2 // ServiceCredentialsSecurityTokenManagerTest.cs
5 // Atsushi Enomoto <atsushi@ximian.com>
7 // Copyright (C) 2006-2007 Novell, Inc. http://www.novell.com
9 // Permission is hereby granted, free of charge, to any person obtaining
10 // a copy of this software and associated documentation files (the
11 // "Software"), to deal in the Software without restriction, including
12 // without limitation the rights to use, copy, modify, merge, publish,
13 // distribute, sublicense, and/or sell copies of the Software, and to
14 // permit persons to whom the Software is furnished to do so, subject to
15 // the following conditions:
17 // The above copyright notice and this permission notice shall be
18 // included in all copies or substantial portions of the Software.
20 // THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
21 // EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
22 // MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND
23 // NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE
24 // LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION
25 // OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION
26 // WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
29 using System.IdentityModel.Selectors;
30 using System.IdentityModel.Tokens;
32 using System.Security.Cryptography.X509Certificates;
33 using System.ServiceModel;
34 using System.ServiceModel.Channels;
35 using System.ServiceModel.Description;
36 using System.ServiceModel.Security;
37 using System.ServiceModel.Security.Tokens;
39 using NUnit.Framework;
41 using ReqType = System.ServiceModel.Security.Tokens.ServiceModelSecurityTokenRequirement;
43 namespace MonoTests.System.ServiceModel.Security
46 public class ServiceCredentialsSecurityTokenManagerTest
48 class MyManager : ServiceCredentialsSecurityTokenManager
51 : this (new ServiceCredentials ())
55 public MyManager (ServiceCredentials cred)
60 public bool IsIssued (SecurityTokenRequirement r)
62 return IsIssuedSecurityTokenRequirement (r);
66 class MySslSecurityTokenParameters : SslSecurityTokenParameters
68 public void InitRequirement (SecurityTokenRequirement r)
70 InitializeSecurityTokenRequirement (r);
77 public void Initialize ()
79 def_c = new MyManager ();
83 public void DefaultValues ()
86 MyManager mgr = new MyManager ();
87 Assert.IsTrue (mgr.ServiceCredentials.SecureConversationAuthentication.SecurityStateEncoder is DataProtectionSecurityStateEncoder, "#n-1");
91 public void IsIssuedSecurityTokenRequirement ()
93 RecipientServiceModelSecurityTokenRequirement r;
94 MyManager mgr = new MyManager ();
96 r = new RecipientServiceModelSecurityTokenRequirement ();
97 MySslSecurityTokenParameters ssl =
98 new MySslSecurityTokenParameters ();
99 ssl.InitRequirement (r);
100 Assert.IsFalse (mgr.IsIssued (r), "ssl");
102 r = new RecipientServiceModelSecurityTokenRequirement ();
103 MySspiSecurityTokenParameters sspi =
104 new MySspiSecurityTokenParameters ();
105 sspi.InitRequirement (r);
106 Assert.IsFalse (mgr.IsIssued (r), "sspi");
108 r = new RecipientServiceModelSecurityTokenRequirement ();
109 MyIssuedSecurityTokenParameters issued =
110 new MyIssuedSecurityTokenParameters ();
111 issued.InitRequirement (r);
112 Assert.IsTrue (mgr.IsIssued (r), "issued");
115 r = new RecipientServiceModelSecurityTokenRequirement ();
116 MySecureConversationSecurityTokenParameters sc =
117 new MySecureConversationSecurityTokenParameters (
118 new SymmetricSecurityBindingElement (new X509SecurityTokenParameters ()),
120 new ChannelProtectionRequirements ());
121 r.Properties [ReqType.IssuerBindingContextProperty] =
122 new BindingContext (new CustomBinding (), new BindingParameterCollection ());
123 r.Properties [ReqType.MessageSecurityVersionProperty] =
124 MessageSecurityVersion.Default;
125 r.Properties [ReqType.ChannelParametersCollectionProperty] =
126 new ChannelParameterCollection ();
127 r.Properties [ReqType.IssuedSecurityTokenParametersProperty] = sc.Clone ();
128 r.Properties [ReqType.IssuerBindingProperty] =
129 new CustomBinding (new HttpTransportBindingElement ());
130 r.Properties [ReqType.MessageDirectionProperty] =
131 MessageDirection.Input;
132 r.SecureConversationSecurityBindingElement =
133 new SymmetricSecurityBindingElement (
134 new X509SecurityTokenParameters ());
135 r.SecurityAlgorithmSuite = SecurityAlgorithmSuite.Default;
136 r.Properties [ReqType.SupportSecurityContextCancellationProperty] = true;
137 r.ListenUri = new Uri ("http://localhost:8080");
139 sc.InitRequirement (r);
140 Assert.IsFalse (mgr.IsIssued (r), "sc");
145 [ExpectedException (typeof (NotSupportedException))]
146 public void CreateProviderDefault ()
148 SecurityTokenRequirement r =
149 new RecipientServiceModelSecurityTokenRequirement ();
150 def_c.CreateSecurityTokenProvider (r);
154 [ExpectedException (typeof (InvalidOperationException))]
156 public void CreateProviderUserNameWithoutName ()
158 SecurityTokenRequirement r =
159 new RecipientServiceModelSecurityTokenRequirement ();
160 r.TokenType = SecurityTokenTypes.UserName;
161 def_c.CreateSecurityTokenProvider (r);
165 [ExpectedException (typeof (NotSupportedException))]
166 public void CreateProviderUserName ()
168 SecurityTokenRequirement r =
169 new RecipientServiceModelSecurityTokenRequirement ();
170 r.TokenType = SecurityTokenTypes.UserName;
171 def_c.CreateSecurityTokenProvider (r);
174 class MyUserNameValidator : UserNamePasswordValidator
176 public override void Validate (string userName, string password)
178 throw new Exception ();
183 public void CreateAuthenticatorUserName ()
185 SecurityTokenRequirement r =
186 new RecipientServiceModelSecurityTokenRequirement ();
187 r.TokenType = SecurityTokenTypes.UserName;
188 SecurityTokenResolver resolver;
190 SecurityTokenAuthenticator a =
191 def_c.CreateSecurityTokenAuthenticator (r, out resolver);
192 Assert.AreEqual (typeof (WindowsUserNameSecurityTokenAuthenticator), a.GetType (), "#1");
193 Assert.IsNull (resolver, "#2");
195 def_c.ServiceCredentials.UserNameAuthentication.UserNamePasswordValidationMode = UserNamePasswordValidationMode.Custom;
196 def_c.ServiceCredentials.UserNameAuthentication.CustomUserNamePasswordValidator = new MyUserNameValidator ();
197 a = def_c.CreateSecurityTokenAuthenticator (r, out resolver);
198 Assert.AreEqual (typeof (CustomUserNameSecurityTokenAuthenticator), a.GetType (), "#3");
199 Assert.IsNull (resolver, "#4");
203 [ExpectedException (typeof (InvalidOperationException))]
204 public void CreateAuthenticatorUserNameCustomWithoutValidator ()
206 SecurityTokenRequirement r =
207 new RecipientServiceModelSecurityTokenRequirement ();
208 r.TokenType = SecurityTokenTypes.UserName;
209 SecurityTokenResolver resolver;
210 def_c.ServiceCredentials.UserNameAuthentication.UserNamePasswordValidationMode = UserNamePasswordValidationMode.Custom;
211 def_c.CreateSecurityTokenAuthenticator (r, out resolver);
215 [ExpectedException (typeof (NotSupportedException))]
216 public void CreateProviderRsaDefault ()
218 // actually is Rsa usable here??
220 SecurityTokenRequirement r =
221 new RecipientServiceModelSecurityTokenRequirement ();
222 r.TokenType = SecurityTokenTypes.Rsa;
223 def_c.CreateSecurityTokenProvider (r);
227 public void CreateAuthenticatorRsaDefault ()
229 SecurityTokenRequirement r =
230 new RecipientServiceModelSecurityTokenRequirement ();
231 SecurityTokenResolver resolver;
232 r.TokenType = SecurityTokenTypes.Rsa;
233 SecurityTokenAuthenticator a = def_c.CreateSecurityTokenAuthenticator (r, out resolver);
234 Assert.AreEqual (typeof (RsaSecurityTokenAuthenticator), a.GetType (), "#1");
235 Assert.IsNull (resolver, "#2");
239 [ExpectedException (typeof (InvalidOperationException))]
240 public void CreateProviderX509WithoutCert ()
242 SecurityTokenRequirement r =
243 new RecipientServiceModelSecurityTokenRequirement ();
244 r.TokenType = SecurityTokenTypes.X509Certificate;
245 def_c.CreateSecurityTokenProvider (r);
249 [ExpectedException (typeof (ArgumentException))]
250 public void CreateProviderX509PublicOnlyKey ()
252 SecurityTokenRequirement r =
253 new RecipientServiceModelSecurityTokenRequirement ();
254 r.TokenType = SecurityTokenTypes.X509Certificate;
255 X509Certificate2 cert = new X509Certificate2 ("Test/Resources/test.cer");
256 def_c.ServiceCredentials.ServiceCertificate.Certificate = cert;
257 def_c.CreateSecurityTokenProvider (r);
261 public void CreateProviderX509 ()
263 SecurityTokenRequirement r =
264 new RecipientServiceModelSecurityTokenRequirement ();
265 r.TokenType = SecurityTokenTypes.X509Certificate;
266 def_c.ServiceCredentials.ServiceCertificate.Certificate =
267 new X509Certificate2 ("Test/Resources/test.pfx", "mono");
268 X509SecurityTokenProvider p =
269 def_c.CreateSecurityTokenProvider (r)
270 as X509SecurityTokenProvider;
271 Assert.IsNotNull (p, "#1");
275 [ExpectedException (typeof (InvalidOperationException))]
276 public void CreateProviderX509Initiator ()
278 InitiatorServiceModelSecurityTokenRequirement r =
279 new InitiatorServiceModelSecurityTokenRequirement ();
280 r.TokenType = SecurityTokenTypes.X509Certificate;
281 r.KeyUsage = SecurityKeyUsage.Exchange;
282 // ClientCredential is somehow required ...
283 def_c.ServiceCredentials.ServiceCertificate.Certificate =
284 new X509Certificate2 ("Test/Resources/test.pfx", "mono");
286 X509SecurityTokenProvider p =
287 def_c.CreateSecurityTokenProvider (r)
288 as X509SecurityTokenProvider;
289 Assert.IsNotNull (p, "#1");
293 [ExpectedException (typeof (NotSupportedException))]
294 public void CreateProviderAnonSslError ()
296 RecipientServiceModelSecurityTokenRequirement r =
297 new RecipientServiceModelSecurityTokenRequirement ();
298 r.TokenType = ServiceModelSecurityTokenTypes.AnonymousSslnego;
299 r.ListenUri = new Uri ("http://localhost:8080");
300 r.SecurityBindingElement = new SymmetricSecurityBindingElement ();
301 r.Properties [ReqType.IssuerBindingContextProperty] =
302 new BindingContext (new CustomBinding (), new BindingParameterCollection ());
303 r.MessageSecurityVersion =
304 MessageSecurityVersion.Default.SecurityTokenVersion;
305 SecurityTokenProvider p =
306 def_c.CreateSecurityTokenProvider (r);
307 Assert.IsNotNull (p, "#1");
311 [Ignore ("incomplete")]
312 [Category ("NotWorking")]
313 public void CreateProviderAnonSsl ()
315 RecipientServiceModelSecurityTokenRequirement r =
316 new RecipientServiceModelSecurityTokenRequirement ();
317 new MySslSecurityTokenParameters ().InitRequirement (r);
319 Assert.IsFalse (r.Properties.ContainsKey (ReqType.ChannelParametersCollectionProperty), "#1");
320 Assert.IsFalse (r.Properties.ContainsKey (ReqType.EndpointFilterTableProperty), "#2");
321 Assert.IsFalse (r.Properties.ContainsKey (ReqType.HttpAuthenticationSchemeProperty), "#3");
322 Assert.IsFalse (r.Properties.ContainsKey (ReqType.IsOutOfBandTokenProperty), "#4");
323 Assert.IsFalse (r.Properties.ContainsKey (ReqType.IssuerAddressProperty), "#5");
324 Assert.IsFalse (r.Properties.ContainsKey (ReqType.MessageDirectionProperty), "#6");
325 Assert.IsFalse (r.Properties.ContainsKey (ReqType.MessageSecurityVersionProperty), "#7");
326 //Assert.IsTrue (r.Properties.ContainsKey (SecurityTokenRequirement.PeerAuthenticationMode), "#8");
327 Assert.IsFalse (r.Properties.ContainsKey (ReqType.SecurityAlgorithmSuiteProperty), "#9");
328 Assert.IsFalse (r.Properties.ContainsKey (ReqType.SecurityBindingElementProperty), "#10");
329 Assert.IsFalse (r.Properties.ContainsKey (ReqType.SupportingTokenAttachmentModeProperty), "#11");
330 Assert.AreEqual (null, r.TransportScheme, "#12");
332 r.TokenType = ServiceModelSecurityTokenTypes.AnonymousSslnego;
333 r.ListenUri = new Uri ("http://localhost:8080");
334 r.SecurityBindingElement = new SymmetricSecurityBindingElement ();
335 r.Properties [ReqType.IssuerBindingContextProperty] =
336 new BindingContext (new CustomBinding (), new BindingParameterCollection ());
337 r.MessageSecurityVersion =
338 MessageSecurityVersion.Default.SecurityTokenVersion;
340 r.Properties [ReqType.SecurityAlgorithmSuiteProperty] =
341 SecurityAlgorithmSuite.Default;
342 r.TransportScheme = "https";
344 r.Properties [ReqType.ChannelParametersCollectionProperty] = new ChannelParameterCollection ();
345 r.Properties [ReqType.EndpointFilterTableProperty] = null;
346 r.Properties [ReqType.HttpAuthenticationSchemeProperty] = AuthenticationSchemes.Anonymous;
347 r.Properties [ReqType.IsOutOfBandTokenProperty] = true;
348 r.Properties [ReqType.IssuerAddressProperty] = new EndpointAddress ("http://localhost:9090");
349 // r.Properties [ReqType.MessageDirectionProperty] = MessageDirection.Input;
350 r.Properties [ReqType.SecurityBindingElementProperty] = new SymmetricSecurityBindingElement ();
351 r.Properties [ReqType.SupportingTokenAttachmentModeProperty] = SecurityTokenAttachmentMode.Signed;
353 SecurityTokenProvider p =
354 def_c.CreateSecurityTokenProvider (r);
355 Assert.IsNotNull (p, "#1");
358 RecipientServiceModelSecurityTokenRequirement CreateAnonSslRequirement ()
360 RecipientServiceModelSecurityTokenRequirement r =
361 new RecipientServiceModelSecurityTokenRequirement ();
362 MySslSecurityTokenParameters p = new MySslSecurityTokenParameters ();
363 p.InitRequirement (r);
364 r.SecurityBindingElement = new SymmetricSecurityBindingElement (new X509SecurityTokenParameters ());
365 r.Properties [ReqType.IssuedSecurityTokenParametersProperty] = p.Clone ();
366 r.Properties [ReqType.IssuerBindingContextProperty] =
367 new BindingContext (new CustomBinding (new HttpTransportBindingElement ()), new BindingParameterCollection ());
368 r.Properties [ReqType.MessageSecurityVersionProperty] =
369 MessageSecurityVersion.Default.SecurityTokenVersion;
373 RecipientServiceModelSecurityTokenRequirement CreateSecureConvRequirement ()
375 RecipientServiceModelSecurityTokenRequirement r =
376 CreateRecipientRequirement (ServiceModelSecurityTokenTypes.SecureConversation);
377 r.Properties [ReqType.IssuedSecurityTokenParametersProperty] = new SecureConversationSecurityTokenParameters (new SymmetricSecurityBindingElement (new X509SecurityTokenParameters ()));
378 // without it, "The key length (...) is not a multiple of 8 for symmetric keys" occurs.
379 r.SecureConversationSecurityBindingElement =
380 new SymmetricSecurityBindingElement ();
384 RecipientServiceModelSecurityTokenRequirement CreateRecipientRequirement (string tokenType)
386 RecipientServiceModelSecurityTokenRequirement r =
387 new RecipientServiceModelSecurityTokenRequirement ();
388 r.TokenType = tokenType;
389 r.SecurityBindingElement = new SymmetricSecurityBindingElement ();
390 r.Properties [ReqType.IssuerBindingContextProperty] =
391 new BindingContext (new CustomBinding (), new BindingParameterCollection ());
392 r.Properties [ReqType.IssuedSecurityTokenParametersProperty] = new IssuedSecurityTokenParameters ();
393 r.MessageSecurityVersion =
394 MessageSecurityVersion.Default.SecurityTokenVersion;
399 [ExpectedException (typeof (ArgumentException))]
400 public void CreateAuthenticatorAnonSslNoSecurityBindingElement ()
402 RecipientServiceModelSecurityTokenRequirement r =
403 CreateAnonSslRequirement ();
404 r.SecurityBindingElement = null;
405 SecurityTokenResolver resolver;
406 def_c.CreateSecurityTokenAuthenticator (r, out resolver);
410 [ExpectedException (typeof (ArgumentException))]
411 public void CreateAuthenticatorAnonSslNoIssuedSecurityTokenParameters ()
413 RecipientServiceModelSecurityTokenRequirement r =
414 CreateAnonSslRequirement ();
415 r.Properties.Remove (ReqType.IssuedSecurityTokenParametersProperty);
416 SecurityTokenResolver resolver;
417 def_c.CreateSecurityTokenAuthenticator (r, out resolver);
421 [ExpectedException (typeof (ArgumentException))]
422 public void CreateAuthenticatorAnonSslNoIssuerBindingContext ()
424 RecipientServiceModelSecurityTokenRequirement r =
425 CreateAnonSslRequirement ();
426 r.Properties.Remove (ReqType.IssuerBindingContextProperty);
427 SecurityTokenResolver resolver;
428 def_c.CreateSecurityTokenAuthenticator (r, out resolver);
432 // The type of exception should not matter though.
433 [ExpectedException (typeof (NotSupportedException))]
434 [Category ("NotWorking")]
435 public void CreateAuthenticatorAnonSslNullMessageSecurityVersion ()
437 RecipientServiceModelSecurityTokenRequirement r =
438 CreateAnonSslRequirement ();
439 r.MessageSecurityVersion = null;
440 SecurityTokenResolver resolver;
441 def_c.CreateSecurityTokenAuthenticator (r, out resolver);
445 [ExpectedException (typeof (ArgumentException))]
446 public void CreateAuthenticatorAnonSslNoMessageSecurityVersion ()
448 RecipientServiceModelSecurityTokenRequirement r =
449 CreateAnonSslRequirement ();
450 r.Properties.Remove (ReqType.MessageSecurityVersionProperty);
451 SecurityTokenResolver resolver;
452 def_c.CreateSecurityTokenAuthenticator (r, out resolver);
456 [ExpectedException (typeof (InvalidOperationException))]
457 [Category ("NotWorking")]
458 public void CreateAuthenticatorAnonSslNoServiceCertificate ()
460 RecipientServiceModelSecurityTokenRequirement r =
461 CreateAnonSslRequirement ();
462 SecurityTokenResolver resolver;
463 def_c.CreateSecurityTokenAuthenticator (r, out resolver);
467 [ExpectedException (typeof (ArgumentException))]
468 public void CreateAuthenticatorAnonSslCertPublicOnly ()
470 RecipientServiceModelSecurityTokenRequirement r =
471 CreateAnonSslRequirement ();
472 SecurityTokenResolver resolver;
473 def_c.ServiceCredentials.ServiceCertificate.Certificate =
474 new X509Certificate2 ("Test/Resources/test.cer");
475 def_c.CreateSecurityTokenAuthenticator (r, out resolver);
479 [Category ("NotWorking")]
480 public void CreateAuthenticatorAnonSsl ()
482 RecipientServiceModelSecurityTokenRequirement r =
483 CreateAnonSslRequirement ();
484 SecurityTokenResolver resolver;
485 X509Certificate2 cert = new X509Certificate2 ("Test/Resources/test.pfx", "mono");
486 def_c.ServiceCredentials.ServiceCertificate.Certificate = cert;
487 SecurityTokenAuthenticator a = def_c.CreateSecurityTokenAuthenticator (r, out resolver);
488 // non-standard authenticator type.
489 Assert.IsNotNull (resolver, "#1");
490 Assert.IsTrue (a is IIssuanceSecurityTokenAuthenticator, "#2");
493 a.ValidateToken (new X509SecurityToken (cert));
494 Assert.Fail ("It cannot validate raw X509SecurityToken");
495 } catch (SecurityTokenValidationException) {
500 [ExpectedException (typeof (NotSupportedException))]
501 public void CreateProviderSecureConv ()
503 RecipientServiceModelSecurityTokenRequirement r =
504 new RecipientServiceModelSecurityTokenRequirement ();
505 r.TokenType = ServiceModelSecurityTokenTypes.SecureConversation;
506 r.ListenUri = new Uri ("http://localhost:8080");
507 r.MessageSecurityVersion = MessageSecurityVersion.Default.SecurityTokenVersion;
509 def_c.CreateSecurityTokenProvider (r);
513 [ExpectedException (typeof (ArgumentException))]
514 [Category ("NotWorking")]
515 public void CreateAuthenticatorSecureConvNoSecurityBindingElement ()
517 RecipientServiceModelSecurityTokenRequirement r =
518 CreateSecureConvRequirement ();
519 r.SecurityBindingElement = null;
520 SecurityTokenResolver resolver;
521 def_c.CreateSecurityTokenAuthenticator (r, out resolver);
525 [ExpectedException (typeof (ArgumentException))]
526 [Category ("NotWorking")]
527 public void CreateAuthenticatorSecureConvNoIssuedSecurityTokenParameters ()
529 RecipientServiceModelSecurityTokenRequirement r =
530 CreateSecureConvRequirement ();
531 r.Properties.Remove (ReqType.IssuedSecurityTokenParametersProperty);
532 SecurityTokenResolver resolver;
533 def_c.CreateSecurityTokenAuthenticator (r, out resolver);
537 [ExpectedException (typeof (ArgumentException))]
538 [Category ("NotWorking")]
539 public void CreateAuthenticatorSecureConvNoIssuerBindingContext ()
541 RecipientServiceModelSecurityTokenRequirement r =
542 CreateSecureConvRequirement ();
543 r.Properties.Remove (ReqType.IssuerBindingContextProperty);
544 SecurityTokenResolver resolver;
545 def_c.CreateSecurityTokenAuthenticator (r, out resolver);
549 // The type of exception should not matter though.
550 [ExpectedException (typeof (NotSupportedException))]
551 [Category ("NotWorking")]
552 public void CreateAuthenticatorSecureConvNullMessageSecurityVersion ()
554 RecipientServiceModelSecurityTokenRequirement r =
555 CreateSecureConvRequirement ();
556 r.MessageSecurityVersion = null;
557 SecurityTokenResolver resolver;
558 def_c.CreateSecurityTokenAuthenticator (r, out resolver);
562 [ExpectedException (typeof (ArgumentException))]
563 [Category ("NotWorking")]
564 public void CreateAuthenticatorSecureConvNoMessageSecurityVersion ()
566 RecipientServiceModelSecurityTokenRequirement r =
567 CreateSecureConvRequirement ();
568 r.Properties.Remove (ReqType.MessageSecurityVersionProperty);
569 SecurityTokenResolver resolver;
570 def_c.CreateSecurityTokenAuthenticator (r, out resolver);
574 public void CreateAuthenticatorSecureConv ()
576 // service certificate is not required
577 RecipientServiceModelSecurityTokenRequirement r =
578 CreateSecureConvRequirement ();
579 SecurityTokenResolver resolver;
580 //SecurityTokenAuthenticator a =
581 def_c.CreateSecurityTokenAuthenticator (r, out resolver);
582 Assert.IsNotNull (resolver, "#1");