dotnet
/
aspnetcore
зеркало из https://github.com/dotnet/aspnetcore.git


			
				
					
						
						
							123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276
							// Copyright (c) .NET Foundation. All rights reserved.
// Licensed under the Apache License, Version 2.0. See License.txt in the project root for license information.

using System;
using System.Collections.Generic;
using System.Globalization;
using Microsoft.AspNetCore.DataProtection.AuthenticatedEncryption;
using Microsoft.AspNetCore.DataProtection.KeyManagement.Internal;
using Moq;
using Xunit;

namespace Microsoft.AspNetCore.DataProtection.KeyManagement
{
    public class DefaultKeyResolverTests
    {
        [Fact]
        public void ResolveDefaultKeyPolicy_EmptyKeyRing_ReturnsNullDefaultKey()
        {
            // Arrange
            var resolver = CreateDefaultKeyResolver();

            // Act
            var resolution = resolver.ResolveDefaultKeyPolicy(DateTimeOffset.Now, new IKey[0]);

            // Assert
            Assert.Null(resolution.DefaultKey);
            Assert.True(resolution.ShouldGenerateNewKey);
        }

        [Fact]
        public void ResolveDefaultKeyPolicy_ValidExistingKey_ReturnsExistingKey()
        {
            // Arrange
            var resolver = CreateDefaultKeyResolver();
            var key1 = CreateKey("2015-03-01 00:00:00Z", "2016-03-01 00:00:00Z");
            var key2 = CreateKey("2016-03-01 00:00:00Z", "2017-03-01 00:00:00Z");

            // Act
            var resolution = resolver.ResolveDefaultKeyPolicy("2016-02-20 23:59:00Z", key1, key2);

            // Assert
            Assert.Same(key1, resolution.DefaultKey);
            Assert.False(resolution.ShouldGenerateNewKey);
        }

        [Fact]
        public void ResolveDefaultKeyPolicy_ValidExistingKey_AllowsForClockSkew_KeysStraddleSkewLine_ReturnsExistingKey()
        {
            // Arrange
            var resolver = CreateDefaultKeyResolver();
            var key1 = CreateKey("2015-03-01 00:00:00Z", "2016-03-01 00:00:00Z");
            var key2 = CreateKey("2016-03-01 00:00:00Z", "2017-03-01 00:00:00Z");

            // Act
            var resolution = resolver.ResolveDefaultKeyPolicy("2016-02-29 23:59:00Z", key1, key2);

            // Assert
            Assert.Same(key2, resolution.DefaultKey);
            Assert.False(resolution.ShouldGenerateNewKey);
        }

        [Fact]
        public void ResolveDefaultKeyPolicy_ValidExistingKey_AllowsForClockSkew_AllKeysInFuture_ReturnsExistingKey()
        {
            // Arrange
            var resolver = CreateDefaultKeyResolver();
            var key1 = CreateKey("2016-03-01 00:00:00Z", "2017-03-01 00:00:00Z");

            // Act
            var resolution = resolver.ResolveDefaultKeyPolicy("2016-02-29 23:59:00Z", key1);

            // Assert
            Assert.Same(key1, resolution.DefaultKey);
            Assert.False(resolution.ShouldGenerateNewKey);
        }

        [Fact]
        public void ResolveDefaultKeyPolicy_ValidExistingKey_NoSuccessor_ReturnsExistingKey_SignalsGenerateNewKey()
        {
            // Arrange
            var resolver = CreateDefaultKeyResolver();
            var key1 = CreateKey("2015-03-01 00:00:00Z", "2016-03-01 00:00:00Z");

            // Act
            var resolution = resolver.ResolveDefaultKeyPolicy("2016-02-29 23:59:00Z", key1);

            // Assert
            Assert.Same(key1, resolution.DefaultKey);
            Assert.True(resolution.ShouldGenerateNewKey);
        }

        [Fact]
        public void ResolveDefaultKeyPolicy_ValidExistingKey_NoLegitimateSuccessor_ReturnsExistingKey_SignalsGenerateNewKey()
        {
            // Arrange
            var resolver = CreateDefaultKeyResolver();
            var key1 = CreateKey("2015-03-01 00:00:00Z", "2016-03-01 00:00:00Z");
            var key2 = CreateKey("2016-03-01 00:00:00Z", "2017-03-01 00:00:00Z", isRevoked: true);
            var key3 = CreateKey("2016-03-01 00:00:00Z", "2016-03-02 00:00:00Z"); // key expires too soon

            // Act
            var resolution = resolver.ResolveDefaultKeyPolicy("2016-02-29 23:50:00Z", key1, key2, key3);

            // Assert
            Assert.Same(key1, resolution.DefaultKey);
            Assert.True(resolution.ShouldGenerateNewKey);
        }

        [Fact]
        public void ResolveDefaultKeyPolicy_MostRecentKeyIsInvalid_BecauseOfRevocation_ReturnsNull()
        {
            // Arrange
            var resolver = CreateDefaultKeyResolver();
            var key1 = CreateKey("2015-03-01 00:00:00Z", "2016-03-01 00:00:00Z");
            var key2 = CreateKey("2015-03-02 00:00:00Z", "2016-03-01 00:00:00Z", isRevoked: true);

            // Act
            var resolution = resolver.ResolveDefaultKeyPolicy("2015-04-01 00:00:00Z", key1, key2);

            // Assert
            Assert.Null(resolution.DefaultKey);
            Assert.True(resolution.ShouldGenerateNewKey);
        }

        [Fact]
        public void ResolveDefaultKeyPolicy_MostRecentKeyIsInvalid_BecauseOfFailureToDecipher_ReturnsNull()
        {
            // Arrange
            var resolver = CreateDefaultKeyResolver();
            var key1 = CreateKey("2015-03-01 00:00:00Z", "2016-03-01 00:00:00Z");
            var key2 = CreateKey("2015-03-02 00:00:00Z", "2016-03-01 00:00:00Z", createEncryptorInstanceThrows: true);

            // Act
            var resolution = resolver.ResolveDefaultKeyPolicy("2015-04-01 00:00:00Z", key1, key2);

            // Assert
            Assert.Null(resolution.DefaultKey);
            Assert.True(resolution.ShouldGenerateNewKey);
        }

        [Fact]
        public void ResolveDefaultKeyPolicy_FutureKeyIsValidAndWithinClockSkew_ReturnsFutureKey()
        {
            // Arrange
            var resolver = CreateDefaultKeyResolver();
            var key1 = CreateKey("2015-03-01 00:00:00Z", "2016-03-01 00:00:00Z");

            // Act
            var resolution = resolver.ResolveDefaultKeyPolicy("2015-02-28 23:53:00Z", key1);

            // Assert
            Assert.Same(key1, resolution.DefaultKey);
            Assert.False(resolution.ShouldGenerateNewKey);
        }

        [Fact]
        public void ResolveDefaultKeyPolicy_FutureKeyIsValidButNotWithinClockSkew_ReturnsNull()
        {
            // Arrange
            var resolver = CreateDefaultKeyResolver();
            var key1 = CreateKey("2015-03-01 00:00:00Z", "2016-03-01 00:00:00Z");

            // Act
            var resolution = resolver.ResolveDefaultKeyPolicy("2015-02-28 23:00:00Z", key1);

            // Assert
            Assert.Null(resolution.DefaultKey);
            Assert.True(resolution.ShouldGenerateNewKey);
        }

        [Fact]
        public void ResolveDefaultKeyPolicy_IgnoresExpiredOrRevokedFutureKeys()
        {
            // Arrange
            var resolver = CreateDefaultKeyResolver();
            var key1 = CreateKey("2015-03-01 00:00:00Z", "2014-03-01 00:00:00Z"); // expiration before activation should never occur
            var key2 = CreateKey("2015-03-01 00:01:00Z", "2015-04-01 00:00:00Z", isRevoked: true);
            var key3 = CreateKey("2015-03-01 00:02:00Z", "2015-04-01 00:00:00Z");

            // Act
            var resolution = resolver.ResolveDefaultKeyPolicy("2015-02-28 23:59:00Z", key1, key2, key3);

            // Assert
            Assert.Same(key3, resolution.DefaultKey);
            Assert.False(resolution.ShouldGenerateNewKey);
        }

        [Fact]
        public void ResolveDefaultKeyPolicy_FallbackKey_SelectsLatestBeforePriorPropagationWindow_IgnoresRevokedKeys()
        {
            // Arrange
            var resolver = CreateDefaultKeyResolver();
            var key1 = CreateKey("2010-01-01 00:00:00Z", "2010-01-01 00:00:00Z", creationDate: "2000-01-01 00:00:00Z");
            var key2 = CreateKey("2010-01-01 00:00:00Z", "2010-01-01 00:00:00Z", creationDate: "2000-01-02 00:00:00Z");
            var key3 = CreateKey("2010-01-01 00:00:00Z", "2010-01-01 00:00:00Z", creationDate: "2000-01-03 00:00:00Z", isRevoked: true);
            var key4 = CreateKey("2010-01-01 00:00:00Z", "2010-01-01 00:00:00Z", creationDate: "2000-01-04 00:00:00Z");

            // Act
            var resolution = resolver.ResolveDefaultKeyPolicy("2000-01-05 00:00:00Z", key1, key2, key3, key4);

            // Assert
            Assert.Same(key2, resolution.FallbackKey);
            Assert.True(resolution.ShouldGenerateNewKey);
        }

        [Fact]
        public void ResolveDefaultKeyPolicy_FallbackKey_SelectsLatestBeforePriorPropagationWindow_IgnoresFailures()
        {
            // Arrange
            var resolver = CreateDefaultKeyResolver();
            var key1 = CreateKey("2010-01-01 00:00:00Z", "2010-01-01 00:00:00Z", creationDate: "2000-01-01 00:00:00Z");
            var key2 = CreateKey("2010-01-01 00:00:00Z", "2010-01-01 00:00:00Z", creationDate: "2000-01-02 00:00:00Z");
            var key3 = CreateKey("2010-01-01 00:00:00Z", "2010-01-01 00:00:00Z", creationDate: "2000-01-03 00:00:00Z", createEncryptorInstanceThrows: true);
            var key4 = CreateKey("2010-01-01 00:00:00Z", "2010-01-01 00:00:00Z", creationDate: "2000-01-04 00:00:00Z");

            // Act
            var resolution = resolver.ResolveDefaultKeyPolicy("2000-01-05 00:00:00Z", key1, key2, key3, key4);

            // Assert
            Assert.Same(key2, resolution.FallbackKey);
            Assert.True(resolution.ShouldGenerateNewKey);
        }

        [Fact]
        public void ResolveDefaultKeyPolicy_FallbackKey_NoNonRevokedKeysBeforePriorPropagationWindow_SelectsEarliestNonRevokedKey()
        {
            // Arrange
            var resolver = CreateDefaultKeyResolver();
            var key1 = CreateKey("2010-01-01 00:00:00Z", "2010-01-01 00:00:00Z", creationDate: "2000-01-03 00:00:00Z", isRevoked: true);
            var key2 = CreateKey("2010-01-01 00:00:00Z", "2010-01-01 00:00:00Z", creationDate: "2000-01-04 00:00:00Z");
            var key3 = CreateKey("2010-01-01 00:00:00Z", "2010-01-01 00:00:00Z", creationDate: "2000-01-05 00:00:00Z");

            // Act
            var resolution = resolver.ResolveDefaultKeyPolicy("2000-01-05 00:00:00Z", key1, key2, key3);

            // Assert
            Assert.Same(key2, resolution.FallbackKey);
            Assert.True(resolution.ShouldGenerateNewKey);
        }

        private static IDefaultKeyResolver CreateDefaultKeyResolver()
        {
            return new DefaultKeyResolver(
                keyPropagationWindow: TimeSpan.FromDays(2),
                maxServerToServerClockSkew: TimeSpan.FromMinutes(7),
                services: null);
        }

        private static IKey CreateKey(string activationDate, string expirationDate, string creationDate = null, bool isRevoked = false, bool createEncryptorInstanceThrows = false)
        {
            var mockKey = new Mock<IKey>();
            mockKey.Setup(o => o.KeyId).Returns(Guid.NewGuid());
            mockKey.Setup(o => o.CreationDate).Returns((creationDate != null) ? DateTimeOffset.ParseExact(creationDate, "u", CultureInfo.InvariantCulture) : DateTimeOffset.MinValue);
            mockKey.Setup(o => o.ActivationDate).Returns(DateTimeOffset.ParseExact(activationDate, "u", CultureInfo.InvariantCulture));
            mockKey.Setup(o => o.ExpirationDate).Returns(DateTimeOffset.ParseExact(expirationDate, "u", CultureInfo.InvariantCulture));
            mockKey.Setup(o => o.IsRevoked).Returns(isRevoked);
            if (createEncryptorInstanceThrows)
            {
                mockKey.Setup(o => o.CreateEncryptorInstance()).Throws(new Exception("This method fails."));
            }
            else
            {
                mockKey.Setup(o => o.CreateEncryptorInstance()).Returns(new Mock<IAuthenticatedEncryptor>().Object);
            }
            return mockKey.Object;
        }
    }

    internal static class DefaultKeyResolverExtensions
    {
        public static DefaultKeyResolution ResolveDefaultKeyPolicy(this IDefaultKeyResolver resolver, string now, params IKey[] allKeys)
        {
            return resolver.ResolveDefaultKeyPolicy(DateTimeOffset.ParseExact(now, "u", CultureInfo.InvariantCulture), (IEnumerable<IKey>)allKeys);
        }
    }
}