public AccessControlResponseContext(AccessControlEffect effect, ICollection <JObject> data, IEnumerable <string> obligationAfterIds, IEnumerable <string> obligationBeforeIds)
{
Effect = effect;
Data = data;
ObligationAfterIds = obligationAfterIds;
ObligationBeforeIds = obligationBeforeIds;
}
public AccessControlResponseContext ExecuteProcess(Subject subject, Resource resource, string action, EnvironmentObject environment)
{
environment.Data.AddAnnotation(action);
var permitPolicies = new List <AccessControlPolicy>();
var denyPolicies = new List <AccessControlPolicy>();
IEnumerable <string> afterObligationIds = null;
IEnumerable <string> beforeObligationIds = null;
AccessControlEffect decision = AccessControlProcess(subject, resource, action, environment, ref permitPolicies, ref denyPolicies);
if (decision == AccessControlEffect.Permit)
{
afterObligationIds = permitPolicies.SelectMany(n => n.ObligationAfterIds);
beforeObligationIds = permitPolicies.SelectMany(n => n.ObligationBeforeIds);
}
else if (decision == AccessControlEffect.Deny)
{
afterObligationIds = denyPolicies.SelectMany(n => n.ObligationAfterIds);
beforeObligationIds = denyPolicies.SelectMany(n => n.ObligationBeforeIds);
}
return(new AccessControlResponseContext(decision, null, afterObligationIds, beforeObligationIds));
}
private AccessControlEffect CollectionAccessControlProcess(
Subject subject,
Resource resource,
string action,
EnvironmentObject environment,
ref List <AccessControlPolicy> permitPolicies,
ref List <AccessControlPolicy> denyPolicies)
{
AccessControlEffect result = AccessControlEffect.Deny;
ICollection <AccessControlPolicy> collectionPolicies = _accessControlPolicyRepository.Get(resource.Name, action, false);
string policyCombining = _policyCombiningRepository.GetRuleCombining(collectionPolicies);
var targetPolicies = new List <AccessControlPolicy>();
foreach (var policy in collectionPolicies)
{
bool isTarget = _expressionService.Evaluate(policy.Target, subject.Data, null, environment.Data);
if (isTarget)
{
targetPolicies.Add(policy);
}
}
foreach (var policy in targetPolicies)
{
string policyEffect = String.Empty;
foreach (var rule in policy.Rules)
{
bool isApplied = _expressionService.Evaluate(rule.Condition, subject.Data, null, environment.Data);
if (isApplied && rule.Effect.Equals("Permit") && policy.RuleCombining.Equals(AlgorithmCombining.PERMIT_OVERRIDES))
{
policyEffect = "Permit";
break;
}
if (isApplied && rule.Effect.Equals("Deny") && policy.RuleCombining.Equals(AlgorithmCombining.DENY_OVERRIDES))
{
policyEffect = "Deny";
break;
}
}
if (policyEffect.Equals("Permit") && policyCombining.Equals(AlgorithmCombining.PERMIT_OVERRIDES))
{
result = AccessControlEffect.Permit;
break;
}
else if (policyEffect.Equals("Deny") && policyCombining.Equals(AlgorithmCombining.DENY_OVERRIDES))
{
result = AccessControlEffect.Deny;
break;
}
// add retaive policy here
}
return(result);
}
public AccessControlResponseContext ExecuteProcess(Subject subject, Resource resource, string action, EnvironmentObject environment)
{
environment.Data.AddAnnotation(action);
AccessControlEffect collectionEffect = CollectionAccessControlProcess(subject, resource, action, environment);
if (collectionEffect == AccessControlEffect.Deny)
{
return(new AccessControlResponseContext(AccessControlEffect.Deny, null));
}
else if (collectionEffect == AccessControlEffect.Permit)
{
return(new AccessControlResponseContext(AccessControlEffect.Permit, resource.Data));
}
var accessControlRecordPolicies = _accessControlPolicyRepository.Get(resource.Name, action, true);
if (accessControlRecordPolicies.Count == 0)
{
return(new AccessControlResponseContext(AccessControlEffect.Deny, null));
}
string policyCombining = _policyCombiningRepository.GetRuleCombining(accessControlRecordPolicies);
ICollection <JObject> _resource = new List <JObject>();
if (resource.Data.Length > 1000)
{
Parallel.ForEach(resource.Data, record =>
{
if (RowAccessControlProcess(subject, record, environment, policyCombining, accessControlRecordPolicies) != null)
{
lock (_resource)
_resource.Add(record);
}
});
}
else
{
foreach (var record in resource.Data)
{
if (RowAccessControlProcess(subject, record, environment, policyCombining, accessControlRecordPolicies) != null)
{
_resource.Add(record);
}
}
}
if (_resource.Count == 0)
{
return(new AccessControlResponseContext(AccessControlEffect.Deny, null));
}
return(new AccessControlResponseContext(AccessControlEffect.Permit, _resource));
}
public AccessControlResponseContext(AccessControlEffect effect, ICollection <JObject> data)
{
Effect = effect;
Data = data;
}
public ResponseContext(AccessControlEffect effect, ICollection <JObject> data)
{
Effect = effect;
JsonObjects = data;
}
public ResponseContext(AccessControlEffect effect, JArray data, string message = null)
{
Effect = effect;
Data = data;
Message = message;
}
private AccessControlEffect AccessControlProcess(
Subject subject,
Resource resource,
string action,
EnvironmentObject environment,
ref List <AccessControlPolicy> permitPolicies,
ref List <AccessControlPolicy> denyPolicies)
{
AccessControlEffect result = AccessControlEffect.NotApplicable;
ICollection <AccessControlPolicy> collectionPolicies = _accessControlPolicyRepository.Get(resource.Name, action, null);
string policyCombining = _policyCombiningRepository.GetRuleCombining(collectionPolicies);
var resourceData = resource.Data[0];
var targetPolicies = new List <AccessControlPolicy>();
foreach (var policy in collectionPolicies)
{
bool isTarget = _expressionService.Evaluate(policy.Target, subject.Data, resourceData, environment.Data);
if (isTarget)
{
targetPolicies.Add(policy);
}
}
foreach (var policy in targetPolicies)
{
var policyEffect = AccessControlEffect.NotApplicable;
foreach (var rule in policy.Rules)
{
bool isApplied = _expressionService.Evaluate(rule.Condition, subject.Data, resourceData, environment.Data);
if (isApplied && rule.Effect.Equals(RuleEffect.PERMIT) && policy.RuleCombining.Equals(AlgorithmCombining.PERMIT_OVERRIDES))
{
policyEffect = AccessControlEffect.Permit;
break;
}
if (isApplied && rule.Effect.Equals(RuleEffect.DENY) && policy.RuleCombining.Equals(AlgorithmCombining.DENY_OVERRIDES))
{
policyEffect = AccessControlEffect.Deny;
break;
}
}
if (policyEffect == AccessControlEffect.Permit)
{
permitPolicies.Add(policy);
if (policyCombining.Equals(AlgorithmCombining.PERMIT_OVERRIDES))
{
result = AccessControlEffect.Permit;
break;
}
}
else if (policyEffect == AccessControlEffect.Deny)
{
denyPolicies.Add(policy);
if (policyCombining.Equals(AlgorithmCombining.DENY_OVERRIDES))
{
result = AccessControlEffect.Deny;
break;
}
}
}
return(result);
}
