I am trying to unit test, with NUnit in C#, a custom authorization attribute. In particular, in case of non-authorization, a specific status code and an HTTP message are returned.
My attribute is super simple - it looks like this:

    public class AuthorizationAttribute : AuthorizeAttribute
    {
        public override void OnAuthorization(System.Web.Http.Controllers.HttpActionContext actionContext)
        {
            if (IsAuthorized(actionContext))
                return;

            HandleUnauthorizedRequest(actionContext);
        }

        protected override void HandleUnauthorizedRequest(System.Web.Http.Controllers.HttpActionContext actionContext)
        {
            actionContext.Response = actionContext.Request.CreateErrorResponse(HttpStatusCode.Forbidden, "You are not authorized to access this resource");
        }
    }

So, to test this (and I am currently new to testing), I combined the following code. In it, I add a common identifier with the username and some role data.

    public void Given_UserIsNotInAuthorizedRoles_When_Auhtorizing_ReturnsForbidden()
    {
        // Arrange
        IPrincipal principal = new GenericPrincipal(new GenericIdentity("TestName"), new[] { "TestRole" });

        HttpActionContext mockActionContext = new HttpActionContext()
        {
            ControllerContext = new HttpControllerContext()
            {
                Request = new HttpRequestMessage(),
                RequestContext = new HttpRequestContext() { Principal = principal }
            },
            ActionArguments = { { "SomeArgument", "null" } }
        };

        mockActionContext.ControllerContext.Configuration = new HttpConfiguration();
        mockActionContext.ControllerContext.Configuration.Formatters.Add(new JsonMediaTypeFormatter());

        // Act
        AuthorizationAttribute authAttr = new AuthorizationAttribute();
        authAttr.OnAuthorization(mockActionContext);

        // Assert
        Assert.IsTrue(mockActionContext.Response.StatusCode == System.Net.HttpStatusCode.Forbidden);
    }

The mock controller is as follows:

    [Authorization(Roles = "AdminRoleOnly", Users = "A user")]
    internal class MockController : ApiController
    {
    }

When I debug, I find that `if (IsAuthorized(actionContext))` returns true - which I don't understand.
Can someone please tell me why my authorize attribute passes this credential as good?
For what it's worth, this code works in production. I am filling out some tests again.
Some of them are interconnected.
I read the question and answer on a similar ASP.NET MVC question, checking the custom attribute AuthorizeAttribute, although neither actually works nor is related, especially considering they're for MVC controllers, not API controllers.
I also read and tried to implement the code in the answer to this question too: "Mocking HttpActionContext.ActionArguments when testing Web.Api ActionFilter".
The latter gets me somewhere close to the fact that my authorization attribute runs in the test, and I can pass the necessary contextual information.
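
Added example (not part of the original post): the test above builds the attribute with `new AuthorizationAttribute()`, so its `Roles` and `Users` are empty and `AuthorizeAttribute.IsAuthorized` only requires an authenticated principal; the `[Authorization(...)]` on `MockController` is never read. The sketch below sets `Roles` on the instance under test and covers both the deny and allow paths; the fixture name and the `ContextFor` helper are hypothetical, and it assumes Web API 2 and NUnit 3 or later.

```csharp
using System.Net;
using System.Net.Http;
using System.Security.Principal;
using System.Web.Http;
using System.Web.Http.Controllers;
using NUnit.Framework;

[TestFixture]
public class AuthorizationAttributeTests // hypothetical fixture name
{
    // Hypothetical helper: an action context whose principal holds the given roles.
    private static HttpActionContext ContextFor(params string[] roles)
    {
        var config = new HttpConfiguration();
        var request = new HttpRequestMessage();
        request.SetConfiguration(config); // CreateErrorResponse needs a configuration
        var principal = new GenericPrincipal(new GenericIdentity("TestName"), roles);
        return new HttpActionContext
        {
            ControllerContext = new HttpControllerContext
            {
                Request = request,
                RequestContext = new HttpRequestContext { Principal = principal, Configuration = config }
            }
        };
    }

    [Test]
    public void UserOutsideConfiguredRole_GetsForbidden()
    {
        var context = ContextFor("TestRole");
        new AuthorizationAttribute { Roles = "AdminRoleOnly" }.OnAuthorization(context);
        Assert.That(context.Response.StatusCode, Is.EqualTo(HttpStatusCode.Forbidden));
    }

    [Test]
    public void UserInConfiguredRole_IsLetThrough()
    {
        var context = ContextFor("AdminRoleOnly");
        new AuthorizationAttribute { Roles = "AdminRoleOnly" }.OnAuthorization(context);
        Assert.That(context.Response, Is.Null); // no error response was set
    }

    [Test]
    public void AttributeWithoutRolesOrUsers_AcceptsAnyAuthenticatedUser()
    {
        var context = ContextFor("TestRole");
        new AuthorizationAttribute().OnAuthorization(context);
        Assert.That(context.Response, Is.Null); // the behaviour seen in the question
    }
}
```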