Attribute Usage For Checking Method Permissions

Posted 2019-08-27 23:49

Question:

I'm trying to implement a security mechanism to automatically test a particular plugin's permissions and method security privileges and I've gotten a bit stuck on how to get this working.

I've written a custom MEF Metadata attribute that takes a constructor property like:

params PluginPermission[] permission

This contains an array of all the permissions that the plugin is granted.

The PluginPermission class looks like:

PluginPermission.cs

public enum PluginPermission
{
    CreateUsers,
    DeleteUsers,
    ReadPassword,
    WritePassword,
    AddUsersToGroups,
    AddGroups,
    DeleteGroups
}

I've also written a RequiredPermissionAttribute that targets individual methods and takes one or more PluginPermission objects to tell the system what permissions are required for an individual method to be executed. These are applied to the interface for the plugins like:

 ILicensingManagement.cs

 [RequiredPermission(PluginPermission.CreateUsers)]
 bool AddUser(string userName);

Obviously if the plugin doesn't have the required permissions for a particular method the method is not executed.

What I'm stuck on is how to actually get the test method in the RequiredPermissionAttribute class to run before the method is executed and how to gracefully exit the execution if the permissions requirements for the method are not met by the plugin.

I looked at the xUnit BeforeAfterTestAttribute but the implementation seemed so specific I struggled to pull the source code apart to arrive at the solution.

Answer 1:

I can't comment on MEF-specific things, but one thing to keep in mind is that custom attributes are nothing more than "tags"; they do not do anything unless your code specifically checks for them, for example using reflection.

The BeforeAfterTestAttribute of xUnit probably works because xUnit uses reflection to execute the methods. When it encounters this attribute it changes its behaviour accordingly.

Attributes in the .NET framework namespace work because either the CLR checks for them or the compiler does.

I know this doesn't really answer your question completely but it was a bit too long to put into a comment.

Update: you can access the attributes using the Type if it's a class or the MethodInfo if it's a method, e.g.

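// Needs: using System.Linq; using System.Reflection;
MethodInfo mi = /* method info */;
// GetCustomAttributes(Type, bool) is declared to return object[], not Attribute[]
object[] attrs = mi.GetCustomAttributes(typeof(RequiredPermissionAttribute), false);
RequiredPermissionAttribute req = attrs.Cast<RequiredPermissionAttribute>().FirstOrDefault();

// Refuse the call when the attribute is present and the permission is missing
if ((req != null) && (/* current user does not have the required permission */)) throw new Exception();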

But this is not a real security solution; a developer can easily avoid these checks. I've only briefly glanced at it, but PostSharp could maybe help you.
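
Added example, not part of the original answer: the reflection check above applied automatically to every interface call by wrapping the plugin in a `System.Reflection.DispatchProxy`, so the attribute is read before the plugin method runs. `PermissionProxy`, `Wrap`, `DemoPlugin` and the attribute's `Permissions` property are assumed names, the code assumes C# 9 or later on a runtime that ships `DispatchProxy`, and the check only covers calls the host routes through the wrapper.

```csharp
using System;
using System.Linq;
using System.Reflection;

// Demo with constructed data: one plugin granted CreateUsers, one granted only ReadPassword.
var ok = PermissionProxy<ILicensingManagement>.Wrap(new DemoPlugin(), PluginPermission.CreateUsers);
Console.WriteLine(ok.AddUser("alice"));
var denied = PermissionProxy<ILicensingManagement>.Wrap(new DemoPlugin(), PluginPermission.ReadPassword);
try { denied.AddUser("bob"); } catch (UnauthorizedAccessException e) { Console.WriteLine(e.Message); }

public enum PluginPermission { CreateUsers, DeleteUsers, ReadPassword, WritePassword, AddUsersToGroups, AddGroups, DeleteGroups }

[AttributeUsage(AttributeTargets.Method)]
public sealed class RequiredPermissionAttribute : Attribute
{
    public PluginPermission[] Permissions { get; }
    public RequiredPermissionAttribute(params PluginPermission[] permissions) { Permissions = permissions; }
}

public interface ILicensingManagement
{
    [RequiredPermission(PluginPermission.CreateUsers)]
    bool AddUser(string userName);
}

public class DemoPlugin : ILicensingManagement { public bool AddUser(string userName) => true; }

// Hypothetical host-side wrapper: every interface call reaches Invoke before the plugin.
public class PermissionProxy<T> : DispatchProxy where T : class
{
    private T _plugin;
    private PluginPermission[] _granted;

    public static T Wrap(T plugin, params PluginPermission[] granted)
    {
        T proxy = Create<T, PermissionProxy<T>>();
        var self = (PermissionProxy<T>)(object)proxy;
        self._plugin = plugin; self._granted = granted;
        return proxy;
    }
    protected override object Invoke(MethodInfo targetMethod, object[] args)
    {
        // targetMethod is the interface method, which is where the attribute is declared.
        var missing = targetMethod.GetCustomAttributes<RequiredPermissionAttribute>(false)
            .SelectMany(a => a.Permissions).Except(_granted).ToArray();
        if (missing.Length > 0)
            throw new UnauthorizedAccessException(targetMethod.Name + " denied, missing: " + string.Join(", ", missing));
        return targetMethod.Invoke(_plugin, args);
    }
}
```

The host has to hand out only the wrapped instance; any code holding a reference to the raw plugin object bypasses the check, which is the limitation the answer points out.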