public async Task <DelegationEvidence> GetDelegation(DelegationMask mask)
{
_logger.LogInformation("Get delegation for {policyIssuer} and {target}", mask?.DelegationRequest?.PolicyIssuer, mask?.DelegationRequest?.Target?.AccessSubject);
var jObjectMask = TransformToJObject(mask);
var accessToken = await GetAccessToken(new ClientAssertion(_partyDetailsOptions.ClientId,
_authorizationRegistryClientOptions.ClientId))
;
JObject response;
try
{
response = await _authorizationRegistryClientOptions.BaseUri
.AppendPathSegment("delegation")
.WithOAuthBearerToken(accessToken)
.PostJsonAsync(jObjectMask)
.ReceiveJson <JObject>()
;
return(GetDelegationEvidenceFromResponse(response));
}
catch (Exception ex)
{
_logger.LogInformation("Get delegation returns {delegationResponse}", ex.Message);
return(null);
}
}
private static JObject TransformToJObject(DelegationMask mask)
{
var serializedMask = JsonConvert.SerializeObject(mask, new JsonSerializerSettings
{
ContractResolver = new CamelCasePropertyNamesContractResolver(),
NullValueHandling = Newtonsoft.Json.NullValueHandling.Ignore
});
return(JsonConvert.DeserializeObject <JObject>(serializedMask));
}
public async Task <ActionResult <DelegationEvidence> > Translate([FromBody] DelegationMask delegation_mask)
{
var result = await TranslateDelegation(delegation_mask);
if (result.Value == null)
{
return(result.Result);
}
return(result.Value.DelegationEvidence);
}
public DelegationTranslationTestResponse Translate(DelegationMask delegationMask, string policy)
{
var delegationEvidence = JsonConvert.DeserializeObject <DelegationTranslationTestResponse>(policy);
var delegationResponse = PrepareResponse(delegationEvidence);
foreach (var maskPolicySet in delegationMask.DelegationRequest.PolicySets)
{
foreach (var evidencePolicySet in delegationEvidence.DelegationEvidence.PolicySets)
{
var responsePolicySet = GetResponsePolicySet(maskPolicySet, evidencePolicySet);
delegationResponse.DelegationEvidence.PolicySets.Add(responsePolicySet);
}
}
return(delegationResponse);
}
public ValidationResult Validate(DelegationMask delegationMask)
{
var policySets = delegationMask.DelegationRequest.PolicySets;
for (int i = 0; i < policySets.Count; i++)
{
var policies = policySets[i].Policies;
for (int j = 0; j < policies.Count; j++)
{
if (!policies[j].Rules.Any(r => r.Effect == PolicyRule.Permit().Effect))
{
return(ValidationResult.Invalid(
"delegationRequest.policySets[" + i + "].policies[" + j + "] does not contain a rule with the Effect 'Permit'"));
}
}
}
return(ValidationResult.Valid());
}
public async Task <IdentityResult> Validate(DelegationMask mask)
{
try
{
if (mask.PreviousSteps != null)
{
foreach (var step in mask.PreviousSteps)
{
var assertion = _assertionParser.Parse(step);
var result = await _assertionParser.ValidateAsync(assertion);
if (!result.Success || !_defaultJwtValidator.IsValid(step,
mask.DelegationRequest.Target.AccessSubject, // client id should be access subject
_context.HttpContext.User.GetRequestingClientId() // audience should be the requester id
))
{
return(IdentityResult.Failed(new IdentityError {
Code = "previous_steps_validation_error"
}));
}
if (mask.DelegationRequest.Target.AccessSubject != assertion.JwtToken.Issuer)
{
return(IdentityResult.Failed(new IdentityError {
Code = "invalid_delegation_assertion_pair"
}));
}
}
}
return(IdentityResult.Success);
}
catch (Exception ex)
{
_logger.LogWarning(ex, "Exception while authorizing previous steps");
return(IdentityResult.Failed(new IdentityError {
Code = "previous_steps_validation_error", Description = ex.Message
}));
}
}
public async Task <DelegationClientTranslationResponse> GetDelegation(DelegationMask mask)
{
var jObjectMask = TransformToJobject(mask);
var accessToken = await GetAccessToken(new ClientAssertion(_clientId, _clientId, $"{_authorizationRegistryBaseUrl}connect/token"))
.ConfigureAwait(false);
var response = await _authorizationRegistryBaseUrl
.AppendPathSegment("delegation")
.WithOAuthBearerToken(accessToken)
.PostJsonAsync(jObjectMask)
.ReceiveJson <JObject>()
.ConfigureAwait(false);
var delegationEvidence = GetDelegationEvidenceFromResponse(response);
if (!IsPermitRule(delegationEvidence))
{
return(DelegationClientTranslationResponse.Deny());
}
return(DelegationClientTranslationResponse.Permit(delegationEvidence));
}
public async Task <ActionResult <DelegationTranslationTestResponse> > TestDelegationTranslation([FromBody] DelegationMask delegationMask)
{
var validationResult = _delegationMaskValidationService.Validate(delegationMask);
if (!validationResult.Success)
{
return(BadRequest(new { error = validationResult.Error }));
}
var delegation = await _delegationService
.GetBySubject(delegationMask.DelegationRequest.Target.AccessSubject, delegationMask.DelegationRequest.PolicyIssuer)
.ConfigureAwait(false);
if (delegation == null)
{
return(NotFound());
}
var delegationResponse = _delegationTranslateService.Translate(delegationMask, delegation.Policy);
return(delegationResponse);
}
private async Task <ActionResult <DelegationTranslationTestResponse> > TranslateDelegation(DelegationMask delegationMask)
{
var stepsValidation = await _previousStepsValdiationService.Validate(delegationMask);
if (!stepsValidation.Succeeded)
{
return(BadRequest(stepsValidation.Errors));
}
var validationResult = _delegationMaskValidationService.Validate(delegationMask);
if (!validationResult.Success)
{
return(BadRequest(new { error = validationResult.Error }));
}
var delegation = await _delegationService
.GetBySubject(delegationMask.DelegationRequest.Target.AccessSubject, delegationMask.DelegationRequest.PolicyIssuer)
;
if (delegation == null)
{
return(NotFound());
}
var delegationResponse = _delegationTranslateService.Translate(delegationMask, delegation.Policy);
return(delegationResponse);
}
