0 votes
Hello,

I've got a problem. We've implemented federated security in our services, and we're using attributes to check if the user has the required claims and values. However, when testing the methods I want to ignore these attributes. Is this possible? And how?

I know I can refactor, and put all the logic in another method without the attributes, but it would be smooth if I could handle this without the refactoring.

Example of our code:

       

[BlackBoxClaimPermission(SecurityEnums.BlackBoxSecurityAction.DEMAND, ClaimConstants.ClaimTypes.ROLE, ClaimConstants.ClaimTypes.Roles.ADMINISTRATOR)]
public void GetDocument()
{
    Logger.Instance.Log("In GetDocument", LoggerEnums.Severity.DEBUG);
    // Logic to test goes here...
}

asked by Jan-Erik (1.4k points)

3 Answers

0 votes
Perhaps this can help - try to Mock the Constructor of BlackBoxClaimPermission using
var mock = MockManager.Mock(typeof(BlackBoxClaimPermission));
mock.ExpectUnmockedConstructor().Args(new Assign(...));

This way you can pass any argument you need during the test to the property.
answered by dhelper (11.9k points)
0 votes
Well, I don't think this will help me very much. The problem is that inside the BlackBoxPermission attribute, there's a check (AOP) that the current thread's principal has a set of claims (specified in the attribute itself). When testing, the thread doesn't have a claimset at all, and I will get an exception.

So, basically I would like to write something like:

BlackBoxClaimPermissionAttribute attribute = Isolate.Fake.Instance<BlackBoxClaimPermissionAttribute>();
Isolate.Swap.NextInstance<BlackBoxClaimPermissionAttribute>().With(attribute);
Isolate.WhenCalled(() => attribute.Validate()).IgnoreCall();


But, either I'm doing something wrong, or this doesn't work. Remember I'm using dependency injection to make sure the security test (BlackBoxPermission) is running before the method logic.

By the way, there's a huge point here. This attribute is made because of security reasons. First of all, if I'm able to ignore it, wouldn't that be a great security issue? Second, if I refactor I have to make the refactored method public in order to test it. Yet again a great security issue (even though it wouldn't be available in the service itself, it would be available to anyone getting their hands on the dll).
answered by Jan-Erik (1.4k points)
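
An added example, not code from this thread or from the poster's project: instead of disabling the check, the test gives the thread a principal that carries the demanded claim, and a second case confirms the demand still denies without it. It assumes the check reads `Thread.CurrentPrincipal` as a `System.Security.Claims.ClaimsPrincipal`; `DemandClaim`, `RunAs` and the claim values are hypothetical stand-ins, since the `BlackBoxClaimPermission` implementation is not shown.

```csharp
using System;
using System.Security;
using System.Security.Claims;
using System.Threading;

static class ClaimDemandTestExample
{
    // Constructed values; the project's ClaimConstants are not shown on the page.
    const string RoleType = ClaimTypes.Role;
    const string Admin = "Administrator";

    // Hypothetical stand-in for the check the attribute performs before the method body.
    static void DemandClaim(string type, string value)
    {
        var principal = Thread.CurrentPrincipal as ClaimsPrincipal;
        if (principal == null || !principal.HasClaim(type, value))
            throw new SecurityException("Missing claim " + type + "=" + value);
    }

    // Method under test: the demand runs first, then the logic.
    static string GetDocument()
    {
        DemandClaim(RoleType, Admin);
        return "document";
    }

    // Runs body under a principal holding exactly the given claims,
    // then restores the previous principal so tests do not leak identity.
    static T RunAs<T>(Func<T> body, params Claim[] claims)
    {
        var previous = Thread.CurrentPrincipal;
        Thread.CurrentPrincipal = new ClaimsPrincipal(new ClaimsIdentity(claims, "UnitTest"));
        try { return body(); }
        finally { Thread.CurrentPrincipal = previous; }
    }

    static void Main()
    {
        // Positive case: the required claim is present, so the logic is reached.
        var doc = RunAs<string>(GetDocument, new Claim(RoleType, Admin));
        if (doc != "document") throw new Exception("expected the document");

        // Negative case: a different role must still be rejected.
        bool denied = false;
        try { RunAs<string>(GetDocument, new Claim(RoleType, "Reader")); }
        catch (SecurityException) { denied = true; }
        if (!denied) throw new Exception("demand did not deny a non-administrator");
        Console.WriteLine("both cases passed");
    }
}
```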
0 votes
I need the test code to investigate this issue - let's take it offline.
answered by dhelper (11.9k points)