Asp.Net MVC Unit Testing Authorization

-

Asp.Net provides the Authorize attribute for checking to make sure you have an authenticated user and that they are in the correct role(s). Since this is part of the framework, I don’t need to test the attribute (that’s Microsoft’s job). I do want to test that I have applied the attribute with the correct properties.

Here’s my unit test code for checking that the attribute has been applied.

[TestMethod()]
public void Autorization_Attributes_Have_Been_Applied()
{

MethodInfo[] methodInfos = typeof(CustomersController).GetMethods(BindingFlags.Public |
BindingFlags.Static);

foreach (MethodInfo methodInfo in methodInfos)
{
ParameterInfo[] parmInfo = methodInfo.GetParameters();
if (methodInfo.Name == "Create" | methodInfo.Name == "Edit")
{
var attributes = methodInfo.GetCustomAttributes(typeof(AuthorizeAttribute), true);
Assert.IsNotNull(attributes);
Assert.AreEqual(1, attributes.Length);
var authorizeAttribute = (AuthorizeAttribute)attributes[0];
Assert.IsTrue(authorizeAttribute.Roles.Contains(ApplicationRoles.ChangeCustomersGroup));
}

if (methodInfo.Name == "Index")
{
var attributes = methodInfo.GetCustomAttributes(typeof(AuthorizeAttribute), true);
Assert.IsNotNull(attributes);
Assert.AreEqual(1, attributes.Length);
var authorizeAttribute = (AuthorizeAttribute)attributes[0];
Assert.IsTrue(authorizeAttribute.Roles.Contains(ApplicationRoles.ViewCustomersGroup));
}
}
}
Depending on how much you need to test, you can make sure that only specific roles are applied, etc. My sample above only checks for the Index, Create and Edit methods and allows all others to fall through. You could make it fail so that any public method that wasn’t checked failed the test. Remember, if it’s public on your controller it can be called.



Update: April 1, 2010 -- Josh has taken this to the next step. Check it out here.

Comments

Josh Schramm said…
hey Paul, great post, helped me out a lot. I hope you don't mind but I took your example here and tweaked it a bit. I wrote about it here if your curious - http://joshreedschramm.com/2010/03/unit-testing-role-based-security-w-asp-net-mvc/

Thanks again.
April 1, 2010 at 9:47 AM
Paul G Brown said…
Thanks Josh. Your stuff looks great and I've added a link in the post so everyone will see it. I'll also be posting some stuff that I've developed for testing around the move to declarative validation.
April 1, 2010 at 12:14 PM
Post a Comment

Popular posts from this blog

Migrating Legacy Apps to the New SimpleMembership Provider

-
Image
Asp.Net MVC4 uses the new SimpleMembership provider, changes the table structure and adds a new hashing algorithm. The reasons for the changes can be found in this article by Jon Galloway. This article shows how to migrate your existing apps to the new provider. I’m assuming that you stored your passwords in the unrecoverable SHA-1 format. If you didn’t, then you’ll have to change a couple of things. All of my apps are done this way so… I’m also assuming that you have created the basic skeleton of the new app and ran it once so the correct tables will be created. First, we’ll look at the new tables. Previously, we had all of those aspnet_xxxxxx tables. Here’s the new ones. UserProfile Contains all of the elements relevant to the user. This is a combination of the aspnet_Users table and the aspnet_Profiles table. webpages_Membership Stores the password info when not using OAuth, Live, Facebook, etc. This table is somewhat of a match to the aspnet_Membership table. webpage...
Read more

Windows 8 Keyboard Shortcuts

-
Image
There are numerous posts on the keyboard shortcuts in Windows 8. I’m not going to regurgitate those. Here are the common things you’ll want to do. Shut Your Computer Off, Network / Wi-Fi, Volume, Keyboard Press Windows+I which brings up the Settings bar (below left). Search, Change Application Settings, Manage Devices Windows+C which brings up the Charms bar (above right). Want to find a song or artist in Music, use The rest of the story If you want to read about other short-cuts and print a handy-dandy cheat sheet, visit the Windows Experience Blog . IE 10 Want to get the most out of IE10, then How-To Geek’s The Best Tips and Tricks for Getting the Most out of Internet Explorer 10 is exactly what you need. There’s also Internet Explorer 10 Shortcut Keys In Windows 8 which has some Windows 8 stuff also.
Read more

Get Asp.Net Profile properties from Sql

-
Image
Ever wanted to include the profile information from an Asp.Net profile in a query? It’s not that hard once you understand the structure. I’ve written a little function that does all the work. Note: I’m using Sql Server as my repository. First we need to understand how the profile data is stored. Looking at the aspnet_Profile table, we can see that it stores the information in two columns: PropertyNames and PropertyValuesString. Looking at PropertyNames we can see that it has a basic structure of Property Name, Data Type, Starting Position and Length. For example, in the string “FirstName:S:0:4:Phone:S:4:10:LastName:S:14:5:” we can see that FirstName is of type string, starts at position 0 and has a length of 4. Notice the zero base for the starting position, we need to correct for that in our function. This means in the PropertyValuesString “John2175551212Smith”, we would start with the first position and proceed 4 c...
Read more