/// <summary> /// Validate the response from PDP /// </summary> /// <param name="result">The response to validate</param> /// <param name="user">The <see cref="ClaimsPrincipal"/></param> /// <returns>The result of the validation</returns> public static EnforcementResult ValidateDecisionResultDetailed(XacmlJsonResult result, ClaimsPrincipal user) { // Checks that the result is nothing else than "permit" if (!result.Decision.Equals(XacmlContextDecision.Permit.ToString())) { return(new EnforcementResult() { Authorized = false }); } // Checks if the result contains obligation if (result.Obligations != null) { List <XacmlJsonObligationOrAdvice> obligationList = result.Obligations; XacmlJsonAttributeAssignment attributeMinLvAuth = GetObligation(PolicyObligationMinAuthnLevel, obligationList); // Checks if the obligation contains a minimum authentication level attribute if (attributeMinLvAuth != null) { string minAuthenticationLevel = attributeMinLvAuth.Value; string usersAuthenticationLevel = user.Claims.FirstOrDefault(c => c.Type.Equals("urn:altinn:authlevel")).Value; // Checks that the user meets the minimum authentication level if (Convert.ToInt32(usersAuthenticationLevel) < Convert.ToInt32(minAuthenticationLevel)) { if (user.Claims.FirstOrDefault(c => c.Type.Equals("urn:altinn:org")) != null) { XacmlJsonAttributeAssignment attributeMinLvAuthOrg = GetObligation(PolicyObligationMinAuthnLevelOrg, obligationList); if (attributeMinLvAuthOrg != null) { if (Convert.ToInt32(usersAuthenticationLevel) >= Convert.ToInt32(attributeMinLvAuthOrg.Value)) { return(new EnforcementResult() { Authorized = true }); } minAuthenticationLevel = attributeMinLvAuthOrg.Value; } } return(new EnforcementResult() { Authorized = false, FailedObligations = new Dictionary <string, string>() { { AltinnObligations.RequiredAuthenticationLevel, minAuthenticationLevel } } }); } } } return(new EnforcementResult() { Authorized = true }); }
public static bool ValidateDecisionResult(XacmlJsonResult result, ClaimsPrincipal user) { // Checks that the result is nothing else than "permit" if (!result.Decision.Equals(XacmlContextDecision.Permit.ToString())) { return(false); } // Checks if the result contains obligation if (result.Obligations != null) { List <XacmlJsonObligationOrAdvice> obligationList = result.Obligations; XacmlJsonAttributeAssignment attributeMinLvAuth = obligationList.Select(a => a.AttributeAssignment.Find(a => a.Category.Equals("urn:altinn:minimum-authenticationlevel"))).FirstOrDefault(); // Checks if the obligation contains a minimum authentication level attribute if (attributeMinLvAuth != null) { string minAuthenticationLevel = attributeMinLvAuth.Value; string usersAuthenticationLevel = user.Claims.FirstOrDefault(c => c.Type.Equals("urn:altinn:authlevel")).Value; // Checks that the user meets the minimum authentication level if (Convert.ToInt32(usersAuthenticationLevel) < Convert.ToInt32(minAuthenticationLevel)) { return(false); } } } return(true); }
public void ValidateResponse_TC02() { // Arrange XacmlJsonResponse response = new XacmlJsonResponse(); response.Response = new List <XacmlJsonResult>(); XacmlJsonResult xacmlJsonResult = new XacmlJsonResult(); xacmlJsonResult.Decision = XacmlContextDecision.Permit.ToString(); response.Response.Add(xacmlJsonResult); // Add obligation to result with a minimum authentication level attribute XacmlJsonObligationOrAdvice obligation = new XacmlJsonObligationOrAdvice(); obligation.AttributeAssignment = new List <XacmlJsonAttributeAssignment>(); XacmlJsonAttributeAssignment authenticationAttribute = new XacmlJsonAttributeAssignment() { Category = "urn:altinn:minimum-authenticationlevel", Value = "2" }; obligation.AttributeAssignment.Add(authenticationAttribute); xacmlJsonResult.Obligations = new List <XacmlJsonObligationOrAdvice>(); xacmlJsonResult.Obligations.Add(obligation); // Act bool result = DecisionHelper.ValidateResponse(response.Response, CreateUserClaims(false)); // Assert Assert.True(result); }
public void ValidatePdpDecision_TC08() { // Arrange XacmlJsonResponse response = new XacmlJsonResponse(); response.Response = new List <XacmlJsonResult>(); XacmlJsonResult xacmlJsonResult = new XacmlJsonResult(); xacmlJsonResult.Decision = XacmlContextDecision.Permit.ToString(); response.Response.Add(xacmlJsonResult); // Add obligation to result with a minimum authentication level attribute XacmlJsonObligationOrAdvice obligation = new XacmlJsonObligationOrAdvice(); obligation.AttributeAssignment = new List <XacmlJsonAttributeAssignment>(); string minAuthLevel = "3"; XacmlJsonAttributeAssignment authenticationAttribute = new XacmlJsonAttributeAssignment() { Category = "urn:altinn:minimum-authenticationlevel", Value = minAuthLevel }; obligation.AttributeAssignment.Add(authenticationAttribute); xacmlJsonResult.Obligations = new List <XacmlJsonObligationOrAdvice>(); xacmlJsonResult.Obligations.Add(obligation); // Act EnforcementResult result = DecisionHelper.ValidatePdpDecisionDetailed(response.Response, CreateUserClaims(false)); // Assert Assert.False(result.Authorized); Assert.Contains(AltinnObligations.RequiredAuthenticationLevel, result.FailedObligations.Keys); Assert.Equal(minAuthLevel, result.FailedObligations[AltinnObligations.RequiredAuthenticationLevel]); }
private static void AssertEqual(XacmlJsonAttributeAssignment expected, XacmlJsonAttributeAssignment actual) { Assert.Equal(expected.AttributeId, actual.AttributeId); Assert.Equal(expected.Category, actual.Category); Assert.Equal(expected.DataType, actual.DataType); Assert.Equal(expected.Issuer, actual.Issuer); Assert.Equal(expected.Value, actual.Value, true); }
private static XacmlJsonAttributeAssignment GetObligation(string category, List <XacmlJsonObligationOrAdvice> obligations) { foreach (XacmlJsonObligationOrAdvice obligation in obligations) { XacmlJsonAttributeAssignment assignment = obligation.AttributeAssignment.FirstOrDefault(a => a.Category.Equals(category)); if (assignment != null) { return(assignment); } } return(null); }
public void ValidatePdpDecision_TC10() { // Arrange XacmlJsonResponse response = new XacmlJsonResponse(); response.Response = new List <XacmlJsonResult>(); XacmlJsonResult xacmlJsonResult = new XacmlJsonResult(); xacmlJsonResult.Decision = XacmlContextDecision.Permit.ToString(); response.Response.Add(xacmlJsonResult); // Add obligation to result with a minimum authentication level attribute XacmlJsonObligationOrAdvice obligation = new XacmlJsonObligationOrAdvice(); obligation.AttributeAssignment = new List <XacmlJsonAttributeAssignment>(); string minAuthLevel = "4"; XacmlJsonAttributeAssignment authenticationAttribute = new XacmlJsonAttributeAssignment() { Category = "urn:altinn:minimum-authenticationlevel", Value = minAuthLevel }; obligation.AttributeAssignment.Add(authenticationAttribute); XacmlJsonObligationOrAdvice obligationOrg = new XacmlJsonObligationOrAdvice(); obligationOrg.AttributeAssignment = new List <XacmlJsonAttributeAssignment>(); string minAuthLevelOrg = "2"; XacmlJsonAttributeAssignment authenticationAttributeOrg = new XacmlJsonAttributeAssignment() { Category = "urn:altinn:minimum-authenticationlevel-org", Value = minAuthLevelOrg }; obligationOrg.AttributeAssignment.Add(authenticationAttributeOrg); xacmlJsonResult.Obligations = new List <XacmlJsonObligationOrAdvice>(); xacmlJsonResult.Obligations.Add(obligationOrg); xacmlJsonResult.Obligations.Add(obligation); // Act EnforcementResult result = DecisionHelper.ValidatePdpDecisionDetailed(response.Response, CreateUserClaims(false, "ttd")); // Assert Assert.True(result.Authorized); Assert.Null(result.FailedObligations); }
private static XacmlJsonAttributeAssignment ConvertAttributeAssignment(XacmlAttributeAssignment attributeAssignment) { if (attributeAssignment == null) { return(null); } XacmlJsonAttributeAssignment xacmlJsonAttributeAssignment = new XacmlJsonAttributeAssignment() { AttributeId = attributeAssignment.AttributeId.OriginalString, Category = attributeAssignment.Category.OriginalString, DataType = attributeAssignment.DataType.OriginalString, Issuer = attributeAssignment.Issuer, Value = attributeAssignment.Value, }; return(xacmlJsonAttributeAssignment); }
private XacmlJsonResponse AddObligationWithMinAuthLv(XacmlJsonResponse response, string minAuthLv) { // Add obligation to result with a minimum authentication level attribute XacmlJsonResult result = response.Response[0]; XacmlJsonObligationOrAdvice obligation = new XacmlJsonObligationOrAdvice(); obligation.AttributeAssignment = new List <XacmlJsonAttributeAssignment>(); XacmlJsonAttributeAssignment authenticationAttribute = new XacmlJsonAttributeAssignment() { Category = "urn:altinn:minimum-authenticationlevel", Value = minAuthLv }; obligation.AttributeAssignment.Add(authenticationAttribute); result.Obligations = new List <XacmlJsonObligationOrAdvice>(); result.Obligations.Add(obligation); return(response); }
public Task <XacmlJsonResponse> GetDecisionForRequest(XacmlJsonRequestRoot xacmlJsonRequest) { List <XacmlJsonCategory> resources = xacmlJsonRequest.Request.Resource; XacmlJsonAttribute attribute = resources.Select(r => r.Attribute.Find(a => a.Value.Equals("endring-av-navn"))).FirstOrDefault(); // Create response and result XacmlJsonResponse response = new XacmlJsonResponse(); response.Response = new List <XacmlJsonResult>(); XacmlJsonResult result = new XacmlJsonResult(); if (attribute != null) { // Set decision to permit result.Decision = XacmlContextDecision.Permit.ToString(); response.Response.Add(result); return(Task.FromResult(response)); } XacmlJsonAttribute attribute2 = resources.Select(r => r.Attribute.Find(a => a.Value.Equals("multiple-results"))).FirstOrDefault(); if (attribute2 != null) { // Set decision to permit result.Decision = XacmlContextDecision.Permit.ToString(); response.Response.Add(result); response.Response.Add(new XacmlJsonResult()); return(Task.FromResult(response)); } XacmlJsonAttribute attribute3 = resources.Select(r => r.Attribute.Find(a => a.Value.Equals("auth-level-2"))).FirstOrDefault(); if (attribute3 != null) { // Set decision to permit result.Decision = XacmlContextDecision.Permit.ToString(); response.Response.Add(result); // Add obligation to result with a minimum authentication level attribute XacmlJsonObligationOrAdvice obligation = new XacmlJsonObligationOrAdvice(); obligation.AttributeAssignment = new List <XacmlJsonAttributeAssignment>(); XacmlJsonAttributeAssignment authenticationAttribute = new XacmlJsonAttributeAssignment() { Category = "urn:altinn:minimum-authenticationlevel", Value = "2" }; obligation.AttributeAssignment.Add(authenticationAttribute); result.Obligations = new List <XacmlJsonObligationOrAdvice>(); result.Obligations.Add(obligation); return(Task.FromResult(response)); } XacmlJsonAttribute attribute4 = resources.Select(r => r.Attribute.Find(a => a.Value.Equals("auth-level-3"))).FirstOrDefault(); if (attribute4 != null) { // Set decision to permit result.Decision = XacmlContextDecision.Permit.ToString(); response.Response.Add(result); // Add obligation to result with a minimum authentication level attribute XacmlJsonObligationOrAdvice obligation = new XacmlJsonObligationOrAdvice(); obligation.AttributeAssignment = new List <XacmlJsonAttributeAssignment>(); XacmlJsonAttributeAssignment authenticationAttribute = new XacmlJsonAttributeAssignment() { Category = "urn:altinn:minimum-authenticationlevel", Value = "3" }; obligation.AttributeAssignment.Add(authenticationAttribute); result.Obligations = new List <XacmlJsonObligationOrAdvice>(); result.Obligations.Add(obligation); return(Task.FromResult(response)); } // Set decision to deny result.Decision = XacmlContextDecision.Deny.ToString(); response.Response.Add(result); return(Task.FromResult(response)); }