public bool isElevated(IElevatableSession session) { //We're reading so we need a lock //We could reduce contention if this bottlenecks something lockObj.EnterReadLock(); try { //If the session has a token we granted if (authTokenMap.ContainsKey(session.UniqueAuthToken)) { //We need to check if the token was stolen if (authTokenMap[session.UniqueAuthToken].Session != session) { Logger.WarnFormat("Session {0} tried to check elevation with Token {1} when it doesn't belong to the session.", session.ToString(), session.UniqueAuthToken); return(false); } //If we're managing the session check if it's authenticated //This will mean it's also elvated return(authTokenMap[session.UniqueAuthToken].isAuthenticated); } } finally { lockObj.ExitReadLock(); } Logger.DebugFormat("Session {0} had elevation checked but failed.", session.ToString()); return(false); }
public static void Test_Returns_False_For_Session_Who_Stole_Others_Token() { //arrange Mock <ISigningService> signingService = new Mock <ISigningService>(); signingService.Setup(x => x.isSigned(It.IsAny <byte[]>(), It.IsAny <byte[]>())) .Returns(true); ElevationManager elevationManager = new ElevationManager(Mock.Of <ILog>(), signingService.Object); IElevatableSession session = Mock.Of <IElevatableSession>(); AuthenticationMessage message = new AuthenticationMessage(new byte[0]); session.UniqueAuthToken = elevationManager.RequestSingleUseToken(session); //act:Preform a authentication elevationManager.TryAuthenticate(session, message); //assert Assert.True(elevationManager.isElevated(session)); //Should fail because this session isn't authorized with this token IElevatableSession criminalSession = Mock.Of <IElevatableSession>(); criminalSession.UniqueAuthToken = session.UniqueAuthToken; Assert.False(elevationManager.isElevated(criminalSession)); }
/// <summary> /// Tries to revoke auth status of the <paramref name="session"/>. /// </summary> /// <param name="session">Session to revoke for.</param> /// <returns>True if the session was found and unelevated.</returns> public bool TryRevokeAuthentication(IElevatableSession session) { lockObj.EnterWriteLock(); try { //We have to find the session key //Don't trust the session instance to have a valid key Guid?key = authTokenMap.Where(x => x.Value.Session == session) .Select(x => (Nullable <Guid>)x.Key) .FirstOrDefault(); if (!key.HasValue) { return(false); } else { return(authTokenMap.Remove(key.Value)); } } finally { Logger.WarnFormat("Finished removing Session {0} from Auth table.", session.ToString()); lockObj.ExitWriteLock(); } }
public static void Test_Returns_False_After_Failed_Authentication_Without_Valid_Token() { //arrange ElevationManager elevationManager = new ElevationManager(Mock.Of <ILog>(), Mock.Of <ISigningService>()); IElevatableSession session = Mock.Of <IElevatableSession>(); //act:Preform a failed authentication elevationManager.TryAuthenticate(session, Mock.Of <AuthenticationMessage>()); //assrt Assert.False(elevationManager.isElevated(session)); }
private void AddAuthenticatedSession(Guid token, IElevatableSession session) { lockObj.EnterWriteLock(); try { authTokenMap[token].isAuthenticated = true; } finally { Logger.WarnFormat("Authenticated Session {0} with Token {1}.", session.ToString(), token.ToString()); lockObj.ExitWriteLock(); } }
public static void Test_Returns_True_After_Sucessful_Authentication() { //arrange Mock <ISigningService> signingService = new Mock <ISigningService>(); signingService.Setup(x => x.isSigned(It.IsAny <byte[]>(), It.IsAny <byte[]>())) .Returns(true); ElevationManager elevationManager = new ElevationManager(Mock.Of <ILog>(), signingService.Object); IElevatableSession session = Mock.Of <IElevatableSession>(); AuthenticationMessage message = new AuthenticationMessage(new byte[0]); session.UniqueAuthToken = elevationManager.RequestSingleUseToken(session); //act:Preform a authentication elevationManager.TryAuthenticate(session, message); //assrt Assert.True(elevationManager.isElevated(session)); }
/// <summary> /// Grants a tracked token for a single given <see cref="IElevatableSession"/>. /// </summary> /// <param name="session">Session to grant the token for.</param> /// <returns>A new <see cref="Guid"/> token for the session</returns> public Guid RequestSingleUseToken(IElevatableSession session) { lockObj.EnterWriteLock(); try { Guid newToken = Guid.NewGuid(); Logger.DebugFormat("Created new Guid {0} adding to managed sessions for Session {1}.", newToken.ToString(), session.ToString()); authTokenMap.Add(newToken, new ManagedSession(session, false)); session.UniqueAuthToken = newToken; return(newToken); } finally { lockObj.ExitWriteLock(); } }
/// <summary> /// Tries to authenticate/elevate the <paramref name="session"/> with the <paramref name="authMessage"/>. /// </summary> /// <param name="session">Session attempting to authenticate.</param> /// <param name="authMessage">Auth message.</param> /// <returns>True if the session authenticated.</returns> public bool TryAuthenticate(IElevatableSession session, AuthenticationMessage authMessage) { Logger.DebugFormat("Authenticated requested for Session {0}.", session.ToString()); //We reduce contention by only read locking for a short moment lockObj.EnterReadLock(); try { //Check if this is a token we granted if (!authTokenMap.ContainsKey(session.UniqueAuthToken)) { Logger.WarnFormat("Session {0} tried to authenticate with Token {1} but that token was not issued.", session.ToString(), session.UniqueAuthToken); return(false); } //Check if the session matches the token if (authTokenMap[session.UniqueAuthToken].Session != session) { Logger.WarnFormat("Session {0} tried to authenticate with Token {1} but that token was not issued for that session. Was issued for {2}.", session.ToString(), session.UniqueAuthToken, authTokenMap[session.UniqueAuthToken].Session); return(false); } } finally { lockObj.ExitReadLock(); } bool result = HandleAuthentication(session.UniqueAuthToken.ToByteArray(), authMessage.SignedMessage); if (!result) { return(false); } AddAuthenticatedSession(session.UniqueAuthToken, session); return(true); }
public ManagedSession(IElevatableSession session, bool authenticated) { Session = session; isAuthenticated = authenticated; }