// // SymmetricSecurityBindingElementTest.cs // // Author: // Atsushi Enomoto // // Copyright (C) 2006 Novell, Inc. http://www.novell.com // // Permission is hereby granted, free of charge, to any person obtaining // a copy of this software and associated documentation files (the // "Software"), to deal in the Software without restriction, including // without limitation the rights to use, copy, modify, merge, publish, // distribute, sublicense, and/or sell copies of the Software, and to // permit persons to whom the Software is furnished to do so, subject to // the following conditions: // // The above copyright notice and this permission notice shall be // included in all copies or substantial portions of the Software. // // THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, // EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF // MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND // NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE // LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION // OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION // WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE. // using System; using System.Collections.Generic; using System.Collections.ObjectModel; using System.Net; using System.Net.Security; using System.Security.Cryptography.X509Certificates; using System.IdentityModel.Selectors; using System.IdentityModel.Tokens; using System.ServiceModel; using System.ServiceModel.Channels; using System.ServiceModel.Description; using System.ServiceModel.Security; using System.ServiceModel.Security.Tokens; using System.Xml; using NUnit.Framework; namespace MonoTests.System.ServiceModel.Channels { [TestFixture] public class SymmetricSecurityBindingElementTest { [Test] public void DefaultValues () { SymmetricSecurityBindingElement be = new SymmetricSecurityBindingElement (); SecurityAssert.AssertSymmetricSecurityBindingElement ( SecurityAlgorithmSuite.Default, true, // IncludeTimestamp SecurityKeyEntropyMode.CombinedEntropy, MessageProtectionOrder.SignBeforeEncryptAndEncryptSignature, MessageSecurityVersion.Default, false, // RequireSignatureConfirmation SecurityHeaderLayout.Strict, // EndpointSupportingTokenParameters: endorsing, signed, signedEncrypted, signedEndorsing (by count) 0, 0, 0, 0, // ProtectionTokenParameters false, default (SecurityTokenInclusionMode), default (SecurityTokenReferenceStyle), default (bool), // LocalClientSettings true, 60, true, be, ""); } [Test] [ExpectedException (typeof (InvalidOperationException))] public void BuildChannelWithoutProtectionTokenParameters () { CustomBinding b = new CustomBinding ( new SymmetricSecurityBindingElement (), new TextMessageEncodingBindingElement (), new HttpTransportBindingElement ()); b.BuildChannelFactory (new BindingParameterCollection ()); } CustomBinding CreateBinding () { RequestSender handler = delegate (Message input) { throw new Exception (); }; return CreateBinding (handler); } CustomBinding CreateBinding (RequestSender sender) { return CreateBinding (sender, new X509SecurityTokenParameters ()); } CustomBinding CreateBinding (RequestSender sender, bool isOneWay) { return CreateBinding (sender, new X509SecurityTokenParameters (), isOneWay); } CustomBinding CreateBinding (SecurityTokenParameters protectionTokenParameters) { RequestSender handler = delegate (Message input) { throw new Exception (); }; return CreateBinding (handler, protectionTokenParameters); } CustomBinding CreateBinding (RequestSender sender, SecurityTokenParameters protectionTokenParameters) { return CreateBinding (sender, protectionTokenParameters, false); } CustomBinding CreateBinding (RequestSender sender, SecurityTokenParameters protectionTokenParameters, bool isOneWay) { SymmetricSecurityBindingElement sbe = new SymmetricSecurityBindingElement (); sbe.ProtectionTokenParameters = protectionTokenParameters; List l = new List (); l.Add (sbe); l.Add (new TextMessageEncodingBindingElement ()); if (isOneWay) l.Add (new OneWayBindingElement ()); l.Add (new HandlerTransportBindingElement (sender)); CustomBinding b = new CustomBinding (l); return b; } CustomBinding CreateBinding (ReplyHandler replier, RequestReceiver receiver) { SymmetricSecurityBindingElement sbe = new SymmetricSecurityBindingElement (); sbe.ProtectionTokenParameters = new X509SecurityTokenParameters (); CustomBinding b = new CustomBinding ( sbe, new TextMessageEncodingBindingElement (), new HandlerTransportBindingElement (replier, receiver)); return b; } EndpointAddress CreateX509EndpointAddress (string uri) { EndpointIdentity identity = new X509CertificateEndpointIdentity (new X509Certificate2 ("Test/Resources/test.pfx", "mono")); return new EndpointAddress (new Uri (uri), identity); } IChannelListener CreateListener (ReplyHandler handler, RequestReceiver receiver) { CustomBinding rb = CreateBinding (handler, receiver); BindingParameterCollection bpl = new BindingParameterCollection (); ServiceCredentials cred = new ServiceCredentials (); cred.ServiceCertificate.Certificate = new X509Certificate2 ("Test/Resources/test.pfx", "mono"); IServiceBehavior sb = cred; sb.AddBindingParameters (null, null, null, bpl); IChannelListener listener = rb.BuildChannelListener (bpl); return listener; } [Test] public void OpenChannelFactory () { CustomBinding b = CreateBinding (); IChannelFactory f = b.BuildChannelFactory (new BindingParameterCollection ()); f.Open (); } [Test] [ExpectedException (typeof (InvalidOperationException))] public void BuildChannelWithoutOpen () { CustomBinding b = CreateBinding (); IChannelFactory f = b.BuildChannelFactory (new BindingParameterCollection ()); f.CreateChannel (CreateX509EndpointAddress ("stream:dummy")); } [Test] public void OpenRequestNonAuthenticatable () { SymmetricSecurityBindingElement sbe = new SymmetricSecurityBindingElement (); sbe.ProtectionTokenParameters = new UserNameSecurityTokenParameters (); Binding binding = new CustomBinding (sbe, new HandlerTransportBindingElement (null)); BindingParameterCollection pl = new BindingParameterCollection (); ClientCredentials cred = new ClientCredentials (); cred.UserName.UserName = "mono"; pl.Add (cred); IChannelFactory f = binding.BuildChannelFactory (pl); f.Open (); IRequestChannel ch = f.CreateChannel (new EndpointAddress ("stream:dummy")); try { ch.Open (); Assert.Fail ("NotSupportedException is expected."); } catch (NotSupportedException) { } } // The service certificate is not provided for target // 'stream:dummy'. Specify a service certificate in // ClientCredentials. [Test] public void OpenRequestWithoutServiceCertificate () { CustomBinding b = CreateBinding (); IChannelFactory f = b.BuildChannelFactory (new BindingParameterCollection ()); f.Open (); // This EndpointAddress does not contain X509 identity IRequestChannel ch = f.CreateChannel (new EndpointAddress ("stream:dummy")); try { ch.Open (); Assert.Fail ("expected InvalidOperationException here."); } catch (InvalidOperationException) { } } IChannelFactory CreateDefaultServiceCertFactory () { CustomBinding b = CreateBinding (delegate (Message req) { return null; }); ClientCredentials cred = new ClientCredentials (); cred.ServiceCertificate.DefaultCertificate = new X509Certificate2 ("Test/Resources/test.pfx", "mono"); BindingParameterCollection parameters = new BindingParameterCollection (); parameters.Add (cred); ChannelProtectionRequirements cp = new ChannelProtectionRequirements (); cp.IncomingSignatureParts.AddParts ( new MessagePartSpecification (true), "http://tempuri.org/MyAction"); cp.IncomingEncryptionParts.AddParts ( new MessagePartSpecification (true), "http://tempuri.org/MyAction"); parameters.Add (cp); return b.BuildChannelFactory (parameters); } [Test] public void OpenRequestWithDefaultServiceCertificate () { IChannelFactory f = CreateDefaultServiceCertFactory (); f.Open (); // This EndpointAddress does not contain X509 identity IRequestChannel ch = f.CreateChannel (new EndpointAddress ("stream:dummy")); ch.Open (); // stop here. } [Test] [ExpectedException (typeof (MessageSecurityException))] [Category ("NotWorking")] // from WinFX: // MessageSecurityException : Identity check failed for outgoing // message. The expected DNS identity of the remote endpoint was // '' but the remote endpoint provided DNS claim 'Poupou's- // Software-Factory'. If this is a legitimate remote endpoint, // you can fix the problem by explicitly specifying DNS identity // 'Poupou's-Software-Factory' as the Identity property of // EndpointAddress when creating channel proxy. public void RequestWithDefaultServiceCertificateWithoutDns () { IChannelFactory f = CreateDefaultServiceCertFactory (); f.Open (); // This EndpointAddress does not contain X509 identity IRequestChannel ch = f.CreateChannel (new EndpointAddress ("stream:dummy")); ch.Open (); // -> MessageSecurityException (IdentityVerifier complains DNS claim) ch.Request (Message.CreateMessage (MessageVersion.Default, "http://tempuri.org/MyAction")); } [Test] [Category ("NotWorking")] public void RequestWithDefaultServiceCertificateWithDns () { IChannelFactory f = CreateDefaultServiceCertFactory (); f.Open (); // This EndpointAddress does not contain X509 identity IRequestChannel ch = f.CreateChannel (new EndpointAddress (new Uri ("stream:dummy"), new DnsEndpointIdentity ("Poupou's-Software-Factory"))); ch.Open (); // -> MessageSecurityException (IdentityVerifier complains DNS claim) ch.Request (Message.CreateMessage (MessageVersion.Default, "http://tempuri.org/MyAction")); } [Test] [Category ("NotWorking")] // it depends on Kerberos public void OpenRequestWithoutServiceCertificateForNonX509 () { CustomBinding b = CreateBinding (new MyOwnSecurityTokenParameters ()); IChannelFactory f = b.BuildChannelFactory (new BindingParameterCollection ()); f.Open (); // This EndpointAddress does not contain X509 identity IRequestChannel ch = f.CreateChannel (new EndpointAddress ("stream:dummy")); ch.Open (); } [Test] public void SendRequestWithoutOpen () { CustomBinding b = CreateBinding (); IChannelFactory f = b.BuildChannelFactory (new BindingParameterCollection ()); f.Open (); IRequestChannel ch = f.CreateChannel (CreateX509EndpointAddress ("stream:dummy")); try { ch.Request (Message.CreateMessage (MessageVersion.Default, "myAction")); Assert.Fail ("expected InvalidOperationException here."); } catch (InvalidOperationException) { } } [Test] [Category ("NotWorking")] public void SendRequestWithoutSignatureMessagePart () { CustomBinding b = CreateBinding (); // without ChannelProtectionRequirements it won't be // signed and/or encrypted. IChannelFactory f = b.BuildChannelFactory (new BindingParameterCollection ()); f.Open (); IRequestChannel ch = f.CreateChannel (CreateX509EndpointAddress ("stream:dummy")); ch.Open (); // MessageSecurityException : No signature message parts // were specified for messages with the 'myAction' // action. try { ch.Request (Message.CreateMessage (b.MessageVersion, "myAction")); Assert.Fail ("MessageSecurityException is expected here."); } catch (MessageSecurityException) { } } [Test] [ExpectedException (typeof (Exception))] [Category ("NotWorking")] public void SendRequestWithSignatureMessagePart () { CustomBinding b = CreateBinding (); ChannelProtectionRequirements cp = new ChannelProtectionRequirements (); cp.IncomingSignatureParts.AddParts (new MessagePartSpecification (true), "myAction"); cp.IncomingEncryptionParts.AddParts (new MessagePartSpecification (true), "myAction"); BindingParameterCollection parameters = new BindingParameterCollection (); parameters.Add (cp); IChannelFactory f = b.BuildChannelFactory (parameters); f.Open (); IRequestChannel ch = f.CreateChannel (CreateX509EndpointAddress ("stream:dummy")); ch.Open (); ch.Request (Message.CreateMessage (b.MessageVersion, "myAction")); } [Test] [Category ("NotWorking")] // it requires OneWay public void RequestBasedOnContract1 () { CustomBinding b = CreateBinding (delegate (Message input) { return null; }, true); IFoo foo = ChannelFactory.CreateChannel (b, CreateX509EndpointAddress ("stream:dummy")); foo.Bar (Message.CreateMessage (b.MessageVersion, "http://tempuri.org/IFoo/Bar")); } [Test] [Category ("NotWorking")] // it requires OneWay public void RequestBasedOnContract2 () { CustomBinding b = CreateBinding (delegate (Message input) { return null; }, true); IFoo foo = ChannelFactory.CreateChannel (b, CreateX509EndpointAddress ("stream:dummy")); foo.Baz ("TEST"); } [Test] // it still does not produce secure message ... [Category ("NotWorking")] public void RequestBasedOnContract3 () { CustomBinding b = CreateBinding (delegate (Message input) { // seems like security message property is not attached to the request. foreach (object o in input.Properties.Values) if (o is SecurityMessageProperty) Assert.Fail ("there should be a SecurityMessageProperty."); return null; }, true); IFoo foo = ChannelFactory.CreateChannel (b, CreateX509EndpointAddress ("stream:dummy")); foo.Bleh ("TEST"); } // from WCF (beta2): // "MessageSecurityException : Security processor was unable // to find a security header in the message. This might be // because the message is an unsecured fault or because there // is a binding mismatch between the communicating parties. // This can occur if the service is configured for security // and the client is not using security." [Test] [ExpectedException (typeof (MessageSecurityException))] [Category ("NotWorking")] public void RequestUnsecuredReply () { CustomBinding b = CreateBinding (delegate (Message input) { return input; }); IFoo foo = ChannelFactory.CreateChannel (b, CreateX509EndpointAddress ("stream:dummy")); foo.Bar (Message.CreateMessage (b.MessageVersion, "http://tempuri.org/IFoo/Bar")); } [ServiceContract] interface IFoo { [OperationContract (IsOneWay = true)] void Bar (Message msg); [OperationContract (IsOneWay = true)] void Baz (string src); [OperationContract (ProtectionLevel = ProtectionLevel.Sign, IsOneWay = true)] void Bleh (string src); } [Test] [ExpectedException (typeof (InvalidOperationException))] public void BuildListenerWithoutProtectionTokenParameters () { CustomBinding b = new CustomBinding ( new SymmetricSecurityBindingElement (), new TextMessageEncodingBindingElement (), new HttpTransportBindingElement ()); b.BuildChannelListener (new BindingParameterCollection ()); } [Test] [ExpectedException (typeof (InvalidOperationException))] public void OpenListenerWithoutServiceCertificate () { CustomBinding rb = CreateBinding (); IChannelListener listener = rb.BuildChannelListener (new BindingParameterCollection ()); listener.Open (); } [Test] [ExpectedException (typeof (ArgumentException))] public void OpenListenerNoPrivateKeyInServiceCertificate () { CustomBinding rb = CreateBinding (); BindingParameterCollection bpl = new BindingParameterCollection (); ServiceCredentials cred = new ServiceCredentials (); cred.ServiceCertificate.Certificate = new X509Certificate2 ("Test/Resources/test.cer"); IServiceBehavior sb = cred; sb.AddBindingParameters (null, null, null, bpl); IChannelListener listener = rb.BuildChannelListener (bpl); listener.Open (); } [Test] [ExpectedException (typeof (InvalidOperationException))] public void AcceptChannelWithoutOpenListener () { IChannelListener listener = CreateListener (null, null); listener.AcceptChannel (); } [Test] [ExpectedException (typeof (InvalidOperationException))] [Category ("NotWorking")] public void ReceiveRequestWithoutOpenChannel () { IChannelListener listener = CreateListener (null, null); listener.Open (); IReplyChannel reply = listener.AcceptChannel (); reply.ReceiveRequest (); } [Test] [Ignore ("It's not working")] [ExpectedException (typeof (ApplicationException))] public void ReceiveRequest () { // Seems like this method is invoked to send a reply // with related to "already created" SOAP fault. // // It is still not understandable that this delegate // is invoked as an infinite loop ... ReplyHandler handler = delegate (Message input) { Console.Error.WriteLine ("Processing a reply."); // a:InvalidSecurity // An error occurred when verifying security for the message. Assert.IsTrue (input.IsFault); throw new ApplicationException (); }; Message msg = Message.CreateMessage (MessageVersion.Default, "myAction"); RequestReceiver receiver = delegate () { return msg; }; IChannelListener listener = CreateListener (handler, receiver); listener.Open (); IReplyChannel reply = listener.AcceptChannel (); reply.Open (); RequestContext ctx = reply.EndReceiveRequest (reply.BeginReceiveRequest (null, null)); } // Without SecurityBindingElement it works. // With it, it causes kind of infinite loop around // RequestContext.get_RequestMessage() which somehow blocks // finishing HandlerTransportRequestChannel.Request() (and // it continues until the timeout). [Test] [Ignore ("It's not working")] [Category ("NotWorking")] public void FullRequest () { EndpointIdentity identity = new X509CertificateEndpointIdentity (new X509Certificate2 ("Test/Resources/test.pfx", "mono")); EndpointAddress address = new EndpointAddress (new Uri ("stream:dummy"), identity); Message mreq = Message.CreateMessage (MessageVersion.Default, "myAction"); Message mreply = null; XmlWriterSettings settings = new XmlWriterSettings (); settings.Indent = true; // listener setup ReplyHandler replyHandler = delegate (Message rinput) { mreply = rinput; }; RequestReceiver receiver = delegate () { return mreq; }; IChannelListener listener = CreateListener (replyHandler, receiver); listener.Open (); IReplyChannel reply = listener.AcceptChannel (); reply.Open (); RequestSender reqHandler = delegate (Message input) { try { // sync version somehow causes an infinite loop (!?) RequestContext ctx = reply.EndReceiveRequest (reply.BeginReceiveRequest (TimeSpan.FromSeconds (5), null, null)); // RequestContext ctx = reply.ReceiveRequest (TimeSpan.FromSeconds (5)); Console.Error.WriteLine ("Acquired RequestContext."); ctx.Reply (input); } catch (Exception ex) { Console.Error.WriteLine ("ERROR during processing a request in FullRequest()"); Console.Error.WriteLine (ex); Console.Error.Flush (); throw; } return mreply; }; CustomBinding b = CreateBinding (reqHandler); IRequestChannel ch = ChannelFactory.CreateChannel (b, address); ch.Open (); Console.Error.WriteLine ("**** starting a request ****"); IAsyncResult async = ch.BeginRequest (mreq, null, null); Console.Error.WriteLine ("**** request started. ****"); Message res = ch.EndRequest (async); } [Test] public void SetKeyDerivation () { SymmetricSecurityBindingElement be; X509SecurityTokenParameters p; be = new SymmetricSecurityBindingElement (); p = new X509SecurityTokenParameters (); be.ProtectionTokenParameters = p; be.SetKeyDerivation (false); Assert.AreEqual (false, p.RequireDerivedKeys, "#1"); be = new SymmetricSecurityBindingElement (); p = new X509SecurityTokenParameters (); be.SetKeyDerivation (false); // set in prior - makes no sense be.ProtectionTokenParameters = p; Assert.AreEqual (true, p.RequireDerivedKeys, "#2"); } } class MyOwnSecurityTokenParameters : SecurityTokenParameters { public MyOwnSecurityTokenParameters () { } protected MyOwnSecurityTokenParameters (MyOwnSecurityTokenParameters source) { } protected override bool HasAsymmetricKey { get { return false; } } protected override bool SupportsClientAuthentication { get { return true; } } protected override bool SupportsClientWindowsIdentity { get { return false; } } protected override bool SupportsServerAuthentication { get { return true; } } protected override SecurityTokenParameters CloneCore () { return new MyOwnSecurityTokenParameters (this); } protected override SecurityKeyIdentifierClause CreateKeyIdentifierClause ( SecurityToken token, SecurityTokenReferenceStyle referenceStyle) { throw new NotImplementedException (); } protected override void InitializeSecurityTokenRequirement (SecurityTokenRequirement requirement) { // If there were another token type that supports protection // and does not require X509, it should be used instead ... requirement.TokenType = SecurityTokenTypes.Kerberos; } } }