/// <summary> /// /// </summary> /// <param name="obligations"></param> public Obligations( pol.ObligationReadWriteCollection obligations ) { // This call is required by the Windows.Forms Form Designer. InitializeComponent(); LoadingData = true; _obligations = obligations; cmbEffect.Items.Add( pol.Effect.Deny ); cmbEffect.Items.Add( pol.Effect.Permit ); lstAttributeAssignments.DisplayMember = "AttributeId"; lstObligations.DisplayMember = "ObligationId"; foreach( pol.ObligationElementReadWrite obligation in obligations ) { lstObligations.Items.Add( obligation ); } if( obligations.Count != 0 ) { lstObligations.SelectedIndex = 0; } LoadingData = false; }
/// <summary> /// /// </summary> public Condition( pol.ConditionElementReadWrite condition ) { // This call is required by the Windows.Forms Form Designer. InitializeComponent(); _condition = condition; tvwCondition.Nodes.Add( new FunctionExecution( condition ) ); tvwCondition.ExpandAll(); foreach( FieldInfo field in typeof(InternalDataTypes).GetFields() ) { cmbDataType.Items.Add( field.GetValue( null ) ); } foreach( FieldInfo field in typeof(InternalFunctions).GetFields() ) { cmbInternalFunctions.Items.Add( field.GetValue( null ) ); } }
/// <summary> /// /// </summary> /// <param name="targetItem"></param> public TargetItem( pol.TargetItemBaseReadWrite targetItem ) { // This call is required by the Windows.Forms Form Designer. InitializeComponent(); LoadingData = true; _targetItem = targetItem; lstMatch.DisplayMember = "MatchId"; foreach( pol.TargetMatchBaseReadWrite match in targetItem.Match ) { lstMatch.Items.Add( match ); } if( lstMatch.Items.Count != 0 ) { lstMatch.SelectedIndex = 0; } LoadingData = false; }
/// <summary> /// Creates a new Result using the provided information. /// </summary> /// <param name="resourceId">The resource id for this result.</param> /// <param name="decision">The decission of the evaluation.</param> /// <param name="status">The status with information about the execution.</param> /// <param name="obligations">The list of obligations</param> /// <param name="schemaVersion">The version of the schema that was used to validate.</param> public ResultElement( string resourceId, rtm.Decision decision, StatusElement status, pol.ObligationCollection obligations, XacmlVersion schemaVersion ) : base( XacmlSchema.Context, schemaVersion ) { _resourceId = resourceId; _decision = decision; // If the status is null, create an empty status if( status == null ) { _status = new StatusElement( null, null, null, schemaVersion ); } else { _status = status; } // If the obligations are null, leave the empty ObligationCollection. if( obligations != null ) { _obligations = obligations; } }
/// <summary> /// Resolve the attribute desingator that can't be found in the context document /// </summary> /// <param name="context">The evaluation context instance.</param> /// <param name="designator">The attribute designator instance</param> public static ctx.AttributeElement GetAttribute( EvaluationContext context, pol.AttributeDesignatorBase designator ) { // Resolve internal attributes switch( designator.AttributeId ) { case EnvironmentAttributes.CurrentDate: return new ctx.AttributeElement( designator.AttributeId, InternalDataTypes.XsdDate, null, null, XmlConvert.ToString( DateTime.Now, "yyyy-MM-dd" ), designator.SchemaVersion ); case EnvironmentAttributes.CurrentTime: return new ctx.AttributeElement( designator.AttributeId, InternalDataTypes.XsdTime, null, null, XmlConvert.ToString( DateTime.Now, "HH:mm:sszzzzzz" ), designator.SchemaVersion ); case EnvironmentAttributes.CurrentDateTime: return new ctx.AttributeElement( designator.AttributeId, InternalDataTypes.XsdDateTime, null, null, XmlConvert.ToString( DateTime.Now, "yyyy-MM-ddTHH:mm:sszzzzzz" ), designator.SchemaVersion ); default: { if( ConfigurationRoot.Config != null ) { // Search for attributes in the configured repositories foreach( inf.IAttributeRepository repository in ConfigurationRoot.Config.AttributeRepositories ) { ctx.AttributeElement attribute = repository.GetAttribute( context, designator ); if( attribute != null ) { return attribute; } } } return null; } } }
/// <summary> /// Resolves the attribute reference defined within the given match. /// </summary> /// <param name="context">The evaluation context instance.</param> /// <param name="match">The target item match.</param> /// <param name="contextTargetItem">The context target item.</param> /// <returns>The context attribute.</returns> public static ctx.AttributeElement Resolve( EvaluationContext context, pol.TargetMatchBaseReadWrite match, ctx.TargetItemBase contextTargetItem ) { ctx.AttributeElementReadWrite attribute = null; if( match.AttributeReference is pol.AttributeDesignatorBase ) { pol.AttributeDesignatorBase attrDesig = (pol.AttributeDesignatorBase)match.AttributeReference; context.Trace( "Looking for attribute: {0}", attrDesig.AttributeId ); foreach( ctx.AttributeElementReadWrite tempAttribute in contextTargetItem.Attributes ) { if( tempAttribute.Match( attrDesig ) ) { attribute = tempAttribute; break; } } if( attribute == null ) { context.Trace( "Attribute not found, loading searching an external repository" ); attribute = GetAttribute( context, attrDesig ); } } else if( match.AttributeReference is pol.AttributeSelectorElement ) { pol.AttributeSelectorElement attrSelec = (pol.AttributeSelectorElement)match.AttributeReference; ctx.ResourceContentElement content = (ctx.ResourceContentElement)((ctx.ResourceElement)contextTargetItem).ResourceContent; if( content != null ) { XmlDocument doc = context.ContextDocument.XmlDocument; if( context.ContextDocument.XmlNamespaceManager == null ) { context.ContextDocument.AddNamespaces( context.PolicyDocument.Namespaces ); } string xpath = attrSelec.RequestContextPath; try { XmlNode node = doc.DocumentElement.SelectSingleNode( xpath, context.ContextDocument.XmlNamespaceManager ); if( node != null ) { attribute = new ctx.AttributeElement( null, attrSelec.DataType, null, null, node.InnerText, attrSelec.SchemaVersion ); } } catch( XPathException e ) { context.Trace( Resource.TRACE_ERROR, e.Message ); context.ProcessingError = true; } } } if( attribute == null && match.AttributeReference.MustBePresent ) { context.IsMissingAttribute = true; context.AddMissingAttribute( match.AttributeReference ); } if( attribute != null ) { return new ctx.AttributeElement( attribute.AttributeId, attribute.DataType, attribute.Issuer, attribute.IssueInstant, attribute.Value, attribute.SchemaVersion); } return null; }
/// <summary> /// Search for the attribute in the context target item using the attribute designator specified. /// </summary> /// <param name="context">The evaluation context instance.</param> /// <param name="attributeDesignator">The attribute designator instance.</param> /// <param name="targetItem">The target item to search in.</param> /// <returns>A bag value with the values of the attributes found.</returns> public static BagValue FindAttribute( EvaluationContext context, pol.AttributeDesignatorBase attributeDesignator, ctx.TargetItemBase targetItem ) { BagValue bag = new BagValue( GetDataType( attributeDesignator.DataType ) ); foreach( ctx.AttributeElement attribute in targetItem.Attributes ) { if( attribute.Match( attributeDesignator ) ) { context.Trace( "Adding target item attribute designator: {0}", attribute.ToString() ); bag.Add( attribute ); } } return bag; }
/// <summary> /// Solves the attribute designator in the context document using the attribute designator type /// </summary> /// <param name="context">The evaluation context instance.</param> /// <param name="attributeDesignator">The attribute designator to resolve</param> /// <returns>A bag value with the values found in the context document</returns> public static BagValue Resolve( EvaluationContext context, pol.AttributeDesignatorBase attributeDesignator ) { if( attributeDesignator is pol.SubjectAttributeDesignatorElement ) { if( context.ContextDocument.Request != null && context.ContextDocument.Request.Subjects != null ) { BagValue bag = new BagValue( GetDataType( attributeDesignator.DataType ) ); foreach( ctx.SubjectElement subject in context.ContextDocument.Request.Subjects ) { if( ((pol.SubjectAttributeDesignatorElement)attributeDesignator).SubjectCategory == null || ( (pol.SubjectAttributeDesignatorElement)attributeDesignator).SubjectCategory == subject.SubjectCategory ) { foreach( ctx.AttributeElement attrib in FindAttribute( context, attributeDesignator, subject ).Elements ) { bag.Add( attrib ); } } } return bag; } } else if( attributeDesignator is pol.ResourceAttributeDesignatorElement ) { if( context.ContextDocument.Request != null && context.CurrentResource != null ) { return FindAttribute( context, attributeDesignator, context.CurrentResource ); } else { return BagValue.Empty; } } else if( attributeDesignator is pol.ActionAttributeDesignatorElement ) { if( context.ContextDocument.Request != null && context.ContextDocument.Request.Action != null ) { return FindAttribute( context, attributeDesignator, context.ContextDocument.Request.Action ); } else { return BagValue.Empty; } } else if( attributeDesignator is pol.EnvironmentAttributeDesignatorElement ) { if( context.ContextDocument.Request != null && context.ContextDocument.Request.Environment != null ) { return FindAttribute( context, attributeDesignator, context.ContextDocument.Request.Environment ); } else { return BagValue.Empty; } } throw new EvaluationException( Resource.ResourceManager[ Resource.MessageKey.exc_invalid_attribute_designator ] ); }
/// <summary> /// Resolves the PolicyReferenceId using the policy repository /// </summary> /// <param name="policyReference">The policy reference</param> /// <returns>The policy found</returns> public static pol.PolicyElement Resolve( pol.PolicyIdReferenceElement policyReference ) { if( ConfigurationRoot.Config != null ) { // Search for attributes in the configured repositories foreach( inf.IPolicyRepository repository in ConfigurationRoot.Config.PolicyRepositories ) { pol.PolicyElement policy = repository.GetPolicy( policyReference ); if( policy != null ) { return policy; } } } return null; }
/// <summary> /// Resolves the AttributeSelector in the context document using the XPath sentence. /// </summary> /// <param name="context">The evaluation context instance.</param> /// <param name="attributeSelector">The attribute selector.</param> /// <returns>A bag of values with the contents of the node.</returns> public static BagValue Resolve( EvaluationContext context, pol.AttributeSelectorElement attributeSelector ) { BagValue bagValue = new BagValue( GetDataType( attributeSelector.DataType ) ); ctx.ResourceContentElement content = (ctx.ResourceContentElement)context.CurrentResource.ResourceContent; if( content != null ) { XmlDocument doc = context.ContextDocument.XmlDocument; if( context.ContextDocument.XmlNamespaceManager == null ) { context.ContextDocument.AddNamespaces( context.PolicyDocument.Namespaces ); } try { string xpath = attributeSelector.RequestContextPath; XmlNodeList nodeList = doc.DocumentElement.SelectNodes( xpath, context.ContextDocument.XmlNamespaceManager ); if( nodeList != null ) { foreach( XmlNode node in nodeList ) { pol.AttributeValueElement ave = new pol.AttributeValueElement( attributeSelector.DataType, node.InnerText, attributeSelector.SchemaVersion ); bagValue.Add( ave ); } } } catch( XPathException e ) { context.Trace( Resource.TRACE_ERROR, e.Message ); bagValue = new BagValue( GetDataType( attributeSelector.DataType ) ); } } return bagValue; }
/// <summary> /// Evaluate the context document using a specified policy /// </summary> /// <param name="policyDocument">The policy instance</param> /// <param name="contextDocument">The context document instance</param> /// <returns>The response document</returns> public ctx.ResponseElement Evaluate( pol.PolicyDocument policyDocument, ctx.ContextDocument contextDocument ) { if (policyDocument == null) throw new ArgumentNullException("policyDocument"); if (contextDocument == null) throw new ArgumentNullException("contextDocument"); EvaluationContext context = new EvaluationContext( this, policyDocument, (ctx.ContextDocument)contextDocument ) ; context.Trace( "Start evaluation" ); context.AddIndent(); if ( policyDocument == null || contextDocument == null ) { // If a validation error was found a response is created with the syntax error message ctx.ResponseElement response = new ctx.ResponseElement( new ctx.ResultElement[] { new ctx.ResultElement( null, Decision.Indeterminate, new ctx.StatusElement( new ctx.StatusCodeElement( StatusCodes.ProcessingError, null, policyDocument.Version ), null, null, policyDocument.Version ), null, policyDocument.Version ) }, policyDocument.Version ); return response; } // Check if both documents are valid if( !policyDocument.IsValidDocument || !contextDocument.IsValidDocument ) { // If a validation error was found a response is created with the syntax error message ctx.ResponseElement response = new ctx.ResponseElement( new ctx.ResultElement[] { new ctx.ResultElement( null, Decision.Indeterminate, new ctx.StatusElement( new ctx.StatusCodeElement( StatusCodes.SyntaxError, null, policyDocument.Version ), null, null, policyDocument.Version ), null, policyDocument.Version ) }, policyDocument.Version ); return response; } // Create a new response contextDocument.Response = new ctx.ResponseElement( (ctx.ResultElement[])null, policyDocument.Version ); try { // Create the evaluable policy intance IMatchEvaluable policy = null; if( policyDocument.PolicySet != null ) { policy = new PolicySet( this, (pol.PolicySetElement)policyDocument.PolicySet ); } else if( policyDocument.Policy != null ) { policy = new Policy( (pol.PolicyElement)policyDocument.Policy ); } // Evaluate the policy or policy set if( policy != null ) { // Creates the evaluable policy set if( policy.AllResources.Count == 0 ) { policy.AllResources.Add( "" ); } string requestedResourceString = String.Empty; Uri requestedResource = null; foreach( ctx.ResourceElement resource in contextDocument.Request.Resources ) { // Keep the requested resource if( resource.IsHierarchical ) { foreach( ctx.AttributeElement attribute in resource.Attributes ) { if( attribute.AttributeId == ResourceElement.ResourceId ) { if( context.PolicyDocument.Version == XacmlVersion.Version10 || context.PolicyDocument.Version == XacmlVersion.Version11 ) { requestedResourceString = attribute.AttributeValues[0].Contents; } else { if( attribute.AttributeValues.Count > 1 ) { throw new NotSupportedException( "resources contains a bag of values" ); } requestedResourceString = attribute.AttributeValues[0].Contents; } } } if( !string.IsNullOrEmpty(requestedResourceString) ) { requestedResource = new Uri( requestedResourceString ); } } // Iterate through the policy resources evaluating each resource in the context document request foreach( string resourceName in policy.AllResources ) { bool mustEvaluate; if( resource.IsHierarchical ) { //Validate if the resource is hierarchically desdendant or children //of the requested resource Uri policyResource = new Uri( resourceName ); if( !(mustEvaluate = requestedResource.Equals( policyResource ) ) ) { // Perform the hierarchical evaluation if( resource.ResourceScopeValue == ctx.ResourceScope.Children ) { mustEvaluate = typ.AnyUri.IsChildrenOf( requestedResource, policyResource ); } else if( resource.ResourceScopeValue == ctx.ResourceScope.Descendants ) { mustEvaluate = typ.AnyUri.IsDescendantOf( requestedResource, policyResource ); } } if( mustEvaluate ) { foreach( ctx.AttributeElementReadWrite attribute in context.CurrentResource.Attributes ) { if( attribute.AttributeId == ResourceElement.ResourceId ) { attribute.AttributeValues[0].Contents = resourceName; break; } } } } else { context.CurrentResource = resource; mustEvaluate = true; } if( mustEvaluate ) { // Evaluates the policy set Decision decision = policy.Evaluate( context ); // Create a status code using the policy execution state ctx.StatusCodeElement scode; if( context.IsMissingAttribute ) { scode = new ctx.StatusCodeElement( StatusCodes.MissingAttribute, null, policyDocument.Version ); } else if( context.ProcessingError ) { scode = new ctx.StatusCodeElement( StatusCodes.ProcessingError, null, policyDocument.Version ); } else { scode = new ctx.StatusCodeElement( StatusCodes.OK, null, policyDocument.Version ); } //Stop the iteration if there is not a hierarchical request if( !resource.IsHierarchical ) { // Ussually when a single resource is requested the ResourceId is not specified in the result IObligationsContainer oblig = policy as IObligationsContainer; contextDocument.Response.Results.Add( new ctx.ResultElement( "", decision, new ctx.StatusElement( scode, "", "", policyDocument.Version ), oblig.Obligations, policyDocument.Version ) ); break; } else { // Adding a resource for each requested resource, using the resourceName as the resourceId of the result IObligationsContainer oblig = policy as IObligationsContainer; contextDocument.Response.Results.Add( new ctx.ResultElement( resourceName, decision, new ctx.StatusElement( scode, "", "", policyDocument.Version ), oblig.Obligations, policyDocument.Version ) ); } } // if( mustEvaluate ) } // foreach( string resourceName in policy.AllResources ) } } //if( policy != null ) } catch( EvaluationException e ) { // If a validation error was found a response is created with the syntax error message contextDocument.Response = new ctx.ResponseElement( new ctx.ResultElement[] { new ctx.ResultElement( null, Decision.Indeterminate, new ctx.StatusElement( new ctx.StatusCodeElement( StatusCodes.ProcessingError, null, policyDocument.Version ), e.Message, e.StackTrace, policyDocument.Version ), null, policyDocument.Version ) }, policyDocument.Version ); } return contextDocument.Response; }
/// <summary> /// Creates a new runtime policy set evaluation. /// </summary> /// <param name="engine">The evaluation engine.</param> /// <param name="policySet">The policy set defined in the policy document.</param> public PolicySet( EvaluationEngine engine, pol.PolicySetElement policySet ) { if (engine == null) throw new ArgumentNullException("engine"); if (policySet == null) throw new ArgumentNullException("policySet"); _policySet = policySet; // Create a runtime target of this policy set. if( policySet.Target != null ) { _target = new Target( (pol.TargetElement)policySet.Target ); foreach( pol.ResourceElement resource in policySet.Target.Resources.ItemsList ) { foreach( pol.ResourceMatchElement rmatch in resource.Match ) { if( !_allResources.Contains( rmatch.AttributeValue.Contents ) ) { _allResources.Add( rmatch.AttributeValue.Contents ); } } } } // Add all the policies (or policy set) inside this policy set. foreach( object child in policySet.Policies ) { pol.PolicySetElement childPolicySet = child as pol.PolicySetElement; pol.PolicyElement childPolicyElement = child as pol.PolicyElement; pol.PolicySetIdReferenceElement childPolicySetIdReference = child as pol.PolicySetIdReferenceElement; pol.PolicyIdReferenceElement childPolicyIdReferenceElement = child as pol.PolicyIdReferenceElement; if (childPolicySet != null) { PolicySet policySetEv = new PolicySet(engine, childPolicySet); foreach( string rName in policySetEv.AllResources ) { if( !_allResources.Contains( rName ) ) { _allResources.Add( rName ); } } _policies.Add( policySetEv ); } else if (childPolicyElement!=null) { Policy policyEv = new Policy(childPolicyElement); foreach( string rName in policyEv.AllResources ) { if( !_allResources.Contains( rName ) ) { _allResources.Add( rName ); } } _policies.Add( policyEv ); } else if (childPolicySetIdReference!=null) { pol.PolicySetElement policySetDefinition = EvaluationEngine.Resolve(childPolicySetIdReference); if( policySetDefinition != null ) { PolicySet policySetEv = new PolicySet( engine, policySetDefinition ); foreach( string rName in policySetEv.AllResources ) { if( !_allResources.Contains( rName ) ) { _allResources.Add( rName ); } } _policies.Add( policySetEv ); } else { throw new EvaluationException( Resource.ResourceManager[ Resource.MessageKey.exc_policyset_reference_not_resolved, ((pol.PolicySetIdReferenceElement)child).PolicySetId ] ); } } else if (childPolicyIdReferenceElement!=null) { pol.PolicyElement policyDefinition = EvaluationEngine.Resolve(childPolicyIdReferenceElement); if( policyDefinition != null ) { Policy policyEv = new Policy( policyDefinition ); foreach( string rName in policyEv.AllResources ) { if( !_allResources.Contains( rName ) ) { _allResources.Add( rName ); } } _policies.Add( policyEv ); } else { throw new EvaluationException( Resource.ResourceManager[ Resource.MessageKey.exc_policy_reference_not_resolved, ((pol.PolicyIdReferenceElement)child).PolicyId ] ); } } } }
/// <summary> /// Returns a policy set document using the PolicySetRefereneId specified. /// </summary> /// <param name="policySetReference">The policy set reference with the Id of the policy set searched.</param> /// <returns>The policy set document.</returns> public pol.PolicySetElement GetPolicySet(pol.PolicySetIdReferenceElement policySetReference) { if (policySetReference == null) throw new ArgumentNullException("policySetReference"); pol.PolicyDocument doc = _policySets[ policySetReference.PolicySetId ] as pol.PolicyDocument; if( doc != null ) { return (pol.PolicySetElement)doc.PolicySet; //TODO: check if we have to return a read write or a read only policy here. } return null; }