/// <summary>
/// Initializes a new instance of the <see cref="EvaluationEngine"/> class.
/// </summary>
/// <param name="policySet">The XACML policy set.</param>
public EvaluationEngine(XacmlPolicySet policySet) {
Contract.Requires<ArgumentNullException>(policySet != null);
this.types = DataTypeProcessor.Instance;
this.functions = FunctionsProcessor.Instance;
this.algorithms = AlgorithmsProcessor.Instance;
this.policySet = policySet;
this.namespaces = policySet.Namespaces;
this.xpathVersion = policySet.XPathVersion;
}
/// <summary>
/// public void WritePolicySet
/// </summary>
/// <param name="writer">XmlWriter writer</param>
/// <param name="data">XacmlPolicySet data</param>
public virtual void WritePolicySet(XmlWriter writer, XacmlPolicySet data) {
Contract.Requires<ArgumentNullException>(writer != null);
Contract.Requires<ArgumentNullException>(data != null);
writer.WriteStartElement(XacmlConstants.Prefixes.Policy, XacmlConstants.ElementNames.PolicySet, this.version.NamespacePolicy);
writer.WriteAttributeString(XacmlConstants.AttributeNames.PolicySetId, data.PolicySetId.OriginalString);
writer.WriteAttributeString(XacmlConstants.AttributeNames.PolicyCombiningAlgId, data.PolicyCombiningAlgId.OriginalString);
if (data.Description != null) {
writer.WriteElementString(XacmlConstants.Prefixes.Policy, XacmlConstants.ElementNames.Description, this.version.NamespacePolicy, data.Description);
}
// PolicySetDefaults
if (data.XPathVersion != null) {
writer.WriteStartElement(XacmlConstants.Prefixes.Policy, XacmlConstants.ElementNames.PolicySetDefaults, this.version.NamespacePolicy);
writer.WriteElementString(XacmlConstants.Prefixes.Policy, XacmlConstants.ElementNames.XPathVersion, this.version.NamespacePolicy, data.XPathVersion.ToString());
writer.WriteEndElement();
}
// Target
this.WriteTarget(writer, data.Target);
// PolicySet
foreach (var policySet in data.PolicySets) {
this.WritePolicySet(writer, policySet);
}
// Policy
foreach (var policy in data.Policies) {
this.WritePolicy(writer, policy);
}
// PolicySetIdReference
foreach (var policySetIdReference in data.PolicySetIdReferences) {
writer.WriteElementString(XacmlConstants.Prefixes.Policy, XacmlConstants.ElementNames.PolicySetIdReference, this.version.NamespacePolicy, policySetIdReference.ToString());
}
// PolicyIdReference
foreach (var policyIdReference in data.PolicyIdReferences) {
writer.WriteElementString(XacmlConstants.Prefixes.Policy, XacmlConstants.ElementNames.PolicyIdReference, this.version.NamespacePolicy, policyIdReference.ToString());
}
// Obligations
if (data.Obligations.Count > 0) {
writer.WriteStartElement(XacmlConstants.Prefixes.Policy, XacmlConstants.ElementNames.Obligations, this.version.NamespacePolicy);
foreach (var obligation in data.Obligations) {
this.WriteObligation(writer, obligation);
}
writer.WriteEndElement();
}
writer.WriteEndElement();
}
public void WritePolicy_11() {
var subject = new XacmlSubject(
new XacmlSubjectMatch[]
{
new XacmlSubjectMatch(
new Uri("http://www.MatchId.www"),
new XacmlAttributeValue(new Uri("http://www.DataType.www")),
new XacmlSubjectAttributeDesignator(new Uri("http://www.AttributeId.www"), new Uri("http://www.DataType.www")) { Issuer = "String", MustBePresent = false, Category = new Uri("http://www.subjectCategory.www") })
});
var target = new XacmlTarget(subject, null, null);
XacmlPolicySet xacmlPolicySet = new XacmlPolicySet(new Uri("http://www.PolicySetId.www"), new Uri("http://www.PolicyCombiningAlgId.www"), target);
xacmlPolicySet.Description = "description string";
xacmlPolicySet.XPathVersion = Xacml10Constants.XPathVersions.Xpath10;
XacmlPolicy xacmlPolicy = new XacmlPolicy(new Uri("http://www.PolicyId.www"), new Uri("http://www.RuleCombiningAlgId.www"), new XacmlTarget()) {
Description = "description string",
XPathVersion = Xacml10Constants.XPathVersions.Xpath10,
};
XacmlRule xacmlRule = new XacmlRule("http://www.RuleId.www", XacmlEffectType.Permit) {
Description = "xacmlRule description"
};
xacmlPolicy.Rules.Add(xacmlRule);
XacmlAttributeAssignment xacmlAttributeAssignment = new XacmlAttributeAssignment(new Uri("http://www.AttributeId.www"), new Uri("http://www.DataType.www"));
XacmlObligation xacmlObligation = new XacmlObligation(new Uri("http://www.ObligationId.www"), XacmlEffectType.Permit, new XacmlAttributeAssignment[] { xacmlAttributeAssignment });
xacmlPolicy.Obligations.Add(xacmlObligation);
xacmlPolicySet.Policies.Add(xacmlPolicy);
StringBuilder builder = new StringBuilder();
using (XmlWriter writer = XmlWriter.Create(builder)) {
var serializer = new Xacml10ProtocolSerializer();
serializer.WritePolicySet(writer, xacmlPolicySet);
}
string xml = builder.ToString();
ValidateMessage(xml, @"..\..\_Data\cs-xacml-schema-policy-01.xsd");
}
public void WritePolicy_20() {
var subject = new XacmlSubject(
new XacmlSubjectMatch[]
{
new XacmlSubjectMatch(
new Uri("http://www.MatchId.www"),
new XacmlAttributeValue(new Uri("http://www.DataType.www")),
new XacmlSubjectAttributeDesignator(new Uri("http://www.AttributeId.www"), new Uri("http://www.DataType.www")) { Issuer = "String", MustBePresent = false, Category = new Uri("http://www.subjectCategory.www")}
)
});
var resource = new XacmlResource(
new XacmlResourceMatch[]
{
new XacmlResourceMatch(
new Uri("http://www.MatchId.www"),
new XacmlAttributeValue(new Uri("http://www.DataType.www") /*, "xxxx" */),
new XacmlResourceAttributeDesignator(new Uri("http://www.AttributeId.www"), new Uri("http://www.DataType.www")) { Issuer = "String", MustBePresent = false}
)
});
var action = new XacmlAction(
new XacmlActionMatch[]
{
new XacmlActionMatch(
new Uri("http://www.MatchId.www"),
new XacmlAttributeValue(new Uri("http://www.DataType.www")),
new XacmlActionAttributeDesignator(new Uri("http://www.AttributeId.www"), new Uri("http://www.DataType.www")){ Issuer = "String", MustBePresent = false}
)
});
var target = new XacmlTarget(subject, resource, action, null);
// new Uri("http://www.PolicySetId.www")
XacmlPolicySet xacmlPolicySet = new XacmlPolicySet(new Uri("http://www.PolicyCombiningAlgId.www"), target) {
Description = "description string",
XPathVersion = Xacml10Constants.XPathVersions.Xpath10,
};
////#region Policy
XacmlEnvironment env = new XacmlEnvironment(
new XacmlEnvironmentMatch[]
{
new XacmlEnvironmentMatch(
new Uri("http://www.EnvironmentMatchIdId.www"),
new XacmlAttributeValue(new Uri("http://www.AttributValue.www")),
new XacmlEnvironmentAttributeDesignator(new Uri("http://www.AttributeId.www"), new Uri("http://www.DataType.www")){ Issuer = "String", MustBePresent = false}
)
});
XacmlTarget targetWithEnvironment = new XacmlTarget(null, null, null, new XacmlEnvironment[] { env });
XacmlPolicy xacmlPolicy = new XacmlPolicy(new Uri("http://www.PolicyId.www"), new Uri("http://www.RuleCombiningAlgId.www"), targetWithEnvironment) {
Description = "description string",
XPathVersion = Xacml10Constants.XPathVersions.Xpath10,
};
XacmlRule xacmlRule = new XacmlRule("http://www.RuleId.www", XacmlEffectType.Permit) {
Description = "xacmlRule description"
};
xacmlPolicy.Rules.Add(xacmlRule);
XacmlAttributeAssignment xacmlAttributeAssignment = new XacmlAttributeAssignment(new Uri("http://www.AttributeId.www"), new Uri("http://www.DataType.www"));
XacmlObligation xacmlObligation = new XacmlObligation(new Uri("http://www.ObligationId.www"), XacmlEffectType.Permit, new XacmlAttributeAssignment[] { xacmlAttributeAssignment });
xacmlPolicy.Obligations.Add(xacmlObligation);
xacmlPolicySet.Policies.Add(xacmlPolicy);
StringBuilder builder = new StringBuilder();
using (XmlWriter writer = XmlWriter.Create(builder)) {
var serializer = new Xacml20ProtocolSerializer();
serializer.WritePolicySet(writer, xacmlPolicySet);
}
string xml = builder.ToString();
ValidateMessage(xml, @"..\..\_Data\access_control-xacml-2.0-policy-schema-os.xsd");
}
/// <summary>
/// Writes the policy set.
/// </summary>
/// <param name="writer">The writer.</param>
/// <param name="data">The data.</param>
public override void WritePolicySet(XmlWriter writer, XacmlPolicySet data) {
writer.WriteStartElement(XacmlConstants.Prefixes.Policy, XacmlConstants.ElementNames.PolicySet, this.version.NamespacePolicy);
writer.WriteAttributeString(XacmlConstants.AttributeNames.PolicySetId, data.PolicySetId.OriginalString);
writer.WriteAttributeString(XacmlConstants.AttributeNames.PolicyCombiningAlgId, data.PolicyCombiningAlgId.OriginalString);
if (!string.IsNullOrEmpty(data.Version)) {
writer.WriteAttributeString(XacmlConstants.AttributeNames.Version, data.Version);
}
if (data.MaxDelegationDepth.HasValue) {
writer.WriteAttributeString(XacmlConstants.AttributeNames.MaxDelegationDepth, data.MaxDelegationDepth.Value.ToString());
}
if (data.Description != null) {
writer.WriteElementString(XacmlConstants.Prefixes.Policy, XacmlConstants.ElementNames.Description, this.version.NamespacePolicy, data.Description);
}
if (data.PolicyIssuer != null) {
this.WritePolicyIssuer(writer, data.PolicyIssuer);
}
// PolicySetDefaults
if (data.XPathVersion != null) {
writer.WriteStartElement(XacmlConstants.Prefixes.Policy, XacmlConstants.ElementNames.PolicySetDefaults, this.version.NamespacePolicy);
writer.WriteElementString(XacmlConstants.Prefixes.Policy, XacmlConstants.ElementNames.XPathVersion, this.version.NamespacePolicy, data.XPathVersion.ToString());
writer.WriteEndElement();
}
// Target
this.WriteTarget(writer, data.Target);
// PolicySet
foreach (var policySet in data.PolicySets) {
this.WritePolicySet(writer, policySet);
}
// Policy
foreach (var policy in data.Policies) {
this.WritePolicy(writer, policy);
}
// PolicySetIdReference
foreach (var policySetIdReference in data.PolicySetIdReferences_3_0) {
this.WritePolicySetIdReference(writer, policySetIdReference);
}
// PolicyIdReference
foreach (var policyIdReference in data.PolicyIdReferences_3_0) {
this.WritePolicyIdReference(writer, policyIdReference);
}
if (data.CombinerParameters.Count > 0) {
writer.WriteStartElement(XacmlConstants.Prefixes.Policy, XacmlConstants.ElementNames.CombinerParameters, this.version.NamespacePolicy);
foreach (var combinerParameter in data.CombinerParameters) {
this.WriteCombinerParameter(writer, combinerParameter);
}
writer.WriteEndElement();
}
foreach (var policyCombinedParameters in data.PolicyCombinerParameters) {
writer.WriteStartElement(XacmlConstants.Prefixes.Policy, XacmlConstants.ElementNames.PolicyCombinerParameters, this.version.NamespacePolicy);
writer.WriteAttributeString(XacmlConstants.AttributeNames.PolicyIdRef, policyCombinedParameters.PolicyIdRef.OriginalString);
foreach (var combinedParameter in policyCombinedParameters.CombinerParameters) {
this.WriteCombinerParameter(writer, combinedParameter);
}
writer.WriteEndElement();
}
foreach (var policySetCombinedParameters in data.PolicySetCombinerParameters) {
writer.WriteStartElement(XacmlConstants.Prefixes.Policy, XacmlConstants.ElementNames.PolicySetCombinerParameters, this.version.NamespacePolicy);
writer.WriteAttributeString(XacmlConstants.AttributeNames.PolicySetIdRef, policySetCombinedParameters.PolicySetIdRef.OriginalString);
foreach (var combinedParameter in policySetCombinedParameters.CombinerParameters) {
this.WriteCombinerParameter(writer, combinedParameter);
}
writer.WriteEndElement();
}
if (data.Obligations_3_0.Count > 0) {
writer.WriteStartElement(XacmlConstants.Prefixes.Policy, XacmlConstants.ElementNames.ObligationExpressions, this.version.NamespacePolicy);
foreach (XacmlObligationExpression ex in data.Obligations_3_0) {
this.WriteObligationExpression(writer, ex);
}
writer.WriteEndElement();
}
if (data.Advices.Count > 0) {
writer.WriteStartElement(XacmlConstants.Prefixes.Policy, XacmlConstants.ElementNames.AdviceExpressions, this.version.NamespacePolicy);
foreach (XacmlAdviceExpression ex in data.Advices) {
this.WriteAdviceExpression(writer, ex);
}
writer.WriteEndElement();
}
writer.WriteEndElement();
}
/// <summary>
/// Reads the policy set.
/// </summary>
/// <param name="reader">The reader.</param>
/// <returns></returns>
/// <exception cref="System.InvalidOperationException"></exception>
public override XacmlPolicySet ReadPolicySet(XmlReader reader) {
Contract.Requires<ArgumentNullException>(reader != null, "reader");
IDictionary<string, string> nsMgr = new Dictionary<string, string>();
for (int i = 0; i < reader.AttributeCount; i++) {
reader.MoveToAttribute(i);
if (reader.Prefix == "xmlns") {
nsMgr.Add(reader.LocalName, reader.Value);
}
}
if (!this.CanRead(reader, XacmlConstants.ElementNames.PolicySet)) {
throw Diagnostic.DiagnosticTools.ExceptionUtil.ThrowHelperError(new InvalidOperationException());
}
Uri gaPolicySetId = this.ReadAttribute<Uri>(reader, XacmlConstants.AttributeNames.PolicySetId);
Uri gaPolicyCombiningAlgId = this.ReadAttribute<Uri>(reader, XacmlConstants.AttributeNames.PolicyCombiningAlgId);
string version = this.ReadAttribute<string>(reader, XacmlConstants.AttributeNames.Version, isRequered: false);
int? maxDelegationDepth = this.ReadAttribute<int?>(reader, XacmlConstants.AttributeNames.MaxDelegationDepth, this.version.NamespacePolicy, isRequered: false);
reader.ReadStartElement(XacmlConstants.ElementNames.PolicySet, this.version.NamespacePolicy);
string description = null;
if (reader.IsStartElement(XacmlConstants.ElementNames.Description, this.version.NamespacePolicy)) {
description = reader.ReadElementContentAsString(XacmlConstants.ElementNames.Description, this.version.NamespacePolicy);
}
XacmlPolicyIssuer issuer = this.ReadOptional<XacmlPolicyIssuer>(XacmlConstants.ElementNames.PolicyIssuer, this.version.NamespacePolicy, this.ReadPolicyIssuer, reader);
// PolicySetDefault
string xpathVersion = null;
if (reader.IsStartElement(XacmlConstants.ElementNames.PolicySetDefaults, this.version.NamespacePolicy)) {
reader.ReadStartElement(XacmlConstants.ElementNames.PolicySetDefaults, this.version.NamespacePolicy);
if (!reader.IsStartElement(XacmlConstants.ElementNames.XPathVersion, this.version.NamespacePolicy)) {
throw Diagnostic.DiagnosticTools.ExceptionUtil.ThrowHelperError(new XmlException("XPathVerison NotStartElement"));
}
xpathVersion = reader.ReadElementContentAsString(XacmlConstants.ElementNames.XPathVersion, this.version.NamespacePolicy);
reader.ReadEndElement();
}
XacmlTarget target = null;
if (reader.IsStartElement(XacmlConstants.ElementNames.Target, this.version.NamespacePolicy)) {
target = ReadTarget(reader);
}
XacmlPolicySet policySet = new XacmlPolicySet(gaPolicySetId, gaPolicyCombiningAlgId, target) {
Description = description,
XPathVersion = xpathVersion != null ? new Uri(xpathVersion) : null,
MaxDelegationDepth = maxDelegationDepth,
PolicyIssuer = issuer,
Namespaces = nsMgr,
Version = version
};
IDictionary<Tuple<string, string>, Action> dicts = new Dictionary<Tuple<string, string>, Action>()
{
{ new Tuple<string, string>(XacmlConstants.ElementNames.PolicySet, this.version.NamespacePolicy), () => policySet.PolicySets.Add(this.ReadPolicySet(reader)) },
{ new Tuple<string, string>(XacmlConstants.ElementNames.Policy, this.version.NamespacePolicy), () => policySet.Policies.Add(this.ReadPolicy(reader)) },
{ new Tuple<string, string>(XacmlConstants.ElementNames.PolicySetIdReference, this.version.NamespacePolicy), () => policySet.PolicySetIdReferences_3_0.Add(this.ReadPolicySetIdReference_3_0(reader)) },
{ new Tuple<string, string>(XacmlConstants.ElementNames.PolicyIdReference, this.version.NamespacePolicy), () => policySet.PolicyIdReferences_3_0.Add(this.ReadPolicyIdReference_3_0(reader)) },
{ new Tuple<string, string>(XacmlConstants.ElementNames.CombinerParameters, this.version.NamespacePolicy), () => {
reader.ReadStartElement(XacmlConstants.ElementNames.CombinerParameters, this.version.NamespacePolicy);
this.ReadList(policySet.CombinerParameters, XacmlConstants.ElementNames.CombinerParameter, this.version.NamespacePolicy, this.ReadCombinerParameter, reader, isRequired: false);
reader.ReadEndElement();
}},
{ new Tuple<string, string>(XacmlConstants.ElementNames.PolicyCombinerParameters, this.version.NamespacePolicy), () => policySet.PolicyCombinerParameters.Add(this.ReadPolicyCombinerParameters(reader))},
{ new Tuple<string, string>(XacmlConstants.ElementNames.PolicySetCombinerParameters, this.version.NamespacePolicy), () => policySet.PolicySetCombinerParameters.Add(this.ReadPolicySetCombinerParameters(reader))},
};
this.ReadChoiceMultiply(reader, dicts);
if (reader.IsStartElement(XacmlConstants.ElementNames.ObligationExpressions, this.version.NamespacePolicy)) {
reader.ReadStartElement(XacmlConstants.ElementNames.ObligationExpressions, this.version.NamespacePolicy);
this.ReadList(policySet.Obligations_3_0, XacmlConstants.ElementNames.ObligationExpression, this.version.NamespacePolicy, this.ReadObligationExpression, reader, isRequired: true);
reader.ReadEndElement();
}
if (reader.IsStartElement(XacmlConstants.ElementNames.AdviceExpressions, this.version.NamespacePolicy)) {
reader.ReadStartElement(XacmlConstants.ElementNames.AdviceExpressions, this.version.NamespacePolicy);
this.ReadList(policySet.Advices, XacmlConstants.ElementNames.AdviceExpression, this.version.NamespacePolicy, this.ReadAdviceExpression, reader, isRequired: true);
reader.ReadEndElement();
}
return policySet;
}
/// <summary>
/// Apstrāda PolicySet objektu
/// </summary>
/// <param name="policySet">Izveidotājs PolicySet objekts</param>
/// <returns></returns>
public virtual XacmlDecisionResult PolicySetEvaluate(XacmlPolicySet policySet) {
Contract.Requires<ArgumentNullException>(policySet != null);
///// <Target> <Policy> <Policy Set>
///// "Match" At least one rule value is its Decision Specified by the policy combining algorithm
///// "Match" All rule values are “NotApplicable” “NotApplicable”
///// “Match” At least one rule value is “Indeterminate” Specified by the policy combining algorithm
///// “No-match” Don’t care “NotApplicable”
///// “Indeterminate” Don’t care “Indeterminate”
// Target
XacmlMatchResult targetResult;
targetResult = this.TargetEvaluate(policySet.Target);
if (targetResult == XacmlMatchResult.Indeterminate) {
return XacmlDecisionResult.Indeterminate;
}
if (targetResult == XacmlMatchResult.NoMatch) {
return XacmlDecisionResult.NotApplicable;
}
// Policy
List<Tuple<IEnumerable<XacmlCombinerParameter>, IDictionary<string, Func<object>>>> policyResultsFunctions = new List<Tuple<IEnumerable<XacmlCombinerParameter>, IDictionary<string, Func<object>>>>();
bool atLeastOnePolicy = policySet.Policies.Any()
|| policySet.PolicySets.Any()
|| policySet.PolicyIdReferences.Any()
|| policySet.PolicySetIdReferences.Any();
// Policies
foreach (XacmlPolicy pol in policySet.Policies) {
policyResultsFunctions.Add(new Tuple<IEnumerable<XacmlCombinerParameter>, IDictionary<string, Func<object>>>(
policySet.PolicyCombinerParameters.Where(o => string.Equals(o.PolicyIdRef.OriginalString, pol.PolicyId.OriginalString)).SelectMany(o => o.CombinerParameters),
new Dictionary<string, Func<object>>()
{
{
"evaluate",
() => new Tuple<XacmlDecisionResult, string>(this.PolicyEvaluate(pol), string.Empty)
},
{
"isApplicable",
() =>
{
XacmlMatchResult policyTargetResult = this.TargetEvaluate(pol.Target);
if(policyTargetResult == XacmlMatchResult.Indeterminate)
{
return null;
}
if (policyTargetResult == XacmlMatchResult.Match)
{
return true;
}
return false;
}
}
}));
}
// PolicySets
foreach (XacmlPolicySet pol in policySet.PolicySets) {
policyResultsFunctions.Add(new Tuple<IEnumerable<XacmlCombinerParameter>, IDictionary<string, Func<object>>>(
policySet.PolicySetCombinerParameters.Where(o => string.Equals(o.PolicySetIdRef.OriginalString, pol.PolicySetId.OriginalString)).SelectMany(o => o.CombinerParameters),
new Dictionary<string, Func<object>>()
{
{
"evaluate",
() => new Tuple<XacmlDecisionResult, string>(this.PolicySetEvaluate(pol), string.Empty)
},
{
"isApplicable",
() =>
{
XacmlMatchResult policyTargetResult = this.TargetEvaluate(pol.Target);
if(policyTargetResult == XacmlMatchResult.Indeterminate) {
return null;
}
if (policyTargetResult == XacmlMatchResult.Match) {
return true;
}
return false;
}
}
}));
}
// Policy References
foreach (Uri polRef in policySet.PolicyIdReferences) {
XacmlPolicy pol = this.ch.RequestPolicy(polRef);
if (pol == null) {
throw Diagnostic.DiagnosticTools.ExceptionUtil.ThrowHelperError(new XacmlIndeterminateException("Unknown Policy reference: " + polRef.ToString()));
}
policyResultsFunctions.Add(new Tuple<IEnumerable<XacmlCombinerParameter>, IDictionary<string, Func<object>>>(
policySet.PolicyCombinerParameters.Where(o => string.Equals(o.PolicyIdRef.OriginalString, pol.PolicyId.OriginalString)).SelectMany(o => o.CombinerParameters),
new Dictionary<string, Func<object>>()
{
{
"evaluate",
() => new Tuple<XacmlDecisionResult, string>(this.PolicyEvaluate(pol), string.Empty)
},
{
"isApplicable",
() =>
{
XacmlMatchResult policyTargetResult = this.TargetEvaluate(pol.Target);
if(policyTargetResult == XacmlMatchResult.Indeterminate) {
return null;
}
if (policyTargetResult == XacmlMatchResult.Match) {
return true;
}
return false;
}
}
}));
}
// PolicySet References
foreach (Uri polRef in policySet.PolicySetIdReferences) {
XacmlPolicySet pol = this.ch.RequestPolicySet(polRef);
if (pol == null) {
throw Diagnostic.DiagnosticTools.ExceptionUtil.ThrowHelperError(new XacmlIndeterminateException("Unknown PolicySet reference: " + polRef.ToString()));
}
policyResultsFunctions.Add(new Tuple<IEnumerable<XacmlCombinerParameter>, IDictionary<string, Func<object>>>(
policySet.PolicySetCombinerParameters.Where(o => string.Equals(o.PolicySetIdRef.OriginalString, pol.PolicySetId.OriginalString)).SelectMany(o => o.CombinerParameters),
new Dictionary<string, Func<object>>()
{
{
"evaluate",
() => new Tuple<XacmlDecisionResult, string>(this.PolicySetEvaluate(pol), string.Empty)
},
{
"isApplicable",
() =>
{
XacmlMatchResult policyTargetResult = this.TargetEvaluate(pol.Target);
if(policyTargetResult == XacmlMatchResult.Indeterminate)
{
return null;
}
if (policyTargetResult == XacmlMatchResult.Match)
{
return true;
}
return false;
}
}
}));
}
if (!atLeastOnePolicy) {
return XacmlDecisionResult.NotApplicable;
}
XacmlDecisionResult algResult = this.algorithms[policySet.PolicyCombiningAlgId.ToString()].Invoke(policyResultsFunctions,
policySet.CombinerParameters);
if (algResult == XacmlDecisionResult.Permit) {
this.obligations[XacmlEffectType.Permit].AddRange(policySet.Obligations.Where(o => o.FulfillOn == XacmlEffectType.Permit));
}
if (algResult == XacmlDecisionResult.Deny) {
this.obligations[XacmlEffectType.Deny].AddRange(policySet.Obligations.Where(o => o.FulfillOn == XacmlEffectType.Deny));
}
return algResult;
}
public void IID030_30() {
XmlDocument request = new XmlDocument();
XmlDocument response = new XmlDocument();
XmlDocument policy1 = new XmlDocument();
XmlDocument policy2 = new XmlDocument();
request.Load(Path.Combine(Xacml30TestsCases.TestCasePath, "IID030Request.xml"));
response.Load(Path.Combine(Xacml30TestsCases.TestCasePath, "IID030Response.xml"));
policy1.Load(Path.Combine(Xacml30TestsCases.TestCasePath, "IID030Policy1.xml"));
policy2.Load(Path.Combine(Xacml30TestsCases.TestCasePath, "IID030Policy2.xml"));
var serialize = new Xacml30ProtocolSerializer();
XacmlContextRequest requestData;
XacmlContextResponse responseData;
XacmlPolicy policy1Data;
XacmlPolicy policy2Data;
using (XmlReader reader = XmlReader.Create(new StringReader(request.OuterXml))) {
requestData = serialize.ReadContextRequest(reader);
}
using (XmlReader reader = XmlReader.Create(new StringReader(response.OuterXml))) {
responseData = serialize.ReadContextResponse(reader);
}
using (XmlReader reader = XmlReader.Create(new StringReader(policy1.OuterXml))) {
policy1Data = serialize.ReadPolicy(reader);
}
using (XmlReader reader = XmlReader.Create(new StringReader(policy2.OuterXml))) {
policy2Data = serialize.ReadPolicy(reader);
}
var policySet = new XacmlPolicySet(Xacml10Constants.PolicyCombiningAlgorithms.OnlyOneApplicable, new XacmlTarget()); // TODO: PolicyCombiningAlgorithms
policySet.Policies.Add(policy1Data);
policySet.Policies.Add(policy2Data);
EvaluationEngine engine = new EvaluationEngine(policySet);
XacmlContextResponse evaluatedResponse = engine.Evaluate(requestData, request);
XacmlResponseAssert(responseData, evaluatedResponse);
}
/// <summary>
/// Reads the policy set.
/// </summary>
/// <param name="reader">The reader.</param>
/// <returns></returns>
/// <exception cref="System.InvalidOperationException"></exception>
public virtual XacmlPolicySet ReadPolicySet(XmlReader reader) {
Contract.Requires<ArgumentNullException>(reader != null, "reader");
if (!this.CanRead(reader, XacmlConstants.ElementNames.PolicySet)) {
throw Diagnostic.DiagnosticTools.ExceptionUtil.ThrowHelperError(new InvalidOperationException());
}
// Collect namespaces
IDictionary<string, string> nsMgr = new Dictionary<string, string>();
for (int i = 0; i < reader.AttributeCount; i++) {
reader.MoveToAttribute(i);
if (reader.Prefix == "xmlns") {
nsMgr.Add(reader.LocalName, reader.Value);
}
}
Uri gaPolicySetId = this.ReadAttribute<Uri>(reader, XacmlConstants.AttributeNames.PolicySetId);
Uri gaPolicyCombiningAlgId = this.ReadAttribute<Uri>(reader, XacmlConstants.AttributeNames.PolicyCombiningAlgId);
reader.ReadStartElement(XacmlConstants.ElementNames.PolicySet, this.version.NamespacePolicy);
string description = null;
if (reader.IsStartElement(XacmlConstants.ElementNames.Description, this.version.NamespacePolicy)) {
description = reader.ReadElementContentAsString(XacmlConstants.ElementNames.Description, this.version.NamespacePolicy);
}
// PolicySetDefault
string xpathVersion = null;
if (reader.IsStartElement(XacmlConstants.ElementNames.PolicySetDefaults, this.version.NamespacePolicy)) {
reader.ReadStartElement(XacmlConstants.ElementNames.PolicySetDefaults, this.version.NamespacePolicy);
if (!reader.IsStartElement(XacmlConstants.ElementNames.XPathVersion, this.version.NamespacePolicy)) {
throw Diagnostic.DiagnosticTools.ExceptionUtil.ThrowHelperError(new XmlException("XPathVerison NotStartElement"));
}
xpathVersion = reader.ReadElementContentAsString(XacmlConstants.ElementNames.XPathVersion, this.version.NamespacePolicy);
reader.ReadEndElement();
}
XacmlTarget target = null;
if (reader.IsStartElement(XacmlConstants.ElementNames.Target, this.version.NamespacePolicy)) {
target = ReadTarget(reader);
}
XacmlPolicySet policySet = new XacmlPolicySet(gaPolicySetId, gaPolicyCombiningAlgId, target) {
Description = description,
XPathVersion = xpathVersion != null ? new Uri(xpathVersion) : null
};
policySet.Namespaces = nsMgr;
IDictionary<Tuple<string, string>, Action> dicts = new Dictionary<Tuple<string, string>, Action>()
{
{ new Tuple<string, string>(XacmlConstants.ElementNames.PolicySet, this.version.NamespacePolicy), () => policySet.PolicySets.Add(this.ReadPolicySet(reader)) },
{ new Tuple<string, string>(XacmlConstants.ElementNames.Policy, this.version.NamespacePolicy), () => policySet.Policies.Add(this.ReadPolicy(reader)) },
{ new Tuple<string, string>(XacmlConstants.ElementNames.PolicySetIdReference, this.version.NamespacePolicy), () => policySet.PolicySetIdReferences.Add(this.ReadPolicySetIdReference(reader)) },
{ new Tuple<string, string>(XacmlConstants.ElementNames.PolicyIdReference, this.version.NamespacePolicy), () => policySet.PolicyIdReferences.Add(this.ReadPolicyIdReference(reader)) },
};
this.ReadChoiceMultiply(reader, dicts);
if (reader.IsStartElement(XacmlConstants.ElementNames.Obligations, this.version.NamespacePolicy)) {
reader.ReadStartElement(XacmlConstants.ElementNames.Obligations, this.version.NamespacePolicy);
this.ReadList(policySet.Obligations, XacmlConstants.ElementNames.Obligation, this.version.NamespacePolicy, ReadObligation, reader);
// end obligations
reader.ReadEndElement();
}
return policySet;
}
public EvaluationEngine30(XacmlPolicySet policySet)
: base(policySet) {
}
public override XacmlDecisionResult PolicySetEvaluate(XacmlPolicySet policySet) {
///// <Target> <Policy> <Policy Set>
///// "Match" Don’t care Specified by the rulecombining algorithm
///// “No-match” Don’t care “NotApplicable”
///// “Indeterminate” See Table 7 See Table 7
XacmlDecisionResult algResult = XacmlDecisionResult.Indeterminate;
// Wrap for Obligations and Advice, read more on AttributeAssignmentsWrapper class description
using (AttributeAssignmentsWrapper<XacmlObligation> obligationWrapper = new AttributeAssignmentsWrapper<XacmlObligation>(() => this.obligations, o => this.obligations = o, () => algResult)) {
using (AttributeAssignmentsWrapper<XacmlAdvice> adviceWrapper = new AttributeAssignmentsWrapper<XacmlAdvice>(() => this.advices, o => this.advices = o, () => algResult)) {
using (AttributeAssignmentsWrapper<XacmlContextPolicyIdReference> policyRefWrapper = new AttributeAssignmentsWrapper<XacmlContextPolicyIdReference>(() => this.applicablePolicies, o => this.applicablePolicies = o, () => algResult)) {
using (AttributeAssignmentsWrapper<XacmlContextPolicySetIdReference> policySetRefWrapper = new AttributeAssignmentsWrapper<XacmlContextPolicySetIdReference>(() => this.applicablePolicySets, o => this.applicablePolicySets = o, () => algResult)) {
// Target
XacmlMatchResult targetResult;
targetResult = this.TargetEvaluate(policySet.Target);
if (targetResult == XacmlMatchResult.NoMatch) {
return XacmlDecisionResult.NotApplicable;
}
// Policy
List<Tuple<IEnumerable<XacmlCombinerParameter>, IDictionary<string, Func<object>>>> policyResultsFunctions = new List<Tuple<IEnumerable<XacmlCombinerParameter>, IDictionary<string, Func<object>>>>();
bool atLeastOnePolicy = policySet.Policies.Any()
|| policySet.PolicySets.Any()
|| policySet.PolicyIdReferences_3_0.Any()
|| policySet.PolicySetIdReferences_3_0.Any();
// Policies
foreach (XacmlPolicy pol in policySet.Policies) {
policyResultsFunctions.Add(new Tuple<IEnumerable<XacmlCombinerParameter>, IDictionary<string, Func<object>>>(
policySet.PolicyCombinerParameters.Where(o => string.Equals(o.PolicyIdRef.OriginalString, pol.PolicyId.OriginalString)).SelectMany(o => o.CombinerParameters),
new Dictionary<string, Func<object>>()
{
{
"evaluate",
() => new Tuple<XacmlDecisionResult, string>(this.PolicyEvaluate(pol), string.Empty)
},
{
"isApplicable",
() =>
{
XacmlMatchResult policyTargetResult = this.TargetEvaluate(pol.Target);
if(policyTargetResult == XacmlMatchResult.Indeterminate)
{
return null;
}
if (policyTargetResult == XacmlMatchResult.Match)
{
return true;
}
return false;
}
}
}));
}
// PolicySets
foreach (XacmlPolicySet pol in policySet.PolicySets) {
policyResultsFunctions.Add(new Tuple<IEnumerable<XacmlCombinerParameter>, IDictionary<string, Func<object>>>(
policySet.PolicySetCombinerParameters.Where(o => string.Equals(o.PolicySetIdRef.OriginalString, pol.PolicySetId.OriginalString)).SelectMany(o => o.CombinerParameters),
new Dictionary<string, Func<object>>()
{
{
"evaluate",
() => new Tuple<XacmlDecisionResult, string>(this.PolicySetEvaluate(pol), string.Empty)
},
{
"isApplicable",
() =>
{
XacmlMatchResult policyTargetResult = this.TargetEvaluate(pol.Target);
if(policyTargetResult == XacmlMatchResult.Indeterminate)
{
return null;
}
if (policyTargetResult == XacmlMatchResult.Match)
{
return true;
}
return false;
}
}
}));
}
// Policy References
foreach (XacmlContextPolicyIdReference polRef in policySet.PolicyIdReferences_3_0) {
Uri uri;
if (Uri.TryCreate(polRef.Value, UriKind.RelativeOrAbsolute, out uri)) {
XacmlPolicy pol = this.ch.RequestPolicy(uri);
if (pol == null) {
throw new XacmlIndeterminateException("Unknown Policy reference: " + polRef.ToString());
}
policyResultsFunctions.Add(new Tuple<IEnumerable<XacmlCombinerParameter>, IDictionary<string, Func<object>>>(
policySet.PolicyCombinerParameters.Where(o => string.Equals(o.PolicyIdRef.OriginalString, pol.PolicyId.OriginalString)).SelectMany(o => o.CombinerParameters),
new Dictionary<string, Func<object>>()
{
{
"evaluate",
() => new Tuple<XacmlDecisionResult, string>(this.PolicyEvaluate(pol), string.Empty)
},
{
"isApplicable",
() =>
{
XacmlMatchResult policyTargetResult = this.TargetEvaluate(pol.Target);
if(policyTargetResult == XacmlMatchResult.Indeterminate)
{
return null;
}
if (policyTargetResult == XacmlMatchResult.Match)
{
return true;
}
return false;
}
}
}));
}
else {
throw Diagnostic.DiagnosticTools.ExceptionUtil.ThrowHelperFatal("Policy reference not URI - Not implemented", new NotImplementedException("Policy reference not URI - Not implemented"));
}
}
// PolicySet References
foreach (XacmlContextPolicySetIdReference polRef in policySet.PolicySetIdReferences_3_0) {
Uri uri;
if (Uri.TryCreate(polRef.Value, UriKind.RelativeOrAbsolute, out uri)) {
XacmlPolicySet pol = this.ch.RequestPolicySet(uri);
if (pol == null) {
throw Diagnostic.DiagnosticTools.ExceptionUtil.ThrowHelperError(new XacmlIndeterminateException("Unknown PolicySet reference: " + polRef.ToString()));
}
policyResultsFunctions.Add(new Tuple<IEnumerable<XacmlCombinerParameter>, IDictionary<string, Func<object>>>(
policySet.PolicySetCombinerParameters.Where(o => string.Equals(o.PolicySetIdRef.OriginalString, pol.PolicySetId.OriginalString)).SelectMany(o => o.CombinerParameters),
new Dictionary<string, Func<object>>()
{
{
"evaluate",
() => new Tuple<XacmlDecisionResult, string>(this.PolicySetEvaluate(pol), string.Empty)
},
{
"isApplicable",
() =>
{
XacmlMatchResult policyTargetResult = this.TargetEvaluate(pol.Target);
if(policyTargetResult == XacmlMatchResult.Indeterminate)
{
return null;
}
if (policyTargetResult == XacmlMatchResult.Match)
{
return true;
}
return false;
}
}
}));
}
else {
throw Diagnostic.DiagnosticTools.ExceptionUtil.ThrowHelperFatal("PolicySet reference not URI - Not implemented", new NotImplementedException("PolicySet reference not URI - Not implemented"));
}
}
algResult = this.algorithms[policySet.PolicyCombiningAlgId.ToString()].Invoke(policyResultsFunctions,
policySet.CombinerParameters);
if (targetResult == XacmlMatchResult.Indeterminate) {
algResult = this.SpecifyCombiningAlgorithmResult(algResult);
}
// Permit
if (algResult == XacmlDecisionResult.Permit) {
if (policySet.Obligations_3_0.Count > 0) {
IEnumerable<XacmlObligationExpression> obligationsWithPermit = policySet.Obligations_3_0.Where(o => o.FulfillOn == XacmlEffectType.Permit);
foreach (XacmlObligationExpression expression in obligationsWithPermit) {
List<XacmlAttributeAssignment> attributeAssigments = new List<XacmlAttributeAssignment>();
foreach (XacmlAttributeAssignmentExpression ex in expression.AttributeAssignmentExpressions) {
IEnumerable<XacmlAttributeAssignment> assignment = this.AttributeAssignmentExpressionEvaluate(ex);
// ja Indeterminate, tad rezultāts arī
if (assignment == null) {
return XacmlDecisionResult.Indeterminate;
}
attributeAssigments.AddRange(assignment);
}
XacmlObligation obligation = new XacmlObligation(expression.ObligationId, attributeAssigments);
this.obligations[expression.FulfillOn].Add(obligation);
}
}
if (policySet.Advices.Count > 0) {
IEnumerable<XacmlAdviceExpression> advicesWithPermit = policySet.Advices.Where(o => o.AppliesTo == XacmlEffectType.Permit);
foreach (XacmlAdviceExpression expression in advicesWithPermit) {
List<XacmlAttributeAssignment> attributeAssigments = new List<XacmlAttributeAssignment>();
foreach (XacmlAttributeAssignmentExpression ex in expression.AttributeAssignmentExpressions) {
IEnumerable<XacmlAttributeAssignment> assignment = this.AttributeAssignmentExpressionEvaluate(ex);
// ja Indeterminate, tad rezultāts arī
if (assignment == null) {
return XacmlDecisionResult.Indeterminate;
}
attributeAssigments.AddRange(assignment);
}
XacmlAdvice advice = new XacmlAdvice(expression.AdviceId, attributeAssigments);
this.advices[expression.AppliesTo].Add(advice);
}
}
this.applicablePolicySets[XacmlEffectType.Permit].Add(new XacmlContextPolicySetIdReference() {
Value = policySet.PolicySetId.OriginalString,
Version = new XacmlVersionMatchType(policySet.Version)
});
}
// Deny
if (algResult == XacmlDecisionResult.Deny) {
if (policySet.Obligations_3_0.Count > 0) {
IEnumerable<XacmlObligationExpression> obligationsWithPermit = policySet.Obligations_3_0.Where(o => o.FulfillOn == XacmlEffectType.Deny);
foreach (XacmlObligationExpression expression in obligationsWithPermit) {
List<XacmlAttributeAssignment> attributeAssigments = new List<XacmlAttributeAssignment>();
foreach (XacmlAttributeAssignmentExpression ex in expression.AttributeAssignmentExpressions) {
IEnumerable<XacmlAttributeAssignment> assignment = this.AttributeAssignmentExpressionEvaluate(ex);
// ja Indeterminate, tad rezultāts arī
if (assignment == null) {
return XacmlDecisionResult.Indeterminate;
}
attributeAssigments.AddRange(assignment);
}
XacmlObligation obligation = new XacmlObligation(expression.ObligationId, attributeAssigments);
this.obligations[expression.FulfillOn].Add(obligation);
}
}
if (policySet.Advices.Count > 0) {
IEnumerable<XacmlAdviceExpression> advicesWithPermit = policySet.Advices.Where(o => o.AppliesTo == XacmlEffectType.Deny);
foreach (XacmlAdviceExpression expression in advicesWithPermit) {
List<XacmlAttributeAssignment> attributeAssigments = new List<XacmlAttributeAssignment>();
foreach (XacmlAttributeAssignmentExpression ex in expression.AttributeAssignmentExpressions) {
IEnumerable<XacmlAttributeAssignment> assignment = this.AttributeAssignmentExpressionEvaluate(ex);
// ja Indeterminate, tad rezultāts arī
if (assignment == null) {
return XacmlDecisionResult.Indeterminate;
}
attributeAssigments.AddRange(assignment);
}
XacmlAdvice advice = new XacmlAdvice(expression.AdviceId, attributeAssigments);
this.advices[expression.AppliesTo].Add(advice);
}
}
this.applicablePolicySets[XacmlEffectType.Deny].Add(new XacmlContextPolicySetIdReference() {
Value = policySet.PolicySetId.OriginalString,
Version = new XacmlVersionMatchType(policySet.Version)
});
}
}
}
}
}
return algResult;
}
