public void PDP_AuthorizeAccess_IIA002()
{
bool contextRequstIsEnriched = true;
string testCase = "IIA002";
XacmlContextResponse contextResponeExpected = XacmlTestDataParser.ParseResponse(testCase + "Response.xml", GetConformancePath());
XacmlContextResponse xacmlResponse = SetuUpPolicyDecisionPoint(testCase, contextRequstIsEnriched);
AssertionUtil.AssertEqual(contextResponeExpected, xacmlResponse);
}
/// <summary>
/// Assert that two <see cref="XacmlContextResponse"/> have the same property values.
/// </summary>
/// <param name="expected">An instance with the expected values.</param>
/// <param name="actual">The instance to verify.</param>
public static void AssertEqual(XacmlContextResponse expected, XacmlContextResponse actual)
{
Assert.NotNull(actual);
Assert.NotNull(expected);
Assert.Equal(expected.Results.Count, actual.Results.Count);
if (expected.Results.Count > 0)
{
AssertEqual(expected.Results.First(), actual.Results.First());
}
}
private async Task <XacmlContextResponse> Authorize(XacmlContextRequest decisionRequest)
{
decisionRequest = await Enrich(decisionRequest);
XacmlPolicy policy = await GetPolicyAsync(decisionRequest);
PolicyDecisionPoint pdp = new PolicyDecisionPoint();
XacmlContextResponse xacmlContextResponse = pdp.Authorize(decisionRequest, policy);
return(xacmlContextResponse);
}
public async Task PDP_Decision_AltinnApps0005()
{
string testCase = "AltinnApps0005";
HttpClient client = GetTestClient();
HttpRequestMessage httpRequestMessage = TestSetupUtil.CreateXacmlRequest(testCase);
XacmlContextResponse expected = TestSetupUtil.ReadExpectedResponse(testCase);
// Act
XacmlContextResponse contextResponse = await TestSetupUtil.GetXacmlContextResponseAsync(client, httpRequestMessage);
// Assert
AssertionUtil.AssertEqual(expected, contextResponse);
}
private async Task <XacmlContextResponse> Authorize(XacmlContextRequest decisionRequest)
{
decisionRequest = await this._contextHandler.Enrich(decisionRequest);
_logger.LogInformation($"// DecisionController // Authorize // Enriched request: {JsonConvert.SerializeObject(decisionRequest)}.");
XacmlPolicy policy = await this._prp.GetPolicyAsync(decisionRequest);
PolicyDecisionPoint pdp = new PolicyDecisionPoint();
XacmlContextResponse xacmlContextResponse = pdp.Authorize(decisionRequest, policy);
_logger.LogInformation($"// DecisionController // Authorize // XACML ContextResponse: {JsonConvert.SerializeObject(xacmlContextResponse)}.");
return(xacmlContextResponse);
}
private async Task <ActionResult> AuthorizeXmlRequest(XacmlRequestApiModel model)
{
XacmlContextRequest request;
using (XmlReader reader = XmlReader.Create(new StringReader(model.BodyContent)))
{
request = XacmlParser.ReadContextRequest(reader);
}
XacmlContextResponse xacmlContextResponse = await Authorize(request);
return(CreateResponse(xacmlContextResponse));
}
private ActionResult CreateResponse(XacmlContextResponse xacmlContextResponse)
{
StringBuilder builder = new StringBuilder();
using (XmlWriter writer = XmlWriter.Create(builder))
{
XacmlSerializer.WriteContextResponse(writer, xacmlContextResponse);
}
string xml = builder.ToString();
return(Content(xml));
}
public void IIE003_20()
{
XmlDocument policy = new XmlDocument();
XmlDocument request = new XmlDocument();
XmlDocument response = new XmlDocument();
XmlDocument policy1 = new XmlDocument();
XmlDocument policy2 = new XmlDocument();
policy.Load(Path.Combine(Xacml20TestsCases.TestCasePath, "IIE003Policy.xml"));
request.Load(Path.Combine(Xacml20TestsCases.TestCasePath, "IIE003Request.xml"));
response.Load(Path.Combine(Xacml20TestsCases.TestCasePath, "IIE003Response.xml"));
policy1.Load(Path.Combine(Xacml20TestsCases.TestCasePath, "IIE003PolicyId1.xml"));
policy2.Load(Path.Combine(Xacml20TestsCases.TestCasePath, "IIE003PolicyId2.xml"));
var serialize = new Xacml20ProtocolSerializer();
XacmlContextRequest requestData;
XacmlContextResponse responseData;
XacmlPolicy policy1Data;
XacmlPolicy policy2Data;
using (XmlReader reader = XmlReader.Create(new StringReader(request.OuterXml))) {
requestData = serialize.ReadContextRequest(reader);
}
using (XmlReader reader = XmlReader.Create(new StringReader(response.OuterXml))) {
responseData = serialize.ReadContextResponse(reader);
}
using (XmlReader reader = XmlReader.Create(new StringReader(policy1.OuterXml))) {
policy1Data = serialize.ReadPolicy(reader);
}
using (XmlReader reader = XmlReader.Create(new StringReader(policy2.OuterXml))) {
policy2Data = serialize.ReadPolicy(reader);
}
var policyRepositoryMock = Substitute.For <IXacmlPolicyRepository>();
policyRepositoryMock.RequestPolicy(Arg.Is(policy1Data.PolicyId)).Returns(policy1Data);
policyRepositoryMock.RequestPolicy(Arg.Is(policy2Data.PolicyId)).Returns(policy2Data);
policyRepositoryMock.RequestPolicySet(Arg.Any <Uri>()).Returns((XacmlPolicySet)null);
EvaluationEngine engine = EvaluationEngineFactory.Create(policy, policyRepositoryMock);
XacmlContextResponse evaluatedResponse = engine.Evaluate(requestData, request);
XacmlResponseAssert(responseData, evaluatedResponse);
}
public void WriteResponse_11()
{
var response = new XacmlContextResponse(new XacmlContextResult(XacmlContextDecision.NotApplicable, new XacmlContextStatus(XacmlContextStatusCode.Success)));
StringBuilder builder = new StringBuilder();
using (XmlWriter writer = XmlWriter.Create(builder))
{
var serializer = new Xacml11ProtocolSerializer();
serializer.WriteContextResponse(writer, response);
}
string xml = builder.ToString();
ValidateMessage(xml, Path.Combine(TestCasePath, "cs-xacml-schema-context-01.xsd"));
}
public void IID030_30()
{
XmlDocument request = new XmlDocument();
XmlDocument response = new XmlDocument();
XmlDocument policy1 = new XmlDocument();
XmlDocument policy2 = new XmlDocument();
request.Load(Path.Combine(Xacml30TestsCases.TestCasePath, "IID030Request.xml"));
response.Load(Path.Combine(Xacml30TestsCases.TestCasePath, "IID030Response.xml"));
policy1.Load(Path.Combine(Xacml30TestsCases.TestCasePath, "IID030Policy1.xml"));
policy2.Load(Path.Combine(Xacml30TestsCases.TestCasePath, "IID030Policy2.xml"));
var serialize = new Xacml30ProtocolSerializer();
XacmlContextRequest requestData;
XacmlContextResponse responseData;
XacmlPolicy policy1Data;
XacmlPolicy policy2Data;
using (XmlReader reader = XmlReader.Create(new StringReader(request.OuterXml))) {
requestData = serialize.ReadContextRequest(reader);
}
using (XmlReader reader = XmlReader.Create(new StringReader(response.OuterXml))) {
responseData = serialize.ReadContextResponse(reader);
}
using (XmlReader reader = XmlReader.Create(new StringReader(policy1.OuterXml))) {
policy1Data = serialize.ReadPolicy(reader);
}
using (XmlReader reader = XmlReader.Create(new StringReader(policy2.OuterXml))) {
policy2Data = serialize.ReadPolicy(reader);
}
var policySet = new XacmlPolicySet(Xacml10Constants.PolicyCombiningAlgorithms.OnlyOneApplicable, new XacmlTarget()); // TODO: PolicyCombiningAlgorithms
policySet.Policies.Add(policy1Data);
policySet.Policies.Add(policy2Data);
EvaluationEngine engine = new EvaluationEngine30(policySet);
XacmlContextResponse evaluatedResponse = engine.Evaluate(requestData, request);
XacmlResponseAssert(responseData, evaluatedResponse);
}
/// <summary>
/// Method to serialize the XACML Response.
/// </summary>
/// <param name="writer">XML Writer.</param>
/// <param name="xacmlContextResponse">The responze.</param>
public static void WriteContextResponse(XmlWriter writer, XacmlContextResponse xacmlContextResponse)
{
Guard.ArgumentNotNull(writer, nameof(writer));
Guard.ArgumentNotNull(xacmlContextResponse, nameof(xacmlContextResponse));
writer.WriteStartElement(XacmlConstants.Prefixes.Xacml, XacmlConstants.ElementNames.Response, Xacml30Constants.NameSpaces.Policy);
if (xacmlContextResponse.Results.Count == 0)
{
throw new InvalidOperationException("Empty result");
}
foreach (var result in xacmlContextResponse.Results)
{
WriteContextResult(writer, result);
}
writer.WriteEndElement();
}
public ActionResult Post([FromBody] XacmlRequestApiModel model)
{
XacmlContextRequest request = null;
XacmlContextResponse xacmlContextResponse = null;
try
{
request = ParseApiBody(model);
}
catch (Exception)
{
XacmlContextResult result = new XacmlContextResult(XacmlContextDecision.Indeterminate)
{
Status = new XacmlContextStatus(XacmlContextStatusCode.SyntaxError)
};
xacmlContextResponse = new XacmlContextResponse(result);
}
if (request != null)
{
PolicyDecisionPoint pdp = new PolicyDecisionPoint(_contextHandler, _prp);
xacmlContextResponse = pdp.Authorize(request);
}
string accept = HttpContext.Request.Headers["Accept"];
if (!string.IsNullOrEmpty(accept) && accept.Equals("application/json"))
{
XacmlJsonResponse jsonReponse = XacmlJsonXmlConverter.ConvertResponse(xacmlContextResponse);
return(Ok(jsonReponse));
}
StringBuilder builder = new StringBuilder();
using (XmlWriter writer = XmlWriter.Create(builder))
{
XacmlSerializer.WriteContextResponse(writer, xacmlContextResponse);
}
string xml = builder.ToString();
return(Content(xml));
}
public async Task <XacmlJsonResponse> GetDecisionForRequest(XacmlJsonRequestRoot xacmlJsonRequest)
{
try
{
XacmlContextRequest decisionRequest = XacmlJsonXmlConverter.ConvertRequest(xacmlJsonRequest.Request);
decisionRequest = await Enrich(decisionRequest);
Altinn.Authorization.ABAC.PolicyDecisionPoint pdp = new Altinn.Authorization.ABAC.PolicyDecisionPoint();
XacmlPolicy policy = await GetPolicyAsync(decisionRequest);
XacmlContextResponse contextResponse = pdp.Authorize(decisionRequest, policy);
return(XacmlJsonXmlConverter.ConvertResponse(contextResponse));
}
catch
{
}
return(null);
}
private XacmlContextResponse SetuUpPolicyDecisionPoint(string testCase, bool contextRequstIsEnriched)
{
XacmlContextRequest contextRequest = XacmlTestDataParser.ParseRequest(testCase + "Request.xml", GetAltinnAppsPath());
XacmlContextRequest contextRequestEnriched = contextRequest;
if (contextRequstIsEnriched)
{
contextRequestEnriched = XacmlTestDataParser.ParseRequest(testCase + "Request_Enriched.xml", GetAltinnAppsPath());
}
XacmlPolicy policy = XacmlTestDataParser.ParsePolicy(testCase + "Policy.xml", GetAltinnAppsPath());
Moq.Mock <IContextHandler> moqContextHandler = new Mock <IContextHandler>();
moqContextHandler.Setup(c => c.Enrich(It.IsAny <XacmlContextRequest>())).ReturnsAsync(contextRequestEnriched);
PolicyDecisionPoint pdp = new PolicyDecisionPoint();
XacmlContextResponse xacmlResponse = pdp.Authorize(contextRequestEnriched, policy);
return(xacmlResponse);
}
/// <summary>
/// Converts a Xacml XML response to a JSON object response.
/// </summary>
/// <param name="xacmlContextResponse">The context response.</param>
/// <returns>The json response.</returns>
public static XacmlJsonResponse ConvertResponse(XacmlContextResponse xacmlContextResponse)
{
XacmlJsonResponse response = new XacmlJsonResponse();
response.Response = new List <XacmlJsonResult>();
foreach (XacmlContextResult xacmlResult in xacmlContextResponse.Results)
{
XacmlJsonResult jsonResult = new XacmlJsonResult();
jsonResult.Decision = xacmlResult.Decision.ToString();
jsonResult.Status = new XacmlJsonStatus();
jsonResult.Status.StatusCode = new XacmlJsonStatusCode();
jsonResult.Status.StatusCode.Value = xacmlResult.Status.StatusCode.Value.OriginalString;
jsonResult.Obligations = ConvertObligations(xacmlResult.Obligations);
response.Response.Add(jsonResult);
}
return(response);
}
public void RunOfficialTestsCheckResult_Geo(XmlDocument policy, XmlDocument request, XmlDocument response)
{
var serialize = new Xacml30ProtocolSerializer();
XacmlContextRequest requestData;
XacmlContextResponse responseData;
using (XmlReader reader = XmlReader.Create(new StringReader(request.OuterXml))) {
requestData = serialize.ReadContextRequest(reader);
}
using (XmlReader reader = XmlReader.Create(new StringReader(response.OuterXml))) {
responseData = serialize.ReadContextResponse(reader);
}
EvaluationEngine engine = EvaluationEngineFactory.Create(policy, null);
XacmlContextResponse evaluatedResponse = engine.Evaluate(requestData, request);
Assert.AreEqual(responseData.Results.First().Decision, evaluatedResponse.Results.First().Decision, evaluatedResponse.Results.First().Status.StatusMessage);
Assert.True(evaluatedResponse.Results.First().Obligations.Count ==
responseData.Results.First().Obligations.Count);
}
public async Task <ActionResult> Post([FromBody] XacmlRequestApiModel model)
{
try
{
if (Request.ContentType.Contains("application/json"))
{
return(await AuthorizeJsonRequest(model));
}
else
{
return(await AuthorizeXmlRequest(model));
}
}
catch (Exception ex)
{
XacmlContextResult result = new XacmlContextResult(XacmlContextDecision.Indeterminate)
{
Status = new XacmlContextStatus(XacmlContextStatusCode.SyntaxError)
};
XacmlContextResponse xacmlContextResponse = new XacmlContextResponse(result);
return(CreateResponse(xacmlContextResponse));
}
}
public void ConformanceTestsIIE_11(XmlDocument policy, XmlDocument request, XmlDocument response, XmlDocument aPolicy, XmlDocument aPolicySet)
{
var serialize = new Xacml11ProtocolSerializer();
XacmlContextRequest requestData;
XacmlContextResponse responseData;
XacmlPolicy aPolicyData;
XacmlPolicySet aPolicySetData;
using (XmlReader reader = XmlReader.Create(new StringReader(request.OuterXml))) {
requestData = serialize.ReadContextRequest(reader);
}
using (XmlReader reader = XmlReader.Create(new StringReader(response.OuterXml))) {
responseData = serialize.ReadContextResponse(reader);
}
using (XmlReader reader = XmlReader.Create(new StringReader(aPolicy.OuterXml))) {
aPolicyData = serialize.ReadPolicy(reader);
}
using (XmlReader reader = XmlReader.Create(new StringReader(aPolicySet.OuterXml))) {
aPolicySetData = serialize.ReadPolicySet(reader);
}
var policyRepositoryMock = Substitute.For <IXacmlPolicyRepository>();
policyRepositoryMock.RequestPolicy(Arg.Is(aPolicyData.PolicyId)).Returns(aPolicyData);
policyRepositoryMock.RequestPolicySet(Arg.Is(aPolicySetData.PolicySetId)).Returns(aPolicySetData);
EvaluationEngine engine = EvaluationEngineFactory.Create(policy, policyRepositoryMock);
XacmlContextResponse evaluatedResponse = engine.Evaluate(requestData, request);
XacmlResponseAssert(responseData, evaluatedResponse);
}
public virtual XacmlContextResponse ReadContextResponse(XmlReader reader)
{
if (reader == null)
{
throw new ArgumentNullException(nameof(reader));
}
if (!XacmlProtocolSerializer.CanReadContext(reader, XacmlConstants.ElementNames.Response, this.Version.NamespaceContext))
{
throw ThrowHelperXml(reader, "XML message is not valid.");
}
reader.ReadStartElement(XacmlConstants.ElementNames.Response, this.Version.NamespaceContext);
List <XacmlContextResult> results = new List <XacmlContextResult>();
this.ReadList(results, XacmlConstants.ElementNames.Result, this.Version.NamespaceContext, ReadContextResult, reader, isRequired: true);
XacmlContextResponse result = new XacmlContextResponse(results);
reader.ReadEndElement();
return(result);
}
private async Task <XacmlJsonResponse> Authorize(XacmlJsonRequest decisionRequest)
{
if (decisionRequest.MultiRequests == null || decisionRequest.MultiRequests.RequestReference == null ||
decisionRequest.MultiRequests.RequestReference.Count < 2)
{
XacmlContextRequest request = XacmlJsonXmlConverter.ConvertRequest(decisionRequest);
XacmlContextResponse xmlResponse = await Authorize(request);
return(XacmlJsonXmlConverter.ConvertResponse(xmlResponse));
}
else
{
XacmlJsonResponse multiResponse = new XacmlJsonResponse();
foreach (XacmlJsonRequestReference xacmlJsonRequestReference in decisionRequest.MultiRequests.RequestReference)
{
XacmlJsonRequest jsonMultiRequestPart = new XacmlJsonRequest();
foreach (string refer in xacmlJsonRequestReference.ReferenceId)
{
List <XacmlJsonCategory> resourceCategoriesPart = decisionRequest.Resource.Where(i => i.Id.Equals(refer)).ToList();
if (resourceCategoriesPart.Count > 0)
{
if (jsonMultiRequestPart.Resource == null)
{
jsonMultiRequestPart.Resource = new List <XacmlJsonCategory>();
}
jsonMultiRequestPart.Resource.AddRange(resourceCategoriesPart);
}
List <XacmlJsonCategory> subjectCategoriesPart = decisionRequest.AccessSubject.Where(i => i.Id.Equals(refer)).ToList();
if (subjectCategoriesPart.Count > 0)
{
if (jsonMultiRequestPart.AccessSubject == null)
{
jsonMultiRequestPart.AccessSubject = new List <XacmlJsonCategory>();
}
jsonMultiRequestPart.AccessSubject.AddRange(subjectCategoriesPart);
}
List <XacmlJsonCategory> actionCategoriesPart = decisionRequest.Action.Where(i => i.Id.Equals(refer)).ToList();
if (actionCategoriesPart.Count > 0)
{
if (jsonMultiRequestPart.Action == null)
{
jsonMultiRequestPart.Action = new List <XacmlJsonCategory>();
}
jsonMultiRequestPart.Action.AddRange(actionCategoriesPart);
}
}
XacmlContextResponse partResponse = await Authorize(XacmlJsonXmlConverter.ConvertRequest(jsonMultiRequestPart));
XacmlJsonResponse xacmlJsonResponsePart = XacmlJsonXmlConverter.ConvertResponse(partResponse);
if (multiResponse.Response == null)
{
multiResponse.Response = new List <XacmlJsonResult>();
}
multiResponse.Response.Add(xacmlJsonResponsePart.Response.First());
}
return(multiResponse);
}
}
public async Task <XacmlJsonResponse> GetDecisionForRequest(XacmlJsonRequestRoot xacmlJsonRequest)
{
string jsonResponse = string.Empty;
if (xacmlJsonRequest.Request.MultiRequests != null)
{
try
{
Altinn.Authorization.ABAC.PolicyDecisionPoint pdp = new Altinn.Authorization.ABAC.PolicyDecisionPoint();
XacmlJsonResponse multiResponse = new XacmlJsonResponse();
foreach (XacmlJsonRequestReference xacmlJsonRequestReference in xacmlJsonRequest.Request.MultiRequests.RequestReference)
{
XacmlJsonRequest jsonMultiRequestPart = new XacmlJsonRequest();
foreach (string refer in xacmlJsonRequestReference.ReferenceId)
{
IEnumerable <XacmlJsonCategory> resourceCategoriesPart = xacmlJsonRequest.Request.Resource.Where(i => i.Id.Equals(refer));
if (resourceCategoriesPart != null && resourceCategoriesPart.Count() > 0)
{
if (jsonMultiRequestPart.Resource == null)
{
jsonMultiRequestPart.Resource = new List <XacmlJsonCategory>();
}
jsonMultiRequestPart.Resource.AddRange(resourceCategoriesPart);
}
IEnumerable <XacmlJsonCategory> subjectCategoriesPart = xacmlJsonRequest.Request.AccessSubject.Where(i => i.Id.Equals(refer));
if (subjectCategoriesPart != null && subjectCategoriesPart.Count() > 0)
{
if (jsonMultiRequestPart.AccessSubject == null)
{
jsonMultiRequestPart.AccessSubject = new List <XacmlJsonCategory>();
}
jsonMultiRequestPart.AccessSubject.AddRange(subjectCategoriesPart);
}
IEnumerable <XacmlJsonCategory> actionCategoriesPart = xacmlJsonRequest.Request.Action.Where(i => i.Id.Equals(refer));
if (actionCategoriesPart != null && actionCategoriesPart.Count() > 0)
{
if (jsonMultiRequestPart.Action == null)
{
jsonMultiRequestPart.Action = new List <XacmlJsonCategory>();
}
jsonMultiRequestPart.Action.AddRange(actionCategoriesPart);
}
}
XacmlContextResponse partResponse = await Authorize(XacmlJsonXmlConverter.ConvertRequest(jsonMultiRequestPart));
XacmlJsonResponse xacmlJsonResponsePart = XacmlJsonXmlConverter.ConvertResponse(partResponse);
if (multiResponse.Response == null)
{
multiResponse.Response = new List <XacmlJsonResult>();
}
multiResponse.Response.Add(xacmlJsonResponsePart.Response.First());
}
return(multiResponse);
}
catch
{
}
}
else if (xacmlJsonRequest.Request.AccessSubject[0].Attribute.Exists(a => (a.AttributeId == "urn:altinn:userid" && a.Value == "1")) ||
xacmlJsonRequest.Request.AccessSubject[0].Attribute.Exists(a => a.AttributeId == "urn:altinn:org"))
{
jsonResponse = File.ReadAllText("data/response_permit.json");
}
else
{
jsonResponse = File.ReadAllText("data/response_deny.json");
}
XacmlJsonResponse response = JsonConvert.DeserializeObject <XacmlJsonResponse>(jsonResponse);
return(response);
}
private async Task <XacmlContextResponse> AuthorizeBasedOnDelegations(XacmlContextRequest decisionRequest, XacmlPolicy appPolicy)
{
XacmlContextResponse delegationContextResponse = new XacmlContextResponse(new XacmlContextResult(XacmlContextDecision.NotApplicable)
{
Status = new XacmlContextStatus(XacmlContextStatusCode.Success)
});
XacmlResourceAttributes resourceAttributes = _delegationContextHandler.GetResourceAttributes(decisionRequest);
int subjectUserId = _delegationContextHandler.GetSubjectUserId(decisionRequest);
if (resourceAttributes == null ||
string.IsNullOrEmpty(resourceAttributes.OrgValue) ||
string.IsNullOrEmpty(resourceAttributes.AppValue) ||
subjectUserId == 0 ||
!int.TryParse(resourceAttributes.ResourcePartyValue, out int reporteePartyId))
{
// Not able to continue authorization based on delegations because of incomplete decision request
string request = JsonConvert.SerializeObject(decisionRequest);
_logger.LogWarning("// DecisionController // Authorize // Delegations // Incomplete request: {request}", request);
return(new XacmlContextResponse(new XacmlContextResult(XacmlContextDecision.Indeterminate)
{
Status = new XacmlContextStatus(XacmlContextStatusCode.Success)
}));
}
List <string> appIds = new List <string> {
$"{resourceAttributes.OrgValue}/{resourceAttributes.AppValue}"
};
List <int> offeredByPartyIds = new List <int> {
reporteePartyId
};
List <int> coveredByUserIds = new List <int> {
subjectUserId
};
// 1. Direct user delegations
List <DelegationChange> delegations = await _delegationRepository.GetAllCurrentDelegationChanges(offeredByPartyIds, appIds, coveredByUserIds : coveredByUserIds);
if (delegations.Any())
{
delegationContextResponse = await AuthorizeBasedOnDelegations(decisionRequest, delegations, appPolicy);
if (delegationContextResponse.Results.Any(r => r.Decision == XacmlContextDecision.Permit))
{
return(delegationContextResponse);
}
}
// 2. Direct user delegations from mainunit
List <MainUnit> mainunits = await _delegationContextHandler.GetMainUnits(reporteePartyId);
List <int> mainunitPartyIds = mainunits.Where(m => m.PartyId.HasValue).Select(m => m.PartyId.Value).ToList();
if (mainunitPartyIds.Any())
{
offeredByPartyIds.AddRange(mainunitPartyIds);
delegations = await _delegationRepository.GetAllCurrentDelegationChanges(mainunitPartyIds, appIds, coveredByUserIds : coveredByUserIds);
if (delegations.Any())
{
delegationContextResponse = await AuthorizeBasedOnDelegations(decisionRequest, delegations, appPolicy);
if (delegationContextResponse.Results.Any(r => r.Decision == XacmlContextDecision.Permit))
{
return(delegationContextResponse);
}
}
}
// 3. Direct party delegations to keyrole units
List <int> keyrolePartyIds = await _delegationContextHandler.GetKeyRolePartyIds(subjectUserId);
if (keyrolePartyIds.Any())
{
delegations = await _delegationRepository.GetAllCurrentDelegationChanges(offeredByPartyIds, appIds, coveredByPartyIds : keyrolePartyIds);
if (delegations.Any())
{
_delegationContextHandler.Enrich(decisionRequest, keyrolePartyIds);
delegationContextResponse = await AuthorizeBasedOnDelegations(decisionRequest, delegations, appPolicy);
}
}
return(delegationContextResponse);
}
