private Task <SecurityPolicyResult> EvaluateAsync(string minProtocolVersions, string actualClientVersion, string actualProtocolVersion)
{
var headers = new NameValueCollection();
if (!string.IsNullOrEmpty(actualClientVersion))
{
headers[Constants.ClientVersionHeaderName] = actualClientVersion;
}
if (!string.IsNullOrEmpty(actualProtocolVersion))
{
headers[Constants.NuGetProtocolHeaderName] = actualProtocolVersion;
}
var httpRequest = new Mock <HttpRequestBase>();
httpRequest.Setup(r => r.Headers).Returns(headers);
var httpContext = new Mock <HttpContextBase>();
httpContext.Setup(c => c.Request).Returns(httpRequest.Object);
var policies = minProtocolVersions.Split(',').Select(
v => RequireMinProtocolVersionForPushPolicy.CreatePolicy("Subscription", new NuGetVersion(v))
).ToArray();
var context = new UserSecurityPolicyEvaluationContext(policies, httpContext.Object);
return(new RequireMinProtocolVersionForPushPolicy().EvaluateAsync(context));
}
/// <summary>
/// Evaluate if this security policy is met.
/// </summary>
public override Task <SecurityPolicyResult> EvaluateAsync(UserSecurityPolicyEvaluationContext context)
{
if (context == null)
{
throw new ArgumentNullException(nameof(context));
}
var minProtocolVersion = GetMaxOfMinProtocolVersions(context);
// Do we have X-NuGet-Protocol-Version header?
var protocolVersion = GetProtocolVersion(context);
if (protocolVersion == null)
{
// Do we have X-NuGet-Client-Version header? This header is DEPRECATED, and here for backwards compatibility!
protocolVersion = GetClientVersion(context);
}
if (protocolVersion == null || protocolVersion < minProtocolVersion)
{
return(Task.FromResult(SecurityPolicyResult.CreateErrorResult(string.Format(CultureInfo.CurrentCulture,
ServicesStrings.SecurityPolicy_RequireMinProtocolVersionForPush, minProtocolVersion))));
}
return(Task.FromResult(SecurityPolicyResult.SuccessResult));
}
/// <summary>
/// Evaluate if this security policy is met.
/// </summary>
public override SecurityPolicyResult Evaluate(UserSecurityPolicyEvaluationContext context)
{
if (context == null)
{
throw new ArgumentNullException(nameof(context));
}
var minClientVersion = GetMaxOfMinClientVersions(context);
// Do we have X-NuGet-Protocol-Version header?
var protocolVersion = GetProtocolVersion(context);
if (protocolVersion == null)
{
// Do we have X-NuGet-Client-Version header?
protocolVersion = GetClientVersion(context);
}
if (protocolVersion == null || protocolVersion < minClientVersion)
{
return(SecurityPolicyResult.CreateErrorResult(string.Format(CultureInfo.CurrentCulture,
Strings.SecurityPolicy_RequireMinProtocolVersionForPush, minClientVersion)));
}
return(SecurityPolicyResult.SuccessResult);
}
private Task <SecurityPolicyResult> EvaluateAsync(string userTenantId)
{
var credentialBuilder = new CredentialBuilder();
var fakes = new Fakes();
if (!string.IsNullOrEmpty(userTenantId))
{
fakes.User.Credentials.Add(
credentialBuilder.CreateExternalCredential(
issuer: "AzureActiveDirectory",
value: "value",
identity: "identity",
tenantId: userTenantId));
}
foreach (var policy in RequireOrganizationTenantPolicy.Create(TenantId).Policies)
{
fakes.Organization.SecurityPolicies.Add(policy);
}
var context = new UserSecurityPolicyEvaluationContext(
fakes.Organization.SecurityPolicies,
sourceAccount: fakes.Organization,
targetAccount: fakes.User
);
return(RequireOrganizationTenantPolicy
.Create()
.EvaluateAsync(context));
}
private Task <SecurityPolicyResult> EvaluateAsync(string scopes)
{
var identity = AuthenticationService.CreateIdentity(
new User("testUser"),
AuthenticationTypes.ApiKey,
new Claim(NuGetClaims.ApiKey, string.Empty));
if (!string.IsNullOrEmpty(scopes))
{
identity.AddClaim(new Claim(NuGetClaims.Scope, scopes));
}
var principal = new Mock <IPrincipal>();
principal.Setup(p => p.Identity).Returns(identity);
var httpContext = new Mock <HttpContextBase>();
httpContext.Setup(c => c.User).Returns(principal.Object);
var context = new UserSecurityPolicyEvaluationContext(
new UserSecurityPolicy[] { new UserSecurityPolicy("RequireApiKeyWithPackageVerifyScopePolicy", "Subscription") },
httpContext.Object);
return(new RequirePackageVerifyScopePolicy().EvaluateAsync(context));
}
/// <summary>
/// In case of multiple, select the max of the minimum required client versions.
/// </summary>
private NuGetVersion GetMaxOfMinClientVersions(UserSecurityPolicyEvaluationContext context)
{
var policyStates = context.Policies
.Where(p => !string.IsNullOrEmpty(p.Value))
.Select(p => JsonConvert.DeserializeObject <State>(p.Value));
return(policyStates.Max(s => s.MinClientVersion));
}
/// <summary>
/// Get the current protocol version from the request.
/// </summary>
private NuGetVersion GetProtocolVersion(UserSecurityPolicyEvaluationContext context)
{
var protocolVersionString = context.HttpContext.Request?.Headers[Constants.NuGetProtocolHeaderName];
NuGetVersion protocolVersion;
return(NuGetVersion.TryParse(protocolVersionString, out protocolVersion) ? protocolVersion : null);
}
/// <summary>
/// Get the current client version from the request.
/// </summary>
private NuGetVersion GetClientVersion(UserSecurityPolicyEvaluationContext context)
{
var clientVersionString = context.HttpContext.Request?.Headers[Constants.ClientVersionHeaderName];
NuGetVersion clientVersion;
return(NuGetVersion.TryParse(clientVersionString, out clientVersion) ? clientVersion : null);
}
/// <summary>
/// Retrieve the policy state.
/// </summary>
private State GetState(UserSecurityPolicyEvaluationContext context)
{
var policyStates = context.Policies
.Where(p => !string.IsNullOrEmpty(p.Value))
.Select(p => JsonConvert.DeserializeObject <State>(p.Value));
// TODO: what if there are multiple?
return(policyStates.First());
}
public override Task <SecurityPolicyResult> EvaluateAsync(UserSecurityPolicyEvaluationContext context)
{
if (context == null)
{
throw new ArgumentNullException(nameof(context));
}
var identity = context.HttpContext.User.Identity;
if (identity.HasExplicitScopeAction(NuGetScopes.PackageVerify))
{
return(Task.FromResult(SecurityPolicyResult.SuccessResult));
}
return(Task.FromResult(SecurityPolicyResult.CreateErrorResult(Strings.SecurityPolicy_RequireApiKeyWithPackageVerifyScope)));
}
public override SecurityPolicyResult Evaluate(UserSecurityPolicyEvaluationContext context)
{
if (context == null)
{
throw new ArgumentNullException(nameof(context));
}
var identity = context.HttpContext.User.Identity;
if (identity.HasPackageVerifyScopeClaim())
{
return(SecurityPolicyResult.SuccessResult);
}
return(SecurityPolicyResult.CreateErrorResult(Strings.SecurityPolicy_RequireApiKeyWithPackageVerifyScope));
}
public override SecurityPolicyResult Evaluate(UserSecurityPolicyEvaluationContext context)
{
context = context ?? throw new ArgumentNullException(nameof(context));
var state = GetPolicyState(context);
var targetAccount = context.TargetAccount;
var targetCredential = targetAccount.Credentials.GetAzureActiveDirectoryCredential();
if (targetCredential == null ||
!state.Tenant.Equals(targetCredential.TenantId, StringComparison.OrdinalIgnoreCase))
{
return(SecurityPolicyResult.CreateErrorResult(string.Format(CultureInfo.CurrentCulture,
Strings.AddMember_UserDoesNotMeetOrganizationPolicy, targetAccount.Username)));
}
return(SecurityPolicyResult.SuccessResult);
}
/// <summary>
/// Evaluate if this security policy is met.
/// </summary>
public override SecurityPolicyResult Evaluate(UserSecurityPolicyEvaluationContext context)
{
if (context == null)
{
throw new ArgumentNullException(nameof(context));
}
var minClientVersion = GetMaxOfMinClientVersions(context);
var clientVersion = GetClientVersion(context);
if (clientVersion == null || clientVersion < minClientVersion)
{
return(SecurityPolicyResult.CreateErrorResult(string.Format(CultureInfo.CurrentCulture,
Strings.SecurityPolicy_RequireMinClientVersionForPush, minClientVersion)));
}
return(SecurityPolicyResult.SuccessResult);
}
private Task <SecurityPolicyResult> EvaluateAsync(string userTenantId)
{
var credentialBuilder = new CredentialBuilder();
var fakes = new Fakes();
if (!string.IsNullOrEmpty(userTenantId))
{
// We can only have a single AAD account, remove previous one if present.
var aadCredential = fakes.User.Credentials.Single(c => c.Type.Contains(CredentialTypes.External.AzureActiveDirectoryAccount));
if (aadCredential != null)
{
fakes.User.Credentials.Remove(aadCredential);
}
// Add the new AAD credential
fakes.User.Credentials.Add(
credentialBuilder.CreateExternalCredential(
issuer: "AzureActiveDirectory",
value: "value",
identity: "identity",
tenantId: userTenantId));
}
foreach (var policy in RequireOrganizationTenantPolicy.Create(TenantId).Policies)
{
fakes.Organization.SecurityPolicies.Add(policy);
}
var context = new UserSecurityPolicyEvaluationContext(
fakes.Organization.SecurityPolicies,
sourceAccount: fakes.Organization,
targetAccount: fakes.User
);
return(RequireOrganizationTenantPolicy
.Create()
.EvaluateAsync(context));
}
private async Task <SecurityPolicyResult> EvaluateInternalAsync(
SecurityPolicyAction action,
IEnumerable <UserSecurityPolicy> policies,
User sourceAccount,
User targetAccount,
HttpContextBase httpContext = null,
bool auditSuccess = true)
{
var relevantHandlers = UserHandlers.Where(h => h.Action == action).ToList();
foreach (var handler in relevantHandlers)
{
var foundPolicies = policies.Where(p => p.Name.Equals(handler.Name, StringComparison.OrdinalIgnoreCase)).ToList();
if (foundPolicies.Any())
{
var context = new UserSecurityPolicyEvaluationContext(foundPolicies, sourceAccount, targetAccount, httpContext);
var result = await handler.EvaluateAsync(context);
if (auditSuccess || !result.Success)
{
await Auditing.SaveAuditRecordAsync(new UserSecurityPolicyAuditRecord(
context.TargetAccount.Username, GetAuditAction(action), foundPolicies, result.Success, result.ErrorMessage));
}
if (!result.Success)
{
Diagnostics.Information(
$"Security policy from subscription '{foundPolicies.First().Subscription}' - '{handler.Name}' failed with error '{result.ErrorMessage}'.");
return(result);
}
}
}
return(SecurityPolicyResult.SuccessResult);
}
public abstract SecurityPolicyResult Evaluate(UserSecurityPolicyEvaluationContext context);
private static State GetPolicyState(UserSecurityPolicyEvaluationContext context)
{
return(context.Policies
.Select(p => JsonConvert.DeserializeObject <State>(p.Value))
.FirstOrDefault());
}
public override SecurityPolicyResult Evaluate(UserSecurityPolicyEvaluationContext context)
{
return(SecurityPolicyResult.SuccessResult);
}
public override Task <SecurityPolicyResult> EvaluateAsync(UserSecurityPolicyEvaluationContext context)
{
throw new NotImplementedException(); // Not used.
}
