private XacmlContextResponse SetuUpPolicyDecisionPoint(string testCase, bool contextRequstIsEnriched)
{
XacmlContextRequest contextRequest = XacmlTestDataParser.ParseRequest(testCase + "Request.xml", GetConformancePath());
XacmlContextRequest contextRequestEnriched = contextRequest;
if (contextRequstIsEnriched)
{
contextRequestEnriched = XacmlTestDataParser.ParseRequest(testCase + "Request_Enriched.xml", GetConformancePath());
}
Moq.Mock <IContextHandler> moqContextHandler = new Mock <IContextHandler>();
moqContextHandler.Setup(c => c.Enrich(It.IsAny <XacmlContextRequest>())).ReturnsAsync(contextRequestEnriched);
Moq.Mock <IPolicyRetrievalPoint> moqPRP = new Mock <IPolicyRetrievalPoint>();
XacmlPolicy policy = null;
try
{
policy = XacmlTestDataParser.ParsePolicy(testCase + "Policy.xml", GetConformancePath());
moqPRP.Setup(p => p.GetPolicyAsync(It.IsAny <XacmlContextRequest>())).ReturnsAsync(policy);
}
catch (XmlException ex)
{
moqPRP.Setup(p => p.GetPolicyAsync(It.IsAny <XacmlContextRequest>())).Throws(ex);
}
PolicyDecisionPoint pdp = new PolicyDecisionPoint();
XacmlContextResponse xacmlResponse = pdp.Authorize(contextRequestEnriched, policy);
return(xacmlResponse);
}
protected override Task HandleRequirementAsync(AuthorizationHandlerContext context, PolicyRequirement requirement)
{
context.Succeed(requirement);
var ctx = context.Resource as AuthorizationFilterContext;
//Here we need to call the methods to work with our policies
var authRequest = new AuthorizationRequest();
var claims = context.User.Claims;
foreach (var claim in claims)
{
authRequest.SubjectAttributes.Add(claim.Type, claim.Value);
}
authRequest.ResourceAttributes.Add("resource", requirement.ResourceNamespace);
authRequest.ActionAttributes.Add("action", requirement.ActionNamespace);
PolicyDecisionPoint _pdp = new PolicyDecisionPoint(_policyRepository, _grouPermission);
var authResponse = _pdp.Evaluate(authRequest);
if (authResponse.Decision == AuthorizationDecision.Permit)
{
context.Succeed(requirement);
}
else
{
if (ctx.HttpContext.Request.ContentType == "application/json")
{
ctx.Result = new UnauthorizedResult();
}
else
{
context.Fail();
}
}
return(Task.CompletedTask);
}
protected override bool AuthorizeCore(HttpContextBase httpContext)
{
string user = httpContext.User.Identity.Name;
string method = httpContext.Request.HttpMethod;
string resource = httpContext.Request.Url.AbsoluteUri;
return(PolicyDecisionPoint.IsAcesssible(user, method, resource));
}
/// <summary>
/// Initializes a new instance of the <see cref="DecisionController"/> class.
/// </summary>
/// <param name="contextHandler">The Context handler</param>
/// <param name="delegationContextHandler">The delegation context handler</param>
/// <param name="policyRetrievalPoint">The policy Retrieval point</param>
/// <param name="delegationRepository">The delegation repository</param>
/// <param name="logger">the logger.</param>
public DecisionController(IContextHandler contextHandler, IDelegationContextHandler delegationContextHandler, IPolicyRetrievalPoint policyRetrievalPoint, IDelegationMetadataRepository delegationRepository, ILogger <DecisionController> logger)
{
_pdp = new PolicyDecisionPoint();
_prp = policyRetrievalPoint;
_contextHandler = contextHandler;
_delegationContextHandler = delegationContextHandler;
_delegationRepository = delegationRepository;
_logger = logger;
}
private async Task <XacmlContextResponse> Authorize(XacmlContextRequest decisionRequest)
{
decisionRequest = await Enrich(decisionRequest);
XacmlPolicy policy = await GetPolicyAsync(decisionRequest);
PolicyDecisionPoint pdp = new PolicyDecisionPoint();
XacmlContextResponse xacmlContextResponse = pdp.Authorize(decisionRequest, policy);
return(xacmlContextResponse);
}
private async Task <XacmlContextResponse> Authorize(XacmlContextRequest decisionRequest)
{
decisionRequest = await this._contextHandler.Enrich(decisionRequest);
_logger.LogInformation($"// DecisionController // Authorize // Enriched request: {JsonConvert.SerializeObject(decisionRequest)}.");
XacmlPolicy policy = await this._prp.GetPolicyAsync(decisionRequest);
PolicyDecisionPoint pdp = new PolicyDecisionPoint();
XacmlContextResponse xacmlContextResponse = pdp.Authorize(decisionRequest, policy);
_logger.LogInformation($"// DecisionController // Authorize // XACML ContextResponse: {JsonConvert.SerializeObject(xacmlContextResponse)}.");
return(xacmlContextResponse);
}
public void PolicyDecisionPointShouldAllowReadForAllMedicalRecords()
{
var policyManagementPoint = new PolicyManagementPoint();
policyManagementPoint.Policies.Add(
new Policy(
id: "urn:oasis:names:tc:xacml:3.0:example:policyid:1",
target: new Target(
new AnyOf(
new AllOf(
new StringEqualMatch(
new AttributeDesignator(
Constants.Category.Resource,
Resource.TargetNamespace,
DataType.AnyUri),
new AttributeValue(
DataType.AnyUri,
""))))),
combiningAlgorithm: new DenyOverridesCombiningAlgorithm(),
rules: new IRule[] { }));
var policyDecisionPoint = new PolicyDecisionPoint(policyManagementPoint);
var authorizationResponse = policyDecisionPoint.Authorize(
new AuthorizationRequest(
new AuthorizationContext(
new AttributeCategory(
Constants.Category.AccessSubject,
new Attribute(
Constants.Attribute.SubjectId,
new AttributeValue(
dataType: DataType.Rfc822Name,
value: "*****@*****.**"))),
new AttributeCategory(
Constants.Category.Resource,
new Attribute(
Constants.Attribute.ResourceId,
new AttributeValue(
dataType: DataType.AnyUri,
value: "urn:simple:medical:record:12345"))),
new AttributeCategory(
Constants.Category.Action,
new Attribute(
Constants.Attribute.ActionId,
new AttributeValue(
dataType: DataType.String,
value: "read"))))));
Assert.IsNotNull(authorizationResponse);
Assert.AreEqual(1, authorizationResponse.Results.Count());
Assert.AreEqual(authorizationResponse.Results.First().Decision, Decision.Permit);
}
public ActionResult Post([FromBody] XacmlRequestApiModel model)
{
XacmlContextRequest request = null;
XacmlContextResponse xacmlContextResponse = null;
try
{
request = ParseApiBody(model);
}
catch (Exception)
{
XacmlContextResult result = new XacmlContextResult(XacmlContextDecision.Indeterminate)
{
Status = new XacmlContextStatus(XacmlContextStatusCode.SyntaxError)
};
xacmlContextResponse = new XacmlContextResponse(result);
}
if (request != null)
{
PolicyDecisionPoint pdp = new PolicyDecisionPoint(_contextHandler, _prp);
xacmlContextResponse = pdp.Authorize(request);
}
string accept = HttpContext.Request.Headers["Accept"];
if (!string.IsNullOrEmpty(accept) && accept.Equals("application/json"))
{
XacmlJsonResponse jsonReponse = XacmlJsonXmlConverter.ConvertResponse(xacmlContextResponse);
return(Ok(jsonReponse));
}
StringBuilder builder = new StringBuilder();
using (XmlWriter writer = XmlWriter.Create(builder))
{
XacmlSerializer.WriteContextResponse(writer, xacmlContextResponse);
}
string xml = builder.ToString();
return(Content(xml));
}
private XacmlContextResponse SetuUpPolicyDecisionPoint(string testCase, bool contextRequstIsEnriched)
{
XacmlContextRequest contextRequest = XacmlTestDataParser.ParseRequest(testCase + "Request.xml", GetAltinnAppsPath());
XacmlContextRequest contextRequestEnriched = contextRequest;
if (contextRequstIsEnriched)
{
contextRequestEnriched = XacmlTestDataParser.ParseRequest(testCase + "Request_Enriched.xml", GetAltinnAppsPath());
}
XacmlPolicy policy = XacmlTestDataParser.ParsePolicy(testCase + "Policy.xml", GetAltinnAppsPath());
Moq.Mock <IContextHandler> moqContextHandler = new Mock <IContextHandler>();
moqContextHandler.Setup(c => c.Enrich(It.IsAny <XacmlContextRequest>())).ReturnsAsync(contextRequestEnriched);
PolicyDecisionPoint pdp = new PolicyDecisionPoint();
XacmlContextResponse xacmlResponse = pdp.Authorize(contextRequestEnriched, policy);
return(xacmlResponse);
}
public static bool IsValidUser(string username, string password)
{
return(PolicyDecisionPoint.GetUser(username, password) != null);
}
public static bool IsAutorized(string user, string method, string resource)
{
return(PolicyDecisionPoint.IsAcesssible(user, method, resource));
}
public async Task <XacmlJsonResponse> GetDecisionForRequest(XacmlJsonRequestRoot xacmlJsonRequest)
{
string jsonResponse = string.Empty;
if (xacmlJsonRequest.Request.MultiRequests != null)
{
try
{
Authorization.ABAC.PolicyDecisionPoint pdp = new Authorization.ABAC.PolicyDecisionPoint();
XacmlJsonResponse multiResponse = new XacmlJsonResponse();
foreach (XacmlJsonRequestReference xacmlJsonRequestReference in xacmlJsonRequest.Request.MultiRequests.RequestReference)
{
XacmlJsonRequest jsonMultiRequestPart = new XacmlJsonRequest();
foreach (string refer in xacmlJsonRequestReference.ReferenceId)
{
IEnumerable <XacmlJsonCategory> resourceCategoriesPart = xacmlJsonRequest.Request.Resource.Where(i => i.Id.Equals(refer));
if (resourceCategoriesPart != null && resourceCategoriesPart.Count() > 0)
{
if (jsonMultiRequestPart.Resource == null)
{
jsonMultiRequestPart.Resource = new List <XacmlJsonCategory>();
}
jsonMultiRequestPart.Resource.AddRange(resourceCategoriesPart);
}
IEnumerable <XacmlJsonCategory> subjectCategoriesPart = xacmlJsonRequest.Request.AccessSubject.Where(i => i.Id.Equals(refer));
if (subjectCategoriesPart != null && subjectCategoriesPart.Count() > 0)
{
if (jsonMultiRequestPart.AccessSubject == null)
{
jsonMultiRequestPart.AccessSubject = new List <XacmlJsonCategory>();
}
jsonMultiRequestPart.AccessSubject.AddRange(subjectCategoriesPart);
}
IEnumerable <XacmlJsonCategory> actionCategoriesPart = xacmlJsonRequest.Request.Action.Where(i => i.Id.Equals(refer));
if (actionCategoriesPart != null && actionCategoriesPart.Count() > 0)
{
if (jsonMultiRequestPart.Action == null)
{
jsonMultiRequestPart.Action = new List <XacmlJsonCategory>();
}
jsonMultiRequestPart.Action.AddRange(actionCategoriesPart);
}
}
XacmlContextResponse partResponse = await Authorize(XacmlJsonXmlConverter.ConvertRequest(jsonMultiRequestPart));
XacmlJsonResponse xacmlJsonResponsePart = XacmlJsonXmlConverter.ConvertResponse(partResponse);
if (multiResponse.Response == null)
{
multiResponse.Response = new List <XacmlJsonResult>();
}
multiResponse.Response.Add(xacmlJsonResponsePart.Response.First());
}
return(multiResponse);
}
catch
{
}
}
else if (xacmlJsonRequest.Request.AccessSubject[0].Attribute.Exists(a => (a.AttributeId == "urn:altinn:userid" && int.Parse(a.Value) >= 3)) ||
xacmlJsonRequest.Request.AccessSubject[0].Attribute.Exists(a => a.AttributeId == "urn:altinn:org"))
{
XacmlContextRequest decisionRequest = XacmlJsonXmlConverter.ConvertRequest(xacmlJsonRequest.Request);
decisionRequest = await Enrich(decisionRequest);
PolicyDecisionPoint pdp = new PolicyDecisionPoint();
XacmlPolicy policy = await GetPolicyAsync(decisionRequest);
XacmlContextResponse contextResponse = pdp.Authorize(decisionRequest, policy);
return(XacmlJsonXmlConverter.ConvertResponse(contextResponse));
}
else if (xacmlJsonRequest.Request.AccessSubject[0].Attribute.Exists(a => (a.AttributeId == "urn:altinn:userid" && a.Value == "1")) ||
xacmlJsonRequest.Request.AccessSubject[0].Attribute.Exists(a => a.AttributeId == "urn:altinn:org"))
{
jsonResponse = File.ReadAllText("data/response_permit.json");
}
else if (xacmlJsonRequest.Request.AccessSubject[0].Attribute.Exists(a => (a.AttributeId == "urn:altinn:userid" && a.Value == "-1")))
{
jsonResponse = File.ReadAllText("data/response_deny.json");
}
else
{
jsonResponse = File.ReadAllText("data/response_deny.json");
}
XacmlJsonResponse response = JsonConvert.DeserializeObject <XacmlJsonResponse>(jsonResponse);
return(response);
}
