/// <summary> /// Evaluate if this security policy is met. /// </summary> public override SecurityPolicyResult Evaluate(UserSecurityPolicyEvaluationContext context) { if (context == null) { throw new ArgumentNullException(nameof(context)); } var minClientVersion = GetMaxOfMinClientVersions(context); // Do we have X-NuGet-Protocol-Version header? var protocolVersion = GetProtocolVersion(context); if (protocolVersion == null) { // Do we have X-NuGet-Client-Version header? protocolVersion = GetClientVersion(context); } if (protocolVersion == null || protocolVersion < minClientVersion) { return(SecurityPolicyResult.CreateErrorResult(string.Format(CultureInfo.CurrentCulture, Strings.SecurityPolicy_RequireMinProtocolVersionForPush, minClientVersion))); } return(SecurityPolicyResult.SuccessResult); }
/// <summary> /// Evaluate if this security policy is met. /// </summary> public override Task <SecurityPolicyResult> EvaluateAsync(UserSecurityPolicyEvaluationContext context) { if (context == null) { throw new ArgumentNullException(nameof(context)); } var minProtocolVersion = GetMaxOfMinProtocolVersions(context); // Do we have X-NuGet-Protocol-Version header? var protocolVersion = GetProtocolVersion(context); if (protocolVersion == null) { // Do we have X-NuGet-Client-Version header? This header is DEPRECATED, and here for backwards compatibility! protocolVersion = GetClientVersion(context); } if (protocolVersion == null || protocolVersion < minProtocolVersion) { return(Task.FromResult(SecurityPolicyResult.CreateErrorResult(string.Format(CultureInfo.CurrentCulture, ServicesStrings.SecurityPolicy_RequireMinProtocolVersionForPush, minProtocolVersion)))); } return(Task.FromResult(SecurityPolicyResult.SuccessResult)); }
private Mock <UserSecurityPolicyHandler> MockHandler(string name, bool success) { var result = success ? SecurityPolicyResult.SuccessResult : SecurityPolicyResult.CreateErrorResult(name); var mock = new Mock <UserSecurityPolicyHandler>(name, SecurityPolicyAction.PackagePush); mock.Setup(m => m.Evaluate(It.IsAny <UserSecurityPolicyEvaluationContext>())).Returns(result).Verifiable(); return(mock); }
private static Mock <UserSecurityPolicyHandler> MockHandler(string name, Dictionary <string, bool> resultPerSubscription) { var mock = new Mock <UserSecurityPolicyHandler>(name, SecurityPolicyAction.PackagePush); mock.Setup(m => m.Evaluate(It.IsAny <UserSecurityPolicyEvaluationContext>())) .Returns <UserSecurityPolicyEvaluationContext>(x => { var subscription = x.Policies.First().Subscription; return(resultPerSubscription[subscription] == true ? SecurityPolicyResult.SuccessResult : SecurityPolicyResult.CreateErrorResult($"{subscription}-{name}")); }).Verifiable(); return(mock); }
public override SecurityPolicyResult Evaluate(UserSecurityPolicyEvaluationContext context) { if (context == null) { throw new ArgumentNullException(nameof(context)); } var identity = context.HttpContext.User.Identity; if (identity.HasPackageVerifyScopeClaim()) { return(SecurityPolicyResult.SuccessResult); } return(SecurityPolicyResult.CreateErrorResult(Strings.SecurityPolicy_RequireApiKeyWithPackageVerifyScope)); }
public override Task <SecurityPolicyResult> EvaluateAsync(UserSecurityPolicyEvaluationContext context) { if (context == null) { throw new ArgumentNullException(nameof(context)); } var identity = context.HttpContext.User.Identity; if (identity.HasExplicitScopeAction(NuGetScopes.PackageVerify)) { return(Task.FromResult(SecurityPolicyResult.SuccessResult)); } return(Task.FromResult(SecurityPolicyResult.CreateErrorResult(Strings.SecurityPolicy_RequireApiKeyWithPackageVerifyScope))); }
/// <summary> /// Evaluate if this package compliance policy is met. /// </summary> public override async Task <SecurityPolicyResult> EvaluateAsync(PackageSecurityPolicyEvaluationContext context) { if (context == null) { throw new ArgumentNullException(nameof(context)); } // This particular package policy assumes the existence of a particular user. // Succeed silently (effectively ignoring this policy when enabled) when that user does not exist. var state = GetState(context); var requiredCoOwner = context.UserService.FindByUsername(state.RequiredCoOwnerUsername); if (requiredCoOwner == null) { // This may happen on gallery deployments that don't have this particular user. return(SecurityPolicyResult.SuccessResult); } // Evaluate package metadata validations if (!IsPackageMetadataCompliant(context.Package, state, out var complianceFailures)) { // Package policy not met. return(SecurityPolicyResult.CreateErrorResult( string.Format( CultureInfo.CurrentCulture, state.ErrorMessageFormat, Environment.NewLine + string.Join(Environment.NewLine, complianceFailures)))); } // Automatically add the required co-owner when metadata is compliant. if (!context.Package.PackageRegistration.Owners.Select(o => o.Username).Contains(state.RequiredCoOwnerUsername, StringComparer.OrdinalIgnoreCase)) { // This will also mark the package as verified if the prefix has been reserved by the co-owner. // The entities context is committed later as a single atomic transaction (see PackageUploadService). await context.PackageOwnershipManagementService.AddPackageOwnerAsync(context.Package.PackageRegistration, requiredCoOwner, commitChanges : false); } // If the PackageRegistration is not marked as verified, // the account pushing the package has not registered the prefix yet. if (!context.Package.PackageRegistration.IsVerified) { return(SecurityPolicyResult.CreateWarningResult(Strings.SecurityPolicy_RequirePackagePrefixReserved)); } // All good! return(SecurityPolicyResult.SuccessResult); }
public override SecurityPolicyResult Evaluate(UserSecurityPolicyEvaluationContext context) { context = context ?? throw new ArgumentNullException(nameof(context)); var state = GetPolicyState(context); var targetAccount = context.TargetAccount; var targetCredential = targetAccount.Credentials.GetAzureActiveDirectoryCredential(); if (targetCredential == null || !state.Tenant.Equals(targetCredential.TenantId, StringComparison.OrdinalIgnoreCase)) { return(SecurityPolicyResult.CreateErrorResult(string.Format(CultureInfo.CurrentCulture, Strings.AddMember_UserDoesNotMeetOrganizationPolicy, targetAccount.Username))); } return(SecurityPolicyResult.SuccessResult); }
public override SecurityPolicyResult Evaluate(UserSecurityPolicyContext context) { if (context == null) { throw new ArgumentNullException(nameof(context)); } var minClientVersion = GetMaxOfMinClientVersions(context); var clientVersion = GetClientVersion(context); if (clientVersion == null || clientVersion < minClientVersion) { return(SecurityPolicyResult.CreateErrorResult(string.Format(CultureInfo.CurrentCulture, Strings.SecurityPolicy_RequireMinClientVersionForPush, minClientVersion))); } return(SecurityPolicyResult.SuccessResult); }