/// <summary>
/// Validate the response from PDP
/// </summary>
/// <param name="result">The response to validate</param>
/// <param name="user">The <see cref="ClaimsPrincipal"/></param>
/// <returns>The result of the validation</returns>
public static EnforcementResult ValidateDecisionResultDetailed(XacmlJsonResult result, ClaimsPrincipal user)
{
// Checks that the result is nothing else than "permit"
if (!result.Decision.Equals(XacmlContextDecision.Permit.ToString()))
{
return(new EnforcementResult()
{
Authorized = false
});
}
// Checks if the result contains obligation
if (result.Obligations != null)
{
List <XacmlJsonObligationOrAdvice> obligationList = result.Obligations;
XacmlJsonAttributeAssignment attributeMinLvAuth = GetObligation(PolicyObligationMinAuthnLevel, obligationList);
// Checks if the obligation contains a minimum authentication level attribute
if (attributeMinLvAuth != null)
{
string minAuthenticationLevel = attributeMinLvAuth.Value;
string usersAuthenticationLevel = user.Claims.FirstOrDefault(c => c.Type.Equals("urn:altinn:authlevel")).Value;
// Checks that the user meets the minimum authentication level
if (Convert.ToInt32(usersAuthenticationLevel) < Convert.ToInt32(minAuthenticationLevel))
{
if (user.Claims.FirstOrDefault(c => c.Type.Equals("urn:altinn:org")) != null)
{
XacmlJsonAttributeAssignment attributeMinLvAuthOrg = GetObligation(PolicyObligationMinAuthnLevelOrg, obligationList);
if (attributeMinLvAuthOrg != null)
{
if (Convert.ToInt32(usersAuthenticationLevel) >= Convert.ToInt32(attributeMinLvAuthOrg.Value))
{
return(new EnforcementResult()
{
Authorized = true
});
}
minAuthenticationLevel = attributeMinLvAuthOrg.Value;
}
}
return(new EnforcementResult()
{
Authorized = false,
FailedObligations = new Dictionary <string, string>()
{
{ AltinnObligations.RequiredAuthenticationLevel, minAuthenticationLevel }
}
});
}
}
}
return(new EnforcementResult()
{
Authorized = true
});
}
public static bool ValidateDecisionResult(XacmlJsonResult result, ClaimsPrincipal user)
{
// Checks that the result is nothing else than "permit"
if (!result.Decision.Equals(XacmlContextDecision.Permit.ToString()))
{
return(false);
}
// Checks if the result contains obligation
if (result.Obligations != null)
{
List <XacmlJsonObligationOrAdvice> obligationList = result.Obligations;
XacmlJsonAttributeAssignment attributeMinLvAuth = obligationList.Select(a => a.AttributeAssignment.Find(a => a.Category.Equals("urn:altinn:minimum-authenticationlevel"))).FirstOrDefault();
// Checks if the obligation contains a minimum authentication level attribute
if (attributeMinLvAuth != null)
{
string minAuthenticationLevel = attributeMinLvAuth.Value;
string usersAuthenticationLevel = user.Claims.FirstOrDefault(c => c.Type.Equals("urn:altinn:authlevel")).Value;
// Checks that the user meets the minimum authentication level
if (Convert.ToInt32(usersAuthenticationLevel) < Convert.ToInt32(minAuthenticationLevel))
{
return(false);
}
}
}
return(true);
}
public void ValidateResponse_TC02()
{
// Arrange
XacmlJsonResponse response = new XacmlJsonResponse();
response.Response = new List <XacmlJsonResult>();
XacmlJsonResult xacmlJsonResult = new XacmlJsonResult();
xacmlJsonResult.Decision = XacmlContextDecision.Permit.ToString();
response.Response.Add(xacmlJsonResult);
// Add obligation to result with a minimum authentication level attribute
XacmlJsonObligationOrAdvice obligation = new XacmlJsonObligationOrAdvice();
obligation.AttributeAssignment = new List <XacmlJsonAttributeAssignment>();
XacmlJsonAttributeAssignment authenticationAttribute = new XacmlJsonAttributeAssignment()
{
Category = "urn:altinn:minimum-authenticationlevel",
Value = "2"
};
obligation.AttributeAssignment.Add(authenticationAttribute);
xacmlJsonResult.Obligations = new List <XacmlJsonObligationOrAdvice>();
xacmlJsonResult.Obligations.Add(obligation);
// Act
bool result = DecisionHelper.ValidateResponse(response.Response, CreateUserClaims(false));
// Assert
Assert.True(result);
}
public void ValidatePdpDecision_TC08()
{
// Arrange
XacmlJsonResponse response = new XacmlJsonResponse();
response.Response = new List <XacmlJsonResult>();
XacmlJsonResult xacmlJsonResult = new XacmlJsonResult();
xacmlJsonResult.Decision = XacmlContextDecision.Permit.ToString();
response.Response.Add(xacmlJsonResult);
// Add obligation to result with a minimum authentication level attribute
XacmlJsonObligationOrAdvice obligation = new XacmlJsonObligationOrAdvice();
obligation.AttributeAssignment = new List <XacmlJsonAttributeAssignment>();
string minAuthLevel = "3";
XacmlJsonAttributeAssignment authenticationAttribute = new XacmlJsonAttributeAssignment()
{
Category = "urn:altinn:minimum-authenticationlevel",
Value = minAuthLevel
};
obligation.AttributeAssignment.Add(authenticationAttribute);
xacmlJsonResult.Obligations = new List <XacmlJsonObligationOrAdvice>();
xacmlJsonResult.Obligations.Add(obligation);
// Act
EnforcementResult result = DecisionHelper.ValidatePdpDecisionDetailed(response.Response, CreateUserClaims(false));
// Assert
Assert.False(result.Authorized);
Assert.Contains(AltinnObligations.RequiredAuthenticationLevel, result.FailedObligations.Keys);
Assert.Equal(minAuthLevel, result.FailedObligations[AltinnObligations.RequiredAuthenticationLevel]);
}
private static void AssertEqual(XacmlJsonAttributeAssignment expected, XacmlJsonAttributeAssignment actual)
{
Assert.Equal(expected.AttributeId, actual.AttributeId);
Assert.Equal(expected.Category, actual.Category);
Assert.Equal(expected.DataType, actual.DataType);
Assert.Equal(expected.Issuer, actual.Issuer);
Assert.Equal(expected.Value, actual.Value, true);
}
private static XacmlJsonAttributeAssignment GetObligation(string category, List <XacmlJsonObligationOrAdvice> obligations)
{
foreach (XacmlJsonObligationOrAdvice obligation in obligations)
{
XacmlJsonAttributeAssignment assignment = obligation.AttributeAssignment.FirstOrDefault(a => a.Category.Equals(category));
if (assignment != null)
{
return(assignment);
}
}
return(null);
}
public void ValidatePdpDecision_TC10()
{
// Arrange
XacmlJsonResponse response = new XacmlJsonResponse();
response.Response = new List <XacmlJsonResult>();
XacmlJsonResult xacmlJsonResult = new XacmlJsonResult();
xacmlJsonResult.Decision = XacmlContextDecision.Permit.ToString();
response.Response.Add(xacmlJsonResult);
// Add obligation to result with a minimum authentication level attribute
XacmlJsonObligationOrAdvice obligation = new XacmlJsonObligationOrAdvice();
obligation.AttributeAssignment = new List <XacmlJsonAttributeAssignment>();
string minAuthLevel = "4";
XacmlJsonAttributeAssignment authenticationAttribute = new XacmlJsonAttributeAssignment()
{
Category = "urn:altinn:minimum-authenticationlevel",
Value = minAuthLevel
};
obligation.AttributeAssignment.Add(authenticationAttribute);
XacmlJsonObligationOrAdvice obligationOrg = new XacmlJsonObligationOrAdvice();
obligationOrg.AttributeAssignment = new List <XacmlJsonAttributeAssignment>();
string minAuthLevelOrg = "2";
XacmlJsonAttributeAssignment authenticationAttributeOrg = new XacmlJsonAttributeAssignment()
{
Category = "urn:altinn:minimum-authenticationlevel-org",
Value = minAuthLevelOrg
};
obligationOrg.AttributeAssignment.Add(authenticationAttributeOrg);
xacmlJsonResult.Obligations = new List <XacmlJsonObligationOrAdvice>();
xacmlJsonResult.Obligations.Add(obligationOrg);
xacmlJsonResult.Obligations.Add(obligation);
// Act
EnforcementResult result = DecisionHelper.ValidatePdpDecisionDetailed(response.Response, CreateUserClaims(false, "ttd"));
// Assert
Assert.True(result.Authorized);
Assert.Null(result.FailedObligations);
}
private static XacmlJsonAttributeAssignment ConvertAttributeAssignment(XacmlAttributeAssignment attributeAssignment)
{
if (attributeAssignment == null)
{
return(null);
}
XacmlJsonAttributeAssignment xacmlJsonAttributeAssignment = new XacmlJsonAttributeAssignment()
{
AttributeId = attributeAssignment.AttributeId.OriginalString,
Category = attributeAssignment.Category.OriginalString,
DataType = attributeAssignment.DataType.OriginalString,
Issuer = attributeAssignment.Issuer,
Value = attributeAssignment.Value,
};
return(xacmlJsonAttributeAssignment);
}
private XacmlJsonResponse AddObligationWithMinAuthLv(XacmlJsonResponse response, string minAuthLv)
{
// Add obligation to result with a minimum authentication level attribute
XacmlJsonResult result = response.Response[0];
XacmlJsonObligationOrAdvice obligation = new XacmlJsonObligationOrAdvice();
obligation.AttributeAssignment = new List <XacmlJsonAttributeAssignment>();
XacmlJsonAttributeAssignment authenticationAttribute = new XacmlJsonAttributeAssignment()
{
Category = "urn:altinn:minimum-authenticationlevel",
Value = minAuthLv
};
obligation.AttributeAssignment.Add(authenticationAttribute);
result.Obligations = new List <XacmlJsonObligationOrAdvice>();
result.Obligations.Add(obligation);
return(response);
}
public Task <XacmlJsonResponse> GetDecisionForRequest(XacmlJsonRequestRoot xacmlJsonRequest)
{
List <XacmlJsonCategory> resources = xacmlJsonRequest.Request.Resource;
XacmlJsonAttribute attribute = resources.Select(r => r.Attribute.Find(a => a.Value.Equals("endring-av-navn"))).FirstOrDefault();
// Create response and result
XacmlJsonResponse response = new XacmlJsonResponse();
response.Response = new List <XacmlJsonResult>();
XacmlJsonResult result = new XacmlJsonResult();
if (attribute != null)
{
// Set decision to permit
result.Decision = XacmlContextDecision.Permit.ToString();
response.Response.Add(result);
return(Task.FromResult(response));
}
XacmlJsonAttribute attribute2 = resources.Select(r => r.Attribute.Find(a => a.Value.Equals("multiple-results"))).FirstOrDefault();
if (attribute2 != null)
{
// Set decision to permit
result.Decision = XacmlContextDecision.Permit.ToString();
response.Response.Add(result);
response.Response.Add(new XacmlJsonResult());
return(Task.FromResult(response));
}
XacmlJsonAttribute attribute3 = resources.Select(r => r.Attribute.Find(a => a.Value.Equals("auth-level-2"))).FirstOrDefault();
if (attribute3 != null)
{
// Set decision to permit
result.Decision = XacmlContextDecision.Permit.ToString();
response.Response.Add(result);
// Add obligation to result with a minimum authentication level attribute
XacmlJsonObligationOrAdvice obligation = new XacmlJsonObligationOrAdvice();
obligation.AttributeAssignment = new List <XacmlJsonAttributeAssignment>();
XacmlJsonAttributeAssignment authenticationAttribute = new XacmlJsonAttributeAssignment()
{
Category = "urn:altinn:minimum-authenticationlevel",
Value = "2"
};
obligation.AttributeAssignment.Add(authenticationAttribute);
result.Obligations = new List <XacmlJsonObligationOrAdvice>();
result.Obligations.Add(obligation);
return(Task.FromResult(response));
}
XacmlJsonAttribute attribute4 = resources.Select(r => r.Attribute.Find(a => a.Value.Equals("auth-level-3"))).FirstOrDefault();
if (attribute4 != null)
{
// Set decision to permit
result.Decision = XacmlContextDecision.Permit.ToString();
response.Response.Add(result);
// Add obligation to result with a minimum authentication level attribute
XacmlJsonObligationOrAdvice obligation = new XacmlJsonObligationOrAdvice();
obligation.AttributeAssignment = new List <XacmlJsonAttributeAssignment>();
XacmlJsonAttributeAssignment authenticationAttribute = new XacmlJsonAttributeAssignment()
{
Category = "urn:altinn:minimum-authenticationlevel",
Value = "3"
};
obligation.AttributeAssignment.Add(authenticationAttribute);
result.Obligations = new List <XacmlJsonObligationOrAdvice>();
result.Obligations.Add(obligation);
return(Task.FromResult(response));
}
// Set decision to deny
result.Decision = XacmlContextDecision.Deny.ToString();
response.Response.Add(result);
return(Task.FromResult(response));
}
