//
// ServiceCredentialsSecurityTokenManagerTest.cs
//
// Author:
// Atsushi Enomoto <atsushi@ximian.com>
//
// Copyright (C) 2006-2007 Novell, Inc. http://www.novell.com
//
// Permission is hereby granted, free of charge, to any person obtaining
// a copy of this software and associated documentation files (the
// "Software"), to deal in the Software without restriction, including
// without limitation the rights to use, copy, modify, merge, publish,
// distribute, sublicense, and/or sell copies of the Software, and to
// permit persons to whom the Software is furnished to do so, subject to
// the following conditions:
//
// The above copyright notice and this permission notice shall be
// included in all copies or substantial portions of the Software.
//
// THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
// EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
// MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND
// NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE
// LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION
// OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION
// WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
//
using System;
using System.IdentityModel.Selectors;
using System.IdentityModel.Tokens;
using System.Net;
using System.Security.Cryptography.X509Certificates;
using System.ServiceModel;
using System.ServiceModel.Channels;
using System.ServiceModel.Description;
using System.ServiceModel.Security;
using System.ServiceModel.Security.Tokens;
using System.Xml;
using NUnit.Framework;
using ReqType = System.ServiceModel.Security.Tokens.ServiceModelSecurityTokenRequirement;
namespace MonoTests.System.ServiceModel.Security
{
[TestFixture]
public class ServiceCredentialsSecurityTokenManagerTest
{
class MyManager : ServiceCredentialsSecurityTokenManager
{
public MyManager ()
: this (new ServiceCredentials ())
{
}
public MyManager (ServiceCredentials cred)
: base (cred)
{
}
public bool IsIssued (SecurityTokenRequirement r)
{
return IsIssuedSecurityTokenRequirement (r);
}
}
class MySslSecurityTokenParameters : SslSecurityTokenParameters
{
public void InitRequirement (SecurityTokenRequirement r)
{
InitializeSecurityTokenRequirement (r);
}
}
MyManager def_c;
[SetUp]
public void Initialize ()
{
def_c = new MyManager ();
}
[Test]
public void DefaultValues ()
{
// FIXME: check more
MyManager mgr = new MyManager ();
Assert.IsTrue (mgr.ServiceCredentials.SecureConversationAuthentication.SecurityStateEncoder is DataProtectionSecurityStateEncoder, "#n-1");
}
[Test]
public void IsIssuedSecurityTokenRequirement ()
{
RecipientServiceModelSecurityTokenRequirement r;
MyManager mgr = new MyManager ();
r = new RecipientServiceModelSecurityTokenRequirement ();
MySslSecurityTokenParameters ssl =
new MySslSecurityTokenParameters ();
ssl.InitRequirement (r);
Assert.IsFalse (mgr.IsIssued (r), "ssl");
r = new RecipientServiceModelSecurityTokenRequirement ();
MySspiSecurityTokenParameters sspi =
new MySspiSecurityTokenParameters ();
sspi.InitRequirement (r);
Assert.IsFalse (mgr.IsIssued (r), "sspi");
r = new RecipientServiceModelSecurityTokenRequirement ();
MyIssuedSecurityTokenParameters issued =
new MyIssuedSecurityTokenParameters ();
issued.InitRequirement (r);
Assert.IsTrue (mgr.IsIssued (r), "issued");
/*
r = new RecipientServiceModelSecurityTokenRequirement ();
MySecureConversationSecurityTokenParameters sc =
new MySecureConversationSecurityTokenParameters (
new SymmetricSecurityBindingElement (new X509SecurityTokenParameters ()),
false,
new ChannelProtectionRequirements ());
r.Properties [ReqType.IssuerBindingContextProperty] =
new BindingContext (new CustomBinding (), new BindingParameterCollection ());
r.Properties [ReqType.MessageSecurityVersionProperty] =
MessageSecurityVersion.Default;
r.Properties [ReqType.ChannelParametersCollectionProperty] =
new ChannelParameterCollection ();
r.Properties [ReqType.IssuedSecurityTokenParametersProperty] = sc.Clone ();
r.Properties [ReqType.IssuerBindingProperty] =
new CustomBinding (new HttpTransportBindingElement ());
r.Properties [ReqType.MessageDirectionProperty] =
MessageDirection.Input;
r.SecureConversationSecurityBindingElement =
new SymmetricSecurityBindingElement (
new X509SecurityTokenParameters ());
r.SecurityAlgorithmSuite = SecurityAlgorithmSuite.Default;
r.Properties [ReqType.SupportSecurityContextCancellationProperty] = true;
r.ListenUri = new Uri ("http://localhost:8080");
r.KeySize = 256;
sc.InitRequirement (r);
Assert.IsFalse (mgr.IsIssued (r), "sc");
*/
}
[Test]
[ExpectedException (typeof (NotSupportedException))]
public void CreateProviderDefault ()
{
SecurityTokenRequirement r =
new RecipientServiceModelSecurityTokenRequirement ();
def_c.CreateSecurityTokenProvider (r);
}
[Test]
[ExpectedException (typeof (InvalidOperationException))]
[Ignore ("")]
public void CreateProviderUserNameWithoutName ()
{
SecurityTokenRequirement r =
new RecipientServiceModelSecurityTokenRequirement ();
r.TokenType = SecurityTokenTypes.UserName;
def_c.CreateSecurityTokenProvider (r);
}
[Test]
[ExpectedException (typeof (NotSupportedException))]
public void CreateProviderUserName ()
{
SecurityTokenRequirement r =
new RecipientServiceModelSecurityTokenRequirement ();
r.TokenType = SecurityTokenTypes.UserName;
def_c.CreateSecurityTokenProvider (r);
}
class MyUserNameValidator : UserNamePasswordValidator
{
public override void Validate (string userName, string password)
{
throw new Exception ();
}
}
[Test]
public void CreateAuthenticatorUserName ()
{
SecurityTokenRequirement r =
new RecipientServiceModelSecurityTokenRequirement ();
r.TokenType = SecurityTokenTypes.UserName;
SecurityTokenResolver resolver;
SecurityTokenAuthenticator a =
def_c.CreateSecurityTokenAuthenticator (r, out resolver);
Assert.AreEqual (typeof (WindowsUserNameSecurityTokenAuthenticator), a.GetType (), "#1");
Assert.IsNull (resolver, "#2");
def_c.ServiceCredentials.UserNameAuthentication.UserNamePasswordValidationMode = UserNamePasswordValidationMode.Custom;
def_c.ServiceCredentials.UserNameAuthentication.CustomUserNamePasswordValidator = new MyUserNameValidator ();
a = def_c.CreateSecurityTokenAuthenticator (r, out resolver);
Assert.AreEqual (typeof (CustomUserNameSecurityTokenAuthenticator), a.GetType (), "#3");
Assert.IsNull (resolver, "#4");
}
[Test]
[ExpectedException (typeof (InvalidOperationException))]
public void CreateAuthenticatorUserNameCustomWithoutValidator ()
{
SecurityTokenRequirement r =
new RecipientServiceModelSecurityTokenRequirement ();
r.TokenType = SecurityTokenTypes.UserName;
SecurityTokenResolver resolver;
def_c.ServiceCredentials.UserNameAuthentication.UserNamePasswordValidationMode = UserNamePasswordValidationMode.Custom;
def_c.CreateSecurityTokenAuthenticator (r, out resolver);
}
[Test]
[ExpectedException (typeof (NotSupportedException))]
public void CreateProviderRsaDefault ()
{
// actually is Rsa usable here??
SecurityTokenRequirement r =
new RecipientServiceModelSecurityTokenRequirement ();
r.TokenType = SecurityTokenTypes.Rsa;
def_c.CreateSecurityTokenProvider (r);
}
[Test]
public void CreateAuthenticatorRsaDefault ()
{
SecurityTokenRequirement r =
new RecipientServiceModelSecurityTokenRequirement ();
SecurityTokenResolver resolver;
r.TokenType = SecurityTokenTypes.Rsa;
SecurityTokenAuthenticator a = def_c.CreateSecurityTokenAuthenticator (r, out resolver);
Assert.AreEqual (typeof (RsaSecurityTokenAuthenticator), a.GetType (), "#1");
Assert.IsNull (resolver, "#2");
}
[Test]
[ExpectedException (typeof (InvalidOperationException))]
public void CreateProviderX509WithoutCert ()
{
SecurityTokenRequirement r =
new RecipientServiceModelSecurityTokenRequirement ();
r.TokenType = SecurityTokenTypes.X509Certificate;
def_c.CreateSecurityTokenProvider (r);
}
[Test]
[ExpectedException (typeof (ArgumentException))]
public void CreateProviderX509PublicOnlyKey ()
{
SecurityTokenRequirement r =
new RecipientServiceModelSecurityTokenRequirement ();
r.TokenType = SecurityTokenTypes.X509Certificate;
X509Certificate2 cert = new X509Certificate2 ("Test/Resources/test.cer");
def_c.ServiceCredentials.ServiceCertificate.Certificate = cert;
def_c.CreateSecurityTokenProvider (r);
}
[Test]
public void CreateProviderX509 ()
{
SecurityTokenRequirement r =
new RecipientServiceModelSecurityTokenRequirement ();
r.TokenType = SecurityTokenTypes.X509Certificate;
def_c.ServiceCredentials.ServiceCertificate.Certificate =
new X509Certificate2 ("Test/Resources/test.pfx", "mono");
X509SecurityTokenProvider p =
def_c.CreateSecurityTokenProvider (r)
as X509SecurityTokenProvider;
Assert.IsNotNull (p, "#1");
}
[Test]
[ExpectedException (typeof (InvalidOperationException))]
public void CreateProviderX509Initiator ()
{
InitiatorServiceModelSecurityTokenRequirement r =
new InitiatorServiceModelSecurityTokenRequirement ();
r.TokenType = SecurityTokenTypes.X509Certificate;
r.KeyUsage = SecurityKeyUsage.Exchange;
// ClientCredential is somehow required ...
def_c.ServiceCredentials.ServiceCertificate.Certificate =
new X509Certificate2 ("Test/Resources/test.pfx", "mono");
X509SecurityTokenProvider p =
def_c.CreateSecurityTokenProvider (r)
as X509SecurityTokenProvider;
Assert.IsNotNull (p, "#1");
}
[Test]
[ExpectedException (typeof (NotSupportedException))]
public void CreateProviderAnonSslError ()
{
RecipientServiceModelSecurityTokenRequirement r =
new RecipientServiceModelSecurityTokenRequirement ();
r.TokenType = ServiceModelSecurityTokenTypes.AnonymousSslnego;
r.ListenUri = new Uri ("http://localhost:8080");
r.SecurityBindingElement = new SymmetricSecurityBindingElement ();
r.Properties [ReqType.IssuerBindingContextProperty] =
new BindingContext (new CustomBinding (), new BindingParameterCollection ());
r.MessageSecurityVersion =
MessageSecurityVersion.Default.SecurityTokenVersion;
SecurityTokenProvider p =
def_c.CreateSecurityTokenProvider (r);
Assert.IsNotNull (p, "#1");
}
[Test]
[Ignore ("incomplete")]
[Category ("NotWorking")]
public void CreateProviderAnonSsl ()
{
RecipientServiceModelSecurityTokenRequirement r =
new RecipientServiceModelSecurityTokenRequirement ();
new MySslSecurityTokenParameters ().InitRequirement (r);
Assert.IsFalse (r.Properties.ContainsKey (ReqType.ChannelParametersCollectionProperty), "#1");
Assert.IsFalse (r.Properties.ContainsKey (ReqType.EndpointFilterTableProperty), "#2");
Assert.IsFalse (r.Properties.ContainsKey (ReqType.HttpAuthenticationSchemeProperty), "#3");
Assert.IsFalse (r.Properties.ContainsKey (ReqType.IsOutOfBandTokenProperty), "#4");
Assert.IsFalse (r.Properties.ContainsKey (ReqType.IssuerAddressProperty), "#5");
Assert.IsFalse (r.Properties.ContainsKey (ReqType.MessageDirectionProperty), "#6");
Assert.IsFalse (r.Properties.ContainsKey (ReqType.MessageSecurityVersionProperty), "#7");
//Assert.IsTrue (r.Properties.ContainsKey (SecurityTokenRequirement.PeerAuthenticationMode), "#8");
Assert.IsFalse (r.Properties.ContainsKey (ReqType.SecurityAlgorithmSuiteProperty), "#9");
Assert.IsFalse (r.Properties.ContainsKey (ReqType.SecurityBindingElementProperty), "#10");
Assert.IsFalse (r.Properties.ContainsKey (ReqType.SupportingTokenAttachmentModeProperty), "#11");
Assert.AreEqual (null, r.TransportScheme, "#12");
r.TokenType = ServiceModelSecurityTokenTypes.AnonymousSslnego;
r.ListenUri = new Uri ("http://localhost:8080");
r.SecurityBindingElement = new SymmetricSecurityBindingElement ();
r.Properties [ReqType.IssuerBindingContextProperty] =
new BindingContext (new CustomBinding (), new BindingParameterCollection ());
r.MessageSecurityVersion =
MessageSecurityVersion.Default.SecurityTokenVersion;
r.Properties [ReqType.SecurityAlgorithmSuiteProperty] =
SecurityAlgorithmSuite.Default;
r.TransportScheme = "https";
r.Properties [ReqType.ChannelParametersCollectionProperty] = new ChannelParameterCollection ();
r.Properties [ReqType.EndpointFilterTableProperty] = null;
r.Properties [ReqType.HttpAuthenticationSchemeProperty] = AuthenticationSchemes.Anonymous;
r.Properties [ReqType.IsOutOfBandTokenProperty] = true;
r.Properties [ReqType.IssuerAddressProperty] = new EndpointAddress ("http://localhost:9090");
// r.Properties [ReqType.MessageDirectionProperty] = MessageDirection.Input;
r.Properties [ReqType.SecurityBindingElementProperty] = new SymmetricSecurityBindingElement ();
r.Properties [ReqType.SupportingTokenAttachmentModeProperty] = SecurityTokenAttachmentMode.Signed;
SecurityTokenProvider p =
def_c.CreateSecurityTokenProvider (r);
Assert.IsNotNull (p, "#1");
}
RecipientServiceModelSecurityTokenRequirement CreateAnonSslRequirement ()
{
RecipientServiceModelSecurityTokenRequirement r =
new RecipientServiceModelSecurityTokenRequirement ();
MySslSecurityTokenParameters p = new MySslSecurityTokenParameters ();
p.InitRequirement (r);
r.SecurityBindingElement = new SymmetricSecurityBindingElement (new X509SecurityTokenParameters ());
r.Properties [ReqType.IssuedSecurityTokenParametersProperty] = p.Clone ();
r.Properties [ReqType.IssuerBindingContextProperty] =
new BindingContext (new CustomBinding (new HttpTransportBindingElement ()), new BindingParameterCollection ());
r.Properties [ReqType.MessageSecurityVersionProperty] =
MessageSecurityVersion.Default.SecurityTokenVersion;
return r;
}
RecipientServiceModelSecurityTokenRequirement CreateSecureConvRequirement ()
{
RecipientServiceModelSecurityTokenRequirement r =
CreateRecipientRequirement (ServiceModelSecurityTokenTypes.SecureConversation);
r.Properties [ReqType.IssuedSecurityTokenParametersProperty] = new SecureConversationSecurityTokenParameters (new SymmetricSecurityBindingElement (new X509SecurityTokenParameters ()));
// without it, "The key length (...) is not a multiple of 8 for symmetric keys" occurs.
r.SecureConversationSecurityBindingElement =
new SymmetricSecurityBindingElement ();
return r;
}
RecipientServiceModelSecurityTokenRequirement CreateRecipientRequirement (string tokenType)
{
RecipientServiceModelSecurityTokenRequirement r =
new RecipientServiceModelSecurityTokenRequirement ();
r.TokenType = tokenType;
r.SecurityBindingElement = new SymmetricSecurityBindingElement ();
r.Properties [ReqType.IssuerBindingContextProperty] =
new BindingContext (new CustomBinding (), new BindingParameterCollection ());
r.Properties [ReqType.IssuedSecurityTokenParametersProperty] = new IssuedSecurityTokenParameters ();
r.MessageSecurityVersion =
MessageSecurityVersion.Default.SecurityTokenVersion;
return r;
}
[Test]
[ExpectedException (typeof (ArgumentException))]
public void CreateAuthenticatorAnonSslNoSecurityBindingElement ()
{
RecipientServiceModelSecurityTokenRequirement r =
CreateAnonSslRequirement ();
r.SecurityBindingElement = null;
SecurityTokenResolver resolver;
def_c.CreateSecurityTokenAuthenticator (r, out resolver);
}
[Test]
[ExpectedException (typeof (ArgumentException))]
public void CreateAuthenticatorAnonSslNoIssuedSecurityTokenParameters ()
{
RecipientServiceModelSecurityTokenRequirement r =
CreateAnonSslRequirement ();
r.Properties.Remove (ReqType.IssuedSecurityTokenParametersProperty);
SecurityTokenResolver resolver;
def_c.CreateSecurityTokenAuthenticator (r, out resolver);
}
[Test]
[ExpectedException (typeof (ArgumentException))]
public void CreateAuthenticatorAnonSslNoIssuerBindingContext ()
{
RecipientServiceModelSecurityTokenRequirement r =
CreateAnonSslRequirement ();
r.Properties.Remove (ReqType.IssuerBindingContextProperty);
SecurityTokenResolver resolver;
def_c.CreateSecurityTokenAuthenticator (r, out resolver);
}
[Test]
// The type of exception should not matter though.
[ExpectedException (typeof (NotSupportedException))]
[Category ("NotWorking")]
public void CreateAuthenticatorAnonSslNullMessageSecurityVersion ()
{
RecipientServiceModelSecurityTokenRequirement r =
CreateAnonSslRequirement ();
r.MessageSecurityVersion = null;
SecurityTokenResolver resolver;
def_c.CreateSecurityTokenAuthenticator (r, out resolver);
}
[Test]
[ExpectedException (typeof (ArgumentException))]
public void CreateAuthenticatorAnonSslNoMessageSecurityVersion ()
{
RecipientServiceModelSecurityTokenRequirement r =
CreateAnonSslRequirement ();
r.Properties.Remove (ReqType.MessageSecurityVersionProperty);
SecurityTokenResolver resolver;
def_c.CreateSecurityTokenAuthenticator (r, out resolver);
}
[Test]
[ExpectedException (typeof (InvalidOperationException))]
[Category ("NotWorking")]
public void CreateAuthenticatorAnonSslNoServiceCertificate ()
{
RecipientServiceModelSecurityTokenRequirement r =
CreateAnonSslRequirement ();
SecurityTokenResolver resolver;
def_c.CreateSecurityTokenAuthenticator (r, out resolver);
}
[Test]
[ExpectedException (typeof (ArgumentException))]
public void CreateAuthenticatorAnonSslCertPublicOnly ()
{
RecipientServiceModelSecurityTokenRequirement r =
CreateAnonSslRequirement ();
SecurityTokenResolver resolver;
def_c.ServiceCredentials.ServiceCertificate.Certificate =
new X509Certificate2 ("Test/Resources/test.cer");
def_c.CreateSecurityTokenAuthenticator (r, out resolver);
}
[Test]
[Category ("NotWorking")]
public void CreateAuthenticatorAnonSsl ()
{
RecipientServiceModelSecurityTokenRequirement r =
CreateAnonSslRequirement ();
SecurityTokenResolver resolver;
X509Certificate2 cert = new X509Certificate2 ("Test/Resources/test.pfx", "mono");
def_c.ServiceCredentials.ServiceCertificate.Certificate = cert;
SecurityTokenAuthenticator a = def_c.CreateSecurityTokenAuthenticator (r, out resolver);
// non-standard authenticator type.
Assert.IsNotNull (resolver, "#1");
Assert.IsTrue (a is IIssuanceSecurityTokenAuthenticator, "#2");
try {
a.ValidateToken (new X509SecurityToken (cert));
Assert.Fail ("It cannot validate raw X509SecurityToken");
} catch (SecurityTokenValidationException) {
}
}
[Test]
[ExpectedException (typeof (NotSupportedException))]
public void CreateProviderSecureConv ()
{
RecipientServiceModelSecurityTokenRequirement r =
new RecipientServiceModelSecurityTokenRequirement ();
r.TokenType = ServiceModelSecurityTokenTypes.SecureConversation;
r.ListenUri = new Uri ("http://localhost:8080");
r.MessageSecurityVersion = MessageSecurityVersion.Default.SecurityTokenVersion;
r.KeySize = 256;
def_c.CreateSecurityTokenProvider (r);
}
[Test]
[ExpectedException (typeof (NotSupportedException))]
[Category ("NotDotNet")] // it results in NRE inside InitializeSecurityTokenRequirement().
public void CreateProviderSecureConv2 ()
{
var sbe = (SymmetricSecurityBindingElement) SecurityBindingElement.CreateSecureConversationBindingElement (SecurityBindingElement.CreateUserNameForCertificateBindingElement ());
var p = new MySecureConversationSecurityTokenParameters ((SecureConversationSecurityTokenParameters) sbe.ProtectionTokenParameters);
var r = new RecipientServiceModelSecurityTokenRequirement ();
p.InitRequirement (r);
def_c.CreateSecurityTokenProvider (r);
}
[Test]
[ExpectedException (typeof (ArgumentException))]
public void CreateAuthenticatorSecureConvNoSecurityBindingElement ()
{
RecipientServiceModelSecurityTokenRequirement r =
CreateSecureConvRequirement ();
r.SecurityBindingElement = null;
SecurityTokenResolver resolver;
def_c.CreateSecurityTokenAuthenticator (r, out resolver);
}
[Test]
[ExpectedException (typeof (ArgumentException))]
public void CreateAuthenticatorSecureConvNoIssuedSecurityTokenParameters ()
{
RecipientServiceModelSecurityTokenRequirement r =
CreateSecureConvRequirement ();
r.Properties.Remove (ReqType.IssuedSecurityTokenParametersProperty);
SecurityTokenResolver resolver;
def_c.CreateSecurityTokenAuthenticator (r, out resolver);
}
[Test]
[ExpectedException (typeof (ArgumentException))]
public void CreateAuthenticatorSecureConvNoIssuerBindingContext ()
{
RecipientServiceModelSecurityTokenRequirement r =
CreateSecureConvRequirement ();
r.Properties.Remove (ReqType.IssuerBindingContextProperty);
SecurityTokenResolver resolver;
def_c.CreateSecurityTokenAuthenticator (r, out resolver);
}
[Test]
[ExpectedException (typeof (ArgumentException))]
public void CreateAuthenticatorSecureConvNoMessageSecurityVersion ()
{
RecipientServiceModelSecurityTokenRequirement r =
CreateSecureConvRequirement ();
r.Properties.Remove (ReqType.MessageSecurityVersionProperty);
SecurityTokenResolver resolver;
def_c.CreateSecurityTokenAuthenticator (r, out resolver);
}
[Test]
public void CreateAuthenticatorSecureConv ()
{
// service certificate is not required
RecipientServiceModelSecurityTokenRequirement r =
CreateSecureConvRequirement ();
SecurityTokenResolver resolver;
//SecurityTokenAuthenticator a =
def_c.CreateSecurityTokenAuthenticator (r, out resolver);
Assert.IsNotNull (resolver, "#1");
}
}
}