public void ShouldMatchInputClaim()
{
var store = new MockPolicyStore();
ClaimsPolicyEvaluator evaluator = new ClaimsPolicyEvaluator(store);
InputPolicyClaim inputClaim = new InputPolicyClaim(this.issuer, this.inputClaimType, "myInputClaim");
OutputPolicyClaim outputClaim = new OutputPolicyClaim(this.outputClaimType, "myOutputClaimValue");
PolicyRule rule = new PolicyRule(AssertionsMatch.Any, new[] { inputClaim }, outputClaim);
var policyScope = new PolicyScope(new Uri("http://myScope"), new[] { rule });
policyScope.AddIssuer(new Issuer("http://originalIssuer", string.Empty, "OriginalIssuer"));
store.RetrieveScopesReturnValue = new List <PolicyScope>()
{
policyScope
};
IEnumerable <Claim> evaluatedOutputClaims = evaluator.Evaluate(new Uri("http://myScope"), new[] { new Claim("http://myInputClaimType", "myInputClaim", string.Empty, "http://myInputClaimIssuer", "http://originalIssuer") });
Assert.IsNotNull(evaluatedOutputClaims);
Assert.AreEqual(1, evaluatedOutputClaims.Count());
Assert.AreEqual("http://myOutputClaimType", evaluatedOutputClaims.ElementAt(0).ClaimType);
Assert.AreEqual("myOutputClaimValue", evaluatedOutputClaims.ElementAt(0).Value);
Assert.AreEqual("http://myInputClaimIssuer", evaluatedOutputClaims.ElementAt(0).Issuer);
Assert.AreEqual("OriginalIssuer", evaluatedOutputClaims.ElementAt(0).OriginalIssuer);
}
public void ShouldMatchInputClaimValueInCaseInsensitiveFashion()
{
var store = new MockPolicyStore();
var scopeUri = new Uri("http://myScope");
var inputClaimValue = "myInputClaimValue";
var outputClaimValue = "myOutputClaimValue";
InputPolicyClaim inputClaim = new InputPolicyClaim(
new Issuer("http://myInputClaimIssuer", "myInputClaimIssuer"),
new ClaimType("http://myInputClaimType", "myInputClaimType"),
inputClaimValue);
OutputPolicyClaim outputClaim = new OutputPolicyClaim(
new ClaimType("http://myOutputClaimType", "myOutputClaimType"),
outputClaimValue);
PolicyRule rule = new PolicyRule(AssertionsMatch.Any, new[] { inputClaim }, outputClaim);
store.RetrieveScopesReturnValue = new List <PolicyScope> {
new PolicyScope(scopeUri, new[] { rule })
};
var evaluator = new ClaimsPolicyEvaluator(store);
var evaluatedOutputClaims = evaluator.Evaluate(scopeUri, new[] { new Claim("http://myInputClaimType", inputClaimValue.ToUpperInvariant(), string.Empty, "http://myInputClaimIssuer") });
Assert.IsNotNull(evaluatedOutputClaims);
Assert.AreEqual(1, evaluatedOutputClaims.Count());
Assert.AreEqual(outputClaimValue, evaluatedOutputClaims.ElementAt(0).Value);
}
public void ShouldOutputCorrectInputValue()
{
var store = new MockPolicyStore();
ClaimsPolicyEvaluator evaluator = new ClaimsPolicyEvaluator(store);
InputPolicyClaim inputPolicyClaim1 = new InputPolicyClaim(this.issuer, this.inputClaimType, "*");
ClaimType outputClaimType1 = new ClaimType("http://myOutputClaimType1");
OutputPolicyClaim outputPolicyClaim1 = new OutputPolicyClaim(outputClaimType1, "myOutputClaimValue");
PolicyRule policyRule1 = new PolicyRule(AssertionsMatch.Any, new[] { inputPolicyClaim1 }, outputPolicyClaim1);
InputPolicyClaim inputPolicyClaim2 = new InputPolicyClaim(this.issuer, this.inputClaimType, "inputClaimValue");
ClaimType outputClaimType2 = new ClaimType("http://myOutputClaimType2");
OutputPolicyClaim outputPolicyClaim2 = new OutputPolicyClaim(outputClaimType2, string.Empty, CopyFromConstants.InputValue);
PolicyRule policyRule2 = new PolicyRule(AssertionsMatch.Any, new[] { inputPolicyClaim2 }, outputPolicyClaim2);
store.RetrieveScopesReturnValue = new List <PolicyScope>()
{
new PolicyScope(new Uri("http://myScope"), new[] { policyRule1, policyRule2 })
};
IEnumerable <Claim> evaluatedOutputClaims = evaluator.Evaluate(new Uri("http://myScope"), new[] { new Claim("http://myInputClaimType", "inputClaimValue", string.Empty, "http://myInputClaimIssuer") });
Assert.IsNotNull(evaluatedOutputClaims);
Assert.AreEqual(2, evaluatedOutputClaims.Count());
var outputClaim1 = evaluatedOutputClaims.FirstOrDefault(c => c.ClaimType == "http://myOutputClaimType1");
Assert.IsNotNull(outputClaim1);
Assert.AreEqual("myOutputClaimValue", outputClaim1.Value);
var outputClaim2 = evaluatedOutputClaims.FirstOrDefault(c => c.ClaimType == "http://myOutputClaimType2");
Assert.IsNotNull(outputClaim2);
Assert.AreEqual("inputClaimValue", outputClaim2.Value);
}
public void ShouldMatchInputClaimAndCopyInputIssuerToOutputValue()
{
var store = new MockPolicyStore();
ClaimsPolicyEvaluator evaluator = new ClaimsPolicyEvaluator(store);
ClaimType inputClaimType = new ClaimType("http://myInputClaimType");
ClaimType outputClaimType = new ClaimType("http://myOutputClaimType");
Issuer issuer = new Issuer("http://myInputClaimIssuer");
InputPolicyClaim inputClaim = new InputPolicyClaim(issuer, inputClaimType, "myInputClaim");
OutputPolicyClaim outputClaim = new OutputPolicyClaim(outputClaimType, string.Empty, CopyFromConstants.InputIssuer);
PolicyRule rule = new PolicyRule(AssertionsMatch.Any, new[] { inputClaim }, outputClaim);
store.RetrieveScopesReturnValue = new List <PolicyScope>()
{
new PolicyScope(new Uri("http://myScope"), new[] { rule })
};
IEnumerable <Claim> evaluatedOutputClaims = evaluator.Evaluate(new Uri("http://myScope"), new[] { new Claim("http://myInputClaimType", "myInputClaim", string.Empty, "http://myInputClaimIssuer") });
Assert.IsNotNull(evaluatedOutputClaims);
Assert.AreEqual(1, evaluatedOutputClaims.Count());
Assert.AreEqual("http://myOutputClaimType", evaluatedOutputClaims.ElementAt(0).ClaimType);
Assert.AreEqual("http://myInputClaimIssuer", evaluatedOutputClaims.ElementAt(0).Value);
}
public PolicyRule(AssertionsMatch assertionsMatch, IEnumerable<InputPolicyClaim> inputClaims, OutputPolicyClaim outputClaim)
{
if (outputClaim.CopyFromInput && inputClaims.Count() > 1)
{
throw new PolicyRuleException(Resources.CopyFromInputWithMultipleInputClaims);
}
this.AssertionsMatch = assertionsMatch;
this.OutputClaim = outputClaim;
this.InputClaims = new List<InputPolicyClaim>();
this.InputClaims.AddRange(inputClaims);
}
public void ShouldAddRuleViaWCF()
{
ChannelFactory <IPolicyStore> factory = new ChannelFactory <IPolicyStore>(new BasicHttpBinding(), new EndpointAddress("http://localhost:3333/policystore"));
IPolicyStore store = factory.CreateChannel();
var scope = store.RetrieveScopes().ElementAt(0);
InputPolicyClaim inputClaim = new InputPolicyClaim(scope.Issuers.ElementAt(0), scope.ClaimTypes.ElementAt(0), "thevalue");
OutputPolicyClaim outputClaim = new OutputPolicyClaim(scope.ClaimTypes.ElementAt(0), CopyFromConstants.InputValue);
PolicyRule rule = new PolicyRule(AssertionsMatch.All, new[] { inputClaim }, outputClaim);
store.AddPolicyRule(scope.Uri, rule);
var updatedScope = store.RetrieveScopes().ElementAt(0);
Assert.AreEqual(3, updatedScope.Rules.Count());
}
public void ShoudMatchInputClaimWithAssertionMatchAll()
{
var store = new MockPolicyStore();
ClaimsPolicyEvaluator evaluator = new ClaimsPolicyEvaluator(store);
InputPolicyClaim inputClaim = new InputPolicyClaim(this.issuer, this.inputClaimType, "myInputClaim");
OutputPolicyClaim outputClaim = new OutputPolicyClaim(this.outputClaimType, "myOutputClaimValue");
PolicyRule rule = new PolicyRule(AssertionsMatch.All, new[] { inputClaim }, outputClaim);
store.RetrieveScopesReturnValue = new List<PolicyScope>() { new PolicyScope(new Uri("http://myScope"), new[] { rule }) };
IEnumerable<Claim> evaluatedOutputClaims = evaluator.Evaluate(new Uri("http://myScope"), new[] { new Claim("http://myInputClaimType", "myInputClaim", string.Empty, "http://myInputClaimIssuer") });
Assert.IsNotNull(evaluatedOutputClaims);
Assert.AreEqual(1, evaluatedOutputClaims.Count());
Assert.AreEqual("http://myOutputClaimType", evaluatedOutputClaims.ElementAt(0).ClaimType);
Assert.AreEqual("myOutputClaimValue", evaluatedOutputClaims.ElementAt(0).Value);
}
public void ShouldNotMatchInputClaimWithDifferentValue()
{
var store = new MockPolicyStore();
ClaimsPolicyEvaluator evaluator = new ClaimsPolicyEvaluator(store);
InputPolicyClaim inputClaim = new InputPolicyClaim(this.issuer, this.inputClaimType, "myInputClaim");
OutputPolicyClaim outputClaim = new OutputPolicyClaim(this.outputClaimType, "myOutputClaimValue");
PolicyRule rule = new PolicyRule(AssertionsMatch.Any, new[] { inputClaim }, outputClaim);
store.RetrieveScopesReturnValue = new List <PolicyScope> {
new PolicyScope(new Uri("http://myScope"), new[] { rule })
};
IEnumerable <Claim> evaluatedOutputClaims = evaluator.Evaluate(new Uri("http://myScope"), new[] { new Claim("http://myInputClaimType", "otherInputClaim", string.Empty, "http://myInputClaimIssuer") });
Assert.IsNotNull(evaluatedOutputClaims);
Assert.AreEqual(0, evaluatedOutputClaims.Count());
}
private static XElement SerializeOutputClaim(OutputPolicyClaim outputPolicyClaim)
{
XElement outputElement = new XElement("output");
outputElement.SetAttributeValue("type", outputPolicyClaim.ClaimType.DisplayName);
if (!string.IsNullOrEmpty(outputPolicyClaim.Value))
{
outputElement.SetAttributeValue("value", outputPolicyClaim.Value);
}
if (outputPolicyClaim.CopyFromInput)
{
outputElement.SetAttributeValue("copyFrom", outputPolicyClaim.CopyFrom);
}
return(outputElement);
}
public void ShouldMatchInputClaimWithWildcardOnValue()
{
var store = new MockPolicyStore();
ClaimsPolicyEvaluator evaluator = new ClaimsPolicyEvaluator(store);
InputPolicyClaim inputClaim = new InputPolicyClaim(new Issuer("http://myInputClaimIssuer", "myInputClaimIssuer"), new ClaimType("http://myInputClaimType", "myInputClaimType"), "*");
OutputPolicyClaim outputClaim = new OutputPolicyClaim(new ClaimType("http://myOutputClaimType", "myOutputClaimType"), "myOutputClaimValue");
PolicyRule rule = new PolicyRule(AssertionsMatch.Any, new[] { inputClaim }, outputClaim);
store.RetrieveScopesReturnValue = new List <PolicyScope>()
{
new PolicyScope(new Uri("http://myScope"), new[] { rule })
};
IEnumerable <Claim> evaluatedOutputClaims = evaluator.Evaluate(new Uri("http://myScope"), new[] { new Claim("http://myInputClaimType", "anyValueShouldMatch", string.Empty, "http://myInputClaimIssuer") });
Assert.IsNotNull(evaluatedOutputClaims);
Assert.AreEqual(1, evaluatedOutputClaims.Count());
Assert.AreEqual("http://myOutputClaimType", evaluatedOutputClaims.ElementAt(0).ClaimType);
Assert.AreEqual("myOutputClaimValue", evaluatedOutputClaims.ElementAt(0).Value);
}
private static PolicyScope RetrieveScope(XElement scopeElement)
{
IDictionary <string, string> claimTypes = RetrieveReferences(scopeElement.Element("claimTypes"), "claimType", "displayName", "fullName");
IDictionary <string, Issuer> issuers = new Dictionary <string, Issuer>();
PolicyScope scope = new PolicyScope(new Uri(scopeElement.Attribute("uri").Value), new List <PolicyRule>());
var issuerElements = scopeElement.Element("issuers").Descendants("issuer");
foreach (var item in issuerElements)
{
Issuer issuer = new Issuer(
item.Attribute("uri").Value,
item.Attribute("thumbprint").Value.ToUpperInvariant(),
item.Attribute("displayName").Value);
scope.AddIssuer(issuer);
issuers.Add(issuer.DisplayName, issuer);
}
foreach (var item in claimTypes)
{
scope.AddClaimType(new ClaimType(item.Value, item.Key));
}
foreach (XElement ruleElement in scopeElement.Element("rules").Descendants("rule"))
{
AssertionsMatch assertionsMatch = RetrieveRuleAssertionsMatch(ruleElement);
IEnumerable <InputPolicyClaim> inputClaims = RetrieveInputClaims(ruleElement, issuers, claimTypes);
OutputPolicyClaim outputClaim = RetrieveOutputClaim(ruleElement, claimTypes);
scope.AddRule(new PolicyRule(assertionsMatch, inputClaims, outputClaim));
}
return(scope);
}
public void ShouldMatchInputClaimAndCopyInputIssuerToOutputValue()
{
var store = new MockPolicyStore();
ClaimsPolicyEvaluator evaluator = new ClaimsPolicyEvaluator(store);
ClaimType inputClaimType = new ClaimType("http://myInputClaimType");
ClaimType outputClaimType = new ClaimType("http://myOutputClaimType");
Issuer issuer = new Issuer("http://myInputClaimIssuer");
InputPolicyClaim inputClaim = new InputPolicyClaim(issuer, inputClaimType, "myInputClaim");
OutputPolicyClaim outputClaim = new OutputPolicyClaim(outputClaimType, string.Empty, CopyFromConstants.InputIssuer);
PolicyRule rule = new PolicyRule(AssertionsMatch.Any, new[] { inputClaim }, outputClaim);
store.RetrieveScopesReturnValue = new List<PolicyScope>() { new PolicyScope(new Uri("http://myScope"), new[] { rule }) };
IEnumerable<Claim> evaluatedOutputClaims = evaluator.Evaluate(new Uri("http://myScope"), new[] { new Claim("http://myInputClaimType", "myInputClaim", string.Empty, "http://myInputClaimIssuer") });
Assert.IsNotNull(evaluatedOutputClaims);
Assert.AreEqual(1, evaluatedOutputClaims.Count());
Assert.AreEqual("http://myOutputClaimType", evaluatedOutputClaims.ElementAt(0).ClaimType);
Assert.AreEqual("http://myInputClaimIssuer", evaluatedOutputClaims.ElementAt(0).Value);
}
public void ShouldOutputCorrectInputValue()
{
var store = new MockPolicyStore();
ClaimsPolicyEvaluator evaluator = new ClaimsPolicyEvaluator(store);
InputPolicyClaim inputPolicyClaim1 = new InputPolicyClaim(this.issuer, this.inputClaimType, "*");
ClaimType outputClaimType1 = new ClaimType("http://myOutputClaimType1");
OutputPolicyClaim outputPolicyClaim1 = new OutputPolicyClaim(outputClaimType1, "myOutputClaimValue");
PolicyRule policyRule1 = new PolicyRule(AssertionsMatch.Any, new[] { inputPolicyClaim1 }, outputPolicyClaim1);
InputPolicyClaim inputPolicyClaim2 = new InputPolicyClaim(this.issuer, this.inputClaimType, "inputClaimValue");
ClaimType outputClaimType2 = new ClaimType("http://myOutputClaimType2");
OutputPolicyClaim outputPolicyClaim2 = new OutputPolicyClaim(outputClaimType2, string.Empty, CopyFromConstants.InputValue);
PolicyRule policyRule2 = new PolicyRule(AssertionsMatch.Any, new[] { inputPolicyClaim2 }, outputPolicyClaim2);
store.RetrieveScopesReturnValue = new List<PolicyScope>() { new PolicyScope(new Uri("http://myScope"), new[] { policyRule1, policyRule2 }) };
IEnumerable<Claim> evaluatedOutputClaims = evaluator.Evaluate(new Uri("http://myScope"), new[] { new Claim("http://myInputClaimType", "inputClaimValue", string.Empty, "http://myInputClaimIssuer") });
Assert.IsNotNull(evaluatedOutputClaims);
Assert.AreEqual(2, evaluatedOutputClaims.Count());
var outputClaim1 = evaluatedOutputClaims.FirstOrDefault(c => c.ClaimType == "http://myOutputClaimType1");
Assert.IsNotNull(outputClaim1);
Assert.AreEqual("myOutputClaimValue", outputClaim1.Value);
var outputClaim2 = evaluatedOutputClaims.FirstOrDefault(c => c.ClaimType == "http://myOutputClaimType2");
Assert.IsNotNull(outputClaim2);
Assert.AreEqual("inputClaimValue", outputClaim2.Value);
}
public void ShouldMatchInputClaimValueInCaseInsensitiveFashion()
{
var store = new MockPolicyStore();
var scopeUri = new Uri("http://myScope");
var inputClaimValue = "myInputClaimValue";
var outputClaimValue = "myOutputClaimValue";
InputPolicyClaim inputClaim = new InputPolicyClaim(
new Issuer("http://myInputClaimIssuer", "myInputClaimIssuer"),
new ClaimType("http://myInputClaimType", "myInputClaimType"),
inputClaimValue);
OutputPolicyClaim outputClaim = new OutputPolicyClaim(
new ClaimType("http://myOutputClaimType", "myOutputClaimType"),
outputClaimValue);
PolicyRule rule = new PolicyRule(AssertionsMatch.Any, new[] { inputClaim }, outputClaim);
store.RetrieveScopesReturnValue = new List<PolicyScope> { new PolicyScope(scopeUri, new[] { rule }) };
var evaluator = new ClaimsPolicyEvaluator(store);
var evaluatedOutputClaims = evaluator.Evaluate(scopeUri, new[] { new Claim("http://myInputClaimType", inputClaimValue.ToUpperInvariant(), string.Empty, "http://myInputClaimIssuer") });
Assert.IsNotNull(evaluatedOutputClaims);
Assert.AreEqual(1, evaluatedOutputClaims.Count());
Assert.AreEqual(outputClaimValue, evaluatedOutputClaims.ElementAt(0).Value);
}
private static XElement SerializeOutputClaim(OutputPolicyClaim outputPolicyClaim)
{
XElement outputElement = new XElement("output");
outputElement.SetAttributeValue("type", outputPolicyClaim.ClaimType.DisplayName);
if (!string.IsNullOrEmpty(outputPolicyClaim.Value))
{
outputElement.SetAttributeValue("value", outputPolicyClaim.Value);
}
if (outputPolicyClaim.CopyFromInput)
{
outputElement.SetAttributeValue("copyFrom", outputPolicyClaim.CopyFrom);
}
return outputElement;
}
