more end to end tests for sidecar (#3477)

* Adding E2E test

* Improving the tests

* Fix name

* Apply suggestion from @keegan-caruso

Co-authored-by: Keegan <[email protected]>

---------

Co-authored-by: Keegan <[email protected]>

Author: 2 people

src/Microsoft.Identity.Web.AgentIdentities/Microsoft.Identity.Web.AgentIdentities.csproj

@@ -3,7 +3,7 @@
 
     <Title>Microsoft Identity Web Agentic Identity support</Title>
     <Product>Microsoft Identity Web for Agent Identities</Product>
-    <Description>Helper methods for Agent applications to act as the agent identities.</Description>
+    <Description>Helper methods for Agent identity blueprint to act as the agent identities.</Description>
     <PackageReadmeFile>README.md</PackageReadmeFile>
 
     <!-- The package is new in 3.10.0.-->

src/Microsoft.Identity.Web.Sidecar/Endpoints/ValidateRequestEndpoints.cs

@@ -23,8 +23,10 @@ public static void AddValidateRequestEndpoints(this WebApplication app)
     private static Results<Ok<ValidateAuthorizationHeaderResult>, ProblemHttpResult> ValidateEndpoint(HttpContext httpContext, IConfiguration configuration)
     {
         string scopeRequiredByApi = configuration["AzureAd:Scopes"] ?? string.Empty;
-        httpContext.VerifyUserHasAnyAcceptedScope(scopeRequiredByApi);
-
+        if (!string.IsNullOrWhiteSpace(scopeRequiredByApi))
+        {
+            httpContext.VerifyUserHasAnyAcceptedScope(scopeRequiredByApi);
+        }
         var claimsPrincipal = httpContext.User;
         var token = claimsPrincipal.GetBootstrapToken() as JsonWebToken;
 

src/Microsoft.Identity.Web.Sidecar/appsettings.json

@@ -20,7 +20,8 @@ For more info see https://aka.ms/dotnet-template-ms-identity-platform
             }
         ],
 
-        "EnablePiiLogging": false
+        "EnablePiiLogging": false,
+        "AllowWebApiToBeAuthorizedByACL": true,
     },
 
     "DownstreamApi": {
@@ -37,7 +38,7 @@ For more info see https://aka.ms/dotnet-template-ms-identity-platform
             "Microsoft.AspNetCore": "Warning"
         }
     },
-    "AllowedHosts": "*"
+    "AllowedHosts": "*",
 }
 
 

tests/E2E Tests/Sidecar.Tests/Sidecar.Tests.csproj

@@ -10,6 +10,15 @@
 
   </PropertyGroup>
   <ItemGroup>
+    <None Remove="appsettings.agentids.json" />
+  </ItemGroup>
+  <ItemGroup>
+    <Content Include="appsettings.agentids.json">
+      <CopyToOutputDirectory>Always</CopyToOutputDirectory>
+    </Content>
+  </ItemGroup>
+  <ItemGroup>
+    <PackageReference Include="Microsoft.AspNetCore.Authentication.JwtBearer" Version="9.0.9" NoWarn="NU1605" />
     <PackageReference Include="Microsoft.AspNetCore.Mvc.Testing" Version="9.0.0" />
     <PackageReference Include="xunit" Version="2.9.0" />
     <PackageReference Include="xunit.runner.visualstudio" Version="2.8.2" />

tests/E2E Tests/Sidecar.Tests/ValidateEndpointTests.cs

@@ -2,16 +2,29 @@
 // Licensed under the MIT License.
 
 using System.Net.Http.Headers;
+using Microsoft.AspNetCore.Hosting;
 using Microsoft.AspNetCore.Mvc.Testing;
+using Microsoft.Extensions.Configuration;
+using Microsoft.Extensions.DependencyInjection;
+using Microsoft.Identity.Abstractions;
+using Microsoft.Identity.Web;
 using Microsoft.Identity.Web.Sidecar;
+using Microsoft.Identity.Web.TokenCacheProviders.InMemory;
 using Xunit;
 
 namespace Sidecar.Tests;
 
 public class SidecarApiFactory : WebApplicationFactory<Program>
 {
-    protected override void ConfigureWebHost(Microsoft.AspNetCore.Hosting.IWebHostBuilder builder)
+    protected override void ConfigureWebHost(IWebHostBuilder builder)
     {
+        builder.ConfigureAppConfiguration(builder =>
+        {
+            builder.AddJsonFile(
+                 path: Path.Combine(Directory.GetCurrentDirectory().ToString(), "appsettings.agentids.json"),
+                 optional: false,
+                 reloadOnChange: true);
+        });
         builder.ConfigureServices(services =>
         {
         });
@@ -34,4 +47,50 @@ public async Task Validate_WhenBadTokenAsync()
         var content = await response.Content.ReadAsStringAsync();
         Assert.Contains("invalid_token", response.Headers.WwwAuthenticate.ToString(), StringComparison.CurrentCultureIgnoreCase);
     }
+
+    [Fact]
+    public async Task Validate_WhenGoodTokenAsync()
+    {
+        // Getting a token to call the API.
+        string authorizationHeader = await GetAuthorizationHeaderToCallTheSideCarAsync();
+
+        // Calling the API
+        var client = _factory.CreateClient();
+
+        client.DefaultRequestHeaders.Authorization = AuthenticationHeaderValue.Parse(authorizationHeader);
+        var response = await client.GetAsync("/Validate");
+        Assert.Equal(System.Net.HttpStatusCode.OK, response.StatusCode);
+        var content = await response.Content.ReadAsStringAsync();
+
+        Assert.NotEmpty(content);
+    }
+
+    private static async Task<string> GetAuthorizationHeaderToCallTheSideCarAsync()
+    {
+        ServiceCollection services = new();
+        IConfiguration configuration = new ConfigurationBuilder().AddInMemoryCollection().Build();
+        services.AddSingleton<IConfiguration>(configuration);
+        configuration["Instance"] = "https://login.microsoftonline.com/";
+        configuration["TenantId"] = "31a58c3b-ae9c-4448-9e8f-e9e143e800df";
+        configuration["ClientId"] = "5cbcd9ff-c994-49ac-87e7-08a93a9c0794";
+        configuration["SendX5C"] = "true";
+        configuration["ClientCredentials:0:SourceType"] = "StoreWithDistinguishedName";
+        configuration["ClientCredentials:0:CertificateStorePath"] = "LocalMachine/My";
+        configuration["ClientCredentials:0:CertificateDistinguishedName"] = "CN=LabAuth.MSIDLab.com";
+
+        services.AddTokenAcquisition().AddHttpClient().AddInMemoryTokenCaches();
+        services.Configure<MicrosoftIdentityApplicationOptions>(configuration);
+        IServiceProvider serviceProvider = services.BuildServiceProvider();
+
+        IAuthorizationHeaderProvider authorizationHeaderProvider = serviceProvider.GetRequiredService<IAuthorizationHeaderProvider>();
+        string authorizationHeader = await authorizationHeaderProvider.CreateAuthorizationHeaderForAppAsync("api://d15884b6-a447-4dd5-a5a5-a668c49f6300/.default",
+            new AuthorizationHeaderProviderOptions()
+            {
+                AcquireTokenOptions = new AcquireTokenOptions()
+                {
+                    AuthenticationOptionsName = ""
+                }
+            });
+        return authorizationHeader;
+    }
 }

tests/E2E Tests/Sidecar.Tests/appsettings.agentids.json

@@ -0,0 +1,22 @@
+{
+    "$schema": "https://raw.githubusercontent.com/AzureAD/microsoft-identity-web/refs/heads/master/JsonSchemas/microsoft-identity-web.json",
+    "AzureAd": {
+        "Instance": "https://login.microsoftonline.com/",
+        "TenantId": "31a58c3b-ae9c-4448-9e8f-e9e143e800df",
+        "ClientId": "d15884b6-a447-4dd5-a5a5-a668c49f6300", // Agent application ClientId
+        "ClientCredentials": [
+            {
+                "SourceType": "StoreWithDistinguishedName",
+                "CertificateStorePath": "LocalMachine/My",
+                "CertificateDistinguishedName": "CN=LabAuth.MSIDLab.com"
+            }
+        ],
+        "Scopes": "",
+
+        "Audience": "d15884b6-a447-4dd5-a5a5-a668c49f6300"
+    },
+ 
+    "DownstreamApis": {
+    
+    }
+}