Update AzureADAuthenticationMatcher to support V2 Azure AAD tokens (#1288)

* Update AzureADAuthenticationMatcher to support V2 Azure AAD tokens * fix ;-) * add tests * Update test/WireMock.Net.Tests/Authentication/MockJwtSecurityTokenHandler.cs Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com> * . * WIREMOCK_AAD_TENANT * update logging * throw new SecurityTokenInvalidIssuerException($"tenant {extractedTenant} does not match {_tenant}."); --------- Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
2026-03-24 18:11:10 +01:00 · 2025-05-06 18:49:21 +02:00
parent cfc13b2449
commit 249b3562ab
6 changed files with 227 additions and 20 deletions
--- a/test/WireMock.Net.Tests/Authentication/AzureADAuthenticationMatcherTests.cs
+++ b/test/WireMock.Net.Tests/Authentication/AzureADAuthenticationMatcherTests.cs
@@ -0,0 +1,148 @@
+// Copyright © WireMock.Net
+
+using System;
+using System.Collections.Generic;
+using System.IdentityModel.Tokens.Jwt;
+using System.Security.Claims;
+using System.Text;
+using System.Threading;
+using Microsoft.IdentityModel.Protocols;
+using Microsoft.IdentityModel.Protocols.OpenIdConnect;
+using Microsoft.IdentityModel.Tokens;
+using Moq;
+using WireMock.Authentication;
+using Xunit;
+
+namespace WireMock.Net.Tests.Authentication;
+
+public class AzureADAuthenticationMatcherTests
+{
+    public enum AzureADTokenVersion
+    {
+        V1,
+        V2
+    }
+
+    private const string Tenant = "test-tenant-id";
+    private const string Audience = "test-audience";
+    private static readonly Dictionary<AzureADTokenVersion, string> IssuerUrlTemplates = new()
+    {
+        { AzureADTokenVersion.V1, "https://sts.windows.net/{0}/" },
+        { AzureADTokenVersion.V2, "https://login.microsoftonline.com/{0}/v2.0" }
+    };
+    private readonly Mock<IConfigurationManager<OpenIdConnectConfiguration>> _openIdConnectConfigurationManagerMock = new();
+
+    private readonly AzureADAuthenticationMatcher _sut;
+
+    public AzureADAuthenticationMatcherTests()
+    {
+        var jwtSecurityTokenHandler = new MockJwtSecurityTokenHandler();
+        _openIdConnectConfigurationManagerMock.Setup(c => c.GetConfigurationAsync(It.IsAny<CancellationToken>())).ReturnsAsync(new OpenIdConnectConfiguration());
+        
+        _sut = new(jwtSecurityTokenHandler, _openIdConnectConfigurationManagerMock.Object, Tenant, Audience);
+    }
+
+    [Fact]
+    public void AzureADAuthenticationMatcher_Name_ShouldReturnCorrectName()
+    {
+        // Act
+        var name = _sut.Name;
+
+        // Assert
+        Assert.Equal("AzureADAuthenticationMatcher", name);
+    }
+
+    [Fact]
+    public void AzureADAuthenticationMatcher_GetPatterns_ShouldReturnEmptyPatterns()
+    {
+        // Act
+        var patterns = _sut.GetPatterns();
+
+        // Assert
+        Assert.NotNull(patterns);
+        Assert.Empty(patterns);
+    }
+
+    [Fact]
+    public void AzureADAuthenticationMatcher_IsMatch_ShouldReturnMismatch_WhenTokenIsInvalid()
+    {
+        // Arrange
+        var sut = new AzureADAuthenticationMatcher(new JwtSecurityTokenHandler(), _openIdConnectConfigurationManagerMock.Object, Tenant, Audience);
+        var invalidToken = "invalid-token";
+
+        // Act
+        var result = sut.IsMatch($"Bearer {invalidToken}");
+
+        // Assert
+        Assert.Equal(0.0, result.Score);
+        Assert.NotNull(result.Exception);
+    }
+
+    [Fact]
+    public void AzureADAuthenticationMatcher_IsMatch_ShouldReturnMismatch_WhenTokenIsNullOrEmpty()
+    {
+        // Act
+        var result = _sut.IsMatch(null);
+
+        // Assert
+        Assert.Equal(0.0, result.Score);
+        Assert.Null(result.Exception);
+    }
+
+    [Theory]
+    [InlineData(AzureADTokenVersion.V1)]
+    [InlineData(AzureADTokenVersion.V2)]
+    public void AzureADAuthenticationMatcher_IsMatch_ShouldReturnPerfect_WhenTokenIsValid(AzureADTokenVersion version)
+    {
+        // Arrange
+        var token = GenerateValidToken(Tenant, Audience, version);
+
+        // Act
+        var result = _sut.IsMatch($"Bearer {token}");
+
+        // Assert
+        Assert.Equal(1.0, result.Score);
+        Assert.Null(result.Exception);
+    }
+
+    [Theory]
+    [InlineData(AzureADTokenVersion.V1)]
+    [InlineData(AzureADTokenVersion.V2)]
+    public void AzureADAuthenticationMatcher_IsMatch_ShouldReturnMismatch_WhenTenantMismatch(AzureADTokenVersion version)
+    {
+        // Arrange
+        var sut = new AzureADAuthenticationMatcher(new JwtSecurityTokenHandler(), _openIdConnectConfigurationManagerMock.Object, Tenant, Audience);
+        var token = GenerateValidToken("different-tenant", Audience, version);
+
+        // Act
+        var result = sut.IsMatch($"Bearer {token}");
+
+        // Assert
+        Assert.Equal(0.0, result.Score);
+        Assert.NotNull(result.Exception);
+    }
+
+    private static string GenerateValidToken(string tenant, string audience, AzureADTokenVersion version)
+    {
+        var securityKey = new SymmetricSecurityKey(Encoding.UTF8.GetBytes($"test-signing-key-{Guid.NewGuid()}"));
+        var credentials = new SigningCredentials(securityKey, SecurityAlgorithms.HmacSha256);
+
+        var claims = new[]
+        {
+            new Claim(JwtRegisteredClaimNames.Sub, "test-user"),
+            new Claim(JwtRegisteredClaimNames.Jti, Guid.NewGuid().ToString()),
+            new Claim("tid", tenant)
+        };
+
+        var issuer = string.Format(IssuerUrlTemplates[version], tenant);
+
+        var token = new JwtSecurityToken(
+            issuer: issuer,
+            audience: audience,
+            claims: claims,
+            expires: DateTime.UtcNow.AddMinutes(30),
+            signingCredentials: credentials);
+
+        return new JwtSecurityTokenHandler().WriteToken(token);
+    }
+}
--- a/test/WireMock.Net.Tests/Authentication/MockJwtSecurityTokenHandler.cs
+++ b/test/WireMock.Net.Tests/Authentication/MockJwtSecurityTokenHandler.cs
@@ -0,0 +1,18 @@
+// Copyright © WireMock.Net
+
+using System.IdentityModel.Tokens.Jwt;
+using System.Security.Claims;
+using Microsoft.IdentityModel.Tokens;
+
+namespace WireMock.Net.Tests.Authentication;
+
+internal class MockJwtSecurityTokenHandler : JwtSecurityTokenHandler
+{
+    public override ClaimsPrincipal ValidateToken(string token, TokenValidationParameters validationParameters, out SecurityToken validatedToken)
+    {
+        validatedToken = new JwtSecurityToken();
+        var claims = new[] { new Claim(ClaimTypes.Name, "TestUser") };
+        var identity = new ClaimsIdentity(claims, "TestAuthType");
+        return new ClaimsPrincipal(identity);
+    }
+}