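/// <summary>
/// With <c>EnforceDefaultSecurityPolicies</c> switched on, a failing default policy must fail
/// the whole evaluation, name the default subscription in the error message, and leave
/// exactly one audit record behind.
/// </summary>
public async Task EvaluateAsync_WhenDefaultSecurityPolicyNotMetReturnFailure()
{
    // Arrange: both user policies pass; the second default policy is the only failing one.
    var policyData = new TestUserSecurityPolicyData(
        policy1Result: true,
        policy2Result: true,
        defaultPolicy1Result: true,
        defaultPolicy2Result: false);
    var configuration = new AppConfiguration { EnforceDefaultSecurityPolicies = true };
    var service = new TestSecurityPolicyService(policyData, null, null, null, null, configuration);

    var user = new User("testUser");
    user.SecurityPolicies = service.Mocks.Subscription.Object.Policies.ToList();

    // Act
    var result = await service.EvaluateUserPoliciesAsync(
        SecurityPolicyAction.PackagePush,
        CreateHttpContext(user));

    // Assert: the push is denied. Assert.False states the intent directly and gives a
    // clearer failure message than Assert.Equal(false, ...).
    Assert.False(result.Success);

    // The error tells the caller which subscription rejected the action.
    Assert.Contains(policyData.DefaultSubscription.Object.SubscriptionName, result.ErrorMessage);

    // The denial is audited exactly once.
    service.MockAuditingService.Verify(
        s => s.SaveAuditRecordAsync(It.IsAny<AuditRecord>()),
        Times.Once);

    // Each handler runs a single time, so presumably the user's own subscription is not
    // evaluated once the default policies have failed.
    service.Mocks.MockPolicyHandler1.Verify(
        p => p.Evaluate(It.IsAny<UserSecurityPolicyEvaluationContext>()),
        Times.Once);
    service.Mocks.MockPolicyHandler2.Verify(
        p => p.Evaluate(It.IsAny<UserSecurityPolicyEvaluationContext>()),
        Times.Once);
}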
/// <summary>
/// A handler registered for a different action (<c>ManagePackageOwners</c>) must not be
/// consulted when the action being evaluated is <c>PackagePush</c>, even though the user
/// carries a policy with that handler's name.
/// </summary>
public async Task EvaluateAsync_EvaluatesOnlyPoliciesRelevantToTheAction()
{
    // Arrange: the standard handlers plus one extra handler bound to another action.
    const string unrelatedPolicyName = "ExtraPolicy";
    var unrelatedHandler = new Mock<UserSecurityPolicyHandler>(
        unrelatedPolicyName,
        SecurityPolicyAction.ManagePackageOwners);

    var policyData = new TestUserSecurityPolicyData();
    var handlers = new List<UserSecurityPolicyHandler>(policyData.Handlers.Select(h => h.Object))
    {
        unrelatedHandler.Object
    };
    var service = new TestSecurityPolicyService(policyData, handlers);

    // The user holds the subscription's policies and the unrelated policy as well.
    var user = new User("testUser");
    var assignedPolicies = new List<UserSecurityPolicy>(service.Mocks.Subscription.Object.Policies)
    {
        new UserSecurityPolicy(unrelatedPolicyName, "ExtraSubscription")
    };
    user.SecurityPolicies = assignedPolicies;

    // Act
    var outcome = await service.EvaluateUserPoliciesAsync(
        SecurityPolicyAction.PackagePush,
        CreateHttpContext(user));

    // Assert: the evaluation succeeds and only the two standard handlers were run.
    Assert.True(outcome.Success);
    Assert.Null(outcome.ErrorMessage);

    service.Mocks.MockPolicyHandler1.Verify(
        p => p.Evaluate(It.IsAny<UserSecurityPolicyEvaluationContext>()),
        Times.Once);
    service.Mocks.MockPolicyHandler2.Verify(
        p => p.Evaluate(It.IsAny<UserSecurityPolicyEvaluationContext>()),
        Times.Once);
    unrelatedHandler.Verify(
        p => p.Evaluate(It.IsAny<UserSecurityPolicyEvaluationContext>()),
        Times.Never);
}
/// <summary>
/// A user with no security policies assigned is allowed through, and no handler is invoked.
/// This pins the "no policies means success" behaviour of the service.
/// </summary>
public async Task EvaluateAsync_ReturnsSuccessWithoutEvaluationIfNoPoliciesWereFound()
{
    // Arrange: the user is created without any SecurityPolicies being set.
    var service = new TestSecurityPolicyService();
    var userWithoutPolicies = new User("testUser");

    // Act
    var outcome = await service.EvaluateUserPoliciesAsync(
        SecurityPolicyAction.PackagePush,
        CreateHttpContext(userWithoutPolicies));

    // Assert: success with no error, and neither handler was ever asked to evaluate.
    Assert.True(outcome.Success);
    Assert.Null(outcome.ErrorMessage);

    service.Mocks.MockPolicyHandler1.Verify(
        p => p.Evaluate(It.IsAny<UserSecurityPolicyEvaluationContext>()),
        Times.Never);
    service.Mocks.MockPolicyHandler2.Verify(
        p => p.Evaluate(It.IsAny<UserSecurityPolicyEvaluationContext>()),
        Times.Never);
}
/// <summary>
/// When the first policy fails, the result is a failure; the second policy's expectation is
/// passed as <c>null</c> to the verification helper.
/// </summary>
public async Task EvaluateAsync_ReturnsNonSuccessAfterFirstFailure()
{
    // Arrange: policy 1 fails, policy 2 would pass if it were reached.
    var policyData = new TestUserSecurityPolicyData(policy1Result: false, policy2Result: true);
    var service = new TestSecurityPolicyService(policyData);

    var user = new User("testUser");
    user.SecurityPolicies = service.Mocks.Subscription.Object.Policies.ToList();

    // Act
    var outcome = await service.EvaluateUserPoliciesAsync(
        SecurityPolicyAction.PackagePush,
        CreateHttpContext(user));

    // Assert: delegated to the shared helper.
    // NOTE(review): expectedPolicy2: null presumably means "policy 2 was not evaluated";
    // confirm against VerifyPolicyEvaluation.
    service.Mocks.VerifyPolicyEvaluation(
        expectedPolicy1: false,
        expectedPolicy2: null,
        actual: outcome);
}
/// <summary>
/// Checks how many audit records are written for a given evaluation outcome.
/// </summary>
/// <param name="success">Result configured for both policies; also the expected overall result.</param>
/// <param name="times">Exact number of <c>SaveAuditRecordAsync</c> calls expected.</param>
public async Task EvaluateAsync_SavesAuditRecordsForSuccessAndFailureCases(bool success, int times)
{
    // Arrange: both policies return the same configured result.
    var policyData = new TestUserSecurityPolicyData(policy1Result: success, policy2Result: success);
    var service = new TestSecurityPolicyService(policyData);

    var user = new User("testUser");
    user.SecurityPolicies = service.Mocks.Subscription.Object.Policies.ToList();

    // Act
    var outcome = await service.EvaluateUserPoliciesAsync(
        SecurityPolicyAction.PackagePush,
        CreateHttpContext(user));

    // Assert: the outcome matches the configured result and the audit trail has the
    // expected number of entries.
    Assert.Equal(success, outcome.Success);
    service.MockAuditingService.Verify(
        s => s.SaveAuditRecordAsync(It.IsAny<AuditRecord>()),
        Times.Exactly(times));
}
/// <summary>
/// A user holding the subscription's policies, evaluated against a default-constructed test
/// service, succeeds with each handler evaluated exactly once.
/// </summary>
public async Task EvaluateAsync_ReturnsSuccessWithEvaluationIfPoliciesFoundAndMet()
{
    // Arrange
    var service = new TestSecurityPolicyService();

    var user = new User("testUser");
    user.SecurityPolicies = service.Mocks.Subscription.Object.Policies.ToList();

    // Act
    var outcome = await service.EvaluateUserPoliciesAsync(
        SecurityPolicyAction.PackagePush,
        CreateHttpContext(user));

    // Assert: success, no error text, and one evaluation per handler.
    Assert.True(outcome.Success);
    Assert.Null(outcome.ErrorMessage);

    service.Mocks.MockPolicyHandler1.Verify(
        p => p.Evaluate(It.IsAny<UserSecurityPolicyEvaluationContext>()),
        Times.Once);
    service.Mocks.MockPolicyHandler2.Verify(
        p => p.Evaluate(It.IsAny<UserSecurityPolicyEvaluationContext>()),
        Times.Once);
}
/// <summary>
/// Without default-policy enforcement, failing default policies do not affect the outcome:
/// only the user's own policies are evaluated and the action succeeds.
/// </summary>
public async Task EvaluateAsync_WhenEnforceDefaultSecurityPoliciesIsFalseDefaultPolicyNotEvaluated()
{
    // Arrange: user policies pass, both default policies are set up to fail.
    var policyData = new TestUserSecurityPolicyData(
        policy1Result: true,
        policy2Result: true,
        defaultPolicy1Result: false,
        defaultPolicy2Result: false);

    // No configuration is passed to the service here.
    // NOTE(review): this relies on the test service leaving EnforceDefaultSecurityPolicies
    // off when no configuration is supplied; confirm in TestSecurityPolicyService.
    var service = new TestSecurityPolicyService(policyData);

    var user = new User("testUser");
    user.SecurityPolicies = service.Mocks.Subscription.Object.Policies.ToList();

    // Act
    var outcome = await service.EvaluateUserPoliciesAsync(
        SecurityPolicyAction.PackagePush,
        CreateHttpContext(user));

    // Assert: success despite the failing defaults, with a single evaluation per handler.
    Assert.True(outcome.Success);
    Assert.Null(outcome.ErrorMessage);

    service.Mocks.MockPolicyHandler1.Verify(
        p => p.Evaluate(It.IsAny<UserSecurityPolicyEvaluationContext>()),
        Times.Once);
    service.Mocks.MockPolicyHandler2.Verify(
        p => p.Evaluate(It.IsAny<UserSecurityPolicyEvaluationContext>()),
        Times.Once);
}
/// <summary>
/// With default-policy enforcement on and the default policies satisfied, the user's own
/// policies are still evaluated and decide the final result.
/// </summary>
/// <param name="userPolicyMet">Result configured for the user's second policy; also the expected overall result.</param>
public async Task EvaluateAsync_WhenDefaultSecurityPolicyIsMetUserPolicyIsEvaluated(bool userPolicyMet)
{
    // Arrange: defaults pass; the user's second policy is the variable under test.
    var policyData = new TestUserSecurityPolicyData(
        policy1Result: true,
        policy2Result: userPolicyMet,
        defaultPolicy1Result: true,
        defaultPolicy2Result: true);
    var configuration = new AppConfiguration { EnforceDefaultSecurityPolicies = true };
    var service = new TestSecurityPolicyService(policyData, null, null, null, null, configuration);

    var user = new User("testUser");
    user.SecurityPolicies = service.Mocks.Subscription.Object.Policies.ToList();

    // Act
    var outcome = await service.EvaluateUserPoliciesAsync(
        SecurityPolicyAction.PackagePush,
        CreateHttpContext(user));

    // Assert: passing defaults do not short-circuit the user's policies.
    Assert.Equal(userPolicyMet, outcome.Success);

    // Each handler is hit twice: once for the default policies, once for the user's.
    service.Mocks.MockPolicyHandler1.Verify(
        p => p.Evaluate(It.IsAny<UserSecurityPolicyEvaluationContext>()),
        Times.Exactly(2));
    service.Mocks.MockPolicyHandler2.Verify(
        p => p.Evaluate(It.IsAny<UserSecurityPolicyEvaluationContext>()),
        Times.Exactly(2));
}