/// <summary>
/// Runs test case IIA002 through the policy decision point and compares the
/// outcome with the expected response stored next to the conformance data.
/// </summary>
public void PDP_AuthorizeAccess_IIA002()
{
    const bool useEnrichedRequest = true;
    const string caseName = "IIA002";

    // The expected response is parsed first so a missing fixture fails before the PDP runs.
    XacmlContextResponse expected = XacmlTestDataParser.ParseResponse(caseName + "Response.xml", GetConformancePath());

    XacmlContextResponse actual = SetuUpPolicyDecisionPoint(caseName, useEnrichedRequest);

    AssertionUtil.AssertEqual(expected, actual);
}
/// <summary>
/// Asserts that two <see cref="XacmlContextResponse"/> instances hold the same number
/// of results and that their first results are equal.
/// </summary>
/// <remarks>
/// Only the first result of each response is compared in detail; any further results
/// are covered by the count check alone.
/// </remarks>
/// <param name="expected">The response holding the expected values.</param>
/// <param name="actual">The response under verification.</param>
public static void AssertEqual(XacmlContextResponse expected, XacmlContextResponse actual)
{
    Assert.NotNull(actual);
    Assert.NotNull(expected);

    int expectedResultCount = expected.Results.Count;
    Assert.Equal(expectedResultCount, actual.Results.Count);

    if (expectedResultCount > 0)
    {
        // Delegates to the overload that compares two individual results.
        AssertEqual(expected.Results.First(), actual.Results.First());
    }
}
/// <summary>
/// Enriches the decision request, looks up the policy for the enriched request and
/// lets a new <see cref="PolicyDecisionPoint"/> evaluate the two.
/// </summary>
/// <param name="decisionRequest">The decision request to evaluate.</param>
/// <returns>The context response returned by the policy decision point.</returns>
private async Task<XacmlContextResponse> Authorize(XacmlContextRequest decisionRequest)
{
    // The policy lookup and the evaluation both work on the enriched request, never on the raw one.
    XacmlContextRequest enrichedRequest = await Enrich(decisionRequest);
    XacmlPolicy applicablePolicy = await GetPolicyAsync(enrichedRequest);

    PolicyDecisionPoint decisionPoint = new PolicyDecisionPoint();
    return decisionPoint.Authorize(enrichedRequest, applicablePolicy);
}
/// <summary>
/// Sends the XACML request of test case AltinnApps0005 through the test client and
/// compares the returned context response with the expected one.
/// </summary>
public async Task PDP_Decision_AltinnApps0005()
{
    // Arrange
    const string caseName = "AltinnApps0005";
    HttpClient testClient = GetTestClient();
    HttpRequestMessage decisionRequest = TestSetupUtil.CreateXacmlRequest(caseName);
    XacmlContextResponse expectedResponse = TestSetupUtil.ReadExpectedResponse(caseName);

    // Act
    XacmlContextResponse actualResponse = await TestSetupUtil.GetXacmlContextResponseAsync(testClient, decisionRequest);

    // Assert
    AssertionUtil.AssertEqual(expectedResponse, actualResponse);
}
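/// <summary>
/// Enriches the decision request through the context handler, retrieves the policy for
/// the enriched request and lets a new <see cref="PolicyDecisionPoint"/> evaluate the two.
/// </summary>
/// <param name="decisionRequest">The decision request to evaluate.</param>
/// <returns>The context response returned by the policy decision point.</returns>
private async Task<XacmlContextResponse> Authorize(XacmlContextRequest decisionRequest)
{
    decisionRequest = await this._contextHandler.Enrich(decisionRequest);

    // The complete enriched request and the complete response are serialized into the log.
    // Serialization is skipped when Information logging is off, and the JSON is passed as a
    // template argument instead of being interpolated into the message template.
    // NOTE(review): confirm that the log sink is allowed to hold full decision requests.
    bool traceDecision = _logger.IsEnabled(LogLevel.Information);
    if (traceDecision)
    {
        _logger.LogInformation(
            "// DecisionController // Authorize // Enriched request: {EnrichedRequest}.",
            JsonConvert.SerializeObject(decisionRequest));
    }

    XacmlPolicy policy = await this._prp.GetPolicyAsync(decisionRequest);

    PolicyDecisionPoint pdp = new PolicyDecisionPoint();
    XacmlContextResponse xacmlContextResponse = pdp.Authorize(decisionRequest, policy);

    if (traceDecision)
    {
        _logger.LogInformation(
            "// DecisionController // Authorize // XACML ContextResponse: {ContextResponse}.",
            JsonConvert.SerializeObject(xacmlContextResponse));
    }

    return xacmlContextResponse;
}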
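/// <summary>
/// Parses the body of the API model as a XACML XML request, authorizes it and wraps the
/// decision in an action result.
/// </summary>
/// <param name="model">The API model whose <c>BodyContent</c> holds the XML request.</param>
/// <returns>The action result created from the context response.</returns>
private async Task<ActionResult> AuthorizeXmlRequest(XacmlRequestApiModel model)
{
    // The body comes from the caller, so the parser limits are stated explicitly instead of
    // being left to platform defaults: no DTD processing and no resolution of external resources.
    XmlReaderSettings readerSettings = new XmlReaderSettings
    {
        DtdProcessing = DtdProcessing.Prohibit,
        XmlResolver = null,
    };

    XacmlContextRequest request;
    using (XmlReader reader = XmlReader.Create(new StringReader(model.BodyContent), readerSettings))
    {
        request = XacmlParser.ReadContextRequest(reader);
    }

    XacmlContextResponse xacmlContextResponse = await Authorize(request);
    return CreateResponse(xacmlContextResponse);
}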
/// <summary>
/// Serializes the context response to XML and returns it as the content of the action result.
/// </summary>
/// <param name="xacmlContextResponse">The context response to serialize.</param>
/// <returns>A content result holding the serialized XML.</returns>
private ActionResult CreateResponse(XacmlContextResponse xacmlContextResponse)
{
    StringBuilder xmlBuffer = new StringBuilder();

    // The writer is disposed before the buffer is read so that everything has been flushed.
    using (XmlWriter xmlWriter = XmlWriter.Create(xmlBuffer))
    {
        XacmlSerializer.WriteContextResponse(xmlWriter, xacmlContextResponse);
    }

    // No content type is passed here; it is left to the Content(string) overload.
    return Content(xmlBuffer.ToString());
}
/// <summary>
/// Test case IIE003 for the XACML 2.0 serializer: the policy references two further
/// policies, which are served by a mocked policy repository during evaluation.
/// </summary>
public void IIE003_20()
{
    // Load the fixture documents in the same order as the case lists them.
    XmlDocument policyDocument = new XmlDocument();
    policyDocument.Load(Path.Combine(Xacml20TestsCases.TestCasePath, "IIE003Policy.xml"));

    XmlDocument requestDocument = new XmlDocument();
    requestDocument.Load(Path.Combine(Xacml20TestsCases.TestCasePath, "IIE003Request.xml"));

    XmlDocument responseDocument = new XmlDocument();
    responseDocument.Load(Path.Combine(Xacml20TestsCases.TestCasePath, "IIE003Response.xml"));

    XmlDocument firstPolicyDocument = new XmlDocument();
    firstPolicyDocument.Load(Path.Combine(Xacml20TestsCases.TestCasePath, "IIE003PolicyId1.xml"));

    XmlDocument secondPolicyDocument = new XmlDocument();
    secondPolicyDocument.Load(Path.Combine(Xacml20TestsCases.TestCasePath, "IIE003PolicyId2.xml"));

    Xacml20ProtocolSerializer serializer = new Xacml20ProtocolSerializer();

    XacmlContextRequest parsedRequest;
    using (XmlReader requestReader = XmlReader.Create(new StringReader(requestDocument.OuterXml)))
    {
        parsedRequest = serializer.ReadContextRequest(requestReader);
    }

    XacmlContextResponse expectedResponse;
    using (XmlReader responseReader = XmlReader.Create(new StringReader(responseDocument.OuterXml)))
    {
        expectedResponse = serializer.ReadContextResponse(responseReader);
    }

    XacmlPolicy firstPolicy;
    using (XmlReader firstPolicyReader = XmlReader.Create(new StringReader(firstPolicyDocument.OuterXml)))
    {
        firstPolicy = serializer.ReadPolicy(firstPolicyReader);
    }

    XacmlPolicy secondPolicy;
    using (XmlReader secondPolicyReader = XmlReader.Create(new StringReader(secondPolicyDocument.OuterXml)))
    {
        secondPolicy = serializer.ReadPolicy(secondPolicyReader);
    }

    // The repository knows the two referenced policies by id and has no policy sets at all.
    IXacmlPolicyRepository repository = Substitute.For<IXacmlPolicyRepository>();
    repository.RequestPolicy(Arg.Is(firstPolicy.PolicyId)).Returns(firstPolicy);
    repository.RequestPolicy(Arg.Is(secondPolicy.PolicyId)).Returns(secondPolicy);
    repository.RequestPolicySet(Arg.Any<Uri>()).Returns((XacmlPolicySet)null);

    EvaluationEngine engine = EvaluationEngineFactory.Create(policyDocument, repository);
    XacmlContextResponse actualResponse = engine.Evaluate(parsedRequest, requestDocument);

    XacmlResponseAssert(expectedResponse, actualResponse);
}
/// <summary>
/// Serializes a NotApplicable/Success response with the XACML 1.1 serializer and validates
/// the produced XML against the context schema file of the test cases.
/// </summary>
public void WriteResponse_11()
{
    XacmlContextStatus successStatus = new XacmlContextStatus(XacmlContextStatusCode.Success);
    XacmlContextResult notApplicableResult = new XacmlContextResult(XacmlContextDecision.NotApplicable, successStatus);
    XacmlContextResponse response = new XacmlContextResponse(notApplicableResult);

    StringBuilder xmlBuffer = new StringBuilder();
    using (XmlWriter xmlWriter = XmlWriter.Create(xmlBuffer))
    {
        Xacml11ProtocolSerializer serializer = new Xacml11ProtocolSerializer();
        serializer.WriteContextResponse(xmlWriter, response);
    }

    // The buffer is read only after the writer has been disposed.
    string serializedXml = xmlBuffer.ToString();
    string schemaPath = Path.Combine(TestCasePath, "cs-xacml-schema-context-01.xsd");

    ValidateMessage(serializedXml, schemaPath);
}
/// <summary>
/// Test case IID030 for the XACML 3.0 serializer: two policies are combined in a policy
/// set that uses the only-one-applicable combining algorithm.
/// </summary>
public void IID030_30()
{
    // Load the fixture documents in the same order as the case lists them.
    XmlDocument requestDocument = new XmlDocument();
    requestDocument.Load(Path.Combine(Xacml30TestsCases.TestCasePath, "IID030Request.xml"));

    XmlDocument responseDocument = new XmlDocument();
    responseDocument.Load(Path.Combine(Xacml30TestsCases.TestCasePath, "IID030Response.xml"));

    XmlDocument firstPolicyDocument = new XmlDocument();
    firstPolicyDocument.Load(Path.Combine(Xacml30TestsCases.TestCasePath, "IID030Policy1.xml"));

    XmlDocument secondPolicyDocument = new XmlDocument();
    secondPolicyDocument.Load(Path.Combine(Xacml30TestsCases.TestCasePath, "IID030Policy2.xml"));

    Xacml30ProtocolSerializer serializer = new Xacml30ProtocolSerializer();

    XacmlContextRequest parsedRequest;
    using (XmlReader requestReader = XmlReader.Create(new StringReader(requestDocument.OuterXml)))
    {
        parsedRequest = serializer.ReadContextRequest(requestReader);
    }

    XacmlContextResponse expectedResponse;
    using (XmlReader responseReader = XmlReader.Create(new StringReader(responseDocument.OuterXml)))
    {
        expectedResponse = serializer.ReadContextResponse(responseReader);
    }

    XacmlPolicy firstPolicy;
    using (XmlReader firstPolicyReader = XmlReader.Create(new StringReader(firstPolicyDocument.OuterXml)))
    {
        firstPolicy = serializer.ReadPolicy(firstPolicyReader);
    }

    XacmlPolicy secondPolicy;
    using (XmlReader secondPolicyReader = XmlReader.Create(new StringReader(secondPolicyDocument.OuterXml)))
    {
        secondPolicy = serializer.ReadPolicy(secondPolicyReader);
    }

    // TODO: PolicyCombiningAlgorithms
    XacmlPolicySet combinedPolicies = new XacmlPolicySet(Xacml10Constants.PolicyCombiningAlgorithms.OnlyOneApplicable, new XacmlTarget());
    combinedPolicies.Policies.Add(firstPolicy);
    combinedPolicies.Policies.Add(secondPolicy);

    EvaluationEngine engine = new EvaluationEngine30(combinedPolicies);
    XacmlContextResponse actualResponse = engine.Evaluate(parsedRequest, requestDocument);

    XacmlResponseAssert(expectedResponse, actualResponse);
}
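/// <summary>
/// Serializes a XACML context response as a <c>Response</c> element holding one child
/// element per result.
/// </summary>
/// <param name="writer">The XML writer that receives the output.</param>
/// <param name="xacmlContextResponse">The response to serialize.</param>
/// <exception cref="InvalidOperationException">The response holds no results.</exception>
public static void WriteContextResponse(XmlWriter writer, XacmlContextResponse xacmlContextResponse)
{
    Guard.ArgumentNotNull(writer, nameof(writer));
    Guard.ArgumentNotNull(xacmlContextResponse, nameof(xacmlContextResponse));

    // Reject an empty response before anything is written, so a failed call does not
    // leave an unclosed Response start tag in the caller's writer.
    if (xacmlContextResponse.Results.Count == 0)
    {
        throw new InvalidOperationException("Empty result");
    }

    writer.WriteStartElement(XacmlConstants.Prefixes.Xacml, XacmlConstants.ElementNames.Response, Xacml30Constants.NameSpaces.Policy);

    foreach (var result in xacmlContextResponse.Results)
    {
        WriteContextResult(writer, result);
    }

    writer.WriteEndElement();
}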
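/// <summary>
/// Parses the posted decision request, lets the policy decision point evaluate it and
/// returns the decision as JSON or XML depending on the Accept header.
/// </summary>
/// <param name="model">The API model holding the posted request body.</param>
/// <returns>
/// An OK result with the JSON response when the Accept header is exactly
/// <c>application/json</c>; otherwise a content result with the XML response.
/// </returns>
public ActionResult Post([FromBody] XacmlRequestApiModel model)
{
    XacmlContextRequest request;
    try
    {
        request = ParseApiBody(model);
    }
    catch (Exception)
    {
        // A body that cannot be parsed is answered with Indeterminate/SyntaxError below.
        request = null;
    }

    XacmlContextResponse xacmlContextResponse;
    if (request != null)
    {
        PolicyDecisionPoint pdp = new PolicyDecisionPoint(_contextHandler, _prp);
        xacmlContextResponse = pdp.Authorize(request);
    }
    else
    {
        // Fail closed. This branch also covers a parser that returns null without throwing
        // (ParseApiBody is not visible from here), which previously left the response null
        // and failed later during serialization.
        XacmlContextResult result = new XacmlContextResult(XacmlContextDecision.Indeterminate)
        {
            Status = new XacmlContextStatus(XacmlContextStatusCode.SyntaxError)
        };
        xacmlContextResponse = new XacmlContextResponse(result);
    }

    // Only an exact, case-sensitive "application/json" selects JSON; any other Accept value
    // (including lists or parameters) falls through to XML.
    string accept = HttpContext.Request.Headers["Accept"];
    if (!string.IsNullOrEmpty(accept) && string.Equals(accept, "application/json", StringComparison.Ordinal))
    {
        XacmlJsonResponse jsonReponse = XacmlJsonXmlConverter.ConvertResponse(xacmlContextResponse);
        return Ok(jsonReponse);
    }

    StringBuilder builder = new StringBuilder();
    using (XmlWriter writer = XmlWriter.Create(builder))
    {
        XacmlSerializer.WriteContextResponse(writer, xacmlContextResponse);
    }

    string xml = builder.ToString();
    return Content(xml);
}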
/// <summary>
/// Converts the JSON decision request to a context request, enriches it, evaluates it
/// against the policy found for it and converts the decision back to JSON.
/// </summary>
/// <param name="xacmlJsonRequest">The root object wrapping the JSON decision request.</param>
/// <returns>The JSON response, or <c>null</c> when any step throws.</returns>
public async Task<XacmlJsonResponse> GetDecisionForRequest(XacmlJsonRequestRoot xacmlJsonRequest)
{
    try
    {
        XacmlContextRequest enrichedRequest = await Enrich(XacmlJsonXmlConverter.ConvertRequest(xacmlJsonRequest.Request));

        Altinn.Authorization.ABAC.PolicyDecisionPoint decisionPoint = new Altinn.Authorization.ABAC.PolicyDecisionPoint();
        XacmlPolicy applicablePolicy = await GetPolicyAsync(enrichedRequest);

        XacmlContextResponse decision = decisionPoint.Authorize(enrichedRequest, applicablePolicy);
        return XacmlJsonXmlConverter.ConvertResponse(decision);
    }
    catch
    {
        // NOTE(review): every failure is swallowed here without a trace and surfaces as a
        // null response. Callers have to treat null as "no permit"; confirm that they do.
        return null;
    }
}
/// <summary>
/// Loads the request and policy files of a test case and evaluates them with a new
/// <see cref="PolicyDecisionPoint"/>.
/// </summary>
/// <param name="testCase">The file name prefix of the test case.</param>
/// <param name="contextRequstIsEnriched">
/// When true, the <c>Request_Enriched.xml</c> file is evaluated instead of <c>Request.xml</c>.
/// </param>
/// <returns>The context response returned by the policy decision point.</returns>
private XacmlContextResponse SetuUpPolicyDecisionPoint(string testCase, bool contextRequstIsEnriched)
{
    // The plain request is always parsed, also when the enriched file replaces it below.
    XacmlContextRequest requestToEvaluate = XacmlTestDataParser.ParseRequest(testCase + "Request.xml", GetAltinnAppsPath());
    if (contextRequstIsEnriched)
    {
        requestToEvaluate = XacmlTestDataParser.ParseRequest(testCase + "Request_Enriched.xml", GetAltinnAppsPath());
    }

    XacmlPolicy policy = XacmlTestDataParser.ParsePolicy(testCase + "Policy.xml", GetAltinnAppsPath());

    // NOTE(review): this mock is configured but never handed to the PolicyDecisionPoint, so
    // the Enrich call is not exercised; the pre-enriched request is evaluated directly.
    Mock<IContextHandler> contextHandlerMock = new Mock<IContextHandler>();
    contextHandlerMock.Setup(handler => handler.Enrich(It.IsAny<XacmlContextRequest>())).ReturnsAsync(requestToEvaluate);

    PolicyDecisionPoint decisionPoint = new PolicyDecisionPoint();
    return decisionPoint.Authorize(requestToEvaluate, policy);
}
/// <summary>
/// Converts a XACML context response into its JSON object representation.
/// </summary>
/// <param name="xacmlContextResponse">The context response to convert.</param>
/// <returns>A JSON response holding one JSON result per context result.</returns>
public static XacmlJsonResponse ConvertResponse(XacmlContextResponse xacmlContextResponse)
{
    XacmlJsonResponse response = new XacmlJsonResponse
    {
        Response = new List<XacmlJsonResult>(),
    };

    foreach (XacmlContextResult contextResult in xacmlContextResponse.Results)
    {
        // NOTE(review): the status chain is dereferenced without null checks, so a result
        // that carries no Status (or no status code value) makes this conversion throw.
        XacmlJsonResult jsonResult = new XacmlJsonResult
        {
            Decision = contextResult.Decision.ToString(),
            Status = new XacmlJsonStatus
            {
                StatusCode = new XacmlJsonStatusCode
                {
                    Value = contextResult.Status.StatusCode.Value.OriginalString,
                },
            },
            Obligations = ConvertObligations(contextResult.Obligations),
        };

        response.Response.Add(jsonResult);
    }

    return response;
}
/// <summary>
/// Evaluates a request against a policy without a policy repository and checks the
/// decision and the number of obligations of the first result against the expected response.
/// </summary>
/// <param name="policy">The policy document to evaluate against.</param>
/// <param name="request">The request document.</param>
/// <param name="response">The document holding the expected response.</param>
public void RunOfficialTestsCheckResult_Geo(XmlDocument policy, XmlDocument request, XmlDocument response)
{
    Xacml30ProtocolSerializer serializer = new Xacml30ProtocolSerializer();

    XacmlContextRequest parsedRequest;
    using (XmlReader requestReader = XmlReader.Create(new StringReader(request.OuterXml)))
    {
        parsedRequest = serializer.ReadContextRequest(requestReader);
    }

    XacmlContextResponse expectedResponse;
    using (XmlReader responseReader = XmlReader.Create(new StringReader(response.OuterXml)))
    {
        expectedResponse = serializer.ReadContextResponse(responseReader);
    }

    // No policy repository is supplied for this evaluation.
    EvaluationEngine engine = EvaluationEngineFactory.Create(policy, null);
    XacmlContextResponse actualResponse = engine.Evaluate(parsedRequest, request);

    // Only the first result of each response is inspected; the status message of the
    // evaluated result is used as the failure message.
    Assert.AreEqual(
        expectedResponse.Results.First().Decision,
        actualResponse.Results.First().Decision,
        actualResponse.Results.First().Status.StatusMessage);

    bool sameObligationCount = actualResponse.Results.First().Obligations.Count == expectedResponse.Results.First().Obligations.Count;
    Assert.True(sameObligationCount);
}
/// <summary>
/// Routes the posted decision request to the JSON or the XML handler based on the
/// request content type and answers Indeterminate/SyntaxError when handling throws.
/// </summary>
/// <param name="model">The API model holding the posted request body.</param>
/// <returns>The action result carrying the decision.</returns>
public async Task<ActionResult> Post([FromBody] XacmlRequestApiModel model)
{
    try
    {
        // A request without a content type throws here and is answered by the catch block.
        bool isJsonBody = Request.ContentType.Contains("application/json");
        if (isJsonBody)
        {
            return await AuthorizeJsonRequest(model);
        }

        return await AuthorizeXmlRequest(model);
    }
    catch (Exception)
    {
        // NOTE(review): every exception from the handlers ends up here, not only malformed
        // input; all of them are reported as SyntaxError and nothing is logged in this block.
        XacmlContextResult indeterminate = new XacmlContextResult(XacmlContextDecision.Indeterminate)
        {
            Status = new XacmlContextStatus(XacmlContextStatusCode.SyntaxError)
        };

        return CreateResponse(new XacmlContextResponse(indeterminate));
    }
}
/// <summary>
/// Conformance test for the XACML 1.1 serializer: evaluates a request against a policy
/// that references one policy and one policy set, both served by a mocked repository.
/// </summary>
/// <param name="policy">The policy document to evaluate against.</param>
/// <param name="request">The request document.</param>
/// <param name="response">The document holding the expected response.</param>
/// <param name="aPolicy">The document of the referenced policy.</param>
/// <param name="aPolicySet">The document of the referenced policy set.</param>
public void ConformanceTestsIIE_11(XmlDocument policy, XmlDocument request, XmlDocument response, XmlDocument aPolicy, XmlDocument aPolicySet)
{
    Xacml11ProtocolSerializer serializer = new Xacml11ProtocolSerializer();

    XacmlContextRequest parsedRequest;
    using (XmlReader requestReader = XmlReader.Create(new StringReader(request.OuterXml)))
    {
        parsedRequest = serializer.ReadContextRequest(requestReader);
    }

    XacmlContextResponse expectedResponse;
    using (XmlReader responseReader = XmlReader.Create(new StringReader(response.OuterXml)))
    {
        expectedResponse = serializer.ReadContextResponse(responseReader);
    }

    XacmlPolicy referencedPolicy;
    using (XmlReader policyReader = XmlReader.Create(new StringReader(aPolicy.OuterXml)))
    {
        referencedPolicy = serializer.ReadPolicy(policyReader);
    }

    XacmlPolicySet referencedPolicySet;
    using (XmlReader policySetReader = XmlReader.Create(new StringReader(aPolicySet.OuterXml)))
    {
        referencedPolicySet = serializer.ReadPolicySet(policySetReader);
    }

    // The repository answers only for the ids of the two referenced documents.
    IXacmlPolicyRepository repository = Substitute.For<IXacmlPolicyRepository>();
    repository.RequestPolicy(Arg.Is(referencedPolicy.PolicyId)).Returns(referencedPolicy);
    repository.RequestPolicySet(Arg.Is(referencedPolicySet.PolicySetId)).Returns(referencedPolicySet);

    EvaluationEngine engine = EvaluationEngineFactory.Create(policy, repository);
    XacmlContextResponse actualResponse = engine.Evaluate(parsedRequest, request);

    XacmlResponseAssert(expectedResponse, actualResponse);
}
/// <summary>
/// Reads a <c>Response</c> element in the context namespace of this serializer version
/// and returns the results it contains.
/// </summary>
/// <param name="reader">The XML reader to read from.</param>
/// <returns>The context response built from the results that were read.</returns>
/// <exception cref="ArgumentNullException"><paramref name="reader"/> is null.</exception>
public virtual XacmlContextResponse ReadContextResponse(XmlReader reader)
{
    if (reader == null)
    {
        throw new ArgumentNullException(nameof(reader));
    }

    bool isResponseElement = XacmlProtocolSerializer.CanReadContext(reader, XacmlConstants.ElementNames.Response, this.Version.NamespaceContext);
    if (!isResponseElement)
    {
        throw ThrowHelperXml(reader, "XML message is not valid.");
    }

    reader.ReadStartElement(XacmlConstants.ElementNames.Response, this.Version.NamespaceContext);

    // The Result list is read as required (isRequired: true).
    List<XacmlContextResult> parsedResults = new List<XacmlContextResult>();
    this.ReadList(parsedResults, XacmlConstants.ElementNames.Result, this.Version.NamespaceContext, ReadContextResult, reader, isRequired: true);

    // The response object is built before the end element is consumed.
    XacmlContextResponse response = new XacmlContextResponse(parsedResults);
    reader.ReadEndElement();

    return response;
}
/// <summary>
/// Authorizes a JSON decision request. A request with fewer than two request references
/// is evaluated as a whole; otherwise one partial request is built and evaluated per
/// reference and the first result of each evaluation is collected.
/// </summary>
/// <param name="decisionRequest">The JSON decision request.</param>
/// <returns>The JSON response holding one result per evaluated request.</returns>
private async Task<XacmlJsonResponse> Authorize(XacmlJsonRequest decisionRequest)
{
    bool isMultiRequest = decisionRequest.MultiRequests != null
        && decisionRequest.MultiRequests.RequestReference != null
        && decisionRequest.MultiRequests.RequestReference.Count >= 2;

    if (!isMultiRequest)
    {
        XacmlContextRequest singleRequest = XacmlJsonXmlConverter.ConvertRequest(decisionRequest);
        XacmlContextResponse singleResponse = await Authorize(singleRequest);
        return XacmlJsonXmlConverter.ConvertResponse(singleResponse);
    }

    // NOTE(review): the number of request references is not bounded in this method, and each
    // reference costs one complete Authorize call. Reference ids that match no category are
    // skipped silently, so a partial request can be evaluated with a category missing.
    XacmlJsonResponse combinedResponse = new XacmlJsonResponse();

    foreach (XacmlJsonRequestReference requestReference in decisionRequest.MultiRequests.RequestReference)
    {
        XacmlJsonRequest partialRequest = new XacmlJsonRequest();

        foreach (string referenceId in requestReference.ReferenceId)
        {
            List<XacmlJsonCategory> matchingResources = decisionRequest.Resource.Where(category => category.Id.Equals(referenceId)).ToList();
            if (matchingResources.Count > 0)
            {
                if (partialRequest.Resource == null)
                {
                    partialRequest.Resource = new List<XacmlJsonCategory>();
                }

                partialRequest.Resource.AddRange(matchingResources);
            }

            List<XacmlJsonCategory> matchingSubjects = decisionRequest.AccessSubject.Where(category => category.Id.Equals(referenceId)).ToList();
            if (matchingSubjects.Count > 0)
            {
                if (partialRequest.AccessSubject == null)
                {
                    partialRequest.AccessSubject = new List<XacmlJsonCategory>();
                }

                partialRequest.AccessSubject.AddRange(matchingSubjects);
            }

            List<XacmlJsonCategory> matchingActions = decisionRequest.Action.Where(category => category.Id.Equals(referenceId)).ToList();
            if (matchingActions.Count > 0)
            {
                if (partialRequest.Action == null)
                {
                    partialRequest.Action = new List<XacmlJsonCategory>();
                }

                partialRequest.Action.AddRange(matchingActions);
            }
        }

        XacmlContextResponse partialDecision = await Authorize(XacmlJsonXmlConverter.ConvertRequest(partialRequest));
        XacmlJsonResponse partialJson = XacmlJsonXmlConverter.ConvertResponse(partialDecision);

        if (combinedResponse.Response == null)
        {
            combinedResponse.Response = new List<XacmlJsonResult>();
        }

        // Only the first result of each partial evaluation is carried over.
        combinedResponse.Response.Add(partialJson.Response.First());
    }

    return combinedResponse;
}
/// <summary>
/// Returns a decision for a JSON request. Multi-requests are split per request reference
/// and evaluated one by one; any other request is answered from a canned permit or deny
/// file, chosen by the attributes of the first access subject.
/// </summary>
/// <remarks>
/// NOTE(review): the canned branch permits on a hard-coded user id or on the mere presence
/// of an org attribute, which looks like a test double; confirm it is never registered
/// outside tests or local development.
/// </remarks>
/// <param name="xacmlJsonRequest">The root object wrapping the JSON decision request.</param>
/// <returns>
/// The JSON response; when the multi-request branch throws, the result of deserializing
/// an empty string.
/// </returns>
public async Task<XacmlJsonResponse> GetDecisionForRequest(XacmlJsonRequestRoot xacmlJsonRequest)
{
    string cannedJson = string.Empty;

    if (xacmlJsonRequest.Request.MultiRequests != null)
    {
        try
        {
            Altinn.Authorization.ABAC.PolicyDecisionPoint pdp = new Altinn.Authorization.ABAC.PolicyDecisionPoint();
            XacmlJsonResponse combinedResponse = new XacmlJsonResponse();

            foreach (XacmlJsonRequestReference requestReference in xacmlJsonRequest.Request.MultiRequests.RequestReference)
            {
                XacmlJsonRequest partialRequest = new XacmlJsonRequest();

                foreach (string referenceId in requestReference.ReferenceId)
                {
                    List<XacmlJsonCategory> matchingResources = xacmlJsonRequest.Request.Resource.Where(category => category.Id.Equals(referenceId)).ToList();
                    if (matchingResources.Count > 0)
                    {
                        if (partialRequest.Resource == null)
                        {
                            partialRequest.Resource = new List<XacmlJsonCategory>();
                        }

                        partialRequest.Resource.AddRange(matchingResources);
                    }

                    List<XacmlJsonCategory> matchingSubjects = xacmlJsonRequest.Request.AccessSubject.Where(category => category.Id.Equals(referenceId)).ToList();
                    if (matchingSubjects.Count > 0)
                    {
                        if (partialRequest.AccessSubject == null)
                        {
                            partialRequest.AccessSubject = new List<XacmlJsonCategory>();
                        }

                        partialRequest.AccessSubject.AddRange(matchingSubjects);
                    }

                    List<XacmlJsonCategory> matchingActions = xacmlJsonRequest.Request.Action.Where(category => category.Id.Equals(referenceId)).ToList();
                    if (matchingActions.Count > 0)
                    {
                        if (partialRequest.Action == null)
                        {
                            partialRequest.Action = new List<XacmlJsonCategory>();
                        }

                        partialRequest.Action.AddRange(matchingActions);
                    }
                }

                XacmlContextResponse partialDecision = await Authorize(XacmlJsonXmlConverter.ConvertRequest(partialRequest));
                XacmlJsonResponse partialJson = XacmlJsonXmlConverter.ConvertResponse(partialDecision);

                if (combinedResponse.Response == null)
                {
                    combinedResponse.Response = new List<XacmlJsonResult>();
                }

                // Only the first result of each partial evaluation is carried over.
                combinedResponse.Response.Add(partialJson.Response.First());
            }

            return combinedResponse;
        }
        catch
        {
            // NOTE(review): failures in the multi-request branch are swallowed without a trace;
            // execution continues below with the empty string as the response text.
        }
    }
    else
    {
        var firstSubjectAttributes = xacmlJsonRequest.Request.AccessSubject[0].Attribute;

        bool isPermittedSubject =
            firstSubjectAttributes.Exists(a => (a.AttributeId == "urn:altinn:userid" && a.Value == "1"))
            || firstSubjectAttributes.Exists(a => a.AttributeId == "urn:altinn:org");

        if (isPermittedSubject)
        {
            cannedJson = File.ReadAllText("data/response_permit.json");
        }
        else
        {
            cannedJson = File.ReadAllText("data/response_deny.json");
        }
    }

    return JsonConvert.DeserializeObject<XacmlJsonResponse>(cannedJson);
}
/// <summary>
/// Looks for delegations that could permit the request and evaluates them in three steps:
/// delegations to the user from the reportee party, delegations to the user from the
/// main units of the reportee party, and delegations to the key role parties of the user.
/// </summary>
/// <param name="decisionRequest">The decision request to evaluate.</param>
/// <param name="appPolicy">The app policy handed on to the delegation evaluation.</param>
/// <returns>
/// The first response of steps 1 or 2 that holds a Permit result; otherwise the response of
/// step 3 when it was evaluated, else the last response evaluated (NotApplicable/Success when
/// no delegation was found). An incomplete request yields Indeterminate.
/// </returns>
private async Task <XacmlContextResponse> AuthorizeBasedOnDelegations(XacmlContextRequest decisionRequest, XacmlPolicy appPolicy)
{
    // Starting point when no step finds any delegation: NotApplicable with status Success.
    XacmlContextResponse delegationContextResponse = new XacmlContextResponse(new XacmlContextResult(XacmlContextDecision.NotApplicable) { Status = new XacmlContextStatus(XacmlContextStatusCode.Success) });
    XacmlResourceAttributes resourceAttributes = _delegationContextHandler.GetResourceAttributes(decisionRequest);
    int subjectUserId = _delegationContextHandler.GetSubjectUserId(decisionRequest);

    // Org, app, a non-zero subject user id and a numeric resource party value are all required.
    if (resourceAttributes == null || string.IsNullOrEmpty(resourceAttributes.OrgValue) || string.IsNullOrEmpty(resourceAttributes.AppValue) || subjectUserId == 0 || !int.TryParse(resourceAttributes.ResourcePartyValue, out int reporteePartyId))
    {
        // Not able to continue authorization based on delegations because of an incomplete decision request.
        // The complete request is serialized into the warning.
        // NOTE(review): confirm that the log sink is allowed to hold full decision requests.
        string request = JsonConvert.SerializeObject(decisionRequest);
        _logger.LogWarning("// DecisionController // Authorize // Delegations // Incomplete request: {request}", request);

        // The decision is Indeterminate, but the status code reported with it is Success.
        return(new XacmlContextResponse(new XacmlContextResult(XacmlContextDecision.Indeterminate) { Status = new XacmlContextStatus(XacmlContextStatusCode.Success) }));
    }

    List <string> appIds = new List <string> { $"{resourceAttributes.OrgValue}/{resourceAttributes.AppValue}" };
    List <int> offeredByPartyIds = new List <int> { reporteePartyId };
    List <int> coveredByUserIds = new List <int> { subjectUserId };

    // 1. Direct user delegations
    List <DelegationChange> delegations = await _delegationRepository.GetAllCurrentDelegationChanges(offeredByPartyIds, appIds, coveredByUserIds : coveredByUserIds);
    if (delegations.Any())
    {
        delegationContextResponse = await AuthorizeBasedOnDelegations(decisionRequest, delegations, appPolicy);

        // A Permit ends the search; any other decision falls through to the next step.
        if (delegationContextResponse.Results.Any(r => r.Decision == XacmlContextDecision.Permit))
        {
            return(delegationContextResponse);
        }
    }

    // 2. Direct user delegations from mainunit
    List <MainUnit> mainunits = await _delegationContextHandler.GetMainUnits(reporteePartyId);
    List <int> mainunitPartyIds = mainunits.Where(m => m.PartyId.HasValue).Select(m => m.PartyId.Value).ToList();
    if (mainunitPartyIds.Any())
    {
        // The main units are added to the offering parties, so step 3 queries them as well.
        offeredByPartyIds.AddRange(mainunitPartyIds);
        delegations = await _delegationRepository.GetAllCurrentDelegationChanges(mainunitPartyIds, appIds, coveredByUserIds : coveredByUserIds);
        if (delegations.Any())
        {
            delegationContextResponse = await AuthorizeBasedOnDelegations(decisionRequest, delegations, appPolicy);
            if (delegationContextResponse.Results.Any(r => r.Decision == XacmlContextDecision.Permit))
            {
                return(delegationContextResponse);
            }
        }
    }

    // 3. Direct party delegations to keyrole units
    List <int> keyrolePartyIds = await _delegationContextHandler.GetKeyRolePartyIds(subjectUserId);
    if (keyrolePartyIds.Any())
    {
        delegations = await _delegationRepository.GetAllCurrentDelegationChanges(offeredByPartyIds, appIds, coveredByPartyIds : keyrolePartyIds);
        if (delegations.Any())
        {
            // The decision request itself is enriched with the key role party ids before evaluation.
            _delegationContextHandler.Enrich(decisionRequest, keyrolePartyIds);
            delegationContextResponse = await AuthorizeBasedOnDelegations(decisionRequest, delegations, appPolicy);
        }
    }

    // Last step: the response is returned whatever its decision is.
    return(delegationContextResponse);
}