        /// <summary>
        /// Test double: builds a fixed rule set for the SKD/TaxReport delegations the fixtures expect.
        /// Delegations for any other app or offering party produce no rules.
        /// </summary>
        /// <param name="appIds">App identifiers to look up delegations for.</param>
        /// <param name="offeredByPartyIds">Offering party ids to filter on.</param>
        /// <param name="coveredByPartyIds">Receiving party ids to filter on.</param>
        /// <param name="coveredByUserIds">Receiving user ids to filter on.</param>
        /// <returns>The synthesized rules for the matching delegation changes.</returns>
        public async Task<List<Rule>> GetRulesAsync(List<string> appIds, List<int> offeredByPartyIds, List<int> coveredByPartyIds, List<int> coveredByUserIds)
        {
            List<DelegationChange> changes = await _delegationRepository.GetAllCurrentDelegationChanges(offeredByPartyIds, appIds, coveredByPartyIds, coveredByUserIds);
            List<Rule> result = new List<Rule>();

            foreach (DelegationChange change in changes)
            {
                // Only the fixture app/offerer pair yields rules; everything else is skipped.
                bool isFixtureDelegation = change.AltinnAppId == "SKD/TaxReport" && change.OfferedByPartyId == 50001337;
                if (!isFixtureDelegation)
                {
                    continue;
                }

                // A user delegation to the fixture user gets one "read" and one "write" rule.
                if (change.CoveredByUserId == 20001336)
                {
                    string coveredByUser = change.CoveredByUserId.ToString();
                    foreach (string action in new[] { "read", "write" })
                    {
                        result.Add(TestDataHelper.GetRuleModel(change.PerformedByUserId, change.OfferedByPartyId, coveredByUser, AltinnXacmlConstants.MatchAttributeIdentifiers.UserAttribute, action, "SKD", "TaxReport"));
                    }
                }

                // A party delegation to either fixture party gets a single "sign" rule.
                if (change.CoveredByPartyId == 50001336 || change.CoveredByPartyId == 50001337)
                {
                    result.Add(TestDataHelper.GetRuleModel(change.PerformedByUserId, change.OfferedByPartyId, change.CoveredByPartyId.ToString(), AltinnXacmlConstants.MatchAttributeIdentifiers.PartyAttribute, "sign", "SKD", "TaxReport"));
                }
            }

            return result;
        }
        /// <inheritdoc/>
        public async Task<List<Rule>> GetRulesAsync(List<string> appIds, List<int> offeredByPartyIds, List<int> coveredByPartyIds, List<int> coveredByUserIds)
        {
            List<DelegationChange> currentChanges = await _delegationRepository.GetAllCurrentDelegationChanges(offeredByPartyIds, appIds, coveredByPartyIds, coveredByUserIds);
            List<Rule> collected = new List<Rule>();

            foreach (DelegationChange change in currentChanges)
            {
                // A RevokeLast change no longer grants anything, so its policy is not loaded.
                if (change.DelegationChangeType == DelegationChangeType.RevokeLast)
                {
                    continue;
                }

                // Policies are fetched one at a time, in delegation order (no parallel I/O).
                XacmlPolicy delegatedPolicy = await _prp.GetPolicyVersionAsync(change.BlobStoragePolicyPath, change.BlobStorageVersionId);

                // NOTE(review): delegatedPolicy.Rules is dereferenced unguarded — confirm GetPolicyVersionAsync never returns null for a stored version.
                collected.AddRange(GetRulesFromPolicyAndDelegationChange(delegatedPolicy.Rules, change));
            }

            return collected;
        }
        /// <summary>
        /// Evaluates the decision request against delegations in three stages — user delegations from the
        /// reportee, user delegations from the reportee's main units, and party delegations to the user's
        /// key-role units — returning as soon as a stage yields a Permit.
        /// </summary>
        /// <param name="decisionRequest">The XACML request; may be enriched in place with key-role party ids in stage 3.</param>
        /// <param name="appPolicy">The app policy handed to the per-delegation evaluation.</param>
        /// <returns>
        /// Indeterminate when the request lacks org, app, subject user or a parsable reportee party;
        /// otherwise the last delegation response produced, or NotApplicable when no stage found delegations.
        /// </returns>
        private async Task<XacmlContextResponse> AuthorizeBasedOnDelegations(XacmlContextRequest decisionRequest, XacmlPolicy appPolicy)
        {
            // All responses built here carry a Success status; only the decision differs.
            XacmlContextResponse Respond(XacmlContextDecision decision)
            {
                return new XacmlContextResponse(new XacmlContextResult(decision)
                {
                    Status = new XacmlContextStatus(XacmlContextStatusCode.Success)
                });
            }

            bool HasPermit(XacmlContextResponse candidate) => candidate.Results.Any(r => r.Decision == XacmlContextDecision.Permit);

            // Starts as NotApplicable; each lookup stage below may replace it.
            XacmlContextResponse response = Respond(XacmlContextDecision.NotApplicable);

            XacmlResourceAttributes resource = _delegationContextHandler.GetResourceAttributes(decisionRequest);
            int subjectUserId = _delegationContextHandler.GetSubjectUserId(decisionRequest);

            if (resource is null
                || string.IsNullOrEmpty(resource.OrgValue)
                || string.IsNullOrEmpty(resource.AppValue)
                || subjectUserId == 0
                || !int.TryParse(resource.ResourcePartyValue, out int reporteePartyId))
            {
                // Incomplete request: delegations cannot be evaluated, so answer Indeterminate.
                // NOTE(review): the entire decision request is serialised into the warning log — confirm it holds nothing the log sink should not retain.
                string serialisedRequest = JsonConvert.SerializeObject(decisionRequest);
                _logger.LogWarning("// DecisionController // Authorize // Delegations // Incomplete request: {request}", serialisedRequest);
                return Respond(XacmlContextDecision.Indeterminate);
            }

            List<string> appIds = new List<string> { $"{resource.OrgValue}/{resource.AppValue}" };
            List<int> offeredByPartyIds = new List<int> { reporteePartyId };
            List<int> coveredByUserIds = new List<int> { subjectUserId };

            // 1. Delegations made directly to the user by the reportee party.
            List<DelegationChange> delegations = await _delegationRepository.GetAllCurrentDelegationChanges(offeredByPartyIds, appIds, coveredByUserIds: coveredByUserIds);
            if (delegations.Any())
            {
                response = await AuthorizeBasedOnDelegations(decisionRequest, delegations, appPolicy);
                if (HasPermit(response))
                {
                    return response;
                }
            }

            // 2. Delegations made directly to the user by the reportee's main units.
            List<MainUnit> mainUnits = await _delegationContextHandler.GetMainUnits(reporteePartyId);
            List<int> mainUnitPartyIds = mainUnits.Where(m => m.PartyId.HasValue).Select(m => m.PartyId.Value).ToList();
            if (mainUnitPartyIds.Any())
            {
                // Main units also count as offerers for the key-role lookup in stage 3.
                offeredByPartyIds.AddRange(mainUnitPartyIds);
                delegations = await _delegationRepository.GetAllCurrentDelegationChanges(mainUnitPartyIds, appIds, coveredByUserIds: coveredByUserIds);
                if (delegations.Any())
                {
                    response = await AuthorizeBasedOnDelegations(decisionRequest, delegations, appPolicy);
                    if (HasPermit(response))
                    {
                        return response;
                    }
                }
            }

            // 3. Party delegations to units where the user holds a key role.
            List<int> keyRolePartyIds = await _delegationContextHandler.GetKeyRolePartyIds(subjectUserId);
            if (keyRolePartyIds.Any())
            {
                delegations = await _delegationRepository.GetAllCurrentDelegationChanges(offeredByPartyIds, appIds, coveredByPartyIds: keyRolePartyIds);
                if (delegations.Any())
                {
                    // The request is enriched with the key-role parties before the delegation policies are evaluated.
                    _delegationContextHandler.Enrich(decisionRequest, keyRolePartyIds);
                    response = await AuthorizeBasedOnDelegations(decisionRequest, delegations, appPolicy);
                }
            }

            return response;
        }