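/// <summary>
/// Validates a single PDP result: the decision must be Permit and, when the result carries a
/// minimum-authentication-level obligation, the user's "urn:altinn:authlevel" claim must meet it.
/// </summary>
/// <param name="result">The PDP result to validate.</param>
/// <param name="user">The authenticated user whose claims are checked against the obligations.</param>
/// <returns>
/// True when access is permitted; false on any other decision, on a missing or non-numeric
/// authentication-level claim, or on a non-numeric obligation value (the check fails closed).
/// </returns>
public static bool ValidateDecisionResult(XacmlJsonResult result, ClaimsPrincipal user)
{
    // Only an explicit Permit is accepted; a null decision compares unequal as well.
    if (result == null || !string.Equals(result.Decision, XacmlContextDecision.Permit.ToString(), StringComparison.Ordinal))
    {
        return false;
    }

    if (result.Obligations == null)
    {
        return true;
    }

    // Search every obligation. The previous Select(...).FirstOrDefault() returned the first
    // obligation's (possibly null) match only, so a level requirement carried by any later
    // obligation was silently skipped and the request was permitted.
    XacmlJsonAttributeAssignment minLevelAssignment = result.Obligations
        .Where(o => o != null && o.AttributeAssignment != null)
        .SelectMany(o => o.AttributeAssignment)
        .FirstOrDefault(aa => string.Equals(aa.Category, "urn:altinn:minimum-authenticationlevel", StringComparison.Ordinal));

    if (minLevelAssignment == null)
    {
        return true;
    }

    Claim levelClaim = user?.Claims.FirstOrDefault(c => string.Equals(c.Type, "urn:altinn:authlevel", StringComparison.Ordinal));

    // A missing claim or a non-numeric value denies instead of throwing
    // (NullReferenceException / FormatException in the previous version).
    if (levelClaim == null
        || !TryParseLevel(levelClaim.Value, out int userLevel)
        || !TryParseLevel(minLevelAssignment.Value, out int requiredLevel))
    {
        return false;
    }

    return userLevel >= requiredLevel;

    // Same accepted syntax as Convert.ToInt32(string), but without the exception.
    bool TryParseLevel(string value, out int level) =>
        int.TryParse(
            value,
            System.Globalization.NumberStyles.Integer,
            System.Globalization.CultureInfo.InvariantCulture,
            out level);
}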
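/// <summary>
/// Validate the response from PDP
/// </summary>
/// <param name="result">The response to validate</param>
/// <param name="user">The <see cref="ClaimsPrincipal"/></param>
/// <returns>
/// The result of the validation. When the user fails a minimum-authentication-level obligation,
/// <c>FailedObligations</c> carries the level that was required.
/// </returns>
/// <exception cref="ArgumentNullException">Thrown when <paramref name="result"/> or <paramref name="user"/> is null.</exception>
public static EnforcementResult ValidateDecisionResultDetailed(XacmlJsonResult result, ClaimsPrincipal user)
{
    if (result == null)
    {
        throw new ArgumentNullException(nameof(result));
    }

    if (user == null)
    {
        throw new ArgumentNullException(nameof(user));
    }

    // Only an explicit Permit is accepted; Deny, NotApplicable, Indeterminate and a null decision all fail.
    if (!string.Equals(result.Decision, XacmlContextDecision.Permit.ToString(), StringComparison.Ordinal))
    {
        return new EnforcementResult() { Authorized = false };
    }

    if (result.Obligations == null)
    {
        return Permit();
    }

    XacmlJsonAttributeAssignment minLevelObligation = GetObligation(PolicyObligationMinAuthnLevel, result.Obligations);
    if (minLevelObligation == null)
    {
        return Permit();
    }

    string requiredLevel = minLevelObligation.Value;

    // A user without a numeric authentication-level claim, or a policy whose level is not numeric,
    // is denied rather than left to a NullReferenceException / FormatException: fail closed.
    Claim levelClaim = user.Claims.FirstOrDefault(c => string.Equals(c.Type, "urn:altinn:authlevel", StringComparison.Ordinal));
    if (levelClaim == null
        || !TryParseLevel(levelClaim.Value, out int userLevel)
        || !TryParseLevel(requiredLevel, out int requiredLevelValue))
    {
        return DenyForLevel(requiredLevel);
    }

    if (userLevel >= requiredLevelValue)
    {
        return Permit();
    }

    // Organisation users may be granted a lower minimum level by a separate obligation.
    bool isOrganisation = user.Claims.Any(c => string.Equals(c.Type, "urn:altinn:org", StringComparison.Ordinal));
    if (isOrganisation)
    {
        XacmlJsonAttributeAssignment orgLevelObligation = GetObligation(PolicyObligationMinAuthnLevelOrg, result.Obligations);
        if (orgLevelObligation != null)
        {
            if (TryParseLevel(orgLevelObligation.Value, out int orgLevel) && userLevel >= orgLevel)
            {
                return Permit();
            }

            // Report the organisation-specific level, since that is the one the user actually failed.
            requiredLevel = orgLevelObligation.Value;
        }
    }

    return DenyForLevel(requiredLevel);

    EnforcementResult Permit() => new EnforcementResult() { Authorized = true };

    EnforcementResult DenyForLevel(string level) => new EnforcementResult()
    {
        Authorized = false,
        FailedObligations = new Dictionary<string, string>()
        {
            { AltinnObligations.RequiredAuthenticationLevel, level },
        },
    };

    // Same accepted syntax as Convert.ToInt32(string), but without the exception.
    bool TryParseLevel(string value, out int level) =>
        int.TryParse(
            value,
            System.Globalization.NumberStyles.Integer,
            System.Globalization.CultureInfo.InvariantCulture,
            out level);
}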
/// <summary>
/// Asserts that two PDP results agree on decision, status code, obligations and category.
/// </summary>
/// <param name="expected">The expected result.</param>
/// <param name="actual">The result produced by the code under test.</param>
private static void AssertEqual(XacmlJsonResult expected, XacmlJsonResult actual)
{
    Assert.Equal(expected.Decision, actual.Decision);

    string expectedStatusCode = expected.Status.StatusCode.Value;
    string actualStatusCode = actual.Status.StatusCode.Value;
    Assert.Equal(expectedStatusCode, actualStatusCode);

    // Obligations and categories are compared by the sibling overloads.
    AssertEqual(expected.Obligations, actual.Obligations);
    AssertEqual(expected.Category, actual.Category);
}
/// <summary>
/// A Permit that carries a minimum-authentication-level obligation of 3 must be rejected for a
/// user below that level, and the failed obligation must report the required level.
/// </summary>
public void ValidatePdpDecision_TC08()
{
    // Arrange
    string minAuthLevel = "3";

    XacmlJsonObligationOrAdvice obligation = new XacmlJsonObligationOrAdvice
    {
        AttributeAssignment = new List<XacmlJsonAttributeAssignment>
        {
            new XacmlJsonAttributeAssignment
            {
                Category = "urn:altinn:minimum-authenticationlevel",
                Value = minAuthLevel,
            },
        },
    };

    XacmlJsonResult permitResult = new XacmlJsonResult
    {
        Decision = XacmlContextDecision.Permit.ToString(),
        Obligations = new List<XacmlJsonObligationOrAdvice> { obligation },
    };

    XacmlJsonResponse response = new XacmlJsonResponse
    {
        Response = new List<XacmlJsonResult> { permitResult },
    };

    // Act
    EnforcementResult result = DecisionHelper.ValidatePdpDecisionDetailed(response.Response, CreateUserClaims(false));

    // Assert
    Assert.False(result.Authorized);
    Assert.Contains(AltinnObligations.RequiredAuthenticationLevel, result.FailedObligations.Keys);
    Assert.Equal(minAuthLevel, result.FailedObligations[AltinnObligations.RequiredAuthenticationLevel]);
}
/// <summary>
/// A Permit carrying a minimum-authentication-level obligation of 2 is accepted for the default test user.
/// </summary>
public void ValidateResponse_TC02()
{
    // Arrange
    XacmlJsonAttributeAssignment levelAttribute = new XacmlJsonAttributeAssignment
    {
        Category = "urn:altinn:minimum-authenticationlevel",
        Value = "2",
    };

    XacmlJsonObligationOrAdvice obligation = new XacmlJsonObligationOrAdvice
    {
        AttributeAssignment = new List<XacmlJsonAttributeAssignment> { levelAttribute },
    };

    XacmlJsonResult permitResult = new XacmlJsonResult
    {
        Decision = XacmlContextDecision.Permit.ToString(),
        Obligations = new List<XacmlJsonObligationOrAdvice> { obligation },
    };

    XacmlJsonResponse response = new XacmlJsonResponse
    {
        Response = new List<XacmlJsonResult> { permitResult },
    };

    // Act
    bool result = DecisionHelper.ValidateResponse(response.Response, CreateUserClaims(false));

    // Assert
    Assert.True(result);
}
/// <summary>
/// Builds a PDP response holding a single result with the given decision.
/// </summary>
/// <param name="decision">The decision string to place on the result (e.g. "Permit" or "Deny").</param>
/// <returns>A response whose only result carries <paramref name="decision"/>.</returns>
private XacmlJsonResponse CreateResponse(string decision)
{
    // The decision is whatever the caller asked for, not necessarily Permit.
    XacmlJsonResult singleResult = new XacmlJsonResult { Decision = decision };

    return new XacmlJsonResponse
    {
        Response = new List<XacmlJsonResult> { singleResult },
    };
}
/// <summary>
/// An organisation user below the general minimum level (4) but at or above the
/// organisation-specific minimum level (2) is authorized, with no failed obligations.
/// The organisation obligation is deliberately listed before the general one.
/// </summary>
public void ValidatePdpDecision_TC10()
{
    // Arrange
    string minAuthLevel = "4";
    string minAuthLevelOrg = "2";

    XacmlJsonObligationOrAdvice generalObligation = new XacmlJsonObligationOrAdvice
    {
        AttributeAssignment = new List<XacmlJsonAttributeAssignment>
        {
            new XacmlJsonAttributeAssignment
            {
                Category = "urn:altinn:minimum-authenticationlevel",
                Value = minAuthLevel,
            },
        },
    };

    XacmlJsonObligationOrAdvice organisationObligation = new XacmlJsonObligationOrAdvice
    {
        AttributeAssignment = new List<XacmlJsonAttributeAssignment>
        {
            new XacmlJsonAttributeAssignment
            {
                Category = "urn:altinn:minimum-authenticationlevel-org",
                Value = minAuthLevelOrg,
            },
        },
    };

    XacmlJsonResult permitResult = new XacmlJsonResult
    {
        Decision = XacmlContextDecision.Permit.ToString(),
        Obligations = new List<XacmlJsonObligationOrAdvice> { organisationObligation, generalObligation },
    };

    XacmlJsonResponse response = new XacmlJsonResponse
    {
        Response = new List<XacmlJsonResult> { permitResult },
    };

    // Act
    EnforcementResult result = DecisionHelper.ValidatePdpDecisionDetailed(response.Response, CreateUserClaims(false, "ttd"));

    // Assert
    Assert.True(result.Authorized);
    Assert.Null(result.FailedObligations);
}
/// <summary>
/// A plain Permit with no obligations is accepted.
/// </summary>
public void ValidateResponse_TC01()
{
    // Arrange
    XacmlJsonResult permitResult = new XacmlJsonResult
    {
        Decision = XacmlContextDecision.Permit.ToString(),
    };

    XacmlJsonResponse response = new XacmlJsonResponse
    {
        Response = new List<XacmlJsonResult> { permitResult },
    };

    // Act
    bool result = DecisionHelper.ValidateResponse(response.Response, CreateUserClaims(false));

    // Assert
    Assert.True(result);
}
/// <summary>
/// Replaces the obligations of the response's first result with a single obligation that
/// requires the given minimum authentication level.
/// </summary>
/// <param name="response">The response to modify; its first result is changed in place.</param>
/// <param name="minAuthLv">The minimum authentication level to require.</param>
/// <returns>The same <paramref name="response"/> instance, for chaining.</returns>
private XacmlJsonResponse AddObligationWithMinAuthLv(XacmlJsonResponse response, string minAuthLv)
{
    XacmlJsonResult firstResult = response.Response[0];

    XacmlJsonAttributeAssignment levelAttribute = new XacmlJsonAttributeAssignment
    {
        Category = "urn:altinn:minimum-authenticationlevel",
        Value = minAuthLv,
    };

    XacmlJsonObligationOrAdvice obligation = new XacmlJsonObligationOrAdvice
    {
        AttributeAssignment = new List<XacmlJsonAttributeAssignment> { levelAttribute },
    };

    // Any previously attached obligations are discarded.
    firstResult.Obligations = new List<XacmlJsonObligationOrAdvice> { obligation };

    return response;
}
/// <summary>
/// Converts a Xacml XML response to a JSON object response.
/// </summary>
/// <param name="xacmlContextResponse">The context response.</param>
/// <returns>The json response, with one JSON result per context result (decision, status code and obligations).</returns>
public static XacmlJsonResponse ConvertResponse(XacmlContextResponse xacmlContextResponse)
{
    XacmlJsonResponse converted = new XacmlJsonResponse
    {
        Response = new List<XacmlJsonResult>(),
    };

    foreach (XacmlContextResult contextResult in xacmlContextResponse.Results)
    {
        converted.Response.Add(ToJsonResult(contextResult));
    }

    return converted;

    // Maps one XML result onto its JSON counterpart.
    XacmlJsonResult ToJsonResult(XacmlContextResult source)
    {
        // The status code is a Uri on the XML side and a string on the JSON side.
        XacmlJsonStatusCode statusCode = new XacmlJsonStatusCode
        {
            Value = source.Status.StatusCode.Value.OriginalString,
        };

        return new XacmlJsonResult
        {
            Decision = source.Decision.ToString(),
            Status = new XacmlJsonStatus { StatusCode = statusCode },
            Obligations = ConvertObligations(source.Obligations),
        };
    }
}
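/// <summary>
/// Test double for the PDP: derives the decision from marker values found among the request's
/// resource attributes, and attaches a minimum-authentication-level obligation for the
/// "auth-level-2" / "auth-level-3" markers.
/// </summary>
/// <param name="xacmlJsonRequest">The decision request.</param>
/// <returns>A completed task holding the canned response (Deny when no marker matches).</returns>
public Task<XacmlJsonResponse> GetDecisionForRequest(XacmlJsonRequestRoot xacmlJsonRequest)
{
    List<XacmlJsonCategory> resources = xacmlJsonRequest.Request.Resource;

    // Every branch yields exactly one result; the multiple-results case appends a second, empty one.
    XacmlJsonResult result = new XacmlJsonResult();
    XacmlJsonResponse response = new XacmlJsonResponse
    {
        Response = new List<XacmlJsonResult> { result },
    };

    if (HasResourceAttributeValue("endring-av-navn"))
    {
        result.Decision = XacmlContextDecision.Permit.ToString();
    }
    else if (HasResourceAttributeValue("multiple-results"))
    {
        result.Decision = XacmlContextDecision.Permit.ToString();
        response.Response.Add(new XacmlJsonResult());
    }
    else if (HasResourceAttributeValue("auth-level-2"))
    {
        result.Decision = XacmlContextDecision.Permit.ToString();
        result.Obligations = MinAuthLevelObligations("2");
    }
    else if (HasResourceAttributeValue("auth-level-3"))
    {
        result.Decision = XacmlContextDecision.Permit.ToString();
        result.Obligations = MinAuthLevelObligations("3");
    }
    else
    {
        result.Decision = XacmlContextDecision.Deny.ToString();
    }

    return Task.FromResult(response);

    // True when any resource category carries an attribute with the given value. The previous
    // Select(...).FirstOrDefault() inspected only the first category's (possibly null) match,
    // so a marker placed on a later category was ignored.
    bool HasResourceAttributeValue(string value) =>
        resources.Any(r => r.Attribute != null
            && r.Attribute.Exists(a => string.Equals(a.Value, value, StringComparison.Ordinal)));

    // Single obligation carrying the minimum-authentication-level attribute.
    List<XacmlJsonObligationOrAdvice> MinAuthLevelObligations(string level) =>
        new List<XacmlJsonObligationOrAdvice>
        {
            new XacmlJsonObligationOrAdvice
            {
                AttributeAssignment = new List<XacmlJsonAttributeAssignment>
                {
                    new XacmlJsonAttributeAssignment
                    {
                        Category = "urn:altinn:minimum-authenticationlevel",
                        Value = level,
                    },
                },
            },
        };
}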