Ejemplo n.º 1
0
        public async Task TestAccessControlChecks()
        {
            var log = new LoggerConfiguration()
                      .WriteTo.Debug()
                      .CreateLogger();

            var loggy = new Loggy(log);

            var access = new AccessControl(loggy, new MemoryObjectStore());

            var contextUserId = "[test]";

            // add test security principles
            var allPrinciples = GetTestSecurityPrinciples();

            foreach (var p in allPrinciples)
            {
                _ = await access.AddSecurityPrinciple(p, contextUserId, bypassIntegrityCheck : true);
            }

            // assign resource roles per principle
            var allResourceProfiles = GetTestResourceProfiles();

            foreach (var r in allResourceProfiles)
            {
                _ = await access.AddResourceProfile(r, contextUserId, bypassIntegrityCheck : true);
            }

            // assert

            var hasAccess = await access.IsPrincipleInRole("admin_01", StandardRoles.Administrator.Id, contextUserId);

            Assert.IsTrue(hasAccess, "User should be in role");

            hasAccess = await access.IsPrincipleInRole("admin_02", StandardRoles.Administrator.Id, contextUserId);

            Assert.IsFalse(hasAccess, "User should not be in role");

            // check user can consume a cert for a given domain
            var isAuthorised = await access.IsAuthorised("devops_user_01", StandardRoles.CertificateConsumer.Id, ResourceTypes.Domain, "www.example.com", contextUserId);

            Assert.IsTrue(isAuthorised, "User should be a cert consumer for this domain");

            // check user can't consume a cert for a subdomain they haven't been granted
            isAuthorised = await access.IsAuthorised("devops_user_01", StandardRoles.CertificateConsumer.Id, ResourceTypes.Domain, "secure.example.com", contextUserId);

            Assert.IsFalse(isAuthorised, "User should not be a cert consumer for this domain");

            // check user can consume any subdomain via a granted wildcard
            isAuthorised = await access.IsAuthorised("devops_user_01", StandardRoles.CertificateConsumer.Id, ResourceTypes.Domain, "random.microsoft.com", contextUserId);

            Assert.IsTrue(isAuthorised, "User should be a cert consumer for this subdomain via wildcard");

            // check user can't consume a random wildcard
            isAuthorised = await access.IsAuthorised("devops_user_01", StandardRoles.CertificateConsumer.Id, ResourceTypes.Domain, "*  lkjhasdf98862364", contextUserId);

            Assert.IsFalse(isAuthorised, "User should not be a cert consumer for random wildcard");

            // check user can't consume a random wildcard
            isAuthorised = await access.IsAuthorised("devops_user_01", StandardRoles.CertificateConsumer.Id, ResourceTypes.Domain, "  lkjhasdf98862364.*.microsoft.com", contextUserId);

            Assert.IsFalse(isAuthorised, "User should not be a cert consumer for random wildcard");

            // random user should not be authorised
            isAuthorised = await access.IsAuthorised("randomuser", StandardRoles.CertificateConsumer.Id, ResourceTypes.Domain, "random.microsoft.com", contextUserId);

            Assert.IsFalse(isAuthorised, "Unknown user should not be a cert consumer for this subdomain via wildcard");
        }