public void ParseXACMLPolicy_IIIA030Policy()
{
XmlDocument policyDocument = new XmlDocument();
policyDocument.Load(Path.Combine(GetConformanceTestPath(), "IIIA030Policy.xml"));
XacmlPolicy result;
using (XmlReader reader = XmlReader.Create(new StringReader(policyDocument.OuterXml)))
{
result = XacmlParser.ParseXacmlPolicy(reader);
}
Assert.NotNull(result);
Assert.Equal(2, result.Rules.Count);
XacmlRule firstRule = result.Rules.Where(r => r.RuleId.Equals("urn:oasis:names:tc:xacml:2.0:conformance-test:IIIA030:rule1")).FirstOrDefault();
Assert.NotNull(firstRule);
Assert.Equal(XacmlEffectType.Deny, firstRule.Effect);
Assert.Equal("A subject whose name is J. Hibbert may not\n read Bart Simpson's medical record. NOTAPPLICABLE", firstRule.Description.Trim());
Assert.NotNull(firstRule.Target);
Assert.Equal(1, firstRule.Target.AnyOf.Count);
XacmlRule secondRule = result.Rules.Where(r => r.RuleId.Equals("urn:oasis:names:tc:xacml:2.0:conformance-test:IIIA030:rule2")).FirstOrDefault();
Assert.NotNull(secondRule);
Assert.Equal(XacmlEffectType.Permit, secondRule.Effect);
Assert.Equal("A subject who is at least 5 years older than Bart\n Simpson may read Bart Simpson's medical record. PERMIT.", secondRule.Description.Trim());
Assert.Null(secondRule.Target);
}
public void ParseXACMLPolicy_Rule1()
{
XmlDocument policyDocument = new XmlDocument();
policyDocument.Load(Path.Combine(GetSpecExamplesTestPath(), "Rule1.xml"));
XacmlPolicy result;
using (XmlReader reader = XmlReader.Create(new StringReader(policyDocument.OuterXml)))
{
result = XacmlParser.ParseXacmlPolicy(reader);
}
Assert.NotNull(result);
Assert.Null(result.Description);
Assert.Equal(1, result.Rules.Count);
XacmlRule firstRule = result.Rules.Where(r => r.RuleId.Equals("urn:oasis:names:tc:xacml:3.0:example:ruleid:1")).FirstOrDefault();
Assert.NotNull(firstRule);
Assert.Equal(XacmlEffectType.Permit, firstRule.Effect);
Assert.Equal("A person may read any medical record in the\n http://www.med.example.com/schemas/record.xsd namespace\n for which he or she is the designated patient", firstRule.Description.Trim());
Assert.NotNull(firstRule.Target);
Assert.Equal(2, firstRule.Target.AnyOf.Count);
}
public void ParseXACMLPolicy_IIA001Policy()
{
XmlDocument policyDocument = new XmlDocument();
policyDocument.Load(Path.Combine(GetConformanceTestPath(), "IIA001Policy.xml"));
XacmlPolicy result;
using (XmlReader reader = XmlReader.Create(new StringReader(policyDocument.OuterXml)))
{
result = XacmlParser.ParseXacmlPolicy(reader);
}
Assert.NotNull(result);
Assert.Equal("Policy for Conformance Test IIA001.", result.Description.Trim());
Assert.Equal(1, result.Rules.Count);
XacmlRule firstRule = result.Rules.Where(r => r.RuleId.Equals("urn:oasis:names:tc:xacml:2.0:conformance-test:IIA1:rule")).FirstOrDefault();
Assert.NotNull(firstRule);
Assert.Equal(XacmlEffectType.Permit, firstRule.Effect);
Assert.Equal("Julius Hibbert can read or write Bart Simpson's medical record.", firstRule.Description.Trim());
Assert.NotNull(firstRule.Target);
Assert.Equal(3, firstRule.Target.AnyOf.Count);
}
private static List <ResourceAction> GetActionsFromRule(XacmlRule rule, List <RoleGrant> roles)
{
List <ResourceAction> actions = new List <ResourceAction>();
foreach (XacmlAnyOf anyOf in rule.Target.AnyOf)
{
foreach (XacmlAllOf allOf in anyOf.AllOf)
{
AttributeMatch actionAttributeMatch = new AttributeMatch();
foreach (XacmlMatch xacmlMatch in allOf.Matches)
{
if (xacmlMatch.AttributeDesignator.Category.Equals(XacmlConstants.MatchAttributeCategory.Action))
{
actionAttributeMatch.Id = xacmlMatch.AttributeDesignator.AttributeId.OriginalString;
actionAttributeMatch.Value = xacmlMatch.AttributeValue.Value;
ResourceAction resourceAction = new ResourceAction
{
Match = actionAttributeMatch,
RoleGrants = new List <RoleGrant>(),
Title = xacmlMatch.AttributeValue.Value
};
resourceAction.RoleGrants.AddRange(roles);
if (!actions.Contains(resourceAction))
{
actions.Add(resourceAction);
}
}
}
}
}
return(actions);
}
/// <summary>
/// protected virtual void WriteRule
/// </summary>
/// <param name="writer">XmlWriter writer</param>
/// <param name="data">XacmlRule data</param>
protected virtual void WriteRule(XmlWriter writer, XacmlRule data)
{
if (writer == null)
{
throw new ArgumentNullException(nameof(writer));
}
if (data == null)
{
throw new ArgumentNullException(nameof(data));
}
writer.WriteStartElement(XacmlConstants.Prefixes.Policy, XacmlConstants.ElementNames.Rule, this.Version.NamespacePolicy);
writer.WriteAttributeString(XacmlConstants.AttributeNames.RuleId, data.RuleId);
writer.WriteAttributeString(XacmlConstants.AttributeNames.Effect, data.Effect.ToString());
if (data.Description != null)
{
writer.WriteElementString(XacmlConstants.Prefixes.Policy, XacmlConstants.ElementNames.Description, this.Version.NamespacePolicy, data.Description);
}
if (data.Target != null)
{
this.WriteTarget(writer, data.Target);
}
if (data.Condition != null)
{
this.WriteCondition(writer, data.Condition);
}
writer.WriteEndElement();
}
private static void AssertRuleEqual(XacmlRule expected, XacmlRule actual)
{
Assert.NotNull(actual);
Assert.NotNull(expected);
Assert.Equal(expected.RuleId, actual.RuleId);
AssertTargetEqual(expected.Target, actual.Target);
AssertCollections(expected.Obligations, actual.Obligations, AssertObligationExpressionEqual);
}
/// <summary>
/// Builds a XacmlRule <see cref="XacmlRule"/> representation based on the Rule input
/// </summary>
/// <param name="org">Unique identifier of the organisation responsible for the app.</param>
/// <param name="app">Application identifier which is unique within an organisation.</param>
/// <param name="offeredByPartyId">The party id of the entity offering the delegated the policy</param>
/// <param name="coveredByPartyId">The party of the entity having received the delegated policy, if the receiving entity is an organization</param>
/// <param name="coveredByUserId">The user id of the entity having received the delegated policy, if the receiving entity is a user</param>
/// <param name="rule">The rule to be delegated</param>
public static XacmlRule BuildDelegationRule(string org, string app, int offeredByPartyId, int?coveredByPartyId, int?coveredByUserId, Rule rule)
{
rule.RuleId = Guid.NewGuid().ToString();
string coveredBy = coveredByPartyId.HasValue ? coveredByPartyId.Value.ToString() : coveredByUserId.Value.ToString();
XacmlRule delegationRule = new XacmlRule(rule.RuleId, XacmlEffectType.Permit)
{
Description = $"Delegation of a right/action from {offeredByPartyId} to {coveredBy}, for a resource on the app; {org}/{app}, by user; {rule.DelegatedByUserId}",
Target = BuildDelegationRuleTarget(coveredByPartyId, coveredByUserId, rule)
};
return(delegationRule);
}
public void WritePolicy_11()
{
var subject = new XacmlSubject(
new XacmlSubjectMatch[]
{
new XacmlSubjectMatch(
new Uri("http://www.MatchId.www"),
new XacmlAttributeValue(new Uri("http://www.DataType.www")),
new XacmlSubjectAttributeDesignator(new Uri("http://www.AttributeId.www"), new Uri("http://www.DataType.www"))
{
Issuer = "String", MustBePresent = false, Category = new Uri("http://www.subjectCategory.www")
})
});
var target = new XacmlTarget(subject, null, null);
XacmlPolicySet xacmlPolicySet = new XacmlPolicySet(new Uri("http://www.PolicySetId.www"), new Uri("http://www.PolicyCombiningAlgId.www"), target);
xacmlPolicySet.Description = "description string";
xacmlPolicySet.XPathVersion = Xacml10Constants.XPathVersions.Xpath10;
XacmlPolicy xacmlPolicy = new XacmlPolicy(new Uri("http://www.PolicyId.www"), new Uri("http://www.RuleCombiningAlgId.www"), new XacmlTarget())
{
Description = "description string",
XPathVersion = Xacml10Constants.XPathVersions.Xpath10,
};
XacmlRule xacmlRule = new XacmlRule("http://www.RuleId.www", XacmlEffectType.Permit)
{
Description = "xacmlRule description"
};
xacmlPolicy.Rules.Add(xacmlRule);
XacmlAttributeAssignment xacmlAttributeAssignment = new XacmlAttributeAssignment(new Uri("http://www.AttributeId.www"), new Uri("http://www.DataType.www"));
XacmlObligation xacmlObligation = new XacmlObligation(new Uri("http://www.ObligationId.www"), XacmlEffectType.Permit, new XacmlAttributeAssignment[] { xacmlAttributeAssignment });
xacmlPolicy.Obligations.Add(xacmlObligation);
xacmlPolicySet.Policies.Add(xacmlPolicy);
StringBuilder builder = new StringBuilder();
using (XmlWriter writer = XmlWriter.Create(builder)) {
var serializer = new Xacml10ProtocolSerializer();
serializer.WritePolicySet(writer, xacmlPolicySet);
}
string xml = builder.ToString();
ValidateMessage(xml, Path.Combine(TestCasePath, "cs-xacml-schema-context-01.xsd"));
}
/// <summary>
/// Creates a Rule representation based on a search and a xacmlRule found in a XacmlPolicyFile based on the search
/// </summary>
/// <param name="search">The search used to find the correct rule</param>
/// <param name="xacmlRule">XacmlRule found by the search param to enrich the result with Action and Resource</param>
/// <returns>The created Rule</returns>
public static Rule CreateRuleFromPolicyAndRuleMatch(RequestToDelete search, XacmlRule xacmlRule)
{
Rule rule = new Rule
{
RuleId = xacmlRule.RuleId,
CreatedSuccessfully = true,
DelegatedByUserId = search.DeletedByUserId,
OfferedByPartyId = search.PolicyMatch.OfferedByPartyId,
CoveredBy = search.PolicyMatch.CoveredBy,
Resource = GetResourceFromXcamlRule(xacmlRule),
Action = GetActionValueFromRule(xacmlRule)
};
return(rule);
}
private static List <AttributeMatch> GetResourceFromXcamlRule(XacmlRule rule)
{
List <AttributeMatch> result = new List <AttributeMatch>();
foreach (XacmlAnyOf anyOf in rule.Target.AnyOf)
{
foreach (XacmlAllOf allOf in anyOf.AllOf)
{
foreach (XacmlMatch xacmlMatch in allOf.Matches.Where(m => m.AttributeDesignator.Category.Equals(XacmlConstants.MatchAttributeCategory.Resource)))
{
result.Add(new AttributeMatch {
Id = xacmlMatch.AttributeDesignator.AttributeId.OriginalString, Value = xacmlMatch.AttributeValue.Value
});
}
}
}
return(result);
}
private static AttributeMatch GetActionValueFromRule(XacmlRule rule)
{
foreach (XacmlAnyOf anyOf in rule.Target.AnyOf)
{
foreach (XacmlAllOf allOf in anyOf.AllOf)
{
XacmlMatch action = allOf.Matches.FirstOrDefault(m => m.AttributeDesignator.Category.Equals(XacmlConstants.MatchAttributeCategory.Action));
if (action != null)
{
return(new AttributeMatch {
Id = action.AttributeDesignator.AttributeId.OriginalString, Value = action.AttributeValue.Value
});
}
}
}
return(null);
}
private static List <RoleGrant> GetRolesFromRule(XacmlRule rule)
{
List <RoleGrant> roles = new List <RoleGrant>();
foreach (XacmlAnyOf anyOf in rule.Target.AnyOf)
{
foreach (XacmlAllOf allOf in anyOf.AllOf)
{
foreach (XacmlMatch xacmlMatch in allOf.Matches)
{
if (xacmlMatch.AttributeDesignator.Category.Equals(XacmlConstants.MatchAttributeCategory.Subject) && xacmlMatch.AttributeDesignator.AttributeId.Equals(XacmlRequestAttribute.RoleAttribute))
{
roles.Add(new RoleGrant {
RoleTypeCode = xacmlMatch.AttributeValue.Value, IsDelegable = true
});
}
}
}
}
return(roles);
}
private static void WriteRule(XmlWriter writer, XacmlRule xacmlRule)
{
Guard.ArgumentNotNull(writer, nameof(writer));
Guard.ArgumentNotNull(xacmlRule, nameof(xacmlRule));
writer.WriteStartElement(XacmlConstants.Prefixes.Xacml, XacmlConstants.ElementNames.Rule, Xacml30Constants.NameSpaces.Policy);
writer.WriteAttributeString(XacmlConstants.AttributeNames.RuleId, xacmlRule.RuleId);
writer.WriteAttributeString(XacmlConstants.AttributeNames.Effect, xacmlRule.Effect.ToString());
if (xacmlRule.Description != null)
{
WriteDescription(writer, xacmlRule.Description);
}
if (xacmlRule.Target != null)
{
WriteTarget(writer, xacmlRule.Target);
}
if (xacmlRule.Condition != null)
{
throw new NotImplementedException($"XacmlSerializer: Serialization of type {xacmlRule.Condition.GetType().Name} currently not supported");
}
if (xacmlRule.Obligations != null && xacmlRule.Obligations.Count > 0)
{
WriteObligationExpressions(writer, xacmlRule.Obligations);
}
if (xacmlRule.Advices != null && xacmlRule.Advices.Count > 0)
{
WriteAdviceExpressions(writer, xacmlRule.Advices);
}
writer.WriteEndElement();
}
/// <summary>
/// Reads the policy.
/// </summary>
/// <param name="reader">The reader.</param>
/// <returns></returns>
/// <exception cref="System.InvalidOperationException"></exception>
/// <exception cref="System.Xml.XmlException">
/// PolicyId IsNullOrEmpty
/// or
/// RuleCombiningAlgId IsNullOrEmpty
/// </exception>
public virtual XacmlPolicy ReadPolicy(XmlReader reader)
{
if (reader == null)
{
throw new ArgumentNullException(nameof(reader));
}
IDictionary <string, string> nsMgr = new Dictionary <string, string>();
for (int i = 0; i < reader.AttributeCount; i++)
{
reader.MoveToAttribute(i);
if (reader.Prefix == "xmlns")
{
nsMgr.Add(reader.LocalName, reader.Value);
}
}
if (!this.CanRead(reader, XacmlConstants.ElementNames.Policy))
{
throw ThrowHelperXml(reader, "XML message is not valid.");
}
var gaPolicyId = reader.GetAttribute("PolicyId");
if (string.IsNullOrEmpty(gaPolicyId))
{
throw ThrowHelperXml(reader, "PolicyId IsNullOrEmpty");
}
var gaRuleCombiningAlgId = reader.GetAttribute("RuleCombiningAlgId");
if (string.IsNullOrEmpty(gaRuleCombiningAlgId))
{
throw ThrowHelperXml(reader, "RuleCombiningAlgId IsNullOrEmpty");
}
reader.ReadStartElement(XacmlConstants.ElementNames.Policy, this.Version.NamespacePolicy);
string description = null;
if (reader.IsStartElement(XacmlConstants.ElementNames.Description, this.Version.NamespacePolicy))
{
description = reader.ReadElementContentAsString(XacmlConstants.ElementNames.Description, this.Version.NamespacePolicy);
}
// PolicySetDefault
string xpathVersion = null;
if (reader.IsStartElement(XacmlConstants.ElementNames.PolicyDefaults, this.Version.NamespacePolicy))
{
reader.ReadStartElement(XacmlConstants.ElementNames.PolicyDefaults, this.Version.NamespacePolicy);
if (!reader.IsStartElement(XacmlConstants.ElementNames.XPathVersion, this.Version.NamespacePolicy))
{
throw ThrowHelperXml(reader, "XPathVerison NotStartElement");
}
xpathVersion = reader.ReadElementContentAsString(XacmlConstants.ElementNames.XPathVersion, this.Version.NamespacePolicy);
reader.ReadEndElement();
}
XacmlTarget target = null;
if (reader.IsStartElement(XacmlConstants.ElementNames.Target, this.Version.NamespacePolicy))
{
target = ReadTarget(reader);
}
XacmlPolicy policy = new XacmlPolicy(new Uri(gaPolicyId, UriKind.RelativeOrAbsolute), new Uri(gaRuleCombiningAlgId, UriKind.RelativeOrAbsolute), target)
{
Description = description,
XPathVersion = xpathVersion != null ? new Uri(xpathVersion) : null,
};
policy.Namespaces = nsMgr;
XacmlRule rule = null;
while (reader.IsStartElement(XacmlConstants.ElementNames.Rule, this.Version.NamespacePolicy))
{
rule = ReadRule(reader);
policy.Rules.Add(rule);
}
if (reader.IsStartElement(XacmlConstants.ElementNames.Obligations, this.Version.NamespacePolicy))
{
reader.ReadStartElement(XacmlConstants.ElementNames.Obligations, this.Version.NamespacePolicy);
this.ReadList(policy.Obligations, XacmlConstants.ElementNames.Obligation, this.Version.NamespacePolicy, ReadObligation, reader, isRequired: true);
// end obligations
reader.ReadEndElement();
}
// end policy
reader.ReadEndElement();
return(policy);
}
public void WritePolicy_20()
{
var subject = new XacmlSubject(
new XacmlSubjectMatch[]
{
new XacmlSubjectMatch(
new Uri("http://www.MatchId.www"),
new XacmlAttributeValue(new Uri("http://www.DataType.www")),
new XacmlSubjectAttributeDesignator(new Uri("http://www.AttributeId.www"), new Uri("http://www.DataType.www"))
{
Issuer = "String", MustBePresent = false, Category = new Uri("http://www.subjectCategory.www")
}
)
});
var resource = new XacmlResource(
new XacmlResourceMatch[]
{
new XacmlResourceMatch(
new Uri("http://www.MatchId.www"),
new XacmlAttributeValue(new Uri("http://www.DataType.www") /*, "xxxx" */),
new XacmlResourceAttributeDesignator(new Uri("http://www.AttributeId.www"), new Uri("http://www.DataType.www"))
{
Issuer = "String", MustBePresent = false
}
)
});
var action = new XacmlAction(
new XacmlActionMatch[]
{
new XacmlActionMatch(
new Uri("http://www.MatchId.www"),
new XacmlAttributeValue(new Uri("http://www.DataType.www")),
new XacmlActionAttributeDesignator(new Uri("http://www.AttributeId.www"), new Uri("http://www.DataType.www"))
{
Issuer = "String", MustBePresent = false
}
)
});
var target = new XacmlTarget(subject, resource, action, null);
// new Uri("http://www.PolicySetId.www")
XacmlPolicySet xacmlPolicySet = new XacmlPolicySet(new Uri("http://www.PolicyCombiningAlgId.www"), target)
{
Description = "description string",
XPathVersion = Xacml10Constants.XPathVersions.Xpath10,
};
////#region Policy
XacmlEnvironment env = new XacmlEnvironment(
new XacmlEnvironmentMatch[]
{
new XacmlEnvironmentMatch(
new Uri("http://www.EnvironmentMatchIdId.www"),
new XacmlAttributeValue(new Uri("http://www.AttributValue.www")),
new XacmlEnvironmentAttributeDesignator(new Uri("http://www.AttributeId.www"), new Uri("http://www.DataType.www"))
{
Issuer = "String", MustBePresent = false
}
)
});
XacmlTarget targetWithEnvironment = new XacmlTarget(null, null, null, new XacmlEnvironment[] { env });
XacmlPolicy xacmlPolicy = new XacmlPolicy(new Uri("http://www.PolicyId.www"), new Uri("http://www.RuleCombiningAlgId.www"), targetWithEnvironment)
{
Description = "description string",
XPathVersion = Xacml10Constants.XPathVersions.Xpath10,
};
XacmlRule xacmlRule = new XacmlRule("http://www.RuleId.www", XacmlEffectType.Permit)
{
Description = "xacmlRule description"
};
xacmlPolicy.Rules.Add(xacmlRule);
XacmlAttributeAssignment xacmlAttributeAssignment = new XacmlAttributeAssignment(new Uri("http://www.AttributeId.www"), new Uri("http://www.DataType.www"));
XacmlObligation xacmlObligation = new XacmlObligation(new Uri("http://www.ObligationId.www"), XacmlEffectType.Permit, new XacmlAttributeAssignment[] { xacmlAttributeAssignment });
xacmlPolicy.Obligations.Add(xacmlObligation);
xacmlPolicySet.Policies.Add(xacmlPolicy);
StringBuilder builder = new StringBuilder();
using (XmlWriter writer = XmlWriter.Create(builder)) {
var serializer = new Xacml20ProtocolSerializer();
serializer.WritePolicySet(writer, xacmlPolicySet);
}
string xml = builder.ToString();
ValidateMessage(xml, Path.Combine(TestCasePath, "access_control-xacml-2.0-policy-schema-os.xsd"));
}
private static List <string> GetResourcePoliciesFromRule(Dictionary <string, ResourcePolicy> resourcePolicies, XacmlRule rule)
{
List <string> policyKeys = new List <string>();
foreach (XacmlAnyOf anyOf in rule.Target.AnyOf)
{
foreach (XacmlAllOf allOf in anyOf.AllOf)
{
StringBuilder bld = new StringBuilder();
string resourceKey = string.Empty;
List <AttributeMatch> resourceMatches = new List <AttributeMatch>();
foreach (XacmlMatch xacmlMatch in allOf.Matches)
{
if (xacmlMatch.AttributeDesignator.Category.Equals(XacmlConstants.MatchAttributeCategory.Resource))
{
bld.Append(xacmlMatch.AttributeDesignator.AttributeId);
bld.Append(xacmlMatch.AttributeValue.Value);
resourceKey = bld.ToString();
resourceMatches.Add(new AttributeMatch {
Id = xacmlMatch.AttributeDesignator.AttributeId.OriginalString, Value = xacmlMatch.AttributeValue.Value
});
}
}
CreateUniqueResourcePolicy(resourceKey, policyKeys, resourcePolicies, resourceMatches);
}
}
return(policyKeys);
}
private async Task <List <Rule> > ProcessPolicyFile(string policyPath, string org, string app, RequestToDelete deleteRequest)
{
List <Rule> currentRules = new List <Rule>();
string leaseId = await _policyRepository.TryAcquireBlobLease(policyPath);
if (leaseId == null)
{
_logger.LogError("Could not acquire blob lease lock on delegation policy at path: {policyPath}", policyPath);
return(null);
}
try
{
bool isAllRulesDeleted = false;
string coveredBy = DelegationHelper.GetCoveredByFromMatch(deleteRequest.PolicyMatch.CoveredBy, out int?coveredByUserId, out int?coveredByPartyId);
string offeredBy = deleteRequest.PolicyMatch.OfferedByPartyId.ToString();
DelegationChange currentChange = await _delegationRepository.GetCurrentDelegationChange($"{org}/{app}", deleteRequest.PolicyMatch.OfferedByPartyId, coveredByPartyId, coveredByUserId);
XacmlPolicy existingDelegationPolicy = null;
if (currentChange.DelegationChangeType == DelegationChangeType.RevokeLast)
{
_logger.LogWarning("The policy is already deleted for App: {org}/{app} CoveredBy: {coveredBy} OfferedBy: {offeredBy}", org, app, coveredBy, offeredBy);
return(null);
}
existingDelegationPolicy = await _prp.GetPolicyVersionAsync(currentChange.BlobStoragePolicyPath, currentChange.BlobStorageVersionId);
foreach (string ruleId in deleteRequest.RuleIds)
{
XacmlRule xacmlRuleToRemove = existingDelegationPolicy.Rules.FirstOrDefault(r => r.RuleId == ruleId);
if (xacmlRuleToRemove == null)
{
_logger.LogWarning("The rule with id: {ruleId} does not exist in policy with path: {policyPath}", ruleId, policyPath);
continue;
}
existingDelegationPolicy.Rules.Remove(xacmlRuleToRemove);
Rule currentRule = PolicyHelper.CreateRuleFromPolicyAndRuleMatch(deleteRequest, xacmlRuleToRemove);
currentRules.Add(currentRule);
}
isAllRulesDeleted = existingDelegationPolicy.Rules.Count == 0;
// if nothing is deleted no update has been done and policy and postgree update can be skipped
if (currentRules.Count > 0)
{
Response <BlobContentInfo> response;
try
{
// Write delegation policy to blob storage
MemoryStream dataStream = PolicyHelper.GetXmlMemoryStreamFromXacmlPolicy(existingDelegationPolicy);
response = await _policyRepository.WritePolicyConditionallyAsync(policyPath, dataStream, leaseId);
}
catch (Exception ex)
{
_logger.LogError(ex, "Writing of delegation policy at path: {policyPath} failed. Is delegation blob storage account alive and well?", policyPath);
return(null);
}
// Write delegation change to postgresql
DelegationChange change = new DelegationChange
{
DelegationChangeType = isAllRulesDeleted ? DelegationChangeType.RevokeLast : DelegationChangeType.Revoke,
AltinnAppId = $"{org}/{app}",
OfferedByPartyId = deleteRequest.PolicyMatch.OfferedByPartyId,
CoveredByPartyId = coveredByPartyId,
CoveredByUserId = coveredByUserId,
PerformedByUserId = deleteRequest.DeletedByUserId,
BlobStoragePolicyPath = policyPath,
BlobStorageVersionId = response.Value.VersionId
};
change = await _delegationRepository.InsertDelegation(change);
if (change == null || change.DelegationChangeId <= 0)
{
// Comment:
// This means that the current version of the root blob is no longer in sync with changes in authorization postgresql delegation.delegatedpolicy table.
// The root blob is in effect orphaned/ignored as the delegation policies are always to be read by version, and will be overritten by the next delegation change.
_logger.LogError("Writing of delegation change to authorization postgresql database failed for changes to delegation policy at path: {policyPath}. is authorization postgresql database alive and well?", policyPath);
return(null);
}
try
{
await _eventQueue.Push(change);
}
catch (Exception ex)
{
_logger.LogCritical(new EventId(delegationChangeEventQueueErrorId, "DelegationChangeEventQueue.Push.Error"), ex, "DeleteRules could not push DelegationChangeEvent to DelegationChangeEventQueue. DelegationChangeEvent must be retried for successful sync with SBL Authorization. DelegationChange: {change}", change);
}
}
}
catch (Exception ex)
{
_logger.LogError(ex, "An exception occured while processing rules to delete in policy: {policyPath}", policyPath);
return(null);
}
finally
{
_policyRepository.ReleaseBlobLease(policyPath, leaseId);
}
return(currentRules);
}
