/// <summary>
/// Initializes a new instance of the <see cref="EvaluationEngine"/> class.
/// </summary>
/// <param name="policy">The XACML policy.</param>
public EvaluationEngine(XacmlPolicy policy) {
Contract.Requires<ArgumentNullException>(policy != null);
this.types = DataTypeProcessor.Instance;
this.functions = FunctionsProcessor.Instance;
this.algorithms = AlgorithmsProcessor.Instance;
this.policy = policy;
this.namespaces = policy.Namespaces;
this.xpathVersion = policy.XPathVersion;
}
public void WritePolicy_11() {
var subject = new XacmlSubject(
new XacmlSubjectMatch[]
{
new XacmlSubjectMatch(
new Uri("http://www.MatchId.www"),
new XacmlAttributeValue(new Uri("http://www.DataType.www")),
new XacmlSubjectAttributeDesignator(new Uri("http://www.AttributeId.www"), new Uri("http://www.DataType.www")) { Issuer = "String", MustBePresent = false, Category = new Uri("http://www.subjectCategory.www") })
});
var target = new XacmlTarget(subject, null, null);
XacmlPolicySet xacmlPolicySet = new XacmlPolicySet(new Uri("http://www.PolicySetId.www"), new Uri("http://www.PolicyCombiningAlgId.www"), target);
xacmlPolicySet.Description = "description string";
xacmlPolicySet.XPathVersion = Xacml10Constants.XPathVersions.Xpath10;
XacmlPolicy xacmlPolicy = new XacmlPolicy(new Uri("http://www.PolicyId.www"), new Uri("http://www.RuleCombiningAlgId.www"), new XacmlTarget()) {
Description = "description string",
XPathVersion = Xacml10Constants.XPathVersions.Xpath10,
};
XacmlRule xacmlRule = new XacmlRule("http://www.RuleId.www", XacmlEffectType.Permit) {
Description = "xacmlRule description"
};
xacmlPolicy.Rules.Add(xacmlRule);
XacmlAttributeAssignment xacmlAttributeAssignment = new XacmlAttributeAssignment(new Uri("http://www.AttributeId.www"), new Uri("http://www.DataType.www"));
XacmlObligation xacmlObligation = new XacmlObligation(new Uri("http://www.ObligationId.www"), XacmlEffectType.Permit, new XacmlAttributeAssignment[] { xacmlAttributeAssignment });
xacmlPolicy.Obligations.Add(xacmlObligation);
xacmlPolicySet.Policies.Add(xacmlPolicy);
StringBuilder builder = new StringBuilder();
using (XmlWriter writer = XmlWriter.Create(builder)) {
var serializer = new Xacml10ProtocolSerializer();
serializer.WritePolicySet(writer, xacmlPolicySet);
}
string xml = builder.ToString();
ValidateMessage(xml, @"..\..\_Data\cs-xacml-schema-policy-01.xsd");
}
public void WritePolicy_20() {
var subject = new XacmlSubject(
new XacmlSubjectMatch[]
{
new XacmlSubjectMatch(
new Uri("http://www.MatchId.www"),
new XacmlAttributeValue(new Uri("http://www.DataType.www")),
new XacmlSubjectAttributeDesignator(new Uri("http://www.AttributeId.www"), new Uri("http://www.DataType.www")) { Issuer = "String", MustBePresent = false, Category = new Uri("http://www.subjectCategory.www")}
)
});
var resource = new XacmlResource(
new XacmlResourceMatch[]
{
new XacmlResourceMatch(
new Uri("http://www.MatchId.www"),
new XacmlAttributeValue(new Uri("http://www.DataType.www") /*, "xxxx" */),
new XacmlResourceAttributeDesignator(new Uri("http://www.AttributeId.www"), new Uri("http://www.DataType.www")) { Issuer = "String", MustBePresent = false}
)
});
var action = new XacmlAction(
new XacmlActionMatch[]
{
new XacmlActionMatch(
new Uri("http://www.MatchId.www"),
new XacmlAttributeValue(new Uri("http://www.DataType.www")),
new XacmlActionAttributeDesignator(new Uri("http://www.AttributeId.www"), new Uri("http://www.DataType.www")){ Issuer = "String", MustBePresent = false}
)
});
var target = new XacmlTarget(subject, resource, action, null);
// new Uri("http://www.PolicySetId.www")
XacmlPolicySet xacmlPolicySet = new XacmlPolicySet(new Uri("http://www.PolicyCombiningAlgId.www"), target) {
Description = "description string",
XPathVersion = Xacml10Constants.XPathVersions.Xpath10,
};
////#region Policy
XacmlEnvironment env = new XacmlEnvironment(
new XacmlEnvironmentMatch[]
{
new XacmlEnvironmentMatch(
new Uri("http://www.EnvironmentMatchIdId.www"),
new XacmlAttributeValue(new Uri("http://www.AttributValue.www")),
new XacmlEnvironmentAttributeDesignator(new Uri("http://www.AttributeId.www"), new Uri("http://www.DataType.www")){ Issuer = "String", MustBePresent = false}
)
});
XacmlTarget targetWithEnvironment = new XacmlTarget(null, null, null, new XacmlEnvironment[] { env });
XacmlPolicy xacmlPolicy = new XacmlPolicy(new Uri("http://www.PolicyId.www"), new Uri("http://www.RuleCombiningAlgId.www"), targetWithEnvironment) {
Description = "description string",
XPathVersion = Xacml10Constants.XPathVersions.Xpath10,
};
XacmlRule xacmlRule = new XacmlRule("http://www.RuleId.www", XacmlEffectType.Permit) {
Description = "xacmlRule description"
};
xacmlPolicy.Rules.Add(xacmlRule);
XacmlAttributeAssignment xacmlAttributeAssignment = new XacmlAttributeAssignment(new Uri("http://www.AttributeId.www"), new Uri("http://www.DataType.www"));
XacmlObligation xacmlObligation = new XacmlObligation(new Uri("http://www.ObligationId.www"), XacmlEffectType.Permit, new XacmlAttributeAssignment[] { xacmlAttributeAssignment });
xacmlPolicy.Obligations.Add(xacmlObligation);
xacmlPolicySet.Policies.Add(xacmlPolicy);
StringBuilder builder = new StringBuilder();
using (XmlWriter writer = XmlWriter.Create(builder)) {
var serializer = new Xacml20ProtocolSerializer();
serializer.WritePolicySet(writer, xacmlPolicySet);
}
string xml = builder.ToString();
ValidateMessage(xml, @"..\..\_Data\access_control-xacml-2.0-policy-schema-os.xsd");
}
/// <summary>
/// Writes the policy.
/// </summary>
/// <param name="writer">The writer.</param>
/// <param name="data">The data.</param>
public override void WritePolicy(XmlWriter writer, XacmlPolicy data) {
writer.WriteStartElement(XacmlConstants.Prefixes.Policy, XacmlConstants.ElementNames.Policy, this.version.NamespacePolicy);
writer.WriteAttributeString(XacmlConstants.AttributeNames.PolicyId, data.PolicyId.OriginalString);
writer.WriteAttributeString(XacmlConstants.AttributeNames.RuleCombiningAlgId, data.RuleCombiningAlgId.OriginalString);
if (!string.IsNullOrEmpty(data.Version)) {
writer.WriteAttributeString(XacmlConstants.AttributeNames.Version, data.Version);
}
if (data.MaxDelegationDepth.HasValue) {
writer.WriteAttributeString(XacmlConstants.AttributeNames.MaxDelegationDepth, data.MaxDelegationDepth.Value.ToString());
}
// ?Description
if (data.Description != null) {
writer.WriteElementString(XacmlConstants.Prefixes.Policy, XacmlConstants.ElementNames.Description, this.version.NamespacePolicy, data.Description);
}
if (data.PolicyIssuer != null) {
this.WritePolicyIssuer(writer, data.PolicyIssuer);
}
// PolicyDefaults
if (data.XPathVersion != null) {
writer.WriteStartElement(XacmlConstants.Prefixes.Policy, XacmlConstants.ElementNames.PolicyDefaults, this.version.NamespacePolicy);
writer.WriteElementString(XacmlConstants.Prefixes.Policy, XacmlConstants.ElementNames.XPathVersion, this.version.NamespacePolicy, data.XPathVersion.ToString());
writer.WriteEndElement();
}
// Target
this.WriteTarget(writer, data.Target);
if (data.CombinerParameters.Count > 0) {
writer.WriteStartElement(XacmlConstants.Prefixes.Policy, XacmlConstants.ElementNames.CombinerParameters, this.version.NamespacePolicy);
foreach (var combinerParameter in data.ChoiceCombinerParameters) {
this.WriteCombinerParameter(writer, combinerParameter);
}
writer.WriteEndElement();
}
foreach (var ruleCombinedParameters in data.RuleCombinerParameters) {
writer.WriteStartElement(XacmlConstants.Prefixes.Policy, XacmlConstants.ElementNames.RuleCombinerParameters, this.version.NamespacePolicy);
writer.WriteAttributeString(XacmlConstants.AttributeNames.RuleIdRef, ruleCombinedParameters.RuleIdRef);
foreach (var combinedParameter in ruleCombinedParameters.CombinerParameters) {
this.WriteCombinerParameter(writer, combinedParameter);
}
writer.WriteEndElement();
}
foreach (var variableDefinition in data.VariableDefinitions) {
this.WriteVariableDefinition(writer, variableDefinition);
}
// Rule
foreach (var rule in data.Rules) {
this.WriteRule(writer, rule);
}
if (data.ObligationExpressions.Count > 0) {
writer.WriteStartElement(XacmlConstants.Prefixes.Policy, XacmlConstants.ElementNames.ObligationExpressions, this.version.NamespacePolicy);
foreach (XacmlObligationExpression ex in data.ObligationExpressions) {
this.WriteObligationExpression(writer, ex);
}
writer.WriteEndElement();
}
if (data.AdviceExpressions.Count > 0) {
writer.WriteStartElement(XacmlConstants.Prefixes.Policy, XacmlConstants.ElementNames.AdviceExpressions, this.version.NamespacePolicy);
foreach (XacmlAdviceExpression ex in data.AdviceExpressions) {
this.WriteAdviceExpression(writer, ex);
}
writer.WriteEndElement();
}
writer.WriteEndElement();
}
/// <summary>
/// Reads the policy.
/// </summary>
/// <param name="reader">The reader.</param>
/// <returns></returns>
/// <exception cref="System.InvalidOperationException"></exception>
/// <exception cref="System.Xml.XmlException">
/// PolicyId IsNullOrEmpty
/// or
/// RuleCombiningAlgId IsNullOrEmpty
/// or
/// Target IsNullOrEmpty
/// </exception>
/// <exception cref="XacmlSerializationException">
/// VariableDefinition or Rule are required
/// or
/// CombinerParameterc count > 1
/// or
/// RuleCombinerParameters count > 1
/// </exception>
public override XacmlPolicy ReadPolicy(XmlReader reader) {
Contract.Requires<ArgumentNullException>(reader != null, "reader");
IDictionary<string, string> nsMgr = new Dictionary<string, string>();
for (int i = 0; i < reader.AttributeCount; i++) {
reader.MoveToAttribute(i);
if (reader.Prefix == "xmlns") {
nsMgr.Add(reader.LocalName, reader.Value);
}
}
if (!this.CanRead(reader, XacmlConstants.ElementNames.Policy)) {
throw Diagnostic.DiagnosticTools.ExceptionUtil.ThrowHelperError(new InvalidOperationException());
}
var gaPolicyId = reader.GetAttribute("PolicyId");
if (string.IsNullOrEmpty(gaPolicyId)) {
throw Diagnostic.DiagnosticTools.ExceptionUtil.ThrowHelperError(new XmlException("PolicyId IsNullOrEmpty"));
}
var gaRuleCombiningAlgId = reader.GetAttribute("RuleCombiningAlgId");
if (string.IsNullOrEmpty(gaRuleCombiningAlgId)) {
throw Diagnostic.DiagnosticTools.ExceptionUtil.ThrowHelperError(new XmlException("RuleCombiningAlgId IsNullOrEmpty"));
}
string version = this.ReadAttribute<string>(reader, XacmlConstants.AttributeNames.Version, isRequered: false);
int? maxDelegationDepth = this.ReadAttribute<int?>(reader, XacmlConstants.AttributeNames.MaxDelegationDepth, this.version.NamespacePolicy, isRequered: false);
reader.ReadStartElement(XacmlConstants.ElementNames.Policy, this.version.NamespacePolicy);
string description = null;
if (reader.IsStartElement(XacmlConstants.ElementNames.Description, this.version.NamespacePolicy)) {
description = reader.ReadElementContentAsString(XacmlConstants.ElementNames.Description, this.version.NamespacePolicy);
}
XacmlPolicyIssuer issuer = this.ReadOptional<XacmlPolicyIssuer>(XacmlConstants.ElementNames.PolicyIssuer, this.version.NamespacePolicy, this.ReadPolicyIssuer, reader);
// PolicyDefault
string xpathVersion = null;
if (reader.IsStartElement(XacmlConstants.ElementNames.PolicyDefaults, this.version.NamespacePolicy)) {
reader.ReadStartElement(XacmlConstants.ElementNames.PolicyDefaults, this.version.NamespacePolicy);
if (!reader.IsStartElement(XacmlConstants.ElementNames.XPathVersion, this.version.NamespacePolicy)) {
throw Diagnostic.DiagnosticTools.ExceptionUtil.ThrowHelperError(new XmlException("XPathVerison NotStartElement"));
}
xpathVersion = reader.ReadElementContentAsString(XacmlConstants.ElementNames.XPathVersion, this.version.NamespacePolicy);
reader.ReadEndElement();
}
XacmlTarget target = null;
if (reader.IsStartElement(XacmlConstants.ElementNames.Target, this.version.NamespacePolicy)) {
target = ReadTarget(reader);
}
else {
throw new XmlException("Target IsNullOrEmpty");
}
XacmlPolicy policy = new XacmlPolicy(new Uri(gaPolicyId, UriKind.RelativeOrAbsolute), new Uri(gaRuleCombiningAlgId, UriKind.RelativeOrAbsolute), target) {
Description = description,
XPathVersion = xpathVersion != null ? new Uri(xpathVersion) : null,
PolicyIssuer = issuer,
MaxDelegationDepth = maxDelegationDepth,
Namespaces = nsMgr,
Version = version
};
IDictionary<Tuple<string, string>, Action> dicts = new Dictionary<Tuple<string, string>, Action>()
{
{ new Tuple<string, string>(XacmlConstants.ElementNames.CombinerParameters, this.version.NamespacePolicy), () => {
reader.ReadStartElement(XacmlConstants.ElementNames.CombinerParameters, this.version.NamespacePolicy);
this.ReadList(policy.ChoiceCombinerParameters, XacmlConstants.ElementNames.CombinerParameter, this.version.NamespacePolicy, this.ReadCombinerParameter, reader, isRequired: false);
reader.ReadEndElement();
}},
{ new Tuple<string, string>(XacmlConstants.ElementNames.RuleCombinerParameters, this.version.NamespacePolicy), () => policy.RuleCombinerParameters.Add(this.ReadRuleCombinerParameters(reader))},
{ new Tuple<string, string>(XacmlConstants.ElementNames.VariableDefinition, this.version.NamespacePolicy), () => policy.VariableDefinitions.Add(this.ReadVariableDefinition(reader))},
{ new Tuple<string, string>(XacmlConstants.ElementNames.Rule, this.version.NamespacePolicy), () => policy.Rules.Add(this.ReadRule(reader))},
};
this.ReadChoiceMultiply(reader, dicts);
// choice [1 .. *]
if (policy.VariableDefinitions.Count == 0 && policy.Rules.Count == 0) {
throw Diagnostic.DiagnosticTools.ExceptionUtil.ThrowHelperError(new XacmlSerializationException("VariableDefinition or Rule are required"));
}
if (policy.CombinerParameters.Count > 1) {
throw Diagnostic.DiagnosticTools.ExceptionUtil.ThrowHelperError(new XacmlSerializationException("CombinerParameterc count > 1"));
}
if (policy.RuleCombinerParameters.Count > 1) {
throw Diagnostic.DiagnosticTools.ExceptionUtil.ThrowHelperError(new XacmlSerializationException("RuleCombinerParameters count > 1"));
}
if (reader.IsStartElement(XacmlConstants.ElementNames.ObligationExpressions, this.version.NamespacePolicy)) {
reader.ReadStartElement(XacmlConstants.ElementNames.ObligationExpressions, this.version.NamespacePolicy);
this.ReadList(policy.ObligationExpressions, XacmlConstants.ElementNames.ObligationExpression, this.version.NamespacePolicy, this.ReadObligationExpression, reader, isRequired: true);
reader.ReadEndElement();
}
if (reader.IsStartElement(XacmlConstants.ElementNames.AdviceExpressions, this.version.NamespacePolicy)) {
reader.ReadStartElement(XacmlConstants.ElementNames.AdviceExpressions, this.version.NamespacePolicy);
this.ReadList(policy.AdviceExpressions, XacmlConstants.ElementNames.AdviceExpression, this.version.NamespacePolicy, this.ReadAdviceExpression, reader, isRequired: true);
reader.ReadEndElement();
}
// end policy
reader.ReadEndElement();
return policy;
}
public virtual XacmlDecisionResult PolicyEvaluate(XacmlPolicy policy) {
Contract.Requires<ArgumentNullException>(policy != null);
XacmlPolicy previousPolicy = this.currentEvaluatingPolicy;
this.currentEvaluatingPolicy = policy;
///// <Target> <Rule> <Policy>
///// "Match" At least one rule value is its Effect Specified by the rulecombining algorithm
///// "Match" All rule values are “NotApplicable” “NotApplicable”
///// “Match” At least one rule value is “Indeterminate” Specified by the rulecombining algorithm
///// “No-match” Don’t care “NotApplicable”
///// “Indeterminate” Don’t care “Indeterminate”
// Target
XacmlMatchResult targetResult;
targetResult = this.TargetEvaluate(policy.Target);
if (targetResult == XacmlMatchResult.Indeterminate) {
return XacmlDecisionResult.Indeterminate;
}
if (targetResult == XacmlMatchResult.NoMatch) {
return XacmlDecisionResult.NotApplicable;
}
// Rules
List<Tuple<IEnumerable<XacmlCombinerParameter>, IDictionary<string, Func<object>>>> ruleResultsFunctions = new List<Tuple<IEnumerable<XacmlCombinerParameter>, IDictionary<string, Func<object>>>>();
bool allRulesNotApplicable = true;
foreach (XacmlRule rule in policy.Rules) {
ruleResultsFunctions.Add(new Tuple<IEnumerable<XacmlCombinerParameter>, IDictionary<string, Func<object>>>(
policy.RuleCombinerParameters.Where(o => string.Equals(o.RuleIdRef, rule.RuleId)).SelectMany(o => o.CombinerParameters),
new Dictionary<string, Func<object>>()
{
{
"evaluate",
() =>
{
Tuple<XacmlDecisionResult, string> res = this.RuleEvaluate(rule);
if (res.Item1 != XacmlDecisionResult.NotApplicable)
allRulesNotApplicable = false;
return res;
}
}
}));
}
XacmlDecisionResult algResult = this.algorithms[policy.RuleCombiningAlgId.ToString()].Invoke(ruleResultsFunctions,
policy.CombinerParameters.Concat(policy.ChoiceCombinerParameters));
this.currentEvaluatingPolicy = previousPolicy;
if (allRulesNotApplicable) {
return XacmlDecisionResult.NotApplicable;
}
else {
if (algResult == XacmlDecisionResult.Permit) {
this.obligations[XacmlEffectType.Permit].AddRange(policy.Obligations.Where(o => o.FulfillOn == XacmlEffectType.Permit));
}
if (algResult == XacmlDecisionResult.Deny) {
this.obligations[XacmlEffectType.Deny].AddRange(policy.Obligations.Where(o => o.FulfillOn == XacmlEffectType.Deny));
}
return algResult;
}
}
/// <summary>
/// Reads the policy.
/// </summary>
/// <param name="reader">The reader.</param>
/// <returns></returns>
/// <exception cref="System.InvalidOperationException"></exception>
/// <exception cref="System.Xml.XmlException">
/// PolicyId IsNullOrEmpty
/// or
/// RuleCombiningAlgId IsNullOrEmpty
/// </exception>
public virtual XacmlPolicy ReadPolicy(XmlReader reader) {
Contract.Requires<ArgumentNullException>(reader != null, "reader");
IDictionary<string, string> nsMgr = new Dictionary<string, string>();
for (int i = 0; i < reader.AttributeCount; i++) {
reader.MoveToAttribute(i);
if (reader.Prefix == "xmlns") {
nsMgr.Add(reader.LocalName, reader.Value);
}
}
if (!this.CanRead(reader, XacmlConstants.ElementNames.Policy)) {
throw Diagnostic.DiagnosticTools.ExceptionUtil.ThrowHelperError(new InvalidOperationException());
}
var gaPolicyId = reader.GetAttribute("PolicyId");
if (string.IsNullOrEmpty(gaPolicyId)) {
throw Diagnostic.DiagnosticTools.ExceptionUtil.ThrowHelperError(new XmlException("PolicyId IsNullOrEmpty"));
}
var gaRuleCombiningAlgId = reader.GetAttribute("RuleCombiningAlgId");
if (string.IsNullOrEmpty(gaRuleCombiningAlgId)) {
throw Diagnostic.DiagnosticTools.ExceptionUtil.ThrowHelperError(new XmlException("RuleCombiningAlgId IsNullOrEmpty"));
}
reader.ReadStartElement(XacmlConstants.ElementNames.Policy, this.version.NamespacePolicy);
string description = null;
if (reader.IsStartElement(XacmlConstants.ElementNames.Description, this.version.NamespacePolicy)) {
description = reader.ReadElementContentAsString(XacmlConstants.ElementNames.Description, this.version.NamespacePolicy);
}
// PolicySetDefault
string xpathVersion = null;
if (reader.IsStartElement(XacmlConstants.ElementNames.PolicyDefaults, this.version.NamespacePolicy)) {
reader.ReadStartElement(XacmlConstants.ElementNames.PolicyDefaults, this.version.NamespacePolicy);
if (!reader.IsStartElement(XacmlConstants.ElementNames.XPathVersion, this.version.NamespacePolicy)) {
throw Diagnostic.DiagnosticTools.ExceptionUtil.ThrowHelperError(new XmlException("XPathVerison NotStartElement"));
}
xpathVersion = reader.ReadElementContentAsString(XacmlConstants.ElementNames.XPathVersion, this.version.NamespacePolicy);
reader.ReadEndElement();
}
XacmlTarget target = null;
if (reader.IsStartElement(XacmlConstants.ElementNames.Target, this.version.NamespacePolicy)) {
target = ReadTarget(reader);
}
XacmlPolicy policy = new XacmlPolicy(new Uri(gaPolicyId, UriKind.RelativeOrAbsolute), new Uri(gaRuleCombiningAlgId, UriKind.RelativeOrAbsolute), target) {
Description = description,
XPathVersion = xpathVersion != null ? new Uri(xpathVersion) : null
};
policy.Namespaces = nsMgr;
XacmlRule rule = null;
while (reader.IsStartElement(XacmlConstants.ElementNames.Rule, this.version.NamespacePolicy)) {
rule = ReadRule(reader);
policy.Rules.Add(rule);
}
if (reader.IsStartElement(XacmlConstants.ElementNames.Obligations, this.version.NamespacePolicy)) {
reader.ReadStartElement(XacmlConstants.ElementNames.Obligations, this.version.NamespacePolicy);
this.ReadList(policy.Obligations, XacmlConstants.ElementNames.Obligation, this.version.NamespacePolicy, ReadObligation, reader, isRequired: true);
// end obligations
reader.ReadEndElement();
}
// end policy
reader.ReadEndElement();
return policy;
}
public override XacmlDecisionResult PolicyEvaluate(XacmlPolicy policy) {
XacmlPolicy previousPolicy = this.currentEvaluatingPolicy;
this.currentEvaluatingPolicy = policy;
///// <Target> <Rule> <Policy>
///// "Match" Don’t care Specified by the rulecombining algorithm
///// “No-match” Don’t care “NotApplicable”
///// “Indeterminate” See Table 7 See Table 7
XacmlDecisionResult algResult = XacmlDecisionResult.Indeterminate;
// Wrap for Obligations and Advice, read more on AttributeAssignmentsWrapper class description
using (AttributeAssignmentsWrapper<XacmlObligation> obligationWrapper = new AttributeAssignmentsWrapper<XacmlObligation>(() => this.obligations, o => this.obligations = o, () => algResult)) {
using (AttributeAssignmentsWrapper<XacmlAdvice> adviceWrapper = new AttributeAssignmentsWrapper<XacmlAdvice>(() => this.advices, o => this.advices = o, () => algResult)) {
// Target
XacmlMatchResult targetResult;
targetResult = this.TargetEvaluate(policy.Target);
if (targetResult == XacmlMatchResult.NoMatch) {
return XacmlDecisionResult.NotApplicable;
}
// Rules
List<Tuple<IEnumerable<XacmlCombinerParameter>, IDictionary<string, Func<object>>>> ruleResultsFunctions = new List<Tuple<IEnumerable<XacmlCombinerParameter>, IDictionary<string, Func<object>>>>();
foreach (XacmlRule rule in policy.Rules) {
ruleResultsFunctions.Add(new Tuple<IEnumerable<XacmlCombinerParameter>, IDictionary<string, Func<object>>>(
policy.RuleCombinerParameters.Where(o => string.Equals(o.RuleIdRef, rule.RuleId)).SelectMany(o => o.CombinerParameters),
new Dictionary<string, Func<object>>()
{
{
"evaluate",
() => this.RuleEvaluate(rule)
}
}));
}
algResult = this.algorithms[policy.RuleCombiningAlgId.ToString()].Invoke(ruleResultsFunctions,
policy.CombinerParameters.Concat(policy.ChoiceCombinerParameters));
this.currentEvaluatingPolicy = previousPolicy;
if (targetResult == XacmlMatchResult.Indeterminate) {
algResult = this.SpecifyCombiningAlgorithmResult(algResult);
}
// Permit
if (algResult == XacmlDecisionResult.Permit) {
if (policy.ObligationExpressions.Count > 0) {
IEnumerable<XacmlObligationExpression> obligationsWithPermit = policy.ObligationExpressions.Where(o => o.FulfillOn == XacmlEffectType.Permit);
foreach (XacmlObligationExpression expression in obligationsWithPermit) {
List<XacmlAttributeAssignment> attributeAssigments = new List<XacmlAttributeAssignment>();
foreach (XacmlAttributeAssignmentExpression ex in expression.AttributeAssignmentExpressions) {
IEnumerable<XacmlAttributeAssignment> assignment = this.AttributeAssignmentExpressionEvaluate(ex);
// ja Indeterminate, tad rezultāts arī
if (assignment == null) {
return XacmlDecisionResult.Indeterminate;
}
attributeAssigments.AddRange(assignment);
}
XacmlObligation obligation = new XacmlObligation(expression.ObligationId, attributeAssigments);
this.obligations[expression.FulfillOn].Add(obligation);
}
}
if (policy.AdviceExpressions.Count > 0) {
IEnumerable<XacmlAdviceExpression> advicesWithPermit = policy.AdviceExpressions.Where(o => o.AppliesTo == XacmlEffectType.Permit);
foreach (XacmlAdviceExpression expression in advicesWithPermit) {
List<XacmlAttributeAssignment> attributeAssigments = new List<XacmlAttributeAssignment>();
foreach (XacmlAttributeAssignmentExpression ex in expression.AttributeAssignmentExpressions) {
IEnumerable<XacmlAttributeAssignment> assignment = this.AttributeAssignmentExpressionEvaluate(ex);
// ja Indeterminate, tad rezultāts arī
if (assignment == null) {
return XacmlDecisionResult.Indeterminate;
}
attributeAssigments.AddRange(assignment);
}
XacmlAdvice advice = new XacmlAdvice(expression.AdviceId, attributeAssigments);
this.advices[expression.AppliesTo].Add(advice);
}
}
}
// Deny
if (algResult == XacmlDecisionResult.Deny) {
if (policy.ObligationExpressions.Count > 0) {
IEnumerable<XacmlObligationExpression> obligationsWithPermit = policy.ObligationExpressions.Where(o => o.FulfillOn == XacmlEffectType.Deny);
foreach (XacmlObligationExpression expression in obligationsWithPermit) {
List<XacmlAttributeAssignment> attributeAssigments = new List<XacmlAttributeAssignment>();
foreach (XacmlAttributeAssignmentExpression ex in expression.AttributeAssignmentExpressions) {
IEnumerable<XacmlAttributeAssignment> assignment = this.AttributeAssignmentExpressionEvaluate(ex);
// ja Indeterminate, tad rezultāts arī
if (assignment == null) {
return XacmlDecisionResult.Indeterminate;
}
attributeAssigments.AddRange(assignment);
}
XacmlObligation obligation = new XacmlObligation(expression.ObligationId, attributeAssigments);
this.obligations[expression.FulfillOn].Add(obligation);
}
}
if (policy.AdviceExpressions.Count > 0) {
IEnumerable<XacmlAdviceExpression> advicesWithPermit = policy.AdviceExpressions.Where(o => o.AppliesTo == XacmlEffectType.Deny);
foreach (XacmlAdviceExpression expression in advicesWithPermit) {
List<XacmlAttributeAssignment> attributeAssigments = new List<XacmlAttributeAssignment>();
foreach (XacmlAttributeAssignmentExpression ex in expression.AttributeAssignmentExpressions) {
IEnumerable<XacmlAttributeAssignment> assignment = this.AttributeAssignmentExpressionEvaluate(ex);
// ja Indeterminate, tad rezultāts arī
if (assignment == null) {
return XacmlDecisionResult.Indeterminate;
}
attributeAssigments.AddRange(assignment);
}
XacmlAdvice advice = new XacmlAdvice(expression.AdviceId, attributeAssigments);
this.advices[expression.AppliesTo].Add(advice);
}
}
}
}
}
// add applicaple policies for PolicyIdentifierList in response
if (algResult == XacmlDecisionResult.Permit) {
this.applicablePolicies[XacmlEffectType.Permit].Add(new XacmlContextPolicyIdReference() {
Value = policy.PolicyId.OriginalString,
Version = new XacmlVersionMatchType(policy.Version)
});
}
if (algResult == XacmlDecisionResult.Deny) {
this.applicablePolicies[XacmlEffectType.Deny].Add(new XacmlContextPolicyIdReference() {
Value = policy.PolicyId.OriginalString,
Version = new XacmlVersionMatchType(policy.Version)
});
}
return algResult;
}
public EvaluationEngine30(XacmlPolicy policy)
: base(policy) {
}
/// <summary>
/// public void WritePolicy
/// </summary>
/// <param name="writer">XmlWriter writer</param>
/// <param name="data">XacmlPolicy data</param>
public virtual void WritePolicy(XmlWriter writer, XacmlPolicy data) {
Contract.Requires<ArgumentNullException>(writer != null);
Contract.Requires<ArgumentNullException>(data != null);
writer.WriteStartElement(XacmlConstants.Prefixes.Policy, XacmlConstants.ElementNames.Policy, this.version.NamespacePolicy);
writer.WriteAttributeString(XacmlConstants.AttributeNames.PolicyId, data.PolicyId.OriginalString);
writer.WriteAttributeString(XacmlConstants.AttributeNames.RuleCombiningAlgId, data.RuleCombiningAlgId.OriginalString);
// ?Description
if (data.Description != null) {
writer.WriteElementString(XacmlConstants.Prefixes.Policy, XacmlConstants.ElementNames.Description, this.version.NamespacePolicy, data.Description);
}
// PolicyDefaults
if (data.XPathVersion != null) {
writer.WriteStartElement(XacmlConstants.Prefixes.Policy, XacmlConstants.ElementNames.PolicyDefaults, this.version.NamespacePolicy);
writer.WriteElementString(XacmlConstants.Prefixes.Policy, XacmlConstants.ElementNames.XPathVersion, this.version.NamespacePolicy, data.XPathVersion.ToString());
writer.WriteEndElement();
}
// Target
this.WriteTarget(writer, data.Target);
// Rule
foreach (var rule in data.Rules) {
this.WriteRule(writer, rule);
}
// Obligatoins
if (data.Obligations.Count > 0) {
writer.WriteStartElement(XacmlConstants.Prefixes.Policy, XacmlConstants.ElementNames.Obligations, this.version.NamespacePolicy);
foreach (var obligation in data.Obligations) {
this.WriteObligation(writer, obligation);
}
writer.WriteEndElement();
}
writer.WriteEndElement();
}
/// <summary>
/// Writes the policy.
/// </summary>
/// <param name="writer">The writer.</param>
/// <param name="data">The data.</param>
public override void WritePolicy(XmlWriter writer, XacmlPolicy data) {
Contract.Requires<ArgumentNullException>(writer != null);
Contract.Requires<ArgumentNullException>(data != null);
writer.WriteStartElement(XacmlConstants.Prefixes.Policy, XacmlConstants.ElementNames.Policy, this.version.NamespacePolicy);
writer.WriteAttributeString(XacmlConstants.AttributeNames.PolicyId, data.PolicyId.OriginalString);
writer.WriteAttributeString(XacmlConstants.AttributeNames.RuleCombiningAlgId, data.RuleCombiningAlgId.OriginalString);
if (!string.IsNullOrEmpty(data.Version)) {
writer.WriteAttributeString(XacmlConstants.AttributeNames.Version, data.Version);
}
// ?Description
if (data.Description != null) {
writer.WriteElementString(XacmlConstants.Prefixes.Policy, XacmlConstants.ElementNames.Description, this.version.NamespacePolicy, data.Description);
}
// PolicyDefaults
if (data.XPathVersion != null) {
writer.WriteStartElement(XacmlConstants.Prefixes.Policy, XacmlConstants.ElementNames.PolicyDefaults, this.version.NamespacePolicy);
writer.WriteElementString(XacmlConstants.Prefixes.Policy, XacmlConstants.ElementNames.XPathVersion, this.version.NamespacePolicy, data.XPathVersion.ToString());
writer.WriteEndElement();
}
// Combined parameters
if (data.CombinerParameters != null) {
writer.WriteStartElement(XacmlConstants.Prefixes.Policy, XacmlConstants.ElementNames.CombinerParameters, this.version.NamespacePolicy);
foreach (var combinerParameter in data.CombinerParameters) {
this.WriteCombinerParameter(writer, combinerParameter);
}
writer.WriteEndElement();
}
// Target
this.WriteTarget(writer, data.Target);
if (data.CombinerParameters.Count > 0) {
writer.WriteStartElement(XacmlConstants.Prefixes.Policy, XacmlConstants.ElementNames.CombinerParameters, this.version.NamespacePolicy);
foreach (var combinerParameter in data.ChoiceCombinerParameters) {
this.WriteCombinerParameter(writer, combinerParameter);
}
writer.WriteEndElement();
}
foreach (var ruleCombinedParameters in data.RuleCombinerParameters) {
writer.WriteStartElement(XacmlConstants.Prefixes.Policy, XacmlConstants.ElementNames.RuleCombinerParameters, this.version.NamespacePolicy);
writer.WriteAttributeString(XacmlConstants.AttributeNames.RuleIdRef, ruleCombinedParameters.RuleIdRef);
foreach (var combinedParameter in ruleCombinedParameters.CombinerParameters) {
this.WriteCombinerParameter(writer, combinedParameter);
}
writer.WriteEndElement();
}
foreach (var variableDefinition in data.VariableDefinitions) {
this.WriteVariableDefinition(writer, variableDefinition);
}
// Rule
foreach (var rule in data.Rules) {
this.WriteRule(writer, rule);
}
// Obligatoins
if (data.Obligations.Count > 0) {
writer.WriteStartElement(XacmlConstants.Prefixes.Policy, XacmlConstants.ElementNames.Obligations, this.version.NamespacePolicy);
foreach (var obligation in data.Obligations) {
this.WriteObligation(writer, obligation);
}
writer.WriteEndElement();
}
writer.WriteEndElement();
}