/// <summary>
/// Authorizes a given action on an instance.
/// </summary>
/// <returns></returns>
public async Task <bool> AuthorizeInstanceAction(ClaimsPrincipal user, Instance instance, string action)
{
string org = instance.Org;
string app = instance.AppId.Split('/')[1];
int instanceOwnerPartyId = int.Parse(instance.InstanceOwner.PartyId);
XacmlJsonRequestRoot request;
if (instance.Id == null)
{
request = DecisionHelper.CreateDecisionRequest(org, app, user, action, instanceOwnerPartyId, null);
}
else
{
Guid instanceGuid = Guid.Parse(instance.Id.Split('/')[1]);
request = DecisionHelper.CreateDecisionRequest(org, app, user, action, instanceOwnerPartyId, instanceGuid);
}
XacmlJsonResponse response = await _pdp.GetDecisionForRequest(request);
if (response?.Response == null)
{
_logger.LogInformation($"// Authorization Helper // Authorize instance action failed for request: {JsonConvert.SerializeObject(request)}.");
return(false);
}
bool authorized = DecisionHelper.ValidatePdpDecision(response.Response, user);
return(authorized);
}
private async Task <bool> AuthorizeAction(string currentTaskType, string org, string app, int instanceOwnerPartyId, Guid instanceGuid)
{
string actionType;
switch (currentTaskType)
{
case "data":
case "feedback":
actionType = "write";
break;
case "confirmation":
actionType = "confirm";
break;
default:
actionType = currentTaskType;
break;
}
XacmlJsonRequestRoot request = DecisionHelper.CreateDecisionRequest(org, app, HttpContext.User, actionType, instanceOwnerPartyId, instanceGuid);
XacmlJsonResponse response = await _pdp.GetDecisionForRequest(request);
if (response?.Response == null)
{
_logger.LogInformation($"// Process Controller // Authorization of moving process forward failed with request: {JsonConvert.SerializeObject(request)}.");
return(false);
}
bool authorized = DecisionHelper.ValidatePdpDecision(response.Response, HttpContext.User);
return(authorized);
}
/// <summary>
/// This method authorize access bases on context and requirement
/// Is triggered by annotation on MVC action and setup in startup.
/// </summary>
/// <param name="context">The context</param>
/// <param name="requirement">The requirement</param>
/// <returns>A Task</returns>
protected override async Task HandleRequirementAsync(AuthorizationHandlerContext context, AppAccessRequirement requirement)
{
XacmlJsonRequestRoot request = DecisionHelper.CreateDecisionRequest(context, requirement, _httpContextAccessor.HttpContext.GetRouteData());
_logger.LogInformation($"// Storage PEP // AppAccessHandler // Request sent: {JsonConvert.SerializeObject(request)}");
XacmlJsonResponse response;
// Get The instance to enrich the request
Instance instance = await GetInstance(request);
if (instance != null)
{
AuthorizationHelper.EnrichXacmlJsonRequest(request, instance);
response = await GetDecisionForRequest(request);
}
else
{
response = await _pdp.GetDecisionForRequest(request);
}
if (response?.Response == null)
{
throw new Exception("Response is null from PDP");
}
if (!DecisionHelper.ValidatePdpDecision(response.Response, context.User))
{
context.Fail();
}
context.Succeed(requirement);
await Task.CompletedTask;
}
public async Task <ActionResult <Instance> > Post(string appId, [FromBody] Instance instance)
{
(Application appInfo, ActionResult appInfoError) = await GetApplicationOrErrorAsync(appId);
int instanceOwnerPartyId = int.Parse(instance.InstanceOwner.PartyId);
if (appInfoError != null)
{
return(appInfoError);
}
if (string.IsNullOrWhiteSpace(instance.InstanceOwner.PartyId))
{
return(BadRequest("Cannot create an instance without an instanceOwner.PartyId."));
}
// Checking that user is authorized to instantiate.
XacmlJsonRequestRoot request = DecisionHelper.CreateDecisionRequest(appInfo.Org, appInfo.Id.Split('/')[1], HttpContext.User, "instantiate", instanceOwnerPartyId, null);
XacmlJsonResponse response = await _pdp.GetDecisionForRequest(request);
if (response?.Response == null)
{
_logger.LogInformation($"// Instances Controller // Authorization of instantiation failed with request: {JsonConvert.SerializeObject(request)}.");
return(Forbid());
}
bool authorized = DecisionHelper.ValidatePdpDecision(response.Response, HttpContext.User);
if (!authorized)
{
return(Forbid());
}
Instance storedInstance = new Instance();
try
{
DateTime creationTime = DateTime.UtcNow;
string userId = GetUserId();
Instance instanceToCreate = CreateInstanceFromTemplate(appInfo, instance, creationTime, userId);
storedInstance = await _instanceRepository.Create(instanceToCreate);
await DispatchEvent(InstanceEventType.Created, storedInstance);
_logger.LogInformation($"Created instance: {storedInstance.Id}");
storedInstance.SetPlatformSelflink(_storageBaseAndHost);
return(Created(storedInstance.SelfLinks.Platform, storedInstance));
}
catch (Exception storageException)
{
_logger.LogError($"Unable to create {appId} instance for {instance.InstanceOwner.PartyId} due to {storageException}");
// compensating action - delete instance
await _instanceRepository.Delete(storedInstance);
_logger.LogError($"Deleted instance {storedInstance.Id}");
return(StatusCode(500, $"Unable to create {appId} instance for {instance.InstanceOwner.PartyId} due to {storageException.Message}"));
}
}
/// <summary>
/// This method authorize access bases on context and requirement
/// Is triggered by annotation on MVC action and setup in startup.
/// </summary>
/// <param name="context">The context</param>
/// <param name="requirement">The requirement</param>
/// <returns>A Task</returns>
protected override async Task HandleRequirementAsync(AuthorizationHandlerContext context, AppAccessRequirement requirement)
{
if (_pepSettings.DisablePEP)
{
context.Succeed(requirement);
return;
}
XacmlJsonRequestRoot request = DecisionHelper.CreateDecisionRequest(context, requirement, _httpContextAccessor.HttpContext.GetRouteData());
_logger.LogInformation($"// Altinn PEP // AppAccessHandler // Request sent: {JsonConvert.SerializeObject(request)}");
XacmlJsonResponse response = await _pdp.GetDecisionForRequest(request);
if (response?.Response == null)
{
throw new ArgumentNullException("response");
}
if (!DecisionHelper.ValidatePdpDecision(response.Response, context.User))
{
context.Fail();
}
context.Succeed(requirement);
await Task.CompletedTask;
}
private async Task <bool> Authorize(string currentTaskType, Instance instance)
{
string actionType;
if (string.IsNullOrEmpty(currentTaskType) || currentTaskType.Equals("data"))
{
actionType = "write";
}
else
{
actionType = currentTaskType;
}
string org = instance.Org;
string app = instance.AppId.Split("/")[1];
XacmlJsonRequestRoot request = DecisionHelper.CreateDecisionRequest(org, app, HttpContext.User, actionType, null, instance.Id);
XacmlJsonResponse response = await _pdp.GetDecisionForRequest(request);
if (response?.Response == null)
{
_logger.LogInformation($"// Instance Controller // Authorization to update Process failed: {JsonConvert.SerializeObject(request)}.");
return(false);
}
bool authorized = DecisionHelper.ValidatePdpDecision(response.Response, HttpContext.User);
return(authorized);
}
public void CreateXacmlJsonRequest_TC02()
{
// Arrange & Act
XacmlJsonRequestRoot requestRoot = DecisionHelper.CreateDecisionRequest(Org, App, CreateUserClaims(true), ActionType, PartyId, null);
XacmlJsonRequest request = requestRoot.Request;
// Assert
Assert.Equal(2, request.AccessSubject[0].Attribute.Count);
Assert.Single(request.Action[0].Attribute);
Assert.Equal(3, request.Resource[0].Attribute.Count);
}
private async Task <EnforcementResult> AuthorizeAction(string org, string app, int partyId, string action)
{
EnforcementResult enforcementResult = new EnforcementResult();
XacmlJsonRequestRoot request = DecisionHelper.CreateDecisionRequest(org, app, HttpContext.User, action, partyId, null);
XacmlJsonResponse response = await _pdp.GetDecisionForRequest(request);
if (response?.Response == null)
{
_logger.LogInformation($"// Instances Controller // Authorization of action {action} failed with request: {JsonConvert.SerializeObject(request)}.");
return(enforcementResult);
}
enforcementResult = DecisionHelper.ValidatePdpDecisionDetailed(response.Response, HttpContext.User);
return(enforcementResult);
}
private async Task <bool> AuthorizeAction(string currenTaskType, string org, string app, string instanceId)
{
string actionType = currenTaskType.Equals("data") ? "write" : null;
XacmlJsonRequestRoot request = DecisionHelper.CreateDecisionRequest(org, app, HttpContext.User, actionType, null, instanceId);
XacmlJsonResponse response = await _pdp.GetDecisionForRequest(request);
if (response?.Response == null)
{
_logger.LogInformation($"// Process Controller // Authorization of moving process forward failed with request: {JsonConvert.SerializeObject(request)}.");
return(false);
}
bool authorized = DecisionHelper.ValidatePdpDecision(response.Response, HttpContext.User);
return(authorized);
}
private async Task <bool> AuthorizeInstatiation(string org, string app, Party party)
{
bool authorized = false;
XacmlJsonRequestRoot request = DecisionHelper.CreateDecisionRequest(org, app, HttpContext.User, "instantiate", party.PartyId.ToString(), null);
XacmlJsonResponse response = await _pdp.GetDecisionForRequest(request);
if (response?.Response == null)
{
_logger.LogInformation($"// Instances Controller // Authorization of instantiation failed with request: {JsonConvert.SerializeObject(request)}.");
return(authorized);
}
authorized = DecisionHelper.ValidatePdpDecision(response.Response, HttpContext.User);
return(authorized);
}