add a security module （#628） (#629)

* Add security mechanisms, IP whitelists, blacklists, and extended security interfaces.

* Optimized configuration name

* Fix IP Security Bug

* Repair Security Protection Module Bug

* Add security module unit test

* Optimize log prompts

src/Ocelot/Configuration/Builder/DownstreamReRouteBuilder.cs

@@ -38,7 +38,7 @@ namespace Ocelot.Configuration.Builder
         private List<AddHeader> _addHeadersToDownstream;
         private List<AddHeader> _addHeadersToUpstream;
         private bool _dangerousAcceptAnyServerCertificateValidator;
-
+        private SecurityOptions _securityOptions;
         public DownstreamReRouteBuilder()
         {
             _downstreamAddresses = new List<DownstreamHostAndPort>();
@@ -227,6 +227,12 @@ namespace Ocelot.Configuration.Builder
             return this;
         }
 
+        public DownstreamReRouteBuilder WithSecurityOptions(SecurityOptions securityOptions)
+        {
+            _securityOptions = securityOptions;
+            return this;
+        }
+
         public DownstreamReRoute Build()
         {
             return new DownstreamReRoute(
@@ -258,7 +264,8 @@ namespace Ocelot.Configuration.Builder
                 _delegatingHandlers,
                 _addHeadersToDownstream,
                 _addHeadersToUpstream,
-                _dangerousAcceptAnyServerCertificateValidator);
+                _dangerousAcceptAnyServerCertificateValidator,
+                _securityOptions);
         }
     }
 }

src/Ocelot/Configuration/Creator/ISecurityOptionsCreator.cs

@@ -0,0 +1,12 @@
+using Ocelot.Configuration.File;
+using System;
+using System.Collections.Generic;
+using System.Text;
+
+namespace Ocelot.Configuration.Creator
+{
+    public interface ISecurityOptionsCreator
+    {
+        SecurityOptions Create(FileSecurityOptions securityOptions);
+    }
+}

src/Ocelot/Configuration/Creator/ReRoutesCreator.cs

@@ -21,6 +21,7 @@ namespace Ocelot.Configuration.Creator
         private readonly IHeaderFindAndReplaceCreator _headerFAndRCreator;
         private readonly IDownstreamAddressesCreator _downstreamAddressesCreator;
         private readonly IReRouteKeyCreator _reRouteKeyCreator;
+        private readonly ISecurityOptionsCreator _securityOptionsCreator;
 
         public ReRoutesCreator(
             IClaimsToThingCreator claimsToThingCreator,
@@ -35,7 +36,8 @@ namespace Ocelot.Configuration.Creator
             IHeaderFindAndReplaceCreator headerFAndRCreator,
             IDownstreamAddressesCreator downstreamAddressesCreator,
             ILoadBalancerOptionsCreator loadBalancerOptionsCreator,
-            IReRouteKeyCreator reRouteKeyCreator
+            IReRouteKeyCreator reRouteKeyCreator,
+            ISecurityOptionsCreator securityOptionsCreator
             )
         {
             _reRouteKeyCreator = reRouteKeyCreator;
@@ -52,6 +54,7 @@ namespace Ocelot.Configuration.Creator
             _fileReRouteOptionsCreator = fileReRouteOptionsCreator;
             _httpHandlerOptionsCreator = httpHandlerOptionsCreator;
             _loadBalancerOptionsCreator = loadBalancerOptionsCreator;
+            _securityOptionsCreator = securityOptionsCreator;
         }
 
         public List<ReRoute> Create(FileConfiguration fileConfiguration)
@@ -97,6 +100,8 @@ namespace Ocelot.Configuration.Creator
 
             var lbOptions = _loadBalancerOptionsCreator.Create(fileReRoute.LoadBalancerOptions);
 
+            var securityOptions = _securityOptionsCreator.Create(fileReRoute.SecurityOptions);
+
             var reRoute = new DownstreamReRouteBuilder()
                 .WithKey(fileReRoute.Key)
                 .WithDownstreamPathTemplate(fileReRoute.DownstreamPathTemplate)
@@ -128,6 +133,7 @@ namespace Ocelot.Configuration.Creator
                 .WithAddHeadersToDownstream(hAndRs.AddHeadersToDownstream)
                 .WithAddHeadersToUpstream(hAndRs.AddHeadersToUpstream)
                 .WithDangerousAcceptAnyServerCertificateValidator(fileReRoute.DangerousAcceptAnyServerCertificateValidator)
+                .WithSecurityOptions(securityOptions)
                 .Build();
 
             return reRoute;

src/Ocelot/Configuration/Creator/SecurityOptionsCreator.cs

@@ -0,0 +1,15 @@
+using System;
+using System.Collections.Generic;
+using System.Text;
+using Ocelot.Configuration.File;
+
+namespace Ocelot.Configuration.Creator
+{
+    public class SecurityOptionsCreator : ISecurityOptionsCreator
+    {
+        public SecurityOptions Create(FileSecurityOptions securityOptions)
+        {
+            return new SecurityOptions(securityOptions.IPAllowedList, securityOptions.IPBlockedList);
+        }
+    }
+}

src/Ocelot/Configuration/DownstreamReRoute.cs

@@ -35,7 +35,8 @@ namespace Ocelot.Configuration
             List<string> delegatingHandlers,
             List<AddHeader> addHeadersToDownstream,
             List<AddHeader> addHeadersToUpstream,
-            bool dangerousAcceptAnyServerCertificateValidator)
+            bool dangerousAcceptAnyServerCertificateValidator,
+            SecurityOptions securityOptions)
         {
             DangerousAcceptAnyServerCertificateValidator = dangerousAcceptAnyServerCertificateValidator;
             AddHeadersToDownstream = addHeadersToDownstream;
@@ -66,6 +67,7 @@ namespace Ocelot.Configuration
             DownstreamPathTemplate = downstreamPathTemplate;
             LoadBalancerKey = loadBalancerKey;
             AddHeadersToUpstream = addHeadersToUpstream;
+            SecurityOptions = securityOptions;
         }
 
         public string Key { get; }
@@ -97,5 +99,6 @@ namespace Ocelot.Configuration
         public List<AddHeader> AddHeadersToDownstream { get; }
         public List<AddHeader> AddHeadersToUpstream { get; }
         public bool DangerousAcceptAnyServerCertificateValidator { get; }
+        public SecurityOptions SecurityOptions { get; }
     }
 }

src/Ocelot/Configuration/File/FileReRoute.cs

@@ -21,6 +21,7 @@ namespace Ocelot.Configuration.File
             DownstreamHostAndPorts = new List<FileHostAndPort>();
             DelegatingHandlers = new List<string>();
             LoadBalancerOptions = new FileLoadBalancerOptions();
+            SecurityOptions = new FileSecurityOptions();
             Priority = 1;
         }
 
@@ -50,5 +51,6 @@ namespace Ocelot.Configuration.File
         public int Priority { get;set; }
         public int Timeout { get; set; }
         public bool DangerousAcceptAnyServerCertificateValidator { get; set; }
+        public FileSecurityOptions SecurityOptions { get; set; }
     }
 }

src/Ocelot/Configuration/File/FileSecurityOptions.cs

@@ -0,0 +1,19 @@
+using System;
+using System.Collections.Generic;
+using System.Text;
+
+namespace Ocelot.Configuration.File
+{
+    public class FileSecurityOptions
+    {
+        public FileSecurityOptions()
+        {
+            IPAllowedList = new List<string>();
+            IPBlockedList = new List<string>();
+        }
+
+        public List<string> IPAllowedList { get; set; } 
+
+        public List<string> IPBlockedList { get; set; }
+    }
+}

src/Ocelot/Configuration/SecurityOptions.cs

@@ -0,0 +1,19 @@
+using System;
+using System.Collections.Generic;
+using System.Text;
+
+namespace Ocelot.Configuration
+{
+    public class SecurityOptions
+    {
+        public SecurityOptions(List<string> allowedList, List<string> blockedList)
+        {
+            this.IPAllowedList = allowedList;
+            this.IPBlockedList = blockedList;
+        }
+
+        public List<string> IPAllowedList { get; private set; }
+
+        public List<string> IPBlockedList { get; private set; }
+    }
+}

src/Ocelot/DependencyInjection/OcelotBuilder.cs

@@ -35,6 +35,8 @@ namespace Ocelot.DependencyInjection
     using Ocelot.Infrastructure;
     using Ocelot.Middleware.Multiplexer;
     using Ocelot.Request.Creator;
+    using Ocelot.Security.IPSecurity;
+    using Ocelot.Security;
 
     public class OcelotBuilder : IOcelotBuilder
     {
@@ -125,6 +127,9 @@ namespace Ocelot.DependencyInjection
             Services.TryAddSingleton<IQoSFactory, QoSFactory>();
             Services.TryAddSingleton<IExceptionToErrorMapper, HttpExeptionToErrorMapper>();
 
+            //add security 
+            this.AddSecurity();
+
             //add asp.net services..
             var assembly = typeof(FileConfigurationController).GetTypeInfo().Assembly;
 
@@ -153,6 +158,12 @@ namespace Ocelot.DependencyInjection
             return this;
         }
 
+        private void AddSecurity()
+        {
+            Services.TryAddSingleton<ISecurityOptionsCreator, SecurityOptionsCreator>();
+            Services.TryAddSingleton<ISecurityPolicy, IPSecurityPolicy>();
+        }
+
         public IOcelotBuilder AddDelegatingHandler<THandler>(bool global = false)
             where THandler : DelegatingHandler
         {

src/Ocelot/Middleware/Pipeline/OcelotPipelineExtensions.cs

@@ -15,6 +15,7 @@ using Ocelot.Request.Middleware;
 using Ocelot.Requester.Middleware;
 using Ocelot.RequestId.Middleware;
 using Ocelot.Responder.Middleware;
+using Ocelot.Security.Middleware;
 using Ocelot.WebSockets.Middleware;
 
 namespace Ocelot.Middleware.Pipeline
@@ -48,6 +49,9 @@ namespace Ocelot.Middleware.Pipeline
             // Then we get the downstream route information
             builder.UseDownstreamRouteFinderMiddleware();
 
+            // This security module, IP whitelist blacklist, extended security mechanism
+            builder.UseSecurityMiddleware();
+
             //Expand other branch pipes
             if (pipelineConfiguration.MapWhenOcelotPipeline != null)
             {

src/Ocelot/Security/IPSecurity/IPSecurityPolicy.cs

@@ -0,0 +1,44 @@
+using System;
+using System.Collections.Generic;
+using System.Net;
+using System.Text;
+using System.Threading.Tasks;
+using Ocelot.Configuration;
+using Ocelot.Middleware;
+using Ocelot.Responses;
+
+namespace Ocelot.Security.IPSecurity
+{
+    public class IPSecurityPolicy : ISecurityPolicy
+    {
+        public async Task<Response> Security(DownstreamContext context)
+        {
+            IPAddress clientIp = context.HttpContext.Connection.RemoteIpAddress;
+            SecurityOptions securityOptions = context.DownstreamReRoute.SecurityOptions;
+            if (securityOptions == null)
+            {
+                return new OkResponse();
+            }
+
+            if (securityOptions.IPBlockedList != null)
+            {
+                if (securityOptions.IPBlockedList.Exists(f => f == clientIp.ToString()))
+                {
+                    var error = new UnauthenticatedError($" This request rejects access to {clientIp.ToString()} IP");
+                    return new ErrorResponse(error);
+                }
+            }
+
+            if (securityOptions.IPAllowedList != null && securityOptions.IPAllowedList.Count > 0)
+            {
+                if (!securityOptions.IPAllowedList.Exists(f => f == clientIp.ToString()))
+                {
+                    var error = new UnauthenticatedError($"{clientIp.ToString()} does not allow access, the request is invalid");
+                    return new ErrorResponse(error);
+                }
+            }
+         
+            return await Task.FromResult(new OkResponse());
+        }
+    }
+}

src/Ocelot/Security/ISecurityPolicy.cs

@@ -0,0 +1,14 @@
+using Ocelot.Middleware;
+using Ocelot.Responses;
+using System;
+using System.Collections.Generic;
+using System.Text;
+using System.Threading.Tasks;
+
+namespace Ocelot.Security
+{
+    public interface ISecurityPolicy
+    {
+        Task<Response> Security(DownstreamContext context);
+    }
+}

src/Ocelot/Security/Middleware/SecurityMiddleware.cs

@@ -0,0 +1,43 @@
+using Ocelot.Logging;
+using Ocelot.Middleware;
+using System.Collections.Generic;
+using System.Threading.Tasks;
+
+namespace Ocelot.Security.Middleware
+{
+    public class SecurityMiddleware : OcelotMiddleware
+    {
+        private readonly OcelotRequestDelegate _next;
+        private readonly IOcelotLogger _logger;
+        private readonly IEnumerable<ISecurityPolicy> _securityPolicies;
+        public SecurityMiddleware(IOcelotLoggerFactory loggerFactory,
+            IEnumerable<ISecurityPolicy> securityPolicies,
+            OcelotRequestDelegate next)
+            : base(loggerFactory.CreateLogger<SecurityMiddleware>())
+        {
+            _logger = loggerFactory.CreateLogger<SecurityMiddleware>();
+            _securityPolicies = securityPolicies;
+            _next = next;
+        }
+
+        public async Task Invoke(DownstreamContext context)
+        {
+            if (_securityPolicies != null)
+            {
+                foreach (var policie in _securityPolicies)
+                {
+                    var result = await policie.Security(context);
+                    if (!result.IsError)
+                    {
+                        continue;
+                    }
+
+                    this.SetPipelineError(context, result.Errors);
+                    return;
+                }
+            }
+
+            await _next.Invoke(context);
+        }
+    }
+}

src/Ocelot/Security/Middleware/SecurityMiddlewareExtensions.cs

@@ -0,0 +1,15 @@
+using Ocelot.Middleware.Pipeline;
+using System;
+using System.Collections.Generic;
+using System.Text;
+
+namespace Ocelot.Security.Middleware
+{
+    public static class SecurityMiddlewareExtensions
+    {
+        public static IOcelotPipelineBuilder UseSecurityMiddleware(this IOcelotPipelineBuilder builder)
+        {
+            return builder.UseMiddleware<SecurityMiddleware>();
+        }
+    }
+}

test/Ocelot.UnitTests/Configuration/ReRoutesCreatorTests.cs

@@ -30,6 +30,7 @@
         private Mock<IDownstreamAddressesCreator> _daCreator;
         private Mock<ILoadBalancerOptionsCreator> _lboCreator;
         private Mock<IReRouteKeyCreator> _rrkCreator;
+        private Mock<ISecurityOptionsCreator> _soCreator;
          private FileConfiguration _fileConfig;
         private ReRouteOptions _rro;
         private string _requestId;
@@ -45,6 +46,7 @@
         private List<DownstreamHostAndPort> _dhp;
         private LoadBalancerOptions _lbo;
         private List<ReRoute> _result;
+        private SecurityOptions _securityOptions;
 
         public ReRoutesCreatorTests()
         {
@@ -61,6 +63,7 @@
             _daCreator = new Mock<IDownstreamAddressesCreator>();
             _lboCreator = new Mock<ILoadBalancerOptionsCreator>();
             _rrkCreator = new Mock<IReRouteKeyCreator>();
+            _soCreator = new Mock<ISecurityOptionsCreator>();
 
             _creator = new ReRoutesCreator(
                 _cthCreator.Object,
@@ -75,7 +78,8 @@
                 _hfarCreator.Object,
                 _daCreator.Object,
                 _lboCreator.Object,
-                _rrkCreator.Object
+                _rrkCreator.Object,
+                _soCreator.Object
                 );
         }
 
@@ -266,6 +270,7 @@
             _hfarCreator.Verify(x => x.Create(fileReRoute), Times.Once);
             _daCreator.Verify(x => x.Create(fileReRoute), Times.Once);
             _lboCreator.Verify(x => x.Create(fileReRoute.LoadBalancerOptions), Times.Once);
+            _soCreator.Verify(x => x.Create(fileReRoute.SecurityOptions), Times.Once);
         }
     }
 }

test/Ocelot.UnitTests/Configuration/SecurityOptionsCreatorTests.cs

@@ -0,0 +1,72 @@
+using Ocelot.Configuration;
+using Ocelot.Configuration.Creator;
+using Ocelot.Configuration.File;
+using Shouldly;
+using System;
+using System.Collections.Generic;
+using System.Text;
+using TestStack.BDDfy;
+using Xunit;
+
+namespace Ocelot.UnitTests.Configuration
+{
+    public class SecurityOptionsCreatorTests
+    {
+        private FileReRoute _fileReRoute;
+        private FileGlobalConfiguration _fileGlobalConfig;
+        private SecurityOptions _result;
+        private ISecurityOptionsCreator _creator;
+
+        public SecurityOptionsCreatorTests()
+        {
+            _creator = new SecurityOptionsCreator();
+        }
+
+        [Fact]
+        public void should_create_security_config()
+        {
+            var ipAllowedList = new List<string>() { "127.0.0.1", "192.168.1.1" };
+            var ipBlockedList = new List<string>() { "127.0.0.1", "192.168.1.1" };
+            var fileReRoute = new FileReRoute
+            {
+                SecurityOptions = new FileSecurityOptions()
+                {
+                    IPAllowedList = ipAllowedList,
+                    IPBlockedList = ipBlockedList
+                }
+            };
+
+            var expected = new SecurityOptions(ipAllowedList, ipBlockedList);
+
+            this.Given(x => x.GivenThe(fileReRoute))
+              .When(x => x.WhenICreate())
+              .Then(x => x.ThenTheResultIs(expected))
+              .BDDfy();
+        }
+
+        private void GivenThe(FileReRoute reRoute)
+        {
+            _fileReRoute = reRoute;
+        }
+
+
+        private void WhenICreate()
+        {
+            _result = _creator.Create(_fileReRoute.SecurityOptions);
+        }
+
+        private void ThenTheResultIs(SecurityOptions expected)
+        {
+            for (int i = 0; i < expected.IPAllowedList.Count; i++)
+            {
+                _result.IPAllowedList[i].ShouldBe(expected.IPAllowedList[i]);
+            }
+
+            for (int i = 0; i < expected.IPBlockedList.Count; i++)
+            {
+                _result.IPBlockedList[i].ShouldBe(expected.IPBlockedList[i]);
+            }
+        }
+
+    }
+}

test/Ocelot.UnitTests/Security/IPSecurityPolicyTests.cs

@@ -0,0 +1,117 @@
+using Microsoft.AspNetCore.Http;
+using Ocelot.Configuration;
+using Ocelot.Configuration.Builder;
+using Ocelot.Middleware;
+using Ocelot.Request.Middleware;
+using Ocelot.Responses;
+using Ocelot.Security.IPSecurity;
+using System;
+using System.Collections.Generic;
+using System.Net;
+using System.Net.Http;
+using System.Text;
+using TestStack.BDDfy;
+using Xunit;
+
+namespace Ocelot.UnitTests.Security
+{
+    public class IPSecurityPolicyTests
+    {
+        private readonly DownstreamContext _downstreamContext;
+        private readonly DownstreamReRouteBuilder _downstreamReRouteBuilder;
+        private readonly IPSecurityPolicy _ipSecurityPolicy;
+        private Response response;
+        public IPSecurityPolicyTests()
+        {
+            _downstreamContext = new DownstreamContext(new DefaultHttpContext());
+            _downstreamContext.DownstreamRequest = new DownstreamRequest(new HttpRequestMessage(HttpMethod.Get, "http://test.com"));
+            _downstreamContext.HttpContext.Connection.RemoteIpAddress = Dns.GetHostAddresses("192.168.1.1")[0];
+            _downstreamReRouteBuilder = new DownstreamReRouteBuilder();
+            _ipSecurityPolicy = new IPSecurityPolicy();
+        }
+
+        [Fact]
+        private void should_No_blocked_Ip_and_allowed_Ip()
+        {
+            this.Given(x => x.GivenSetDownstreamReRoute())
+                .When(x => x.WhenTheSecurityPolicy())
+                .Then(x => x.ThenSecurityPassing())
+                .BDDfy();
+        }
+
+        [Fact]
+        private void should_blockedIp_clientIp_block()
+        {
+            _downstreamContext.HttpContext.Connection.RemoteIpAddress = Dns.GetHostAddresses("192.168.1.1")[0];
+            this.Given(x => x.GivenSetBlockedIP())
+                .Given(x => x.GivenSetDownstreamReRoute())
+                .When(x => x.WhenTheSecurityPolicy())
+                .Then(x => x.ThenNotSecurityPassing())
+                .BDDfy();
+        }
+
+        [Fact]
+        private void should_blockedIp_clientIp_Not_block()
+        {
+            _downstreamContext.HttpContext.Connection.RemoteIpAddress = Dns.GetHostAddresses("192.168.1.2")[0];
+            this.Given(x => x.GivenSetBlockedIP())
+                .Given(x => x.GivenSetDownstreamReRoute())
+                .When(x => x.WhenTheSecurityPolicy())
+                .Then(x => x.ThenSecurityPassing())
+                .BDDfy();
+        }
+
+
+        [Fact]
+        private void should_allowedIp_clientIp_block()
+        {
+            _downstreamContext.HttpContext.Connection.RemoteIpAddress = Dns.GetHostAddresses("192.168.1.1")[0];
+            this.Given(x => x.GivenSetAllowedIP())
+                .Given(x => x.GivenSetDownstreamReRoute())
+                .When(x => x.WhenTheSecurityPolicy())
+                .Then(x => x.ThenSecurityPassing())
+                .BDDfy();
+        }
+
+        [Fact]
+        private void should_allowedIp_clientIp_Not_block()
+        {
+            _downstreamContext.HttpContext.Connection.RemoteIpAddress = Dns.GetHostAddresses("192.168.1.2")[0];
+            this.Given(x => x.GivenSetAllowedIP())
+                .Given(x => x.GivenSetDownstreamReRoute())
+                .When(x => x.WhenTheSecurityPolicy())
+                .Then(x => x.ThenNotSecurityPassing())
+                .BDDfy();
+        }
+
+        private void GivenSetAllowedIP()
+        {
+            _downstreamReRouteBuilder.WithSecurityOptions(new SecurityOptions(new List<string> { "192.168.1.1" }, new List<string>()));
+        }
+
+        private void GivenSetBlockedIP()
+        {
+            _downstreamReRouteBuilder.WithSecurityOptions(new SecurityOptions(new List<string>(), new List<string> { "192.168.1.1" }));
+        }
+
+        private void GivenSetDownstreamReRoute()
+        {
+            _downstreamContext.DownstreamReRoute = _downstreamReRouteBuilder.Build();
+        }
+
+        private void WhenTheSecurityPolicy()
+        {
+            response = this._ipSecurityPolicy.Security(_downstreamContext).GetAwaiter().GetResult();
+        }
+
+        private void ThenSecurityPassing()
+        {
+            Assert.False(response.IsError);
+        }
+
+        private void ThenNotSecurityPassing()
+        {
+            Assert.True(response.IsError);
+        }
+    }
+}

test/Ocelot.UnitTests/Security/SecurityMiddlewareTests.cs

@@ -0,0 +1,108 @@
+using Microsoft.AspNetCore.Http;
+using Moq;
+using Ocelot.Errors;
+using Ocelot.Logging;
+using Ocelot.Middleware;
+using Ocelot.Request.Middleware;
+using Ocelot.Responses;
+using Ocelot.Security;
+using Ocelot.Security.IPSecurity;
+using Ocelot.Security.Middleware;
+using System;
+using System.Collections.Generic;
+using System.Linq;
+using System.Net.Http;
+using System.Text;
+using System.Threading.Tasks;
+using TestStack.BDDfy;
+using Xunit;
+
+namespace Ocelot.UnitTests.Security
+{
+    public class SecurityMiddlewareTests
+    {
+        private List<Mock<ISecurityPolicy>> _securityPolicyList;
+        private Mock<IOcelotLoggerFactory> _loggerFactory;
+        private Mock<IOcelotLogger> _logger;
+        private readonly SecurityMiddleware _middleware;
+        private readonly DownstreamContext _downstreamContext;
+        private readonly OcelotRequestDelegate _next;
+
+        public SecurityMiddlewareTests()
+        {
+            _loggerFactory = new Mock<IOcelotLoggerFactory>();
+            _logger = new Mock<IOcelotLogger>();
+            _loggerFactory.Setup(x => x.CreateLogger<SecurityMiddleware>()).Returns(_logger.Object);
+            _securityPolicyList = new List<Mock<ISecurityPolicy>>();
+            _securityPolicyList.Add(new Mock<ISecurityPolicy>());
+            _securityPolicyList.Add(new Mock<ISecurityPolicy>());
+            _next = context =>
+            {
+                return Task.CompletedTask;
+            };
+            _middleware = new SecurityMiddleware(_loggerFactory.Object, _securityPolicyList.Select(f => f.Object).ToList(), _next);
+            _downstreamContext = new DownstreamContext(new DefaultHttpContext());
+            _downstreamContext.DownstreamRequest = new DownstreamRequest(new HttpRequestMessage(HttpMethod.Get, "http://test.com"));
+        }
+        [Fact]
+        public void should_legal_request()
+        {
+            this.Given(x => x.GivenPassingSecurityVerification())
+                .When(x => x.WhenICallTheMiddleware())
+                .Then(x => x.ThenTheRequestIsPassingSecurity())
+                .BDDfy();
+        }
+
+        [Fact]
+        public void should_verification_failed_request()
+        {
+            this.Given(x => x.GivenNotPassingSecurityVerification())
+                .When(x => x.WhenICallTheMiddleware())
+                .Then(x => x.ThenTheRequestIsNotPassingSecurity())
+                .BDDfy();
+        }
+
+        private void GivenPassingSecurityVerification()
+        {
+            foreach (var item in _securityPolicyList)
+            {
+                Response response = new OkResponse();
+                item.Setup(x => x.Security(_downstreamContext)).Returns(Task.FromResult(response));
+            }
+        }
+
+        private void GivenNotPassingSecurityVerification()
+        {
+            for (int i = 0; i < _securityPolicyList.Count; i++)
+            {
+                Mock<ISecurityPolicy> item = _securityPolicyList[i];
+                if (i == 0)
+                {
+                    Error error = new UnauthenticatedError($"Not passing security verification");
+                    Response response = new ErrorResponse(error);
+                    item.Setup(x => x.Security(_downstreamContext)).Returns(Task.FromResult(response));
+                }
+                else
+                {
+                    Response response = new OkResponse();
+                    item.Setup(x => x.Security(_downstreamContext)).Returns(Task.FromResult(response));
+                }
+            }
+        }
+
+        private void WhenICallTheMiddleware()
+        {
+            _middleware.Invoke(_downstreamContext).GetAwaiter().GetResult();
+        }
+
+        private void ThenTheRequestIsPassingSecurity()
+        {
+            Assert.False(_downstreamContext.IsError);
+        }
+
+        private void ThenTheRequestIsNotPassingSecurity()
+        {
+            Assert.True(_downstreamContext.IsError);
+        }
+    }
+}