private async Task <XacmlContextResponse> Authorize(XacmlContextRequest decisionRequest)
{
decisionRequest = await this._contextHandler.Enrich(decisionRequest);
_logger.LogInformation($"// DecisionController // Authorize // Roles // Enriched request: {JsonConvert.SerializeObject(decisionRequest)}.");
XacmlPolicy policy = await this._prp.GetPolicyAsync(decisionRequest);
XacmlContextResponse rolesContextResponse = _pdp.Authorize(decisionRequest, policy);
_logger.LogInformation($"// DecisionController // Authorize // Roles // XACML ContextResponse: {JsonConvert.SerializeObject(rolesContextResponse)}.");
XacmlContextResult roleResult = rolesContextResponse.Results.First();
if (roleResult.Decision.Equals(XacmlContextDecision.NotApplicable))
{
try
{
XacmlContextResponse delegationContextResponse = await AuthorizeBasedOnDelegations(decisionRequest, policy);
XacmlContextResult delegationResult = delegationContextResponse.Results.First();
if (delegationResult.Decision.Equals(XacmlContextDecision.Permit))
{
return(delegationContextResponse);
}
}
catch (Exception ex)
{
_logger.LogError(ex, "// DecisionController // Authorize // Delegation // Unexpected Exception");
}
}
return(rolesContextResponse);
}
private XacmlContextResponse SetuUpPolicyDecisionPoint(string testCase, bool contextRequstIsEnriched)
{
XacmlContextRequest contextRequest = XacmlTestDataParser.ParseRequest(testCase + "Request.xml", GetConformancePath());
XacmlContextRequest contextRequestEnriched = contextRequest;
if (contextRequstIsEnriched)
{
contextRequestEnriched = XacmlTestDataParser.ParseRequest(testCase + "Request_Enriched.xml", GetConformancePath());
}
Moq.Mock <IContextHandler> moqContextHandler = new Mock <IContextHandler>();
moqContextHandler.Setup(c => c.Enrich(It.IsAny <XacmlContextRequest>())).ReturnsAsync(contextRequestEnriched);
Moq.Mock <IPolicyRetrievalPoint> moqPRP = new Mock <IPolicyRetrievalPoint>();
XacmlPolicy policy = null;
try
{
policy = XacmlTestDataParser.ParsePolicy(testCase + "Policy.xml", GetConformancePath());
moqPRP.Setup(p => p.GetPolicyAsync(It.IsAny <XacmlContextRequest>())).ReturnsAsync(policy);
}
catch (XmlException ex)
{
moqPRP.Setup(p => p.GetPolicyAsync(It.IsAny <XacmlContextRequest>())).Throws(ex);
}
PolicyDecisionPoint pdp = new PolicyDecisionPoint();
XacmlContextResponse xacmlResponse = pdp.Authorize(contextRequestEnriched, policy);
return(xacmlResponse);
}
private async Task <XacmlContextResponse> Authorize(XacmlContextRequest decisionRequest)
{
decisionRequest = await Enrich(decisionRequest);
XacmlPolicy policy = await GetPolicyAsync(decisionRequest);
PolicyDecisionPoint pdp = new PolicyDecisionPoint();
XacmlContextResponse xacmlContextResponse = pdp.Authorize(decisionRequest, policy);
return(xacmlContextResponse);
}
private async Task <XacmlContextResponse> Authorize(XacmlContextRequest decisionRequest)
{
decisionRequest = await this._contextHandler.Enrich(decisionRequest);
_logger.LogInformation($"// DecisionController // Authorize // Enriched request: {JsonConvert.SerializeObject(decisionRequest)}.");
XacmlPolicy policy = await this._prp.GetPolicyAsync(decisionRequest);
PolicyDecisionPoint pdp = new PolicyDecisionPoint();
XacmlContextResponse xacmlContextResponse = pdp.Authorize(decisionRequest, policy);
_logger.LogInformation($"// DecisionController // Authorize // XACML ContextResponse: {JsonConvert.SerializeObject(xacmlContextResponse)}.");
return(xacmlContextResponse);
}
public void PolicyDecisionPointShouldAllowReadForAllMedicalRecords()
{
var policyManagementPoint = new PolicyManagementPoint();
policyManagementPoint.Policies.Add(
new Policy(
id: "urn:oasis:names:tc:xacml:3.0:example:policyid:1",
target: new Target(
new AnyOf(
new AllOf(
new StringEqualMatch(
new AttributeDesignator(
Constants.Category.Resource,
Resource.TargetNamespace,
DataType.AnyUri),
new AttributeValue(
DataType.AnyUri,
""))))),
combiningAlgorithm: new DenyOverridesCombiningAlgorithm(),
rules: new IRule[] { }));
var policyDecisionPoint = new PolicyDecisionPoint(policyManagementPoint);
var authorizationResponse = policyDecisionPoint.Authorize(
new AuthorizationRequest(
new AuthorizationContext(
new AttributeCategory(
Constants.Category.AccessSubject,
new Attribute(
Constants.Attribute.SubjectId,
new AttributeValue(
dataType: DataType.Rfc822Name,
value: "*****@*****.**"))),
new AttributeCategory(
Constants.Category.Resource,
new Attribute(
Constants.Attribute.ResourceId,
new AttributeValue(
dataType: DataType.AnyUri,
value: "urn:simple:medical:record:12345"))),
new AttributeCategory(
Constants.Category.Action,
new Attribute(
Constants.Attribute.ActionId,
new AttributeValue(
dataType: DataType.String,
value: "read"))))));
Assert.IsNotNull(authorizationResponse);
Assert.AreEqual(1, authorizationResponse.Results.Count());
Assert.AreEqual(authorizationResponse.Results.First().Decision, Decision.Permit);
}
public ActionResult Post([FromBody] XacmlRequestApiModel model)
{
XacmlContextRequest request = null;
XacmlContextResponse xacmlContextResponse = null;
try
{
request = ParseApiBody(model);
}
catch (Exception)
{
XacmlContextResult result = new XacmlContextResult(XacmlContextDecision.Indeterminate)
{
Status = new XacmlContextStatus(XacmlContextStatusCode.SyntaxError)
};
xacmlContextResponse = new XacmlContextResponse(result);
}
if (request != null)
{
PolicyDecisionPoint pdp = new PolicyDecisionPoint(_contextHandler, _prp);
xacmlContextResponse = pdp.Authorize(request);
}
string accept = HttpContext.Request.Headers["Accept"];
if (!string.IsNullOrEmpty(accept) && accept.Equals("application/json"))
{
XacmlJsonResponse jsonReponse = XacmlJsonXmlConverter.ConvertResponse(xacmlContextResponse);
return(Ok(jsonReponse));
}
StringBuilder builder = new StringBuilder();
using (XmlWriter writer = XmlWriter.Create(builder))
{
XacmlSerializer.WriteContextResponse(writer, xacmlContextResponse);
}
string xml = builder.ToString();
return(Content(xml));
}
private XacmlContextResponse SetuUpPolicyDecisionPoint(string testCase, bool contextRequstIsEnriched)
{
XacmlContextRequest contextRequest = XacmlTestDataParser.ParseRequest(testCase + "Request.xml", GetAltinnAppsPath());
XacmlContextRequest contextRequestEnriched = contextRequest;
if (contextRequstIsEnriched)
{
contextRequestEnriched = XacmlTestDataParser.ParseRequest(testCase + "Request_Enriched.xml", GetAltinnAppsPath());
}
XacmlPolicy policy = XacmlTestDataParser.ParsePolicy(testCase + "Policy.xml", GetAltinnAppsPath());
Moq.Mock <IContextHandler> moqContextHandler = new Mock <IContextHandler>();
moqContextHandler.Setup(c => c.Enrich(It.IsAny <XacmlContextRequest>())).ReturnsAsync(contextRequestEnriched);
PolicyDecisionPoint pdp = new PolicyDecisionPoint();
XacmlContextResponse xacmlResponse = pdp.Authorize(contextRequestEnriched, policy);
return(xacmlResponse);
}
public async Task <XacmlJsonResponse> GetDecisionForRequest(XacmlJsonRequestRoot xacmlJsonRequest)
{
string jsonResponse = string.Empty;
if (xacmlJsonRequest.Request.MultiRequests != null)
{
try
{
Authorization.ABAC.PolicyDecisionPoint pdp = new Authorization.ABAC.PolicyDecisionPoint();
XacmlJsonResponse multiResponse = new XacmlJsonResponse();
foreach (XacmlJsonRequestReference xacmlJsonRequestReference in xacmlJsonRequest.Request.MultiRequests.RequestReference)
{
XacmlJsonRequest jsonMultiRequestPart = new XacmlJsonRequest();
foreach (string refer in xacmlJsonRequestReference.ReferenceId)
{
IEnumerable <XacmlJsonCategory> resourceCategoriesPart = xacmlJsonRequest.Request.Resource.Where(i => i.Id.Equals(refer));
if (resourceCategoriesPart != null && resourceCategoriesPart.Count() > 0)
{
if (jsonMultiRequestPart.Resource == null)
{
jsonMultiRequestPart.Resource = new List <XacmlJsonCategory>();
}
jsonMultiRequestPart.Resource.AddRange(resourceCategoriesPart);
}
IEnumerable <XacmlJsonCategory> subjectCategoriesPart = xacmlJsonRequest.Request.AccessSubject.Where(i => i.Id.Equals(refer));
if (subjectCategoriesPart != null && subjectCategoriesPart.Count() > 0)
{
if (jsonMultiRequestPart.AccessSubject == null)
{
jsonMultiRequestPart.AccessSubject = new List <XacmlJsonCategory>();
}
jsonMultiRequestPart.AccessSubject.AddRange(subjectCategoriesPart);
}
IEnumerable <XacmlJsonCategory> actionCategoriesPart = xacmlJsonRequest.Request.Action.Where(i => i.Id.Equals(refer));
if (actionCategoriesPart != null && actionCategoriesPart.Count() > 0)
{
if (jsonMultiRequestPart.Action == null)
{
jsonMultiRequestPart.Action = new List <XacmlJsonCategory>();
}
jsonMultiRequestPart.Action.AddRange(actionCategoriesPart);
}
}
XacmlContextResponse partResponse = await Authorize(XacmlJsonXmlConverter.ConvertRequest(jsonMultiRequestPart));
XacmlJsonResponse xacmlJsonResponsePart = XacmlJsonXmlConverter.ConvertResponse(partResponse);
if (multiResponse.Response == null)
{
multiResponse.Response = new List <XacmlJsonResult>();
}
multiResponse.Response.Add(xacmlJsonResponsePart.Response.First());
}
return(multiResponse);
}
catch
{
}
}
else if (xacmlJsonRequest.Request.AccessSubject[0].Attribute.Exists(a => (a.AttributeId == "urn:altinn:userid" && int.Parse(a.Value) >= 3)) ||
xacmlJsonRequest.Request.AccessSubject[0].Attribute.Exists(a => a.AttributeId == "urn:altinn:org"))
{
XacmlContextRequest decisionRequest = XacmlJsonXmlConverter.ConvertRequest(xacmlJsonRequest.Request);
decisionRequest = await Enrich(decisionRequest);
PolicyDecisionPoint pdp = new PolicyDecisionPoint();
XacmlPolicy policy = await GetPolicyAsync(decisionRequest);
XacmlContextResponse contextResponse = pdp.Authorize(decisionRequest, policy);
return(XacmlJsonXmlConverter.ConvertResponse(contextResponse));
}
else if (xacmlJsonRequest.Request.AccessSubject[0].Attribute.Exists(a => (a.AttributeId == "urn:altinn:userid" && a.Value == "1")) ||
xacmlJsonRequest.Request.AccessSubject[0].Attribute.Exists(a => a.AttributeId == "urn:altinn:org"))
{
jsonResponse = File.ReadAllText("data/response_permit.json");
}
else if (xacmlJsonRequest.Request.AccessSubject[0].Attribute.Exists(a => (a.AttributeId == "urn:altinn:userid" && a.Value == "-1")))
{
jsonResponse = File.ReadAllText("data/response_deny.json");
}
else
{
jsonResponse = File.ReadAllText("data/response_deny.json");
}
XacmlJsonResponse response = JsonConvert.DeserializeObject <XacmlJsonResponse>(jsonResponse);
return(response);
}
