private XacmlResourceAttributes GetResourceAttributeValues(XacmlContextAttributes resourceContextAttributes)
{
XacmlResourceAttributes resourceAttributes = new XacmlResourceAttributes();
foreach (XacmlAttribute attribute in resourceContextAttributes.Attributes)
{
if (attribute.AttributeId.OriginalString.Equals(XacmlRequestAttribute.OrgAttribute))
{
resourceAttributes.OrgValue = attribute.AttributeValues.First().Value;
}
if (attribute.AttributeId.OriginalString.Equals(XacmlRequestAttribute.AppAttribute))
{
resourceAttributes.AppValue = attribute.AttributeValues.First().Value;
}
if (attribute.AttributeId.OriginalString.Equals(XacmlRequestAttribute.InstanceAttribute))
{
resourceAttributes.InstanceValue = attribute.AttributeValues.First().Value;
}
if (attribute.AttributeId.OriginalString.Equals(XacmlRequestAttribute.PartyAttribute))
{
resourceAttributes.ResourcePartyValue = attribute.AttributeValues.First().Value;
}
if (attribute.AttributeId.OriginalString.Equals(XacmlRequestAttribute.TaskAttribute))
{
resourceAttributes.TaskValue = attribute.AttributeValues.First().Value;
}
}
return(resourceAttributes);
}
private async Task EnrichResourceAttributes(XacmlContextRequest request)
{
XacmlContextAttributes resourceContextAttributes = request.GetResourceAttributes();
XacmlResourceAttributes resourceAttributes = GetResourceAttributeValues(resourceContextAttributes);
await EnrichSubjectAttributes(request, resourceAttributes.ResourcePartyValue);
}
private async Task EnrichResourceAttributes(XacmlContextRequest request)
{
XacmlContextAttributes resourceContextAttributes = request.GetResourceAttributes();
XacmlResourceAttributes resourceAttributes = GetResourceAttributeValues(resourceContextAttributes);
bool resourceAttributeComplete = false;
if (!string.IsNullOrEmpty(resourceAttributes.OrgValue) &&
!string.IsNullOrEmpty(resourceAttributes.AppValue) &&
!string.IsNullOrEmpty(resourceAttributes.InstanceValue) &&
!string.IsNullOrEmpty(resourceAttributes.ResourcePartyValue) &&
!string.IsNullOrEmpty(resourceAttributes.TaskValue))
{
// The resource attributes are complete
resourceAttributeComplete = true;
}
else if (!string.IsNullOrEmpty(resourceAttributes.OrgValue) &&
!string.IsNullOrEmpty(resourceAttributes.AppValue) &&
string.IsNullOrEmpty(resourceAttributes.InstanceValue) &&
!string.IsNullOrEmpty(resourceAttributes.ResourcePartyValue) &&
string.IsNullOrEmpty(resourceAttributes.TaskValue))
{
// The resource attributes are complete
resourceAttributeComplete = true;
}
if (!resourceAttributeComplete)
{
Instance instanceData = await _instanceService.GetInstance(resourceAttributes.AppValue, resourceAttributes.OrgValue, Convert.ToInt32(resourceAttributes.InstanceValue.Split('/')[0]), new Guid(resourceAttributes.InstanceValue.Split('/')[1]));
if (instanceData != null)
{
AddIfValueDoesNotExist(resourceContextAttributes, XacmlRequestAttribute.OrgAttribute, resourceAttributes.OrgValue, instanceData.Org);
string app = instanceData.AppId.Split("/")[1];
AddIfValueDoesNotExist(resourceContextAttributes, XacmlRequestAttribute.AppAttribute, resourceAttributes.AppValue, app);
if (instanceData.Process?.CurrentTask != null)
{
AddIfValueDoesNotExist(resourceContextAttributes, XacmlRequestAttribute.TaskAttribute, resourceAttributes.TaskValue, instanceData.Process.CurrentTask.ElementId);
}
else if (instanceData.Process?.EndEvent != null)
{
AddIfValueDoesNotExist(resourceContextAttributes, XacmlRequestAttribute.EndEventAttribute, null, instanceData.Process.EndEvent);
}
AddIfValueDoesNotExist(resourceContextAttributes, XacmlRequestAttribute.PartyAttribute, resourceAttributes.ResourcePartyValue, instanceData.InstanceOwner.PartyId);
resourceAttributes.ResourcePartyValue = instanceData.InstanceOwner.PartyId;
}
}
await EnrichSubjectAttributes(request, resourceAttributes.ResourcePartyValue);
}
private async Task EnrichResourceAttributes(XacmlContextRequest request)
{
XacmlContextAttributes resourceContextAttributes = request.GetResourceAttributes();
XacmlResourceAttributes resourceAttributes = GetResourceAttributeValues(resourceContextAttributes);
bool resourceAttributeComplete = false;
if (!string.IsNullOrEmpty(resourceAttributes.OrgValue) &&
!string.IsNullOrEmpty(resourceAttributes.AppValue) &&
!string.IsNullOrEmpty(resourceAttributes.InstanceValue) &&
!string.IsNullOrEmpty(resourceAttributes.ResourcePartyValue) &&
!string.IsNullOrEmpty(resourceAttributes.TaskValue))
{
// The resource attributes are complete
resourceAttributeComplete = true;
}
else if (!string.IsNullOrEmpty(resourceAttributes.OrgValue) &&
!string.IsNullOrEmpty(resourceAttributes.AppValue) &&
string.IsNullOrEmpty(resourceAttributes.InstanceValue) &&
!string.IsNullOrEmpty(resourceAttributes.ResourcePartyValue) &&
string.IsNullOrEmpty(resourceAttributes.TaskValue))
{
// The resource attributes are complete
resourceAttributeComplete = true;
}
if (!resourceAttributeComplete && !string.IsNullOrEmpty(resourceAttributes.InstanceValue))
{
Instance instanceData = await _policyInformationRepository.GetInstance(resourceAttributes.InstanceValue);
if (instanceData != null)
{
AddIfValueDoesNotExist(resourceContextAttributes, XacmlRequestAttribute.OrgAttribute, resourceAttributes.OrgValue, instanceData.Org);
string app = instanceData.AppId.Split("/")[1];
AddIfValueDoesNotExist(resourceContextAttributes, XacmlRequestAttribute.AppAttribute, resourceAttributes.AppValue, app);
if (instanceData.Process?.CurrentTask != null)
{
AddIfValueDoesNotExist(resourceContextAttributes, XacmlRequestAttribute.TaskAttribute, resourceAttributes.TaskValue, instanceData.Process.CurrentTask.ElementId);
}
AddIfValueDoesNotExist(resourceContextAttributes, XacmlRequestAttribute.PartyAttribute, resourceAttributes.ResourcePartyValue, instanceData.InstanceOwner.PartyId);
resourceAttributes.ResourcePartyValue = instanceData.InstanceOwner.PartyId;
}
}
await EnrichSubjectAttributes(request, resourceAttributes.ResourcePartyValue);
}
private async Task <XacmlContextResponse> AuthorizeBasedOnDelegations(XacmlContextRequest decisionRequest, XacmlPolicy appPolicy)
{
XacmlContextResponse delegationContextResponse = new XacmlContextResponse(new XacmlContextResult(XacmlContextDecision.NotApplicable)
{
Status = new XacmlContextStatus(XacmlContextStatusCode.Success)
});
XacmlResourceAttributes resourceAttributes = _delegationContextHandler.GetResourceAttributes(decisionRequest);
int subjectUserId = _delegationContextHandler.GetSubjectUserId(decisionRequest);
if (resourceAttributes == null ||
string.IsNullOrEmpty(resourceAttributes.OrgValue) ||
string.IsNullOrEmpty(resourceAttributes.AppValue) ||
subjectUserId == 0 ||
!int.TryParse(resourceAttributes.ResourcePartyValue, out int reporteePartyId))
{
// Not able to continue authorization based on delegations because of incomplete decision request
string request = JsonConvert.SerializeObject(decisionRequest);
_logger.LogWarning("// DecisionController // Authorize // Delegations // Incomplete request: {request}", request);
return(new XacmlContextResponse(new XacmlContextResult(XacmlContextDecision.Indeterminate)
{
Status = new XacmlContextStatus(XacmlContextStatusCode.Success)
}));
}
List <string> appIds = new List <string> {
$"{resourceAttributes.OrgValue}/{resourceAttributes.AppValue}"
};
List <int> offeredByPartyIds = new List <int> {
reporteePartyId
};
List <int> coveredByUserIds = new List <int> {
subjectUserId
};
// 1. Direct user delegations
List <DelegationChange> delegations = await _delegationRepository.GetAllCurrentDelegationChanges(offeredByPartyIds, appIds, coveredByUserIds : coveredByUserIds);
if (delegations.Any())
{
delegationContextResponse = await AuthorizeBasedOnDelegations(decisionRequest, delegations, appPolicy);
if (delegationContextResponse.Results.Any(r => r.Decision == XacmlContextDecision.Permit))
{
return(delegationContextResponse);
}
}
// 2. Direct user delegations from mainunit
List <MainUnit> mainunits = await _delegationContextHandler.GetMainUnits(reporteePartyId);
List <int> mainunitPartyIds = mainunits.Where(m => m.PartyId.HasValue).Select(m => m.PartyId.Value).ToList();
if (mainunitPartyIds.Any())
{
offeredByPartyIds.AddRange(mainunitPartyIds);
delegations = await _delegationRepository.GetAllCurrentDelegationChanges(mainunitPartyIds, appIds, coveredByUserIds : coveredByUserIds);
if (delegations.Any())
{
delegationContextResponse = await AuthorizeBasedOnDelegations(decisionRequest, delegations, appPolicy);
if (delegationContextResponse.Results.Any(r => r.Decision == XacmlContextDecision.Permit))
{
return(delegationContextResponse);
}
}
}
// 3. Direct party delegations to keyrole units
List <int> keyrolePartyIds = await _delegationContextHandler.GetKeyRolePartyIds(subjectUserId);
if (keyrolePartyIds.Any())
{
delegations = await _delegationRepository.GetAllCurrentDelegationChanges(offeredByPartyIds, appIds, coveredByPartyIds : keyrolePartyIds);
if (delegations.Any())
{
_delegationContextHandler.Enrich(decisionRequest, keyrolePartyIds);
delegationContextResponse = await AuthorizeBasedOnDelegations(decisionRequest, delegations, appPolicy);
}
}
return(delegationContextResponse);
}