#8 re-enable and expand NTLM tests.

Tratcher · Tratcher · commit a7a1ea59bfd1 · 2015-07-10T14:36:39.000-07:00
diff --git a/test/ServerComparison.FunctionalTests/NtlmAuthentationTest.cs b/test/ServerComparison.FunctionalTests/NtlmAuthentationTest.cs
@@ -19,9 +19,8 @@ public class NtlmAuthenticationTests
     {
         [ConditionalTheory, Trait("ServerComparison.FunctionalTests", "ServerComparison.FunctionalTests")]
         [OSSkipCondition(OperatingSystems.Linux | OperatingSystems.MacOSX)]
-        // TODO: Figure out why IISExpress failing
-        //[InlineData(ServerType.IISExpress, RuntimeFlavor.CoreClr, RuntimeArchitecture.x86, "http://localhost:5050/")]
-        //[InlineData(ServerType.IISExpress, RuntimeFlavor.Clr, RuntimeArchitecture.x64, "http://localhost:5051/")]
+        [InlineData(ServerType.IISExpress, RuntimeFlavor.CoreClr, RuntimeArchitecture.x86, "http://localhost:5050/")]
+        [InlineData(ServerType.IISExpress, RuntimeFlavor.Clr, RuntimeArchitecture.x64, "http://localhost:5051/")]
         [InlineData(ServerType.WebListener, RuntimeFlavor.Clr, RuntimeArchitecture.x86, "http://localhost:5052/")]
         [InlineData(ServerType.WebListener, RuntimeFlavor.CoreClr, RuntimeArchitecture.x64, "http://localhost:5052/")]
         public async Task NtlmAuthentication(ServerType serverType, RuntimeFlavor runtimeFlavor, RuntimeArchitecture architecture, string applicationBaseUrl)
@@ -61,14 +60,52 @@ public async Task NtlmAuthentication(ServerType serverType, RuntimeFlavor runtim
                         Assert.Equal("Anonymous?True", responseText);
 
                         response = await httpClient.GetAsync("/Restricted");
+                        Assert.Equal(HttpStatusCode.Unauthorized, response.StatusCode);
+                        Assert.Contains("NTLM", response.Headers.WwwAuthenticate.ToString());
+                        Assert.Contains("Negotiate", response.Headers.WwwAuthenticate.ToString());
 
+                        response = await httpClient.GetAsync("/RestrictedNTLM");
                         Assert.Equal(HttpStatusCode.Unauthorized, response.StatusCode);
                         Assert.Contains("NTLM", response.Headers.WwwAuthenticate.ToString());
+                        // Note IIS can't restrict a challenge to a specific auth type, the native auth modules always add themselves.
+                        // However WebListener can.
+                        if (serverType == ServerType.WebListener)
+                        {
+                            Assert.DoesNotContain("Negotiate", response.Headers.WwwAuthenticate.ToString());
+                        }
+                        else if (serverType == ServerType.IISExpress)
+                        {
+                            Assert.Contains("Negotiate", response.Headers.WwwAuthenticate.ToString());
+                        }
+
+                        response = await httpClient.GetAsync("/Forbidden");
+                        Assert.Equal(HttpStatusCode.Forbidden, response.StatusCode);
 
                         httpClientHandler = new HttpClientHandler() { UseDefaultCredentials = true };
                         httpClient = new HttpClient(httpClientHandler) { BaseAddress = new Uri(deploymentResult.ApplicationBaseUri) };
+
+                        response = await httpClient.GetAsync("/AutoForbid");
+                        Assert.Equal(HttpStatusCode.Forbidden, response.StatusCode);
+
                         responseText = await httpClient.GetStringAsync("/Restricted");
-                        Assert.Equal("NotAnonymous", responseText);
+                        Assert.Equal("Negotiate", responseText);
+
+                        responseText = await httpClient.GetStringAsync("/RestrictedNegotiate");
+                        Assert.Equal("Negotiate", responseText);
+
+                        if (serverType == ServerType.WebListener)
+                        {
+                            responseText = await httpClient.GetStringAsync("/RestrictedNTLM");
+                            Assert.Equal("NTLM", responseText);
+                        }
+                        else if (serverType == ServerType.IISExpress)
+                        {
+                            response = await httpClient.GetAsync("/RestrictedNTLM");
+                            // This isn't a Forbidden because we authenticate with Negotiate and challenge for NTLM.
+                            Assert.Equal(HttpStatusCode.Unauthorized, response.StatusCode);
+                            // Note IIS can't restrict a challenge to a specific auth type, the native auth modules always add themselves,
+                            // so both Negotiate and NTLM get sent again.
+                        }
                     }
                     catch (XunitException)
                     {
diff --git a/test/ServerComparison.TestSites/StartupNtlmAuthentication.cs b/test/ServerComparison.TestSites/StartupNtlmAuthentication.cs
@@ -53,28 +53,63 @@ public void Configure(IApplicationBuilder app, ILoggerFactory loggerFactory)
             if ((app.Server as ServerInformation) != null)
             {
                 var serverInformation = (ServerInformation)app.Server;
-                serverInformation.Listener.AuthenticationManager.AuthenticationSchemes = AuthenticationSchemes.NTLM | AuthenticationSchemes.AllowAnonymous;
+                serverInformation.Listener.AuthenticationManager.AuthenticationSchemes =
+                    AuthenticationSchemes.Negotiate | AuthenticationSchemes.NTLM | AuthenticationSchemes.AllowAnonymous;
             }
 
             app.Use((context, next) => 
             {
-                if (context.Request.Path.Equals(new PathString("/Anonymous")))
+                if (context.Request.Path.Equals("/Anonymous"))
                 {
                     return context.Response.WriteAsync("Anonymous?" + !context.User.Identity.IsAuthenticated);
                 }
 
-                if (context.Request.Path.Equals(new PathString("/Restricted")))
+                if (context.Request.Path.Equals("/Restricted"))
                 {
                     if (context.User.Identity.IsAuthenticated)
                     {
-                        return context.Response.WriteAsync("NotAnonymous");
+                        return context.Response.WriteAsync(context.User.Identity.AuthenticationType);
                     }
                     else
                     {
                         return context.Authentication.ChallengeAsync();
                     }
                 }
 
+                if (context.Request.Path.Equals("/Forbidden"))
+                {
+                    return context.Authentication.ForbidAsync(string.Empty);
+                }
+
+                if (context.Request.Path.Equals("/AutoForbid"))
+                {
+                    return context.Authentication.ChallengeAsync();
+                }
+
+                if (context.Request.Path.Equals("/RestrictedNegotiate"))
+                {
+                    if (string.Equals("Negotiate", context.User.Identity.AuthenticationType, System.StringComparison.Ordinal))
+                    {
+                        return context.Response.WriteAsync("Negotiate");
+                    }
+                    else
+                    {
+                        return context.Authentication.ChallengeAsync("Negotiate");
+                    }
+                }
+
+                if (context.Request.Path.Equals("/RestrictedNTLM"))
+                {
+                    if (string.Equals("NTLM", context.User.Identity.AuthenticationType, System.StringComparison.Ordinal))
+                    {
+                        return context.Response.WriteAsync("NTLM");
+                    }
+                    else
+                    {
+                        return context.Authentication.ChallengeAsync("NTLM");
+                    }
+                }
+
                 return context.Response.WriteAsync("Hello World");
             });
         }
