public void Should_throw_when_the_user_does_not_have_the_role_Owner()
{
// Arrange
SecurityConfigurator.Configure(policy =>
{
policy.GetAuthenticationStatusFrom(StaticHelper.IsAuthenticatedReturnsTrue);
policy.GetRolesFrom(StaticHelper.GetRolesExcludingOwner);
policy.For <BlogController>(x => x.DeletePost(0)).RequireAnyRole(UserRole.Owner);
});
var securityHandler = new SecurityHandler();
// Act
var exception = Assert.Throws <PolicyViolationException>(() => securityHandler.HandleSecurityFor(NameHelper.Controller <BlogController>(), "DeletePost", SecurityContext.Current));
// Assert
Assert.That(exception.PolicyType, Is.EqualTo(typeof(RequireAnyRolePolicy)));
Assert.That(exception.Message, Does.Contain("Access requires one of the following roles: Owner."));
}
protected void Application_Start()
{
SecurityConfigurator.Configure(configuration =>
{
configuration.GetAuthenticationStatusFrom(() => HttpContext.Current.User.Identity.IsAuthenticated);
//Chamada para as configurações de segurança da aplicação
ControllersConfiguration.Configure(configuration);
//Chamada para as configurações de segurança das controllers especificas de autenticação/autorização
//Ex.: Criação e configuração de usuários, criação e configurações de roles
Core.Security.Authorization.SecurityControllers.ControllersConfiguration.Configure(configuration);
});
XmlConfigurator.Configure();
AreaRegistration.RegisterAllAreas();
FilterConfig.RegisterGlobalFilters(GlobalFilters.Filters);
RouteConfig.RegisterRoutes(RouteTable.Routes);
}
public void Should_not_throw_ConfigurationErrorsException_when_IgnoreMissingConfigurations_is_true()
{
// Arrange
var events = new List <ISecurityEvent>();
SecurityDoctor.Register(events.Add);
SecurityConfigurator.Configure(configuration =>
{
configuration.GetAuthenticationStatusFrom(StaticHelper.IsAuthenticatedReturnsTrue);
configuration.Advanced.IgnoreMissingConfiguration();
configuration.For <BlogController>(x => x.Index()).DenyAnonymousAccess();
});
var securityHandler = new SecurityHandler();
// Act & Assert
Assert.DoesNotThrow(() => securityHandler.HandleSecurityFor("NonConfiguredController", "Action", SecurityContext.Current));
Assert.That(events.Any(e => e.Message == "Ignoring missing configuration."));
}
public void Should_create_security_context_from_configuration()
{
// Arrange
const bool status = true;
var roles = new object[3];
SecurityConfigurator.Configure(c =>
{
c.GetAuthenticationStatusFrom(() => status);
c.GetRolesFrom(() => roles);
});
// Act
var context = SecurityContext.Current;
// Assert
Assert.That(context.Data, Is.TypeOf(typeof(ExpandoObject)));
Assert.That(context.CurrenUserAuthenticated(), Is.EqualTo(status));
Assert.That(context.CurrenUserRoles(), Is.EqualTo(roles));
}
public void Install(IWindsorContainer container, IConfigurationStore store)
{
SecurityConfigurator.Configure(configuration =>
{
configuration.ResolveServicesUsing(type => container.ResolveAll(type).OfType <object>());
// Let Fluent Security know how to get the authentication status of the current user
configuration.GetAuthenticationStatusFrom(() => UserManager.IsUserLogged);
configuration.ForAllControllers().DenyAnonymousAccess();
// This is where you set up the policies you want Fluent Security to enforce on your controllers and actions
configuration.For <HomeController>(x => x.Index()).Ignore();
//configuration.For<HomeController>(x => x.Test()).DenyAuthenticatedAccess();
configuration.For <AuthenticationController>().Ignore();
configuration.For <AuthenticationController>(x => x.Logoff()).DenyAnonymousAccess();
});
}
public static ISecurityConfiguration CreateSecurityConfiguration()
{
SecurityConfigurator.Configure(configuration =>
{
configuration.GetAuthenticationStatusFrom(() => false);
configuration.IgnoreMissingConfiguration();
configuration.For <SampleController>(x => x.Index()).DenyAuthenticatedAccess();
configuration.For <SampleController>(x => x.List()).DenyAnonymousAccess();
configuration.For <SampleController>(x => x.New()).RequireRole("Editor").AddPolicy(new DenyInternetExplorerPolicy());
configuration.For <AdminController>().DenyAnonymousAccess();
configuration.For <AdminController>(x => x.Login()).DenyAuthenticatedAccess();
configuration.For <AdminController>(x => x.NewUser()).RequireRole(UserRole.UserEditor);
configuration.For <IgnoreController>().Ignore();
});
return(SecurityConfiguration.Current);
}
public static void Configure()
{
SecurityConfigurator.Configure(configuration =>
{
// Let FluentSecurity know how to get the authentication status of the current user
configuration.GetAuthenticationStatusFrom(() => HttpContext.Current.User.Identity.IsAuthenticated);
configuration.IgnoreMissingConfiguration();
// This is where you set up the policies you want FluentSecurity to enforce on your controllers and actions
configuration.For <HomeController>().Ignore();
configuration.For <HomeController>().Ignore();
configuration.For <AccountController>().DenyAuthenticatedAccess();
// configuration.For<AccountController>(x => x.ChangePassword()).DenyAnonymousAccess();
// configuration.For<AccountController>(x => x.LogOff()).DenyAnonymousAccess();
// configuration.For<StoreController>().RequireRole(roles:)
});
GlobalFilters.Filters.Add(new HandleSecurityAttribute(), 0);
}
public static ISecurityConfiguration SetupFluentSecurity()
{
SecurityConfigurator.Configure(configuration =>
{
configuration.GetAuthenticationStatusFrom(Helpers.SecurityHelper.UserIsAuthenticated);
configuration.GetRolesFrom(Helpers.SecurityHelper.UserRoles);
configuration.ResolveServicesUsing(type =>
{
var results = new List <object>();
if (type == typeof(IPolicyViolationHandler))
{
results.Add(new DefaultPolicyViolationHandler());
}
return(results);
});
configuration.Advanced.ModifySecurityContext(context => context.Data.QueryString = HttpContext.Current.Request.QueryString);
configuration.For <HomeController>().Ignore();
configuration.For <AccountController>(x => x.LogInAsAdministrator()).DenyAuthenticatedAccess();
configuration.For <AccountController>(x => x.LogInAsPublisher()).DenyAuthenticatedAccess();
configuration.For <AccountController>(x => x.LogOut()).DenyAnonymousAccess();
configuration.For <ExampleController>(x => x.DenyAnonymousAccess()).DenyAnonymousAccess();
configuration.For <ExampleController>(x => x.DenyAuthenticatedAccess()).DenyAuthenticatedAccess();
configuration.For <ExampleController>(x => x.RequireAdministratorRole()).RequireRole(UserRole.Administrator);
configuration.For <ExampleController>(x => x.RequirePublisherRole()).RequireRole(UserRole.Publisher);
configuration.For <AdminController>().AddPolicy(new AdministratorPolicy());
configuration.For <AdminController>(x => x.Delete()).DelegatePolicy("LocalOnlyPolicy",
context => HttpContext.Current.Request.IsLocal
);
configuration.For <Areas.ExampleArea.Controllers.HomeController>().DenyAnonymousAccess();
configuration.For <Areas.ExampleArea.Controllers.HomeController>(x => x.PublishersOnly()).RequireRole(UserRole.Publisher);
configuration.For <Areas.ExampleArea.Controllers.HomeController>(x => x.AdministratorsOnly()).RequireRole(UserRole.Administrator);
});
return(SecurityConfiguration.Current);
}
public static ISecurityConfiguration CreateSecurityConfigurationWithTwoExpectations()
{
SecurityConfigurator.Configure(configuration =>
{
configuration.GetAuthenticationStatusFrom(() => false);
configuration.IgnoreMissingConfiguration();
configuration.For <SampleController>(x => x.Index());
configuration.For <SampleController>(x => x.List());
configuration.For <SampleController>(x => x.New()).RequireRole("Writer");
configuration.For <AdminController>();
configuration.For <AdminController>(x => x.Login());
configuration.For <IgnoreController>();
configuration.For <TestController>().Ignore();
});
return(SecurityConfiguration.Current);
}
public void Should_not_throw_when_instance_is_registered_in_an_external_IoC_container()
{
// Arrange
var expectedInstance = TestDataFactory.CreateSecurityContext(true);
FakeIoC.Reset();
FakeIoC.GetInstanceProvider = () => new List <object> {
expectedInstance
};
SecurityConfigurator.Configure(configuration =>
{
configuration.ResolveServicesUsing(FakeIoC.GetAllInstances, FakeIoC.GetInstance);
});
var serviceLocator = new ServiceLocator();
// Act
var instance = serviceLocator.Resolve <ISecurityContext>();
// Assert
Assert.That(instance, Is.EqualTo(expectedInstance));
}
public void Should_handle_loading_policy_from_container()
{
// Arrange
var expectedPolicy = new PolicyWithConstructorArguments("arg1", "arg2", "arg3");
FakeIoC.GetAllInstancesProvider = () => new List <object> {
expectedPolicy
};
SecurityConfigurator.Configure(configuration =>
{
configuration.GetAuthenticationStatusFrom(() => true);
configuration.ResolveServicesUsing(FakeIoC.GetAllInstances);
});
var lazySecurityPolicy = new LazySecurityPolicy <PolicyWithConstructorArguments>();
// Act
var policy = lazySecurityPolicy.Load();
// Assert
Assert.That(policy, Is.EqualTo(expectedPolicy));
}
public void Should_be_configured_base_actions()
{
// Arrange
var _expectations = new PolicyExpectations();
_expectations.For <HomeController>().Has <DenyAnonymousAccessPolicy>();
_expectations.For <Areas.ExampleArea.Controllers.BaseController>().Has(new RequireRolePolicy(UserRole.Administrator));
_expectations.For <Areas.ExampleArea.Controllers.RolesController>(p => p.Index()).Has(new RequireRolePolicy(UserRole.Administrator));
_expectations.For <Areas.ExampleArea.Controllers.RolesController>().Has(new RequireRolePolicy(UserRole.Administrator));
SecurityConfigurator.Configure(c => {
c.ForAllControllersInAssembly(typeof(HomeController).Assembly).DenyAnonymousAccess();
c.ForAllControllersInAssemblyThatInherit <Areas.ExampleArea.Controllers.BaseController>().RequireRole(UserRole.Administrator);
});
// Act
var results = _expectations.VerifyAll(SecurityConfiguration.Current);
// Assert
Assert.That(results.Valid(), results.ErrorMessages());
}
public void ConfigureServices(IServiceCollection services)
{
services.AddSingleton <IAuthorizationHandler, StatusAuthorizationHandler>();
services.AddMvc(options => options.Filters.Add(
new AuthorizeFilter(SecurityConfigurator.BuildUserPolicy()))
).SetCompatibilityVersion(CompatibilityVersion.Version_2_2);
services.AddCookieAuthenticationScheme();
services.AddAuthorization(options => {
options.AddAdministratorPolicy();
options.AddUserPolicy();
});
services.AddDbContext <ArticleLibraryContext>(options =>
options.UseLazyLoadingProxies()
.UseSqlServer(Configuration.GetConnectionString("WebArticle")));
services.AddSignalR();
}
public static void Configure()
{
SecurityConfigurator.Configure(configuration =>
{
configuration.GetAuthenticationStatusFrom(() => HttpContext.Current.User.Identity.IsAuthenticated);
configuration.GetRolesFrom(SecurityHelpers.UserRoles);
configuration.ForAllControllers().DenyAnonymousAccess();
configuration.For <AccountController>().Ignore();
configuration.For <AccountSignUpController>().Ignore();
configuration.For <PasswordRecoveryController>().Ignore();
configuration.For <PasswordResetController>().Ignore();
configuration.For <AccountController>(x => x.Confirmed("")).Ignore();
//configuration.For<DiskController>().RequireRole(new object[] { "User" });
configuration.For <RegisteredUsersListController>().RequireRole(new object[] { "Admin" });
configuration.For <PackageListController>().RequireRole(new object[] { "Admin" });
configuration.For <CreateEditPackageController>().RequireRole(new object[] { "Admin" });
configuration.For <ChangeUserSpaceLimitController>().RequireRole(new object[] { "Admin" });
configuration.ResolveServicesUsing(type =>
{
if (type == typeof(IPolicyViolationHandler))
{
var types = Assembly
.GetAssembly(typeof(MvcApplication))
.GetTypes()
.Where(x => typeof(IPolicyViolationHandler).IsAssignableFrom(x)).ToList();
var handlers = types.Select(t => Activator.CreateInstance(t) as IPolicyViolationHandler).ToList();
return(handlers);
}
return(Enumerable.Empty <object>());
});
});
}
public void Should_return_the_current_configuration()
{
var baseDirectory = AppDomain.CurrentDomain.BaseDirectory;
var fullFilePath = Path.Combine(baseDirectory, "TestData", "DiagnosticsOutputExample.txt");
var expectedOutput = File.ReadAllText(fullFilePath);
var securityConfiguration = new SecurityConfiguration(configuration =>
{
configuration.GetAuthenticationStatusFrom(StaticHelper.IsAuthenticatedReturnsFalse);
configuration.IgnoreMissingConfiguration();
configuration.For <BlogController>(x => x.DeletePost(0)).DenyAnonymousAccess().RequireRole(UserRole.Owner, UserRole.Publisher);
configuration.For <BlogController>(x => x.Index()).DenyAnonymousAccess();
});
SecurityConfigurator.SetConfiguration(securityConfiguration);
// Act
var whatIHave = securityConfiguration.WhatDoIHave();
// Assert
Assert.That(whatIHave, Is.EqualTo(expectedOutput));
}
public void Should_resolve_policy_violation_handler_for_exception_from_container()
{
// Arrange
var controllerName = NameHelper.Controller <BlogController>();
const string actionName = "Index";
var events = new List <ISecurityEvent>();
SecurityDoctor.Register(events.Add);
var expectedActionResult = new ViewResult {
ViewName = "SomeViewName"
};
var violationHandler = new DenyAnonymousAccessPolicyViolationHandler(expectedActionResult);
FakeIoC.GetAllInstancesProvider = () => new List <IPolicyViolationHandler>
{
violationHandler
};
SecurityConfigurator.Configure(policy =>
{
policy.ResolveServicesUsing(FakeIoC.GetAllInstances);
policy.GetAuthenticationStatusFrom(StaticHelper.IsAuthenticatedReturnsFalse);
policy.For <BlogController>(x => x.Index()).DenyAnonymousAccess();
});
var securityHandler = new SecurityHandler();
// Act
var result = securityHandler.HandleSecurityFor(controllerName, actionName, SecurityContext.Current);
// Assert
Assert.That(result, Is.EqualTo(expectedActionResult));
Assert.That(events.Any(e => e.Message == "Handling security for {0} action {1}.".FormatWith(controllerName, actionName)));
Assert.That(events.Any(e => e.Message == "Finding policy violation handler using convention {0}.".FormatWith(typeof(FindByPolicyNameConvention))));
Assert.That(events.Any(e => e.Message == "Found policy violation handler {0}.".FormatWith(violationHandler.GetType().FullName)));
Assert.That(events.Any(e => e.Message == "Handling violation with {0}.".FormatWith(violationHandler.GetType().FullName)));
Assert.That(events.Any(e => e.Message == "Done enforcing policies. Violation occured!"));
}
public void Should_not_throw_exception_when_the_user_is_authenticated()
{
// Arrange
var controllerName = NameHelper.Controller <BlogController>();
const string actionName = "Index";
var events = new List <ISecurityEvent>();
SecurityDoctor.Register(events.Add);
SecurityConfigurator.Configure(policy =>
{
policy.GetAuthenticationStatusFrom(StaticHelper.IsAuthenticatedReturnsTrue);
policy.For <BlogController>(x => x.Index()).DenyAnonymousAccess();
});
var securityHandler = new SecurityHandler();
// Act & Assert
Assert.DoesNotThrow(() => securityHandler.HandleSecurityFor(controllerName, actionName, SecurityContext.Current));
Assert.That(events.Any(e => e.Message == "Handling security for {0} action {1}.".FormatWith(controllerName, actionName)));
Assert.That(events.Any(e => e.Message == "Done enforcing policies. Success!"));
}
public void Should_enforce_lazy_policy_with_cache_key_exactly_twice_during_execution_with_caching_on()
{
// Arrange
var callsToContainer = 0;
var policy = new LazyLoadedPolicyWithCacheKey();
FakeIoC.GetAllInstancesProvider = () =>
{
callsToContainer++;
return(new List <object> {
policy
});
};
SecurityConfigurator.Configure(configuration =>
{
configuration.GetAuthenticationStatusFrom(TestDataFactory.ValidIsAuthenticatedFunction);
configuration.ResolveServicesUsing(FakeIoC.GetAllInstances);
configuration.Advanced.SetDefaultResultsCacheLifecycle(Cache.PerHttpRequest);
});
var context = new MockSecurityContext();
var policyContainer = new PolicyContainer(TestDataFactory.ValidControllerName, TestDataFactory.ValidActionName, TestDataFactory.CreateValidPolicyAppender());
policyContainer.AddPolicy <LazyLoadedPolicyWithCacheKey>();
// Act
policy.CacheKey = "101";
policyContainer.EnforcePolicies(context);
policyContainer.EnforcePolicies(context);
policyContainer.EnforcePolicies(context);
policy.CacheKey = "102";
policyContainer.EnforcePolicies(context);
policyContainer.EnforcePolicies(context);
// Assert
Assert.That(callsToContainer, Is.EqualTo(5));
Assert.That(policy.CacheKeyCallCount, Is.EqualTo(5), "Did not get the custom cache key the expected amount of times");
Assert.That(policy.EnforceCallCount, Is.EqualTo(2), "Did not call enforce the expected amount of times");
}
public static ISecurityConfiguration SetupFluentSecurity()
{
SecurityDoctor.Register(Events.Add);
SecurityConfigurator.Configure(configuration =>
{
configuration.Advanced.IgnoreMissingConfiguration();
configuration.GetAuthenticationStatusFrom(Helpers.SecurityHelper.UserIsAuthenticated);
configuration.GetRolesFrom(Helpers.SecurityHelper.UserRoles);
configuration.DefaultPolicyViolationHandlerIs(() => new DefaultPolicyViolationHandler());
configuration.Advanced.ModifySecurityContext(context => context.Data.QueryString = System.Web.HttpContext.Current.Request.QueryString);
configuration.For <HomeController>().Ignore();
configuration.For <AccountController>(x => x.LogInAsAdministrator()).DenyAuthenticatedAccess();
configuration.For <AccountController>(x => x.LogInAsPublisher()).DenyAuthenticatedAccess();
configuration.For <AccountController>(x => x.LogOut()).DenyAnonymousAccess();
configuration.For <ExampleController>(x => x.DenyAnonymousAccess()).DenyAnonymousAccess();
configuration.For <ExampleController>(x => x.DenyAuthenticatedAccess()).DenyAuthenticatedAccess();
configuration.For <ExampleController>(x => x.RequireAdministratorRole()).RequireAnyRole(UserRole.Administrator);
configuration.For <ExampleController>(x => x.RequirePublisherRole()).RequireAnyRole(UserRole.Publisher);
configuration.For <AdminController>().AddPolicy(new AdministratorPolicy());
configuration.For <AdminController>(x => x.Delete()).DelegatePolicy("LocalOnlyPolicy",
context => false//System.Web.HttpContext.Current.Request.IsLocal
);
configuration.Scan(scan =>
{
scan.AssembliesFromApplicationBaseDirectory();
scan.LookForProfiles();
});
configuration.ApplyProfile <CrudControllerProfile>();
});
return(SecurityConfiguration.Current);
}
public static ISecurityConfiguration SetFluentSecurity()
{
SecurityConfigurator.Configure(configue =>
{
//設定去那裡取得關於驗證訊息
configue.GetAuthenticationStatusFrom(IsUserAuthenticated);
configue.GetRolesFrom(UserRoles);
//所有頁面都可以瀏覽
configue.ForAllControllers().Ignore();
//Home/About 頁面一定要登入了才能進入
configue.For <HomeController>(hc => hc.About()).DenyAnonymousAccess();
//Home/Contact頁面一定要Role是User才能進入
configue.For <HomeController>(hc => hc.Contact()).RequireAnyRole("User");
//如果不符合Policy,預設傳回UnAuthorized。換句話說,重新導向登入頁面
//如果沒有加,預設是直接丟出exception
configue.DefaultPolicyViolationHandlerIs(() => new HttpUnauthorizedPolicyViolationHandler());
configue.ForAllControllersInNamespaceContainingType <FluentSecurityDemo.Areas.Admin.Controllers.AdminHomeController>()
.AddPolicy <AdminPolicy>();
//如果沒有加上這一行會鬼打牆,因為上面那一個說所有Area.Admin.Controllers都需要符合
//AdminPolicy,而下面又說如果不符合轉向到Account/Index,如果Account/Index不允許任何人
//進入,那麼就會進入無限回圈。
configue.For <FluentSecurityDemo.Areas.Admin.Controllers.AdminAccountController>()
.Ignore();
configue.Advanced.Violations(violation =>
{
violation.Of <AdminPolicy>().IsHandledBy(() => new AdminPolicyViolationHandler());
});
});
return(SecurityConfiguration.Current);
}
public static void Configure()
{
SecurityConfigurator.Configure(c =>
{
c.GetAuthenticationStatusFrom(() => HttpContext.Current.User.Identity.IsAuthenticated);
c.GetRolesFrom(() => (HttpContext.Current.Session["Roles"] as string[]));
// Blanket Deny All
c.ForAllControllers().DenyAnonymousAccess();
// Publicly Available Controllers
c.For <HomeController>().Ignore();
c.For <RegistrationsController>().Ignore();
c.For <LoginController>().Ignore();
// Only allow Admin To Create
c.For <ReservationsController>(x => x.Create())
.RequireRole(UserRoles.Admin.ToString());
c.For <ReservationsController>(x => x.Edit(""))
.RequireRole(UserRoles.Admin.ToString(), UserRoles.User.ToString());
c.For <ReservationsController>(x => x.Delete(""))
.RequireRole(UserRoles.Admin.ToString(), UserRoles.User.ToString());
});
}
public void SetUp()
{
// Arrange
_defaultPolicyAppender = TestDataFactory.CreateValidPolicyAppender();
_fakePolicyAppender = TestDataFactory.CreateFakePolicyAppender();
SecurityConfigurator.Reset();
// Act
SecurityConfigurator.Configure(configuration =>
{
configuration.GetAuthenticationStatusFrom(StaticHelper.IsAuthenticatedReturnsFalse);
configuration.GetRolesFrom(StaticHelper.GetRolesExcludingOwner);
configuration.SetPolicyAppender(_defaultPolicyAppender);
configuration.For <BlogController>(x => x.Index()).DenyAnonymousAccess();
configuration.SetPolicyAppender(_fakePolicyAppender);
configuration.For <BlogController>(x => x.AddPost()).RequireRole(UserRole.Writer, UserRole.Publisher, UserRole.Owner);
});
_policyContainers = SecurityConfiguration.Current.PolicyContainers;
}
public void Should_call_HandleSecurityFor_with_the_controllername_Blog_and_actionname_Index()
{
// Arrange
SecurityConfigurator.Configure(policy =>
{
policy.GetAuthenticationStatusFrom(StaticHelper.IsAuthenticatedReturnsTrue);
policy.For <BlogController>(x => x.Index()).DenyAnonymousAccess();
});
var securityHandler = MockRepository.GenerateMock <ISecurityHandler>();
securityHandler.Expect(x => x.HandleSecurityFor(typeof(BlogController).FullName, "Index")).Repeat.Once().Return(null);
securityHandler.Replay();
var handleSecurityAttribute = new HandleSecurityAttribute(securityHandler);
var filterContext = MvcHelpers.GetFilterContextFor <BlogController>(x => x.Index());
// Act
handleSecurityAttribute.OnActionExecuting(filterContext);
// Assert
Assert.That(filterContext.Result, Is.Null);
securityHandler.VerifyAllExpectations();
}
public void SetUp()
{
// Arrange
SecurityConfigurator.Reset();
_configurationExpression = delegate { TestDataFactory.CreateValidConfigurationExpression(); };
}
public void Should_not_throw_when_setting_the_modifyer_to_null()
{
Assert.DoesNotThrow(() => SecurityConfigurator.Configure(configuration => configuration.Advanced.ModifySecurityContext(null)));
}
public void SetUp()
{
SecurityConfigurator.Configure(configuration => {});
}
public static void SetupRoles()
{
SecurityConfigurator.Configure(configuration =>
{
configuration.GetAuthenticationStatusFrom(SecurityHelper.IsUserAuthenticated);
configuration.GetRolesFrom(SecurityHelper.GetUserRoles);
//configuration.ResolveServicesUsing(type =>
//{
// if (type == typeof (IPolicyViolationHandler))
// {
// return new List<IPolicyViolationHandler>()
// {
// new RequireAnyRolePolicyViolationHandler(),
// new DefaultSecurityPolicyViolationHandler(),
// new HasAccessToMarketPolicyViolationHandler(),
// new HasAccessToProgrammePolicyViolationHandler()
// };
// }
// return Enumerable.Empty<object>();
//});
configuration.ResolveServicesUsing(DependencyResolver.Current.GetServices, DependencyResolver.Current.GetService);
// Default policy with a friendly handler for all controllers, just in case we forget to implement something
configuration.ForAllControllers()
.AddPolicy <DefaultSecurityPolicy>();
configuration.For <HomeController>()
.DenyAnonymousAccess();
configuration.For <ImportController>()
.RemovePolicy <DefaultSecurityPolicy>()
.RequireAnyRole("Administrator", "Importer");
configuration.For <ImportController>(i => i.DeleteImport(new ImportParameters()))
.RequireAnyRole("CanDelete");
configuration.For <ImportExceptionController>()
.RemovePolicy <DefaultSecurityPolicy>()
.RequireAnyRole("Administrator", "Importer");
configuration.For <AdminController>()
.RemovePolicy <DefaultSecurityPolicy>()
.RequireAnyRole("Administrator", "Importer");
configuration.For <UserController>()
.RemovePolicy <DefaultSecurityPolicy>()
.RequireAnyRole("Administrator");
configuration.For <UserController>(x => x.MyAccount())
.RemovePolicy <DefaultSecurityPolicy>()
.RequireAnyRole("User");
// My user account needs to allow all users access
configuration.ForActionsMatching(
a => a.ControllerType == typeof(UserController) && a.ActionName.Equals("MyAccount"))
.Ignore();
configuration.For <TakeRateController>()
.RemovePolicy <DefaultSecurityPolicy>()
.AddPolicy <HasAccessToMarketPolicy>()
.AddPolicy <HasAccessToProgrammePolicy>();
configuration.For <TakeRateController>(t => t.Clone(new TakeRateParameters()))
.RequireAnyRole("Cloner");
configuration.For <TakeRateDataController>()
.RemovePolicy <DefaultSecurityPolicy>()
.AddPolicy <HasAccessToMarketPolicy>()
.AddPolicy <HasAccessToProgrammePolicy>();
configuration.For <MarketReviewController>()
.RemovePolicy <DefaultSecurityPolicy>()
.AddPolicy <HasAccessToMarketPolicy>()
.AddPolicy <HasAccessToProgrammePolicy>()
.RequireAnyRole("Administrator", "Editor", "MarketReviewer");
configuration.For <PublishController>()
.RemovePolicy <DefaultSecurityPolicy>()
.AddPolicy <HasAccessToMarketPolicy>()
.AddPolicy <HasAccessToProgrammePolicy>()
.RequireAnyRole("Administrator", "Editor", "Publisher");
configuration.For <DerivativeController>()
.RemovePolicy <DefaultSecurityPolicy>()
.RequireAnyRole("Administrator", "Importer");
configuration.For <DerivativeMappingController>()
.RemovePolicy <DefaultSecurityPolicy>()
.RequireAnyRole("Administrator", "Importer");
configuration.For <TrimController>()
.RemovePolicy <DefaultSecurityPolicy>()
.RequireAnyRole("Administrator", "Importer");
configuration.For <TrimMappingController>()
.RemovePolicy <DefaultSecurityPolicy>()
.RequireAnyRole("Administrator", "Importer");
configuration.For <FeatureController>()
.RemovePolicy <DefaultSecurityPolicy>()
.RequireAnyRole("Administrator", "Importer");
configuration.For <FeatureMappingController>()
.RemovePolicy <DefaultSecurityPolicy>()
.RequireAnyRole("Administrator", "Importer");
configuration.For <MarketController>()
.RemovePolicy <DefaultSecurityPolicy>()
.RequireAnyRole("Administrator", "Importer");
configuration.For <MarketMappingController>()
.RemovePolicy <DefaultSecurityPolicy>()
.RequireAnyRole("Administrator", "Importer");
configuration.For <IgnoredExceptionController>()
.RemovePolicy <DefaultSecurityPolicy>()
.RequireAnyRole("Administrator", "Importer");
configuration.For <SpecialFeatureMappingController>()
.RemovePolicy <DefaultSecurityPolicy>()
.RequireAnyRole("Administrator", "Importer");
configuration.For <NewsController>()
.RemovePolicy <DefaultSecurityPolicy>()
.RequireAnyRole("User");
});
GlobalFilters.Filters.Add(new HandleSecurityAttribute(), 0);
}
public void SetUp()
{
SecurityConfigurator.Reset();
}
public void SetUp()
{
SecurityConfigurator.Reset();
FakeIoC.Reset();
_context = new MockSecurityContext();
}
