public async Task <AuthorizationPolicyResult> Execute(TicketLineParameter ticketLineParameter, Policy authorizationPolicy, ClaimTokenParameter claimTokenParameter) { if (ticketLineParameter == null) { throw new ArgumentNullException(nameof(ticketLineParameter)); } if (authorizationPolicy == null) { throw new ArgumentNullException(nameof(authorizationPolicy)); } if (authorizationPolicy.Rules == null || !authorizationPolicy.Rules.Any()) { return(new AuthorizationPolicyResult { Type = AuthorizationPolicyResultEnum.Authorized }); } AuthorizationPolicyResult result = null; foreach (var rule in authorizationPolicy.Rules) { result = await ExecuteAuthorizationPolicyRule(ticketLineParameter, rule, claimTokenParameter); if (result.Type == AuthorizationPolicyResultEnum.Authorized) { return(result); } } return(result); }
private async Task <AuthorizationPolicyResult> Validate(TicketLineParameter ticketLineParameter, ResourceSet resource, ClaimTokenParameter claimTokenParameter) { if (resource.Policies == null || !resource.Policies.Any()) { return(new AuthorizationPolicyResult { Type = AuthorizationPolicyResultEnum.Authorized }); } foreach (var authorizationPolicy in resource.Policies) { var result = await _basicAuthorizationPolicy.Execute(ticketLineParameter, authorizationPolicy, claimTokenParameter); if (result.Type == AuthorizationPolicyResultEnum.Authorized) { return(result); } } return(new AuthorizationPolicyResult { Type = AuthorizationPolicyResultEnum.NotAuthorized }); }
public async Task <AuthorizationPolicyResult> IsAuthorized(Ticket validTicket, string clientId, ClaimTokenParameter claimTokenParameter) { if (validTicket == null) { throw new ArgumentNullException(nameof(validTicket)); } if (string.IsNullOrWhiteSpace(clientId)) { throw new ArgumentNullException(nameof(clientId)); } if (validTicket.Lines == null || !validTicket.Lines.Any()) { throw new ArgumentNullException(nameof(validTicket.Lines)); } var resourceIds = validTicket.Lines.Select(l => l.ResourceSetId); var resources = await _resourceSetRepository.Get(resourceIds); if (resources == null || !resources.Any() || resources.Count() != resourceIds.Count()) { throw new BaseUmaException(ErrorCodes.InternalError, ErrorDescriptions.SomeResourcesDontExist); } AuthorizationPolicyResult validationResult = null; foreach (var ticketLine in validTicket.Lines) { var ticketLineParameter = new TicketLineParameter(clientId, ticketLine.Scopes, validTicket.IsAuthorizedByRo); var resource = resources.First(r => r.Id == ticketLine.ResourceSetId); validationResult = await Validate(ticketLineParameter, resource, claimTokenParameter); if (validationResult.Type != AuthorizationPolicyResultEnum.Authorized) { _umaServerEventSource.AuthorizationPoliciesFailed(validTicket.Id); return(validationResult); } } return(validationResult); }
private async Task <AuthorizationPolicyResult> ExecuteAuthorizationPolicyRule(TicketLineParameter ticketLineParameter, PolicyRule authorizationPolicy, ClaimTokenParameter claimTokenParameter) { // 1. Check can access to the scope if (ticketLineParameter.Scopes.Any(s => !authorizationPolicy.Scopes.Contains(s))) { return(new AuthorizationPolicyResult { Type = AuthorizationPolicyResultEnum.NotAuthorized }); } // 2. Check clients are correct var clientAuthorizationResult = CheckClients(authorizationPolicy, ticketLineParameter); if (clientAuthorizationResult != null && clientAuthorizationResult.Type != AuthorizationPolicyResultEnum.Authorized) { return(clientAuthorizationResult); } // 3. Check claims are correct var claimAuthorizationResult = await CheckClaims(authorizationPolicy, claimTokenParameter).ConfigureAwait(false); if (claimAuthorizationResult != null && claimAuthorizationResult.Type != AuthorizationPolicyResultEnum.Authorized) { return(claimAuthorizationResult); } // 4. Check the resource owner consent is needed if (authorizationPolicy.IsResourceOwnerConsentNeeded && !ticketLineParameter.IsAuthorizedByRo) { return(new AuthorizationPolicyResult { Type = AuthorizationPolicyResultEnum.RequestSubmitted }); } return(new AuthorizationPolicyResult { Type = AuthorizationPolicyResultEnum.Authorized }); }
private AuthorizationPolicyResult CheckClients(PolicyRule authorizationPolicy, TicketLineParameter ticketLineParameter) { if (authorizationPolicy.ClientIdsAllowed == null || !authorizationPolicy.ClientIdsAllowed.Any()) { return(null); } if (!authorizationPolicy.ClientIdsAllowed.Contains(ticketLineParameter.ClientId)) { return(new AuthorizationPolicyResult { Type = AuthorizationPolicyResultEnum.NotAuthorized }); } return(new AuthorizationPolicyResult { Type = AuthorizationPolicyResultEnum.Authorized }); }