/// <summary>
/// A <c>null</c> groups array must be rejected with <see cref="ArgumentNullException"/>
/// rather than being treated as "no groups".
/// </summary>
public void AuthorizeAction_NullGroups()
{
    AclEntry[] noEntries = new AclEntry[0];

    Assert.Throws<ArgumentNullException>(
        () => { AclEvaluator.AuthorizeAction("Res", "Action", "U.User", null, noEntries); });
}
/// <summary>
/// An invalid user identifier must make the evaluator throw <see cref="ArgumentException"/>.
/// </summary>
/// <param name="u">The invalid user value; the test-case data that supplies it is not visible here.</param>
public void AuthorizeAction_InvalidUser_ShouldThrowArgumentException(string u)
{
    string[] noGroups = new string[0];
    AclEntry[] noEntries = new AclEntry[0];

    Assert.Throws<ArgumentException>(
        () => { AclEvaluator.AuthorizeAction("Res", "Action", u, noGroups, noEntries); });
}
/// <summary>
/// An invalid action name must make the evaluator throw <see cref="ArgumentNullException"/>.
/// </summary>
/// <param name="a">The invalid action value; the test-case data that supplies it is not visible here.</param>
public void AuthorizeAction_InvalidAction_ShouldThrowArgumentNullException(string a)
{
    string[] noGroups = new string[0];
    AclEntry[] noEntries = new AclEntry[0];

    Assert.Throws<ArgumentNullException>(
        () => { AclEvaluator.AuthorizeAction("Res", a, "U.User", noGroups, noEntries); });
}
/// <summary>
/// An invalid resource name must make the evaluator throw <see cref="ArgumentException"/>.
/// </summary>
/// <param name="r">The invalid resource value; the test-case data that supplies it is not visible here.</param>
public void AuthorizeAction_InvalidResource_ShouldThrowArgumentException(string r)
{
    string[] noGroups = new string[0];
    AclEntry[] noEntries = new AclEntry[0];

    Assert.Throws<ArgumentException>(
        () => { AclEvaluator.AuthorizeAction(r, "Action", "U.User", noGroups, noEntries); });
}
/// <summary>
/// A <c>null</c> ACL entry array must be rejected with <see cref="ArgumentNullException"/>
/// rather than being evaluated as an empty ACL.
/// </summary>
public void AuthorizeAction_NullEntries()
{
    string[] noGroups = new string[0];

    Assert.Throws<ArgumentNullException>(
        () => { AclEvaluator.AuthorizeAction("Res", "Action", "U.User", noGroups, null); });
}
/// <summary>
/// Evaluates an action against the ACL entries stored for the global resource.
/// </summary>
/// <param name="action">The action to evaluate.</param>
/// <param name="currentUser">The current user (normalised with <c>AuthTools.PrepareUsername</c> before evaluation).</param>
/// <param name="groups">The groups the user belongs to (normalised with <c>AuthTools.PrepareGroups</c>).</param>
/// <returns>The evaluator's three-state verdict, returned unchanged (no escalation is attempted here).</returns>
private static Authorization LocalCheckActionForGlobals(string action, string currentUser, string[] groups)
{
    string resource = Actions.ForGlobals.ResourceMasterPrefix;
    AclEntry[] globalEntries = SettingsProvider.AclManager.RetrieveEntriesForResource(resource);

    // No argument validation happens in this private helper: the values are passed on as received.
    return AclEvaluator.AuthorizeAction(
        resource,
        action,
        AuthTools.PrepareUsername(currentUser),
        AuthTools.PrepareGroups(groups),
        globalEntries);
}
/// <summary>
/// One group holds a wildcard ("*") grant and another an explicit grant for the action:
/// a user who is a member of both must be granted.
/// </summary>
public void AuthorizeAction_GrantOneGroupExplicit_GrantOtherGroupFullControl()
{
    AclEntry[] acl =
    {
        new AclEntry("Res", "*", "G.Group1", Value.Grant),
        new AclEntry("Res", "Action", "G.Group2", Value.Grant),
    };
    string[] memberships = { "G.Group1", "G.Group2" };

    Authorization verdict = AclEvaluator.AuthorizeAction("Res", "Action", "U.User", memberships, acl);

    Assert.AreEqual(Authorization.Granted, verdict, "Wrong auth result");
}
/// <summary>
/// The group is explicitly denied the action and the user holds a wildcard ("*") deny:
/// the combined result must be Denied.
/// </summary>
public void AuthorizeAction_DenyGroupExplicit_DenyUserFullControl()
{
    AclEntry[] acl =
    {
        new AclEntry("Res", "Action", "G.Group", Value.Deny),
        new AclEntry("Res", "*", "U.User", Value.Deny),
    };
    string[] memberships = { "G.Group" };

    Authorization verdict = AclEvaluator.AuthorizeAction("Res", "Action", "U.User", memberships, acl);

    Assert.AreEqual(Authorization.Denied, verdict, "Wrong auth result");
}
/// <summary>
/// Two groups both hold an explicit grant for the action: a member of both must be granted.
/// </summary>
public void AuthorizeAction_GrantOneGroupExplicit_GrantOtherGroupExplicit()
{
    AclEntry[] acl =
    {
        new AclEntry("Res", "Action", "G.Group1", Value.Grant),
        new AclEntry("Res", "Action", "G.Group2", Value.Grant),
    };
    string[] memberships = { "G.Group1", "G.Group2" };

    Authorization verdict = AclEvaluator.AuthorizeAction("Res", "Action", "U.User", memberships, acl);

    Assert.Equal(Authorization.Granted, verdict);
}
/// <summary>
/// The same group holds a wildcard ("*") deny and an explicit grant for the action.
/// The test pins that the action-specific entry wins, so the result is Granted.
/// </summary>
/// <remarks>
/// Worth knowing when reviewing ACLs: under this rule a "*" deny on a subject is not an
/// absolute block, because a more specific grant for the same subject overrides it.
/// </remarks>
public void AuthorizeAction_GrantGroupExplicit_DenyGroupFullControl()
{
    AclEntry[] acl =
    {
        new AclEntry("Res", "*", "G.Group", Value.Deny),
        new AclEntry("Res", "Action", "G.Group", Value.Grant),
    };
    string[] memberships = { "G.Group" };

    Authorization verdict = AclEvaluator.AuthorizeAction("Res", "Action", "U.User", memberships, acl);

    Assert.Equal(Authorization.Granted, verdict);
}
/// <summary>
/// Both the group and the user hold an explicit grant for the action: the result must be Granted.
/// </summary>
public void AuthorizeAction_GrantGroupExplicit_GrantUserExplicit()
{
    AclEntry[] acl =
    {
        new AclEntry("Res", "Action", "G.Group", Value.Grant),
        new AclEntry("Res", "Action", "U.User", Value.Grant),
    };
    string[] memberships = { "G.Group" };

    Authorization verdict = AclEvaluator.AuthorizeAction("Res", "Action", "U.User", memberships, acl);

    Assert.AreEqual(Authorization.Granted, verdict, "Wrong auth result");
}
/// <summary>
/// Two groups both hold a wildcard ("*") deny: a member of both must be denied.
/// </summary>
public void AuthorizeAction_DenyOneGroupFullControl_DenyOtherGroupFullControl()
{
    AclEntry[] acl =
    {
        new AclEntry("Res", "*", "G.Group1", Value.Deny),
        new AclEntry("Res", "*", "G.Group2", Value.Deny),
    };
    string[] memberships = { "G.Group1", "G.Group2" };

    Authorization verdict = AclEvaluator.AuthorizeAction("Res", "Action", "U.User", memberships, acl);

    Assert.Equal(Authorization.Denied, verdict);
}
/// <summary>
/// Two groups both hold an explicit deny for the action: a member of both must be denied.
/// </summary>
public void AuthorizeAction_DenyOneGroupExplicit_DenyOtherGroupExplicit()
{
    AclEntry[] acl =
    {
        new AclEntry("Res", "Action", "G.Group1", Value.Deny),
        new AclEntry("Res", "Action", "G.Group2", Value.Deny),
    };
    string[] memberships = { "G.Group1", "G.Group2" };

    Authorization verdict = AclEvaluator.AuthorizeAction("Res", "Action", "U.User", memberships, acl);

    Assert.AreEqual(Authorization.Denied, verdict, "Wrong auth result");
}
/// <summary>
/// The user holds a wildcard ("*") grant and an explicit deny for the action.
/// The test pins that the action-specific deny wins, so the result is Denied.
/// </summary>
public void AuthorizeAction_DenyUserExplicit_GrantUserFullControl()
{
    AclEntry[] acl =
    {
        new AclEntry("Res", "*", "U.User", Value.Grant),
        new AclEntry("Res", "Action", "U.User", Value.Deny),
    };
    string[] noGroups = new string[0];

    Authorization verdict = AclEvaluator.AuthorizeAction("Res", "Action", "U.User", noGroups, acl);

    Assert.Equal(Authorization.Denied, verdict);
}
/// <summary>
/// Evaluates an action for a namespace and, when the namespace's own ACL gives no answer,
/// walks the escalation chain: local escalators, then the root namespace, then global escalators.
/// </summary>
/// <param name="nspace">The namespace (<c>null</c> for the root).</param>
/// <param name="action">The action to evaluate.</param>
/// <param name="currentUser">The current user.</param>
/// <param name="groups">The groups the user belongs to.</param>
/// <param name="localEscalator">
/// When <c>true</c>, only the namespace's own ACL is consulted and its verdict is returned as is
/// (including Unknown); no further escalation is attempted.
/// </param>
/// <returns>
/// The first verdict in the chain that is not Unknown, whether Granted or Denied;
/// Unknown when no step produced a decision.
/// </returns>
private static Authorization LocalCheckActionForNamespace(NamespaceInfo nspace, string action, string currentUser, string[] groups, bool localEscalator = false)
{
    string resource = Actions.ForNamespaces.ResourceMasterPrefix + (nspace != null ? nspace.Name : "");

    AclEntry[] entries = SettingsProvider.AclManager.RetrieveEntriesForResource(resource);
    Authorization direct = AclEvaluator.AuthorizeAction(
        resource,
        action,
        AuthTools.PrepareUsername(currentUser),
        AuthTools.PrepareGroups(groups),
        entries);

    if (localEscalator || direct != Authorization.Unknown)
    {
        return direct;
    }

    // Step 1: actions on the same namespace that imply the requested one.
    string[] localActions;
    if (Actions.ForNamespaces.LocalEscalators.TryGetValue(action, out localActions))
    {
        foreach (string candidate in localActions)
        {
            Authorization verdict = LocalCheckActionForNamespace(nspace, candidate, currentUser, groups, true);
            if (verdict != Authorization.Unknown)
            {
                return verdict;
            }
        }
    }

    // Step 2: the root namespace. This call leaves localEscalator at its default, so the root
    // check runs its own local and global escalation before reporting Unknown.
    if (nspace != null)
    {
        Authorization verdict = LocalCheckActionForNamespace(null, action, currentUser, groups);
        if (verdict != Authorization.Unknown)
        {
            return verdict;
        }
    }

    // Step 3: global actions that imply the requested one.
    string[] globalActions;
    if (Actions.ForNamespaces.GlobalEscalators.TryGetValue(action, out globalActions))
    {
        foreach (string candidate in globalActions)
        {
            Authorization verdict = LocalCheckActionForGlobals(candidate, currentUser, groups);
            if (verdict != Authorization.Unknown)
            {
                return verdict;
            }
        }
    }

    return Authorization.Unknown;
}
/// <summary>
/// The user holds a wildcard ("*") deny and an explicit grant for the action.
/// The test pins that the action-specific grant wins, so the result is Granted.
/// </summary>
public void AuthorizeAction_GrantUserExplicit_DenyUserFullControl()
{
    AclEntry[] acl =
    {
        new AclEntry("Res", "*", "U.User", Value.Deny),
        new AclEntry("Res", "Action", "U.User", Value.Grant),
    };
    string[] noGroups = new string[0];

    Authorization verdict = AclEvaluator.AuthorizeAction("Res", "Action", "U.User", noGroups, acl);

    Assert.AreEqual(Authorization.Granted, verdict, "Wrong auth result");
}
/// <summary>
/// None of the entries refers to the queried resource ("Res3"), so the evaluator must answer
/// Unknown rather than borrowing a verdict from entries for "Res" or "Res2".
/// </summary>
public void AuthorizeAction_InexistentResource()
{
    AclEntry[] acl =
    {
        new AclEntry("Res", "Action", "U.User", Value.Grant),
        new AclEntry("Res", "Action", "U.User2", Value.Deny),
        new AclEntry("Res", "Action2", "U.User", Value.Deny),
        new AclEntry("Res", "*", "U.User3", Value.Grant),
        new AclEntry("Res2", "Action", "U.User", Value.Deny),
    };
    string[] noGroups = new string[0];

    Authorization verdict = AclEvaluator.AuthorizeAction("Res3", "Action", "U.User", noGroups, acl);

    Assert.Equal(Authorization.Unknown, verdict);
}
/// <summary>
/// The user's group holds a wildcard ("*") grant on the resource. Entries for other users,
/// other actions and other resources are present as noise and must not change the Granted result.
/// </summary>
public void AuthorizeAction_GrantGroupFullControl()
{
    AclEntry[] acl =
    {
        new AclEntry("Res", "*", "G.Group", Value.Grant),
        new AclEntry("Res", "Action", "U.User2", Value.Deny),
        new AclEntry("Res", "Action2", "G.Group", Value.Deny),
        new AclEntry("Res2", "Action", "G.Group", Value.Deny),
        new AclEntry("Res", "*", "U.User3", Value.Grant),
    };
    string[] memberships = { "G.Group" };

    Authorization verdict = AclEvaluator.AuthorizeAction("Res", "Action", "U.User", memberships, acl);

    Assert.AreEqual(Authorization.Granted, verdict, "Wrong auth result");
}
/// <summary>
/// No entry names the queried action ("Action3") for this user, and the only wildcard entry
/// belongs to a different user, so the evaluator must answer Unknown.
/// </summary>
public void AuthorizeAction_InexistentAction()
{
    AclEntry[] acl =
    {
        new AclEntry("Res", "Action", "U.User", Value.Grant),
        new AclEntry("Res", "Action", "U.User2", Value.Deny),
        new AclEntry("Res", "Action2", "U.User", Value.Deny),
        new AclEntry("Res", "*", "U.User3", Value.Grant),
        new AclEntry("Res2", "Action", "U.User", Value.Deny),
    };
    string[] noGroups = new string[0];

    Authorization verdict = AclEvaluator.AuthorizeAction("Res", "Action3", "U.User", noGroups, acl);

    Assert.AreEqual(Authorization.Unknown, verdict, "Wrong auth result");
}
/// <summary>
/// Checks whether an action is allowed for the global resources.
/// </summary>
/// <param name="action">The action the user is attempting to perform.</param>
/// <param name="currentUser">The current user.</param>
/// <param name="groups">The groups the user is member of.</param>
/// <returns>
/// <c>true</c> only when the ACL evaluation yields Granted; both Denied and Unknown map to
/// <c>false</c>, so a missing ACL entry fails closed.
/// </returns>
/// <exception cref="ArgumentNullException">If <paramref name="action"/>, <paramref name="currentUser"/> or <paramref name="groups"/> is <c>null</c>.</exception>
/// <exception cref="ArgumentException">If <paramref name="action"/> is empty or not a valid global action, or <paramref name="currentUser"/> is empty.</exception>
public static bool CheckActionForGlobals(string action, string currentUser, string[] groups)
{
    // Argument checks run in this fixed order; callers may depend on which exception comes first.
    if (action == null)
    {
        throw new ArgumentNullException("action");
    }
    if (action.Length == 0)
    {
        throw new ArgumentException("Action cannot be empty", "action");
    }
    if (!AuthTools.IsValidAction(action, Actions.ForGlobals.All))
    {
        throw new ArgumentException("Invalid action", "action");
    }
    if (currentUser == null)
    {
        throw new ArgumentNullException("currentUser");
    }
    if (currentUser.Length == 0)
    {
        throw new ArgumentException("Current User cannot be empty", "currentUser");
    }
    if (groups == null)
    {
        throw new ArgumentNullException("groups");
    }

    // NOTE(review): hard-coded identity bypass. The literal name "admin" is compared
    // case-sensitively against the raw currentUser and returns true before any ACL entry is read,
    // so Deny entries can never restrict that account. This method trusts currentUser as given.
    if (currentUser == "admin")
    {
        return true;
    }

    string resource = Actions.ForGlobals.ResourceMasterPrefix;
    AclEntry[] globalEntries = SettingsProvider.AclManager.RetrieveEntriesForResource(resource);

    Authorization verdict = AclEvaluator.AuthorizeAction(
        resource,
        action,
        AuthTools.PrepareUsername(currentUser),
        AuthTools.PrepareGroups(groups),
        globalEntries);

    return verdict == Authorization.Granted;
}
/// <summary>
/// Evaluates an action for a page and, when the page's own ACL gives no answer, walks the
/// escalation chain: local escalators, then namespace escalators (the page's namespace followed
/// by the root namespace), then global escalators.
/// </summary>
/// <param name="page">The page; dereferenced without a null check in this private helper.</param>
/// <param name="action">The action to evaluate.</param>
/// <param name="currentUser">The current user.</param>
/// <param name="groups">The groups the user belongs to.</param>
/// <param name="localEscalator">
/// When <c>true</c>, only the page's own ACL is consulted and its verdict is returned as is
/// (including Unknown).
/// </param>
/// <returns>
/// The first verdict in the chain that is not Unknown, whether Granted or Denied;
/// Unknown when no step produced a decision.
/// </returns>
private static Authorization LocalCheckActionForPage(PageInfo page, string action, string currentUser, string[] groups, bool localEscalator = false)
{
    string resource = Actions.ForPages.ResourceMasterPrefix + page.FullName;

    AclEntry[] entries = SettingsProvider.AclManager.RetrieveEntriesForResource(resource);
    Authorization direct = AclEvaluator.AuthorizeAction(
        resource,
        action,
        AuthTools.PrepareUsername(currentUser),
        AuthTools.PrepareGroups(groups),
        entries);

    if (localEscalator || direct != Authorization.Unknown)
    {
        return direct;
    }

    // Step 1: actions on the same page that imply the requested one.
    string[] localActions;
    if (Actions.ForPages.LocalEscalators.TryGetValue(action, out localActions))
    {
        foreach (string candidate in localActions)
        {
            Authorization verdict = LocalCheckActionForPage(page, candidate, currentUser, groups, true);
            if (verdict != Authorization.Unknown)
            {
                return verdict;
            }
        }
    }

    // Step 2: namespace-level actions that imply the requested page action.
    // An empty namespace name means the page lives in the root, represented by a null NamespaceInfo.
    string nsName = NameTools.GetNamespace(page.FullName);
    NamespaceInfo ns = string.IsNullOrEmpty(nsName) ? null : new NamespaceInfo(nsName, null, null);

    string[] namespaceActions;
    if (Actions.ForPages.NamespaceEscalators.TryGetValue(action, out namespaceActions))
    {
        foreach (string candidate in namespaceActions)
        {
            // Both namespace checks pass localEscalator = true, so each reads a single ACL only.
            Authorization verdict = LocalCheckActionForNamespace(ns, candidate, currentUser, groups, true);
            if (verdict != Authorization.Unknown)
            {
                return verdict;
            }

            // The page's own namespace had no answer: try the same action on the root namespace.
            if (ns != null)
            {
                verdict = LocalCheckActionForNamespace(null, candidate, currentUser, groups, true);
                if (verdict != Authorization.Unknown)
                {
                    return verdict;
                }
            }
        }
    }

    // Step 3: global actions that imply the requested one.
    string[] globalActions;
    if (Actions.ForPages.GlobalEscalators.TryGetValue(action, out globalActions))
    {
        foreach (string candidate in globalActions)
        {
            Authorization verdict = LocalCheckActionForGlobals(candidate, currentUser, groups);
            if (verdict != Authorization.Unknown)
            {
                return verdict;
            }
        }
    }

    return Authorization.Unknown;
}
/// <summary>
/// Calls the evaluator with a caller-supplied action value and otherwise valid arguments.
/// </summary>
/// <param name="a">The action value under test; the test-case data that supplies it is not visible here.</param>
public void AuthorizeAction_InvalidAction(string a)
{
    // NOTE(review): the body holds no assertion; presumably an expected-exception attribute
    // outside this view carries the expectation. Confirm, otherwise this test cannot fail on a
    // missing validation.
    string[] noGroups = new string[0];
    AclEntry[] noEntries = new AclEntry[0];

    AclEvaluator.AuthorizeAction("Res", a, "U.User", noGroups, noEntries);
}
/// <summary>
/// Checks whether an action is allowed for a namespace.
/// </summary>
/// <remarks>
/// A decision on the namespace's own ACL (Granted or Denied) is final. When that ACL answers
/// Unknown, the escalation steps recurse through this same boolean method, so a Denied verdict
/// found at an escalator only counts as "not granted" and the search continues with the next step.
/// </remarks>
/// <param name="nspace">The current namespace (<c>null</c> for the root).</param>
/// <param name="action">The action the user is attempting to perform.</param>
/// <param name="currentUser">The current user.</param>
/// <param name="groups">The groups the user is member of.</param>
/// <returns><c>true</c> if the action is allowed, <c>false</c> otherwise.</returns>
/// <exception cref="ArgumentNullException">If <paramref name="action"/>, <paramref name="currentUser"/> or <paramref name="groups"/> is <c>null</c>.</exception>
/// <exception cref="ArgumentException">If <paramref name="action"/> is empty or not a valid namespace action, or <paramref name="currentUser"/> is empty.</exception>
public static bool CheckActionForNamespace(NamespaceInfo nspace, string action, string currentUser, string[] groups)
{
    // Argument checks run in this fixed order; callers may depend on which exception comes first.
    if (action == null)
    {
        throw new ArgumentNullException("action");
    }
    if (action.Length == 0)
    {
        throw new ArgumentException("Action cannot be empty", "action");
    }
    if (!AuthTools.IsValidAction(action, Actions.ForNamespaces.All))
    {
        throw new ArgumentException("Invalid action", "action");
    }
    if (currentUser == null)
    {
        throw new ArgumentNullException("currentUser");
    }
    if (currentUser.Length == 0)
    {
        throw new ArgumentException("Current User cannot be empty", "currentUser");
    }
    if (groups == null)
    {
        throw new ArgumentNullException("groups");
    }

    // NOTE(review): hard-coded identity bypass. The literal name "admin" is compared
    // case-sensitively against the raw currentUser and returns true before any ACL entry is read,
    // so Deny entries can never restrict that account. This method trusts currentUser as given.
    if (currentUser == "admin")
    {
        return true;
    }

    string resource = Actions.ForNamespaces.ResourceMasterPrefix + (nspace != null ? nspace.Name : "");
    AclEntry[] entries = SettingsProvider.AclManager.RetrieveEntriesForResource(resource);

    Authorization direct = AclEvaluator.AuthorizeAction(
        resource,
        action,
        AuthTools.PrepareUsername(currentUser),
        AuthTools.PrepareGroups(groups),
        entries);

    if (direct != Authorization.Unknown)
    {
        return direct == Authorization.Granted;
    }

    // Step 1: actions on the same namespace that imply the requested one.
    string[] localActions;
    if (Actions.ForNamespaces.LocalEscalators.TryGetValue(action, out localActions))
    {
        foreach (string candidate in localActions)
        {
            if (CheckActionForNamespace(nspace, candidate, currentUser, groups))
            {
                return true;
            }
        }
    }

    // Step 2: the same action on the root namespace.
    if (nspace != null && CheckActionForNamespace(null, action, currentUser, groups))
    {
        return true;
    }

    // Step 3: global actions that imply the requested one.
    string[] globalActions;
    if (Actions.ForNamespaces.GlobalEscalators.TryGetValue(action, out globalActions))
    {
        foreach (string candidate in globalActions)
        {
            if (CheckActionForGlobals(candidate, currentUser, groups))
            {
                return true;
            }
        }
    }

    // Nothing granted the action: fail closed.
    return false;
}
/// <summary>
/// Calls the evaluator with a caller-supplied resource value and otherwise valid arguments.
/// </summary>
/// <param name="r">The resource value under test; the test-case data that supplies it is not visible here.</param>
public void AuthorizeAction_InvalidResource(string r)
{
    // NOTE(review): the body holds no assertion; presumably an expected-exception attribute
    // outside this view carries the expectation. Confirm, otherwise this test cannot fail on a
    // missing validation.
    string[] noGroups = new string[0];
    AclEntry[] noEntries = new AclEntry[0];

    AclEvaluator.AuthorizeAction(r, "Action", "U.User", noGroups, noEntries);
}
/// <summary>
/// With an empty ACL the evaluator has nothing to decide on and must answer Unknown,
/// not Granted.
/// </summary>
public void AuthorizeAction_EmptyEntries()
{
    string[] noGroups = new string[0];
    AclEntry[] emptyAcl = new AclEntry[0];

    Authorization verdict = AclEvaluator.AuthorizeAction("Res", "Action", "U.User", noGroups, emptyAcl);

    Assert.Equal(Authorization.Unknown, verdict);
}
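/// <summary>
/// A <c>null</c> ACL entry array must be rejected with <see cref="ArgumentNullException"/>
/// naming the <c>entries</c> parameter.
/// </summary>
public void Authorize_Action_Null_Entries()
{
    var ex = Assert.Throws<ArgumentNullException>(
        () => AclEvaluator.AuthorizeAction("Res", "Action", "U.User", new string[0], null));

    // Check the parameter name instead of the whole message: the message text is generated by the
    // framework, and its wording, line break and "Parameter name:" suffix differ between runtime
    // versions and UI cultures, which made the original string comparison environment-dependent.
    Assert.Equal("entries", ex.ParamName);
}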
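/// <summary>
/// An empty user name must be rejected with <see cref="ArgumentException"/> naming the
/// <c>user</c> parameter and carrying the "User cannot be empty." text.
/// </summary>
public void Authorize_User_Empty()
{
    var ex = Assert.Throws<ArgumentException>(
        () => AclEvaluator.AuthorizeAction("Res", "Action", "", new string[0], new AclEntry[0]));

    // Only the first part of the message is written by the code under test; the trailing
    // parameter-name suffix is appended by the framework and its format differs between runtime
    // versions and platforms. Assert the two pieces separately so the test is not tied to one format.
    Assert.StartsWith("User cannot be empty.", ex.Message);
    Assert.Equal("user", ex.ParamName);
}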
/// <summary>
/// Checks whether an action is allowed for a directory.
/// </summary>
/// <remarks>
/// A decision on the directory's own ACL (Granted or Denied) is final. When that ACL answers
/// Unknown, the method tries local escalators, then the parent directory, then global escalators.
/// These steps recurse through boolean methods, so a Denied verdict found at an escalator or a
/// parent only counts as "not granted" and the search continues with the next step.
/// </remarks>
/// <param name="provider">The provider that manages the directory.</param>
/// <param name="directory">The full path of the directory.</param>
/// <param name="action">The action the user is attempting to perform.</param>
/// <param name="currentUser">The current user.</param>
/// <param name="groups">The groups the user is member of.</param>
/// <returns><c>true</c> if the action is allowed, <c>false</c> otherwise.</returns>
/// <exception cref="ArgumentNullException">If <paramref name="provider"/>, <paramref name="directory"/>, <paramref name="action"/>, <paramref name="currentUser"/> or <paramref name="groups"/> is <c>null</c>.</exception>
/// <exception cref="ArgumentException">If <paramref name="directory"/>, <paramref name="action"/> or <paramref name="currentUser"/> is empty, or <paramref name="action"/> is not a valid directory action.</exception>
public static bool CheckActionForDirectory(IFilesStorageProviderV30 provider, string directory, string action, string currentUser, string[] groups)
{
    // Argument checks run in this fixed order; callers may depend on which exception comes first.
    if (provider == null)
    {
        throw new ArgumentNullException("provider");
    }
    if (directory == null)
    {
        throw new ArgumentNullException("directory");
    }
    if (directory.Length == 0)
    {
        throw new ArgumentException("Directory cannot be empty", "directory");
    }
    if (action == null)
    {
        throw new ArgumentNullException("action");
    }
    if (action.Length == 0)
    {
        throw new ArgumentException("Action cannot be empty", "action");
    }
    if (!AuthTools.IsValidAction(action, Actions.ForDirectories.All))
    {
        throw new ArgumentException("Invalid action", "action");
    }
    if (currentUser == null)
    {
        throw new ArgumentNullException("currentUser");
    }
    if (currentUser.Length == 0)
    {
        throw new ArgumentException("Current User cannot be empty", "currentUser");
    }
    if (groups == null)
    {
        throw new ArgumentNullException("groups");
    }

    // NOTE(review): hard-coded identity bypass. The literal name "admin" is compared
    // case-sensitively against the raw currentUser and returns true before any ACL entry is read,
    // so Deny entries can never restrict that account. This method trusts currentUser as given.
    if (currentUser == "admin")
    {
        return true;
    }

    string resource = Actions.ForDirectories.ResourceMasterPrefix + AuthTools.GetDirectoryName(provider, directory);
    AclEntry[] entries = SettingsProvider.AclManager.RetrieveEntriesForResource(resource);

    Authorization direct = AclEvaluator.AuthorizeAction(
        resource,
        action,
        AuthTools.PrepareUsername(currentUser),
        AuthTools.PrepareGroups(groups),
        entries);

    if (direct != Authorization.Unknown)
    {
        return direct == Authorization.Granted;
    }

    // Step 1: actions on the same directory that imply the requested one.
    string[] localActions;
    if (Actions.ForDirectories.LocalEscalators.TryGetValue(action, out localActions))
    {
        foreach (string candidate in localActions)
        {
            if (CheckActionForDirectory(provider, directory, candidate, currentUser, groups))
            {
                return true;
            }
        }
    }

    // Step 2: the parent directory. The parent path keeps the caller's slash format
    // (leading and trailing slashes are preserved where the input had them).
    string trimmed = directory.Trim('/');
    if (trimmed.Length > 0)
    {
        string leadingSlash = directory.StartsWith("/") ? "/" : "";
        int lastSlash = trimmed.LastIndexOf('/');

        string parentDir;
        if (lastSlash > 0)
        {
            // One level up.
            string trailingSlash = directory.EndsWith("/") ? "/" : "";
            parentDir = leadingSlash + trimmed.Substring(0, lastSlash) + trailingSlash;
        }
        else
        {
            // The parent is the root.
            // NOTE(review): for a single-level directory given without a leading slash this is "",
            // and the recursive call below then throws ArgumentException ("Directory cannot be
            // empty") instead of returning a decision. Confirm callers always pass a leading slash.
            parentDir = leadingSlash;
        }

        if (CheckActionForDirectory(provider, parentDir, action, currentUser, groups))
        {
            return true;
        }
    }

    // Step 3: global actions that imply the requested one.
    string[] globalActions;
    if (Actions.ForDirectories.GlobalEscalators.TryGetValue(action, out globalActions))
    {
        foreach (string candidate in globalActions)
        {
            if (CheckActionForGlobals(candidate, currentUser, groups))
            {
                return true;
            }
        }
    }

    // Nothing granted the action: fail closed.
    return false;
}
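/// <summary>
/// A <c>null</c> resource must be rejected with <see cref="ArgumentNullException"/>
/// naming the <c>resource</c> parameter.
/// </summary>
public void Authorize_Resource_Null()
{
    var ex = Assert.Throws<ArgumentNullException>(
        () => AclEvaluator.AuthorizeAction(null, "Action", "U.User", new string[0], new AclEntry[0]));

    // Check the parameter name instead of the whole message: the message text is generated by the
    // framework, and its wording, line break and "Parameter name:" suffix differ between runtime
    // versions and UI cultures, which made the original string comparison environment-dependent.
    Assert.Equal("resource", ex.ParamName);
}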
/// <summary>
/// Calls the evaluator with a caller-supplied user value and otherwise valid arguments.
/// </summary>
/// <param name="u">The user value under test; the test-case data that supplies it is not visible here.</param>
public void AuthorizeAction_InvalidUser(string u)
{
    // NOTE(review): the body holds no assertion; presumably an expected-exception attribute
    // outside this view carries the expectation. Confirm, otherwise this test cannot fail on a
    // missing validation.
    string[] noGroups = new string[0];
    AclEntry[] noEntries = new AclEntry[0];

    AclEvaluator.AuthorizeAction("Res", "Action", u, noGroups, noEntries);
}