private async Task <XacmlContextResponse> Authorize(XacmlContextRequest decisionRequest)
{
decisionRequest = await this._contextHandler.Enrich(decisionRequest);
_logger.LogInformation($"// DecisionController // Authorize // Roles // Enriched request: {JsonConvert.SerializeObject(decisionRequest)}.");
XacmlPolicy policy = await this._prp.GetPolicyAsync(decisionRequest);
XacmlContextResponse rolesContextResponse = _pdp.Authorize(decisionRequest, policy);
_logger.LogInformation($"// DecisionController // Authorize // Roles // XACML ContextResponse: {JsonConvert.SerializeObject(rolesContextResponse)}.");
XacmlContextResult roleResult = rolesContextResponse.Results.First();
if (roleResult.Decision.Equals(XacmlContextDecision.NotApplicable))
{
try
{
XacmlContextResponse delegationContextResponse = await AuthorizeBasedOnDelegations(decisionRequest, policy);
XacmlContextResult delegationResult = delegationContextResponse.Results.First();
if (delegationResult.Decision.Equals(XacmlContextDecision.Permit))
{
return(delegationContextResponse);
}
}
catch (Exception ex)
{
_logger.LogError(ex, "// DecisionController // Authorize // Delegation // Unexpected Exception");
}
}
return(rolesContextResponse);
}
public async Task <ActionResult> Post([FromBody] XacmlRequestApiModel model)
{
try
{
if (Request.ContentType.Contains("application/json"))
{
return(await AuthorizeJsonRequest(model)); // lgtm [cs/user-controlled-bypass]
}
else
{
return(await AuthorizeXmlRequest(model)); // lgtm [cs/user-controlled-bypass]
}
}
catch
{
XacmlContextResult result = new XacmlContextResult(XacmlContextDecision.Indeterminate)
{
Status = new XacmlContextStatus(XacmlContextStatusCode.SyntaxError)
};
XacmlContextResponse xacmlContextResponse = new XacmlContextResponse(result);
if (Request.ContentType.Contains("application/json"))
{
XacmlJsonResponse jsonResult = XacmlJsonXmlConverter.ConvertResponse(xacmlContextResponse);
return(Ok(jsonResult));
}
else
{
return(CreateResponse(xacmlContextResponse));
}
}
}
public async Task <ActionResult> Post([FromBody] XacmlRequestApiModel model)
{
try
{
if (Request.ContentType.Contains("application/json"))
{
return(await AuthorizeJsonRequest(model));
}
else
{
return(await AuthorizeXmlRequest(model));
}
}
catch (Exception ex)
{
_logger.LogError(ex, "// DecisionController // Decision // Unexpected Exception");
XacmlContextResult result = new XacmlContextResult(XacmlContextDecision.Indeterminate)
{
Status = new XacmlContextStatus(XacmlContextStatusCode.SyntaxError)
};
XacmlContextResponse xacmlContextResponse = new XacmlContextResponse(result);
if (Request.ContentType.Contains("application/json"))
{
XacmlJsonResponse jsonResult = XacmlJsonXmlConverter.ConvertResponse(xacmlContextResponse);
return(Ok(jsonResult));
}
else
{
return(CreateResponse(xacmlContextResponse));
}
}
}
private void AddRequestAttributes(XacmlContextRequest decisionRequest, XacmlContextResult result)
{
foreach (XacmlContextAttributes attribute in decisionRequest.Attributes)
{
bool hasResponseAttributes = false;
XacmlContextAttributes responseAttribute = new XacmlContextAttributes(attribute.Category)
{
Content = attribute.Content, Id = attribute.Id
};
foreach (XacmlAttribute atr in attribute.Attributes)
{
if (atr.IncludeInResult)
{
hasResponseAttributes = true;
responseAttribute.Attributes.Add(atr);
}
}
if (hasResponseAttributes)
{
result.Attributes.Add(responseAttribute);
}
}
}
private static void AssertEqual(XacmlContextResult expected, XacmlContextResult actual)
{
Assert.NotNull(actual);
Assert.NotNull(expected);
Assert.Equal(expected.Decision, actual.Decision);
AssertEqual(expected.Status, actual.Status);
Assert.Equal(expected.Obligations.Count, actual.Obligations.Count);
if (expected.Obligations.Count > 0)
{
AssertEqual(expected.Obligations.First(), actual.Obligations.First());
}
}
public ActionResult Post([FromBody] XacmlRequestApiModel model)
{
XacmlContextRequest request = null;
XacmlContextResponse xacmlContextResponse = null;
try
{
request = ParseApiBody(model);
}
catch (Exception)
{
XacmlContextResult result = new XacmlContextResult(XacmlContextDecision.Indeterminate)
{
Status = new XacmlContextStatus(XacmlContextStatusCode.SyntaxError)
};
xacmlContextResponse = new XacmlContextResponse(result);
}
if (request != null)
{
PolicyDecisionPoint pdp = new PolicyDecisionPoint(_contextHandler, _prp);
xacmlContextResponse = pdp.Authorize(request);
}
string accept = HttpContext.Request.Headers["Accept"];
if (!string.IsNullOrEmpty(accept) && accept.Equals("application/json"))
{
XacmlJsonResponse jsonReponse = XacmlJsonXmlConverter.ConvertResponse(xacmlContextResponse);
return(Ok(jsonReponse));
}
StringBuilder builder = new StringBuilder();
using (XmlWriter writer = XmlWriter.Create(builder))
{
XacmlSerializer.WriteContextResponse(writer, xacmlContextResponse);
}
string xml = builder.ToString();
return(Content(xml));
}
protected virtual void WriteContextResult(XmlWriter writer, XacmlContextResult data)
{
if (writer == null)
{
throw new ArgumentNullException(nameof(writer));
}
if (data == null)
{
throw new ArgumentNullException(nameof(data));
}
writer.WriteStartElement(XacmlConstants.Prefixes.Context, XacmlConstants.ElementNames.Result, this.Version.NamespaceContext);
if (!string.IsNullOrEmpty(data.ResourceId))
{
writer.WriteAttributeString(XacmlConstants.AttributeNames.ResourceId, data.ResourceId);
}
this.WriteContextDecision(writer, data.Decision);
if (data.Status == null)
{
throw new InvalidOperationException("status must be set for XACML 1.0/1.1");
}
this.WriteContextStatus(writer, data.Status);
if (data.Obligations.Count > 1)
{
throw new InvalidOperationException("Obligations should be < 2 until version 2.0");
}
if (data.Obligations.Count > 0)
{
this.WriteObligation(writer, data.Obligations.First());
}
writer.WriteEndElement();
}
protected virtual XacmlContextResult ReadContextResult(XmlReader reader)
{
if (reader == null)
{
throw new ArgumentNullException(nameof(reader));
}
if (!reader.IsStartElement(XacmlConstants.ElementNames.Result, this.Version.NamespaceContext))
{
throw ThrowHelperXml(reader, "XML message is not valid.");
}
// Read attributes
string resourceId = this.ReadAttribute <string>(reader, XacmlConstants.AttributeNames.ResourceId, isRequered: false);
reader.ReadStartElement(XacmlConstants.ElementNames.Result, this.Version.NamespaceContext);
// Read elements
XacmlContextResult result = new XacmlContextResult(
this.ReadRequired(XacmlConstants.ElementNames.Decision, this.Version.NamespaceContext, ReadContextDecision, reader),
this.ReadRequired(XacmlConstants.ElementNames.Status, this.Version.NamespaceContext, ReadContextStatus, reader))
{
ResourceId = resourceId,
};
if (reader.IsStartElement(XacmlConstants.ElementNames.Obligations, this.Version.NamespacePolicy))
{
reader.ReadStartElement(XacmlConstants.ElementNames.Obligations, this.Version.NamespacePolicy);
this.ReadList <XacmlObligation>(result.Obligations, XacmlConstants.ElementNames.Obligation, this.Version.NamespacePolicy, ReadObligation, reader, isRequired: false);
// end obligations
reader.ReadEndElement();
}
reader.ReadEndElement();
return(result);
}
private void AddObligations(XacmlPolicy policy, XacmlContextResult result)
{
if (result.Decision.Equals(XacmlContextDecision.Permit))
{
if (policy.ObligationExpressions.Count > 0)
{
IEnumerable <XacmlObligationExpression> obligationsWithPermit = policy.ObligationExpressions.Where(o => o.FulfillOn == XacmlEffectType.Permit);
foreach (XacmlObligationExpression expression in obligationsWithPermit)
{
List <XacmlAttributeAssignment> attributeAssignments = new List <XacmlAttributeAssignment>();
foreach (XacmlAttributeAssignmentExpression ex in expression.AttributeAssignmentExpressions)
{
Type applyElemType = ex.Property.GetType();
if (applyElemType == typeof(XacmlAttributeValue))
{
XacmlAttributeValue attributeValue = ex.Property as XacmlAttributeValue;
XacmlAttributeAssignment attributeAssignment = new XacmlAttributeAssignment(ex.AttributeId, attributeValue.DataType, attributeValue.Value)
{
Category = ex.Category,
Issuer = ex.Issuer,
};
attributeAssignments.Add(attributeAssignment);
}
}
XacmlObligation obligation = new XacmlObligation(expression.ObligationId, attributeAssignments)
{
FulfillOn = XacmlEffectType.Permit,
};
result.Obligations.Add(obligation);
}
}
}
}
public async Task <ActionResult> Post([FromBody] XacmlRequestApiModel model)
{
try
{
if (Request.ContentType.Contains("application/json"))
{
return(await AuthorizeJsonRequest(model));
}
else
{
return(await AuthorizeXmlRequest(model));
}
}
catch (Exception ex)
{
XacmlContextResult result = new XacmlContextResult(XacmlContextDecision.Indeterminate)
{
Status = new XacmlContextStatus(XacmlContextStatusCode.SyntaxError)
};
XacmlContextResponse xacmlContextResponse = new XacmlContextResponse(result);
return(CreateResponse(xacmlContextResponse));
}
}
/// <summary>
/// Method that validated if the subject is allwoed to perform the requested operation on a given resource.
/// </summary>
/// <param name="decisionRequest">The Xacml Context request.</param>
/// <param name="policy">The relevant policy.</param>
/// <returns>The decision reponse.</returns>
public XacmlContextResponse Authorize(XacmlContextRequest decisionRequest, XacmlPolicy policy)
{
XacmlContextResult contextResult;
ICollection <XacmlRule> matchingRules = this.GetMatchingRules(policy, decisionRequest, out bool requiredAttributesMissingFromContextRequest);
if (requiredAttributesMissingFromContextRequest)
{
contextResult = new XacmlContextResult(XacmlContextDecision.Indeterminate)
{
Status = new XacmlContextStatus(XacmlContextStatusCode.MissingAttribute),
};
return(new XacmlContextResponse(contextResult));
}
if (matchingRules == null || matchingRules.Count == 0)
{
contextResult = new XacmlContextResult(XacmlContextDecision.NotApplicable)
{
Status = new XacmlContextStatus(XacmlContextStatusCode.Success),
};
return(new XacmlContextResponse(contextResult));
}
XacmlContextDecision overallDecision = XacmlContextDecision.NotApplicable;
foreach (XacmlRule rule in matchingRules)
{
XacmlContextDecision decision;
// Need to authorize based on the information in the Xacml context request
XacmlAttributeMatchResult subjectMatchResult = rule.MatchAttributes(decisionRequest, XacmlConstants.MatchAttributeCategory.Subject);
if (subjectMatchResult.Equals(XacmlAttributeMatchResult.Match))
{
if (rule.Effect.Equals(XacmlEffectType.Permit))
{
decision = XacmlContextDecision.Permit;
}
else
{
decision = XacmlContextDecision.Deny;
}
}
else if (subjectMatchResult.Equals(XacmlAttributeMatchResult.RequiredAttributeMissing))
{
contextResult = new XacmlContextResult(XacmlContextDecision.Indeterminate)
{
Status = new XacmlContextStatus(XacmlContextStatusCode.Success),
};
return(new XacmlContextResponse(contextResult));
}
else
{
decision = XacmlContextDecision.NotApplicable;
}
if ((decision.Equals(XacmlContextDecision.Deny) || decision.Equals(XacmlContextDecision.Permit)) && rule.Condition != null)
{
XacmlAttributeMatchResult conditionDidEvaluate = rule.EvaluateCondition(decisionRequest);
if (conditionDidEvaluate.Equals(XacmlAttributeMatchResult.NoMatch))
{
decision = XacmlContextDecision.NotApplicable;
}
else if (conditionDidEvaluate.Equals(XacmlAttributeMatchResult.RequiredAttributeMissing))
{
contextResult = new XacmlContextResult(XacmlContextDecision.Indeterminate)
{
Status = new XacmlContextStatus(XacmlContextStatusCode.Success),
};
return(new XacmlContextResponse(contextResult));
}
else if (conditionDidEvaluate.Equals(XacmlAttributeMatchResult.BagSizeConditionFailed))
{
contextResult = new XacmlContextResult(XacmlContextDecision.Indeterminate)
{
Status = new XacmlContextStatus(XacmlContextStatusCode.Success),
};
return(new XacmlContextResponse(contextResult));
}
else if (conditionDidEvaluate.Equals(XacmlAttributeMatchResult.ToManyAttributes))
{
contextResult = new XacmlContextResult(XacmlContextDecision.Indeterminate)
{
Status = new XacmlContextStatus(XacmlContextStatusCode.ProcessingError),
};
return(new XacmlContextResponse(contextResult));
}
}
if (!decision.Equals(XacmlContextDecision.NotApplicable))
{
if (policy.RuleCombiningAlgId.Equals(XacmlConstants.CombiningAlgorithms.RuleDenyOverrides) &&
decision.Equals(XacmlContextDecision.Deny))
{
contextResult = new XacmlContextResult(XacmlContextDecision.Deny);
break;
}
else if (decision.Equals(XacmlContextDecision.Permit))
{
overallDecision = decision;
}
}
}
contextResult = new XacmlContextResult(overallDecision)
{
Status = new XacmlContextStatus(XacmlContextStatusCode.Success),
};
this.AddObligations(policy, contextResult);
this.AddRequestAttributes(decisionRequest, contextResult);
return(new XacmlContextResponse(contextResult));
}
private static void WriteContextResult(XmlWriter writer, XacmlContextResult xacmlContextResult)
{
Guard.ArgumentNotNull(writer, nameof(writer));
Guard.ArgumentNotNull(xacmlContextResult, nameof(xacmlContextResult));
writer.WriteStartElement(XacmlConstants.Prefixes.Xacml, XacmlConstants.ElementNames.Result, Xacml30Constants.NameSpaces.Policy);
WriteContextDecision(writer, xacmlContextResult.Decision);
if (xacmlContextResult.Status != null)
{
WriteContextStatus(writer, xacmlContextResult.Status);
}
if (xacmlContextResult.Obligations.Count > 0)
{
writer.WriteStartElement(XacmlConstants.Prefixes.Xacml, XacmlConstants.ElementNames.Obligations, Xacml30Constants.NameSpaces.Policy);
foreach (XacmlObligation val in xacmlContextResult.Obligations)
{
WriteObligation(writer, val);
}
writer.WriteEndElement();
}
if (xacmlContextResult.Advices.Count > 0)
{
writer.WriteStartElement(XacmlConstants.Prefixes.Xacml, XacmlConstants.ElementNames.AssociatedAdvice, Xacml30Constants.NameSpaces.Policy);
foreach (XacmlAdvice val in xacmlContextResult.Advices)
{
WriteAdvice(writer, val);
}
writer.WriteEndElement();
}
if (xacmlContextResult.Attributes.Count > 0)
{
foreach (XacmlContextAttributes attr in xacmlContextResult.Attributes)
{
WriteContextAttributes(writer, attr);
}
}
if (xacmlContextResult.PolicyIdReferences.Count > 0 || xacmlContextResult.PolicySetIdReferences.Count > 0)
{
writer.WriteStartElement(XacmlConstants.Prefixes.Xacml, XacmlConstants.ElementNames.PolicyIdentifierList, Xacml30Constants.NameSpaces.Policy);
foreach (XacmlContextPolicyIdReference pref in xacmlContextResult.PolicyIdReferences)
{
WritePolicyIdReference(writer, pref);
}
foreach (XacmlContextPolicySetIdReference psref in xacmlContextResult.PolicySetIdReferences)
{
WritePolicySetIdReference(writer, psref);
}
writer.WriteEndElement();
}
writer.WriteEndElement();
}
