示例#1
0
        public override SecurityPolicyResult Evaluate(UserSecurityPolicyEvaluationContext context)
        {
            if (context == null)
            {
                throw new ArgumentNullException(nameof(context));
            }

            var identity = context.HttpContext.User.Identity;

            if (identity.HasExplicitScopeAction(NuGetScopes.PackageVerify))
            {
                return(SecurityPolicyResult.SuccessResult);
            }

            return(SecurityPolicyResult.CreateErrorResult(Strings.SecurityPolicy_RequireApiKeyWithPackageVerifyScope));
        }
        /// <summary>
        /// Evaluate if this package compliance policy is met.
        /// </summary>
        public override async Task <SecurityPolicyResult> EvaluateAsync(PackageSecurityPolicyEvaluationContext context)
        {
            if (context == null)
            {
                throw new ArgumentNullException(nameof(context));
            }

            // This particular package policy assumes the existence of a particular user.
            // Succeed silently (effectively ignoring this policy when enabled) when that user does not exist.
            var state           = GetState(context);
            var requiredCoOwner = context.UserService.FindByUsername(state.RequiredCoOwnerUsername);

            if (requiredCoOwner == null)
            {
                // This may happen on gallery deployments that don't have this particular user.
                return(SecurityPolicyResult.SuccessResult);
            }

            // Evaluate package metadata validations
            if (!IsPackageMetadataCompliant(context.Package, state, out var complianceFailures))
            {
                // Package policy not met.
                return(SecurityPolicyResult.CreateErrorResult(
                           string.Format(
                               CultureInfo.CurrentCulture,
                               state.ErrorMessageFormat,
                               Environment.NewLine + string.Join(Environment.NewLine, complianceFailures))));
            }

            // Automatically add the required co-owner when metadata is compliant.
            if (!context.Package.PackageRegistration.Owners.Select(o => o.Username).Contains(state.RequiredCoOwnerUsername, StringComparer.OrdinalIgnoreCase))
            {
                // This will also mark the package as verified if the prefix has been reserved by the co-owner.
                // The entities context is committed later as a single atomic transaction (see PackageUploadService).
                await context.PackageOwnershipManagementService.AddPackageOwnerAsync(context.Package.PackageRegistration, requiredCoOwner, commitChanges : false);
            }

            // If the PackageRegistration is not marked as verified,
            // the account pushing the package has not registered the prefix yet.
            if (!context.Package.PackageRegistration.IsVerified)
            {
                return(SecurityPolicyResult.CreateWarningResult(Strings.SecurityPolicy_RequirePackagePrefixReserved));
            }

            // All good!
            return(SecurityPolicyResult.SuccessResult);
        }
示例#3
0
        public override SecurityPolicyResult Evaluate(UserSecurityPolicyEvaluationContext context)
        {
            context = context ?? throw new ArgumentNullException(nameof(context));

            var state            = GetPolicyState(context);
            var targetAccount    = context.TargetAccount;
            var targetCredential = targetAccount.Credentials.GetAzureActiveDirectoryCredential();

            if (targetCredential == null ||
                !state.Tenant.Equals(targetCredential.TenantId, StringComparison.OrdinalIgnoreCase))
            {
                return(SecurityPolicyResult.CreateErrorResult(string.Format(CultureInfo.CurrentCulture,
                                                                            Strings.AddMember_UserDoesNotMeetOrganizationPolicy, targetAccount.Username)));
            }

            return(SecurityPolicyResult.SuccessResult);
        }
示例#4
0
        public override SecurityPolicyResult Evaluate(UserSecurityPolicyContext context)
        {
            if (context == null)
            {
                throw new ArgumentNullException(nameof(context));
            }

            var minClientVersion = GetMaxOfMinClientVersions(context);

            var clientVersion = GetClientVersion(context);

            if (clientVersion == null || clientVersion < minClientVersion)
            {
                return(SecurityPolicyResult.CreateErrorResult(string.Format(CultureInfo.CurrentCulture,
                                                                            Strings.SecurityPolicy_RequireMinClientVersionForPush, minClientVersion)));
            }

            return(SecurityPolicyResult.SuccessResult);
        }
        public void VerifyPolicyEvaluation(bool expectedPolicy1, bool?expectedPolicy2, SecurityPolicyResult actual)
        {
            var expectedSuccess = expectedPolicy1 && expectedPolicy2.Value;

            Assert.Equal(expectedSuccess, actual.Success);

            string failedPolicy = null;

            if (!expectedSuccess)
            {
                failedPolicy = expectedPolicy1 ? nameof(MockPolicy2) : nameof(MockPolicy1);
            }
            Assert.Equal(failedPolicy, actual.ErrorMessage);

            MockPolicy1.Verify(p => p.Evaluate(It.IsAny <UserSecurityPolicyEvaluationContext>()), Times.Once);
            MockPolicy2.Verify(p => p.Evaluate(It.IsAny <UserSecurityPolicyEvaluationContext>()),
                               expectedPolicy2.HasValue ? Times.Once() : Times.Never());
        }