/// <summary>
/// Extracts the org, app, instance, party and task values from the resource attribute
/// category of a decision request.
/// </summary>
/// <param name="resourceContextAttributes">The resource attribute category of the XACML request.</param>
/// <returns>
/// A <see cref="XacmlResourceAttributes"/> holding the first value of each recognised attribute;
/// properties for attributes absent from the request are left at their defaults.
/// </returns>
private XacmlResourceAttributes GetResourceAttributeValues(XacmlContextAttributes resourceContextAttributes)
{
    XacmlResourceAttributes result = new XacmlResourceAttributes();

    // Attribute id -> the property it populates. Every binding is checked for every attribute,
    // so a later occurrence of the same attribute id overwrites an earlier one.
    (string Id, Action<string> Assign)[] bindings =
    {
        (XacmlRequestAttribute.OrgAttribute, value => result.OrgValue = value),
        (XacmlRequestAttribute.AppAttribute, value => result.AppValue = value),
        (XacmlRequestAttribute.InstanceAttribute, value => result.InstanceValue = value),
        (XacmlRequestAttribute.PartyAttribute, value => result.ResourcePartyValue = value),
        (XacmlRequestAttribute.TaskAttribute, value => result.TaskValue = value),
    };

    foreach (XacmlAttribute attribute in resourceContextAttributes.Attributes)
    {
        string attributeId = attribute.AttributeId.OriginalString;

        foreach ((string id, Action<string> assign) in bindings)
        {
            if (attributeId.Equals(id))
            {
                // Only the first value is used; a matching attribute without any values
                // throws InvalidOperationException from First().
                assign(attribute.AttributeValues.First().Value);
            }
        }
    }

    return result;
}
/// <summary>
/// Reads the resource attributes of the decision request and enriches the subject
/// attributes for the reportee party found there.
/// </summary>
/// <param name="request">The XACML decision request to enrich in place.</param>
private async Task EnrichResourceAttributes(XacmlContextRequest request)
{
    // No instance lookup here: the party value comes straight from the request.
    XacmlResourceAttributes resourceAttributes = GetResourceAttributeValues(request.GetResourceAttributes());

    await EnrichSubjectAttributes(request, resourceAttributes.ResourcePartyValue);
}
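/// <summary>
/// Completes the resource attributes of the decision request from instance data when the
/// request does not already carry a complete set, then enriches the subject attributes for
/// the resulting reportee party.
/// </summary>
/// <param name="request">The XACML decision request to enrich in place.</param>
/// <remarks>
/// Instance data is fetched only when the request carries a well-formed instance id of the
/// form "{instanceOwnerPartyId}/{instanceGuid}". A missing or malformed instance id in the
/// (caller-supplied) request no longer surfaces as NullReferenceException, IndexOutOfRangeException
/// or FormatException; the resource attributes are left as provided and subject enrichment
/// proceeds with whatever party value the request contained.
/// </remarks>
private async Task EnrichResourceAttributes(XacmlContextRequest request)
{
    XacmlContextAttributes resourceContextAttributes = request.GetResourceAttributes();
    XacmlResourceAttributes resourceAttributes = GetResourceAttributeValues(resourceContextAttributes);

    bool hasOrg = !string.IsNullOrEmpty(resourceAttributes.OrgValue);
    bool hasApp = !string.IsNullOrEmpty(resourceAttributes.AppValue);
    bool hasInstance = !string.IsNullOrEmpty(resourceAttributes.InstanceValue);
    bool hasParty = !string.IsNullOrEmpty(resourceAttributes.ResourcePartyValue);
    bool hasTask = !string.IsNullOrEmpty(resourceAttributes.TaskValue);

    // Complete either as an instance-level request (all five values present) or as an
    // app-level request (org, app and party present, no instance and no task).
    bool instanceLevelComplete = hasOrg && hasApp && hasInstance && hasParty && hasTask;
    bool appLevelComplete = hasOrg && hasApp && !hasInstance && hasParty && !hasTask;
    bool resourceAttributeComplete = instanceLevelComplete || appLevelComplete;

    // The instance id is untrusted request input: parse it defensively instead of indexing
    // into Split() and calling Convert.ToInt32 / new Guid on the raw pieces.
    if (!resourceAttributeComplete && TryParseInstanceId(resourceAttributes.InstanceValue, out int instanceOwnerPartyId, out Guid instanceGuid))
    {
        Instance instanceData = await _instanceService.GetInstance(resourceAttributes.AppValue, resourceAttributes.OrgValue, instanceOwnerPartyId, instanceGuid);

        if (instanceData != null)
        {
            AddIfValueDoesNotExist(resourceContextAttributes, XacmlRequestAttribute.OrgAttribute, resourceAttributes.OrgValue, instanceData.Org);

            // AppId is expected as "{org}/{app}" (the same shape this class builds app ids with).
            string app = instanceData.AppId.Split("/")[1];
            AddIfValueDoesNotExist(resourceContextAttributes, XacmlRequestAttribute.AppAttribute, resourceAttributes.AppValue, app);

            if (instanceData.Process?.CurrentTask != null)
            {
                AddIfValueDoesNotExist(resourceContextAttributes, XacmlRequestAttribute.TaskAttribute, resourceAttributes.TaskValue, instanceData.Process.CurrentTask.ElementId);
            }
            else if (instanceData.Process?.EndEvent != null)
            {
                // An ended process carries no current task; expose the end event instead.
                AddIfValueDoesNotExist(resourceContextAttributes, XacmlRequestAttribute.EndEventAttribute, null, instanceData.Process.EndEvent);
            }

            AddIfValueDoesNotExist(resourceContextAttributes, XacmlRequestAttribute.PartyAttribute, resourceAttributes.ResourcePartyValue, instanceData.InstanceOwner.PartyId);

            // The instance owner is authoritative for the reportee party used in subject enrichment.
            resourceAttributes.ResourcePartyValue = instanceData.InstanceOwner.PartyId;
        }
    }

    await EnrichSubjectAttributes(request, resourceAttributes.ResourcePartyValue);

    // Parses "{instanceOwnerPartyId}/{instanceGuid}"; returns false (with default outputs)
    // for a null, empty or malformed id.
    bool TryParseInstanceId(string instanceId, out int partyId, out Guid guid)
    {
        partyId = 0;
        guid = Guid.Empty;

        if (string.IsNullOrEmpty(instanceId))
        {
            return false;
        }

        string[] parts = instanceId.Split('/');
        if (parts.Length < 2)
        {
            return false;
        }

        return int.TryParse(parts[0], out partyId) && Guid.TryParse(parts[1], out guid);
    }
}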
/// <summary>
/// Completes the resource attributes of the decision request from stored instance data when
/// the request does not already carry a complete set, then enriches the subject attributes
/// for the resulting reportee party.
/// </summary>
/// <param name="request">The XACML decision request to enrich in place.</param>
private async Task EnrichResourceAttributes(XacmlContextRequest request)
{
    XacmlContextAttributes resourceContextAttributes = request.GetResourceAttributes();
    XacmlResourceAttributes resourceAttributes = GetResourceAttributeValues(resourceContextAttributes);

    bool hasOrg = !string.IsNullOrEmpty(resourceAttributes.OrgValue);
    bool hasApp = !string.IsNullOrEmpty(resourceAttributes.AppValue);
    bool hasInstance = !string.IsNullOrEmpty(resourceAttributes.InstanceValue);
    bool hasParty = !string.IsNullOrEmpty(resourceAttributes.ResourcePartyValue);
    bool hasTask = !string.IsNullOrEmpty(resourceAttributes.TaskValue);

    // Complete either as an instance-level request (all five values present) or as an
    // app-level request (org, app and party present, no instance and no task).
    bool instanceLevelComplete = hasOrg && hasApp && hasInstance && hasParty && hasTask;
    bool appLevelComplete = hasOrg && hasApp && !hasInstance && hasParty && !hasTask;
    bool resourceAttributeComplete = instanceLevelComplete || appLevelComplete;

    // Without an instance id there is nothing to look up, so the request is used as provided.
    if (!resourceAttributeComplete && hasInstance)
    {
        Instance instanceData = await _policyInformationRepository.GetInstance(resourceAttributes.InstanceValue);

        if (instanceData != null)
        {
            AddIfValueDoesNotExist(resourceContextAttributes, XacmlRequestAttribute.OrgAttribute, resourceAttributes.OrgValue, instanceData.Org);

            // AppId is expected as "{org}/{app}" (the same shape this class builds app ids with).
            string appName = instanceData.AppId.Split("/")[1];
            AddIfValueDoesNotExist(resourceContextAttributes, XacmlRequestAttribute.AppAttribute, resourceAttributes.AppValue, appName);

            if (instanceData.Process?.CurrentTask != null)
            {
                AddIfValueDoesNotExist(resourceContextAttributes, XacmlRequestAttribute.TaskAttribute, resourceAttributes.TaskValue, instanceData.Process.CurrentTask.ElementId);
            }

            AddIfValueDoesNotExist(resourceContextAttributes, XacmlRequestAttribute.PartyAttribute, resourceAttributes.ResourcePartyValue, instanceData.InstanceOwner.PartyId);

            // The instance owner is authoritative for the reportee party used in subject enrichment.
            resourceAttributes.ResourcePartyValue = instanceData.InstanceOwner.PartyId;
        }
    }

    await EnrichSubjectAttributes(request, resourceAttributes.ResourcePartyValue);
}
/// <summary>
/// Evaluates the decision request against delegations granted to the subject user, trying in
/// turn: direct delegations to the user, delegations from the reportee's main units to the
/// user, and delegations to units in which the user holds a key role.
/// </summary>
/// <param name="decisionRequest">The XACML decision request; step 3 passes it to the context handler's Enrich, which may modify it.</param>
/// <param name="appPolicy">The application policy the delegations are evaluated against.</param>
/// <returns>
/// The first response containing a Permit result, otherwise the last response evaluated, or a
/// NotApplicable response when no delegations were found. Returns Indeterminate when org, app,
/// subject user id or a numeric reportee party id is missing from the request.
/// </returns>
private async Task <XacmlContextResponse> AuthorizeBasedOnDelegations(XacmlContextRequest decisionRequest, XacmlPolicy appPolicy)
{
    XacmlContextResponse response = new XacmlContextResponse(new XacmlContextResult(XacmlContextDecision.NotApplicable)
    {
        Status = new XacmlContextStatus(XacmlContextStatusCode.Success)
    });

    XacmlResourceAttributes resourceAttributes = _delegationContextHandler.GetResourceAttributes(decisionRequest);
    int subjectUserId = _delegationContextHandler.GetSubjectUserId(decisionRequest);

    bool requestIncomplete = resourceAttributes == null
        || string.IsNullOrEmpty(resourceAttributes.OrgValue)
        || string.IsNullOrEmpty(resourceAttributes.AppValue)
        || subjectUserId == 0
        || !int.TryParse(resourceAttributes.ResourcePartyValue, out int reporteePartyId);

    if (requestIncomplete)
    {
        // Delegation lookup needs org, app, a subject user and a numeric reportee party.
        // NOTE(review): the whole decision request is serialised into the warning log;
        // confirm that the subject attributes it carries are acceptable in log output.
        string request = JsonConvert.SerializeObject(decisionRequest);
        _logger.LogWarning("// DecisionController // Authorize // Delegations // Incomplete request: {request}", request);

        return new XacmlContextResponse(new XacmlContextResult(XacmlContextDecision.Indeterminate)
        {
            Status = new XacmlContextStatus(XacmlContextStatusCode.Success)
        });
    }

    List <string> appIds = new List <string> { $"{resourceAttributes.OrgValue}/{resourceAttributes.AppValue}" };
    List <int> offeredByPartyIds = new List <int> { reporteePartyId };
    List <int> coveredByUserIds = new List <int> { subjectUserId };
    List <DelegationChange> delegations;

    // 1. Direct user delegations
    delegations = await _delegationRepository.GetAllCurrentDelegationChanges(offeredByPartyIds, appIds, coveredByUserIds : coveredByUserIds);
    if (delegations.Any())
    {
        response = await AuthorizeBasedOnDelegations(decisionRequest, delegations, appPolicy);
        if (HasPermit(response))
        {
            return response;
        }
    }

    // 2. Direct user delegations from mainunit
    List <MainUnit> mainunits = await _delegationContextHandler.GetMainUnits(reporteePartyId);
    List <int> mainunitPartyIds = (from unit in mainunits
                                   where unit.PartyId.HasValue
                                   select unit.PartyId.Value).ToList();
    if (mainunitPartyIds.Any())
    {
        // Main units are also offering parties for the key-role lookup in step 3.
        offeredByPartyIds.AddRange(mainunitPartyIds);

        delegations = await _delegationRepository.GetAllCurrentDelegationChanges(mainunitPartyIds, appIds, coveredByUserIds : coveredByUserIds);
        if (delegations.Any())
        {
            response = await AuthorizeBasedOnDelegations(decisionRequest, delegations, appPolicy);
            if (HasPermit(response))
            {
                return response;
            }
        }
    }

    // 3. Direct party delegations to keyrole units
    List <int> keyrolePartyIds = await _delegationContextHandler.GetKeyRolePartyIds(subjectUserId);
    if (keyrolePartyIds.Any())
    {
        delegations = await _delegationRepository.GetAllCurrentDelegationChanges(offeredByPartyIds, appIds, coveredByPartyIds : keyrolePartyIds);
        if (delegations.Any())
        {
            // Presumably adds the key-role party ids to the request before evaluation — verify in the context handler.
            _delegationContextHandler.Enrich(decisionRequest, keyrolePartyIds);
            response = await AuthorizeBasedOnDelegations(decisionRequest, delegations, appPolicy);
        }
    }

    return response;

    // True when at least one result in the response is a Permit decision.
    bool HasPermit(XacmlContextResponse candidate)
    {
        return candidate.Results.Any(r => r.Decision == XacmlContextDecision.Permit);
    }
}