Merge branch 'dev' into trwalke/ConsolidateTestStatics

Author: trwalke

.github/workflows/dotnetcore.yml

@@ -1,5 +1,9 @@
 name: .NET Core
 
+permissions:
+  contents: read
+  pull-requests: write
+
 on:
   push:
     branches:
@@ -30,20 +34,43 @@ jobs:
       uses: actions/[email protected]
       with:
         dotnet-version: 6.0.x
-
     - name: Setup .NET 8.0.x
       uses: actions/[email protected]
       with:
         dotnet-version: 8.0.x
-
     - name: Setup .NET 9.0.x
       uses: actions/[email protected]
       with:
         dotnet-version: 9.0.100-rc.2.24474.11
 
     - name: Run the tests
-      run: dotnet test Wilson.sln
+      run: dotnet test Wilson.sln --collect:"XPlat Code Coverage" --settings:./build/CodeCoverage.runsettings
+
+    - name: Create code coverage report
+      run: |
+        dotnet tool install -g dotnet-reportgenerator-globaltool
+        reportgenerator -reports:./**/coverage.cobertura.xml -targetdir:CodeCoverage -reporttypes:'MarkdownSummaryGithub;Cobertura'
+
+    - name: Write Coverage to Job Summary
+      shell: bash
+      run: |
+        cat CodeCoverage/SummaryGithub.md >> $GITHUB_STEP_SUMMARY
+        echo "COMMENT_CONTENT_ENV_VAR<<EOF" >> $GITHUB_ENV
+        echo $(cat CodeCoverage/SummaryGithub.md) >> $GITHUB_ENV
+        echo "EOF" >> $GITHUB_ENV
+
+    - name: Comment Coverage in PR
+      uses: actions/github-script@v7
+      id: comment
+      with:
+        script: |
+          github.rest.issues.createComment({
+            issue_number: context.issue.number,
+            owner: context.repo.owner,
+            repo: context.repo.repo,
+            body: process.env.COMMENT_CONTENT_ENV_VAR
+          })
 
     # Run baseline package validation
     - name: Pack
-      run: dotnet pack Product.proj --no-restore --no-build
+      run: dotnet pack Product.proj --no-restore --no-build

build/CodeCoverage.runsettings

@@ -40,6 +40,10 @@ Included items must then not match any entries in the exclude list to remain inc
                                 <ModulePath>.*\microsoft.identitymodel.xml.dll</ModulePath>
                                 <ModulePath>.*\system.identitymodel.tokens.jwt.dll</ModulePath>
                             </Include>
+                            <Exclude>
+                                <ModulePath>.*\\test\\.*</ModulePath>
+                                <ModulePath>.*Test\.dll</ModulePath>
+                            </Exclude>
                         </ModulePaths>
                         <Attributes>
                             <Exclude>

build/commonTest.props

@@ -39,6 +39,10 @@
   </ItemGroup>
 
   <ItemGroup>
+    <PackageReference Include="coverlet.collector" Version="$(CoverletCollectorVersion)">
+      <IncludeAssets>runtime; build; native; contentfiles; analyzers; buildtransitive</IncludeAssets>
+      <PrivateAssets>all</PrivateAssets>
+    </PackageReference>
     <PackageReference Include="Microsoft.CodeAnalysis.BannedApiAnalyzers" Version="$(BannedApiAnalyzersVersion)">
       <PrivateAssets>all</PrivateAssets>
       <IncludeAssets>runtime; build; native; contentfiles; analyzers</IncludeAssets>

build/dependenciesTest.props

@@ -1,5 +1,6 @@
 <Project>
   <PropertyGroup>
+    <CoverletCollectorVersion>6.0.2</CoverletCollectorVersion>
     <BannedApiAnalyzersVersion>3.3.4</BannedApiAnalyzersVersion>
     <DotNetCoreAppRuntimeVersion>2.1.30</DotNetCoreAppRuntimeVersion>
     <MicrosoftAzureKeyVaultCryptographyVersion>3.0.5</MicrosoftAzureKeyVaultCryptographyVersion>

test/Microsoft.IdentityModel.AotCompatibility.Tests/AotCompatibilityTests.cs

@@ -32,7 +32,7 @@ public AotCompatibilityTests(ITestOutputHelper testOutputHelper)
         ///
         /// You can also 'dotnet publish' the 'Microsoft.IdentityModel.AotCompatibility.TestApp.csproj' as well to get the errors.
         /// </summary>
-        [Fact(Skip = "need to adjust timeout")]
+        [Fact]
         public void EnsureAotCompatibility()
         {
             string testAppPath = Path.Combine("..", "..", "..", "..", "Microsoft.IdentityModel.AotCompatibility.TestApp");

test/Microsoft.IdentityModel.JsonWebTokens.Tests/JsonWebTokenHandler.ValidateTokenAsyncTests.Decryption.cs

@@ -0,0 +1,183 @@
+// Copyright (c) Microsoft Corporation. All rights reserved.
+// Licensed under the MIT License.
+
+#nullable enable
+#if NET472 || NET6_0_OR_GREATER
+using System;
+using Newtonsoft.Json.Linq;
+#endif
+using System.Collections.Generic;
+using System.Threading.Tasks;
+using Microsoft.IdentityModel.TestUtils;
+using Microsoft.IdentityModel.Tokens;
+using Xunit;
+
+namespace Microsoft.IdentityModel.JsonWebTokens.Tests
+{
+    public partial class JsonWebTokenHandlerValidateTokenAsyncTests
+    {
+        [Theory, MemberData(nameof(ValidateTokenAsync_DecryptionTestCases), DisableDiscoveryEnumeration = true)]
+        public async Task ValidateTokenAsync_Decryption(ValidateTokenAsyncDecryptionTheoryData theoryData)
+        {
+            var context = TestUtilities.WriteHeader($"{this}.ValidateTokenAsync_Decryption", theoryData);
+
+            string jwtString = CreateEncryptedToken(theoryData.EncryptingCredentials, theoryData.AdditionalHeaderClaims);
+
+            await ValidateAndCompareResults(jwtString, theoryData, context);
+
+            TestUtilities.AssertFailIfErrors(context);
+        }
+
+        public static TheoryData<ValidateTokenAsyncDecryptionTheoryData> ValidateTokenAsync_DecryptionTestCases
+        {
+            get
+            {
+                var theoryData = new TheoryData<ValidateTokenAsyncDecryptionTheoryData>();
+
+                theoryData.Add(new ValidateTokenAsyncDecryptionTheoryData("Valid_JWE_Aes128Cbc_HmacSha256")
+                {
+                    EncryptingCredentials = new EncryptingCredentials(
+                        KeyingMaterial.DefaultX509Key_2048,
+                        SecurityAlgorithms.RsaPKCS1,
+                        SecurityAlgorithms.Aes128CbcHmacSha256),
+                    TokenValidationParameters = CreateTokenValidationParameters(KeyingMaterial.DefaultX509Key_2048),
+                    ValidationParameters = CreateValidationParameters(KeyingMaterial.DefaultX509Key_2048),
+                });
+
+#if NET472 || NET6_0_OR_GREATER
+                theoryData.Add(new ValidateTokenAsyncDecryptionTheoryData("Valid_JWE_EcdhEs")
+                {
+                    EncryptingCredentials = new EncryptingCredentials(
+                                    new ECDsaSecurityKey(KeyingMaterial.JsonWebKeyP521, true),
+                                    SecurityAlgorithms.EcdhEsA256kw,
+                                    SecurityAlgorithms.Aes128CbcHmacSha256)
+                    {
+                        KeyExchangePublicKey = KeyingMaterial.JsonWebKeyP521_Public
+                    },
+                    AdditionalHeaderClaims = AdditionalEcdhEsHeaderParameters(KeyingMaterial.JsonWebKeyP521_Public),
+                    TokenValidationParameters = CreateTokenValidationParameters(new ECDsaSecurityKey(KeyingMaterial.JsonWebKeyP521, true)),
+                    ValidationParameters = CreateValidationParameters(new ECDsaSecurityKey(KeyingMaterial.JsonWebKeyP521, true)),
+                });
+#endif
+
+                theoryData.Add(new ValidateTokenAsyncDecryptionTheoryData("Invalid_JWE_NoDecryptionKeys")
+                {
+                    EncryptingCredentials = new EncryptingCredentials(
+                            KeyingMaterial.DefaultX509Key_2048,
+                            SecurityAlgorithms.RsaPKCS1,
+                            SecurityAlgorithms.Aes128CbcHmacSha256),
+                    TokenValidationParameters = CreateTokenValidationParameters(),
+                    ValidationParameters = CreateValidationParameters(),
+                    ExpectedIsValid = false,
+                    ExpectedException = ExpectedException.SecurityTokenDecryptionFailedException("IDX10609:"),
+                });
+
+                theoryData.Add(new ValidateTokenAsyncDecryptionTheoryData("Invalid_JWE_WrongDecryptionKey")
+                {
+                    EncryptingCredentials = new EncryptingCredentials(
+                            KeyingMaterial.DefaultX509Key_2048,
+                            SecurityAlgorithms.RsaPKCS1,
+                            SecurityAlgorithms.Aes128CbcHmacSha256),
+                    TokenValidationParameters = CreateTokenValidationParameters(KeyingMaterial.DefaultRsaSecurityKey1),
+                    ValidationParameters = CreateValidationParameters(KeyingMaterial.DefaultRsaSecurityKey1),
+                    ExpectedIsValid = false,
+                    ExpectedException = ExpectedException.SecurityTokenKeyWrapException("IDX10618:"),
+                    // Avoid comparing the full exception message as the stack traces for the inner exceptions are different.
+                    ExpectedExceptionValidationParameters = ExpectedException.SecurityTokenKeyWrapException("IDX10618:"),
+                });
+
+                return theoryData;
+
+                static TokenValidationParameters CreateTokenValidationParameters(
+                    SecurityKey? tokenDecryptionKey = null, bool tryAllKeys = false)
+                {
+                    // Skip all validations. We just want to decrypt the JWE.
+                    var tokenValidationParameters = new TokenValidationParameters
+                    {
+                        ValidateAudience = false,
+                        ValidateIssuer = false,
+                        ValidateLifetime = false,
+                        ValidateTokenReplay = false,
+                        ValidateIssuerSigningKey = false,
+                        RequireSignedTokens = false,
+                        TokenDecryptionKey = tokenDecryptionKey,
+                    };
+
+                    return tokenValidationParameters;
+                }
+
+                static ValidationParameters CreateValidationParameters(SecurityKey? tokenDecryptionKey = null)
+                {
+                    ValidationParameters validationParameters = new ValidationParameters();
+
+                    if (tokenDecryptionKey is not null)
+                        validationParameters.TokenDecryptionKeys = [tokenDecryptionKey];
+
+
+                    // Skip all validations. We just want to decrypt the JWE
+                    validationParameters.AlgorithmValidator = SkipValidationDelegates.SkipAlgorithmValidation;
+                    validationParameters.AudienceValidator = SkipValidationDelegates.SkipAudienceValidation;
+                    validationParameters.IssuerSigningKeyValidator = SkipValidationDelegates.SkipIssuerSigningKeyValidation;
+                    validationParameters.IssuerValidatorAsync = SkipValidationDelegates.SkipIssuerValidation;
+                    validationParameters.LifetimeValidator = SkipValidationDelegates.SkipLifetimeValidation;
+                    validationParameters.SignatureValidator = SkipValidationDelegates.SkipSignatureValidation;
+                    validationParameters.TokenReplayValidator = SkipValidationDelegates.SkipTokenReplayValidation;
+                    validationParameters.TokenTypeValidator = SkipValidationDelegates.SkipTokenTypeValidation;
+
+                    return validationParameters;
+                }
+
+
+#if NET472 || NET6_0_OR_GREATER
+                static Dictionary<string, object> AdditionalEcdhEsHeaderParameters(JsonWebKey publicKeySender)
+                {
+                    // Create the Ephemeral Public Key (Epk) header parameter as a JWK.
+                    var epkJObject = new JObject();
+                    epkJObject.Add(JsonWebKeyParameterNames.Kty, publicKeySender.Kty);
+                    epkJObject.Add(JsonWebKeyParameterNames.Crv, publicKeySender.Crv);
+                    epkJObject.Add(JsonWebKeyParameterNames.X, publicKeySender.X);
+                    epkJObject.Add(JsonWebKeyParameterNames.Y, publicKeySender.Y);
+
+                    // Set the Ephemeral Public Key (Epk) header parameter, along with the
+                    // Agreement PartyUInfo (Apu) and Agreement PartyVInfo (Apv) header parameters
+                    // to ensure that the ECDH-ES key agreement is successful.
+                    Dictionary<string, object> additionalHeaderParams = new Dictionary<string, object>()
+                    {
+                        { JsonWebTokens.JwtHeaderParameterNames.Apu, Guid.NewGuid().ToString() },
+                        { JsonWebTokens.JwtHeaderParameterNames.Apv, Guid.NewGuid().ToString() },
+                        { JsonWebTokens.JwtHeaderParameterNames.Epk, epkJObject.ToString(Newtonsoft.Json.Formatting.None) }
+                    };
+
+                    return additionalHeaderParams;
+                }
+#endif
+            }
+        }
+
+        public class ValidateTokenAsyncDecryptionTheoryData : ValidateTokenAsyncBaseTheoryData
+        {
+            public ValidateTokenAsyncDecryptionTheoryData(string testId) : base(testId) { }
+
+            public EncryptingCredentials? EncryptingCredentials { get; set; }
+
+            public Dictionary<string, object>? AdditionalHeaderClaims { get; set; } = null;
+        }
+
+        private static string CreateEncryptedToken(
+            EncryptingCredentials? encryptingCredentials,
+            Dictionary<string, object>? additionalHeaderClaims = null)
+        {
+            JsonWebTokenHandler jsonWebTokenHandler = new JsonWebTokenHandler();
+
+            SecurityTokenDescriptor securityTokenDescriptor = new SecurityTokenDescriptor
+            {
+                Subject = Default.ClaimsIdentity,
+                EncryptingCredentials = encryptingCredentials,
+                AdditionalHeaderClaims = additionalHeaderClaims,
+            };
+
+            return jsonWebTokenHandler.CreateToken(securityTokenDescriptor);
+        }
+    }
+}
+#nullable restore