private async Task <XacmlContextResponse> Authorize(XacmlContextRequest decisionRequest) { decisionRequest = await this._contextHandler.Enrich(decisionRequest); _logger.LogInformation($"// DecisionController // Authorize // Roles // Enriched request: {JsonConvert.SerializeObject(decisionRequest)}."); XacmlPolicy policy = await this._prp.GetPolicyAsync(decisionRequest); XacmlContextResponse rolesContextResponse = _pdp.Authorize(decisionRequest, policy); _logger.LogInformation($"// DecisionController // Authorize // Roles // XACML ContextResponse: {JsonConvert.SerializeObject(rolesContextResponse)}."); XacmlContextResult roleResult = rolesContextResponse.Results.First(); if (roleResult.Decision.Equals(XacmlContextDecision.NotApplicable)) { try { XacmlContextResponse delegationContextResponse = await AuthorizeBasedOnDelegations(decisionRequest, policy); XacmlContextResult delegationResult = delegationContextResponse.Results.First(); if (delegationResult.Decision.Equals(XacmlContextDecision.Permit)) { return(delegationContextResponse); } } catch (Exception ex) { _logger.LogError(ex, "// DecisionController // Authorize // Delegation // Unexpected Exception"); } } return(rolesContextResponse); }
public async Task <ActionResult> Post([FromBody] XacmlRequestApiModel model) { try { if (Request.ContentType.Contains("application/json")) { return(await AuthorizeJsonRequest(model)); // lgtm [cs/user-controlled-bypass] } else { return(await AuthorizeXmlRequest(model)); // lgtm [cs/user-controlled-bypass] } } catch { XacmlContextResult result = new XacmlContextResult(XacmlContextDecision.Indeterminate) { Status = new XacmlContextStatus(XacmlContextStatusCode.SyntaxError) }; XacmlContextResponse xacmlContextResponse = new XacmlContextResponse(result); if (Request.ContentType.Contains("application/json")) { XacmlJsonResponse jsonResult = XacmlJsonXmlConverter.ConvertResponse(xacmlContextResponse); return(Ok(jsonResult)); } else { return(CreateResponse(xacmlContextResponse)); } } }
public async Task <ActionResult> Post([FromBody] XacmlRequestApiModel model) { try { if (Request.ContentType.Contains("application/json")) { return(await AuthorizeJsonRequest(model)); } else { return(await AuthorizeXmlRequest(model)); } } catch (Exception ex) { _logger.LogError(ex, "// DecisionController // Decision // Unexpected Exception"); XacmlContextResult result = new XacmlContextResult(XacmlContextDecision.Indeterminate) { Status = new XacmlContextStatus(XacmlContextStatusCode.SyntaxError) }; XacmlContextResponse xacmlContextResponse = new XacmlContextResponse(result); if (Request.ContentType.Contains("application/json")) { XacmlJsonResponse jsonResult = XacmlJsonXmlConverter.ConvertResponse(xacmlContextResponse); return(Ok(jsonResult)); } else { return(CreateResponse(xacmlContextResponse)); } } }
private void AddRequestAttributes(XacmlContextRequest decisionRequest, XacmlContextResult result) { foreach (XacmlContextAttributes attribute in decisionRequest.Attributes) { bool hasResponseAttributes = false; XacmlContextAttributes responseAttribute = new XacmlContextAttributes(attribute.Category) { Content = attribute.Content, Id = attribute.Id }; foreach (XacmlAttribute atr in attribute.Attributes) { if (atr.IncludeInResult) { hasResponseAttributes = true; responseAttribute.Attributes.Add(atr); } } if (hasResponseAttributes) { result.Attributes.Add(responseAttribute); } } }
private static void AssertEqual(XacmlContextResult expected, XacmlContextResult actual) { Assert.NotNull(actual); Assert.NotNull(expected); Assert.Equal(expected.Decision, actual.Decision); AssertEqual(expected.Status, actual.Status); Assert.Equal(expected.Obligations.Count, actual.Obligations.Count); if (expected.Obligations.Count > 0) { AssertEqual(expected.Obligations.First(), actual.Obligations.First()); } }
public ActionResult Post([FromBody] XacmlRequestApiModel model) { XacmlContextRequest request = null; XacmlContextResponse xacmlContextResponse = null; try { request = ParseApiBody(model); } catch (Exception) { XacmlContextResult result = new XacmlContextResult(XacmlContextDecision.Indeterminate) { Status = new XacmlContextStatus(XacmlContextStatusCode.SyntaxError) }; xacmlContextResponse = new XacmlContextResponse(result); } if (request != null) { PolicyDecisionPoint pdp = new PolicyDecisionPoint(_contextHandler, _prp); xacmlContextResponse = pdp.Authorize(request); } string accept = HttpContext.Request.Headers["Accept"]; if (!string.IsNullOrEmpty(accept) && accept.Equals("application/json")) { XacmlJsonResponse jsonReponse = XacmlJsonXmlConverter.ConvertResponse(xacmlContextResponse); return(Ok(jsonReponse)); } StringBuilder builder = new StringBuilder(); using (XmlWriter writer = XmlWriter.Create(builder)) { XacmlSerializer.WriteContextResponse(writer, xacmlContextResponse); } string xml = builder.ToString(); return(Content(xml)); }
protected virtual void WriteContextResult(XmlWriter writer, XacmlContextResult data) { if (writer == null) { throw new ArgumentNullException(nameof(writer)); } if (data == null) { throw new ArgumentNullException(nameof(data)); } writer.WriteStartElement(XacmlConstants.Prefixes.Context, XacmlConstants.ElementNames.Result, this.Version.NamespaceContext); if (!string.IsNullOrEmpty(data.ResourceId)) { writer.WriteAttributeString(XacmlConstants.AttributeNames.ResourceId, data.ResourceId); } this.WriteContextDecision(writer, data.Decision); if (data.Status == null) { throw new InvalidOperationException("status must be set for XACML 1.0/1.1"); } this.WriteContextStatus(writer, data.Status); if (data.Obligations.Count > 1) { throw new InvalidOperationException("Obligations should be < 2 until version 2.0"); } if (data.Obligations.Count > 0) { this.WriteObligation(writer, data.Obligations.First()); } writer.WriteEndElement(); }
protected virtual XacmlContextResult ReadContextResult(XmlReader reader) { if (reader == null) { throw new ArgumentNullException(nameof(reader)); } if (!reader.IsStartElement(XacmlConstants.ElementNames.Result, this.Version.NamespaceContext)) { throw ThrowHelperXml(reader, "XML message is not valid."); } // Read attributes string resourceId = this.ReadAttribute <string>(reader, XacmlConstants.AttributeNames.ResourceId, isRequered: false); reader.ReadStartElement(XacmlConstants.ElementNames.Result, this.Version.NamespaceContext); // Read elements XacmlContextResult result = new XacmlContextResult( this.ReadRequired(XacmlConstants.ElementNames.Decision, this.Version.NamespaceContext, ReadContextDecision, reader), this.ReadRequired(XacmlConstants.ElementNames.Status, this.Version.NamespaceContext, ReadContextStatus, reader)) { ResourceId = resourceId, }; if (reader.IsStartElement(XacmlConstants.ElementNames.Obligations, this.Version.NamespacePolicy)) { reader.ReadStartElement(XacmlConstants.ElementNames.Obligations, this.Version.NamespacePolicy); this.ReadList <XacmlObligation>(result.Obligations, XacmlConstants.ElementNames.Obligation, this.Version.NamespacePolicy, ReadObligation, reader, isRequired: false); // end obligations reader.ReadEndElement(); } reader.ReadEndElement(); return(result); }
private void AddObligations(XacmlPolicy policy, XacmlContextResult result) { if (result.Decision.Equals(XacmlContextDecision.Permit)) { if (policy.ObligationExpressions.Count > 0) { IEnumerable <XacmlObligationExpression> obligationsWithPermit = policy.ObligationExpressions.Where(o => o.FulfillOn == XacmlEffectType.Permit); foreach (XacmlObligationExpression expression in obligationsWithPermit) { List <XacmlAttributeAssignment> attributeAssignments = new List <XacmlAttributeAssignment>(); foreach (XacmlAttributeAssignmentExpression ex in expression.AttributeAssignmentExpressions) { Type applyElemType = ex.Property.GetType(); if (applyElemType == typeof(XacmlAttributeValue)) { XacmlAttributeValue attributeValue = ex.Property as XacmlAttributeValue; XacmlAttributeAssignment attributeAssignment = new XacmlAttributeAssignment(ex.AttributeId, attributeValue.DataType, attributeValue.Value) { Category = ex.Category, Issuer = ex.Issuer, }; attributeAssignments.Add(attributeAssignment); } } XacmlObligation obligation = new XacmlObligation(expression.ObligationId, attributeAssignments) { FulfillOn = XacmlEffectType.Permit, }; result.Obligations.Add(obligation); } } } }
public async Task <ActionResult> Post([FromBody] XacmlRequestApiModel model) { try { if (Request.ContentType.Contains("application/json")) { return(await AuthorizeJsonRequest(model)); } else { return(await AuthorizeXmlRequest(model)); } } catch (Exception ex) { XacmlContextResult result = new XacmlContextResult(XacmlContextDecision.Indeterminate) { Status = new XacmlContextStatus(XacmlContextStatusCode.SyntaxError) }; XacmlContextResponse xacmlContextResponse = new XacmlContextResponse(result); return(CreateResponse(xacmlContextResponse)); } }
/// <summary> /// Method that validated if the subject is allwoed to perform the requested operation on a given resource. /// </summary> /// <param name="decisionRequest">The Xacml Context request.</param> /// <param name="policy">The relevant policy.</param> /// <returns>The decision reponse.</returns> public XacmlContextResponse Authorize(XacmlContextRequest decisionRequest, XacmlPolicy policy) { XacmlContextResult contextResult; ICollection <XacmlRule> matchingRules = this.GetMatchingRules(policy, decisionRequest, out bool requiredAttributesMissingFromContextRequest); if (requiredAttributesMissingFromContextRequest) { contextResult = new XacmlContextResult(XacmlContextDecision.Indeterminate) { Status = new XacmlContextStatus(XacmlContextStatusCode.MissingAttribute), }; return(new XacmlContextResponse(contextResult)); } if (matchingRules == null || matchingRules.Count == 0) { contextResult = new XacmlContextResult(XacmlContextDecision.NotApplicable) { Status = new XacmlContextStatus(XacmlContextStatusCode.Success), }; return(new XacmlContextResponse(contextResult)); } XacmlContextDecision overallDecision = XacmlContextDecision.NotApplicable; foreach (XacmlRule rule in matchingRules) { XacmlContextDecision decision; // Need to authorize based on the information in the Xacml context request XacmlAttributeMatchResult subjectMatchResult = rule.MatchAttributes(decisionRequest, XacmlConstants.MatchAttributeCategory.Subject); if (subjectMatchResult.Equals(XacmlAttributeMatchResult.Match)) { if (rule.Effect.Equals(XacmlEffectType.Permit)) { decision = XacmlContextDecision.Permit; } else { decision = XacmlContextDecision.Deny; } } else if (subjectMatchResult.Equals(XacmlAttributeMatchResult.RequiredAttributeMissing)) { contextResult = new XacmlContextResult(XacmlContextDecision.Indeterminate) { Status = new XacmlContextStatus(XacmlContextStatusCode.Success), }; return(new XacmlContextResponse(contextResult)); } else { decision = XacmlContextDecision.NotApplicable; } if ((decision.Equals(XacmlContextDecision.Deny) || decision.Equals(XacmlContextDecision.Permit)) && rule.Condition != null) { XacmlAttributeMatchResult conditionDidEvaluate = rule.EvaluateCondition(decisionRequest); if (conditionDidEvaluate.Equals(XacmlAttributeMatchResult.NoMatch)) { decision = XacmlContextDecision.NotApplicable; } else if (conditionDidEvaluate.Equals(XacmlAttributeMatchResult.RequiredAttributeMissing)) { contextResult = new XacmlContextResult(XacmlContextDecision.Indeterminate) { Status = new XacmlContextStatus(XacmlContextStatusCode.Success), }; return(new XacmlContextResponse(contextResult)); } else if (conditionDidEvaluate.Equals(XacmlAttributeMatchResult.BagSizeConditionFailed)) { contextResult = new XacmlContextResult(XacmlContextDecision.Indeterminate) { Status = new XacmlContextStatus(XacmlContextStatusCode.Success), }; return(new XacmlContextResponse(contextResult)); } else if (conditionDidEvaluate.Equals(XacmlAttributeMatchResult.ToManyAttributes)) { contextResult = new XacmlContextResult(XacmlContextDecision.Indeterminate) { Status = new XacmlContextStatus(XacmlContextStatusCode.ProcessingError), }; return(new XacmlContextResponse(contextResult)); } } if (!decision.Equals(XacmlContextDecision.NotApplicable)) { if (policy.RuleCombiningAlgId.Equals(XacmlConstants.CombiningAlgorithms.RuleDenyOverrides) && decision.Equals(XacmlContextDecision.Deny)) { contextResult = new XacmlContextResult(XacmlContextDecision.Deny); break; } else if (decision.Equals(XacmlContextDecision.Permit)) { overallDecision = decision; } } } contextResult = new XacmlContextResult(overallDecision) { Status = new XacmlContextStatus(XacmlContextStatusCode.Success), }; this.AddObligations(policy, contextResult); this.AddRequestAttributes(decisionRequest, contextResult); return(new XacmlContextResponse(contextResult)); }
private static void WriteContextResult(XmlWriter writer, XacmlContextResult xacmlContextResult) { Guard.ArgumentNotNull(writer, nameof(writer)); Guard.ArgumentNotNull(xacmlContextResult, nameof(xacmlContextResult)); writer.WriteStartElement(XacmlConstants.Prefixes.Xacml, XacmlConstants.ElementNames.Result, Xacml30Constants.NameSpaces.Policy); WriteContextDecision(writer, xacmlContextResult.Decision); if (xacmlContextResult.Status != null) { WriteContextStatus(writer, xacmlContextResult.Status); } if (xacmlContextResult.Obligations.Count > 0) { writer.WriteStartElement(XacmlConstants.Prefixes.Xacml, XacmlConstants.ElementNames.Obligations, Xacml30Constants.NameSpaces.Policy); foreach (XacmlObligation val in xacmlContextResult.Obligations) { WriteObligation(writer, val); } writer.WriteEndElement(); } if (xacmlContextResult.Advices.Count > 0) { writer.WriteStartElement(XacmlConstants.Prefixes.Xacml, XacmlConstants.ElementNames.AssociatedAdvice, Xacml30Constants.NameSpaces.Policy); foreach (XacmlAdvice val in xacmlContextResult.Advices) { WriteAdvice(writer, val); } writer.WriteEndElement(); } if (xacmlContextResult.Attributes.Count > 0) { foreach (XacmlContextAttributes attr in xacmlContextResult.Attributes) { WriteContextAttributes(writer, attr); } } if (xacmlContextResult.PolicyIdReferences.Count > 0 || xacmlContextResult.PolicySetIdReferences.Count > 0) { writer.WriteStartElement(XacmlConstants.Prefixes.Xacml, XacmlConstants.ElementNames.PolicyIdentifierList, Xacml30Constants.NameSpaces.Policy); foreach (XacmlContextPolicyIdReference pref in xacmlContextResult.PolicyIdReferences) { WritePolicyIdReference(writer, pref); } foreach (XacmlContextPolicySetIdReference psref in xacmlContextResult.PolicySetIdReferences) { WritePolicySetIdReference(writer, psref); } writer.WriteEndElement(); } writer.WriteEndElement(); }