public void GetUriReturnsTheRequestUrlWithProtocolReplacedWhenNoBaseUriIsSupplied()
{
// Arrange.
const string BaseRequestUri = "http://www.testsite.com";
const string PathRequestUri = "/Manage/Default.aspx?Param=SomeValue";
var mockRequest = new Mock <HttpRequestBase>();
mockRequest.SetupGet(req => req.Url).Returns(new Uri(BaseRequestUri + PathRequestUri));
mockRequest.SetupGet(req => req.RawUrl).Returns(PathRequestUri);
var mockResponse = new Mock <HttpResponseBase>();
mockResponse.Setup(resp => resp.ApplyAppPathModifier(It.IsAny <string>())).Returns <string>(s => s);
var settings = new Settings {
Mode = Mode.On,
Paths =
{
new TestPathSetting("/Manage")
}
};
var evaluator = new HeadersSecurityEvaluator();
var enforcer = new SecurityEnforcer(evaluator);
// Act.
var targetUrl = enforcer.GetUriForMatchedSecurityRequest(mockRequest.Object,
mockResponse.Object,
RequestSecurity.Secure,
settings);
// Assert.
Assert.Equal(BaseRequestUri.Replace("http://", "https://") + PathRequestUri, targetUrl);
}
public void GetUriRequestReturnsNullIfRequestSecurityAlreadyMatchesSpecifiedSecurity()
{
// Arrange.
var mockRequest = new Mock <HttpRequestBase>();
var mockResponse = new Mock <HttpResponseBase>();
var settings = new Settings();
var evaluator = new StandardSecurityEvaluator();
var enforcer = new SecurityEnforcer(evaluator);
// Act.
mockRequest.SetupGet(req => req.IsSecureConnection).Returns(true);
var targetUrlForAlreadySecuredRequest = enforcer.GetUriForMatchedSecurityRequest(mockRequest.Object,
mockResponse.Object,
RequestSecurity.Secure,
settings);
mockRequest.SetupGet(req => req.IsSecureConnection).Returns(false);
var targetUrlForAlreadyInsecureRequest = enforcer.GetUriForMatchedSecurityRequest(mockRequest.Object,
mockResponse.Object,
RequestSecurity.Insecure,
settings);
// Assert.
Assert.Null(targetUrlForAlreadySecuredRequest);
Assert.Null(targetUrlForAlreadyInsecureRequest);
}
public void GetUriDoesNotIncludeApplicationPathWithSuppliedBaseUri()
{
const string BaseRequestUri = "http://www.testsite.com";
const string ApplicationPathRequestUri = "/MySuperDuperApplication";
const string PathRequestUri = ApplicationPathRequestUri + "/Manage/Default.aspx";
const string QueryRequestUri = "?Param=SomeValue";
var mockRequest = new Mock <HttpRequestBase>();
mockRequest.SetupGet(req => req.ApplicationPath).Returns(ApplicationPathRequestUri);
mockRequest.SetupGet(req => req.Url).Returns(new Uri(BaseRequestUri + PathRequestUri + QueryRequestUri));
mockRequest.SetupGet(req => req.RawUrl).Returns(PathRequestUri + QueryRequestUri);
var mockResponse = new Mock <HttpResponseBase>();
mockResponse.Setup(resp => resp.ApplyAppPathModifier(It.IsAny <string>())).Returns <string>(s => s);
var settings = new Settings {
Mode = Mode.On,
BaseSecureUri = "https://secure.someotherwebsite.com/testsite/"
};
var evaluator = new HeadersSecurityEvaluator();
var enforcer = new SecurityEnforcer(evaluator);
// Act.
var targetUrl = enforcer.GetUriForMatchedSecurityRequest(mockRequest.Object,
mockResponse.Object,
RequestSecurity.Secure,
settings);
// Assert.
Assert.Equal(settings.BaseSecureUri + PathRequestUri.Remove(0, ApplicationPathRequestUri.Length + 1) + QueryRequestUri, targetUrl);
}
public void GetUriReturnsSwitchedUriBasedOnSuppliedBaseInsecureUri()
{
const string BaseRequestUri = "https://www.testsite.com";
const string PathRequestUri = "/Info/Default.aspx";
const string QueryRequestUri = "?Param=SomeValue";
var mockRequest = new Mock <HttpRequestBase>();
mockRequest.SetupGet(req => req.ApplicationPath).Returns("/");
mockRequest.SetupGet(req => req.Url).Returns(new Uri(BaseRequestUri + PathRequestUri + QueryRequestUri));
mockRequest.SetupGet(req => req.RawUrl).Returns(PathRequestUri + QueryRequestUri);
mockRequest.SetupGet(req => req.IsSecureConnection).Returns(true);
var mockResponse = new Mock <HttpResponseBase>();
mockResponse.Setup(resp => resp.ApplyAppPathModifier(It.IsAny <string>())).Returns <string>(s => s);
var settings = new Settings {
Mode = Mode.On,
BaseInsecureUri = "http://www.someotherwebsite.com/"
};
var evaluator = new StandardSecurityEvaluator();
var enforcer = new SecurityEnforcer(evaluator);
// Act.
var targetUrl = enforcer.GetUriForMatchedSecurityRequest(mockRequest.Object,
mockResponse.Object,
RequestSecurity.Insecure,
settings);
// Assert.
Assert.Equal(settings.BaseInsecureUri + PathRequestUri.Remove(0, 1) + QueryRequestUri, targetUrl);
}
public override void SetUp()
{
base.SetUp();
CreatePersister();
parser = mocks.StrictMock <N2.Web.IUrlParser>();
context = CreateWebContext(false);
EditSection editSection = new EditSection();
security = new SecurityManager(context, editSection);
enforcer = new SecurityEnforcer(persister, security, new ContentActivator(null, null, null), parser, context);
enforcer.Start();
}
public void Item_Inherits_AllowedEditors_FromParent()
{
var enforcer = new SecurityEnforcer(persister, new SecurityManager(new ThreadContext(), new EditSection()), activator, MockRepository.GenerateStub <IUrlParser>(), new ThreadContext());
enforcer.Start();
DefinitionTextPage page = definitions.CreateInstance <DefinitionTextPage>(null);
DynamicPermissionMap.SetRoles(page, Permission.Publish, new string[] { "Group1" });
try
{
DefinitionTextPage child = definitions.CreateInstance <DefinitionTextPage>(page);
Assert.That(DynamicPermissionMap.GetRoles(child, Permission.Publish).Count(), Is.EqualTo(1));
Assert.That(DynamicPermissionMap.GetRoles(child, Permission.Publish).Contains("Group1"));
}
finally
{
enforcer.Stop();
}
}
public void Item_Inherits_AllowedReaders_FromParent()
{
var enforcer = new SecurityEnforcer(persister, new SecurityManager(new ThreadContext(), new EditSection()), activator, MockRepository.GenerateStub <IUrlParser>(), new ThreadContext());
enforcer.Start();
DefinitionTextPage page = definitions.CreateInstance <DefinitionTextPage>(null);
page.AuthorizedRoles.Add(new N2.Security.AuthorizedRole(page, "Administrators"));
try
{
DefinitionTextPage child = definitions.CreateInstance <DefinitionTextPage>(page);
Assert.That(child.AuthorizedRoles.Count, Is.EqualTo(1));
Assert.That(child.AuthorizedRoles[0].Role, Is.EqualTo("Administrators"));
Assert.That(child.AuthorizedRoles[0].EnclosingItem, Is.EqualTo(child));
}
finally
{
enforcer.Stop();
}
}
public void GetUriRequestReturnsNullIfOffloadedHeaderSecurityAlreadyMatchesSpecifiedSecurity()
{
// Arrange.
var mockRequest = new Mock <HttpRequestBase>();
mockRequest.SetupGet(req => req.IsSecureConnection).Returns(false);
var mockResponse = new Mock <HttpResponseBase>();
var settings = new Settings();
var evaluator = new HeadersSecurityEvaluator();
var enforcer = new SecurityEnforcer(evaluator);
// Act.
mockRequest.SetupGet(req => req.Headers).Returns(new NameValueCollection {
{ "SSL_REQUEST", "on" },
{ "OTHER_HEADER", "some-value" }
});
settings.OffloadedSecurityHeaders = "SSL_REQUEST=";
var targetUrlForAlreadySecuredRequest = enforcer.GetUriForMatchedSecurityRequest(mockRequest.Object,
mockResponse.Object,
RequestSecurity.Secure,
settings);
mockRequest.SetupGet(req => req.Headers).Returns(new NameValueCollection {
{ "OTHER_HEADER", "some-value" }
});
var targetUrlForAlreadyInsecureRequest = enforcer.GetUriForMatchedSecurityRequest(mockRequest.Object,
mockResponse.Object,
RequestSecurity.Insecure,
settings);
// Assert.
Assert.Null(targetUrlForAlreadySecuredRequest);
Assert.Null(targetUrlForAlreadyInsecureRequest);
}
/// <summary>Authorize the user against the current content item. Throw an exception if not authorized.</summary>
/// <param name="user">The user for which to authorize the request.</param>
public virtual void AuthorizeRequest(PathData path, IPrincipal user)
{
SecurityEnforcer.AuthorizeRequest(user, path.CurrentPage, Permission.Read);
}
