public void GetUriReturnsTheRequestUrlWithProtocolReplacedWhenNoBaseUriIsSupplied() { // Arrange. const string BaseRequestUri = "http://www.testsite.com"; const string PathRequestUri = "/Manage/Default.aspx?Param=SomeValue"; var mockRequest = new Mock <HttpRequestBase>(); mockRequest.SetupGet(req => req.Url).Returns(new Uri(BaseRequestUri + PathRequestUri)); mockRequest.SetupGet(req => req.RawUrl).Returns(PathRequestUri); var mockResponse = new Mock <HttpResponseBase>(); mockResponse.Setup(resp => resp.ApplyAppPathModifier(It.IsAny <string>())).Returns <string>(s => s); var settings = new Settings { Mode = Mode.On, Paths = { new TestPathSetting("/Manage") } }; var evaluator = new HeadersSecurityEvaluator(); var enforcer = new SecurityEnforcer(evaluator); // Act. var targetUrl = enforcer.GetUriForMatchedSecurityRequest(mockRequest.Object, mockResponse.Object, RequestSecurity.Secure, settings); // Assert. Assert.Equal(BaseRequestUri.Replace("http://", "https://") + PathRequestUri, targetUrl); }
public void GetUriRequestReturnsNullIfRequestSecurityAlreadyMatchesSpecifiedSecurity() { // Arrange. var mockRequest = new Mock <HttpRequestBase>(); var mockResponse = new Mock <HttpResponseBase>(); var settings = new Settings(); var evaluator = new StandardSecurityEvaluator(); var enforcer = new SecurityEnforcer(evaluator); // Act. mockRequest.SetupGet(req => req.IsSecureConnection).Returns(true); var targetUrlForAlreadySecuredRequest = enforcer.GetUriForMatchedSecurityRequest(mockRequest.Object, mockResponse.Object, RequestSecurity.Secure, settings); mockRequest.SetupGet(req => req.IsSecureConnection).Returns(false); var targetUrlForAlreadyInsecureRequest = enforcer.GetUriForMatchedSecurityRequest(mockRequest.Object, mockResponse.Object, RequestSecurity.Insecure, settings); // Assert. Assert.Null(targetUrlForAlreadySecuredRequest); Assert.Null(targetUrlForAlreadyInsecureRequest); }
public void GetUriDoesNotIncludeApplicationPathWithSuppliedBaseUri() { const string BaseRequestUri = "http://www.testsite.com"; const string ApplicationPathRequestUri = "/MySuperDuperApplication"; const string PathRequestUri = ApplicationPathRequestUri + "/Manage/Default.aspx"; const string QueryRequestUri = "?Param=SomeValue"; var mockRequest = new Mock <HttpRequestBase>(); mockRequest.SetupGet(req => req.ApplicationPath).Returns(ApplicationPathRequestUri); mockRequest.SetupGet(req => req.Url).Returns(new Uri(BaseRequestUri + PathRequestUri + QueryRequestUri)); mockRequest.SetupGet(req => req.RawUrl).Returns(PathRequestUri + QueryRequestUri); var mockResponse = new Mock <HttpResponseBase>(); mockResponse.Setup(resp => resp.ApplyAppPathModifier(It.IsAny <string>())).Returns <string>(s => s); var settings = new Settings { Mode = Mode.On, BaseSecureUri = "https://secure.someotherwebsite.com/testsite/" }; var evaluator = new HeadersSecurityEvaluator(); var enforcer = new SecurityEnforcer(evaluator); // Act. var targetUrl = enforcer.GetUriForMatchedSecurityRequest(mockRequest.Object, mockResponse.Object, RequestSecurity.Secure, settings); // Assert. Assert.Equal(settings.BaseSecureUri + PathRequestUri.Remove(0, ApplicationPathRequestUri.Length + 1) + QueryRequestUri, targetUrl); }
public void GetUriReturnsSwitchedUriBasedOnSuppliedBaseInsecureUri() { const string BaseRequestUri = "https://www.testsite.com"; const string PathRequestUri = "/Info/Default.aspx"; const string QueryRequestUri = "?Param=SomeValue"; var mockRequest = new Mock <HttpRequestBase>(); mockRequest.SetupGet(req => req.ApplicationPath).Returns("/"); mockRequest.SetupGet(req => req.Url).Returns(new Uri(BaseRequestUri + PathRequestUri + QueryRequestUri)); mockRequest.SetupGet(req => req.RawUrl).Returns(PathRequestUri + QueryRequestUri); mockRequest.SetupGet(req => req.IsSecureConnection).Returns(true); var mockResponse = new Mock <HttpResponseBase>(); mockResponse.Setup(resp => resp.ApplyAppPathModifier(It.IsAny <string>())).Returns <string>(s => s); var settings = new Settings { Mode = Mode.On, BaseInsecureUri = "http://www.someotherwebsite.com/" }; var evaluator = new StandardSecurityEvaluator(); var enforcer = new SecurityEnforcer(evaluator); // Act. var targetUrl = enforcer.GetUriForMatchedSecurityRequest(mockRequest.Object, mockResponse.Object, RequestSecurity.Insecure, settings); // Assert. Assert.Equal(settings.BaseInsecureUri + PathRequestUri.Remove(0, 1) + QueryRequestUri, targetUrl); }
public override void SetUp() { base.SetUp(); CreatePersister(); parser = mocks.StrictMock <N2.Web.IUrlParser>(); context = CreateWebContext(false); EditSection editSection = new EditSection(); security = new SecurityManager(context, editSection); enforcer = new SecurityEnforcer(persister, security, new ContentActivator(null, null, null), parser, context); enforcer.Start(); }
public void Item_Inherits_AllowedEditors_FromParent() { var enforcer = new SecurityEnforcer(persister, new SecurityManager(new ThreadContext(), new EditSection()), activator, MockRepository.GenerateStub <IUrlParser>(), new ThreadContext()); enforcer.Start(); DefinitionTextPage page = definitions.CreateInstance <DefinitionTextPage>(null); DynamicPermissionMap.SetRoles(page, Permission.Publish, new string[] { "Group1" }); try { DefinitionTextPage child = definitions.CreateInstance <DefinitionTextPage>(page); Assert.That(DynamicPermissionMap.GetRoles(child, Permission.Publish).Count(), Is.EqualTo(1)); Assert.That(DynamicPermissionMap.GetRoles(child, Permission.Publish).Contains("Group1")); } finally { enforcer.Stop(); } }
public void Item_Inherits_AllowedReaders_FromParent() { var enforcer = new SecurityEnforcer(persister, new SecurityManager(new ThreadContext(), new EditSection()), activator, MockRepository.GenerateStub <IUrlParser>(), new ThreadContext()); enforcer.Start(); DefinitionTextPage page = definitions.CreateInstance <DefinitionTextPage>(null); page.AuthorizedRoles.Add(new N2.Security.AuthorizedRole(page, "Administrators")); try { DefinitionTextPage child = definitions.CreateInstance <DefinitionTextPage>(page); Assert.That(child.AuthorizedRoles.Count, Is.EqualTo(1)); Assert.That(child.AuthorizedRoles[0].Role, Is.EqualTo("Administrators")); Assert.That(child.AuthorizedRoles[0].EnclosingItem, Is.EqualTo(child)); } finally { enforcer.Stop(); } }
public void GetUriRequestReturnsNullIfOffloadedHeaderSecurityAlreadyMatchesSpecifiedSecurity() { // Arrange. var mockRequest = new Mock <HttpRequestBase>(); mockRequest.SetupGet(req => req.IsSecureConnection).Returns(false); var mockResponse = new Mock <HttpResponseBase>(); var settings = new Settings(); var evaluator = new HeadersSecurityEvaluator(); var enforcer = new SecurityEnforcer(evaluator); // Act. mockRequest.SetupGet(req => req.Headers).Returns(new NameValueCollection { { "SSL_REQUEST", "on" }, { "OTHER_HEADER", "some-value" } }); settings.OffloadedSecurityHeaders = "SSL_REQUEST="; var targetUrlForAlreadySecuredRequest = enforcer.GetUriForMatchedSecurityRequest(mockRequest.Object, mockResponse.Object, RequestSecurity.Secure, settings); mockRequest.SetupGet(req => req.Headers).Returns(new NameValueCollection { { "OTHER_HEADER", "some-value" } }); var targetUrlForAlreadyInsecureRequest = enforcer.GetUriForMatchedSecurityRequest(mockRequest.Object, mockResponse.Object, RequestSecurity.Insecure, settings); // Assert. Assert.Null(targetUrlForAlreadySecuredRequest); Assert.Null(targetUrlForAlreadyInsecureRequest); }
/// <summary>Authorize the user against the current content item. Throw an exception if not authorized.</summary> /// <param name="user">The user for which to authorize the request.</param> public virtual void AuthorizeRequest(PathData path, IPrincipal user) { SecurityEnforcer.AuthorizeRequest(user, path.CurrentPage, Permission.Read); }