protected virtual void WriteContextDecision(XmlWriter writer, XacmlContextDecision xacmlContextDecision) { if (writer == null) { throw new ArgumentNullException(nameof(writer)); } string value; switch (xacmlContextDecision) { case XacmlContextDecision.Deny: value = "Deny"; break; case XacmlContextDecision.Indeterminate: value = "Indeterminate"; break; case XacmlContextDecision.NotApplicable: value = "NotApplicable"; break; case XacmlContextDecision.Permit: value = "Permit"; break; default: throw new InvalidOperationException("Wrong Decision value"); } writer.WriteElementString(XacmlConstants.Prefixes.Context, XacmlConstants.ElementNames.Decision, this.Version.NamespaceContext, value); }
private static void WriteContextDecision(XmlWriter writer, XacmlContextDecision xacmlContextDecision) { Guard.ArgumentNotNull(writer, nameof(writer)); string value; switch (xacmlContextDecision) { case XacmlContextDecision.Deny: value = "Deny"; break; case XacmlContextDecision.Indeterminate: value = "Indeterminate"; break; case XacmlContextDecision.NotApplicable: value = "NotApplicable"; break; case XacmlContextDecision.Permit: value = "Permit"; break; default: throw new InvalidOperationException("Not a valid value"); } writer.WriteElementString(XacmlConstants.Prefixes.Xacml, XacmlConstants.ElementNames.Decision, Xacml30Constants.NameSpaces.Policy, value); }
/// <summary> /// Initializes a new instance of the <see cref="XacmlContextResult"/> class. /// </summary> /// <param name="decision">The authorization decision.</param> /// <param name="status">The status.</param> public XacmlContextResult(XacmlContextDecision decision, XacmlContextStatus status) { if (status == null) { throw new ArgumentNullException(nameof(status)); } this.decision = decision; this.status = status; }
/// <summary> /// Initializes a new instance of the <see cref="XacmlContextResult"/> class. /// </summary> /// <param name="decision">The authorization decision.</param> /// <remarks> /// Used only from XACML 2.0/3.0 /// </remarks> public XacmlContextResult(XacmlContextDecision decision) { this.decision = decision; }
/// <summary> /// Initializes a new instance of the <see cref="XacmlContextResult"/> class. /// </summary> /// <param name="decision">The authorization decision.</param> /// <param name="status">The status.</param> public XacmlContextResult(XacmlContextDecision decision, XacmlContextStatus status) { Contract.Requires<ArgumentNullException>(status != null); this.decision = decision; this.status = status; }
/// <summary> /// Method that validated if the subject is allwoed to perform the requested operation on a given resource. /// </summary> /// <param name="decisionRequest">The Xacml Context request.</param> /// <param name="policy">The relevant policy.</param> /// <returns>The decision reponse.</returns> public XacmlContextResponse Authorize(XacmlContextRequest decisionRequest, XacmlPolicy policy) { XacmlContextResult contextResult; ICollection <XacmlRule> matchingRules = this.GetMatchingRules(policy, decisionRequest, out bool requiredAttributesMissingFromContextRequest); if (requiredAttributesMissingFromContextRequest) { contextResult = new XacmlContextResult(XacmlContextDecision.Indeterminate) { Status = new XacmlContextStatus(XacmlContextStatusCode.MissingAttribute), }; return(new XacmlContextResponse(contextResult)); } if (matchingRules == null || matchingRules.Count == 0) { contextResult = new XacmlContextResult(XacmlContextDecision.NotApplicable) { Status = new XacmlContextStatus(XacmlContextStatusCode.Success), }; return(new XacmlContextResponse(contextResult)); } XacmlContextDecision overallDecision = XacmlContextDecision.NotApplicable; foreach (XacmlRule rule in matchingRules) { XacmlContextDecision decision; // Need to authorize based on the information in the Xacml context request XacmlAttributeMatchResult subjectMatchResult = rule.MatchAttributes(decisionRequest, XacmlConstants.MatchAttributeCategory.Subject); if (subjectMatchResult.Equals(XacmlAttributeMatchResult.Match)) { if (rule.Effect.Equals(XacmlEffectType.Permit)) { decision = XacmlContextDecision.Permit; } else { decision = XacmlContextDecision.Deny; } } else if (subjectMatchResult.Equals(XacmlAttributeMatchResult.RequiredAttributeMissing)) { contextResult = new XacmlContextResult(XacmlContextDecision.Indeterminate) { Status = new XacmlContextStatus(XacmlContextStatusCode.Success), }; return(new XacmlContextResponse(contextResult)); } else { decision = XacmlContextDecision.NotApplicable; } if ((decision.Equals(XacmlContextDecision.Deny) || decision.Equals(XacmlContextDecision.Permit)) && rule.Condition != null) { XacmlAttributeMatchResult conditionDidEvaluate = rule.EvaluateCondition(decisionRequest); if (conditionDidEvaluate.Equals(XacmlAttributeMatchResult.NoMatch)) { decision = XacmlContextDecision.NotApplicable; } else if (conditionDidEvaluate.Equals(XacmlAttributeMatchResult.RequiredAttributeMissing)) { contextResult = new XacmlContextResult(XacmlContextDecision.Indeterminate) { Status = new XacmlContextStatus(XacmlContextStatusCode.Success), }; return(new XacmlContextResponse(contextResult)); } else if (conditionDidEvaluate.Equals(XacmlAttributeMatchResult.BagSizeConditionFailed)) { contextResult = new XacmlContextResult(XacmlContextDecision.Indeterminate) { Status = new XacmlContextStatus(XacmlContextStatusCode.Success), }; return(new XacmlContextResponse(contextResult)); } else if (conditionDidEvaluate.Equals(XacmlAttributeMatchResult.ToManyAttributes)) { contextResult = new XacmlContextResult(XacmlContextDecision.Indeterminate) { Status = new XacmlContextStatus(XacmlContextStatusCode.ProcessingError), }; return(new XacmlContextResponse(contextResult)); } } if (!decision.Equals(XacmlContextDecision.NotApplicable)) { if (policy.RuleCombiningAlgId.Equals(XacmlConstants.CombiningAlgorithms.RuleDenyOverrides) && decision.Equals(XacmlContextDecision.Deny)) { contextResult = new XacmlContextResult(XacmlContextDecision.Deny); break; } else if (decision.Equals(XacmlContextDecision.Permit)) { overallDecision = decision; } } } contextResult = new XacmlContextResult(overallDecision) { Status = new XacmlContextStatus(XacmlContextStatusCode.Success), }; this.AddObligations(policy, contextResult); this.AddRequestAttributes(decisionRequest, contextResult); return(new XacmlContextResponse(contextResult)); }
protected virtual void WriteContextDecision(XmlWriter writer, XacmlContextDecision xacmlContextDecision) { Contract.Requires<ArgumentNullException>(writer != null); string value; switch (xacmlContextDecision) { case XacmlContextDecision.Deny: value = "Deny"; break; case XacmlContextDecision.Indeterminate: value = "Indeterminate"; break; case XacmlContextDecision.NotApplicable: value = "NotApplicable"; break; case XacmlContextDecision.Permit: value = "Permit"; break; default: throw Diagnostic.DiagnosticTools.ExceptionUtil.ThrowHelperError(new XacmlSerializationException("Wrong Decision value")); } writer.WriteElementString(XacmlConstants.Prefixes.Context, XacmlConstants.ElementNames.Decision, this.version.NamespaceContext, value); }
/// <summary> /// Initializes a new instance of the <see cref="XacmlContextResult"/> class. /// </summary> /// <param name="decision">The authorization decision.</param> /// <param name="status">The status.</param> public XacmlContextResult(XacmlContextDecision decision, XacmlContextStatus status) { Guard.ArgumentNotNull(status, nameof(status)); this.decision = decision; this.status = status; }