private Task <SecurityPolicyResult> EvaluateAsync(string minProtocolVersions, string actualClientVersion, string actualProtocolVersion)
        {
            var headers = new NameValueCollection();

            if (!string.IsNullOrEmpty(actualClientVersion))
            {
                headers[Constants.ClientVersionHeaderName] = actualClientVersion;
            }

            if (!string.IsNullOrEmpty(actualProtocolVersion))
            {
                headers[Constants.NuGetProtocolHeaderName] = actualProtocolVersion;
            }

            var httpRequest = new Mock <HttpRequestBase>();

            httpRequest.Setup(r => r.Headers).Returns(headers);

            var httpContext = new Mock <HttpContextBase>();

            httpContext.Setup(c => c.Request).Returns(httpRequest.Object);

            var policies = minProtocolVersions.Split(',').Select(
                v => RequireMinProtocolVersionForPushPolicy.CreatePolicy("Subscription", new NuGetVersion(v))
                ).ToArray();
            var context = new UserSecurityPolicyEvaluationContext(policies, httpContext.Object);

            return(new RequireMinProtocolVersionForPushPolicy().EvaluateAsync(context));
        }
Esempio n. 2
0
        /// <summary>
        /// Evaluate if this security policy is met.
        /// </summary>
        public override Task <SecurityPolicyResult> EvaluateAsync(UserSecurityPolicyEvaluationContext context)
        {
            if (context == null)
            {
                throw new ArgumentNullException(nameof(context));
            }

            var minProtocolVersion = GetMaxOfMinProtocolVersions(context);

            // Do we have X-NuGet-Protocol-Version header?
            var protocolVersion = GetProtocolVersion(context);

            if (protocolVersion == null)
            {
                // Do we have X-NuGet-Client-Version header? This header is DEPRECATED, and here for backwards compatibility!
                protocolVersion = GetClientVersion(context);
            }

            if (protocolVersion == null || protocolVersion < minProtocolVersion)
            {
                return(Task.FromResult(SecurityPolicyResult.CreateErrorResult(string.Format(CultureInfo.CurrentCulture,
                                                                                            ServicesStrings.SecurityPolicy_RequireMinProtocolVersionForPush, minProtocolVersion))));
            }

            return(Task.FromResult(SecurityPolicyResult.SuccessResult));
        }
Esempio n. 3
0
        /// <summary>
        /// Evaluate if this security policy is met.
        /// </summary>
        public override SecurityPolicyResult Evaluate(UserSecurityPolicyEvaluationContext context)
        {
            if (context == null)
            {
                throw new ArgumentNullException(nameof(context));
            }

            var minClientVersion = GetMaxOfMinClientVersions(context);

            // Do we have X-NuGet-Protocol-Version header?
            var protocolVersion = GetProtocolVersion(context);

            if (protocolVersion == null)
            {
                // Do we have X-NuGet-Client-Version header?
                protocolVersion = GetClientVersion(context);
            }

            if (protocolVersion == null || protocolVersion < minClientVersion)
            {
                return(SecurityPolicyResult.CreateErrorResult(string.Format(CultureInfo.CurrentCulture,
                                                                            Strings.SecurityPolicy_RequireMinProtocolVersionForPush, minClientVersion)));
            }

            return(SecurityPolicyResult.SuccessResult);
        }
Esempio n. 4
0
            private Task <SecurityPolicyResult> EvaluateAsync(string userTenantId)
            {
                var credentialBuilder = new CredentialBuilder();
                var fakes             = new Fakes();

                if (!string.IsNullOrEmpty(userTenantId))
                {
                    fakes.User.Credentials.Add(
                        credentialBuilder.CreateExternalCredential(
                            issuer: "AzureActiveDirectory",
                            value: "value",
                            identity: "identity",
                            tenantId: userTenantId));
                }

                foreach (var policy in RequireOrganizationTenantPolicy.Create(TenantId).Policies)
                {
                    fakes.Organization.SecurityPolicies.Add(policy);
                }

                var context = new UserSecurityPolicyEvaluationContext(
                    fakes.Organization.SecurityPolicies,
                    sourceAccount: fakes.Organization,
                    targetAccount: fakes.User
                    );

                return(RequireOrganizationTenantPolicy
                       .Create()
                       .EvaluateAsync(context));
            }
        private Task <SecurityPolicyResult> EvaluateAsync(string scopes)
        {
            var identity = AuthenticationService.CreateIdentity(
                new User("testUser"),
                AuthenticationTypes.ApiKey,
                new Claim(NuGetClaims.ApiKey, string.Empty));

            if (!string.IsNullOrEmpty(scopes))
            {
                identity.AddClaim(new Claim(NuGetClaims.Scope, scopes));
            }

            var principal = new Mock <IPrincipal>();

            principal.Setup(p => p.Identity).Returns(identity);

            var httpContext = new Mock <HttpContextBase>();

            httpContext.Setup(c => c.User).Returns(principal.Object);

            var context = new UserSecurityPolicyEvaluationContext(
                new UserSecurityPolicy[] { new UserSecurityPolicy("RequireApiKeyWithPackageVerifyScopePolicy", "Subscription") },
                httpContext.Object);

            return(new RequirePackageVerifyScopePolicy().EvaluateAsync(context));
        }
        /// <summary>
        /// In case of multiple, select the max of the minimum required client versions.
        /// </summary>
        private NuGetVersion GetMaxOfMinClientVersions(UserSecurityPolicyEvaluationContext context)
        {
            var policyStates = context.Policies
                               .Where(p => !string.IsNullOrEmpty(p.Value))
                               .Select(p => JsonConvert.DeserializeObject <State>(p.Value));

            return(policyStates.Max(s => s.MinClientVersion));
        }
Esempio n. 7
0
        /// <summary>
        /// Get the current protocol version from the request.
        /// </summary>
        private NuGetVersion GetProtocolVersion(UserSecurityPolicyEvaluationContext context)
        {
            var protocolVersionString = context.HttpContext.Request?.Headers[Constants.NuGetProtocolHeaderName];

            NuGetVersion protocolVersion;

            return(NuGetVersion.TryParse(protocolVersionString, out protocolVersion) ? protocolVersion : null);
        }
        /// <summary>
        /// Get the current client version from the request.
        /// </summary>
        private NuGetVersion GetClientVersion(UserSecurityPolicyEvaluationContext context)
        {
            var clientVersionString = context.HttpContext.Request?.Headers[Constants.ClientVersionHeaderName];

            NuGetVersion clientVersion;

            return(NuGetVersion.TryParse(clientVersionString, out clientVersion) ? clientVersion : null);
        }
Esempio n. 9
0
        /// <summary>
        /// Retrieve the policy state.
        /// </summary>
        private State GetState(UserSecurityPolicyEvaluationContext context)
        {
            var policyStates = context.Policies
                               .Where(p => !string.IsNullOrEmpty(p.Value))
                               .Select(p => JsonConvert.DeserializeObject <State>(p.Value));

            // TODO: what if there are multiple?
            return(policyStates.First());
        }
        public override Task <SecurityPolicyResult> EvaluateAsync(UserSecurityPolicyEvaluationContext context)
        {
            if (context == null)
            {
                throw new ArgumentNullException(nameof(context));
            }

            var identity = context.HttpContext.User.Identity;

            if (identity.HasExplicitScopeAction(NuGetScopes.PackageVerify))
            {
                return(Task.FromResult(SecurityPolicyResult.SuccessResult));
            }

            return(Task.FromResult(SecurityPolicyResult.CreateErrorResult(Strings.SecurityPolicy_RequireApiKeyWithPackageVerifyScope)));
        }
Esempio n. 11
0
        public override SecurityPolicyResult Evaluate(UserSecurityPolicyEvaluationContext context)
        {
            if (context == null)
            {
                throw new ArgumentNullException(nameof(context));
            }

            var identity = context.HttpContext.User.Identity;

            if (identity.HasPackageVerifyScopeClaim())
            {
                return(SecurityPolicyResult.SuccessResult);
            }

            return(SecurityPolicyResult.CreateErrorResult(Strings.SecurityPolicy_RequireApiKeyWithPackageVerifyScope));
        }
Esempio n. 12
0
        public override SecurityPolicyResult Evaluate(UserSecurityPolicyEvaluationContext context)
        {
            context = context ?? throw new ArgumentNullException(nameof(context));

            var state            = GetPolicyState(context);
            var targetAccount    = context.TargetAccount;
            var targetCredential = targetAccount.Credentials.GetAzureActiveDirectoryCredential();

            if (targetCredential == null ||
                !state.Tenant.Equals(targetCredential.TenantId, StringComparison.OrdinalIgnoreCase))
            {
                return(SecurityPolicyResult.CreateErrorResult(string.Format(CultureInfo.CurrentCulture,
                                                                            Strings.AddMember_UserDoesNotMeetOrganizationPolicy, targetAccount.Username)));
            }

            return(SecurityPolicyResult.SuccessResult);
        }
        /// <summary>
        /// Evaluate if this security policy is met.
        /// </summary>
        public override SecurityPolicyResult Evaluate(UserSecurityPolicyEvaluationContext context)
        {
            if (context == null)
            {
                throw new ArgumentNullException(nameof(context));
            }

            var minClientVersion = GetMaxOfMinClientVersions(context);

            var clientVersion = GetClientVersion(context);

            if (clientVersion == null || clientVersion < minClientVersion)
            {
                return(SecurityPolicyResult.CreateErrorResult(string.Format(CultureInfo.CurrentCulture,
                                                                            Strings.SecurityPolicy_RequireMinClientVersionForPush, minClientVersion)));
            }

            return(SecurityPolicyResult.SuccessResult);
        }
            private Task <SecurityPolicyResult> EvaluateAsync(string userTenantId)
            {
                var credentialBuilder = new CredentialBuilder();
                var fakes             = new Fakes();

                if (!string.IsNullOrEmpty(userTenantId))
                {
                    // We can only have a single AAD account, remove previous one if present.
                    var aadCredential = fakes.User.Credentials.Single(c => c.Type.Contains(CredentialTypes.External.AzureActiveDirectoryAccount));
                    if (aadCredential != null)
                    {
                        fakes.User.Credentials.Remove(aadCredential);
                    }

                    // Add the new AAD credential
                    fakes.User.Credentials.Add(
                        credentialBuilder.CreateExternalCredential(
                            issuer: "AzureActiveDirectory",
                            value: "value",
                            identity: "identity",
                            tenantId: userTenantId));
                }

                foreach (var policy in RequireOrganizationTenantPolicy.Create(TenantId).Policies)
                {
                    fakes.Organization.SecurityPolicies.Add(policy);
                }

                var context = new UserSecurityPolicyEvaluationContext(
                    fakes.Organization.SecurityPolicies,
                    sourceAccount: fakes.Organization,
                    targetAccount: fakes.User
                    );

                return(RequireOrganizationTenantPolicy
                       .Create()
                       .EvaluateAsync(context));
            }
        private async Task <SecurityPolicyResult> EvaluateInternalAsync(
            SecurityPolicyAction action,
            IEnumerable <UserSecurityPolicy> policies,
            User sourceAccount,
            User targetAccount,
            HttpContextBase httpContext = null,
            bool auditSuccess           = true)
        {
            var relevantHandlers = UserHandlers.Where(h => h.Action == action).ToList();

            foreach (var handler in relevantHandlers)
            {
                var foundPolicies = policies.Where(p => p.Name.Equals(handler.Name, StringComparison.OrdinalIgnoreCase)).ToList();

                if (foundPolicies.Any())
                {
                    var context = new UserSecurityPolicyEvaluationContext(foundPolicies, sourceAccount, targetAccount, httpContext);
                    var result  = await handler.EvaluateAsync(context);

                    if (auditSuccess || !result.Success)
                    {
                        await Auditing.SaveAuditRecordAsync(new UserSecurityPolicyAuditRecord(
                                                                context.TargetAccount.Username, GetAuditAction(action), foundPolicies, result.Success, result.ErrorMessage));
                    }

                    if (!result.Success)
                    {
                        Diagnostics.Information(
                            $"Security policy from subscription '{foundPolicies.First().Subscription}' - '{handler.Name}' failed with error '{result.ErrorMessage}'.");

                        return(result);
                    }
                }
            }

            return(SecurityPolicyResult.SuccessResult);
        }
Esempio n. 16
0
 public abstract SecurityPolicyResult Evaluate(UserSecurityPolicyEvaluationContext context);
Esempio n. 17
0
 private static State GetPolicyState(UserSecurityPolicyEvaluationContext context)
 {
     return(context.Policies
            .Select(p => JsonConvert.DeserializeObject <State>(p.Value))
            .FirstOrDefault());
 }
Esempio n. 18
0
 public override SecurityPolicyResult Evaluate(UserSecurityPolicyEvaluationContext context)
 {
     return(SecurityPolicyResult.SuccessResult);
 }
 public override Task <SecurityPolicyResult> EvaluateAsync(UserSecurityPolicyEvaluationContext context)
 {
     throw new NotImplementedException();  // Not used.
 }