AntiForgery: Add documentation and update variable names for readability
This commit is contained in:
parent
68026add28
commit
3c9456e2a3
|
|
@ -38,7 +38,7 @@ namespace Microsoft.AspNet.Mvc
|
||||||
|
|
||||||
var serializer = new AntiForgeryTokenSerializer(dataProtectionProvider.CreateProtector(_purpose));
|
var serializer = new AntiForgeryTokenSerializer(dataProtectionProvider.CreateProtector(_purpose));
|
||||||
var tokenStore = new AntiForgeryTokenStore(config, serializer);
|
var tokenStore = new AntiForgeryTokenStore(config, serializer);
|
||||||
var tokenProvider = new TokenProvider(config, claimUidExtractor, additionalDataProvider);
|
var tokenProvider = new AntiForgeryTokenProvider(config, claimUidExtractor, additionalDataProvider);
|
||||||
_worker = new AntiForgeryWorker(serializer, config, tokenStore, tokenProvider, tokenProvider, htmlEncoder);
|
_worker = new AntiForgeryWorker(serializer, config, tokenStore, tokenProvider, tokenProvider, htmlEncoder);
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
@ -105,6 +105,12 @@ namespace Microsoft.AspNet.Mvc
|
||||||
_worker.Validate(context, cookieToken, formToken);
|
_worker.Validate(context, cookieToken, formToken);
|
||||||
}
|
}
|
||||||
|
|
||||||
|
/// <summary>
|
||||||
|
/// Validates an anti-forgery token pair that was generated by the GetTokens method.
|
||||||
|
/// </summary>
|
||||||
|
/// <param name="context">The HTTP context associated with the current call.</param>
|
||||||
|
/// <param name="antiForgeryTokenSet">The anti-forgery token pair (cookie and form token) for this request.
|
||||||
|
/// </param>
|
||||||
public void Validate([NotNull] HttpContext context, AntiForgeryTokenSet antiForgeryTokenSet)
|
public void Validate([NotNull] HttpContext context, AntiForgeryTokenSet antiForgeryTokenSet)
|
||||||
{
|
{
|
||||||
Validate(context, antiForgeryTokenSet.CookieToken, antiForgeryTokenSet.FormToken);
|
Validate(context, antiForgeryTokenSet.CookieToken, antiForgeryTokenSet.FormToken);
|
||||||
|
|
|
||||||
|
|
@ -9,13 +9,13 @@ using Microsoft.AspNet.Mvc.Core;
|
||||||
|
|
||||||
namespace Microsoft.AspNet.Mvc
|
namespace Microsoft.AspNet.Mvc
|
||||||
{
|
{
|
||||||
internal sealed class TokenProvider : ITokenValidator, ITokenGenerator
|
internal sealed class AntiForgeryTokenProvider : IAntiForgeryTokenValidator, IAntiForgeryTokenGenerator
|
||||||
{
|
{
|
||||||
private readonly IClaimUidExtractor _claimUidExtractor;
|
private readonly IClaimUidExtractor _claimUidExtractor;
|
||||||
private readonly AntiForgeryOptions _config;
|
private readonly AntiForgeryOptions _config;
|
||||||
private readonly IAntiForgeryAdditionalDataProvider _additionalDataProvider;
|
private readonly IAntiForgeryAdditionalDataProvider _additionalDataProvider;
|
||||||
|
|
||||||
internal TokenProvider(AntiForgeryOptions config,
|
internal AntiForgeryTokenProvider(AntiForgeryOptions config,
|
||||||
IClaimUidExtractor claimUidExtractor,
|
IClaimUidExtractor claimUidExtractor,
|
||||||
IAntiForgeryAdditionalDataProvider additionalDataProvider)
|
IAntiForgeryAdditionalDataProvider additionalDataProvider)
|
||||||
{
|
{
|
||||||
|
|
@ -6,8 +6,16 @@ using Microsoft.AspNet.Mvc.Core;
|
||||||
|
|
||||||
namespace Microsoft.AspNet.Mvc
|
namespace Microsoft.AspNet.Mvc
|
||||||
{
|
{
|
||||||
|
/// <summary>
|
||||||
|
/// The anti-forgery token pair (cookie and form token) for a request.
|
||||||
|
/// </summary>
|
||||||
public class AntiForgeryTokenSet
|
public class AntiForgeryTokenSet
|
||||||
{
|
{
|
||||||
|
/// <summary>
|
||||||
|
/// Creates the anti-forgery token pair (cookie and form token) for a request.
|
||||||
|
/// </summary>
|
||||||
|
/// <param name="formToken">The token that is supplied in the request form body.</param>
|
||||||
|
/// <param name="cookieToken">The token that is supplied in the request cookie.</param>
|
||||||
public AntiForgeryTokenSet(string formToken, string cookieToken)
|
public AntiForgeryTokenSet(string formToken, string cookieToken)
|
||||||
{
|
{
|
||||||
if (string.IsNullOrEmpty(formToken))
|
if (string.IsNullOrEmpty(formToken))
|
||||||
|
|
@ -22,11 +30,14 @@ namespace Microsoft.AspNet.Mvc
|
||||||
CookieToken = cookieToken;
|
CookieToken = cookieToken;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
/// <summary>
|
||||||
|
/// The token that is supplied in the request form body.
|
||||||
|
/// </summary>
|
||||||
public string FormToken { get; private set; }
|
public string FormToken { get; private set; }
|
||||||
|
|
||||||
// The cookie token is allowed to be null.
|
/// The cookie token is allowed to be null.
|
||||||
// This would be the case when the old cookie token is still valid.
|
/// This would be the case when the old cookie token is still valid.
|
||||||
// In such cases a call to GetTokens would return a token set with null cookie token.
|
/// In such cases a call to GetTokens would return a token set with null cookie token.
|
||||||
public string CookieToken { get; private set; }
|
public string CookieToken { get; private set; }
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
@ -10,7 +10,7 @@ using Microsoft.Framework.Internal;
|
||||||
namespace Microsoft.AspNet.Mvc
|
namespace Microsoft.AspNet.Mvc
|
||||||
{
|
{
|
||||||
// Saves anti-XSRF tokens split between HttpRequest.Cookies and HttpRequest.Form
|
// Saves anti-XSRF tokens split between HttpRequest.Cookies and HttpRequest.Form
|
||||||
internal sealed class AntiForgeryTokenStore : ITokenStore
|
internal sealed class AntiForgeryTokenStore : IAntiForgeryTokenStore
|
||||||
{
|
{
|
||||||
private readonly AntiForgeryOptions _config;
|
private readonly AntiForgeryOptions _config;
|
||||||
private readonly IAntiForgeryTokenSerializer _serializer;
|
private readonly IAntiForgeryTokenSerializer _serializer;
|
||||||
|
|
|
||||||
|
|
@ -17,16 +17,16 @@ namespace Microsoft.AspNet.Mvc
|
||||||
{
|
{
|
||||||
private readonly AntiForgeryOptions _config;
|
private readonly AntiForgeryOptions _config;
|
||||||
private readonly IAntiForgeryTokenSerializer _serializer;
|
private readonly IAntiForgeryTokenSerializer _serializer;
|
||||||
private readonly ITokenStore _tokenStore;
|
private readonly IAntiForgeryTokenStore _tokenStore;
|
||||||
private readonly ITokenValidator _validator;
|
private readonly IAntiForgeryTokenValidator _validator;
|
||||||
private readonly ITokenGenerator _generator;
|
private readonly IAntiForgeryTokenGenerator _generator;
|
||||||
private readonly IHtmlEncoder _htmlEncoder;
|
private readonly IHtmlEncoder _htmlEncoder;
|
||||||
|
|
||||||
internal AntiForgeryWorker([NotNull] IAntiForgeryTokenSerializer serializer,
|
internal AntiForgeryWorker([NotNull] IAntiForgeryTokenSerializer serializer,
|
||||||
[NotNull] AntiForgeryOptions config,
|
[NotNull] AntiForgeryOptions config,
|
||||||
[NotNull] ITokenStore tokenStore,
|
[NotNull] IAntiForgeryTokenStore tokenStore,
|
||||||
[NotNull] ITokenGenerator generator,
|
[NotNull] IAntiForgeryTokenGenerator generator,
|
||||||
[NotNull] ITokenValidator validator,
|
[NotNull] IAntiForgeryTokenValidator validator,
|
||||||
[NotNull] IHtmlEncoder htmlEncoder)
|
[NotNull] IHtmlEncoder htmlEncoder)
|
||||||
{
|
{
|
||||||
_serializer = serializer;
|
_serializer = serializer;
|
||||||
|
|
@ -52,7 +52,7 @@ namespace Microsoft.AspNet.Mvc
|
||||||
: null;
|
: null;
|
||||||
}
|
}
|
||||||
|
|
||||||
private AntiForgeryToken DeserializeTokenNoThrow(string serializedToken)
|
private AntiForgeryToken DeserializeTokenDoesNotThrow(string serializedToken)
|
||||||
{
|
{
|
||||||
try
|
try
|
||||||
{
|
{
|
||||||
|
|
@ -81,7 +81,7 @@ namespace Microsoft.AspNet.Mvc
|
||||||
return null;
|
return null;
|
||||||
}
|
}
|
||||||
|
|
||||||
private AntiForgeryToken GetCookieTokenNoThrow(HttpContext httpContext)
|
private AntiForgeryToken GetCookieTokenDoesNotThrow(HttpContext httpContext)
|
||||||
{
|
{
|
||||||
try
|
try
|
||||||
{
|
{
|
||||||
|
|
@ -103,12 +103,12 @@ namespace Microsoft.AspNet.Mvc
|
||||||
{
|
{
|
||||||
CheckSSLConfig(httpContext);
|
CheckSSLConfig(httpContext);
|
||||||
|
|
||||||
var oldCookieToken = GetCookieTokenNoThrow(httpContext);
|
var cookieToken = GetCookieTokenDoesNotThrow(httpContext);
|
||||||
var tokenSet = GetTokens(httpContext, oldCookieToken);
|
var tokenSet = GetTokens(httpContext, cookieToken);
|
||||||
var newCookieToken = tokenSet.CookieToken;
|
cookieToken = tokenSet.CookieToken;
|
||||||
var formToken = tokenSet.FormToken;
|
var formToken = tokenSet.FormToken;
|
||||||
|
|
||||||
SaveCookieTokenAndHeader(httpContext, newCookieToken);
|
SaveCookieTokenAndHeader(httpContext, cookieToken);
|
||||||
|
|
||||||
// <input type="hidden" name="__AntiForgeryToken" value="..." />
|
// <input type="hidden" name="__AntiForgeryToken" value="..." />
|
||||||
var inputTag = new TagBuilder("input", _htmlEncoder)
|
var inputTag = new TagBuilder("input", _htmlEncoder)
|
||||||
|
|
@ -129,28 +129,28 @@ namespace Microsoft.AspNet.Mvc
|
||||||
// 'new cookie value' out param is non-null, the caller *must* persist
|
// 'new cookie value' out param is non-null, the caller *must* persist
|
||||||
// the new value to cookie storage since the original value was null or
|
// the new value to cookie storage since the original value was null or
|
||||||
// invalid. This method is side-effect free.
|
// invalid. This method is side-effect free.
|
||||||
public AntiForgeryTokenSet GetTokens([NotNull] HttpContext httpContext, string serializedOldCookieToken)
|
public AntiForgeryTokenSet GetTokens([NotNull] HttpContext httpContext, string cookieToken)
|
||||||
{
|
{
|
||||||
CheckSSLConfig(httpContext);
|
CheckSSLConfig(httpContext);
|
||||||
var oldCookieToken = DeserializeTokenNoThrow(serializedOldCookieToken);
|
var deSerializedcookieToken = DeserializeTokenDoesNotThrow(cookieToken);
|
||||||
var tokenSet = GetTokens(httpContext, oldCookieToken);
|
var tokenSet = GetTokens(httpContext, deSerializedcookieToken);
|
||||||
|
|
||||||
var serializedNewCookieToken = Serialize(tokenSet.CookieToken);
|
var serializedCookieToken = Serialize(tokenSet.CookieToken);
|
||||||
var serializedFormToken = Serialize(tokenSet.FormToken);
|
var serializedFormToken = Serialize(tokenSet.FormToken);
|
||||||
return new AntiForgeryTokenSet(serializedFormToken, serializedNewCookieToken);
|
return new AntiForgeryTokenSet(serializedFormToken, serializedCookieToken);
|
||||||
}
|
}
|
||||||
|
|
||||||
private AntiForgeryTokenSetInternal GetTokens(HttpContext httpContext, AntiForgeryToken oldCookieToken)
|
private AntiForgeryTokenSetInternal GetTokens(HttpContext httpContext, AntiForgeryToken cookieToken)
|
||||||
{
|
{
|
||||||
var newCookieToken = ValidateAndGenerateNewToken(oldCookieToken);
|
var newCookieToken = ValidateAndGenerateNewCookieToken(cookieToken);
|
||||||
if (newCookieToken != null)
|
if (newCookieToken != null)
|
||||||
{
|
{
|
||||||
oldCookieToken = newCookieToken;
|
cookieToken = newCookieToken;
|
||||||
}
|
}
|
||||||
var formToken = _generator.GenerateFormToken(
|
var formToken = _generator.GenerateFormToken(
|
||||||
httpContext,
|
httpContext,
|
||||||
ExtractIdentity(httpContext),
|
ExtractIdentity(httpContext),
|
||||||
oldCookieToken);
|
cookieToken);
|
||||||
|
|
||||||
return new AntiForgeryTokenSetInternal()
|
return new AntiForgeryTokenSetInternal()
|
||||||
{
|
{
|
||||||
|
|
@ -208,16 +208,16 @@ namespace Microsoft.AspNet.Mvc
|
||||||
{
|
{
|
||||||
CheckSSLConfig(httpContext);
|
CheckSSLConfig(httpContext);
|
||||||
|
|
||||||
var oldCookieToken = GetCookieTokenNoThrow(httpContext);
|
var cookieToken = GetCookieTokenDoesNotThrow(httpContext);
|
||||||
var newCookieToken = ValidateAndGenerateNewToken(oldCookieToken);
|
cookieToken = ValidateAndGenerateNewCookieToken(cookieToken);
|
||||||
|
|
||||||
SaveCookieTokenAndHeader(httpContext, newCookieToken);
|
SaveCookieTokenAndHeader(httpContext, cookieToken);
|
||||||
}
|
}
|
||||||
|
|
||||||
// This method returns null if oldCookieToken is valid.
|
// This method returns null if oldCookieToken is valid.
|
||||||
private AntiForgeryToken ValidateAndGenerateNewToken(AntiForgeryToken oldCookieToken)
|
private AntiForgeryToken ValidateAndGenerateNewCookieToken(AntiForgeryToken cookieToken)
|
||||||
{
|
{
|
||||||
if (!_validator.IsCookieTokenValid(oldCookieToken))
|
if (!_validator.IsCookieTokenValid(cookieToken))
|
||||||
{
|
{
|
||||||
// Need to make sure we're always operating with a good cookie token.
|
// Need to make sure we're always operating with a good cookie token.
|
||||||
var newCookieToken = _generator.GenerateCookieToken();
|
var newCookieToken = _generator.GenerateCookieToken();
|
||||||
|
|
@ -230,12 +230,12 @@ namespace Microsoft.AspNet.Mvc
|
||||||
|
|
||||||
private void SaveCookieTokenAndHeader(
|
private void SaveCookieTokenAndHeader(
|
||||||
[NotNull] HttpContext httpContext,
|
[NotNull] HttpContext httpContext,
|
||||||
AntiForgeryToken newCookieToken)
|
AntiForgeryToken cookieToken)
|
||||||
{
|
{
|
||||||
if (newCookieToken != null)
|
if (cookieToken != null)
|
||||||
{
|
{
|
||||||
// Persist the new cookie if it is not null.
|
// Persist the new cookie if it is not null.
|
||||||
_tokenStore.SaveCookieToken(httpContext, newCookieToken);
|
_tokenStore.SaveCookieToken(httpContext, cookieToken);
|
||||||
}
|
}
|
||||||
|
|
||||||
if (!_config.SuppressXFrameOptionsHeader)
|
if (!_config.SuppressXFrameOptionsHeader)
|
||||||
|
|
|
||||||
|
|
@ -5,13 +5,18 @@ using Microsoft.AspNet.Http;
|
||||||
|
|
||||||
namespace Microsoft.AspNet.Mvc
|
namespace Microsoft.AspNet.Mvc
|
||||||
{
|
{
|
||||||
|
/// <summary>
|
||||||
|
/// A default <see cref="IAntiForgeryAdditionalDataProvider"/> implementation.
|
||||||
|
/// </summary>
|
||||||
public class DefaultAntiForgeryAdditionalDataProvider : IAntiForgeryAdditionalDataProvider
|
public class DefaultAntiForgeryAdditionalDataProvider : IAntiForgeryAdditionalDataProvider
|
||||||
{
|
{
|
||||||
|
/// <inheritdoc />
|
||||||
public virtual string GetAdditionalData(HttpContext context)
|
public virtual string GetAdditionalData(HttpContext context)
|
||||||
{
|
{
|
||||||
return string.Empty;
|
return string.Empty;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
/// <inheritdoc />
|
||||||
public virtual bool ValidateAdditionalData(HttpContext context, string additionalData)
|
public virtual bool ValidateAdditionalData(HttpContext context, string additionalData)
|
||||||
{
|
{
|
||||||
// Default implementation does not understand anything but empty data.
|
// Default implementation does not understand anything but empty data.
|
||||||
|
|
|
||||||
|
|
@ -10,9 +10,12 @@ using System.Security.Cryptography;
|
||||||
|
|
||||||
namespace Microsoft.AspNet.Mvc
|
namespace Microsoft.AspNet.Mvc
|
||||||
{
|
{
|
||||||
// Can extract unique identifers for a claims-based identity
|
/// <summary>
|
||||||
|
/// Default implementation of <see cref="IClaimUidExtractor"/>.
|
||||||
|
/// </summary>
|
||||||
public class DefaultClaimUidExtractor : IClaimUidExtractor
|
public class DefaultClaimUidExtractor : IClaimUidExtractor
|
||||||
{
|
{
|
||||||
|
/// <inheritdoc />
|
||||||
public string ExtractClaimUid(ClaimsIdentity claimsIdentity)
|
public string ExtractClaimUid(ClaimsIdentity claimsIdentity)
|
||||||
{
|
{
|
||||||
if (claimsIdentity == null || !claimsIdentity.IsAuthenticated)
|
if (claimsIdentity == null || !claimsIdentity.IsAuthenticated)
|
||||||
|
|
|
||||||
|
|
@ -7,7 +7,7 @@ using Microsoft.AspNet.Http;
|
||||||
namespace Microsoft.AspNet.Mvc
|
namespace Microsoft.AspNet.Mvc
|
||||||
{
|
{
|
||||||
// Provides configuration information about the anti-forgery system.
|
// Provides configuration information about the anti-forgery system.
|
||||||
internal interface ITokenGenerator
|
internal interface IAntiForgeryTokenGenerator
|
||||||
{
|
{
|
||||||
// Generates a new random cookie token.
|
// Generates a new random cookie token.
|
||||||
AntiForgeryToken GenerateCookieToken();
|
AntiForgeryToken GenerateCookieToken();
|
||||||
|
|
@ -7,7 +7,7 @@ using Microsoft.AspNet.Http;
|
||||||
namespace Microsoft.AspNet.Mvc
|
namespace Microsoft.AspNet.Mvc
|
||||||
{
|
{
|
||||||
// Provides an abstraction around how tokens are persisted and retrieved for a request
|
// Provides an abstraction around how tokens are persisted and retrieved for a request
|
||||||
internal interface ITokenStore
|
internal interface IAntiForgeryTokenStore
|
||||||
{
|
{
|
||||||
AntiForgeryToken GetCookieToken(HttpContext httpContext);
|
AntiForgeryToken GetCookieToken(HttpContext httpContext);
|
||||||
Task<AntiForgeryToken> GetFormTokenAsync(HttpContext httpContext);
|
Task<AntiForgeryToken> GetFormTokenAsync(HttpContext httpContext);
|
||||||
|
|
@ -7,7 +7,7 @@ using Microsoft.AspNet.Http;
|
||||||
namespace Microsoft.AspNet.Mvc
|
namespace Microsoft.AspNet.Mvc
|
||||||
{
|
{
|
||||||
// Provides an abstraction around something that can validate anti-XSRF tokens
|
// Provides an abstraction around something that can validate anti-XSRF tokens
|
||||||
internal interface ITokenValidator
|
internal interface IAntiForgeryTokenValidator
|
||||||
{
|
{
|
||||||
// Determines whether an existing cookie token is valid (well-formed).
|
// Determines whether an existing cookie token is valid (well-formed).
|
||||||
// If it is not, the caller must call GenerateCookieToken() before calling GenerateFormToken().
|
// If it is not, the caller must call GenerateCookieToken() before calling GenerateFormToken().
|
||||||
|
|
@ -5,9 +5,16 @@ using System.Security.Claims;
|
||||||
|
|
||||||
namespace Microsoft.AspNet.Mvc
|
namespace Microsoft.AspNet.Mvc
|
||||||
{
|
{
|
||||||
// Can extract unique identifers for a claims-based identity
|
/// <summary>
|
||||||
|
/// This interface can extract unique identifers for a claims-based identity.
|
||||||
|
/// </summary>
|
||||||
public interface IClaimUidExtractor
|
public interface IClaimUidExtractor
|
||||||
{
|
{
|
||||||
|
/// <summary>
|
||||||
|
/// Extracts claims identifier.
|
||||||
|
/// </summary>
|
||||||
|
/// <param name="identity">The <see cref="ClaimsIdentity"/>.</param>
|
||||||
|
/// <returns>The claims identifier.</returns>
|
||||||
string ExtractClaimUid(ClaimsIdentity identity);
|
string ExtractClaimUid(ClaimsIdentity identity);
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
@ -130,7 +130,8 @@ namespace Microsoft.AspNet.Mvc.Core.Test
|
||||||
htmlEncoder: new CommonTestEncoder());
|
htmlEncoder: new CommonTestEncoder());
|
||||||
|
|
||||||
// Act & assert
|
// Act & assert
|
||||||
var ex = Assert.Throws<InvalidOperationException>(() => worker.GetTokens(mockHttpContext.Object, "cookie-token"));
|
var ex = Assert.Throws<InvalidOperationException>(() =>
|
||||||
|
worker.GetTokens(mockHttpContext.Object, "cookie-token"));
|
||||||
Assert.Equal(
|
Assert.Equal(
|
||||||
@"The anti-forgery system has the configuration value AntiForgeryOptions.RequireSsl = true, " +
|
@"The anti-forgery system has the configuration value AntiForgeryOptions.RequireSsl = true, " +
|
||||||
"but the current request is not an SSL request.",
|
"but the current request is not an SSL request.",
|
||||||
|
|
@ -241,7 +242,10 @@ namespace Microsoft.AspNet.Mvc.Core.Test
|
||||||
{
|
{
|
||||||
// Arrange
|
// Arrange
|
||||||
// Genreate a new cookie.
|
// Genreate a new cookie.
|
||||||
var context = GetAntiForgeryWorkerContext(new AntiForgeryOptions(), useOldCookie: false, isOldCookieValid: false);
|
var context = GetAntiForgeryWorkerContext(
|
||||||
|
new AntiForgeryOptions(),
|
||||||
|
useOldCookie: false,
|
||||||
|
isOldCookieValid: false);
|
||||||
var worker = GetAntiForgeryWorker(context);
|
var worker = GetAntiForgeryWorker(context);
|
||||||
|
|
||||||
// Act
|
// Act
|
||||||
|
|
@ -257,7 +261,10 @@ namespace Microsoft.AspNet.Mvc.Core.Test
|
||||||
{
|
{
|
||||||
// Arrange
|
// Arrange
|
||||||
// Make sure the existing cookie is invalid.
|
// Make sure the existing cookie is invalid.
|
||||||
var context = GetAntiForgeryWorkerContext(new AntiForgeryOptions(), useOldCookie: false, isOldCookieValid: false);
|
var context = GetAntiForgeryWorkerContext(
|
||||||
|
new AntiForgeryOptions(),
|
||||||
|
useOldCookie: false,
|
||||||
|
isOldCookieValid: false);
|
||||||
|
|
||||||
// This will cause the cookieToken to be null.
|
// This will cause the cookieToken to be null.
|
||||||
context.TokenSerializer.Setup(o => o.Deserialize("serialized-old-cookie-token"))
|
context.TokenSerializer.Setup(o => o.Deserialize("serialized-old-cookie-token"))
|
||||||
|
|
@ -280,7 +287,10 @@ namespace Microsoft.AspNet.Mvc.Core.Test
|
||||||
public void GetTokens_ExistingValidCookieToken_GeneratesANewFormToken()
|
public void GetTokens_ExistingValidCookieToken_GeneratesANewFormToken()
|
||||||
{
|
{
|
||||||
// Arrange
|
// Arrange
|
||||||
var context = GetAntiForgeryWorkerContext(new AntiForgeryOptions(), useOldCookie: true, isOldCookieValid: true);
|
var context = GetAntiForgeryWorkerContext(
|
||||||
|
new AntiForgeryOptions(),
|
||||||
|
useOldCookie: true,
|
||||||
|
isOldCookieValid: true);
|
||||||
context.TokenStore = null;
|
context.TokenStore = null;
|
||||||
var worker = GetAntiForgeryWorker(context);
|
var worker = GetAntiForgeryWorker(context);
|
||||||
|
|
||||||
|
|
@ -390,7 +400,9 @@ namespace Microsoft.AspNet.Mvc.Core.Test
|
||||||
[Theory]
|
[Theory]
|
||||||
[InlineData(false, "SAMEORIGIN")]
|
[InlineData(false, "SAMEORIGIN")]
|
||||||
[InlineData(true, null)]
|
[InlineData(true, null)]
|
||||||
public void SetCookieTokenAndHeader_AddsXFrameOptionsHeader(bool suppressXFrameOptions, string expectedHeaderValue)
|
public void SetCookieTokenAndHeader_AddsXFrameOptionsHeader(
|
||||||
|
bool suppressXFrameOptions,
|
||||||
|
string expectedHeaderValue)
|
||||||
{
|
{
|
||||||
// Arrange
|
// Arrange
|
||||||
var options = new AntiForgeryOptions()
|
var options = new AntiForgeryOptions()
|
||||||
|
|
@ -440,13 +452,21 @@ namespace Microsoft.AspNet.Mvc.Core.Test
|
||||||
return mockHttpContext;
|
return mockHttpContext;
|
||||||
}
|
}
|
||||||
|
|
||||||
private Mock<ITokenProvider> GetTokenProvider(HttpContext context, TestTokenSet testTokenSet, bool useOldCookie, bool isOldCookieValid = true, bool isNewCookieValid = true)
|
private Mock<IAntiForgeryTokenProvider> GetTokenProvider(
|
||||||
|
HttpContext context,
|
||||||
|
TestTokenSet testTokenSet,
|
||||||
|
bool useOldCookie,
|
||||||
|
bool isOldCookieValid = true,
|
||||||
|
bool isNewCookieValid = true)
|
||||||
{
|
{
|
||||||
var oldCookieToken = testTokenSet.OldCookieToken;
|
var oldCookieToken = testTokenSet.OldCookieToken;
|
||||||
var newCookieToken = testTokenSet.NewCookieToken;
|
var newCookieToken = testTokenSet.NewCookieToken;
|
||||||
var formToken = testTokenSet.FormToken;
|
var formToken = testTokenSet.FormToken;
|
||||||
var mockValidator = new Mock<ITokenProvider>(MockBehavior.Strict);
|
var mockValidator = new Mock<IAntiForgeryTokenProvider>(MockBehavior.Strict);
|
||||||
mockValidator.Setup(o => o.GenerateFormToken(context, context.User.Identity as ClaimsIdentity, useOldCookie ? oldCookieToken : newCookieToken))
|
mockValidator.Setup(o => o.GenerateFormToken(
|
||||||
|
context,
|
||||||
|
context.User.Identity as ClaimsIdentity,
|
||||||
|
useOldCookie ? oldCookieToken : newCookieToken))
|
||||||
.Returns(formToken);
|
.Returns(formToken);
|
||||||
mockValidator.Setup(o => o.IsCookieTokenValid(oldCookieToken))
|
mockValidator.Setup(o => o.IsCookieTokenValid(oldCookieToken))
|
||||||
.Returns(isOldCookieValid);
|
.Returns(isOldCookieValid);
|
||||||
|
|
@ -459,11 +479,14 @@ namespace Microsoft.AspNet.Mvc.Core.Test
|
||||||
return mockValidator;
|
return mockValidator;
|
||||||
}
|
}
|
||||||
|
|
||||||
private Mock<ITokenStore> GetTokenStore(HttpContext context, TestTokenSet testTokenSet, bool saveNewCookie = true)
|
private Mock<IAntiForgeryTokenStore> GetTokenStore(
|
||||||
|
HttpContext context,
|
||||||
|
TestTokenSet testTokenSet,
|
||||||
|
bool saveNewCookie = true)
|
||||||
{
|
{
|
||||||
var oldCookieToken = testTokenSet.OldCookieToken;
|
var oldCookieToken = testTokenSet.OldCookieToken;
|
||||||
var formToken = testTokenSet.FormToken;
|
var formToken = testTokenSet.FormToken;
|
||||||
var mockTokenStore = new Mock<ITokenStore>(MockBehavior.Strict);
|
var mockTokenStore = new Mock<IAntiForgeryTokenStore>(MockBehavior.Strict);
|
||||||
mockTokenStore.Setup(o => o.GetCookieToken(context))
|
mockTokenStore.Setup(o => o.GetCookieToken(context))
|
||||||
.Returns(oldCookieToken);
|
.Returns(oldCookieToken);
|
||||||
mockTokenStore.Setup(o => o.GetFormTokenAsync(context))
|
mockTokenStore.Setup(o => o.GetFormTokenAsync(context))
|
||||||
|
|
@ -504,7 +527,10 @@ namespace Microsoft.AspNet.Mvc.Core.Test
|
||||||
};
|
};
|
||||||
}
|
}
|
||||||
|
|
||||||
private AntiForgeryWorkerContext GetAntiForgeryWorkerContext(AntiForgeryOptions config, bool useOldCookie = false, bool isOldCookieValid = true)
|
private AntiForgeryWorkerContext GetAntiForgeryWorkerContext(
|
||||||
|
AntiForgeryOptions config,
|
||||||
|
bool useOldCookie = false,
|
||||||
|
bool isOldCookieValid = true)
|
||||||
{
|
{
|
||||||
// Arrange
|
// Arrange
|
||||||
var mockHttpContext = GetHttpContext();
|
var mockHttpContext = GetHttpContext();
|
||||||
|
|
@ -513,7 +539,11 @@ namespace Microsoft.AspNet.Mvc.Core.Test
|
||||||
var mockSerializer = GetTokenSerializer(testTokenSet);
|
var mockSerializer = GetTokenSerializer(testTokenSet);
|
||||||
|
|
||||||
var mockTokenStore = GetTokenStore(mockHttpContext.Object, testTokenSet);
|
var mockTokenStore = GetTokenStore(mockHttpContext.Object, testTokenSet);
|
||||||
var mockTokenProvider = GetTokenProvider(mockHttpContext.Object, testTokenSet, useOldCookie: useOldCookie, isOldCookieValid: isOldCookieValid);
|
var mockTokenProvider = GetTokenProvider(
|
||||||
|
mockHttpContext.Object,
|
||||||
|
testTokenSet,
|
||||||
|
useOldCookie: useOldCookie,
|
||||||
|
isOldCookieValid: isOldCookieValid);
|
||||||
|
|
||||||
return new AntiForgeryWorkerContext()
|
return new AntiForgeryWorkerContext()
|
||||||
{
|
{
|
||||||
|
|
@ -544,9 +574,9 @@ namespace Microsoft.AspNet.Mvc.Core.Test
|
||||||
|
|
||||||
public Mock<HttpContext> HttpContext { get; set; }
|
public Mock<HttpContext> HttpContext { get; set; }
|
||||||
|
|
||||||
public Mock<ITokenProvider> TokenProvider { get; set; }
|
public Mock<IAntiForgeryTokenProvider> TokenProvider { get; set; }
|
||||||
|
|
||||||
public Mock<ITokenStore> TokenStore { get; set; }
|
public Mock<IAntiForgeryTokenStore> TokenStore { get; set; }
|
||||||
|
|
||||||
public Mock<IAntiForgeryTokenSerializer> TokenSerializer { get; set; }
|
public Mock<IAntiForgeryTokenSerializer> TokenSerializer { get; set; }
|
||||||
}
|
}
|
||||||
|
|
|
||||||
|
|
@ -4,7 +4,7 @@
|
||||||
namespace Microsoft.AspNet.Mvc.Core.Test
|
namespace Microsoft.AspNet.Mvc.Core.Test
|
||||||
{
|
{
|
||||||
// A TokenProvider that can be passed to MoQ
|
// A TokenProvider that can be passed to MoQ
|
||||||
internal interface ITokenProvider : ITokenValidator, ITokenGenerator
|
internal interface IAntiForgeryTokenProvider : IAntiForgeryTokenValidator, IAntiForgeryTokenGenerator
|
||||||
{
|
{
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
@ -16,7 +16,7 @@ namespace Microsoft.AspNet.Mvc.Core.Test
|
||||||
public void GenerateCookieToken()
|
public void GenerateCookieToken()
|
||||||
{
|
{
|
||||||
// Arrange
|
// Arrange
|
||||||
var tokenProvider = new TokenProvider(
|
var tokenProvider = new AntiForgeryTokenProvider(
|
||||||
config: null,
|
config: null,
|
||||||
claimUidExtractor: null,
|
claimUidExtractor: null,
|
||||||
additionalDataProvider: null);
|
additionalDataProvider: null);
|
||||||
|
|
@ -40,7 +40,7 @@ namespace Microsoft.AspNet.Mvc.Core.Test
|
||||||
|
|
||||||
var config = new AntiForgeryOptions();
|
var config = new AntiForgeryOptions();
|
||||||
|
|
||||||
var tokenProvider = new TokenProvider(
|
var tokenProvider = new AntiForgeryTokenProvider(
|
||||||
config: config,
|
config: config,
|
||||||
claimUidExtractor: null,
|
claimUidExtractor: null,
|
||||||
additionalDataProvider: null);
|
additionalDataProvider: null);
|
||||||
|
|
@ -71,7 +71,7 @@ namespace Microsoft.AspNet.Mvc.Core.Test
|
||||||
var config = new AntiForgeryOptions();
|
var config = new AntiForgeryOptions();
|
||||||
IClaimUidExtractor claimUidExtractor = new Mock<IClaimUidExtractor>().Object;
|
IClaimUidExtractor claimUidExtractor = new Mock<IClaimUidExtractor>().Object;
|
||||||
|
|
||||||
var tokenProvider = new TokenProvider(
|
var tokenProvider = new AntiForgeryTokenProvider(
|
||||||
config: config,
|
config: config,
|
||||||
claimUidExtractor: claimUidExtractor,
|
claimUidExtractor: claimUidExtractor,
|
||||||
additionalDataProvider: null);
|
additionalDataProvider: null);
|
||||||
|
|
@ -106,7 +106,7 @@ namespace Microsoft.AspNet.Mvc.Core.Test
|
||||||
var config = new AntiForgeryOptions();
|
var config = new AntiForgeryOptions();
|
||||||
IClaimUidExtractor claimUidExtractor = new Mock<IClaimUidExtractor>().Object;
|
IClaimUidExtractor claimUidExtractor = new Mock<IClaimUidExtractor>().Object;
|
||||||
|
|
||||||
var tokenProvider = new TokenProvider(
|
var tokenProvider = new AntiForgeryTokenProvider(
|
||||||
config: config,
|
config: config,
|
||||||
claimUidExtractor: claimUidExtractor,
|
claimUidExtractor: claimUidExtractor,
|
||||||
additionalDataProvider: mockAdditionalDataProvider.Object);
|
additionalDataProvider: mockAdditionalDataProvider.Object);
|
||||||
|
|
@ -145,7 +145,7 @@ namespace Microsoft.AspNet.Mvc.Core.Test
|
||||||
mockClaimUidExtractor.Setup(o => o.ExtractClaimUid(identity))
|
mockClaimUidExtractor.Setup(o => o.ExtractClaimUid(identity))
|
||||||
.Returns(base64ClaimUId);
|
.Returns(base64ClaimUId);
|
||||||
|
|
||||||
var tokenProvider = new TokenProvider(
|
var tokenProvider = new AntiForgeryTokenProvider(
|
||||||
config: config,
|
config: config,
|
||||||
claimUidExtractor: mockClaimUidExtractor.Object,
|
claimUidExtractor: mockClaimUidExtractor.Object,
|
||||||
additionalDataProvider: null);
|
additionalDataProvider: null);
|
||||||
|
|
@ -178,7 +178,7 @@ namespace Microsoft.AspNet.Mvc.Core.Test
|
||||||
var config = new AntiForgeryOptions();
|
var config = new AntiForgeryOptions();
|
||||||
IClaimUidExtractor claimUidExtractor = new Mock<IClaimUidExtractor>().Object;
|
IClaimUidExtractor claimUidExtractor = new Mock<IClaimUidExtractor>().Object;
|
||||||
|
|
||||||
var tokenProvider = new TokenProvider(
|
var tokenProvider = new AntiForgeryTokenProvider(
|
||||||
config: config,
|
config: config,
|
||||||
claimUidExtractor: claimUidExtractor,
|
claimUidExtractor: claimUidExtractor,
|
||||||
additionalDataProvider: null);
|
additionalDataProvider: null);
|
||||||
|
|
@ -204,7 +204,7 @@ namespace Microsoft.AspNet.Mvc.Core.Test
|
||||||
IsSessionToken = false
|
IsSessionToken = false
|
||||||
};
|
};
|
||||||
|
|
||||||
var tokenProvider = new TokenProvider(
|
var tokenProvider = new AntiForgeryTokenProvider(
|
||||||
config: null,
|
config: null,
|
||||||
claimUidExtractor: null,
|
claimUidExtractor: null,
|
||||||
additionalDataProvider: null);
|
additionalDataProvider: null);
|
||||||
|
|
@ -221,7 +221,7 @@ namespace Microsoft.AspNet.Mvc.Core.Test
|
||||||
{
|
{
|
||||||
// Arrange
|
// Arrange
|
||||||
AntiForgeryToken cookieToken = null;
|
AntiForgeryToken cookieToken = null;
|
||||||
var tokenProvider = new TokenProvider(
|
var tokenProvider = new AntiForgeryTokenProvider(
|
||||||
config: null,
|
config: null,
|
||||||
claimUidExtractor: null,
|
claimUidExtractor: null,
|
||||||
additionalDataProvider: null);
|
additionalDataProvider: null);
|
||||||
|
|
@ -242,7 +242,7 @@ namespace Microsoft.AspNet.Mvc.Core.Test
|
||||||
IsSessionToken = true
|
IsSessionToken = true
|
||||||
};
|
};
|
||||||
|
|
||||||
var tokenProvider = new TokenProvider(
|
var tokenProvider = new AntiForgeryTokenProvider(
|
||||||
config: null,
|
config: null,
|
||||||
claimUidExtractor: null,
|
claimUidExtractor: null,
|
||||||
additionalDataProvider: null);
|
additionalDataProvider: null);
|
||||||
|
|
@ -267,7 +267,7 @@ namespace Microsoft.AspNet.Mvc.Core.Test
|
||||||
{
|
{
|
||||||
CookieName = "my-cookie-name"
|
CookieName = "my-cookie-name"
|
||||||
};
|
};
|
||||||
var tokenProvider = new TokenProvider(
|
var tokenProvider = new AntiForgeryTokenProvider(
|
||||||
config: config,
|
config: config,
|
||||||
claimUidExtractor: null,
|
claimUidExtractor: null,
|
||||||
additionalDataProvider: null);
|
additionalDataProvider: null);
|
||||||
|
|
@ -293,7 +293,7 @@ namespace Microsoft.AspNet.Mvc.Core.Test
|
||||||
FormFieldName = "my-form-field-name"
|
FormFieldName = "my-form-field-name"
|
||||||
};
|
};
|
||||||
|
|
||||||
var tokenProvider = new TokenProvider(
|
var tokenProvider = new AntiForgeryTokenProvider(
|
||||||
config: config,
|
config: config,
|
||||||
claimUidExtractor: null,
|
claimUidExtractor: null,
|
||||||
additionalDataProvider: null);
|
additionalDataProvider: null);
|
||||||
|
|
@ -320,7 +320,7 @@ namespace Microsoft.AspNet.Mvc.Core.Test
|
||||||
FormFieldName = "my-form-field-name"
|
FormFieldName = "my-form-field-name"
|
||||||
};
|
};
|
||||||
|
|
||||||
var tokenProvider = new TokenProvider(
|
var tokenProvider = new AntiForgeryTokenProvider(
|
||||||
config: config,
|
config: config,
|
||||||
claimUidExtractor: null,
|
claimUidExtractor: null,
|
||||||
additionalDataProvider: null);
|
additionalDataProvider: null);
|
||||||
|
|
@ -352,7 +352,7 @@ namespace Microsoft.AspNet.Mvc.Core.Test
|
||||||
var sessionToken = new AntiForgeryToken() { IsSessionToken = true };
|
var sessionToken = new AntiForgeryToken() { IsSessionToken = true };
|
||||||
var fieldtoken = new AntiForgeryToken() { IsSessionToken = false };
|
var fieldtoken = new AntiForgeryToken() { IsSessionToken = false };
|
||||||
|
|
||||||
var tokenProvider = new TokenProvider(
|
var tokenProvider = new AntiForgeryTokenProvider(
|
||||||
config: null,
|
config: null,
|
||||||
claimUidExtractor: null,
|
claimUidExtractor: null,
|
||||||
additionalDataProvider: null);
|
additionalDataProvider: null);
|
||||||
|
|
@ -385,7 +385,7 @@ namespace Microsoft.AspNet.Mvc.Core.Test
|
||||||
mockClaimUidExtractor.Setup(o => o.ExtractClaimUid(identity))
|
mockClaimUidExtractor.Setup(o => o.ExtractClaimUid(identity))
|
||||||
.Returns((string)null);
|
.Returns((string)null);
|
||||||
|
|
||||||
var tokenProvider = new TokenProvider(
|
var tokenProvider = new AntiForgeryTokenProvider(
|
||||||
config: null,
|
config: null,
|
||||||
claimUidExtractor: mockClaimUidExtractor.Object,
|
claimUidExtractor: mockClaimUidExtractor.Object,
|
||||||
additionalDataProvider: null);
|
additionalDataProvider: null);
|
||||||
|
|
@ -418,7 +418,7 @@ namespace Microsoft.AspNet.Mvc.Core.Test
|
||||||
mockClaimUidExtractor.Setup(o => o.ExtractClaimUid(identity))
|
mockClaimUidExtractor.Setup(o => o.ExtractClaimUid(identity))
|
||||||
.Returns(Convert.ToBase64String(differentToken.GetData()));
|
.Returns(Convert.ToBase64String(differentToken.GetData()));
|
||||||
|
|
||||||
var tokenProvider = new TokenProvider(
|
var tokenProvider = new AntiForgeryTokenProvider(
|
||||||
config: null,
|
config: null,
|
||||||
claimUidExtractor: mockClaimUidExtractor.Object,
|
claimUidExtractor: mockClaimUidExtractor.Object,
|
||||||
additionalDataProvider: null);
|
additionalDataProvider: null);
|
||||||
|
|
@ -452,7 +452,7 @@ namespace Microsoft.AspNet.Mvc.Core.Test
|
||||||
.Returns(false);
|
.Returns(false);
|
||||||
|
|
||||||
var config = new AntiForgeryOptions();
|
var config = new AntiForgeryOptions();
|
||||||
var tokenProvider = new TokenProvider(
|
var tokenProvider = new AntiForgeryTokenProvider(
|
||||||
config: config,
|
config: config,
|
||||||
claimUidExtractor: null,
|
claimUidExtractor: null,
|
||||||
additionalDataProvider: mockAdditionalDataProvider.Object);
|
additionalDataProvider: mockAdditionalDataProvider.Object);
|
||||||
|
|
@ -484,7 +484,7 @@ namespace Microsoft.AspNet.Mvc.Core.Test
|
||||||
.Returns(true);
|
.Returns(true);
|
||||||
|
|
||||||
var config = new AntiForgeryOptions();
|
var config = new AntiForgeryOptions();
|
||||||
var tokenProvider = new TokenProvider(
|
var tokenProvider = new AntiForgeryTokenProvider(
|
||||||
config: config,
|
config: config,
|
||||||
claimUidExtractor: null,
|
claimUidExtractor: null,
|
||||||
additionalDataProvider: mockAdditionalDataProvider.Object);
|
additionalDataProvider: mockAdditionalDataProvider.Object);
|
||||||
|
|
@ -516,7 +516,7 @@ namespace Microsoft.AspNet.Mvc.Core.Test
|
||||||
.Returns(true);
|
.Returns(true);
|
||||||
|
|
||||||
var config = new AntiForgeryOptions();
|
var config = new AntiForgeryOptions();
|
||||||
var tokenProvider = new TokenProvider(
|
var tokenProvider = new AntiForgeryTokenProvider(
|
||||||
config: config,
|
config: config,
|
||||||
claimUidExtractor: new Mock<IClaimUidExtractor>().Object,
|
claimUidExtractor: new Mock<IClaimUidExtractor>().Object,
|
||||||
additionalDataProvider: mockAdditionalDataProvider.Object);
|
additionalDataProvider: mockAdditionalDataProvider.Object);
|
||||||
|
|
@ -548,7 +548,7 @@ namespace Microsoft.AspNet.Mvc.Core.Test
|
||||||
|
|
||||||
var config = new AntiForgeryOptions();
|
var config = new AntiForgeryOptions();
|
||||||
|
|
||||||
var tokenProvider = new TokenProvider(
|
var tokenProvider = new AntiForgeryTokenProvider(
|
||||||
config: config,
|
config: config,
|
||||||
claimUidExtractor: mockClaimUidExtractor.Object,
|
claimUidExtractor: mockClaimUidExtractor.Object,
|
||||||
additionalDataProvider: null);
|
additionalDataProvider: null);
|
||||||
|
|
|
||||||
Loading…
Reference in New Issue