private ApiScopeEvaluationResult EvaluateApiScope(IActionRequiringEntityPermissions <ActionOnNewPackageContext> action, ActionOnNewPackageContext context, params string[] requestedActions)
{
return(ApiScopeEvaluator.Evaluate(
GetCurrentUser(),
User.Identity.GetScopesFromClaim(),
action,
context,
requestedActions));
}
private ApiScopeEvaluationResult EvaluateApiScope(IActionRequiringEntityPermissions <PackageRegistration> action, PackageRegistration packageRegistration, params string[] requestedActions)
{
return(ApiScopeEvaluator.Evaluate(
GetCurrentUser(),
User.Identity.GetScopesFromClaim(),
action,
packageRegistration,
requestedActions));
}
public ApiScopeEvaluationResult Evaluate(
User currentUser,
IEnumerable <Scope> scopes,
IActionRequiringEntityPermissions <ActionOnNewPackageContext> action,
ActionOnNewPackageContext context,
params string[] requestedActions)
{
return(Evaluate(currentUser, scopes, action, context, c => c.PackageId, requestedActions));
}
public ApiScopeEvaluationResult Evaluate(
User currentUser,
IEnumerable <Scope> scopes,
IActionRequiringEntityPermissions <PackageRegistration> action,
PackageRegistration packageRegistration,
params string[] requestedActions)
{
return(Evaluate(currentUser, scopes, action, packageRegistration, pr => pr.Id, requestedActions));
}
/// <remarks>This method is internal because it is tested directly.</remarks>
internal ApiScopeEvaluationResult Evaluate <TEntity>(
User currentUser,
IEnumerable <Scope> scopes,
IActionRequiringEntityPermissions <TEntity> action,
TEntity entity,
Func <TEntity, string> getSubjectFromEntity,
params string[] requestedActions)
{
User ownerInScope = null;
if (scopes == null || !scopes.Any())
{
// Legacy V1 API key without scopes.
// Evaluate it as if it has an unlimited scope.
scopes = new[] { new Scope(ownerKey: null, subject: NuGetPackagePattern.AllInclusivePattern, allowedAction: NuGetScopes.All) };
}
// Check that all scopes provided have the same owner scope.
var ownerScopes = scopes.Select(s => s.OwnerKey);
var ownerScope = ownerScopes.FirstOrDefault();
if (ownerScopes.Any(o => o != ownerScope))
{
throw new ArgumentException("All scopes provided must have the same owner scope.");
}
var matchingScope = scopes
.FirstOrDefault(scope =>
scope.AllowsSubject(getSubjectFromEntity(entity)) &&
scope.AllowsActions(requestedActions));
ownerInScope = ownerScope.HasValue ? _userService.FindByKey(ownerScope.Value) : currentUser;
if (matchingScope == null)
{
return(new ApiScopeEvaluationResult(ownerInScope, PermissionsCheckResult.Unknown, scopesAreValid: false));
}
var isActionAllowed = action.CheckPermissions(currentUser, ownerInScope, entity);
return(new ApiScopeEvaluationResult(ownerInScope, isActionAllowed, scopesAreValid: true));
}
private void AssertIsAllowed(IActionRequiringEntityPermissions <TestablePermissionsEntity> action, PermissionsCheckResult expectedFailure)
{
Assert.Equal(expectedFailure, action.CheckPermissions((User)null, null, null));
Assert.Equal(expectedFailure, action.CheckPermissions((IPrincipal)null, null, null));
}
