public PolicyVerificationParameters(ClaimsPrincipal user, Operation operation, string stream, StorageMessage.EffectiveAcl streamAcl, bool isAuthorized, bool shouldRequestAcl)
{
User = user;
Operation = operation;
Stream = stream;
StreamAcl = streamAcl;
IsAuthorized = isAuthorized;
ShouldRequestAcl = shouldRequestAcl;
}
public void ExpectedAcl(string stream, StorageMessage.EffectiveAcl acl)
{
MessageReceived = false;
if (stream == null)
{
return;
}
_expectedStream = SystemStreams.IsMetastream(stream) ? SystemStreams.OriginalStreamOf(stream) : stream;
_acl = acl;
}
public static IEnumerable <PolicyVerificationParameters> PolicyTests()
{
StorageMessage.EffectiveAcl systemStreamPermission = new StorageMessage.EffectiveAcl(
SystemSettings.Default.SystemStreamAcl,
SystemSettings.Default.SystemStreamAcl,
SystemSettings.Default.SystemStreamAcl
);
StorageMessage.EffectiveAcl defaultUseruserStreamPermission = new StorageMessage.EffectiveAcl(
SystemSettings.Default.UserStreamAcl,
SystemSettings.Default.UserStreamAcl,
SystemSettings.Default.UserStreamAcl
);
StorageMessage.EffectiveAcl userStreamPermission = new StorageMessage.EffectiveAcl(
new StreamAcl("test", "test", "test", "test", "test"),
SystemSettings.Default.UserStreamAcl,
SystemSettings.Default.UserStreamAcl
);
ClaimsPrincipal admin = CreatePrincipal("admin", SystemRoles.Admins);
ClaimsPrincipal userAdmin = CreatePrincipal("adminuser", SystemRoles.Admins);
ClaimsPrincipal ops = CreatePrincipal("ops", SystemRoles.Operations);
ClaimsPrincipal userOps = CreatePrincipal("opsuser", SystemRoles.Operations);
ClaimsPrincipal user1 = CreatePrincipal("test");
ClaimsPrincipal user2 = CreatePrincipal("test2");
ClaimsPrincipal userSystem = SystemAccounts.System;
var admins = new[] { admin, userAdmin };
var operations = new[] { ops, userOps };
var users = new[] { user1, user2 };
var system = new[] { userSystem };
var anonymous = new[] { new ClaimsPrincipal(), new ClaimsPrincipal(new ClaimsIdentity(new Claim[] { new Claim(ClaimTypes.Anonymous, ""), })), };
foreach (var user in system)
{
foreach (var operation in SystemOperations())
{
yield return(new PolicyVerificationParameters(user,
operation.Item1, operation.Item2, operation.Item3,
true,
false
));
}
}
foreach (var user in admins)
{
foreach (var operation in SystemOperations())
{
yield return(new PolicyVerificationParameters(user,
operation.Item1, operation.Item2, operation.Item3,
false,
false
));
}
foreach (var operation in AdminOperations())
{
yield return(new PolicyVerificationParameters(user,
operation.Item1, operation.Item2, operation.Item3,
true,
false
));
}
foreach (var operation in OpsOperations())
{
yield return(new PolicyVerificationParameters(user,
operation.Item1, operation.Item2, operation.Item3,
true,
false
));
}
foreach (var operation in UserOperations())
{
yield return(new PolicyVerificationParameters(user,
operation.Item1, operation.Item2, operation.Item3,
true,
false
));
}
foreach (var operation in AuthenticatedOperations())
{
yield return(new PolicyVerificationParameters(user,
operation.Item1, operation.Item2, operation.Item3,
true,
false
));
}
foreach (var operation in AnonymousOperations())
{
yield return(new PolicyVerificationParameters(user,
operation.Item1, operation.Item2, operation.Item3,
true,
false
));
}
}
foreach (var user in operations)
{
foreach (var operation in SystemOperations())
{
yield return(new PolicyVerificationParameters(user,
operation.Item1, operation.Item2, operation.Item3,
false,
false
));
}
foreach (var operation in AdminOperations())
{
yield return(new PolicyVerificationParameters(user,
operation.Item1, operation.Item2, operation.Item3,
false,
operation.Item3 != null
));
}
foreach (var operation in OpsOperations())
{
yield return(new PolicyVerificationParameters(user,
operation.Item1, operation.Item2, operation.Item3,
true,
false
));
}
foreach (var operation in UserOperations())
{
yield return(new PolicyVerificationParameters(user,
operation.Item1, operation.Item2, operation.Item3,
operation.Item2 == null || operation.Item3 == defaultUseruserStreamPermission,
operation.Item2 != null
));
}
foreach (var operation in AuthenticatedOperations())
{
yield return(new PolicyVerificationParameters(user,
operation.Item1, operation.Item2, operation.Item3,
true,
operation.Item2 != null
));
}
foreach (var operation in AnonymousOperations())
{
yield return(new PolicyVerificationParameters(user,
operation.Item1, operation.Item2, operation.Item3,
true,
operation.Item2 != null
));
}
}
foreach (var user in users)
{
foreach (var operation in SystemOperations())
{
yield return(new PolicyVerificationParameters(user,
operation.Item1, operation.Item2, operation.Item3,
false,
false
));
}
foreach (var operation in AdminOperations())
{
yield return(new PolicyVerificationParameters(user,
operation.Item1, operation.Item2, operation.Item3,
false,
operation.Item3 != null
));
}
foreach (var operation in OpsOperations())
{
yield return(new PolicyVerificationParameters(user,
operation.Item1, operation.Item2, operation.Item3,
false,
false
));
}
foreach (var operation in UserOperations())
{
yield return(new PolicyVerificationParameters(user,
operation.Item1, operation.Item2, operation.Item3,
operation.Item2 == null || user.Identity.Name != "test2" || operation.Item3 == defaultUseruserStreamPermission,
operation.Item3 != null
));
}
foreach (var operation in AuthenticatedOperations())
{
yield return(new PolicyVerificationParameters(user,
operation.Item1, operation.Item2, operation.Item3,
true,
operation.Item3 != null
));
}
foreach (var operation in AnonymousOperations())
{
yield return(new PolicyVerificationParameters(user,
operation.Item1, operation.Item2, operation.Item3,
true,
operation.Item3 != null
));
}
}
foreach (var user in anonymous)
{
foreach (var operation in SystemOperations())
{
yield return(new PolicyVerificationParameters(user,
operation.Item1, operation.Item2, operation.Item3,
false,
false
));
}
foreach (var operation in AdminOperations())
{
yield return(new PolicyVerificationParameters(user,
operation.Item1, operation.Item2, operation.Item3,
false,
operation.Item3 != null
));
}
foreach (var operation in OpsOperations())
{
yield return(new PolicyVerificationParameters(user,
operation.Item1, operation.Item2, operation.Item3,
false,
operation.Item3 != null
));
}
foreach (var operation in UserOperations())
{
yield return(new PolicyVerificationParameters(user,
operation.Item1, operation.Item2, operation.Item3,
false,
false
));
}
foreach (var operation in AuthenticatedOperations())
{
yield return(new PolicyVerificationParameters(user,
operation.Item1, operation.Item2, operation.Item3,
false,
false
));
}
foreach (var operation in AnonymousOperations())
{
yield return(new PolicyVerificationParameters(user,
operation.Item1, operation.Item2, operation.Item3,
true,
operation.Item3 != null
));
}
}
IEnumerable <(Operation, string, StorageMessage.EffectiveAcl)> SystemOperations()
{
yield return(CreateOperation(Operations.Node.Gossip.Update));
yield return(CreateOperation(Operations.Node.Elections.Prepare));
yield return(CreateOperation(Operations.Node.Elections.PrepareOk));
yield return(CreateOperation(Operations.Node.Elections.ViewChange));
yield return(CreateOperation(Operations.Node.Elections.ViewChangeProof));
yield return(CreateOperation(Operations.Node.Elections.Proposal));
yield return(CreateOperation(Operations.Node.Elections.Accept));
yield return(CreateOperation(Operations.Node.Elections.LeaderIsResigning));
yield return(CreateOperation(Operations.Node.Elections.LeaderIsResigningOk));
}
IEnumerable <(Operation, string, StorageMessage.EffectiveAcl)> AdminOperations()
{
yield return(new Operation(Operations.Streams.Read).WithParameter(
Operations.Streams.Parameters.StreamId("$$$scavenge")),
"$$$scavenge",
systemStreamPermission);
yield return(CreateOperation(Operations.Projections.Restart));
}
IEnumerable <(Operation, string, StorageMessage.EffectiveAcl)> OpsOperations()
{
yield return(CreateOperation(Operations.Node.Information.Subsystems));
yield return(CreateOperation(Operations.Node.Shutdown));
yield return(CreateOperation(Operations.Node.Scavenge.Start));
yield return(CreateOperation(Operations.Node.Scavenge.Stop));
yield return(CreateOperation(Operations.Node.MergeIndexes));
yield return(CreateOperation(Operations.Node.SetPriority));
yield return(CreateOperation(Operations.Node.Resign));
yield return(CreateOperation(Operations.Subscriptions.Create));
yield return(CreateOperation(Operations.Subscriptions.Update));
yield return(CreateOperation(Operations.Subscriptions.Delete));
yield return(CreateOperation(Operations.Node.Information.Histogram));
yield return(CreateOperation(Operations.Node.Information.Options));
yield return(new Operation(Operations.Subscriptions.ReplayParked).WithParameter(Operations.Subscriptions.Parameters.StreamId(_streamWithCustomPermissions)), _streamWithCustomPermissions, null);
yield return(new Operation(Operations.Subscriptions.ReplayParked).WithParameter(Operations.Subscriptions.Parameters.StreamId(_streamWithDefaultPermissions)), _streamWithDefaultPermissions, null);
yield return(CreateOperation(Operations.Projections.UpdateConfiguration));
yield return(CreateOperation(Operations.Projections.ReadConfiguration));
yield return(CreateOperation(Operations.Projections.Delete));
}
IEnumerable <(Operation, string, StorageMessage.EffectiveAcl)> UserOperations()
{
yield return(new Operation(Operations.Subscriptions.ProcessMessages).WithParameter(Operations.Subscriptions.Parameters.StreamId(_streamWithCustomPermissions)), _streamWithCustomPermissions, userStreamPermission);
yield return(new Operation(Operations.Subscriptions.ProcessMessages).WithParameter(Operations.Subscriptions.Parameters.StreamId(_streamWithDefaultPermissions)), _streamWithDefaultPermissions, defaultUseruserStreamPermission);
yield return(CreateOperation(Operations.Projections.List));
yield return(CreateOperation(Operations.Projections.Abort));
yield return(CreateOperation(Operations.Projections.Create));
yield return(CreateOperation(Operations.Projections.DebugProjection));
yield return(CreateOperation(Operations.Projections.Disable));
yield return(CreateOperation(Operations.Projections.Enable));
yield return(CreateOperation(Operations.Projections.Read));
yield return(CreateOperation(Operations.Projections.Reset));
yield return(CreateOperation(Operations.Projections.Update));
yield return(CreateOperation(Operations.Projections.State));
yield return(CreateOperation(Operations.Projections.Status));
yield return(CreateOperation(Operations.Projections.Statistics));
}
IEnumerable <(Operation, string, StorageMessage.EffectiveAcl)> AuthenticatedOperations()
{
yield return(CreateOperation(Operations.Subscriptions.Statistics));
yield return(CreateOperation(Operations.Projections.List));
}
IEnumerable <(Operation, string, StorageMessage.EffectiveAcl)> AnonymousOperations()
{
yield return(CreateOperation(Operations.Node.Redirect));
yield return(CreateOperation(Operations.Node.StaticContent));
yield return(CreateOperation(Operations.Node.Ping));
yield return(CreateOperation(Operations.Node.Options));
yield return(CreateOperation(Operations.Node.Information.Read));
yield return(CreateOperation(Operations.Node.Information.Read));
yield return(CreateOperation(Operations.Node.Statistics.Read));
yield return(CreateOperation(Operations.Node.Statistics.Replication));
yield return(CreateOperation(Operations.Node.Statistics.Tcp));
yield return(CreateOperation(Operations.Node.Statistics.Custom));
yield return(CreateOperation(Operations.Node.Gossip.Read));
yield return(new Operation(Operations.Streams.Read).WithParameter(
Operations.Streams.Parameters.StreamId(_streamWithDefaultPermissions)),
_streamWithDefaultPermissions, defaultUseruserStreamPermission);
}
(Operation, string, StorageMessage.EffectiveAcl) CreateOperation(OperationDefinition def)
{
return(new Operation(def), null, null);
}
ClaimsPrincipal CreatePrincipal(string name, params string[] roles)
{
var claims =
(new[] { new Claim(ClaimTypes.Name, name) }).Concat(roles.Select(x => new Claim(ClaimTypes.Role, x)));
return(new ClaimsPrincipal(new ClaimsIdentity(claims)));
}
}
