public bool isElevated(IElevatableSession session)
{
//We're reading so we need a lock
//We could reduce contention if this bottlenecks something
lockObj.EnterReadLock();
try
{
//If the session has a token we granted
if (authTokenMap.ContainsKey(session.UniqueAuthToken))
{
//We need to check if the token was stolen
if (authTokenMap[session.UniqueAuthToken].Session != session)
{
Logger.WarnFormat("Session {0} tried to check elevation with Token {1} when it doesn't belong to the session.", session.ToString(), session.UniqueAuthToken);
return(false);
}
//If we're managing the session check if it's authenticated
//This will mean it's also elvated
return(authTokenMap[session.UniqueAuthToken].isAuthenticated);
}
}
finally
{
lockObj.ExitReadLock();
}
Logger.DebugFormat("Session {0} had elevation checked but failed.", session.ToString());
return(false);
}
public static void Test_Returns_False_For_Session_Who_Stole_Others_Token()
{
//arrange
Mock <ISigningService> signingService = new Mock <ISigningService>();
signingService.Setup(x => x.isSigned(It.IsAny <byte[]>(), It.IsAny <byte[]>()))
.Returns(true);
ElevationManager elevationManager = new ElevationManager(Mock.Of <ILog>(), signingService.Object);
IElevatableSession session = Mock.Of <IElevatableSession>();
AuthenticationMessage message = new AuthenticationMessage(new byte[0]);
session.UniqueAuthToken = elevationManager.RequestSingleUseToken(session);
//act:Preform a authentication
elevationManager.TryAuthenticate(session, message);
//assert
Assert.True(elevationManager.isElevated(session));
//Should fail because this session isn't authorized with this token
IElevatableSession criminalSession = Mock.Of <IElevatableSession>();
criminalSession.UniqueAuthToken = session.UniqueAuthToken;
Assert.False(elevationManager.isElevated(criminalSession));
}
/// <summary>
/// Tries to revoke auth status of the <paramref name="session"/>.
/// </summary>
/// <param name="session">Session to revoke for.</param>
/// <returns>True if the session was found and unelevated.</returns>
public bool TryRevokeAuthentication(IElevatableSession session)
{
lockObj.EnterWriteLock();
try
{
//We have to find the session key
//Don't trust the session instance to have a valid key
Guid?key = authTokenMap.Where(x => x.Value.Session == session)
.Select(x => (Nullable <Guid>)x.Key)
.FirstOrDefault();
if (!key.HasValue)
{
return(false);
}
else
{
return(authTokenMap.Remove(key.Value));
}
}
finally
{
Logger.WarnFormat("Finished removing Session {0} from Auth table.", session.ToString());
lockObj.ExitWriteLock();
}
}
public static void Test_Returns_False_After_Failed_Authentication_Without_Valid_Token()
{
//arrange
ElevationManager elevationManager = new ElevationManager(Mock.Of <ILog>(), Mock.Of <ISigningService>());
IElevatableSession session = Mock.Of <IElevatableSession>();
//act:Preform a failed authentication
elevationManager.TryAuthenticate(session, Mock.Of <AuthenticationMessage>());
//assrt
Assert.False(elevationManager.isElevated(session));
}
private void AddAuthenticatedSession(Guid token, IElevatableSession session)
{
lockObj.EnterWriteLock();
try
{
authTokenMap[token].isAuthenticated = true;
}
finally
{
Logger.WarnFormat("Authenticated Session {0} with Token {1}.", session.ToString(), token.ToString());
lockObj.ExitWriteLock();
}
}
public static void Test_Returns_True_After_Sucessful_Authentication()
{
//arrange
Mock <ISigningService> signingService = new Mock <ISigningService>();
signingService.Setup(x => x.isSigned(It.IsAny <byte[]>(), It.IsAny <byte[]>()))
.Returns(true);
ElevationManager elevationManager = new ElevationManager(Mock.Of <ILog>(), signingService.Object);
IElevatableSession session = Mock.Of <IElevatableSession>();
AuthenticationMessage message = new AuthenticationMessage(new byte[0]);
session.UniqueAuthToken = elevationManager.RequestSingleUseToken(session);
//act:Preform a authentication
elevationManager.TryAuthenticate(session, message);
//assrt
Assert.True(elevationManager.isElevated(session));
}
/// <summary>
/// Grants a tracked token for a single given <see cref="IElevatableSession"/>.
/// </summary>
/// <param name="session">Session to grant the token for.</param>
/// <returns>A new <see cref="Guid"/> token for the session</returns>
public Guid RequestSingleUseToken(IElevatableSession session)
{
lockObj.EnterWriteLock();
try
{
Guid newToken = Guid.NewGuid();
Logger.DebugFormat("Created new Guid {0} adding to managed sessions for Session {1}.", newToken.ToString(), session.ToString());
authTokenMap.Add(newToken, new ManagedSession(session, false));
session.UniqueAuthToken = newToken;
return(newToken);
}
finally
{
lockObj.ExitWriteLock();
}
}
/// <summary>
/// Tries to authenticate/elevate the <paramref name="session"/> with the <paramref name="authMessage"/>.
/// </summary>
/// <param name="session">Session attempting to authenticate.</param>
/// <param name="authMessage">Auth message.</param>
/// <returns>True if the session authenticated.</returns>
public bool TryAuthenticate(IElevatableSession session, AuthenticationMessage authMessage)
{
Logger.DebugFormat("Authenticated requested for Session {0}.", session.ToString());
//We reduce contention by only read locking for a short moment
lockObj.EnterReadLock();
try
{
//Check if this is a token we granted
if (!authTokenMap.ContainsKey(session.UniqueAuthToken))
{
Logger.WarnFormat("Session {0} tried to authenticate with Token {1} but that token was not issued.", session.ToString(), session.UniqueAuthToken);
return(false);
}
//Check if the session matches the token
if (authTokenMap[session.UniqueAuthToken].Session != session)
{
Logger.WarnFormat("Session {0} tried to authenticate with Token {1} but that token was not issued for that session. Was issued for {2}.", session.ToString(), session.UniqueAuthToken, authTokenMap[session.UniqueAuthToken].Session);
return(false);
}
}
finally
{
lockObj.ExitReadLock();
}
bool result = HandleAuthentication(session.UniqueAuthToken.ToByteArray(), authMessage.SignedMessage);
if (!result)
{
return(false);
}
AddAuthenticatedSession(session.UniqueAuthToken, session);
return(true);
}
public ManagedSession(IElevatableSession session, bool authenticated)
{
Session = session;
isAuthenticated = authenticated;
}
