public override SecurityPolicyResult Evaluate(UserSecurityPolicyEvaluationContext context)
{
if (context == null)
{
throw new ArgumentNullException(nameof(context));
}
var identity = context.HttpContext.User.Identity;
if (identity.HasExplicitScopeAction(NuGetScopes.PackageVerify))
{
return(SecurityPolicyResult.SuccessResult);
}
return(SecurityPolicyResult.CreateErrorResult(Strings.SecurityPolicy_RequireApiKeyWithPackageVerifyScope));
}
/// <summary>
/// Evaluate if this package compliance policy is met.
/// </summary>
public override async Task <SecurityPolicyResult> EvaluateAsync(PackageSecurityPolicyEvaluationContext context)
{
if (context == null)
{
throw new ArgumentNullException(nameof(context));
}
// This particular package policy assumes the existence of a particular user.
// Succeed silently (effectively ignoring this policy when enabled) when that user does not exist.
var state = GetState(context);
var requiredCoOwner = context.UserService.FindByUsername(state.RequiredCoOwnerUsername);
if (requiredCoOwner == null)
{
// This may happen on gallery deployments that don't have this particular user.
return(SecurityPolicyResult.SuccessResult);
}
// Evaluate package metadata validations
if (!IsPackageMetadataCompliant(context.Package, state, out var complianceFailures))
{
// Package policy not met.
return(SecurityPolicyResult.CreateErrorResult(
string.Format(
CultureInfo.CurrentCulture,
state.ErrorMessageFormat,
Environment.NewLine + string.Join(Environment.NewLine, complianceFailures))));
}
// Automatically add the required co-owner when metadata is compliant.
if (!context.Package.PackageRegistration.Owners.Select(o => o.Username).Contains(state.RequiredCoOwnerUsername, StringComparer.OrdinalIgnoreCase))
{
// This will also mark the package as verified if the prefix has been reserved by the co-owner.
// The entities context is committed later as a single atomic transaction (see PackageUploadService).
await context.PackageOwnershipManagementService.AddPackageOwnerAsync(context.Package.PackageRegistration, requiredCoOwner, commitChanges : false);
}
// If the PackageRegistration is not marked as verified,
// the account pushing the package has not registered the prefix yet.
if (!context.Package.PackageRegistration.IsVerified)
{
return(SecurityPolicyResult.CreateWarningResult(Strings.SecurityPolicy_RequirePackagePrefixReserved));
}
// All good!
return(SecurityPolicyResult.SuccessResult);
}
public override SecurityPolicyResult Evaluate(UserSecurityPolicyEvaluationContext context)
{
context = context ?? throw new ArgumentNullException(nameof(context));
var state = GetPolicyState(context);
var targetAccount = context.TargetAccount;
var targetCredential = targetAccount.Credentials.GetAzureActiveDirectoryCredential();
if (targetCredential == null ||
!state.Tenant.Equals(targetCredential.TenantId, StringComparison.OrdinalIgnoreCase))
{
return(SecurityPolicyResult.CreateErrorResult(string.Format(CultureInfo.CurrentCulture,
Strings.AddMember_UserDoesNotMeetOrganizationPolicy, targetAccount.Username)));
}
return(SecurityPolicyResult.SuccessResult);
}
public override SecurityPolicyResult Evaluate(UserSecurityPolicyContext context)
{
if (context == null)
{
throw new ArgumentNullException(nameof(context));
}
var minClientVersion = GetMaxOfMinClientVersions(context);
var clientVersion = GetClientVersion(context);
if (clientVersion == null || clientVersion < minClientVersion)
{
return(SecurityPolicyResult.CreateErrorResult(string.Format(CultureInfo.CurrentCulture,
Strings.SecurityPolicy_RequireMinClientVersionForPush, minClientVersion)));
}
return(SecurityPolicyResult.SuccessResult);
}
public void VerifyPolicyEvaluation(bool expectedPolicy1, bool?expectedPolicy2, SecurityPolicyResult actual)
{
var expectedSuccess = expectedPolicy1 && expectedPolicy2.Value;
Assert.Equal(expectedSuccess, actual.Success);
string failedPolicy = null;
if (!expectedSuccess)
{
failedPolicy = expectedPolicy1 ? nameof(MockPolicy2) : nameof(MockPolicy1);
}
Assert.Equal(failedPolicy, actual.ErrorMessage);
MockPolicy1.Verify(p => p.Evaluate(It.IsAny <UserSecurityPolicyEvaluationContext>()), Times.Once);
MockPolicy2.Verify(p => p.Evaluate(It.IsAny <UserSecurityPolicyEvaluationContext>()),
expectedPolicy2.HasValue ? Times.Once() : Times.Never());
}
