/// <summary>
/// Convert to policy instance
/// </summary>
public static SecurityPolicyInstance ToPolicyInstance(this IPolicyInstance me)
{
return(new SecurityPolicyInstance(
new SecurityPolicy()
{
CanOverride = me.Policy.CanOverride,
Oid = me.Policy.Oid,
Name = me.Policy.Name
},
(PolicyGrantType)(int)me.Rule
));
}
/// <summary>
/// Constructs this policy information object from an IMS policy instane
/// </summary>
public SecurityPolicyInfo(IPolicyInstance o)
{
this.Name = o.Policy.Name;
this.Oid = o.Policy.Oid;
this.CanOverride = o.Policy.CanOverride;
this.Grant = o.Rule;
this.Policy = new SecurityPolicy
{
Key = o.Policy.Key,
Oid = o.Policy.Oid,
CanOverride = o.Policy.CanOverride,
Name = o.Policy.Name
};
}
/// <summary>
/// Get a policy decision outcome (i.e. make a policy decision)
/// </summary>
public PolicyGrantType GetPolicyOutcome(IPrincipal principal, string policyId)
{
Dictionary <String, PolicyGrantType> grants = null;
PolicyGrantType rule;
if (principal == null)
{
throw new ArgumentNullException(nameof(principal));
}
else if (String.IsNullOrEmpty(policyId))
{
throw new ArgumentNullException(nameof(policyId));
}
else if (this.m_policyCache.TryGetValue(principal.Identity.Name, out grants) &&
grants.TryGetValue(policyId, out rule))
{
return(rule);
}
// Can we make this decision based on the claims?
if (principal is ClaimsPrincipal && (principal as ClaimsPrincipal).HasClaim(c => c.Type == ClaimTypes.OpenIzGrantedPolicyClaim && (c.Value == policyId || policyId.StartsWith(String.Format("{0}.", c.Value)))))
{
rule = PolicyGrantType.Grant;
}
else
{
// Get the user object from the principal
var pip = ApplicationContext.Current.PolicyInformationService;
// Policies
var activePolicies = pip.GetActivePolicies(principal).Where(o => policyId == o.Policy.Oid || policyId.StartsWith(String.Format("{0}.", o.Policy.Oid)));
// Most restrictive
IPolicyInstance policyInstance = null;
foreach (var pol in activePolicies)
{
if (policyInstance == null)
{
policyInstance = pol;
}
else if (pol.Rule < policyInstance.Rule)
{
policyInstance = pol;
}
}
if (policyInstance == null)
{
// TODO: Configure OptIn or OptOut
rule = PolicyGrantType.Deny;
}
else if (!policyInstance.Policy.CanOverride && policyInstance.Rule == PolicyGrantType.Elevate)
{
rule = PolicyGrantType.Deny;
}
else if (!policyInstance.Policy.IsActive)
{
rule = PolicyGrantType.Grant;
}
else
{
rule = policyInstance.Rule;
}
} // db lookup
// Add to local policy cache
lock (this.m_policyCache)
{
if (!this.m_policyCache.ContainsKey(principal.Identity.Name))
{
grants = new Dictionary <string, PolicyGrantType>();
this.m_policyCache.Add(principal.Identity.Name, grants);
}
else if (grants == null)
{
grants = this.m_policyCache[principal.Identity.Name];
}
if (!grants.ContainsKey(policyId))
{
grants.Add(policyId, rule);
}
}
return(rule);
}
/// <summary>
/// Get a policy outcome
/// </summary>
public PolicyDecisionOutcomeType GetPolicyOutcome(IPrincipal principal, string policyId)
{
if (principal == null)
{
throw new ArgumentNullException(nameof(principal));
}
else if (String.IsNullOrEmpty(policyId))
{
throw new ArgumentNullException(nameof(policyId));
}
// Can we make this decision based on the claims?
if (principal is ClaimsPrincipal && (principal as ClaimsPrincipal).HasClaim(c => c.Type == OpenIzClaimTypes.OpenIzGrantedPolicyClaim && policyId.StartsWith(c.Value)))
{
return(PolicyDecisionOutcomeType.Grant);
}
// Get the user object from the principal
var pip = ApplicationContext.Current.GetService <IPolicyInformationService>();
// Policies
var activePolicies = pip.GetActivePolicies(principal).Where(o => policyId.StartsWith(o.Policy.Oid));
// Most restrictive
IPolicyInstance policyInstance = null;
foreach (var pol in activePolicies)
{
if (policyInstance == null)
{
policyInstance = pol;
}
else if (pol.Rule < policyInstance.Rule)
{
policyInstance = pol;
}
}
if (policyInstance == null)
{
// TODO: Configure OptIn or OptOut
return(PolicyDecisionOutcomeType.Deny);
}
else if (!policyInstance.Policy.CanOverride && policyInstance.Rule == PolicyDecisionOutcomeType.Elevate)
{
return(PolicyDecisionOutcomeType.Deny);
}
else if (!policyInstance.Policy.IsActive)
{
return(PolicyDecisionOutcomeType.Grant);
}
else if ((policyInstance.Policy as ILocalPolicy)?.Handler != null)
{
IPolicyHandler handlerInstance = null;
var policy = policyInstance.Policy as ILocalPolicy;
if (policy != null)
{
return(policy.Handler.GetPolicyDecision(principal, policy, null).Outcome);
}
}
return(policyInstance.Rule);
}
