/// <summary>
/// Evaluate if this security policy is met.
/// </summary>
public override SecurityPolicyResult Evaluate(UserSecurityPolicyEvaluationContext context)
{
if (context == null)
{
throw new ArgumentNullException(nameof(context));
}
var minClientVersion = GetMaxOfMinClientVersions(context);
// Do we have X-NuGet-Protocol-Version header?
var protocolVersion = GetProtocolVersion(context);
if (protocolVersion == null)
{
// Do we have X-NuGet-Client-Version header?
protocolVersion = GetClientVersion(context);
}
if (protocolVersion == null || protocolVersion < minClientVersion)
{
return(SecurityPolicyResult.CreateErrorResult(string.Format(CultureInfo.CurrentCulture,
Strings.SecurityPolicy_RequireMinProtocolVersionForPush, minClientVersion)));
}
return(SecurityPolicyResult.SuccessResult);
}
/// <summary>
/// Evaluate if this security policy is met.
/// </summary>
public override Task <SecurityPolicyResult> EvaluateAsync(UserSecurityPolicyEvaluationContext context)
{
if (context == null)
{
throw new ArgumentNullException(nameof(context));
}
var minProtocolVersion = GetMaxOfMinProtocolVersions(context);
// Do we have X-NuGet-Protocol-Version header?
var protocolVersion = GetProtocolVersion(context);
if (protocolVersion == null)
{
// Do we have X-NuGet-Client-Version header? This header is DEPRECATED, and here for backwards compatibility!
protocolVersion = GetClientVersion(context);
}
if (protocolVersion == null || protocolVersion < minProtocolVersion)
{
return(Task.FromResult(SecurityPolicyResult.CreateErrorResult(string.Format(CultureInfo.CurrentCulture,
ServicesStrings.SecurityPolicy_RequireMinProtocolVersionForPush, minProtocolVersion))));
}
return(Task.FromResult(SecurityPolicyResult.SuccessResult));
}
private Mock <UserSecurityPolicyHandler> MockHandler(string name, bool success)
{
var result = success ? SecurityPolicyResult.SuccessResult : SecurityPolicyResult.CreateErrorResult(name);
var mock = new Mock <UserSecurityPolicyHandler>(name, SecurityPolicyAction.PackagePush);
mock.Setup(m => m.Evaluate(It.IsAny <UserSecurityPolicyEvaluationContext>())).Returns(result).Verifiable();
return(mock);
}
private static Mock <UserSecurityPolicyHandler> MockHandler(string name, Dictionary <string, bool> resultPerSubscription)
{
var mock = new Mock <UserSecurityPolicyHandler>(name, SecurityPolicyAction.PackagePush);
mock.Setup(m => m.Evaluate(It.IsAny <UserSecurityPolicyEvaluationContext>()))
.Returns <UserSecurityPolicyEvaluationContext>(x =>
{
var subscription = x.Policies.First().Subscription;
return(resultPerSubscription[subscription] == true ?
SecurityPolicyResult.SuccessResult :
SecurityPolicyResult.CreateErrorResult($"{subscription}-{name}"));
}).Verifiable();
return(mock);
}
public override SecurityPolicyResult Evaluate(UserSecurityPolicyEvaluationContext context)
{
if (context == null)
{
throw new ArgumentNullException(nameof(context));
}
var identity = context.HttpContext.User.Identity;
if (identity.HasPackageVerifyScopeClaim())
{
return(SecurityPolicyResult.SuccessResult);
}
return(SecurityPolicyResult.CreateErrorResult(Strings.SecurityPolicy_RequireApiKeyWithPackageVerifyScope));
}
public override Task <SecurityPolicyResult> EvaluateAsync(UserSecurityPolicyEvaluationContext context)
{
if (context == null)
{
throw new ArgumentNullException(nameof(context));
}
var identity = context.HttpContext.User.Identity;
if (identity.HasExplicitScopeAction(NuGetScopes.PackageVerify))
{
return(Task.FromResult(SecurityPolicyResult.SuccessResult));
}
return(Task.FromResult(SecurityPolicyResult.CreateErrorResult(Strings.SecurityPolicy_RequireApiKeyWithPackageVerifyScope)));
}
/// <summary>
/// Evaluate if this package compliance policy is met.
/// </summary>
public override async Task <SecurityPolicyResult> EvaluateAsync(PackageSecurityPolicyEvaluationContext context)
{
if (context == null)
{
throw new ArgumentNullException(nameof(context));
}
// This particular package policy assumes the existence of a particular user.
// Succeed silently (effectively ignoring this policy when enabled) when that user does not exist.
var state = GetState(context);
var requiredCoOwner = context.UserService.FindByUsername(state.RequiredCoOwnerUsername);
if (requiredCoOwner == null)
{
// This may happen on gallery deployments that don't have this particular user.
return(SecurityPolicyResult.SuccessResult);
}
// Evaluate package metadata validations
if (!IsPackageMetadataCompliant(context.Package, state, out var complianceFailures))
{
// Package policy not met.
return(SecurityPolicyResult.CreateErrorResult(
string.Format(
CultureInfo.CurrentCulture,
state.ErrorMessageFormat,
Environment.NewLine + string.Join(Environment.NewLine, complianceFailures))));
}
// Automatically add the required co-owner when metadata is compliant.
if (!context.Package.PackageRegistration.Owners.Select(o => o.Username).Contains(state.RequiredCoOwnerUsername, StringComparer.OrdinalIgnoreCase))
{
// This will also mark the package as verified if the prefix has been reserved by the co-owner.
// The entities context is committed later as a single atomic transaction (see PackageUploadService).
await context.PackageOwnershipManagementService.AddPackageOwnerAsync(context.Package.PackageRegistration, requiredCoOwner, commitChanges : false);
}
// If the PackageRegistration is not marked as verified,
// the account pushing the package has not registered the prefix yet.
if (!context.Package.PackageRegistration.IsVerified)
{
return(SecurityPolicyResult.CreateWarningResult(Strings.SecurityPolicy_RequirePackagePrefixReserved));
}
// All good!
return(SecurityPolicyResult.SuccessResult);
}
public override SecurityPolicyResult Evaluate(UserSecurityPolicyEvaluationContext context)
{
context = context ?? throw new ArgumentNullException(nameof(context));
var state = GetPolicyState(context);
var targetAccount = context.TargetAccount;
var targetCredential = targetAccount.Credentials.GetAzureActiveDirectoryCredential();
if (targetCredential == null ||
!state.Tenant.Equals(targetCredential.TenantId, StringComparison.OrdinalIgnoreCase))
{
return(SecurityPolicyResult.CreateErrorResult(string.Format(CultureInfo.CurrentCulture,
Strings.AddMember_UserDoesNotMeetOrganizationPolicy, targetAccount.Username)));
}
return(SecurityPolicyResult.SuccessResult);
}
public override SecurityPolicyResult Evaluate(UserSecurityPolicyContext context)
{
if (context == null)
{
throw new ArgumentNullException(nameof(context));
}
var minClientVersion = GetMaxOfMinClientVersions(context);
var clientVersion = GetClientVersion(context);
if (clientVersion == null || clientVersion < minClientVersion)
{
return(SecurityPolicyResult.CreateErrorResult(string.Format(CultureInfo.CurrentCulture,
Strings.SecurityPolicy_RequireMinClientVersionForPush, minClientVersion)));
}
return(SecurityPolicyResult.SuccessResult);
}
