/// <summary>
///
/// </summary>
/// <param name="obligations"></param>
public Obligations( pol.ObligationReadWriteCollection obligations )
{
// This call is required by the Windows.Forms Form Designer.
InitializeComponent();
LoadingData = true;
_obligations = obligations;
cmbEffect.Items.Add( pol.Effect.Deny );
cmbEffect.Items.Add( pol.Effect.Permit );
lstAttributeAssignments.DisplayMember = "AttributeId";
lstObligations.DisplayMember = "ObligationId";
foreach( pol.ObligationElementReadWrite obligation in obligations )
{
lstObligations.Items.Add( obligation );
}
if( obligations.Count != 0 )
{
lstObligations.SelectedIndex = 0;
}
LoadingData = false;
}
/// <summary>
///
/// </summary>
public Condition( pol.ConditionElementReadWrite condition )
{
// This call is required by the Windows.Forms Form Designer.
InitializeComponent();
_condition = condition;
tvwCondition.Nodes.Add( new FunctionExecution( condition ) );
tvwCondition.ExpandAll();
foreach( FieldInfo field in typeof(InternalDataTypes).GetFields() )
{
cmbDataType.Items.Add( field.GetValue( null ) );
}
foreach( FieldInfo field in typeof(InternalFunctions).GetFields() )
{
cmbInternalFunctions.Items.Add( field.GetValue( null ) );
}
}
/// <summary>
///
/// </summary>
/// <param name="targetItem"></param>
public TargetItem( pol.TargetItemBaseReadWrite targetItem )
{
// This call is required by the Windows.Forms Form Designer.
InitializeComponent();
LoadingData = true;
_targetItem = targetItem;
lstMatch.DisplayMember = "MatchId";
foreach( pol.TargetMatchBaseReadWrite match in targetItem.Match )
{
lstMatch.Items.Add( match );
}
if( lstMatch.Items.Count != 0 )
{
lstMatch.SelectedIndex = 0;
}
LoadingData = false;
}
/// <summary>
/// Creates a new Result using the provided information.
/// </summary>
/// <param name="resourceId">The resource id for this result.</param>
/// <param name="decision">The decission of the evaluation.</param>
/// <param name="status">The status with information about the execution.</param>
/// <param name="obligations">The list of obligations</param>
/// <param name="schemaVersion">The version of the schema that was used to validate.</param>
public ResultElement( string resourceId, rtm.Decision decision, StatusElement status, pol.ObligationCollection obligations, XacmlVersion schemaVersion )
: base( XacmlSchema.Context, schemaVersion )
{
_resourceId = resourceId;
_decision = decision;
// If the status is null, create an empty status
if( status == null )
{
_status = new StatusElement( null, null, null, schemaVersion );
}
else
{
_status = status;
}
// If the obligations are null, leave the empty ObligationCollection.
if( obligations != null )
{
_obligations = obligations;
}
}
/// <summary>
/// Resolve the attribute desingator that can't be found in the context document
/// </summary>
/// <param name="context">The evaluation context instance.</param>
/// <param name="designator">The attribute designator instance</param>
public static ctx.AttributeElement GetAttribute( EvaluationContext context, pol.AttributeDesignatorBase designator )
{
// Resolve internal attributes
switch( designator.AttributeId )
{
case EnvironmentAttributes.CurrentDate:
return new ctx.AttributeElement(
designator.AttributeId,
InternalDataTypes.XsdDate,
null,
null,
XmlConvert.ToString( DateTime.Now, "yyyy-MM-dd" ),
designator.SchemaVersion );
case EnvironmentAttributes.CurrentTime:
return new ctx.AttributeElement(
designator.AttributeId,
InternalDataTypes.XsdTime,
null,
null,
XmlConvert.ToString( DateTime.Now, "HH:mm:sszzzzzz" ),
designator.SchemaVersion );
case EnvironmentAttributes.CurrentDateTime:
return new ctx.AttributeElement(
designator.AttributeId,
InternalDataTypes.XsdDateTime,
null,
null,
XmlConvert.ToString( DateTime.Now, "yyyy-MM-ddTHH:mm:sszzzzzz" ),
designator.SchemaVersion );
default:
{
if( ConfigurationRoot.Config != null )
{
// Search for attributes in the configured repositories
foreach( inf.IAttributeRepository repository in ConfigurationRoot.Config.AttributeRepositories )
{
ctx.AttributeElement attribute = repository.GetAttribute( context, designator );
if( attribute != null )
{
return attribute;
}
}
}
return null;
}
}
}
/// <summary>
/// Resolves the attribute reference defined within the given match.
/// </summary>
/// <param name="context">The evaluation context instance.</param>
/// <param name="match">The target item match.</param>
/// <param name="contextTargetItem">The context target item.</param>
/// <returns>The context attribute.</returns>
public static ctx.AttributeElement Resolve( EvaluationContext context, pol.TargetMatchBaseReadWrite match, ctx.TargetItemBase contextTargetItem )
{
ctx.AttributeElementReadWrite attribute = null;
if( match.AttributeReference is pol.AttributeDesignatorBase )
{
pol.AttributeDesignatorBase attrDesig = (pol.AttributeDesignatorBase)match.AttributeReference;
context.Trace( "Looking for attribute: {0}", attrDesig.AttributeId );
foreach( ctx.AttributeElementReadWrite tempAttribute in contextTargetItem.Attributes )
{
if( tempAttribute.Match( attrDesig ) )
{
attribute = tempAttribute;
break;
}
}
if( attribute == null )
{
context.Trace( "Attribute not found, loading searching an external repository" );
attribute = GetAttribute( context, attrDesig );
}
}
else if( match.AttributeReference is pol.AttributeSelectorElement )
{
pol.AttributeSelectorElement attrSelec = (pol.AttributeSelectorElement)match.AttributeReference;
ctx.ResourceContentElement content = (ctx.ResourceContentElement)((ctx.ResourceElement)contextTargetItem).ResourceContent;
if( content != null )
{
XmlDocument doc = context.ContextDocument.XmlDocument;
if( context.ContextDocument.XmlNamespaceManager == null )
{
context.ContextDocument.AddNamespaces( context.PolicyDocument.Namespaces );
}
string xpath = attrSelec.RequestContextPath;
try
{
XmlNode node = doc.DocumentElement.SelectSingleNode( xpath, context.ContextDocument.XmlNamespaceManager );
if( node != null )
{
attribute = new ctx.AttributeElement( null, attrSelec.DataType, null, null, node.InnerText, attrSelec.SchemaVersion );
}
}
catch( XPathException e )
{
context.Trace( Resource.TRACE_ERROR, e.Message );
context.ProcessingError = true;
}
}
}
if( attribute == null && match.AttributeReference.MustBePresent )
{
context.IsMissingAttribute = true;
context.AddMissingAttribute( match.AttributeReference );
}
if( attribute != null )
{
return new ctx.AttributeElement( attribute.AttributeId, attribute.DataType, attribute.Issuer, attribute.IssueInstant,
attribute.Value, attribute.SchemaVersion);
}
return null;
}
/// <summary>
/// Search for the attribute in the context target item using the attribute designator specified.
/// </summary>
/// <param name="context">The evaluation context instance.</param>
/// <param name="attributeDesignator">The attribute designator instance.</param>
/// <param name="targetItem">The target item to search in.</param>
/// <returns>A bag value with the values of the attributes found.</returns>
public static BagValue FindAttribute( EvaluationContext context, pol.AttributeDesignatorBase attributeDesignator, ctx.TargetItemBase targetItem )
{
BagValue bag = new BagValue( GetDataType( attributeDesignator.DataType ) );
foreach( ctx.AttributeElement attribute in targetItem.Attributes )
{
if( attribute.Match( attributeDesignator ) )
{
context.Trace( "Adding target item attribute designator: {0}", attribute.ToString() );
bag.Add( attribute );
}
}
return bag;
}
/// <summary>
/// Solves the attribute designator in the context document using the attribute designator type
/// </summary>
/// <param name="context">The evaluation context instance.</param>
/// <param name="attributeDesignator">The attribute designator to resolve</param>
/// <returns>A bag value with the values found in the context document</returns>
public static BagValue Resolve( EvaluationContext context, pol.AttributeDesignatorBase attributeDesignator )
{
if( attributeDesignator is pol.SubjectAttributeDesignatorElement )
{
if( context.ContextDocument.Request != null && context.ContextDocument.Request.Subjects != null )
{
BagValue bag = new BagValue( GetDataType( attributeDesignator.DataType ) );
foreach( ctx.SubjectElement subject in context.ContextDocument.Request.Subjects )
{
if( ((pol.SubjectAttributeDesignatorElement)attributeDesignator).SubjectCategory == null ||
( (pol.SubjectAttributeDesignatorElement)attributeDesignator).SubjectCategory == subject.SubjectCategory )
{
foreach( ctx.AttributeElement attrib in FindAttribute( context, attributeDesignator, subject ).Elements )
{
bag.Add( attrib );
}
}
}
return bag;
}
}
else if( attributeDesignator is pol.ResourceAttributeDesignatorElement )
{
if( context.ContextDocument.Request != null && context.CurrentResource != null )
{
return FindAttribute( context, attributeDesignator, context.CurrentResource );
}
else
{
return BagValue.Empty;
}
}
else if( attributeDesignator is pol.ActionAttributeDesignatorElement )
{
if( context.ContextDocument.Request != null && context.ContextDocument.Request.Action != null )
{
return FindAttribute( context, attributeDesignator, context.ContextDocument.Request.Action );
}
else
{
return BagValue.Empty;
}
}
else if( attributeDesignator is pol.EnvironmentAttributeDesignatorElement )
{
if( context.ContextDocument.Request != null && context.ContextDocument.Request.Environment != null )
{
return FindAttribute( context, attributeDesignator, context.ContextDocument.Request.Environment );
}
else
{
return BagValue.Empty;
}
}
throw new EvaluationException( Resource.ResourceManager[ Resource.MessageKey.exc_invalid_attribute_designator ] );
}
/// <summary>
/// Resolves the PolicyReferenceId using the policy repository
/// </summary>
/// <param name="policyReference">The policy reference</param>
/// <returns>The policy found</returns>
public static pol.PolicyElement Resolve( pol.PolicyIdReferenceElement policyReference )
{
if( ConfigurationRoot.Config != null )
{
// Search for attributes in the configured repositories
foreach( inf.IPolicyRepository repository in ConfigurationRoot.Config.PolicyRepositories )
{
pol.PolicyElement policy = repository.GetPolicy( policyReference );
if( policy != null )
{
return policy;
}
}
}
return null;
}
/// <summary>
/// Resolves the AttributeSelector in the context document using the XPath sentence.
/// </summary>
/// <param name="context">The evaluation context instance.</param>
/// <param name="attributeSelector">The attribute selector.</param>
/// <returns>A bag of values with the contents of the node.</returns>
public static BagValue Resolve( EvaluationContext context, pol.AttributeSelectorElement attributeSelector )
{
BagValue bagValue = new BagValue( GetDataType( attributeSelector.DataType ) );
ctx.ResourceContentElement content = (ctx.ResourceContentElement)context.CurrentResource.ResourceContent;
if( content != null )
{
XmlDocument doc = context.ContextDocument.XmlDocument;
if( context.ContextDocument.XmlNamespaceManager == null )
{
context.ContextDocument.AddNamespaces( context.PolicyDocument.Namespaces );
}
try
{
string xpath = attributeSelector.RequestContextPath;
XmlNodeList nodeList = doc.DocumentElement.SelectNodes( xpath, context.ContextDocument.XmlNamespaceManager );
if( nodeList != null )
{
foreach( XmlNode node in nodeList )
{
pol.AttributeValueElement ave =
new pol.AttributeValueElement(
attributeSelector.DataType,
node.InnerText,
attributeSelector.SchemaVersion );
bagValue.Add( ave );
}
}
}
catch( XPathException e )
{
context.Trace( Resource.TRACE_ERROR, e.Message );
bagValue = new BagValue( GetDataType( attributeSelector.DataType ) );
}
}
return bagValue;
}
/// <summary>
/// Evaluate the context document using a specified policy
/// </summary>
/// <param name="policyDocument">The policy instance</param>
/// <param name="contextDocument">The context document instance</param>
/// <returns>The response document</returns>
public ctx.ResponseElement Evaluate( pol.PolicyDocument policyDocument, ctx.ContextDocument contextDocument )
{
if (policyDocument == null) throw new ArgumentNullException("policyDocument");
if (contextDocument == null) throw new ArgumentNullException("contextDocument");
EvaluationContext context = new EvaluationContext( this, policyDocument, (ctx.ContextDocument)contextDocument ) ;
context.Trace( "Start evaluation" );
context.AddIndent();
if ( policyDocument == null || contextDocument == null )
{
// If a validation error was found a response is created with the syntax error message
ctx.ResponseElement response =
new ctx.ResponseElement(
new ctx.ResultElement[] {
new ctx.ResultElement(
null,
Decision.Indeterminate,
new ctx.StatusElement(
new ctx.StatusCodeElement( StatusCodes.ProcessingError, null, policyDocument.Version ),
null,
null, policyDocument.Version ),
null, policyDocument.Version ) },
policyDocument.Version );
return response;
}
// Check if both documents are valid
if( !policyDocument.IsValidDocument || !contextDocument.IsValidDocument )
{
// If a validation error was found a response is created with the syntax error message
ctx.ResponseElement response =
new ctx.ResponseElement(
new ctx.ResultElement[] {
new ctx.ResultElement(
null,
Decision.Indeterminate,
new ctx.StatusElement(
new ctx.StatusCodeElement( StatusCodes.SyntaxError, null, policyDocument.Version ),
null,
null, policyDocument.Version ),
null, policyDocument.Version ) },
policyDocument.Version );
return response;
}
// Create a new response
contextDocument.Response = new ctx.ResponseElement( (ctx.ResultElement[])null, policyDocument.Version );
try
{
// Create the evaluable policy intance
IMatchEvaluable policy = null;
if( policyDocument.PolicySet != null )
{
policy = new PolicySet( this, (pol.PolicySetElement)policyDocument.PolicySet );
}
else if( policyDocument.Policy != null )
{
policy = new Policy( (pol.PolicyElement)policyDocument.Policy );
}
// Evaluate the policy or policy set
if( policy != null )
{
// Creates the evaluable policy set
if( policy.AllResources.Count == 0 )
{
policy.AllResources.Add( "" );
}
string requestedResourceString = String.Empty;
Uri requestedResource = null;
foreach( ctx.ResourceElement resource in contextDocument.Request.Resources )
{
// Keep the requested resource
if( resource.IsHierarchical )
{
foreach( ctx.AttributeElement attribute in resource.Attributes )
{
if( attribute.AttributeId == ResourceElement.ResourceId )
{
if( context.PolicyDocument.Version == XacmlVersion.Version10 ||
context.PolicyDocument.Version == XacmlVersion.Version11 )
{
requestedResourceString = attribute.AttributeValues[0].Contents;
}
else
{
if( attribute.AttributeValues.Count > 1 )
{
throw new NotSupportedException( "resources contains a bag of values" );
}
requestedResourceString = attribute.AttributeValues[0].Contents;
}
}
}
if( !string.IsNullOrEmpty(requestedResourceString) )
{
requestedResource = new Uri( requestedResourceString );
}
}
// Iterate through the policy resources evaluating each resource in the context document request
foreach( string resourceName in policy.AllResources )
{
bool mustEvaluate;
if( resource.IsHierarchical )
{
//Validate if the resource is hierarchically desdendant or children
//of the requested resource
Uri policyResource = new Uri( resourceName );
if( !(mustEvaluate = requestedResource.Equals( policyResource ) ) )
{
// Perform the hierarchical evaluation
if( resource.ResourceScopeValue == ctx.ResourceScope.Children )
{
mustEvaluate = typ.AnyUri.IsChildrenOf( requestedResource, policyResource );
}
else if( resource.ResourceScopeValue == ctx.ResourceScope.Descendants )
{
mustEvaluate = typ.AnyUri.IsDescendantOf( requestedResource, policyResource );
}
}
if( mustEvaluate )
{
foreach( ctx.AttributeElementReadWrite attribute in context.CurrentResource.Attributes )
{
if( attribute.AttributeId == ResourceElement.ResourceId )
{
attribute.AttributeValues[0].Contents = resourceName;
break;
}
}
}
}
else
{
context.CurrentResource = resource;
mustEvaluate = true;
}
if( mustEvaluate )
{
// Evaluates the policy set
Decision decision = policy.Evaluate( context );
// Create a status code using the policy execution state
ctx.StatusCodeElement scode;
if( context.IsMissingAttribute )
{
scode = new ctx.StatusCodeElement(
StatusCodes.MissingAttribute, null, policyDocument.Version );
}
else if( context.ProcessingError )
{
scode = new ctx.StatusCodeElement(
StatusCodes.ProcessingError, null, policyDocument.Version );
}
else
{
scode = new ctx.StatusCodeElement(
StatusCodes.OK, null, policyDocument.Version );
}
//Stop the iteration if there is not a hierarchical request
if( !resource.IsHierarchical )
{
// Ussually when a single resource is requested the ResourceId is not specified in the result
IObligationsContainer oblig = policy as IObligationsContainer;
contextDocument.Response.Results.Add(
new ctx.ResultElement( "", decision,
new ctx.StatusElement( scode, "", "", policyDocument.Version ), oblig.Obligations, policyDocument.Version ) );
break;
}
else
{
// Adding a resource for each requested resource, using the resourceName as the resourceId of the result
IObligationsContainer oblig = policy as IObligationsContainer;
contextDocument.Response.Results.Add(
new ctx.ResultElement( resourceName, decision,
new ctx.StatusElement( scode, "", "", policyDocument.Version ), oblig.Obligations, policyDocument.Version ) );
}
} // if( mustEvaluate )
} // foreach( string resourceName in policy.AllResources )
}
} //if( policy != null )
}
catch( EvaluationException e )
{
// If a validation error was found a response is created with the syntax error message
contextDocument.Response =
new ctx.ResponseElement(
new ctx.ResultElement[] {
new ctx.ResultElement(
null,
Decision.Indeterminate,
new ctx.StatusElement(
new ctx.StatusCodeElement( StatusCodes.ProcessingError, null, policyDocument.Version ),
e.Message,
e.StackTrace, policyDocument.Version ),
null, policyDocument.Version ) },
policyDocument.Version );
}
return contextDocument.Response;
}
/// <summary>
/// Creates a new runtime policy set evaluation.
/// </summary>
/// <param name="engine">The evaluation engine.</param>
/// <param name="policySet">The policy set defined in the policy document.</param>
public PolicySet( EvaluationEngine engine, pol.PolicySetElement policySet )
{
if (engine == null) throw new ArgumentNullException("engine");
if (policySet == null) throw new ArgumentNullException("policySet");
_policySet = policySet;
// Create a runtime target of this policy set.
if( policySet.Target != null )
{
_target = new Target( (pol.TargetElement)policySet.Target );
foreach( pol.ResourceElement resource in policySet.Target.Resources.ItemsList )
{
foreach( pol.ResourceMatchElement rmatch in resource.Match )
{
if( !_allResources.Contains( rmatch.AttributeValue.Contents ) )
{
_allResources.Add( rmatch.AttributeValue.Contents );
}
}
}
}
// Add all the policies (or policy set) inside this policy set.
foreach( object child in policySet.Policies )
{
pol.PolicySetElement childPolicySet = child as pol.PolicySetElement;
pol.PolicyElement childPolicyElement = child as pol.PolicyElement;
pol.PolicySetIdReferenceElement childPolicySetIdReference = child as pol.PolicySetIdReferenceElement;
pol.PolicyIdReferenceElement childPolicyIdReferenceElement = child as pol.PolicyIdReferenceElement;
if (childPolicySet != null)
{
PolicySet policySetEv = new PolicySet(engine, childPolicySet);
foreach( string rName in policySetEv.AllResources )
{
if( !_allResources.Contains( rName ) )
{
_allResources.Add( rName );
}
}
_policies.Add( policySetEv );
}
else if (childPolicyElement!=null)
{
Policy policyEv = new Policy(childPolicyElement);
foreach( string rName in policyEv.AllResources )
{
if( !_allResources.Contains( rName ) )
{
_allResources.Add( rName );
}
}
_policies.Add( policyEv );
}
else if (childPolicySetIdReference!=null)
{
pol.PolicySetElement policySetDefinition = EvaluationEngine.Resolve(childPolicySetIdReference);
if( policySetDefinition != null )
{
PolicySet policySetEv = new PolicySet( engine, policySetDefinition );
foreach( string rName in policySetEv.AllResources )
{
if( !_allResources.Contains( rName ) )
{
_allResources.Add( rName );
}
}
_policies.Add( policySetEv );
}
else
{
throw new EvaluationException( Resource.ResourceManager[ Resource.MessageKey.exc_policyset_reference_not_resolved, ((pol.PolicySetIdReferenceElement)child).PolicySetId ] );
}
}
else if (childPolicyIdReferenceElement!=null)
{
pol.PolicyElement policyDefinition = EvaluationEngine.Resolve(childPolicyIdReferenceElement);
if( policyDefinition != null )
{
Policy policyEv = new Policy( policyDefinition );
foreach( string rName in policyEv.AllResources )
{
if( !_allResources.Contains( rName ) )
{
_allResources.Add( rName );
}
}
_policies.Add( policyEv );
}
else
{
throw new EvaluationException( Resource.ResourceManager[ Resource.MessageKey.exc_policy_reference_not_resolved, ((pol.PolicyIdReferenceElement)child).PolicyId ] );
}
}
}
}
/// <summary>
/// Returns a policy set document using the PolicySetRefereneId specified.
/// </summary>
/// <param name="policySetReference">The policy set reference with the Id of the policy set searched.</param>
/// <returns>The policy set document.</returns>
public pol.PolicySetElement GetPolicySet(pol.PolicySetIdReferenceElement policySetReference)
{
if (policySetReference == null) throw new ArgumentNullException("policySetReference");
pol.PolicyDocument doc = _policySets[ policySetReference.PolicySetId ] as pol.PolicyDocument;
if( doc != null )
{
return (pol.PolicySetElement)doc.PolicySet; //TODO: check if we have to return a read write or a read only policy here.
}
return null;
}
