same(LoggedInUser2, context.Principal);
}
private static IHttpAuthenticationFeature GetAuthenticationFeature(HttpContext httpContext)
{
var authentication = httpContext.Features.Get<IHttpAuthenticationFeature>();
if (authentication == null)
{
authentication = new HttpAuthenticationFeature();
httpContext.Features.Set(authentication);
}
return authentication;
}
private static TestContext Setup(Action<IApplicationBuilder> action)
{
var services = new ServiceCollection();
services.AddLogging();
services.AddOptions();
var antiforgery = new Mock<IAntiforgery>(MockBehavior.Strict);
services.AddSingleton(antiforgery.Object);
var result = new TestContext();
result.Antiforgery = antiforgery;
var app = new ApplicationBuilder(services.BuildServiceProvider());
action(app);
// Capture the logged in user 'after' the middleware so we can validate it.
app.Run(c =>
{
result.Principal = GetAuthenticationFeature(c).User;
return TaskCache.CompletedTask;
});
result.AppFunc = app.Build();
return result;
}
private class TestContext
{
public Mock<IAntiforgery> Antiforgery { get; set; }
public RequestDelegate AppFunc { get; set; }
public ClaimsPrincipal Principal { get; set; }
}
private class AutomaticAuthenticationMiddleware
{
private readonly RequestDelegate _next;
private readonly ClaimsPrincipal _principal;
public AutomaticAuthenticationMiddleware(RequestDelegate next, ClaimsPrincipal principal)
{
_next = next;
_principal = principal;
}
public Task Invoke(HttpContext httpContext)
{
GetAuthenticationFeature(httpContext).User = _principal;
return _next(httpContext);
}
}
private class AuthenticationHandlerMiddleware
{
private readonly RequestDelegate _next;
private readonly ClaimsPrincipal _principal;
public AuthenticationHandlerMiddleware(RequestDelegate next, ClaimsPrincipal principal)
{
_next = next;
_principal = principal;
}
public async Task Invoke(HttpContext httpContext)
{
var handler = new AuthenticationHandler(_principal);
await handler.InitializeAsync(httpContext);
try
{
await _next(httpContext);
}
finally
{
await handler.TeardownAsync();
}
}
}
private class AuthenticationHandler : IAuthenticationHandler
{
private readonly ClaimsPrincipal _principal;
private IAuthenticationHandler _priorHandler;
private HttpContext _httpContext;
public AuthenticationHandler(ClaimsPrincipal principal)
{
_principal = principal;
}
public Task InitializeAsync(HttpContext httpContext)
{
_httpContext = httpContext;
var authenticationFeature = GetAuthenticationFeature(_httpContext);
_priorHandler = authenticationFeature.Handler;
authenticationFeature.Handler = this;
return TaskCache.CompletedTask;
}
public Task TeardownAsync()
{
var authenticationFeature = GetAuthenticationFeature(_httpContext);
authenticationFeature.Handler = _priorHandler;
return TaskCache.CompletedTask;
}
public Task AuthenticateAsync(AuthenticateContext context)
{
if (_principal == null)
{
context.NotAuthenticated();
}
else
{
context.Authenticated(_principal, null, null);
}
return TaskCache.CompletedTask;
}
public Task ChallengeAsync(ChallengeContext context)
{
throw new NotImplementedException();
}
public void GetDescriptions(DescribeSchemesContext context)
{
throw new NotImplementedException();
}
public Task SignInAsync(SignInContext context)
{
throw new NotImplementedException();
}
public Task SignOutAsync(SignOutContext context)
{
throw new NotImplementedException();
}
}
private class CallAuthenticateMiddleware
{
private readonly RequestDelegate _next;
public CallAuthenticateMiddleware(RequestDelegate next)
{
_next = next;
}
public async Task Invoke(HttpContext httpContext)
{
var authenticationFeature = GetAuthenticationFeature(httpContext);
var authenticateContext = new AuthenticateContext("Test");
await httpContext.Authentication.AuthenticateAsync(authenticateContext);
if (authenticateContext.Accepted)
{
authenticationFeature.User = authenticateContext.Principal;
}
await _next(httpContext);
}
}
}
}


@ -1,291 +0,0 @@
// Copyright (c) .NET Foundation. All rights reserved.
// Licensed under the Apache License, Version 2.0. See License.txt in the project root for license information.
using System.Security.Claims;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Http;
using Microsoft.AspNetCore.Http.Features.Authentication;
using Moq;
using Xunit;
namespace Microsoft.AspNetCore.Antiforgery.Internal
{
public class AntiforgeryAuthenticationHandlerTest
{
[Fact]
public async Task IntializeAsync_NoOp_WhenAnonymous()
{
// Arrange
var antiforgery = new Mock<IAntiforgery>(MockBehavior.Strict);
var handler = new AntiforgeryAuthenticationHandler(antiforgery.Object);
antiforgery
.Setup(a => a.IsRequestValidAsync(It.IsAny<HttpContext>()))
.ReturnsAsync(false)
.Verifiable();
var httpContext = new DefaultHttpContext();
// Act
await handler.InitializeAsync(httpContext);
// Assert
antiforgery.Verify(a => a.IsRequestValidAsync(It.IsAny<HttpContext>()), Times.Never());
}
[Fact]
public async Task IntializeAsync_ValidatesRequest_WhenLoggedIn()
{
// Arrange
var antiforgery = new Mock<IAntiforgery>(MockBehavior.Strict);
var handler = new AntiforgeryAuthenticationHandler(antiforgery.Object);
antiforgery
.Setup(a => a.IsRequestValidAsync(It.IsAny<HttpContext>()))
.ReturnsAsync(true)
.Verifiable();
var httpContext = new DefaultHttpContext();
var authenticationFeature = new HttpAuthenticationFeature();
httpContext.Features.Set<IHttpAuthenticationFeature>(authenticationFeature);
authenticationFeature.User = new ClaimsPrincipal();
// Act
await handler.InitializeAsync(httpContext);
// Assert
antiforgery.Verify(a => a.IsRequestValidAsync(It.IsAny<HttpContext>()), Times.Once());
}
[Fact]
public async Task IntializeAsync_ClearsUser_WhenInvalid()
{
// Arrange
var antiforgery = new Mock<IAntiforgery>(MockBehavior.Strict);
var handler = new AntiforgeryAuthenticationHandler(antiforgery.Object);
antiforgery
.Setup(a => a.IsRequestValidAsync(It.IsAny<HttpContext>()))
.ReturnsAsync(false)
.Verifiable();
var httpContext = new DefaultHttpContext();
var authenticationFeature = new HttpAuthenticationFeature();
httpContext.Features.Set<IHttpAuthenticationFeature>(authenticationFeature);
authenticationFeature.User = new ClaimsPrincipal();
// Act
await handler.InitializeAsync(httpContext);
// Assert
Assert.Null(authenticationFeature.User);
antiforgery.Verify(a => a.IsRequestValidAsync(It.IsAny<HttpContext>()), Times.Once());
}
[Fact]
public async Task IntializeAsync_AttachesAuthorizationHandler()
{
// Arrange
var antiforgery = new Mock<IAntiforgery>(MockBehavior.Strict);
var handler = new AntiforgeryAuthenticationHandler(antiforgery.Object);
antiforgery
.Setup(a => a.IsRequestValidAsync(It.IsAny<HttpContext>()))
.ReturnsAsync(false)
.Verifiable();
var httpContext = new DefaultHttpContext();
var authenticationFeature = new HttpAuthenticationFeature();
httpContext.Features.Set<IHttpAuthenticationFeature>(authenticationFeature);
// Act
await handler.InitializeAsync(httpContext);
// Assert
Assert.Same(handler, authenticationFeature.Handler);
antiforgery.Verify(a => a.IsRequestValidAsync(It.IsAny<HttpContext>()), Times.Never());
}
[Fact]
public async Task AuthenticateAsync_NoPriorHandler_NoOp()
{
// Arrange
var antiforgery = new Mock<IAntiforgery>(MockBehavior.Strict);
var handler = new AntiforgeryAuthenticationHandler(antiforgery.Object);
antiforgery
.Setup(a => a.IsRequestValidAsync(It.IsAny<HttpContext>()))
.ReturnsAsync(false)
.Verifiable();
antiforgery
.Setup(a => a.ValidateRequestAsync(It.IsAny<HttpContext>(), It.IsAny<ClaimsPrincipal>()))
.Verifiable();
var httpContext = new DefaultHttpContext();
var authenticationFeature = new HttpAuthenticationFeature();
httpContext.Features.Set<IHttpAuthenticationFeature>(authenticationFeature);
await handler.InitializeAsync(httpContext);
var authenticateContext = new AuthenticateContext("Test");
// Act
await handler.AuthenticateAsync(authenticateContext);
// Assert
Assert.False(authenticateContext.Accepted);
antiforgery.Verify(a => a.IsRequestValidAsync(It.IsAny<HttpContext>()), Times.Never());
antiforgery.Verify(
a => a.ValidateRequestAsync(It.IsAny<HttpContext>(), It.IsAny<ClaimsPrincipal>()),
Times.Never());
}
[Fact]
public async Task AuthenticateAsync_PriorHandlerDoesNotAuthenticate_NoOp()
{
// Arrange
var antiforgery = new Mock<IAntiforgery>(MockBehavior.Strict);
var handler = new AntiforgeryAuthenticationHandler(antiforgery.Object);
antiforgery
.Setup(a => a.IsRequestValidAsync(It.IsAny<HttpContext>()))
.ReturnsAsync(false)
.Verifiable();
antiforgery
.Setup(a => a.ValidateRequestAsync(It.IsAny<HttpContext>(), It.IsAny<ClaimsPrincipal>()))
.Verifiable();
var httpContext = new DefaultHttpContext();
var authenticationFeature = new HttpAuthenticationFeature();
httpContext.Features.Set<IHttpAuthenticationFeature>(authenticationFeature);
var priorHandler = new Mock<IAuthenticationHandler>(MockBehavior.Strict);
authenticationFeature.Handler = priorHandler.Object;
priorHandler
.Setup(h => h.AuthenticateAsync(It.IsAny<AuthenticateContext>()))
.Returns(TaskCache.CompletedTask)
.Callback<AuthenticateContext>(c => c.NotAuthenticated());
await handler.InitializeAsync(httpContext);
var authenticateContext = new AuthenticateContext("Test");
// Act
await handler.AuthenticateAsync(authenticateContext);
// Assert
Assert.True(authenticateContext.Accepted);
Assert.Null(authenticateContext.Principal);
antiforgery.Verify(a => a.IsRequestValidAsync(It.IsAny<HttpContext>()), Times.Never());
antiforgery.Verify(
a => a.ValidateRequestAsync(It.IsAny<HttpContext>(), It.IsAny<ClaimsPrincipal>()),
Times.Never());
}
[Fact]
public async Task AuthenticateAsync_PriorHandlerSetsPrincipal_Valid()
{
// Arrange
var antiforgery = new Mock<IAntiforgery>(MockBehavior.Strict);
var handler = new AntiforgeryAuthenticationHandler(antiforgery.Object);
var principal = new ClaimsPrincipal();
antiforgery
.Setup(a => a.IsRequestValidAsync(It.IsAny<HttpContext>()))
.ReturnsAsync(false)
.Verifiable();
antiforgery
.Setup(a => a.ValidateRequestAsync(It.IsAny<HttpContext>(), principal))
.Returns(TaskCache.CompletedTask)
.Verifiable();
var httpContext = new DefaultHttpContext();
var authenticationFeature = new HttpAuthenticationFeature();
httpContext.Features.Set<IHttpAuthenticationFeature>(authenticationFeature);
var priorHandler = new Mock<IAuthenticationHandler>(MockBehavior.Strict);
authenticationFeature.Handler = priorHandler.Object;
priorHandler
.Setup(h => h.AuthenticateAsync(It.IsAny<AuthenticateContext>()))
.Returns(TaskCache.CompletedTask)
.Callback<AuthenticateContext>(c => c.Authenticated(principal, null, null));
await handler.InitializeAsync(httpContext);
var authenticateContext = new AuthenticateContext("Test");
// Act
await handler.AuthenticateAsync(authenticateContext);
// Assert
Assert.True(authenticateContext.Accepted);
Assert.Same(principal, authenticateContext.Principal);
antiforgery.Verify(a => a.IsRequestValidAsync(It.IsAny<HttpContext>()), Times.Never());
antiforgery.Verify(
a => a.ValidateRequestAsync(It.IsAny<HttpContext>(), principal),
Times.Once());
}
[Fact]
public async Task AuthenticateAsync_PriorHandlerSetsPrincipal_Invalid()
{
// Arrange
var antiforgery = new Mock<IAntiforgery>(MockBehavior.Strict);
var handler = new AntiforgeryAuthenticationHandler(antiforgery.Object);
var principal = new ClaimsPrincipal();
antiforgery
.Setup(a => a.IsRequestValidAsync(It.IsAny<HttpContext>()))
.ReturnsAsync(false)
.Verifiable();
antiforgery
.Setup(a => a.ValidateRequestAsync(It.IsAny<HttpContext>(), principal))
.Throws(new AntiforgeryValidationException("invalid"))
.Verifiable();
var httpContext = new DefaultHttpContext();
var authenticationFeature = new HttpAuthenticationFeature();
httpContext.Features.Set<IHttpAuthenticationFeature>(authenticationFeature);
var priorHandler = new Mock<IAuthenticationHandler>(MockBehavior.Strict);
authenticationFeature.Handler = priorHandler.Object;
priorHandler
.Setup(h => h.AuthenticateAsync(It.IsAny<AuthenticateContext>()))
.Returns(TaskCache.CompletedTask)
.Callback<AuthenticateContext>(c => c.Authenticated(principal, null, null));
await handler.InitializeAsync(httpContext);
var authenticateContext = new AuthenticateContext("Test");
// Act
await handler.AuthenticateAsync(authenticateContext);
// Assert
Assert.True(authenticateContext.Accepted);
Assert.Null(authenticateContext.Principal);
Assert.NotNull(authenticateContext.Error);
antiforgery.Verify(a => a.IsRequestValidAsync(It.IsAny<HttpContext>()), Times.Never());
antiforgery.Verify(
a => a.ValidateRequestAsync(It.IsAny<HttpContext>(), principal),
Times.Once());
}
}
}


@ -15,22 +15,6 @@ namespace Microsoft.AspNetCore.Antiforgery.Internal
{
public class DefaultAntiforgeryTest
{
public static TheoryData<string> SafeHttpMethods => new TheoryData<string>()
{
"GeT",
"HEAD",
"options",
"TrAcE",
};
public static TheoryData<string> UnsafeHttpMethods => new TheoryData<string>()
{
"PUT",
"post",
"Delete",
"Custom",
};
[Fact]
public async Task ChecksSSL_ValidateRequestAsync_Throws()
{
@ -51,26 +35,6 @@ namespace Microsoft.AspNetCore.Antiforgery.Internal
exception.Message);
}
[Fact]
public async Task ChecksSSL_ValidateRequestAsync_WithPrincipal_Throws()
{
// Arrange
var httpContext = GetHttpContext();
var options = new AntiforgeryOptions()
{
RequireSsl = true
};
var antiforgery = GetAntiforgery(httpContext, options);
// Act & Assert
var exception = await Assert.ThrowsAsync<InvalidOperationException>(
() => antiforgery.ValidateRequestAsync(httpContext, new ClaimsPrincipal()));
Assert.Equal(
@"The antiforgery system has the configuration value AntiforgeryOptions.RequireSsl = true, " +
"but the current request is not an SSL request.",
exception.Message);
}
[Fact]
public async Task ChecksSSL_IsRequestValidAsync_Throws()
{
@ -92,27 +56,6 @@ namespace Microsoft.AspNetCore.Antiforgery.Internal
exception.Message);
}
[Fact]
public async Task ChecksSSL_IsRequestValidAsync_WithPrincipal_Throws()
{
// Arrange
var httpContext = GetHttpContext();
var options = new AntiforgeryOptions()
{
RequireSsl = true
};
var antiforgery = GetAntiforgery(httpContext, options);
// Act & Assert
var exception = await Assert.ThrowsAsync<InvalidOperationException>(
() => antiforgery.IsRequestValidAsync(httpContext, new ClaimsPrincipal()));
Assert.Equal(
@"The antiforgery system has the configuration value AntiforgeryOptions.RequireSsl = true, " +
"but the current request is not an SSL request.",
exception.Message);
}
[Fact]
public void ChecksSSL_GetAndStoreTokens_Throws()
{
@ -467,7 +410,6 @@ namespace Microsoft.AspNetCore.Antiforgery.Internal
context.TokenGenerator
.Setup(o => o.TryValidateTokenSet(
context.HttpContext,
It.IsAny<ClaimsPrincipal>(),
context.TestTokenSet.OldCookieToken,
context.TestTokenSet.RequestToken,
out message))
@ -502,7 +444,6 @@ namespace Microsoft.AspNetCore.Antiforgery.Internal
context.TokenGenerator
.Setup(o => o.TryValidateTokenSet(
context.HttpContext,
It.IsAny<ClaimsPrincipal>(),
context.TestTokenSet.OldCookieToken,
context.TestTokenSet.RequestToken,
out message))
@ -543,7 +484,6 @@ namespace Microsoft.AspNetCore.Antiforgery.Internal
context.TokenGenerator
.Setup(o => o.TryValidateTokenSet(
context.HttpContext,
It.IsAny<ClaimsPrincipal>(),
antiforgeryFeature.CookieToken,
antiforgeryFeature.RequestToken,
out message))
@ -569,7 +509,10 @@ namespace Microsoft.AspNetCore.Antiforgery.Internal
}
[Theory]
[MemberData(nameof(SafeHttpMethods))]
[InlineData("GeT")]
[InlineData("HEAD")]
[InlineData("options")]
[InlineData("TrAcE")]
public async Task IsRequestValidAsync_SkipsAntiforgery_ForSafeHttpMethods(string httpMethod)
{
// Arrange
@ -580,7 +523,6 @@ namespace Microsoft.AspNetCore.Antiforgery.Internal
context.TokenGenerator
.Setup(o => o.TryValidateTokenSet(
context.HttpContext,
It.IsAny<ClaimsPrincipal>(),
It.IsAny<AntiforgeryToken>(),
It.IsAny<AntiforgeryToken>(),
out message))
@ -597,7 +539,6 @@ namespace Microsoft.AspNetCore.Antiforgery.Internal
context.TokenGenerator
.Verify(o => o.TryValidateTokenSet(
context.HttpContext,
It.IsAny<ClaimsPrincipal>(),
It.IsAny<AntiforgeryToken>(),
It.IsAny<AntiforgeryToken>(),
out message),
@ -605,7 +546,10 @@ namespace Microsoft.AspNetCore.Antiforgery.Internal
}
[Theory]
[MemberData(nameof(UnsafeHttpMethods))]
[InlineData("PUT")]
[InlineData("post")]
[InlineData("Delete")]
[InlineData("Custom")]
public async Task IsRequestValidAsync_ValidatesAntiforgery_ForNonSafeHttpMethods(string httpMethod)
{
// Arrange
@ -616,7 +560,6 @@ namespace Microsoft.AspNetCore.Antiforgery.Internal
context.TokenGenerator
.Setup(o => o.TryValidateTokenSet(
context.HttpContext,
It.IsAny<ClaimsPrincipal>(),
It.IsAny<AntiforgeryToken>(),
It.IsAny<AntiforgeryToken>(),
out message))
@ -633,68 +576,6 @@ namespace Microsoft.AspNetCore.Antiforgery.Internal
context.TokenGenerator.Verify();
}
[Fact]
public async Task IsRequestValidAsync_UsesPrincipalFromHttpContext()
{
// Arrange
var context = CreateMockContext(new AntiforgeryOptions());
context.HttpContext.Request.Method = "POST";
var principal = new ClaimsPrincipal();
context.HttpContext.User = principal;
string message;
context.TokenGenerator
.Setup(o => o.TryValidateTokenSet(
context.HttpContext,
principal,
It.IsAny<AntiforgeryToken>(),
It.IsAny<AntiforgeryToken>(),
out message))
.Returns(true)
.Verifiable();
var antiforgery = GetAntiforgery(context);
// Act
var result = await antiforgery.IsRequestValidAsync(context.HttpContext);
// Assert
Assert.True(result);
context.TokenGenerator.Verify();
}
[Fact]
public async Task IsRequestValidAsync_UsesPassedInPrincipal()
{
// Arrange
var context = CreateMockContext(new AntiforgeryOptions());
context.HttpContext.Request.Method = "POST";
var principal = new ClaimsPrincipal();
context.HttpContext.User = new ClaimsPrincipal(); // This should be ignored.
string message;
context.TokenGenerator
.Setup(o => o.TryValidateTokenSet(
context.HttpContext,
principal,
It.IsAny<AntiforgeryToken>(),
It.IsAny<AntiforgeryToken>(),
out message))
.Returns(true)
.Verifiable();
var antiforgery = GetAntiforgery(context);
// Act
var result = await antiforgery.IsRequestValidAsync(context.HttpContext, principal);
// Assert
Assert.True(result);
context.TokenGenerator.Verify();
}
[Fact]
public async Task ValidateRequestAsync_FromStore_Failure()
{
@ -706,7 +587,6 @@ namespace Microsoft.AspNetCore.Antiforgery.Internal
context.TokenGenerator
.Setup(o => o.TryValidateTokenSet(
context.HttpContext,
It.IsAny<ClaimsPrincipal>(),
context.TestTokenSet.OldCookieToken,
context.TestTokenSet.RequestToken,
out message))
@ -739,7 +619,6 @@ namespace Microsoft.AspNetCore.Antiforgery.Internal
context.TokenGenerator
.Setup(o => o.TryValidateTokenSet(
context.HttpContext,
It.IsAny<ClaimsPrincipal>(),
context.TestTokenSet.OldCookieToken,
context.TestTokenSet.RequestToken,
out message))
@ -881,7 +760,6 @@ namespace Microsoft.AspNetCore.Antiforgery.Internal
context.TokenGenerator
.Setup(o => o.TryValidateTokenSet(
context.HttpContext,
It.IsAny<ClaimsPrincipal>(),
antiforgeryFeature.CookieToken,
antiforgeryFeature.RequestToken,
out message))
@ -905,129 +783,6 @@ namespace Microsoft.AspNetCore.Antiforgery.Internal
Times.Never);
}
[Theory]
[MemberData(nameof(SafeHttpMethods))]
public async Task ValidateRequestAsync_SkipsAntiforgery_ForSafeHttpMethods(string httpMethod)
{
// Arrange
var context = CreateMockContext(new AntiforgeryOptions());
context.HttpContext.Request.Method = httpMethod;
string message;
context.TokenGenerator
.Setup(o => o.TryValidateTokenSet(
context.HttpContext,
It.IsAny<ClaimsPrincipal>(),
It.IsAny<AntiforgeryToken>(),
It.IsAny<AntiforgeryToken>(),
out message))
.Returns(false)
.Verifiable();
var antiforgery = GetAntiforgery(context);
// Act
await antiforgery.ValidateRequestAsync(context.HttpContext);
// Assert
context.TokenGenerator
.Verify(o => o.TryValidateTokenSet(
context.HttpContext,
It.IsAny<ClaimsPrincipal>(),
It.IsAny<AntiforgeryToken>(),
It.IsAny<AntiforgeryToken>(),
out message),
Times.Never);
}
[Theory]
[MemberData(nameof(UnsafeHttpMethods))]
public async Task ValidateRequestAsync_ValidatesAntiforgery_ForNonSafeHttpMethods(string httpMethod)
{
// Arrange
var context = CreateMockContext(new AntiforgeryOptions());
context.HttpContext.Request.Method = httpMethod;
string message;
context.TokenGenerator
.Setup(o => o.TryValidateTokenSet(
context.HttpContext,
It.IsAny<ClaimsPrincipal>(),
It.IsAny<AntiforgeryToken>(),
It.IsAny<AntiforgeryToken>(),
out message))
.Returns(true)
.Verifiable();
var antiforgery = GetAntiforgery(context);
// Act
await antiforgery.ValidateRequestAsync(context.HttpContext);
// Assert
context.TokenGenerator.Verify();
}
[Fact]
public async Task ValidateRequestAsync_UsesPrincipalFromHttpContext()
{
// Arrange
var context = CreateMockContext(new AntiforgeryOptions());
context.HttpContext.Request.Method = "POST";
var principal = new ClaimsPrincipal();
context.HttpContext.User = principal;
string message;
context.TokenGenerator
.Setup(o => o.TryValidateTokenSet(
context.HttpContext,
principal,
It.IsAny<AntiforgeryToken>(),
It.IsAny<AntiforgeryToken>(),
out message))
.Returns(true)
.Verifiable();
var antiforgery = GetAntiforgery(context);
// Act
await antiforgery.ValidateRequestAsync(context.HttpContext);
// Assert
context.TokenGenerator.Verify();
}
[Fact]
public async Task ValidateRequestAsync_UsesPassedInPrincipal()
{
// Arrange
var context = CreateMockContext(new AntiforgeryOptions());
context.HttpContext.Request.Method = "POST";
var principal = new ClaimsPrincipal();
context.HttpContext.User = new ClaimsPrincipal(); // This should be ignored.
string message;
context.TokenGenerator
.Setup(o => o.TryValidateTokenSet(
context.HttpContext,
principal,
It.IsAny<AntiforgeryToken>(),
It.IsAny<AntiforgeryToken>(),
out message))
.Returns(true)
.Verifiable();
var antiforgery = GetAntiforgery(context);
// Act
await antiforgery.ValidateRequestAsync(context.HttpContext, principal);
// Assert
context.TokenGenerator.Verify();
}
[Theory]
[InlineData(false, "SAMEORIGIN")]
[InlineData(true, null)]
@ -1267,7 +1022,6 @@ namespace Microsoft.AspNetCore.Antiforgery.Internal
mockGenerator
.Setup(o => o.GenerateRequestToken(
httpContext,
It.IsAny<ClaimsPrincipal>(),
useOldCookie ? testTokenSet.OldCookieToken : testTokenSet.NewCookieToken))
.Returns(testTokenSet.RequestToken);
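Review bot: After this revert, `ValidateRequestAsync` is left with no safe-versus-unsafe HTTP method theory in this file: the hunk at `@ -905,129 +783,6 @@` drops `ValidateRequestAsync_SkipsAntiforgery_ForSafeHttpMethods` and `ValidateRequestAsync_ValidatesAntiforgery_ForNonSafeHttpMethods` along with the principal-overload tests, while the `IsRequestValidAsync` counterparts at `@ -569,7 +509,10 @@` and `@ -605,7 +546,10 @@` survive as `[InlineData]` theories. Those two method tests only touched the reverted principal parameter through the `It.IsAny<ClaimsPrincipal>()` matcher, and `ValidateRequestAsync` is the throwing entry point, so the branch that skips validation for safe methods (and does not skip it for unsafe ones) is the one most worth pinning. I cannot tell from this section whether the file covers that path elsewhere; if it does not, a principal-free version of the safe-method theory using the four-argument `TryValidateTokenSet` setup seen in the surviving `IsRequestValidAsync` tests would keep that coverage, with a mirror-image `Times.Once`/`Returns(true)` theory for the unsafe methods.
```csharp
[Theory]
[InlineData("GeT")]
[InlineData("HEAD")]
[InlineData("options")]
[InlineData("TrAcE")]
public async Task ValidateRequestAsync_SkipsAntiforgery_ForSafeHttpMethods(string httpMethod)
{
    // Arrange
    var context = CreateMockContext(new AntiforgeryOptions());
    context.HttpContext.Request.Method = httpMethod;

    string message;
    context.TokenGenerator
        .Setup(o => o.TryValidateTokenSet(
            context.HttpContext,
            It.IsAny<AntiforgeryToken>(),
            It.IsAny<AntiforgeryToken>(),
            out message))
        .Returns(false)
        .Verifiable();

    var antiforgery = GetAntiforgery(context);

    // Act
    await antiforgery.ValidateRequestAsync(context.HttpContext);

    // Assert: a safe method must never reach token validation
    context.TokenGenerator
        .Verify(o => o.TryValidateTokenSet(
            context.HttpContext,
            It.IsAny<AntiforgeryToken>(),
            It.IsAny<AntiforgeryToken>(),
            out message),
            Times.Never);
}
// … unchanged: remaining DefaultAntiforgeryTest members …
```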


@ -34,7 +34,7 @@ namespace Microsoft.AspNetCore.Antiforgery.Internal
// Arrange
var cookieToken = new AntiforgeryToken() { IsCookieToken = false };
var httpContext = new DefaultHttpContext();
var principal = new ClaimsPrincipal(new ClaimsIdentity());
httpContext.User = new ClaimsPrincipal(new ClaimsIdentity());
Assert.False(httpContext.User.Identity.IsAuthenticated);
var tokenProvider = new DefaultAntiforgeryTokenGenerator(
@ -43,7 +43,7 @@ namespace Microsoft.AspNetCore.Antiforgery.Internal
// Act & Assert
ExceptionAssert.ThrowsArgument(
() => tokenProvider.GenerateRequestToken(httpContext, principal, cookieToken),
() => tokenProvider.GenerateRequestToken(httpContext, cookieToken),
"cookieToken",
"The antiforgery cookie token is invalid.");
}
@ -54,7 +54,7 @@ namespace Microsoft.AspNetCore.Antiforgery.Internal
// Arrange
var cookieToken = new AntiforgeryToken() { IsCookieToken = true };
var httpContext = new DefaultHttpContext();
var principal = new ClaimsPrincipal(new ClaimsIdentity());
httpContext.User = new ClaimsPrincipal(new ClaimsIdentity());
Assert.False(httpContext.User.Identity.IsAuthenticated);
var tokenProvider = new DefaultAntiforgeryTokenGenerator(
@ -62,7 +62,7 @@ namespace Microsoft.AspNetCore.Antiforgery.Internal
additionalDataProvider: null);
// Act
var fieldToken = tokenProvider.GenerateRequestToken(httpContext, principal, cookieToken);
var fieldToken = tokenProvider.GenerateRequestToken(httpContext, cookieToken);
// Assert
Assert.NotNull(fieldToken);
@ -83,7 +83,7 @@ namespace Microsoft.AspNetCore.Antiforgery.Internal
};
var httpContext = new DefaultHttpContext();
var principal = new ClaimsPrincipal(new MyAuthenticatedIdentityWithoutUsername());
httpContext.User = new ClaimsPrincipal(new MyAuthenticatedIdentityWithoutUsername());
var options = new AntiforgeryOptions();
var claimUidExtractor = new Mock<IClaimUidExtractor>().Object;
@ -94,7 +94,7 @@ namespace Microsoft.AspNetCore.Antiforgery.Internal
// Act & assert
var exception = Assert.Throws<InvalidOperationException>(
() => tokenProvider.GenerateRequestToken(httpContext, principal, cookieToken));
() => tokenProvider.GenerateRequestToken(httpContext, cookieToken));
Assert.Equal(
"The provided identity of type " +
$"'{typeof(MyAuthenticatedIdentityWithoutUsername).FullName}' " +
@ -114,7 +114,7 @@ namespace Microsoft.AspNetCore.Antiforgery.Internal
var cookieToken = new AntiforgeryToken() { IsCookieToken = true };
var httpContext = new DefaultHttpContext();
var principal = new ClaimsPrincipal(new MyAuthenticatedIdentityWithoutUsername());
httpContext.User = new ClaimsPrincipal(new MyAuthenticatedIdentityWithoutUsername());
var mockAdditionalDataProvider = new Mock<IAntiforgeryAdditionalDataProvider>();
mockAdditionalDataProvider.Setup(o => o.GetAdditionalData(httpContext))
@ -127,7 +127,7 @@ namespace Microsoft.AspNetCore.Antiforgery.Internal
additionalDataProvider: mockAdditionalDataProvider.Object);
// Act
var fieldToken = tokenProvider.GenerateRequestToken(httpContext, principal, cookieToken);
var fieldToken = tokenProvider.GenerateRequestToken(httpContext, cookieToken);
// Assert
Assert.NotNull(fieldToken);
@ -146,7 +146,7 @@ namespace Microsoft.AspNetCore.Antiforgery.Internal
var identity = GetAuthenticatedIdentity("some-identity");
var httpContext = new DefaultHttpContext();
var principal = new ClaimsPrincipal(identity);
httpContext.User = new ClaimsPrincipal(identity);
byte[] data = new byte[256 / 8];
using (var rng = RandomNumberGenerator.Create())
@ -165,7 +165,7 @@ namespace Microsoft.AspNetCore.Antiforgery.Internal
additionalDataProvider: null);
// Act
var fieldToken = tokenProvider.GenerateRequestToken(httpContext, principal, cookieToken);
var fieldToken = tokenProvider.GenerateRequestToken(httpContext, cookieToken);
// Assert
Assert.NotNull(fieldToken);
@ -189,7 +189,7 @@ namespace Microsoft.AspNetCore.Antiforgery.Internal
mockIdentity.Setup(o => o.Name)
.Returns("my-username");
var principal = new ClaimsPrincipal(mockIdentity.Object);
httpContext.User = new ClaimsPrincipal(mockIdentity.Object);
var claimUidExtractor = new Mock<IClaimUidExtractor>().Object;
@ -198,7 +198,7 @@ namespace Microsoft.AspNetCore.Antiforgery.Internal
additionalDataProvider: null);
// Act
var fieldToken = tokenProvider.GenerateRequestToken(httpContext, principal, cookieToken);
var fieldToken = tokenProvider.GenerateRequestToken(httpContext, cookieToken);
// Assert
Assert.NotNull(fieldToken);
@ -271,7 +271,7 @@ namespace Microsoft.AspNetCore.Antiforgery.Internal
{
// Arrange
var httpContext = new DefaultHttpContext();
var principal = new ClaimsPrincipal(new ClaimsIdentity());
httpContext.User = new ClaimsPrincipal(new ClaimsIdentity());
var fieldtoken = new AntiforgeryToken() { IsCookieToken = false };
@ -282,7 +282,7 @@ namespace Microsoft.AspNetCore.Antiforgery.Internal
// Act & Assert
string message;
var ex = Assert.Throws<ArgumentNullException>(
() => tokenProvider.TryValidateTokenSet(httpContext, principal, null, fieldtoken, out message));
() => tokenProvider.TryValidateTokenSet(httpContext, null, fieldtoken, out message));
var trimmed = ex.Message.Substring(0, ex.Message.IndexOf(Environment.NewLine));
Assert.Equal(@"The required antiforgery cookie token must be provided.", trimmed);
@ -293,7 +293,7 @@ namespace Microsoft.AspNetCore.Antiforgery.Internal
{
// Arrange
var httpContext = new DefaultHttpContext();
var principal = new ClaimsPrincipal(new ClaimsIdentity());
httpContext.User = new ClaimsPrincipal(new ClaimsIdentity());
var cookieToken = new AntiforgeryToken() { IsCookieToken = true };
@ -305,7 +305,7 @@ namespace Microsoft.AspNetCore.Antiforgery.Internal
// Act & Assert
string message;
var ex = Assert.Throws<ArgumentNullException>(
() => tokenProvider.TryValidateTokenSet(httpContext, principal, cookieToken, null, out message));
() => tokenProvider.TryValidateTokenSet(httpContext, cookieToken, null, out message));
var trimmed = ex.Message.Substring(0, ex.Message.IndexOf(Environment.NewLine));
Assert.Equal("The required antiforgery request token must be provided.", trimmed);
@ -316,7 +316,7 @@ namespace Microsoft.AspNetCore.Antiforgery.Internal
{
// Arrange
var httpContext = new DefaultHttpContext();
var principal = new ClaimsPrincipal(new ClaimsIdentity());
httpContext.User = new ClaimsPrincipal(new ClaimsIdentity());
var cookieToken = new AntiforgeryToken() { IsCookieToken = true };
var fieldtoken = new AntiforgeryToken() { IsCookieToken = false };
@ -331,7 +331,7 @@ namespace Microsoft.AspNetCore.Antiforgery.Internal
// Act
string message;
var result = tokenProvider.TryValidateTokenSet(httpContext, principal, fieldtoken, fieldtoken, out message);
var result = tokenProvider.TryValidateTokenSet(httpContext, fieldtoken, fieldtoken, out message);
// Assert
Assert.False(result);
@ -343,7 +343,7 @@ namespace Microsoft.AspNetCore.Antiforgery.Internal
{
// Arrange
var httpContext = new DefaultHttpContext();
var principal = new ClaimsPrincipal(new ClaimsIdentity());
httpContext.User = new ClaimsPrincipal(new ClaimsIdentity());
var cookieToken = new AntiforgeryToken() { IsCookieToken = true };
var fieldtoken = new AntiforgeryToken() { IsCookieToken = false };
@ -358,7 +358,7 @@ namespace Microsoft.AspNetCore.Antiforgery.Internal
// Act
string message;
var result = tokenProvider.TryValidateTokenSet(httpContext, principal, cookieToken, cookieToken, out message);
var result = tokenProvider.TryValidateTokenSet(httpContext, cookieToken, cookieToken, out message);
// Assert
Assert.False(result);
@ -370,7 +370,7 @@ namespace Microsoft.AspNetCore.Antiforgery.Internal
{
// Arrange
var httpContext = new DefaultHttpContext();
var principal = new ClaimsPrincipal(new ClaimsIdentity());
httpContext.User = new ClaimsPrincipal(new ClaimsIdentity());
var cookieToken = new AntiforgeryToken() { IsCookieToken = true };
var fieldtoken = new AntiforgeryToken() { IsCookieToken = false };
@ -383,7 +383,7 @@ namespace Microsoft.AspNetCore.Antiforgery.Internal
// Act
string message;
var result = tokenProvider.TryValidateTokenSet(httpContext, principal, cookieToken, fieldtoken, out message);
var result = tokenProvider.TryValidateTokenSet(httpContext, cookieToken, fieldtoken, out message);
// Assert
Assert.False(result);
@ -399,7 +399,7 @@ namespace Microsoft.AspNetCore.Antiforgery.Internal
// Arrange
var httpContext = new DefaultHttpContext();
var identity = GetAuthenticatedIdentity(identityUsername);
var principal = new ClaimsPrincipal(identity);
httpContext.User = new ClaimsPrincipal(identity);
var cookieToken = new AntiforgeryToken() { IsCookieToken = true };
var fieldtoken = new AntiforgeryToken()
@ -423,7 +423,7 @@ namespace Microsoft.AspNetCore.Antiforgery.Internal
// Act
string message;
var result = tokenProvider.TryValidateTokenSet(httpContext, principal, cookieToken, fieldtoken, out message);
var result = tokenProvider.TryValidateTokenSet(httpContext, cookieToken, fieldtoken, out message);
// Assert
Assert.False(result);
@ -436,7 +436,7 @@ namespace Microsoft.AspNetCore.Antiforgery.Internal
// Arrange
var httpContext = new DefaultHttpContext();
var identity = GetAuthenticatedIdentity("the-user");
var principal = new ClaimsPrincipal(identity);
httpContext.User = new ClaimsPrincipal(identity);
var cookieToken = new AntiforgeryToken() { IsCookieToken = true };
var fieldtoken = new AntiforgeryToken()
@ -461,7 +461,7 @@ namespace Microsoft.AspNetCore.Antiforgery.Internal
// Act
string message;
var result = tokenProvider.TryValidateTokenSet(httpContext, principal, cookieToken, fieldtoken, out message);
var result = tokenProvider.TryValidateTokenSet(httpContext, cookieToken, fieldtoken, out message);
// Assert
Assert.False(result);
@ -474,7 +474,7 @@ namespace Microsoft.AspNetCore.Antiforgery.Internal
// Arrange
var httpContext = new DefaultHttpContext();
var identity = new ClaimsIdentity();
var principal = new ClaimsPrincipal(identity);
httpContext.User = new ClaimsPrincipal(identity);
var cookieToken = new AntiforgeryToken() { IsCookieToken = true };
var fieldtoken = new AntiforgeryToken()
@ -498,7 +498,7 @@ namespace Microsoft.AspNetCore.Antiforgery.Internal
// Act
string message;
var result = tokenProvider.TryValidateTokenSet(httpContext, principal, cookieToken, fieldtoken, out message);
var result = tokenProvider.TryValidateTokenSet(httpContext, cookieToken, fieldtoken, out message);
// Assert
Assert.False(result);
@ -511,7 +511,7 @@ namespace Microsoft.AspNetCore.Antiforgery.Internal
// Arrange
var httpContext = new DefaultHttpContext();
var identity = new ClaimsIdentity();
var principal = new ClaimsPrincipal(identity);
httpContext.User = new ClaimsPrincipal(identity);
var cookieToken = new AntiforgeryToken() { IsCookieToken = true };
var fieldtoken = new AntiforgeryToken()
@ -532,7 +532,7 @@ namespace Microsoft.AspNetCore.Antiforgery.Internal
// Act
string message;
var result = tokenProvider.TryValidateTokenSet(httpContext, principal, cookieToken, fieldtoken, out message);
var result = tokenProvider.TryValidateTokenSet(httpContext, cookieToken, fieldtoken, out message);
// Assert
Assert.True(result);
@ -545,7 +545,7 @@ namespace Microsoft.AspNetCore.Antiforgery.Internal
// Arrange
var httpContext = new DefaultHttpContext();
var identity = GetAuthenticatedIdentity("the-user");
var principal = new ClaimsPrincipal(identity);
httpContext.User = new ClaimsPrincipal(identity);
var cookieToken = new AntiforgeryToken() { IsCookieToken = true };
var fieldtoken = new AntiforgeryToken()
@ -566,7 +566,7 @@ namespace Microsoft.AspNetCore.Antiforgery.Internal
// Act
string message;
var result = tokenProvider.TryValidateTokenSet(httpContext, principal, cookieToken, fieldtoken, out message);
var result = tokenProvider.TryValidateTokenSet(httpContext, cookieToken, fieldtoken, out message);
// Assert
Assert.True(result);
@ -579,7 +579,7 @@ namespace Microsoft.AspNetCore.Antiforgery.Internal
// Arrange
var httpContext = new DefaultHttpContext();
var identity = GetAuthenticatedIdentity("the-user");
var principal = new ClaimsPrincipal(identity);
httpContext.User = new ClaimsPrincipal(identity);
var cookieToken = new AntiforgeryToken() { IsCookieToken = true };
var fieldtoken = new AntiforgeryToken()
@ -599,7 +599,7 @@ namespace Microsoft.AspNetCore.Antiforgery.Internal
// Act
string message;
var result = tokenProvider.TryValidateTokenSet(httpContext, principal, cookieToken, fieldtoken, out message);
var result = tokenProvider.TryValidateTokenSet(httpContext, cookieToken, fieldtoken, out message);
// Assert
Assert.True(result);