// // ServiceCredentialsSecurityTokenManagerTest.cs // // Author: // Atsushi Enomoto // // Copyright (C) 2006-2007 Novell, Inc. http://www.novell.com // // Permission is hereby granted, free of charge, to any person obtaining // a copy of this software and associated documentation files (the // "Software"), to deal in the Software without restriction, including // without limitation the rights to use, copy, modify, merge, publish, // distribute, sublicense, and/or sell copies of the Software, and to // permit persons to whom the Software is furnished to do so, subject to // the following conditions: // // The above copyright notice and this permission notice shall be // included in all copies or substantial portions of the Software. // // THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, // EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF // MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND // NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE // LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION // OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION // WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE. // #if !MOBILE && !XAMMAC_4_5 using System; using System.IdentityModel.Selectors; using System.IdentityModel.Tokens; using System.Net; using System.Security.Cryptography.X509Certificates; using System.ServiceModel; using System.ServiceModel.Channels; using System.ServiceModel.Description; using System.ServiceModel.Security; using System.ServiceModel.Security.Tokens; using System.Xml; using NUnit.Framework; using ReqType = System.ServiceModel.Security.Tokens.ServiceModelSecurityTokenRequirement; namespace MonoTests.System.ServiceModel.Security { [TestFixture] public class ServiceCredentialsSecurityTokenManagerTest { class MyManager : ServiceCredentialsSecurityTokenManager { public MyManager () : this (new ServiceCredentials ()) { } public MyManager (ServiceCredentials cred) : base (cred) { } public bool IsIssued (SecurityTokenRequirement r) { return IsIssuedSecurityTokenRequirement (r); } } class MySslSecurityTokenParameters : SslSecurityTokenParameters { public void InitRequirement (SecurityTokenRequirement r) { InitializeSecurityTokenRequirement (r); } } MyManager def_c; [SetUp] public void Initialize () { def_c = new MyManager (); } [Test] public void DefaultValues () { // FIXME: check more MyManager mgr = new MyManager (); Assert.IsTrue (mgr.ServiceCredentials.SecureConversationAuthentication.SecurityStateEncoder is DataProtectionSecurityStateEncoder, "#n-1"); } [Test] public void IsIssuedSecurityTokenRequirement () { RecipientServiceModelSecurityTokenRequirement r; MyManager mgr = new MyManager (); r = new RecipientServiceModelSecurityTokenRequirement (); MySslSecurityTokenParameters ssl = new MySslSecurityTokenParameters (); ssl.InitRequirement (r); Assert.IsFalse (mgr.IsIssued (r), "ssl"); r = new RecipientServiceModelSecurityTokenRequirement (); MySspiSecurityTokenParameters sspi = new MySspiSecurityTokenParameters (); sspi.InitRequirement (r); Assert.IsFalse (mgr.IsIssued (r), "sspi"); r = new RecipientServiceModelSecurityTokenRequirement (); MyIssuedSecurityTokenParameters issued = new MyIssuedSecurityTokenParameters (); issued.InitRequirement (r); Assert.IsTrue (mgr.IsIssued (r), "issued"); /* r = new RecipientServiceModelSecurityTokenRequirement (); MySecureConversationSecurityTokenParameters sc = new MySecureConversationSecurityTokenParameters ( new SymmetricSecurityBindingElement (new X509SecurityTokenParameters ()), false, new ChannelProtectionRequirements ()); r.Properties [ReqType.IssuerBindingContextProperty] = new BindingContext (new CustomBinding (), new BindingParameterCollection ()); r.Properties [ReqType.MessageSecurityVersionProperty] = MessageSecurityVersion.Default; r.Properties [ReqType.ChannelParametersCollectionProperty] = new ChannelParameterCollection (); r.Properties [ReqType.IssuedSecurityTokenParametersProperty] = sc.Clone (); r.Properties [ReqType.IssuerBindingProperty] = new CustomBinding (new HttpTransportBindingElement ()); r.Properties [ReqType.MessageDirectionProperty] = MessageDirection.Input; r.SecureConversationSecurityBindingElement = new SymmetricSecurityBindingElement ( new X509SecurityTokenParameters ()); r.SecurityAlgorithmSuite = SecurityAlgorithmSuite.Default; r.Properties [ReqType.SupportSecurityContextCancellationProperty] = true; r.ListenUri = new Uri ("http://localhost:8080"); r.KeySize = 256; sc.InitRequirement (r); Assert.IsFalse (mgr.IsIssued (r), "sc"); */ } [Test] [ExpectedException (typeof (NotSupportedException))] public void CreateProviderDefault () { SecurityTokenRequirement r = new RecipientServiceModelSecurityTokenRequirement (); def_c.CreateSecurityTokenProvider (r); } [Test] [ExpectedException (typeof (InvalidOperationException))] [Ignore ("")] public void CreateProviderUserNameWithoutName () { SecurityTokenRequirement r = new RecipientServiceModelSecurityTokenRequirement (); r.TokenType = SecurityTokenTypes.UserName; def_c.CreateSecurityTokenProvider (r); } [Test] [ExpectedException (typeof (NotSupportedException))] public void CreateProviderUserName () { SecurityTokenRequirement r = new RecipientServiceModelSecurityTokenRequirement (); r.TokenType = SecurityTokenTypes.UserName; def_c.CreateSecurityTokenProvider (r); } class MyUserNameValidator : UserNamePasswordValidator { public override void Validate (string userName, string password) { throw new Exception (); } } [Test] public void CreateAuthenticatorUserName () { SecurityTokenRequirement r = new RecipientServiceModelSecurityTokenRequirement (); r.TokenType = SecurityTokenTypes.UserName; SecurityTokenResolver resolver; SecurityTokenAuthenticator a = def_c.CreateSecurityTokenAuthenticator (r, out resolver); Assert.AreEqual (typeof (WindowsUserNameSecurityTokenAuthenticator), a.GetType (), "#1"); Assert.IsNull (resolver, "#2"); def_c.ServiceCredentials.UserNameAuthentication.UserNamePasswordValidationMode = UserNamePasswordValidationMode.Custom; def_c.ServiceCredentials.UserNameAuthentication.CustomUserNamePasswordValidator = new MyUserNameValidator (); a = def_c.CreateSecurityTokenAuthenticator (r, out resolver); Assert.AreEqual (typeof (CustomUserNameSecurityTokenAuthenticator), a.GetType (), "#3"); Assert.IsNull (resolver, "#4"); } [Test] [ExpectedException (typeof (InvalidOperationException))] public void CreateAuthenticatorUserNameCustomWithoutValidator () { SecurityTokenRequirement r = new RecipientServiceModelSecurityTokenRequirement (); r.TokenType = SecurityTokenTypes.UserName; SecurityTokenResolver resolver; def_c.ServiceCredentials.UserNameAuthentication.UserNamePasswordValidationMode = UserNamePasswordValidationMode.Custom; def_c.CreateSecurityTokenAuthenticator (r, out resolver); } [Test] [ExpectedException (typeof (NotSupportedException))] public void CreateProviderRsaDefault () { // actually is Rsa usable here?? SecurityTokenRequirement r = new RecipientServiceModelSecurityTokenRequirement (); r.TokenType = SecurityTokenTypes.Rsa; def_c.CreateSecurityTokenProvider (r); } [Test] public void CreateAuthenticatorRsaDefault () { SecurityTokenRequirement r = new RecipientServiceModelSecurityTokenRequirement (); SecurityTokenResolver resolver; r.TokenType = SecurityTokenTypes.Rsa; SecurityTokenAuthenticator a = def_c.CreateSecurityTokenAuthenticator (r, out resolver); Assert.AreEqual (typeof (RsaSecurityTokenAuthenticator), a.GetType (), "#1"); Assert.IsNull (resolver, "#2"); } [Test] [ExpectedException (typeof (InvalidOperationException))] public void CreateProviderX509WithoutCert () { SecurityTokenRequirement r = new RecipientServiceModelSecurityTokenRequirement (); r.TokenType = SecurityTokenTypes.X509Certificate; def_c.CreateSecurityTokenProvider (r); } [Test] [ExpectedException (typeof (ArgumentException))] public void CreateProviderX509PublicOnlyKey () { SecurityTokenRequirement r = new RecipientServiceModelSecurityTokenRequirement (); r.TokenType = SecurityTokenTypes.X509Certificate; X509Certificate2 cert = new X509Certificate2 ("Test/Resources/test.cer"); def_c.ServiceCredentials.ServiceCertificate.Certificate = cert; def_c.CreateSecurityTokenProvider (r); } [Test] public void CreateProviderX509 () { SecurityTokenRequirement r = new RecipientServiceModelSecurityTokenRequirement (); r.TokenType = SecurityTokenTypes.X509Certificate; def_c.ServiceCredentials.ServiceCertificate.Certificate = new X509Certificate2 ("Test/Resources/test.pfx", "mono"); X509SecurityTokenProvider p = def_c.CreateSecurityTokenProvider (r) as X509SecurityTokenProvider; Assert.IsNotNull (p, "#1"); } [Test] [ExpectedException (typeof (InvalidOperationException))] public void CreateProviderX509Initiator () { InitiatorServiceModelSecurityTokenRequirement r = new InitiatorServiceModelSecurityTokenRequirement (); r.TokenType = SecurityTokenTypes.X509Certificate; r.KeyUsage = SecurityKeyUsage.Exchange; // ClientCredential is somehow required ... def_c.ServiceCredentials.ServiceCertificate.Certificate = new X509Certificate2 ("Test/Resources/test.pfx", "mono"); X509SecurityTokenProvider p = def_c.CreateSecurityTokenProvider (r) as X509SecurityTokenProvider; Assert.IsNotNull (p, "#1"); } [Test] [ExpectedException (typeof (NotSupportedException))] public void CreateProviderAnonSslError () { RecipientServiceModelSecurityTokenRequirement r = new RecipientServiceModelSecurityTokenRequirement (); r.TokenType = ServiceModelSecurityTokenTypes.AnonymousSslnego; r.ListenUri = new Uri ("http://localhost:8080"); r.SecurityBindingElement = new SymmetricSecurityBindingElement (); r.Properties [ReqType.IssuerBindingContextProperty] = new BindingContext (new CustomBinding (), new BindingParameterCollection ()); r.MessageSecurityVersion = MessageSecurityVersion.Default.SecurityTokenVersion; SecurityTokenProvider p = def_c.CreateSecurityTokenProvider (r); Assert.IsNotNull (p, "#1"); } [Test] [Ignore ("incomplete")] [Category ("NotWorking")] public void CreateProviderAnonSsl () { RecipientServiceModelSecurityTokenRequirement r = new RecipientServiceModelSecurityTokenRequirement (); new MySslSecurityTokenParameters ().InitRequirement (r); Assert.IsFalse (r.Properties.ContainsKey (ReqType.ChannelParametersCollectionProperty), "#1"); Assert.IsFalse (r.Properties.ContainsKey (ReqType.EndpointFilterTableProperty), "#2"); Assert.IsFalse (r.Properties.ContainsKey (ReqType.HttpAuthenticationSchemeProperty), "#3"); Assert.IsFalse (r.Properties.ContainsKey (ReqType.IsOutOfBandTokenProperty), "#4"); Assert.IsFalse (r.Properties.ContainsKey (ReqType.IssuerAddressProperty), "#5"); Assert.IsFalse (r.Properties.ContainsKey (ReqType.MessageDirectionProperty), "#6"); Assert.IsFalse (r.Properties.ContainsKey (ReqType.MessageSecurityVersionProperty), "#7"); //Assert.IsTrue (r.Properties.ContainsKey (SecurityTokenRequirement.PeerAuthenticationMode), "#8"); Assert.IsFalse (r.Properties.ContainsKey (ReqType.SecurityAlgorithmSuiteProperty), "#9"); Assert.IsFalse (r.Properties.ContainsKey (ReqType.SecurityBindingElementProperty), "#10"); Assert.IsFalse (r.Properties.ContainsKey (ReqType.SupportingTokenAttachmentModeProperty), "#11"); Assert.AreEqual (null, r.TransportScheme, "#12"); r.TokenType = ServiceModelSecurityTokenTypes.AnonymousSslnego; r.ListenUri = new Uri ("http://localhost:8080"); r.SecurityBindingElement = new SymmetricSecurityBindingElement (); r.Properties [ReqType.IssuerBindingContextProperty] = new BindingContext (new CustomBinding (), new BindingParameterCollection ()); r.MessageSecurityVersion = MessageSecurityVersion.Default.SecurityTokenVersion; r.Properties [ReqType.SecurityAlgorithmSuiteProperty] = SecurityAlgorithmSuite.Default; r.TransportScheme = "https"; r.Properties [ReqType.ChannelParametersCollectionProperty] = new ChannelParameterCollection (); r.Properties [ReqType.EndpointFilterTableProperty] = null; r.Properties [ReqType.HttpAuthenticationSchemeProperty] = AuthenticationSchemes.Anonymous; r.Properties [ReqType.IsOutOfBandTokenProperty] = true; r.Properties [ReqType.IssuerAddressProperty] = new EndpointAddress ("http://localhost:9090"); // r.Properties [ReqType.MessageDirectionProperty] = MessageDirection.Input; r.Properties [ReqType.SecurityBindingElementProperty] = new SymmetricSecurityBindingElement (); r.Properties [ReqType.SupportingTokenAttachmentModeProperty] = SecurityTokenAttachmentMode.Signed; SecurityTokenProvider p = def_c.CreateSecurityTokenProvider (r); Assert.IsNotNull (p, "#1"); } RecipientServiceModelSecurityTokenRequirement CreateAnonSslRequirement () { RecipientServiceModelSecurityTokenRequirement r = new RecipientServiceModelSecurityTokenRequirement (); MySslSecurityTokenParameters p = new MySslSecurityTokenParameters (); p.InitRequirement (r); r.SecurityBindingElement = new SymmetricSecurityBindingElement (new X509SecurityTokenParameters ()); r.Properties [ReqType.IssuedSecurityTokenParametersProperty] = p.Clone (); r.Properties [ReqType.IssuerBindingContextProperty] = new BindingContext (new CustomBinding (new HttpTransportBindingElement ()), new BindingParameterCollection ()); r.Properties [ReqType.MessageSecurityVersionProperty] = MessageSecurityVersion.Default.SecurityTokenVersion; return r; } RecipientServiceModelSecurityTokenRequirement CreateSecureConvRequirement () { RecipientServiceModelSecurityTokenRequirement r = CreateRecipientRequirement (ServiceModelSecurityTokenTypes.SecureConversation); r.Properties [ReqType.IssuedSecurityTokenParametersProperty] = new SecureConversationSecurityTokenParameters (new SymmetricSecurityBindingElement (new X509SecurityTokenParameters ())); // without it, "The key length (...) is not a multiple of 8 for symmetric keys" occurs. r.SecureConversationSecurityBindingElement = new SymmetricSecurityBindingElement (); return r; } RecipientServiceModelSecurityTokenRequirement CreateRecipientRequirement (string tokenType) { RecipientServiceModelSecurityTokenRequirement r = new RecipientServiceModelSecurityTokenRequirement (); r.TokenType = tokenType; r.SecurityBindingElement = new SymmetricSecurityBindingElement (); r.Properties [ReqType.IssuerBindingContextProperty] = new BindingContext (new CustomBinding (), new BindingParameterCollection ()); r.Properties [ReqType.IssuedSecurityTokenParametersProperty] = new IssuedSecurityTokenParameters (); r.MessageSecurityVersion = MessageSecurityVersion.Default.SecurityTokenVersion; return r; } [Test] [ExpectedException (typeof (ArgumentException))] public void CreateAuthenticatorAnonSslNoSecurityBindingElement () { RecipientServiceModelSecurityTokenRequirement r = CreateAnonSslRequirement (); r.SecurityBindingElement = null; SecurityTokenResolver resolver; def_c.CreateSecurityTokenAuthenticator (r, out resolver); } [Test] [ExpectedException (typeof (ArgumentException))] public void CreateAuthenticatorAnonSslNoIssuedSecurityTokenParameters () { RecipientServiceModelSecurityTokenRequirement r = CreateAnonSslRequirement (); r.Properties.Remove (ReqType.IssuedSecurityTokenParametersProperty); SecurityTokenResolver resolver; def_c.CreateSecurityTokenAuthenticator (r, out resolver); } [Test] [ExpectedException (typeof (ArgumentException))] public void CreateAuthenticatorAnonSslNoIssuerBindingContext () { RecipientServiceModelSecurityTokenRequirement r = CreateAnonSslRequirement (); r.Properties.Remove (ReqType.IssuerBindingContextProperty); SecurityTokenResolver resolver; def_c.CreateSecurityTokenAuthenticator (r, out resolver); } [Test] // The type of exception should not matter though. [ExpectedException (typeof (NotSupportedException))] [Category ("NotWorking")] public void CreateAuthenticatorAnonSslNullMessageSecurityVersion () { RecipientServiceModelSecurityTokenRequirement r = CreateAnonSslRequirement (); r.MessageSecurityVersion = null; SecurityTokenResolver resolver; def_c.CreateSecurityTokenAuthenticator (r, out resolver); } [Test] [ExpectedException (typeof (ArgumentException))] public void CreateAuthenticatorAnonSslNoMessageSecurityVersion () { RecipientServiceModelSecurityTokenRequirement r = CreateAnonSslRequirement (); r.Properties.Remove (ReqType.MessageSecurityVersionProperty); SecurityTokenResolver resolver; def_c.CreateSecurityTokenAuthenticator (r, out resolver); } [Test] [ExpectedException (typeof (InvalidOperationException))] [Category ("NotWorking")] public void CreateAuthenticatorAnonSslNoServiceCertificate () { RecipientServiceModelSecurityTokenRequirement r = CreateAnonSslRequirement (); SecurityTokenResolver resolver; def_c.CreateSecurityTokenAuthenticator (r, out resolver); } [Test] [ExpectedException (typeof (ArgumentException))] public void CreateAuthenticatorAnonSslCertPublicOnly () { RecipientServiceModelSecurityTokenRequirement r = CreateAnonSslRequirement (); SecurityTokenResolver resolver; def_c.ServiceCredentials.ServiceCertificate.Certificate = new X509Certificate2 ("Test/Resources/test.cer"); def_c.CreateSecurityTokenAuthenticator (r, out resolver); } [Test] [Category ("NotWorking")] public void CreateAuthenticatorAnonSsl () { RecipientServiceModelSecurityTokenRequirement r = CreateAnonSslRequirement (); SecurityTokenResolver resolver; X509Certificate2 cert = new X509Certificate2 ("Test/Resources/test.pfx", "mono"); def_c.ServiceCredentials.ServiceCertificate.Certificate = cert; SecurityTokenAuthenticator a = def_c.CreateSecurityTokenAuthenticator (r, out resolver); // non-standard authenticator type. Assert.IsNotNull (resolver, "#1"); Assert.IsTrue (a is IIssuanceSecurityTokenAuthenticator, "#2"); try { a.ValidateToken (new X509SecurityToken (cert)); Assert.Fail ("It cannot validate raw X509SecurityToken"); } catch (SecurityTokenValidationException) { } } [Test] [ExpectedException (typeof (NotSupportedException))] public void CreateProviderSecureConv () { RecipientServiceModelSecurityTokenRequirement r = new RecipientServiceModelSecurityTokenRequirement (); r.TokenType = ServiceModelSecurityTokenTypes.SecureConversation; r.ListenUri = new Uri ("http://localhost:8080"); r.MessageSecurityVersion = MessageSecurityVersion.Default.SecurityTokenVersion; r.KeySize = 256; def_c.CreateSecurityTokenProvider (r); } [Test] [ExpectedException (typeof (NotSupportedException))] [Category ("NotDotNet")] // it results in NRE inside InitializeSecurityTokenRequirement(). public void CreateProviderSecureConv2 () { var sbe = (SymmetricSecurityBindingElement) SecurityBindingElement.CreateSecureConversationBindingElement (SecurityBindingElement.CreateUserNameForCertificateBindingElement ()); var p = new MySecureConversationSecurityTokenParameters ((SecureConversationSecurityTokenParameters) sbe.ProtectionTokenParameters); var r = new RecipientServiceModelSecurityTokenRequirement (); p.InitRequirement (r); def_c.CreateSecurityTokenProvider (r); } [Test] [ExpectedException (typeof (ArgumentException))] public void CreateAuthenticatorSecureConvNoSecurityBindingElement () { RecipientServiceModelSecurityTokenRequirement r = CreateSecureConvRequirement (); r.SecurityBindingElement = null; SecurityTokenResolver resolver; def_c.CreateSecurityTokenAuthenticator (r, out resolver); } [Test] [ExpectedException (typeof (ArgumentException))] public void CreateAuthenticatorSecureConvNoIssuedSecurityTokenParameters () { RecipientServiceModelSecurityTokenRequirement r = CreateSecureConvRequirement (); r.Properties.Remove (ReqType.IssuedSecurityTokenParametersProperty); SecurityTokenResolver resolver; def_c.CreateSecurityTokenAuthenticator (r, out resolver); } [Test] [ExpectedException (typeof (ArgumentException))] public void CreateAuthenticatorSecureConvNoIssuerBindingContext () { RecipientServiceModelSecurityTokenRequirement r = CreateSecureConvRequirement (); r.Properties.Remove (ReqType.IssuerBindingContextProperty); SecurityTokenResolver resolver; def_c.CreateSecurityTokenAuthenticator (r, out resolver); } [Test] [ExpectedException (typeof (ArgumentException))] public void CreateAuthenticatorSecureConvNoMessageSecurityVersion () { RecipientServiceModelSecurityTokenRequirement r = CreateSecureConvRequirement (); r.Properties.Remove (ReqType.MessageSecurityVersionProperty); SecurityTokenResolver resolver; def_c.CreateSecurityTokenAuthenticator (r, out resolver); } [Test] public void CreateAuthenticatorSecureConv () { // service certificate is not required RecipientServiceModelSecurityTokenRequirement r = CreateSecureConvRequirement (); SecurityTokenResolver resolver; //SecurityTokenAuthenticator a = def_c.CreateSecurityTokenAuthenticator (r, out resolver); Assert.IsNotNull (resolver, "#1"); } } } #endif