Testing custom Authorize Attribute in ASP.NET Web API

gistfile1.cs

using NSubstitute;
using NUnit.Framework;
using System.Collections.ObjectModel;
using System.Net;
using System.Net.Http;
using System.Security.Claims;
using System.Security.Principal;
using System.Threading;
using System.Web.Http;
using System.Web.Http.Controllers;

namespace API.Tests
{
    [TestFixture]
    public class FabrikAuthorizeAttributeTests
    {
        FabrikAuthorizeAttribute filter;
        HttpActionContext actionContext;
        IPrincipal originalPrincipal;

        [SetUp]
        public void SetUp()
        {
            var attributes = new Collection<AllowAnonymousAttribute>();

            var controllerDescriptor = Substitute.For<HttpControllerDescriptor>();
            controllerDescriptor.GetCustomAttributes<AllowAnonymousAttribute>().Returns(attributes);

            var controllerContext = new HttpControllerContext
            {
                Request = new HttpRequestMessage(),
                ControllerDescriptor = controllerDescriptor
            };

            var actionDescriptor = Substitute.For<HttpActionDescriptor>();
            actionDescriptor.GetCustomAttributes<AllowAnonymousAttribute>()
                .Returns(attributes);


            actionContext = new HttpActionContext(controllerContext, actionDescriptor);

            originalPrincipal = Thread.CurrentPrincipal;
            filter = new FabrikAuthorizeAttribute();
        }

        [TearDown]
        public void TearDown()
        {
            Thread.CurrentPrincipal = originalPrincipal;
        }
        
        [Test]
        public void Returns_unauthorized_response_if_user_is_not_authenticated()
        {
            filter.OnAuthorization(actionContext);

            Assert.NotNull(actionContext.Response);
            Assert.That(actionContext.Response.StatusCode, Is.EqualTo(HttpStatusCode.Unauthorized));
        }

        [Test]
        public void Returns_unauthorized_response_if_user_is_authenticated_but_does_not_have_a_subscription()
        {
            Thread.CurrentPrincipal = GetTestUser(hasSubscription: false);

            filter.OnAuthorization(actionContext);

            Assert.That(actionContext.Response.StatusCode, Is.EqualTo(HttpStatusCode.Unauthorized));
        }

        [Test]
        public void Short_circuits_request_if_user_is_authenticated_and_has_a_subscription()
        {
            Thread.CurrentPrincipal = GetTestUser(hasSubscription: true);

            filter.OnAuthorization(actionContext);

            Assert.IsNull(actionContext.Response);
        }

        [Test]
        public void Short_circuits_request_if_user_is_authenticated_and_in_system_role()
        {
            Thread.CurrentPrincipal = GetTestUser(hasSubscription: false, role: Constants.TrustedClientRole);

            filter.OnAuthorization(actionContext);

            Assert.IsNull(actionContext.Response);
        }

        private IPrincipal GetTestUser(bool hasSubscription, string role = "user")
        {
            var identity = new ClaimsIdentity(new[] {
                new Claim(CustomClaimTypes.Subscription, hasSubscription.ToString()),
                new Claim(ClaimTypes.Name, "Test User"),
                new Claim(ClaimTypes.Role, role)
            }, "basic");

            var claimsPrincipal = new ClaimsPrincipal(identity);
            return claimsPrincipal;
        }
    }
}