// Copyright (c) .NET Foundation. All rights reserved. // Licensed under the Apache License, Version 2.0. See License.txt in the project root for license information. using System; using System.Security.Claims; using System.Threading.Tasks; using Microsoft.AspNetCore.Authentication; using Microsoft.AspNetCore.Authentication.Cookies; using Microsoft.AspNetCore.Http; using Microsoft.Extensions.DependencyInjection; using Microsoft.Extensions.Options; using Moq; using Xunit; namespace Microsoft.AspNetCore.Identity.Test { public class SecurityStampTest { private class NoopHandler : IAuthenticationHandler { public Task AuthenticateAsync() { throw new NotImplementedException(); } public Task ChallengeAsync(AuthenticationProperties properties) { throw new NotImplementedException(); } public Task ForbidAsync(AuthenticationProperties properties) { throw new NotImplementedException(); } public Task HandleRequestAsync() { throw new NotImplementedException(); } public Task InitializeAsync(AuthenticationScheme scheme, HttpContext context) { throw new NotImplementedException(); } public Task SignInAsync(ClaimsPrincipal user, AuthenticationProperties properties) { throw new NotImplementedException(); } public Task SignOutAsync(AuthenticationProperties properties) { throw new NotImplementedException(); } } [Fact] public async Task OnValidatePrincipalThrowsWithEmptyServiceCollection() { var httpContext = new Mock(); httpContext.Setup(c => c.RequestServices).Returns(new ServiceCollection().BuildServiceProvider()); var id = new ClaimsPrincipal(new ClaimsIdentity(IdentityConstants.ApplicationScheme)); var ticket = new AuthenticationTicket(id, new AuthenticationProperties { IssuedUtc = DateTimeOffset.UtcNow }, IdentityConstants.ApplicationScheme); var context = new CookieValidatePrincipalContext(httpContext.Object, new AuthenticationSchemeBuilder(IdentityConstants.ApplicationScheme) { HandlerType = typeof(NoopHandler) }.Build(), new CookieAuthenticationOptions(), ticket); var ex = await Assert.ThrowsAsync(() => SecurityStampValidator.ValidatePrincipalAsync(context)); } [Theory] [InlineData(true)] [InlineData(false)] public async Task OnValidatePrincipalTestSuccess(bool isPersistent) { var user = new PocoUser("test"); var httpContext = new Mock(); await RunApplicationCookieTest(user, httpContext, /*shouldStampValidate*/true, async () => { var id = new ClaimsIdentity(IdentityConstants.ApplicationScheme); id.AddClaim(new Claim(ClaimTypes.NameIdentifier, user.Id)); var principal = new ClaimsPrincipal(id); var properties = new AuthenticationProperties { IssuedUtc = DateTimeOffset.UtcNow.AddSeconds(-1), IsPersistent = isPersistent }; var ticket = new AuthenticationTicket(principal, properties, IdentityConstants.ApplicationScheme); var context = new CookieValidatePrincipalContext(httpContext.Object, new AuthenticationSchemeBuilder(IdentityConstants.ApplicationScheme) { HandlerType = typeof(NoopHandler) }.Build(), new CookieAuthenticationOptions(), ticket); Assert.NotNull(context.Properties); Assert.NotNull(context.Options); Assert.NotNull(context.Principal); await SecurityStampValidator.ValidatePrincipalAsync(context); Assert.NotNull(context.Principal); }); } private async Task RunApplicationCookieTest(PocoUser user, Mock httpContext, bool shouldStampValidate, Func testCode) { var userManager = MockHelpers.MockUserManager(); var claimsManager = new Mock>(); var identityOptions = new Mock>(); identityOptions.Setup(a => a.Value).Returns(new IdentityOptions()); var options = new Mock>(); options.Setup(a => a.Value).Returns(new SecurityStampValidatorOptions { ValidationInterval = TimeSpan.Zero }); var contextAccessor = new Mock(); contextAccessor.Setup(a => a.HttpContext).Returns(httpContext.Object); var signInManager = new Mock>(userManager.Object, contextAccessor.Object, claimsManager.Object, identityOptions.Object, null, new Mock().Object); signInManager.Setup(s => s.ValidateSecurityStampAsync(It.IsAny())).ReturnsAsync(shouldStampValidate ? user : default).Verifiable(); if (shouldStampValidate) { var id = new ClaimsIdentity(IdentityConstants.ApplicationScheme); id.AddClaim(new Claim(ClaimTypes.NameIdentifier, user.Id)); var principal = new ClaimsPrincipal(id); signInManager.Setup(s => s.CreateUserPrincipalAsync(user)).ReturnsAsync(principal).Verifiable(); } var services = new ServiceCollection(); services.AddSingleton(options.Object); services.AddSingleton(signInManager.Object); services.AddSingleton(new SecurityStampValidator(options.Object, signInManager.Object, new SystemClock())); httpContext.Setup(c => c.RequestServices).Returns(services.BuildServiceProvider()); await testCode.Invoke(); signInManager.VerifyAll(); } [Fact] public async Task OnValidateIdentityRejectsWhenValidateSecurityStampFails() { var user = new PocoUser("test"); var httpContext = new Mock(); await RunApplicationCookieTest(user, httpContext, /*shouldStampValidate*/false, async () => { var id = new ClaimsIdentity(IdentityConstants.ApplicationScheme); id.AddClaim(new Claim(ClaimTypes.NameIdentifier, user.Id)); var ticket = new AuthenticationTicket(new ClaimsPrincipal(id), new AuthenticationProperties { IssuedUtc = DateTimeOffset.UtcNow.AddSeconds(-1) }, IdentityConstants.ApplicationScheme); var context = new CookieValidatePrincipalContext(httpContext.Object, new AuthenticationSchemeBuilder(IdentityConstants.ApplicationScheme) { HandlerType = typeof(NoopHandler) }.Build(), new CookieAuthenticationOptions(), ticket); Assert.NotNull(context.Properties); Assert.NotNull(context.Options); Assert.NotNull(context.Principal); await SecurityStampValidator.ValidatePrincipalAsync(context); Assert.Null(context.Principal); }); } [Fact] public async Task OnValidateIdentityAcceptsWhenStoreDoesNotSupportSecurityStamp() { var user = new PocoUser("test"); var httpContext = new Mock(); var userManager = MockHelpers.MockUserManager(); var claimsManager = new Mock>(); var identityOptions = new Mock>(); identityOptions.Setup(a => a.Value).Returns(new IdentityOptions()); var options = new Mock>(); options.Setup(a => a.Value).Returns(new SecurityStampValidatorOptions { ValidationInterval = TimeSpan.Zero }); var contextAccessor = new Mock(); contextAccessor.Setup(a => a.HttpContext).Returns(httpContext.Object); var signInManager = new SignInManager(userManager.Object, contextAccessor.Object, claimsManager.Object, identityOptions.Object, null, new Mock().Object); userManager.Setup(u => u.GetUserAsync(It.IsAny())).ReturnsAsync(user).Verifiable(); claimsManager.Setup(c => c.CreateAsync(user)).ReturnsAsync(new ClaimsPrincipal()).Verifiable(); var services = new ServiceCollection(); services.AddSingleton(options.Object); services.AddSingleton(signInManager); services.AddSingleton(new SecurityStampValidator(options.Object, signInManager, new SystemClock())); httpContext.Setup(c => c.RequestServices).Returns(services.BuildServiceProvider()); var tid = new ClaimsIdentity(IdentityConstants.ApplicationScheme); tid.AddClaim(new Claim(ClaimTypes.NameIdentifier, user.Id)); var ticket = new AuthenticationTicket(new ClaimsPrincipal(tid), new AuthenticationProperties { IssuedUtc = DateTimeOffset.UtcNow.AddSeconds(-1) }, IdentityConstants.ApplicationScheme); var context = new CookieValidatePrincipalContext(httpContext.Object, new AuthenticationSchemeBuilder(IdentityConstants.ApplicationScheme) { HandlerType = typeof(NoopHandler) }.Build(), new CookieAuthenticationOptions(), ticket); Assert.NotNull(context.Properties); Assert.NotNull(context.Options); Assert.NotNull(context.Principal); await SecurityStampValidator.ValidatePrincipalAsync(context); Assert.NotNull(context.Principal); userManager.VerifyAll(); claimsManager.VerifyAll(); } [Fact] public async Task OnValidateIdentityRejectsWhenNoIssuedUtc() { var user = new PocoUser("test"); var httpContext = new Mock(); var userManager = MockHelpers.MockUserManager(); var identityOptions = new Mock>(); identityOptions.Setup(a => a.Value).Returns(new IdentityOptions()); var claimsManager = new Mock>(); var options = new Mock>(); options.Setup(a => a.Value).Returns(new SecurityStampValidatorOptions { ValidationInterval = TimeSpan.Zero }); var contextAccessor = new Mock(); contextAccessor.Setup(a => a.HttpContext).Returns(httpContext.Object); var signInManager = new Mock>(userManager.Object, contextAccessor.Object, claimsManager.Object, identityOptions.Object, null, new Mock().Object); signInManager.Setup(s => s.ValidateSecurityStampAsync(It.IsAny())).ReturnsAsync(default(PocoUser)).Verifiable(); var services = new ServiceCollection(); services.AddSingleton(options.Object); services.AddSingleton(signInManager.Object); services.AddSingleton(new SecurityStampValidator(options.Object, signInManager.Object, new SystemClock())); httpContext.Setup(c => c.RequestServices).Returns(services.BuildServiceProvider()); var id = new ClaimsIdentity(IdentityConstants.ApplicationScheme); id.AddClaim(new Claim(ClaimTypes.NameIdentifier, user.Id)); var ticket = new AuthenticationTicket(new ClaimsPrincipal(id), new AuthenticationProperties(), IdentityConstants.ApplicationScheme); var context = new CookieValidatePrincipalContext(httpContext.Object, new AuthenticationSchemeBuilder(IdentityConstants.ApplicationScheme) { HandlerType = typeof(NoopHandler) }.Build(), new CookieAuthenticationOptions(), ticket); Assert.NotNull(context.Properties); Assert.NotNull(context.Options); Assert.NotNull(context.Principal); await SecurityStampValidator.ValidatePrincipalAsync(context); Assert.Null(context.Principal); signInManager.VerifyAll(); } [Fact] public async Task OnValidateIdentityDoesNotRejectsWhenNotExpired() { var user = new PocoUser("test"); var httpContext = new Mock(); var userManager = MockHelpers.MockUserManager(); var identityOptions = new Mock>(); identityOptions.Setup(a => a.Value).Returns(new IdentityOptions()); var claimsManager = new Mock>(); var options = new Mock>(); options.Setup(a => a.Value).Returns(new SecurityStampValidatorOptions { ValidationInterval = TimeSpan.FromDays(1) }); var contextAccessor = new Mock(); contextAccessor.Setup(a => a.HttpContext).Returns(httpContext.Object); var signInManager = new Mock>(userManager.Object, contextAccessor.Object, claimsManager.Object, identityOptions.Object, null, new Mock().Object); signInManager.Setup(s => s.ValidateSecurityStampAsync(It.IsAny())).Throws(new Exception("Shouldn't be called")); signInManager.Setup(s => s.SignInAsync(user, false, null)).Throws(new Exception("Shouldn't be called")); var services = new ServiceCollection(); services.AddSingleton(options.Object); services.AddSingleton(signInManager.Object); services.AddSingleton(new SecurityStampValidator(options.Object, signInManager.Object, new SystemClock())); httpContext.Setup(c => c.RequestServices).Returns(services.BuildServiceProvider()); var id = new ClaimsIdentity(IdentityConstants.ApplicationScheme); id.AddClaim(new Claim(ClaimTypes.NameIdentifier, user.Id)); var ticket = new AuthenticationTicket(new ClaimsPrincipal(id), new AuthenticationProperties { IssuedUtc = DateTimeOffset.UtcNow }, IdentityConstants.ApplicationScheme); var context = new CookieValidatePrincipalContext(httpContext.Object, new AuthenticationSchemeBuilder(IdentityConstants.ApplicationScheme) { HandlerType = typeof(NoopHandler) }.Build(), new CookieAuthenticationOptions(), ticket); Assert.NotNull(context.Properties); Assert.NotNull(context.Options); Assert.NotNull(context.Principal); await SecurityStampValidator.ValidatePrincipalAsync(context); Assert.NotNull(context.Principal); } private async Task RunRememberClientCookieTest(bool shouldStampValidate, bool validationSuccess) { var user = new PocoUser("test"); var httpContext = new Mock(); var userManager = MockHelpers.MockUserManager(); userManager.Setup(u => u.GetUserIdAsync(user)).ReturnsAsync(user.Id).Verifiable(); var claimsManager = new Mock>(); var identityOptions = new Mock>(); identityOptions.Setup(a => a.Value).Returns(new IdentityOptions()); var options = new Mock>(); options.Setup(a => a.Value).Returns(new SecurityStampValidatorOptions { ValidationInterval = TimeSpan.Zero }); var contextAccessor = new Mock(); contextAccessor.Setup(a => a.HttpContext).Returns(httpContext.Object); var signInManager = new Mock>(userManager.Object, contextAccessor.Object, claimsManager.Object, identityOptions.Object, null, new Mock().Object); signInManager.Setup(s => s.ValidateTwoFactorSecurityStampAsync(It.IsAny())).ReturnsAsync(shouldStampValidate ? user : default).Verifiable(); var services = new ServiceCollection(); services.AddSingleton(options.Object); services.AddSingleton(signInManager.Object); services.AddSingleton(new TwoFactorSecurityStampValidator(options.Object, signInManager.Object, new SystemClock())); httpContext.Setup(c => c.RequestServices).Returns(services.BuildServiceProvider()); var principal = await signInManager.Object.StoreRememberClient(user); var ticket = new AuthenticationTicket(principal, new AuthenticationProperties { IsPersistent = true }, IdentityConstants.TwoFactorRememberMeScheme); var context = new CookieValidatePrincipalContext(httpContext.Object, new AuthenticationSchemeBuilder(IdentityConstants.ApplicationScheme) { HandlerType = typeof(NoopHandler) }.Build(), new CookieAuthenticationOptions(), ticket); Assert.NotNull(context.Properties); Assert.NotNull(context.Options); Assert.NotNull(context.Principal); await SecurityStampValidator.ValidateAsync(context); Assert.Equal(validationSuccess, context.Principal != null); signInManager.VerifyAll(); userManager.VerifyAll(); } [Fact] public Task TwoFactorRememberClientOnValidatePrincipalTestSuccess() => RunRememberClientCookieTest(shouldStampValidate: true, validationSuccess: true); [Fact] public Task TwoFactorRememberClientOnValidatePrincipalRejectsWhenValidateSecurityStampFails() => RunRememberClientCookieTest(shouldStampValidate: false, validationSuccess: false); } }