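/// <summary>
/// Authorizes a decision request: enriches it, evaluates it against the retrieved policy and,
/// when the roles-based evaluation yields NotApplicable, falls back to a delegation-based evaluation.
/// </summary>
/// <param name="decisionRequest">The incoming XACML decision request; it is replaced by its enriched form.</param>
/// <returns>The delegation response when it permits, otherwise the roles-based response.</returns>
private async Task<XacmlContextResponse> Authorize(XacmlContextRequest decisionRequest)
{
    decisionRequest = await this._contextHandler.Enrich(decisionRequest);

    // The full request/response payloads carry subject identifiers and other attributes of the
    // caller; keep them out of routine Information-level logs and emit them only at Debug level.
    _logger.LogDebug($"// DecisionController // Authorize // Roles // Enriched request: {JsonConvert.SerializeObject(decisionRequest)}.");

    XacmlPolicy policy = await this._prp.GetPolicyAsync(decisionRequest);
    XacmlContextResponse rolesContextResponse = _pdp.Authorize(decisionRequest, policy);
    _logger.LogDebug($"// DecisionController // Authorize // Roles // XACML ContextResponse: {JsonConvert.SerializeObject(rolesContextResponse)}.");

    XacmlContextResult roleResult = rolesContextResponse.Results.First();
    if (roleResult.Decision.Equals(XacmlContextDecision.NotApplicable))
    {
        try
        {
            XacmlContextResponse delegationContextResponse = await AuthorizeBasedOnDelegations(decisionRequest, policy);
            XacmlContextResult delegationResult = delegationContextResponse.Results.First();
            if (delegationResult.Decision.Equals(XacmlContextDecision.Permit))
            {
                return delegationContextResponse;
            }
        }
        catch (Exception ex)
        {
            // Deliberate fail-closed behaviour: a failure in the delegation lookup must never
            // upgrade the decision, so the roles-based (NotApplicable) response is returned.
            _logger.LogError(ex, "// DecisionController // Authorize // Delegation // Unexpected Exception");
        }
    }

    return rolesContextResponse;
}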
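/// <summary>
/// Test helper: loads the conformance request (optionally its pre-enriched variant) and policy
/// for <paramref name="testCase"/> and evaluates them with a <see cref="PolicyDecisionPoint"/>.
/// </summary>
/// <param name="testCase">File-name prefix of the conformance test data ("Request.xml", "Request_Enriched.xml", "Policy.xml").</param>
/// <param name="contextRequstIsEnriched">When true, the "Request_Enriched.xml" variant is evaluated instead of "Request.xml".</param>
/// <returns>The XACML context response produced by the PDP.</returns>
private XacmlContextResponse SetuUpPolicyDecisionPoint(string testCase, bool contextRequstIsEnriched)
{
    string conformancePath = GetConformancePath();

    XacmlContextRequest contextRequest = XacmlTestDataParser.ParseRequest(testCase + "Request.xml", conformancePath);
    XacmlContextRequest contextRequestEnriched = contextRequest;
    if (contextRequstIsEnriched)
    {
        contextRequestEnriched = XacmlTestDataParser.ParseRequest(testCase + "Request_Enriched.xml", conformancePath);
    }

    // A malformed policy document deliberately leaves the policy null, so that the PDP's
    // handling of a missing/unparseable policy is what gets exercised for such cases.
    XacmlPolicy policy = null;
    try
    {
        policy = XacmlTestDataParser.ParsePolicy(testCase + "Policy.xml", conformancePath);
    }
    catch (XmlException)
    {
    }

    // The PDP is invoked directly with the parsed request and policy; no context handler or
    // policy retrieval point takes part in this call, so none needs to be mocked.
    PolicyDecisionPoint pdp = new PolicyDecisionPoint();
    return pdp.Authorize(contextRequestEnriched, policy);
}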
/// <summary>
/// Enriches the decision request, fetches the applicable policy and evaluates the enriched
/// request against it with a fresh <see cref="PolicyDecisionPoint"/>.
/// </summary>
/// <param name="decisionRequest">The incoming XACML decision request.</param>
/// <returns>The XACML context response produced by the PDP.</returns>
private async Task<XacmlContextResponse> Authorize(XacmlContextRequest decisionRequest)
{
    XacmlContextRequest enrichedRequest = await Enrich(decisionRequest);
    XacmlPolicy applicablePolicy = await GetPolicyAsync(enrichedRequest);
    return new PolicyDecisionPoint().Authorize(enrichedRequest, applicablePolicy);
}
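/// <summary>
/// Enriches the decision request, retrieves the applicable policy and evaluates the request
/// with a fresh <see cref="PolicyDecisionPoint"/>.
/// </summary>
/// <param name="decisionRequest">The incoming XACML decision request; it is replaced by its enriched form.</param>
/// <returns>The XACML context response produced by the PDP.</returns>
private async Task<XacmlContextResponse> Authorize(XacmlContextRequest decisionRequest)
{
    decisionRequest = await this._contextHandler.Enrich(decisionRequest);

    // The full request/response payloads carry subject identifiers and other attributes of the
    // caller; keep them out of routine Information-level logs and emit them only at Debug level.
    _logger.LogDebug($"// DecisionController // Authorize // Enriched request: {JsonConvert.SerializeObject(decisionRequest)}.");

    XacmlPolicy policy = await this._prp.GetPolicyAsync(decisionRequest);
    PolicyDecisionPoint pdp = new PolicyDecisionPoint();
    XacmlContextResponse xacmlContextResponse = pdp.Authorize(decisionRequest, policy);
    _logger.LogDebug($"// DecisionController // Authorize // XACML ContextResponse: {JsonConvert.SerializeObject(xacmlContextResponse)}.");

    return xacmlContextResponse;
}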
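/// <summary>
/// Evaluates a read request on a medical record against a single policy that has one
/// resource target match and no rules, and expects exactly one Permit result.
/// </summary>
public void PolicyDecisionPointShouldAllowReadForAllMedicalRecords()
{
    // Arrange: one policy with a single resource target match and an empty rule set.
    var policyManagementPoint = new PolicyManagementPoint();
    policyManagementPoint.Policies.Add(
        new Policy(
            id: "urn:oasis:names:tc:xacml:3.0:example:policyid:1",
            target: new Target(
                new AnyOf(
                    new AllOf(
                        new StringEqualMatch(
                            new AttributeDesignator(
                                Constants.Category.Resource,
                                Resource.TargetNamespace,
                                DataType.AnyUri),
                            new AttributeValue(
                                DataType.AnyUri,
                                ""))))),
            combiningAlgorithm: new DenyOverridesCombiningAlgorithm(),
            rules: new IRule[] { }));

    var policyDecisionPoint = new PolicyDecisionPoint(policyManagementPoint);

    // Act: subject, resource and action categories for a read on one record.
    var authorizationResponse = policyDecisionPoint.Authorize(
        new AuthorizationRequest(
            new AuthorizationContext(
                new AttributeCategory(
                    Constants.Category.AccessSubject,
                    new Attribute(
                        Constants.Attribute.SubjectId,
                        new AttributeValue(
                            dataType: DataType.Rfc822Name,
                            value: "*****@*****.**"))),
                new AttributeCategory(
                    Constants.Category.Resource,
                    new Attribute(
                        Constants.Attribute.ResourceId,
                        new AttributeValue(
                            dataType: DataType.AnyUri,
                            value: "urn:simple:medical:record:12345"))),
                new AttributeCategory(
                    Constants.Category.Action,
                    new Attribute(
                        Constants.Attribute.ActionId,
                        new AttributeValue(
                            dataType: DataType.String,
                            value: "read"))))));

    // Assert: Assert.AreEqual takes (expected, actual); keeping that order gives a
    // meaningful failure message when the decision is not Permit.
    Assert.IsNotNull(authorizationResponse);
    Assert.AreEqual(1, authorizationResponse.Results.Count());
    Assert.AreEqual(Decision.Permit, authorizationResponse.Results.First().Decision);
}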
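/// <summary>
/// Receives a XACML request body, evaluates it through the policy decision point and returns the
/// context response as JSON when the client accepts application/json, otherwise as XML.
/// </summary>
/// <param name="model">The request body; untrusted client input, parsed by <c>ParseApiBody</c>.</param>
/// <returns>
/// 200 OK with a <see cref="XacmlJsonResponse"/> for JSON clients, otherwise the serialized XML
/// context response. A body that cannot be parsed yields an Indeterminate / SyntaxError response.
/// </returns>
public ActionResult Post([FromBody] XacmlRequestApiModel model)
{
    XacmlContextRequest request = null;
    XacmlContextResponse xacmlContextResponse = null;

    try
    {
        request = ParseApiBody(model);
    }
    catch (Exception)
    {
        // Any failure to parse the client-supplied body is reported as the XACML
        // Indeterminate / SyntaxError response instead of surfacing exception details.
        XacmlContextResult result = new XacmlContextResult(XacmlContextDecision.Indeterminate)
        {
            Status = new XacmlContextStatus(XacmlContextStatusCode.SyntaxError),
        };
        xacmlContextResponse = new XacmlContextResponse(result);
    }

    if (request != null)
    {
        PolicyDecisionPoint pdp = new PolicyDecisionPoint(_contextHandler, _prp);
        xacmlContextResponse = pdp.Authorize(request);
    }

    if (AcceptsJson(HttpContext.Request.Headers["Accept"]))
    {
        XacmlJsonResponse jsonReponse = XacmlJsonXmlConverter.ConvertResponse(xacmlContextResponse);
        return Ok(jsonReponse);
    }

    StringBuilder builder = new StringBuilder();
    using (XmlWriter writer = XmlWriter.Create(builder))
    {
        XacmlSerializer.WriteContextResponse(writer, xacmlContextResponse);
    }

    // The body is XML; label it as such rather than relying on the text/plain default of Content(string).
    return Content(builder.ToString(), "application/xml");
}

/// <summary>
/// Returns true when any media type listed in the Accept header is application/json. Media types
/// are case-insensitive and may carry parameters ("; charset=utf-8") or appear as one of several
/// comma-separated alternatives, so an exact string comparison would reject valid JSON requests.
/// </summary>
/// <param name="accept">The raw Accept header value; null or empty means "no preference".</param>
private static bool AcceptsJson(string accept)
{
    if (string.IsNullOrEmpty(accept))
    {
        return false;
    }

    foreach (string mediaType in accept.Split(','))
    {
        string typeOnly = mediaType.Split(';')[0].Trim();
        if (typeOnly.Equals("application/json", StringComparison.OrdinalIgnoreCase))
        {
            return true;
        }
    }

    return false;
}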
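/// <summary>
/// Test helper: loads the Altinn Apps request (optionally its pre-enriched variant) and policy
/// for <paramref name="testCase"/> and evaluates them with a <see cref="PolicyDecisionPoint"/>.
/// </summary>
/// <param name="testCase">File-name prefix of the test data ("Request.xml", "Request_Enriched.xml", "Policy.xml").</param>
/// <param name="contextRequstIsEnriched">When true, the "Request_Enriched.xml" variant is evaluated instead of "Request.xml".</param>
/// <returns>The XACML context response produced by the PDP.</returns>
private XacmlContextResponse SetuUpPolicyDecisionPoint(string testCase, bool contextRequstIsEnriched)
{
    string altinnAppsPath = GetAltinnAppsPath();

    XacmlContextRequest contextRequest = XacmlTestDataParser.ParseRequest(testCase + "Request.xml", altinnAppsPath);
    XacmlContextRequest contextRequestEnriched = contextRequest;
    if (contextRequstIsEnriched)
    {
        contextRequestEnriched = XacmlTestDataParser.ParseRequest(testCase + "Request_Enriched.xml", altinnAppsPath);
    }

    XacmlPolicy policy = XacmlTestDataParser.ParsePolicy(testCase + "Policy.xml", altinnAppsPath);

    // The PDP is invoked directly with the (already enriched) request and the parsed policy,
    // so no IContextHandler mock takes part in this call and none is created.
    PolicyDecisionPoint pdp = new PolicyDecisionPoint();
    return pdp.Authorize(contextRequestEnriched, policy);
}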
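/// <summary>
/// Produces a XACML JSON decision for the given request. A multi-request is split into one part per
/// request reference and each part is evaluated via <c>Authorize</c>; a single request whose subject
/// has a numeric "urn:altinn:userid" of 3 or more, or an "urn:altinn:org" attribute, is evaluated by
/// the PDP; user id "1" returns the canned permit response and every other subject the canned deny response.
/// </summary>
/// <param name="xacmlJsonRequest">The incoming JSON request; treated as untrusted input.</param>
/// <returns>
/// The JSON response. Never null: a failure while evaluating a multi-request, a missing subject
/// or an unrecognized subject all yield the canned deny response (fail closed).
/// </returns>
public async Task<XacmlJsonResponse> GetDecisionForRequest(XacmlJsonRequestRoot xacmlJsonRequest)
{
    const string PermitResponsePath = "data/response_permit.json";
    const string DenyResponsePath = "data/response_deny.json";

    string jsonResponse;

    if (xacmlJsonRequest.Request.MultiRequests != null)
    {
        try
        {
            return await AuthorizeMultiRequest(xacmlJsonRequest.Request);
        }
        catch (Exception)
        {
            // Fail closed: an error while evaluating the multi-request yields the canned deny
            // response rather than a null response object.
            jsonResponse = File.ReadAllText(DenyResponsePath);
        }
    }
    else
    {
        // Guard the subject lookup; a request without a subject category cannot be permitted.
        bool hasSubject = xacmlJsonRequest.Request.AccessSubject != null
            && xacmlJsonRequest.Request.AccessSubject.Any()
            && xacmlJsonRequest.Request.AccessSubject[0].Attribute != null;
        var subjectAttributes = hasSubject ? xacmlJsonRequest.Request.AccessSubject[0].Attribute : null;

        bool hasOrg = hasSubject && subjectAttributes.Exists(a => a.AttributeId == "urn:altinn:org");

        // TryParse instead of Parse: a non-numeric user id is client input and must not throw.
        bool hasUserIdAtLeast3 = hasSubject && subjectAttributes.Exists(a =>
            a.AttributeId == "urn:altinn:userid" && int.TryParse(a.Value, out int userId) && userId >= 3);

        if (hasUserIdAtLeast3 || hasOrg)
        {
            XacmlContextRequest decisionRequest = XacmlJsonXmlConverter.ConvertRequest(xacmlJsonRequest.Request);
            decisionRequest = await Enrich(decisionRequest);
            XacmlPolicy policy = await GetPolicyAsync(decisionRequest);
            XacmlContextResponse contextResponse = new PolicyDecisionPoint().Authorize(decisionRequest, policy);
            return XacmlJsonXmlConverter.ConvertResponse(contextResponse);
        }

        // Only user id "1" maps to the canned permit; every other subject (including "-1") is denied.
        bool isUserIdOne = hasSubject && subjectAttributes.Exists(a =>
            a.AttributeId == "urn:altinn:userid" && a.Value == "1");
        jsonResponse = File.ReadAllText(isUserIdOne ? PermitResponsePath : DenyResponsePath);
    }

    return JsonConvert.DeserializeObject<XacmlJsonResponse>(jsonResponse);
}

/// <summary>
/// Evaluates a multi-request: for each request reference, assembles a single request from the
/// resource, subject and action categories whose Id is listed in the reference, authorizes it and
/// collects the first result of each part into one response.
/// </summary>
/// <param name="request">The multi-request; <c>MultiRequests</c> must be non-null.</param>
/// <returns>A response holding one result per request reference.</returns>
private async Task<XacmlJsonResponse> AuthorizeMultiRequest(XacmlJsonRequest request)
{
    XacmlJsonResponse multiResponse = new XacmlJsonResponse();

    foreach (XacmlJsonRequestReference reference in request.MultiRequests.RequestReference)
    {
        XacmlJsonRequest part = new XacmlJsonRequest();
        foreach (string refer in reference.ReferenceId)
        {
            part.Resource = AppendMatching(part.Resource, request.Resource, refer);
            part.AccessSubject = AppendMatching(part.AccessSubject, request.AccessSubject, refer);
            part.Action = AppendMatching(part.Action, request.Action, refer);
        }

        XacmlContextResponse partResponse = await Authorize(XacmlJsonXmlConverter.ConvertRequest(part));
        XacmlJsonResponse partJsonResponse = XacmlJsonXmlConverter.ConvertResponse(partResponse);

        if (multiResponse.Response == null)
        {
            multiResponse.Response = new List<XacmlJsonResult>();
        }

        multiResponse.Response.Add(partJsonResponse.Response.First());
    }

    return multiResponse;
}

/// <summary>
/// Appends the categories from <paramref name="source"/> whose Id equals <paramref name="refer"/>
/// to <paramref name="target"/>, creating the target list on first match.
/// </summary>
/// <returns>The (possibly newly created) target; it stays null when nothing matched or the source is null.</returns>
private static List<XacmlJsonCategory> AppendMatching(List<XacmlJsonCategory> target, IEnumerable<XacmlJsonCategory> source, string refer)
{
    if (source == null)
    {
        return target;
    }

    List<XacmlJsonCategory> matches = source.Where(c => c.Id.Equals(refer)).ToList();
    if (matches.Count == 0)
    {
        return target;
    }

    List<XacmlJsonCategory> result = target ?? new List<XacmlJsonCategory>();
    result.AddRange(matches);
    return result;
}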