protected virtual void WriteContextDecision(XmlWriter writer, XacmlContextDecision xacmlContextDecision)
{
if (writer == null)
{
throw new ArgumentNullException(nameof(writer));
}
string value;
switch (xacmlContextDecision)
{
case XacmlContextDecision.Deny:
value = "Deny";
break;
case XacmlContextDecision.Indeterminate:
value = "Indeterminate";
break;
case XacmlContextDecision.NotApplicable:
value = "NotApplicable";
break;
case XacmlContextDecision.Permit:
value = "Permit";
break;
default:
throw new InvalidOperationException("Wrong Decision value");
}
writer.WriteElementString(XacmlConstants.Prefixes.Context, XacmlConstants.ElementNames.Decision, this.Version.NamespaceContext, value);
}
private static void WriteContextDecision(XmlWriter writer, XacmlContextDecision xacmlContextDecision)
{
Guard.ArgumentNotNull(writer, nameof(writer));
string value;
switch (xacmlContextDecision)
{
case XacmlContextDecision.Deny:
value = "Deny";
break;
case XacmlContextDecision.Indeterminate:
value = "Indeterminate";
break;
case XacmlContextDecision.NotApplicable:
value = "NotApplicable";
break;
case XacmlContextDecision.Permit:
value = "Permit";
break;
default:
throw new InvalidOperationException("Not a valid value");
}
writer.WriteElementString(XacmlConstants.Prefixes.Xacml, XacmlConstants.ElementNames.Decision, Xacml30Constants.NameSpaces.Policy, value);
}
/// <summary>
/// Initializes a new instance of the <see cref="XacmlContextResult"/> class.
/// </summary>
/// <param name="decision">The authorization decision.</param>
/// <param name="status">The status.</param>
public XacmlContextResult(XacmlContextDecision decision, XacmlContextStatus status)
{
if (status == null)
{
throw new ArgumentNullException(nameof(status));
}
this.decision = decision;
this.status = status;
}
/// <summary>
/// Initializes a new instance of the <see cref="XacmlContextResult"/> class.
/// </summary>
/// <param name="decision">The authorization decision.</param>
/// <remarks>
/// Used only from XACML 2.0/3.0
/// </remarks>
public XacmlContextResult(XacmlContextDecision decision) {
this.decision = decision;
}
/// <summary>
/// Initializes a new instance of the <see cref="XacmlContextResult"/> class.
/// </summary>
/// <param name="decision">The authorization decision.</param>
/// <param name="status">The status.</param>
public XacmlContextResult(XacmlContextDecision decision, XacmlContextStatus status) {
Contract.Requires<ArgumentNullException>(status != null);
this.decision = decision;
this.status = status;
}
/// <summary>
/// Initializes a new instance of the <see cref="XacmlContextResult"/> class.
/// </summary>
/// <param name="decision">The authorization decision.</param>
/// <remarks>
/// Used only from XACML 2.0/3.0
/// </remarks>
public XacmlContextResult(XacmlContextDecision decision)
{
this.decision = decision;
}
/// <summary>
/// Method that validated if the subject is allwoed to perform the requested operation on a given resource.
/// </summary>
/// <param name="decisionRequest">The Xacml Context request.</param>
/// <param name="policy">The relevant policy.</param>
/// <returns>The decision reponse.</returns>
public XacmlContextResponse Authorize(XacmlContextRequest decisionRequest, XacmlPolicy policy)
{
XacmlContextResult contextResult;
ICollection <XacmlRule> matchingRules = this.GetMatchingRules(policy, decisionRequest, out bool requiredAttributesMissingFromContextRequest);
if (requiredAttributesMissingFromContextRequest)
{
contextResult = new XacmlContextResult(XacmlContextDecision.Indeterminate)
{
Status = new XacmlContextStatus(XacmlContextStatusCode.MissingAttribute),
};
return(new XacmlContextResponse(contextResult));
}
if (matchingRules == null || matchingRules.Count == 0)
{
contextResult = new XacmlContextResult(XacmlContextDecision.NotApplicable)
{
Status = new XacmlContextStatus(XacmlContextStatusCode.Success),
};
return(new XacmlContextResponse(contextResult));
}
XacmlContextDecision overallDecision = XacmlContextDecision.NotApplicable;
foreach (XacmlRule rule in matchingRules)
{
XacmlContextDecision decision;
// Need to authorize based on the information in the Xacml context request
XacmlAttributeMatchResult subjectMatchResult = rule.MatchAttributes(decisionRequest, XacmlConstants.MatchAttributeCategory.Subject);
if (subjectMatchResult.Equals(XacmlAttributeMatchResult.Match))
{
if (rule.Effect.Equals(XacmlEffectType.Permit))
{
decision = XacmlContextDecision.Permit;
}
else
{
decision = XacmlContextDecision.Deny;
}
}
else if (subjectMatchResult.Equals(XacmlAttributeMatchResult.RequiredAttributeMissing))
{
contextResult = new XacmlContextResult(XacmlContextDecision.Indeterminate)
{
Status = new XacmlContextStatus(XacmlContextStatusCode.Success),
};
return(new XacmlContextResponse(contextResult));
}
else
{
decision = XacmlContextDecision.NotApplicable;
}
if ((decision.Equals(XacmlContextDecision.Deny) || decision.Equals(XacmlContextDecision.Permit)) && rule.Condition != null)
{
XacmlAttributeMatchResult conditionDidEvaluate = rule.EvaluateCondition(decisionRequest);
if (conditionDidEvaluate.Equals(XacmlAttributeMatchResult.NoMatch))
{
decision = XacmlContextDecision.NotApplicable;
}
else if (conditionDidEvaluate.Equals(XacmlAttributeMatchResult.RequiredAttributeMissing))
{
contextResult = new XacmlContextResult(XacmlContextDecision.Indeterminate)
{
Status = new XacmlContextStatus(XacmlContextStatusCode.Success),
};
return(new XacmlContextResponse(contextResult));
}
else if (conditionDidEvaluate.Equals(XacmlAttributeMatchResult.BagSizeConditionFailed))
{
contextResult = new XacmlContextResult(XacmlContextDecision.Indeterminate)
{
Status = new XacmlContextStatus(XacmlContextStatusCode.Success),
};
return(new XacmlContextResponse(contextResult));
}
else if (conditionDidEvaluate.Equals(XacmlAttributeMatchResult.ToManyAttributes))
{
contextResult = new XacmlContextResult(XacmlContextDecision.Indeterminate)
{
Status = new XacmlContextStatus(XacmlContextStatusCode.ProcessingError),
};
return(new XacmlContextResponse(contextResult));
}
}
if (!decision.Equals(XacmlContextDecision.NotApplicable))
{
if (policy.RuleCombiningAlgId.Equals(XacmlConstants.CombiningAlgorithms.RuleDenyOverrides) &&
decision.Equals(XacmlContextDecision.Deny))
{
contextResult = new XacmlContextResult(XacmlContextDecision.Deny);
break;
}
else if (decision.Equals(XacmlContextDecision.Permit))
{
overallDecision = decision;
}
}
}
contextResult = new XacmlContextResult(overallDecision)
{
Status = new XacmlContextStatus(XacmlContextStatusCode.Success),
};
this.AddObligations(policy, contextResult);
this.AddRequestAttributes(decisionRequest, contextResult);
return(new XacmlContextResponse(contextResult));
}
protected virtual void WriteContextDecision(XmlWriter writer, XacmlContextDecision xacmlContextDecision) {
Contract.Requires<ArgumentNullException>(writer != null);
string value;
switch (xacmlContextDecision) {
case XacmlContextDecision.Deny:
value = "Deny";
break;
case XacmlContextDecision.Indeterminate:
value = "Indeterminate";
break;
case XacmlContextDecision.NotApplicable:
value = "NotApplicable";
break;
case XacmlContextDecision.Permit:
value = "Permit";
break;
default:
throw Diagnostic.DiagnosticTools.ExceptionUtil.ThrowHelperError(new XacmlSerializationException("Wrong Decision value"));
}
writer.WriteElementString(XacmlConstants.Prefixes.Context, XacmlConstants.ElementNames.Decision, this.version.NamespaceContext, value);
}
/// <summary>
/// Initializes a new instance of the <see cref="XacmlContextResult"/> class.
/// </summary>
/// <param name="decision">The authorization decision.</param>
/// <param name="status">The status.</param>
public XacmlContextResult(XacmlContextDecision decision, XacmlContextStatus status)
{
Guard.ArgumentNotNull(status, nameof(status));
this.decision = decision;
this.status = status;
}
