Testing custom Authorize Attribute in ASP.NET Web API
using NSubstitute;
using NUnit.Framework;
using System.Collections.ObjectModel;
using System.Net;
using System.Net.Http;
using System.Security.Claims;
using System.Security.Principal;
using System.Threading;
using System.Web.Http;
using System.Web.Http.Controllers;
namespace API.Tests
{
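[TestFixture]
public class FabrikAuthorizeAttributeTests
{
    // The authorization filter under test; a fresh instance per test so no state leaks between cases.
    FabrikAuthorizeAttribute filter;

    // A minimal action context whose controller and action carry NO [AllowAnonymous],
    // so the filter's anonymous-access opt-out is never taken by any test in this fixture.
    HttpActionContext actionContext;

    // Thread.CurrentPrincipal as the test runner left it; restored in TearDown so a fake identity
    // installed by one test cannot bleed into other fixtures executing on the same thread.
    IPrincipal originalPrincipal;

    [SetUp]
    public void SetUp()
    {
        // Empty attribute collection: neither the controller nor the action opts out of authorization.
        var noAllowAnonymous = new Collection<AllowAnonymousAttribute>();

        var controllerDescriptor = Substitute.For<HttpControllerDescriptor>();
        controllerDescriptor.GetCustomAttributes<AllowAnonymousAttribute>().Returns(noAllowAnonymous);

        var controllerContext = new HttpControllerContext
        {
            Request = new HttpRequestMessage(),
            ControllerDescriptor = controllerDescriptor
        };

        var actionDescriptor = Substitute.For<HttpActionDescriptor>();
        actionDescriptor.GetCustomAttributes<AllowAnonymousAttribute>().Returns(noAllowAnonymous);

        actionContext = new HttpActionContext(controllerContext, actionDescriptor);

        // NOTE(review): these tests feed the identity through Thread.CurrentPrincipal. If
        // FabrikAuthorizeAttribute derives from the Web API 2 AuthorizeAttribute, IsAuthorized reads
        // actionContext.ControllerContext.RequestContext.Principal instead — confirm the filter's
        // principal source matches what the tests set, otherwise they exercise the wrong path.
        originalPrincipal = Thread.CurrentPrincipal;
        filter = new FabrikAuthorizeAttribute();
    }

    [TearDown]
    public void TearDown()
    {
        Thread.CurrentPrincipal = originalPrincipal;
    }

    [Test]
    public void Returns_unauthorized_response_if_user_is_not_authenticated()
    {
        // Install an unauthenticated principal explicitly rather than relying on whatever the test
        // host left in Thread.CurrentPrincipal (under some runners/principal policies that is an
        // authenticated Windows principal, which would make this test vacuous or flaky).
        Thread.CurrentPrincipal = GetAnonymousUser();

        filter.OnAuthorization(actionContext);

        AssertUnauthorized();
    }

    [Test]
    public void Returns_unauthorized_response_if_user_is_authenticated_but_does_not_have_a_subscription()
    {
        // NOTE(review): an authenticated caller that merely lacks a subscription is arguably a
        // 403 Forbidden rather than 401 Unauthorized; this pins the attribute's current contract.
        Thread.CurrentPrincipal = GetTestUser(hasSubscription: false);

        filter.OnAuthorization(actionContext);

        AssertUnauthorized();
    }

    [Test]
    public void Returns_unauthorized_response_if_identity_carries_trusted_role_but_is_not_authenticated()
    {
        // Regression guard composed from the two rules above: "not authenticated => 401" must win
        // over "trusted role => allowed". ClaimsPrincipal.IsInRole answers from claims alone, so a
        // role check performed before the IsAuthenticated check would let this identity through.
        var unauthenticatedWithRole = new ClaimsIdentity(new[] {
            new Claim(ClaimTypes.Role, Constants.TrustedClientRole)
        }); // no authentication type => IsAuthenticated == false
        Thread.CurrentPrincipal = new ClaimsPrincipal(unauthenticatedWithRole);

        filter.OnAuthorization(actionContext);

        AssertUnauthorized();
    }

    [Test]
    public void Short_circuits_request_if_user_is_authenticated_and_has_a_subscription()
    {
        // A null Response means the filter did NOT short-circuit: the request proceeds to the action.
        // (The test name reads inverted; kept for discoverability in existing runs.)
        Thread.CurrentPrincipal = GetTestUser(hasSubscription: true);

        filter.OnAuthorization(actionContext);

        Assert.IsNull(actionContext.Response, "filter should let a subscribed user through");
    }

    [Test]
    public void Short_circuits_request_if_user_is_authenticated_and_in_system_role()
    {
        // The trusted-client role bypasses the subscription requirement, but only for an
        // authenticated identity (GetTestUser assigns the "basic" authentication type).
        Thread.CurrentPrincipal = GetTestUser(hasSubscription: false, role: Constants.TrustedClientRole);

        filter.OnAuthorization(actionContext);

        Assert.IsNull(actionContext.Response, "filter should let a trusted-role user through");
    }

    /// <summary>
    /// Asserts that the filter short-circuited the request with a 401 response. Checking for a
    /// non-null Response first turns a missing response into a clear failure instead of a
    /// NullReferenceException.
    /// </summary>
    private void AssertUnauthorized()
    {
        Assert.NotNull(actionContext.Response, "filter should have short-circuited the request with a response");
        Assert.That(actionContext.Response.StatusCode, Is.EqualTo(HttpStatusCode.Unauthorized));
    }

    /// <summary>
    /// Builds a principal that reports IsAuthenticated == false: a ClaimsIdentity constructed
    /// without an authentication type is unauthenticated regardless of any claims it carries.
    /// </summary>
    private static IPrincipal GetAnonymousUser()
    {
        return new ClaimsPrincipal(new ClaimsIdentity());
    }

    /// <summary>
    /// Builds an authenticated ("basic") claims principal for the tests.
    /// </summary>
    /// <param name="hasSubscription">Written as the subscription claim value via bool.ToString(),
    /// i.e. the literal "True"/"False"; the attribute is expected to parse that form.</param>
    /// <param name="role">Role claim value; defaults to an ordinary user role.</param>
    private IPrincipal GetTestUser(bool hasSubscription, string role = "user")
    {
        var claims = new[] {
            new Claim(CustomClaimTypes.Subscription, hasSubscription.ToString()),
            new Claim(ClaimTypes.Name, "Test User"),
            new Claim(ClaimTypes.Role, role)
        };

        // Supplying an authentication type is what makes this identity count as authenticated.
        var identity = new ClaimsIdentity(claims, "basic");
        return new ClaimsPrincipal(identity);
    }
}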
}