public async Task <AuthorizationPolicyResult> Execute(TicketLineParameter ticketLineParameter, Policy authorizationPolicy, ClaimTokenParameter claimTokenParameter)
{
if (ticketLineParameter == null)
{
throw new ArgumentNullException(nameof(ticketLineParameter));
}
if (authorizationPolicy == null)
{
throw new ArgumentNullException(nameof(authorizationPolicy));
}
if (authorizationPolicy.Rules == null ||
!authorizationPolicy.Rules.Any())
{
return(new AuthorizationPolicyResult
{
Type = AuthorizationPolicyResultEnum.Authorized
});
}
AuthorizationPolicyResult result = null;
foreach (var rule in authorizationPolicy.Rules)
{
result = await ExecuteAuthorizationPolicyRule(ticketLineParameter, rule, claimTokenParameter);
if (result.Type == AuthorizationPolicyResultEnum.Authorized)
{
return(result);
}
}
return(result);
}
private async Task <AuthorizationPolicyResult> Validate(TicketLineParameter ticketLineParameter, ResourceSet resource, ClaimTokenParameter claimTokenParameter)
{
if (resource.Policies == null || !resource.Policies.Any())
{
return(new AuthorizationPolicyResult
{
Type = AuthorizationPolicyResultEnum.Authorized
});
}
foreach (var authorizationPolicy in resource.Policies)
{
var result = await _basicAuthorizationPolicy.Execute(ticketLineParameter, authorizationPolicy, claimTokenParameter);
if (result.Type == AuthorizationPolicyResultEnum.Authorized)
{
return(result);
}
}
return(new AuthorizationPolicyResult
{
Type = AuthorizationPolicyResultEnum.NotAuthorized
});
}
public async Task <AuthorizationPolicyResult> IsAuthorized(Ticket validTicket, string clientId, ClaimTokenParameter claimTokenParameter)
{
if (validTicket == null)
{
throw new ArgumentNullException(nameof(validTicket));
}
if (string.IsNullOrWhiteSpace(clientId))
{
throw new ArgumentNullException(nameof(clientId));
}
if (validTicket.Lines == null || !validTicket.Lines.Any())
{
throw new ArgumentNullException(nameof(validTicket.Lines));
}
var resourceIds = validTicket.Lines.Select(l => l.ResourceSetId);
var resources = await _resourceSetRepository.Get(resourceIds);
if (resources == null || !resources.Any() || resources.Count() != resourceIds.Count())
{
throw new BaseUmaException(ErrorCodes.InternalError, ErrorDescriptions.SomeResourcesDontExist);
}
AuthorizationPolicyResult validationResult = null;
foreach (var ticketLine in validTicket.Lines)
{
var ticketLineParameter = new TicketLineParameter(clientId, ticketLine.Scopes, validTicket.IsAuthorizedByRo);
var resource = resources.First(r => r.Id == ticketLine.ResourceSetId);
validationResult = await Validate(ticketLineParameter, resource, claimTokenParameter);
if (validationResult.Type != AuthorizationPolicyResultEnum.Authorized)
{
_umaServerEventSource.AuthorizationPoliciesFailed(validTicket.Id);
return(validationResult);
}
}
return(validationResult);
}
private async Task <AuthorizationPolicyResult> ExecuteAuthorizationPolicyRule(TicketLineParameter ticketLineParameter, PolicyRule authorizationPolicy, ClaimTokenParameter claimTokenParameter)
{
// 1. Check can access to the scope
if (ticketLineParameter.Scopes.Any(s => !authorizationPolicy.Scopes.Contains(s)))
{
return(new AuthorizationPolicyResult
{
Type = AuthorizationPolicyResultEnum.NotAuthorized
});
}
// 2. Check clients are correct
var clientAuthorizationResult = CheckClients(authorizationPolicy, ticketLineParameter);
if (clientAuthorizationResult != null &&
clientAuthorizationResult.Type != AuthorizationPolicyResultEnum.Authorized)
{
return(clientAuthorizationResult);
}
// 3. Check claims are correct
var claimAuthorizationResult = await CheckClaims(authorizationPolicy, claimTokenParameter).ConfigureAwait(false);
if (claimAuthorizationResult != null && claimAuthorizationResult.Type != AuthorizationPolicyResultEnum.Authorized)
{
return(claimAuthorizationResult);
}
// 4. Check the resource owner consent is needed
if (authorizationPolicy.IsResourceOwnerConsentNeeded && !ticketLineParameter.IsAuthorizedByRo)
{
return(new AuthorizationPolicyResult
{
Type = AuthorizationPolicyResultEnum.RequestSubmitted
});
}
return(new AuthorizationPolicyResult
{
Type = AuthorizationPolicyResultEnum.Authorized
});
}
private AuthorizationPolicyResult CheckClients(PolicyRule authorizationPolicy, TicketLineParameter ticketLineParameter)
{
if (authorizationPolicy.ClientIdsAllowed == null ||
!authorizationPolicy.ClientIdsAllowed.Any())
{
return(null);
}
if (!authorizationPolicy.ClientIdsAllowed.Contains(ticketLineParameter.ClientId))
{
return(new AuthorizationPolicyResult
{
Type = AuthorizationPolicyResultEnum.NotAuthorized
});
}
return(new AuthorizationPolicyResult
{
Type = AuthorizationPolicyResultEnum.Authorized
});
}
