public void MatchingPermissionReturnsRight()
{
RolePermission assertion = new RolePermission("testrole", SecurityRight.Inherit, SecurityRight.Inherit, SecurityRight.Allow, SecurityRight.Inherit, new UserName("johndoe"));
SecurityRight result = assertion.CheckPermission(null, SecurityPermission.ForceAbortBuild);
Assert.AreEqual(SecurityRight.Allow, result);
}
public void DifferentPermissionReturnsInherited()
{
RolePermission assertion = new RolePermission("testrole", SecurityRight.Inherit, SecurityRight.Inherit, SecurityRight.Allow, SecurityRight.Inherit, new UserName("johndoe"));
SecurityRight result = assertion.CheckPermission(null, SecurityPermission.SendMessage);
Assert.AreEqual(SecurityRight.Inherit, result);
}
/// <summary>
/// Checks whether the user can perform the specified action.
/// </summary>
/// <param name="userName">The name of the user that is being checked.</param>
/// <param name="permission">The permission to check.</param>
/// <param name="defaultRight">The default right to use.</param>
/// <param name="manager"></param>
/// <returns>True if the permission is valid, false otherwise.</returns>
public virtual bool CheckPermission(ISecurityManager manager,
string userName,
SecurityPermission permission,
SecurityRight defaultRight)
{
return manager.CheckServerPermission(userName, permission);
}
/// <summary>
/// Checks whether the user can perform the specified action.
/// </summary>
/// <param name="userName">The name of the user that is being checked.</param>
/// <param name="permission">The permission to check.</param>
/// <param name="defaultRight">The default right to use.</param>
/// <param name="manager"></param>
/// <returns>True if the permission is valid, false otherwise.</returns>
public virtual bool CheckPermission(ISecurityManager manager,
string userName,
SecurityPermission permission,
SecurityRight defaultRight)
{
SecurityRight currentRight = SecurityRight.Inherit;
// Iterate through the assertions stopping when we hit the first non-inherited permission
foreach (IPermission assertion in permissions)
{
if (assertion.CheckUser(manager, userName))
{
currentRight = assertion.CheckPermission(manager, permission);
}
if (currentRight != SecurityRight.Inherit)
{
break;
}
}
// If we don't have a result, then use the default right
if (currentRight == SecurityRight.Inherit)
{
currentRight = this.defaultRight;
}
if (currentRight == SecurityRight.Inherit)
{
currentRight = defaultRight;
}
return(currentRight == SecurityRight.Allow);
}
/// <summary>
/// Checks whether the user can perform the specified action.
/// </summary>
/// <param name="userName">The name of the user that is being checked.</param>
/// <param name="permission">The permission to check.</param>
/// <param name="defaultRight">The default right to use.</param>
/// <param name="manager"></param>
/// <returns>True if the permission is valid, false otherwise.</returns>
public virtual bool CheckPermission(ISecurityManager manager,
string userName,
SecurityPermission permission,
SecurityRight defaultRight)
{
return(manager.CheckServerPermission(userName, permission));
}
/// <summary>
/// Checks whether the user can perform the specified action.
/// </summary>
/// <param name="userName">The name of the user that is being checked.</param>
/// <param name="permission">The permission to check.</param>
/// <param name="defaultRight">The default right to use.</param>
/// <param name="manager"></param>
/// <returns>True if the permission is valid, false otherwise.</returns>
public virtual bool CheckPermission(ISecurityManager manager,
string userName,
SecurityPermission permission,
SecurityRight defaultRight)
{
return true;
}
/// <summary>
/// Checks whether the user can perform the specified action.
/// </summary>
/// <param name="userName">The name of the user that is being checked.</param>
/// <param name="permission">The permission to check.</param>
/// <param name="defaultRight">The default right to use.</param>
/// <param name="manager"></param>
/// <returns>True if the permission is valid, false otherwise.</returns>
public virtual bool CheckPermission(ISecurityManager manager,
string userName,
SecurityPermission permission,
SecurityRight defaultRight)
{
return(true);
}
/// <summary>
/// Start a fully load instance.
/// </summary>
/// <param name="userName">The name of the user.</param>
/// <param name="defaultRight">The default right.</param>
/// <param name="sendMessage">Their send message right.</param>
/// <param name="forceBuild">Their force build right.</param>
/// <param name="startProject">Their start project right.</param>
public UserPermission(string userName, SecurityRight defaultRight, SecurityRight sendMessage, SecurityRight forceBuild, SecurityRight startProject)
{
this.userName = userName;
base.DefaultRight = defaultRight;
base.SendMessageRight = sendMessage;
base.ForceBuildRight = forceBuild;
base.StartProjectRight = startProject;
}
/// <summary>
/// Start a fully load instance.
/// </summary>
/// <param name="userName">The name of the user.</param>
/// <param name="defaultRight">The default right.</param>
/// <param name="sendMessage">Their send message right.</param>
/// <param name="forceBuild">Their force build right.</param>
/// <param name="startProject">Their start project right.</param>
public UserPermission(string userName, SecurityRight defaultRight, SecurityRight sendMessage, SecurityRight forceBuild, SecurityRight startProject)
{
this.userName = userName;
base.DefaultRight = defaultRight;
base.SendMessageRight = sendMessage;
base.ForceBuildRight = forceBuild;
base.StartProjectRight = startProject;
}
/// <summary>
/// Start a fully load instance.
/// </summary>
/// <param name="roleName">The name of the role.</param>
/// <param name="defaultRight">The default right.</param>
/// <param name="sendMessage">Their send message right.</param>
/// <param name="forceBuild">Their force build right.</param>
/// <param name="startProject">Their start project right.</param>
/// <param name="users">The users in this role.</param>
public RolePermission(string roleName, SecurityRight defaultRight, SecurityRight sendMessage, SecurityRight forceBuild, SecurityRight startProject, params UserName[] users)
{
this.roleName = roleName;
base.DefaultRight = defaultRight;
base.SendMessageRight = sendMessage;
base.ForceBuildRight = forceBuild;
base.StartProjectRight = startProject;
this.users = users;
}
/// <summary>
/// Start a fully load instance.
/// </summary>
/// <param name="roleName">The name of the role.</param>
/// <param name="defaultRight">The default right.</param>
/// <param name="sendMessage">Their send message right.</param>
/// <param name="forceBuild">Their force build right.</param>
/// <param name="startProject">Their start project right.</param>
/// <param name="users">The users in this role.</param>
public RolePermission(string roleName, SecurityRight defaultRight, SecurityRight sendMessage, SecurityRight forceBuild, SecurityRight startProject, params UserName[] users)
{
this.roleName = roleName;
base.DefaultRight = defaultRight;
base.SendMessageRight = sendMessage;
base.ForceBuildRight = forceBuild;
base.StartProjectRight = startProject;
this.users = users;
}
public void CorrectPermissionsReturnedForceBuild()
{
UserPermission assertion = new UserPermission("johnDoe",
SecurityRight.Deny,
SecurityRight.Deny,
SecurityRight.Allow,
SecurityRight.Deny);
SecurityRight right = assertion.CheckPermission(null, SecurityPermission.ForceAbortBuild);
Assert.AreEqual(SecurityRight.Allow, right);
}
public void CorrectPermissionsReturnedStartProject()
{
UserPermission assertion = new UserPermission("johnDoe",
SecurityRight.Deny,
SecurityRight.Deny,
SecurityRight.Deny,
SecurityRight.Allow);
SecurityRight right = assertion.CheckPermission(null, SecurityPermission.StartStopProject);
Assert.AreEqual(SecurityRight.Allow, right);
}
public void CorrectPermissionsReturnedSendMessage()
{
UserPermission assertion = new UserPermission("johnDoe",
SecurityRight.Deny,
SecurityRight.Allow,
SecurityRight.Deny,
SecurityRight.Deny);
SecurityRight right = assertion.CheckPermission(null, SecurityPermission.SendMessage);
Assert.AreEqual(SecurityRight.Allow, right);
}
/// <summary>
/// Logs a security event.
/// </summary>
/// <param name="projectName">The name of the project.</param>
/// <param name="userName">The name of the user.</param>
/// <param name="eventType">The type of event.</param>
/// <param name="eventRight">The right of the event.</param>
/// <param name="message">Any security message.</param>
public virtual void LogEvent(string projectName, string userName, SecurityEvent eventType, SecurityRight eventRight, string message)
{
if ((eventRight == SecurityRight.Allow) && this.logSuccessfulEvents)
{
DoLogEvent(projectName, userName, eventType, eventRight, message);
}
else if ((eventRight == SecurityRight.Deny) && this.logFailureEvents)
{
DoLogEvent(projectName, userName, eventType, eventRight, message);
}
else if (eventRight == SecurityRight.Inherit)
{
DoLogEvent(projectName, userName, eventType, eventRight, message);
}
}
public void LogEventSendsEventToLogger()
{
string projectName = "Test Project";
string userName = "******";
SecurityEvent eventType = SecurityEvent.ForceBuild;
SecurityRight eventRight = SecurityRight.Allow;
string message = "A message";
IAuditLogger logger = mocks.Create <IAuditLogger>(MockBehavior.Strict).Object;
Mock.Get(logger).Setup(_logger => _logger.LogEvent(projectName, userName, eventType, eventRight, message)).Verifiable();
manager.AuditLoggers = new IAuditLogger[] {
logger
};
manager.Initialise();
manager.LogEvent(projectName, userName, eventType, eventRight, message);
}
public void CheckPermissionWithValidReference()
{
SecurityPermission permission = SecurityPermission.ForceAbortBuild;
string goodReference = "doesExist";
IPermission goodAssertion = mocks.Create <IPermission>(MockBehavior.Strict).Object;
ISecurityManager manager = mocks.Create <ISecurityManager>(MockBehavior.Strict).Object;
Mock.Get(manager).Setup(_manager => _manager.RetrievePermission(goodReference)).Returns(goodAssertion).Verifiable();
Mock.Get(goodAssertion).Setup(_goodAssertion => _goodAssertion.CheckPermission(manager, permission)).Returns(SecurityRight.Allow).Verifiable();
UserPermission assertion = new UserPermission();
assertion.RefId = goodReference;
SecurityRight result = assertion.CheckPermission(manager, permission);
Assert.AreEqual(SecurityRight.Allow, result);
mocks.VerifyAll();
}
public void CheckPermissionWithValidReference()
{
SecurityPermission permission = SecurityPermission.ForceAbortBuild;
string goodReference = "doesExist";
IPermission goodAssertion = mocks.StrictMock <IPermission>();
ISecurityManager manager = mocks.StrictMock <ISecurityManager>();
Expect.Call(manager.RetrievePermission(goodReference)).Return(goodAssertion);
Expect.Call(goodAssertion.CheckPermission(manager, permission)).Return(SecurityRight.Allow);
mocks.ReplayAll();
UserPermission assertion = new UserPermission();
assertion.RefId = goodReference;
SecurityRight result = assertion.CheckPermission(manager, permission);
Assert.AreEqual(SecurityRight.Allow, result);
mocks.VerifyAll();
}
public void LogEventSendsEventToLogger()
{
string projectName = "Test Project";
string userName = "******";
SecurityEvent eventType = SecurityEvent.ForceBuild;
SecurityRight eventRight = SecurityRight.Allow;
string message = "A message";
IAuditLogger logger = mocks.CreateMock <IAuditLogger>();
Expect.Call(delegate { logger.LogEvent(projectName, userName, eventType, eventRight, message); });
mocks.ReplayAll();
manager.AuditLoggers = new IAuditLogger[] {
logger
};
manager.Initialise();
manager.LogEvent(projectName, userName, eventType, eventRight, message);
}
/// <summary>
/// Performs the actual logging of a security event
/// </summary>
/// <param name="projectName">The name of the project.</param>
/// <param name="userName">The name of the user.</param>
/// <param name="eventType">The type of event.</param>
/// <param name="eventRight">The right of the event.</param>
/// <param name="message">Any security message.</param>
protected override void DoLogEvent(string projectName, string userName, SecurityEvent eventType, SecurityRight eventRight, string message)
{
// Generate the log entry
XmlDocument auditXml = new XmlDocument();
XmlElement xmlRoot = auditXml.CreateElement("event");
auditXml.AppendChild(xmlRoot);
AddXmlElement(auditXml, xmlRoot, "dateTime", DateTime.Now.ToString("o", CultureInfo.CurrentCulture));
if (!string.IsNullOrEmpty(projectName)) AddXmlElement(auditXml, xmlRoot, "project", projectName);
if (!string.IsNullOrEmpty(userName)) AddXmlElement(auditXml, xmlRoot, "user", userName);
AddXmlElement(auditXml, xmlRoot, "type", eventType.ToString());
if (eventRight != SecurityRight.Inherit) AddXmlElement(auditXml, xmlRoot, "outcome", eventRight.ToString());
if (!string.IsNullOrEmpty(message)) AddXmlElement(auditXml, xmlRoot, "message", message);
// Write the entry
string auditLog = executionEnvironment.EnsurePathIsRooted(this.auditFile);
lock (this)
{
File.AppendAllText(auditLog, auditXml.OuterXml.Replace(Environment.NewLine, " ") + Environment.NewLine);
}
}
/// <summary>
/// Checks whether the user can perform the specified action at the server level.
/// </summary>
/// <param name="userName">The name of the user that is being checked.</param>
/// <param name="permission">The permission to check.</param>
/// <returns>True if the permission is valid, false otherwise.</returns>
public override bool CheckServerPermission(string userName, SecurityPermission permission)
{
SecurityRight currentRight = SecurityRight.Inherit;
// Iterate through the permissions stopping when we hit the first non-inherited permission
foreach (IPermission permissionToCheck in permissions)
{
if (permissionToCheck.CheckUser(this, userName))
{
currentRight = permissionToCheck.CheckPermission(this, permission);
}
if (currentRight != SecurityRight.Inherit)
{
break;
}
}
// If we don't have a result, then use the default right
if (currentRight == SecurityRight.Inherit)
{
currentRight = GetDefaultRight(permission);
}
return(currentRight == SecurityRight.Allow);
}
/// <summary>
/// Starts a new filter with the security right.
/// </summary>
/// <param name="securityRight"></param>
public SecurityRightAuditFilter(SecurityRight securityRight)
: this(securityRight, null)
{
}
/// <summary>
/// Starts a new filter with the security right and inner filter.
/// </summary>
/// <param name="securityRight"></param>
/// <param name="innerFilter"></param>
public SecurityRightAuditFilter(SecurityRight securityRight, AuditFilterBase innerFilter)
: base(innerFilter)
{
this.right = securityRight;
}
/// <summary>
/// Filters by security right.
/// </summary>
/// <param name="right"></param>
/// <returns></returns>
public virtual AuditFilterBase ByRight(SecurityRight right)
{
return(new SecurityRightAuditFilter(right, this));
}
/// <summary>
/// Start a fully load instance.
/// </summary>
/// <param name="defaultRight">The default right.</param>
/// <param name="assertions">The assertions.</param>
public DefaultProjectAuthorisation(SecurityRight defaultRight, params IPermission[] assertions)
{
this.defaultRight = defaultRight;
this.permissions = assertions;
}
/// <summary>
/// Start a fully load instance.
/// </summary>
/// <param name="defaultRight">The default right.</param>
/// <param name="assertions">The assertions.</param>
public DefaultProjectAuthorisation(SecurityRight defaultRight, params IPermission[] assertions)
{
this.defaultRight = defaultRight;
this.permissions = assertions;
}
/// <summary>
/// Filters by security right.
/// </summary>
/// <param name="right"></param>
/// <returns></returns>
public static AuditFilterBase ByRight(SecurityRight right)
{
return(new SecurityRightAuditFilter(right));
}
/// <summary>
/// Logs a security event.
/// </summary>
/// <param name="projectName">The name of the project.</param>
/// <param name="userName">The name of the user.</param>
/// <param name="eventType">The type of event.</param>
/// <param name="eventRight">The right of the event.</param>
/// <param name="message">Any security message.</param>
public virtual void LogEvent(string projectName, string userName, SecurityEvent eventType, SecurityRight eventRight, string message)
{
if ((eventRight == SecurityRight.Allow) && this.logSuccessfulEvents)
{
DoLogEvent(projectName, userName, eventType, eventRight, message);
}
else if ((eventRight == SecurityRight.Deny) && this.logFailureEvents)
{
DoLogEvent(projectName, userName, eventType, eventRight, message);
}
else if (eventRight == SecurityRight.Inherit)
{
DoLogEvent(projectName, userName, eventType, eventRight, message);
}
}
/// <summary>
/// Sends a security event to the audit loggers.
/// </summary>
/// <param name="projectName">The name of the project.</param>
/// <param name="userName">The name of the user.</param>
/// <param name="eventType">The type of event.</param>
/// <param name="eventRight">The right of the event.</param>
/// <param name="message">Any security message.</param>
public virtual void LogEvent(string projectName, string userName, SecurityEvent eventType, SecurityRight eventRight, string message)
{
if (loggers != null)
{
foreach (IAuditLogger logger in loggers)
{
logger.LogEvent(projectName, userName, eventType, eventRight, message);
}
}
}
/// <summary>
/// Filters by security right.
/// </summary>
/// <param name="right"></param>
/// <returns></returns>
public static AuditFilterBase ByRight(SecurityRight right)
{
return new SecurityRightAuditFilter(right);
}
/// <summary>
/// Sends a security event to the audit loggers.
/// </summary>
/// <param name="projectName">The name of the project.</param>
/// <param name="userName">The name of the user.</param>
/// <param name="eventType">The type of event.</param>
/// <param name="eventRight">The right of the event.</param>
/// <param name="message">Any security message.</param>
public void LogEvent(string projectName, string userName, SecurityEvent eventType, SecurityRight eventRight, string message)
{
// Do nothing
}
/// <summary>
/// Performs the actual logging of a security event
/// </summary>
/// <param name="projectName">The name of the project.</param>
/// <param name="userName">The name of the user.</param>
/// <param name="eventType">The type of event.</param>
/// <param name="eventRight">The right of the event.</param>
/// <param name="message">Any security message.</param>
protected override void DoLogEvent(string projectName, string userName, SecurityEvent eventType, SecurityRight eventRight, string message)
{
// Generate the log entry
XmlDocument auditXml = new XmlDocument();
XmlElement xmlRoot = auditXml.CreateElement("event");
auditXml.AppendChild(xmlRoot);
AddXmlElement(auditXml, xmlRoot, "dateTime", DateTime.Now.ToString("o", CultureInfo.CurrentCulture));
if (!string.IsNullOrEmpty(projectName))
{
AddXmlElement(auditXml, xmlRoot, "project", projectName);
}
if (!string.IsNullOrEmpty(userName))
{
AddXmlElement(auditXml, xmlRoot, "user", userName);
}
AddXmlElement(auditXml, xmlRoot, "type", eventType.ToString());
if (eventRight != SecurityRight.Inherit)
{
AddXmlElement(auditXml, xmlRoot, "outcome", eventRight.ToString());
}
if (!string.IsNullOrEmpty(message))
{
AddXmlElement(auditXml, xmlRoot, "message", message);
}
// Write the entry
string auditLog = executionEnvironment.EnsurePathIsRooted(this.auditFile);
lock (this)
{
File.AppendAllText(auditLog, auditXml.OuterXml.Replace(Environment.NewLine, " ") + Environment.NewLine);
}
}
/// <summary>
/// Starts a new filter with the security right.
/// </summary>
/// <param name="securityRight"></param>
public SecurityRightAuditFilter(SecurityRight securityRight)
: this(securityRight, null) { }
/// <summary> /// Performs the actual logging of a security event /// </summary> /// <param name="projectName">The name of the project.</param> /// <param name="userName">The name of the user.</param> /// <param name="eventType">The type of event.</param> /// <param name="eventRight">The right of the event.</param> /// <param name="message">Any security message.</param> protected abstract void DoLogEvent(string projectName, string userName, SecurityEvent eventType, SecurityRight eventRight, string message);
/// <summary>
/// Starts a new filter with the security right and inner filter.
/// </summary>
/// <param name="securityRight"></param>
/// <param name="innerFilter"></param>
public SecurityRightAuditFilter(SecurityRight securityRight, AuditFilterBase innerFilter)
: base(innerFilter)
{
this.right = securityRight;
}
/// <summary>
/// Checks whether the user can perform the specified action.
/// </summary>
/// <param name="userName">The name of the user that is being checked.</param>
/// <param name="permission">The permission to check.</param>
/// <param name="defaultRight">The default right to use.</param>
/// <param name="manager"></param>
/// <returns>True if the permission is valid, false otherwise.</returns>
public virtual bool CheckPermission(ISecurityManager manager,
string userName,
SecurityPermission permission,
SecurityRight defaultRight)
{
SecurityRight currentRight = SecurityRight.Inherit;
// Iterate through the assertions stopping when we hit the first non-inherited permission
foreach (IPermission assertion in permissions)
{
if (assertion.CheckUser(manager, userName)) currentRight = assertion.CheckPermission(manager, permission);
if (currentRight != SecurityRight.Inherit) break;
}
// If we don't have a result, then use the default right
if (currentRight == SecurityRight.Inherit) currentRight = this.defaultRight;
if (currentRight == SecurityRight.Inherit) currentRight = defaultRight;
return (currentRight == SecurityRight.Allow);
}
/// <summary>
/// Filters by security right.
/// </summary>
/// <param name="right"></param>
/// <returns></returns>
public virtual AuditFilterBase ByRight(SecurityRight right)
{
return new SecurityRightAuditFilter(right, this);
}
/// <summary> /// Performs the actual logging of a security event /// </summary> /// <param name="projectName">The name of the project.</param> /// <param name="userName">The name of the user.</param> /// <param name="eventType">The type of event.</param> /// <param name="eventRight">The right of the event.</param> /// <param name="message">Any security message.</param> protected abstract void DoLogEvent(string projectName, string userName, SecurityEvent eventType, SecurityRight eventRight, string message);
