public async Task EvaluateAsync_EvaluatesOnlyPoliciesRelevantToTheAction()
{
// Arrange
const string extraPolicyName = "ExtraPolicy";
var extraPolicyHandlerMock = new Mock <UserSecurityPolicyHandler>(extraPolicyName, SecurityPolicyAction.ManagePackageOwners);
var policyData = new TestUserSecurityPolicyData();
var policyHandlers = new List <UserSecurityPolicyHandler>(policyData.Handlers.Select(x => x.Object));
policyHandlers.Add(extraPolicyHandlerMock.Object);
var service = new TestSecurityPolicyService(policyData, policyHandlers);
var user = new User("testUser");
var subscription = service.Mocks.Subscription.Object;
var userSecurityPolicies = new List <UserSecurityPolicy>(subscription.Policies);
userSecurityPolicies.Add(new UserSecurityPolicy(extraPolicyName, "ExtraSubscription"));
user.SecurityPolicies = userSecurityPolicies;
// Act
var result = await service.EvaluateUserPoliciesAsync(SecurityPolicyAction.PackagePush, CreateHttpContext(user));
// Assert
Assert.True(result.Success);
Assert.Null(result.ErrorMessage);
service.Mocks.MockPolicyHandler1.Verify(p => p.Evaluate(It.IsAny <UserSecurityPolicyEvaluationContext>()), Times.Once);
service.Mocks.MockPolicyHandler2.Verify(p => p.Evaluate(It.IsAny <UserSecurityPolicyEvaluationContext>()), Times.Once);
extraPolicyHandlerMock.Verify(p => p.Evaluate(It.IsAny <UserSecurityPolicyEvaluationContext>()), Times.Never);
}
public async Task SubscribeAsync_AddsAllSubscriptionPoliciesWhenHasSameAsDifferentSubscription()
{
// Arrange.
var service = new TestSecurityPolicyService();
var user = new User("testUser");
var subscriptionName2 = "MockSubscription2";
var subscription = service.Mocks.Subscription.Object;
foreach (var policy in subscription.Policies)
{
user.SecurityPolicies.Add(new UserSecurityPolicy(policy.Name, subscriptionName2));
}
// Act.
var subscribed = await service.SubscribeAsync(user, service.UserSubscriptions.First());
// Act & Assert.
Assert.True(subscribed);
var policies = user.SecurityPolicies.ToList();
Assert.Equal(4, policies.Count);
Assert.Equal(subscriptionName2, policies[0].Subscription);
Assert.Equal(subscriptionName2, policies[0].Subscription);
service.Mocks.VerifySubscriptionPolicies(policies.Skip(2));
service.Mocks.Subscription.Verify(s => s.OnSubscribeAsync(It.IsAny <UserSecurityPolicySubscriptionContext>()), Times.Once);
service.MockEntitiesContext.Verify(c => c.SaveChangesAsync(), Times.Once);
}
public async Task UnsubscribeAsync_DoesNotRemoveOtherSubscriptionPolicies()
{
// Arrange.
var service = new TestSecurityPolicyService();
var user = new User("testUser");
var subscriptionName2 = "MockSubscription2";
var subscription = service.Mocks.Subscription.Object;
foreach (var policy in subscription.Policies)
{
user.SecurityPolicies.Add(new UserSecurityPolicy(policy));
user.SecurityPolicies.Add(new UserSecurityPolicy(policy.Name, subscriptionName2));
}
Assert.Equal(4, user.SecurityPolicies.Count);
// Act.
await service.UnsubscribeAsync(user, service.UserSubscriptions.First());
// Act & Assert.
var policies = user.SecurityPolicies.ToList();
Assert.Equal(2, policies.Count);
Assert.Equal(subscriptionName2, policies[0].Subscription);
Assert.Equal(subscriptionName2, policies[1].Subscription);
service.Mocks.Subscription.Verify(s => s.OnUnsubscribeAsync(It.IsAny <UserSecurityPolicySubscriptionContext>()), Times.Once);
service.MockEntitiesContext.Verify(c => c.SaveChangesAsync(), Times.Once);
service.MockUserSecurityPolicies.Verify(p => p.Remove(It.IsAny <UserSecurityPolicy>()), Times.Exactly(2));
}
public async Task EvaluateAsync_WhenDefaultSecurityPolicyNotMetReturnFailure()
{
// Arrange
var policyData = new TestUserSecurityPolicyData(policy1Result: true, policy2Result: true, defaultPolicy1Result: true, defaultPolicy2Result: false);
var configuration = new AppConfiguration()
{
EnforceDefaultSecurityPolicies = true
};
var service = new TestSecurityPolicyService(policyData, null, null, null, null, configuration);
var user = new User("testUser");
var subscription = service.Mocks.Subscription.Object;
user.SecurityPolicies = subscription.Policies.ToList();
// Act
var result = await service.EvaluateUserPoliciesAsync(SecurityPolicyAction.PackagePush, CreateHttpContext(user));
// Assert
Assert.Equal(false, result.Success);
// The error indicates which subscription failed
Assert.Contains(policyData.DefaultSubscription.Object.SubscriptionName, result.ErrorMessage);
// Audit record is saved
service.MockAuditingService.Verify(s => s.SaveAuditRecordAsync(It.IsAny <AuditRecord>()), Times.Once);
// Policies are evaluated only once
service.Mocks.MockPolicyHandler1.Verify(p => p.Evaluate(It.IsAny <UserSecurityPolicyEvaluationContext>()), Times.Once);
service.Mocks.MockPolicyHandler2.Verify(p => p.Evaluate(It.IsAny <UserSecurityPolicyEvaluationContext>()), Times.Once);
}
public void IsSubscribed_ReturnsTrueIfUserHasSubscriptionPolicies()
{
// Arrange.
var service = new TestSecurityPolicyService();
var user = new User("testUser");
var subscription = service.Mocks.Subscription.Object;
user.SecurityPolicies = subscription.Policies.ToList();
// Act & Assert.
Assert.True(service.IsSubscribed(user, service.UserSubscriptions.Single()));
}
public void IsSubscribed_ReturnsFalseIfUserDoesNotHaveAllSubscriptionPolicies()
{
// Arrange.
var service = new TestSecurityPolicyService();
var user = new User("testUser");
var subscription = service.Mocks.Subscription.Object;
user.SecurityPolicies.Add(subscription.Policies.First());
// Act & Assert.
Assert.False(service.IsSubscribed(user, service.UserSubscriptions.First()));
}
public async Task UnsubscribeAsync_DoesNotSaveAuditRecordIfWasNotSubscribed()
{
// Arrange.
var service = new TestSecurityPolicyService();
var user = new User("testUser");
var subscription = service.UserSubscriptions.First();
// Act.
await service.UnsubscribeAsync(user, subscription);
// Act & Assert.
service.MockAuditingService.Verify(s => s.SaveAuditRecordAsync(It.IsAny <AuditRecord>()), Times.Never);
}
private TestSecurityPolicyService CreateSecurityPolicyService()
{
var auditing = new Mock <IAuditingService>();
auditing.Setup(s => s.SaveAuditRecordAsync(It.IsAny <AuditRecord>())).Returns(Task.CompletedTask).Verifiable();
var subscription = new MicrosoftTeamSubscription();
var service = new TestSecurityPolicyService(
mockAuditing: auditing,
userSubscriptions: new[] { subscription },
organizationSubscriptions: new[] { subscription });
return(service);
}
public async Task SubscribeAsync_AddsAllSubscriptionPoliciesWhenHasNoneToStart()
{
// Arrange.
var service = new TestSecurityPolicyService();
var user = new User("testUser");
// Act.
await service.SubscribeAsync(user, service.UserSubscriptions.First());
// Act & Assert.
Assert.Equal(2, user.SecurityPolicies.Count);
service.Mocks.VerifySubscriptionPolicies(user.SecurityPolicies);
service.Mocks.Subscription.Verify(s => s.OnSubscribeAsync(It.IsAny <UserSecurityPolicySubscriptionContext>()), Times.Once);
service.MockEntitiesContext.Verify(c => c.SaveChangesAsync(), Times.Once);
}
public async Task EvaluateAsync_ReturnsNonSuccessAfterFirstFailure()
{
// Arrange
var policyData = new TestUserSecurityPolicyData(policy1Result: false, policy2Result: true);
var service = new TestSecurityPolicyService(policyData);
var user = new User("testUser");
var subscription = service.Mocks.Subscription.Object;
user.SecurityPolicies = subscription.Policies.ToList();
// Act
var result = await service.EvaluateAsync(SecurityPolicyAction.PackagePush, CreateHttpContext(user));
// Assert
service.Mocks.VerifyPolicyEvaluation(expectedPolicy1: false, expectedPolicy2: null, actual: result);
}
public async Task EvaluateAsync_ReturnsSuccessWithoutEvaluationIfNoPoliciesWereFound()
{
// Arrange
var service = new TestSecurityPolicyService();
var user = new User("testUser");
// Act
var result = await service.EvaluateAsync(SecurityPolicyAction.PackagePush, CreateHttpContext(user));
// Assert
Assert.True(result.Success);
Assert.Null(result.ErrorMessage);
service.Mocks.MockPolicy1.Verify(p => p.Evaluate(It.IsAny <UserSecurityPolicyEvaluationContext>()), Times.Never);
service.Mocks.MockPolicy2.Verify(p => p.Evaluate(It.IsAny <UserSecurityPolicyEvaluationContext>()), Times.Never);
}
public void IsSubscribed_ReturnsTrueIfUserHasSubscriptionAndOtherPolicies()
{
// Arrange.
var service = new TestSecurityPolicyService();
var user = new User("testUser");
user.SecurityPolicies.Add(new UserSecurityPolicy("OtherPolicy", "OtherSubscription"));
var subscription = service.Mocks.Subscription.Object;
foreach (var policy in subscription.Policies)
{
user.SecurityPolicies.Add(policy);
}
// Act & Assert.
Assert.True(service.IsSubscribed(user, service.UserSubscriptions.First()));
}
public async Task EvaluateAsync_SavesAuditRecordsForSuccessAndFailureCases(bool success, int times)
{
// Arrange
var policyData = new TestUserSecurityPolicyData(policy1Result: success, policy2Result: success);
var service = new TestSecurityPolicyService(policyData);
var user = new User("testUser");
var subscription = service.Mocks.Subscription.Object;
user.SecurityPolicies = subscription.Policies.ToList();
// Act
var result = await service.EvaluateAsync(SecurityPolicyAction.PackagePush, CreateHttpContext(user));
// Assert
Assert.Equal(success, result.Success);
service.MockAuditingService.Verify(s => s.SaveAuditRecordAsync(It.IsAny <AuditRecord>()), Times.Exactly(times));
}
private TestSecurityPolicyService CreateSecurityPolicyService()
{
var auditing = new Mock <IAuditingService>();
auditing.Setup(s => s.SaveAuditRecordAsync(It.IsAny <AuditRecord>())).Returns(Task.CompletedTask).Verifiable();
var subscription = new DefaultSubscription();
var service = new TestSecurityPolicyService(
mockAuditing: auditing,
userHandlers: new UserSecurityPolicyHandler[]
{
new RequireMinProtocolVersionForPushPolicy(),
new RequirePackageVerifyScopePolicy()
},
userSubscriptions: new[] { subscription });
return(service);
}
public async Task EvaluateAsync_ReturnsSuccessWithEvaluationIfPoliciesFoundAndMet()
{
// Arrange
var service = new TestSecurityPolicyService();
var user = new User("testUser");
var subscription = service.Mocks.Subscription.Object;
user.SecurityPolicies = subscription.Policies.ToList();
// Act
var result = await service.EvaluateAsync(SecurityPolicyAction.PackagePush, CreateHttpContext(user));
// Assert
Assert.True(result.Success);
Assert.Null(result.ErrorMessage);
service.Mocks.MockPolicy1.Verify(p => p.Evaluate(It.IsAny <UserSecurityPolicyEvaluationContext>()), Times.Once);
service.Mocks.MockPolicy2.Verify(p => p.Evaluate(It.IsAny <UserSecurityPolicyEvaluationContext>()), Times.Once);
}
public void EvaluateReturnsSuccessWithEvaluationIfPoliciesFoundAndMet()
{
// Arrange
var service = new TestSecurityPolicyService();
var user = new User("testUser");
user.SecurityPolicies.Add(new UserSecurityPolicy("MockPushPolicy1"));
user.SecurityPolicies.Add(new UserSecurityPolicy("MockPushPolicy2"));
// Act
var result = service.Evaluate(SecurityPolicyAction.PackagePush, CreateHttpContext(user));
// Assert
Assert.True(result.Success);
Assert.Null(result.ErrorMessage);
service.MockPushPolicy1.Verify(p => p.Evaluate(It.IsAny <UserSecurityPolicyContext>()), Times.Once);
service.MockPushPolicy2.Verify(p => p.Evaluate(It.IsAny <UserSecurityPolicyContext>()), Times.Once);
}
public void EvaluateReturnsAfterFirstFailure()
{
// Arrange
var service = new TestSecurityPolicyService(success1: false, success2: true);
var user = new User("testUser");
user.SecurityPolicies.Add(new UserSecurityPolicy("MockPushPolicy1"));
user.SecurityPolicies.Add(new UserSecurityPolicy("MockPushPolicy2"));
// Act
var result = service.Evaluate(SecurityPolicyAction.PackagePush, CreateHttpContext(user));
// Assert
Assert.False(result.Success);
Assert.Equal("MockPushPolicy1", result.ErrorMessage);
service.MockPushPolicy1.Verify(p => p.Evaluate(It.IsAny <UserSecurityPolicyContext>()), Times.Once);
service.MockPushPolicy2.Verify(p => p.Evaluate(It.IsAny <UserSecurityPolicyContext>()), Times.Never);
}
public async Task EvaluateAsync_WhenEnforceDefaultSecurityPoliciesIsFalseDefaultPolicyNotEvaluated()
{
// Arrange
var policyData = new TestUserSecurityPolicyData(policy1Result: true, policy2Result: true, defaultPolicy1Result: false, defaultPolicy2Result: false);
var service = new TestSecurityPolicyService(policyData);
var user = new User("testUser");
var subscription = service.Mocks.Subscription.Object;
user.SecurityPolicies = subscription.Policies.ToList();
// Act
var result = await service.EvaluateUserPoliciesAsync(SecurityPolicyAction.PackagePush, CreateHttpContext(user));
// Assert
Assert.True(result.Success);
Assert.Null(result.ErrorMessage);
service.Mocks.MockPolicyHandler1.Verify(p => p.Evaluate(It.IsAny <UserSecurityPolicyEvaluationContext>()), Times.Once);
service.Mocks.MockPolicyHandler2.Verify(p => p.Evaluate(It.IsAny <UserSecurityPolicyEvaluationContext>()), Times.Once);
}
public async Task UnsubscribeAsync_RemovesAllSubscriptionPolicies()
{
// Arrange.
var service = new TestSecurityPolicyService();
var user = new User("testUser");
var subscription = service.Mocks.UserPoliciesSubscription.Object;
foreach (var policy in subscription.Policies)
{
user.SecurityPolicies.Add(new UserSecurityPolicy(policy));
}
Assert.Equal(2, user.SecurityPolicies.Count);
// Act.
await service.UnsubscribeAsync(user, service.Subscriptions.First());
// Act & Assert.
Assert.Equal(0, user.SecurityPolicies.Count);
service.Mocks.UserPoliciesSubscription.Verify(s => s.OnUnsubscribeAsync(It.IsAny <UserSecurityPolicySubscriptionContext>()), Times.Once);
service.MockEntitiesContext.Verify(c => c.SaveChangesAsync(), Times.Once);
service.MockUserSecurityPolicies.Verify(p => p.Remove(It.IsAny <UserSecurityPolicy>()), Times.Exactly(2));
}
public async Task SubscribeAsync_DoesNotAddSubscriptionPoliciesIfAlreadySubscribed()
{
// Arrange.
var service = new TestSecurityPolicyService();
var user = new User("testUser");
var subscription = service.Mocks.Subscription.Object;
foreach (var policy in subscription.Policies)
{
user.SecurityPolicies.Add(new UserSecurityPolicy(policy));
}
Assert.Equal(2, user.SecurityPolicies.Count);
// Act.
await service.SubscribeAsync(user, service.UserSubscriptions.First());
// Act & Assert.
Assert.Equal(2, user.SecurityPolicies.Count);
service.Mocks.VerifySubscriptionPolicies(user.SecurityPolicies);
service.Mocks.Subscription.Verify(s => s.OnSubscribeAsync(It.IsAny <UserSecurityPolicySubscriptionContext>()), Times.Never);
service.MockEntitiesContext.Verify(c => c.SaveChangesAsync(), Times.Never);
}
private TestSecurityPolicyService CreateSecurityPolicyService()
{
var auditing = new Mock <IAuditingService>();
auditing.Setup(s => s.SaveAuditRecordAsync(It.IsAny <AuditRecord>())).Returns(Task.CompletedTask).Verifiable();
var diagnostics = new DiagnosticsService().GetSource(nameof(SecurePushSubscriptionFacts));
var diagnosticsService = new Mock <IDiagnosticsService>();
diagnosticsService.Setup(s => s.GetSource(It.IsAny <string>())).Returns(diagnostics);
var subscription = new SecurePushSubscription(auditing.Object, diagnosticsService.Object);
var service = new TestSecurityPolicyService(
mockAuditing: auditing,
userHandlers: new UserSecurityPolicyHandler[]
{
new RequireMinClientVersionForPushPolicy(),
new RequirePackageVerifyScopePolicy()
},
userSubscriptions: new[] { subscription });
return(service);
}
public async Task EvaluateAsync_WhenDefaultSecurityPolicyIsMetUserPolicyIsEvaluated(bool userPolicyMet)
{
// Arrange
var policyData = new TestUserSecurityPolicyData(policy1Result: true, policy2Result: userPolicyMet, defaultPolicy1Result: true, defaultPolicy2Result: true);
var configuration = new AppConfiguration()
{
EnforceDefaultSecurityPolicies = true
};
var service = new TestSecurityPolicyService(policyData, null, null, null, null, configuration);
var user = new User("testUser");
var subscription = service.Mocks.Subscription.Object;
user.SecurityPolicies = subscription.Policies.ToList();
// Act
var result = await service.EvaluateUserPoliciesAsync(SecurityPolicyAction.PackagePush, CreateHttpContext(user));
// Assert
Assert.Equal(userPolicyMet, result.Success);
// Default policies and user policies are evaluated
service.Mocks.MockPolicyHandler1.Verify(p => p.Evaluate(It.IsAny <UserSecurityPolicyEvaluationContext>()), Times.Exactly(2));
service.Mocks.MockPolicyHandler2.Verify(p => p.Evaluate(It.IsAny <UserSecurityPolicyEvaluationContext>()), Times.Exactly(2));
}