public AccessControlResponseContext(AccessControlEffect effect, ICollection <JObject> data, IEnumerable <string> obligationAfterIds, IEnumerable <string> obligationBeforeIds) { Effect = effect; Data = data; ObligationAfterIds = obligationAfterIds; ObligationBeforeIds = obligationBeforeIds; }
public AccessControlResponseContext ExecuteProcess(Subject subject, Resource resource, string action, EnvironmentObject environment) { environment.Data.AddAnnotation(action); var permitPolicies = new List <AccessControlPolicy>(); var denyPolicies = new List <AccessControlPolicy>(); IEnumerable <string> afterObligationIds = null; IEnumerable <string> beforeObligationIds = null; AccessControlEffect decision = AccessControlProcess(subject, resource, action, environment, ref permitPolicies, ref denyPolicies); if (decision == AccessControlEffect.Permit) { afterObligationIds = permitPolicies.SelectMany(n => n.ObligationAfterIds); beforeObligationIds = permitPolicies.SelectMany(n => n.ObligationBeforeIds); } else if (decision == AccessControlEffect.Deny) { afterObligationIds = denyPolicies.SelectMany(n => n.ObligationAfterIds); beforeObligationIds = denyPolicies.SelectMany(n => n.ObligationBeforeIds); } return(new AccessControlResponseContext(decision, null, afterObligationIds, beforeObligationIds)); }
private AccessControlEffect CollectionAccessControlProcess( Subject subject, Resource resource, string action, EnvironmentObject environment, ref List <AccessControlPolicy> permitPolicies, ref List <AccessControlPolicy> denyPolicies) { AccessControlEffect result = AccessControlEffect.Deny; ICollection <AccessControlPolicy> collectionPolicies = _accessControlPolicyRepository.Get(resource.Name, action, false); string policyCombining = _policyCombiningRepository.GetRuleCombining(collectionPolicies); var targetPolicies = new List <AccessControlPolicy>(); foreach (var policy in collectionPolicies) { bool isTarget = _expressionService.Evaluate(policy.Target, subject.Data, null, environment.Data); if (isTarget) { targetPolicies.Add(policy); } } foreach (var policy in targetPolicies) { string policyEffect = String.Empty; foreach (var rule in policy.Rules) { bool isApplied = _expressionService.Evaluate(rule.Condition, subject.Data, null, environment.Data); if (isApplied && rule.Effect.Equals("Permit") && policy.RuleCombining.Equals(AlgorithmCombining.PERMIT_OVERRIDES)) { policyEffect = "Permit"; break; } if (isApplied && rule.Effect.Equals("Deny") && policy.RuleCombining.Equals(AlgorithmCombining.DENY_OVERRIDES)) { policyEffect = "Deny"; break; } } if (policyEffect.Equals("Permit") && policyCombining.Equals(AlgorithmCombining.PERMIT_OVERRIDES)) { result = AccessControlEffect.Permit; break; } else if (policyEffect.Equals("Deny") && policyCombining.Equals(AlgorithmCombining.DENY_OVERRIDES)) { result = AccessControlEffect.Deny; break; } // add retaive policy here } return(result); }
public AccessControlResponseContext ExecuteProcess(Subject subject, Resource resource, string action, EnvironmentObject environment) { environment.Data.AddAnnotation(action); AccessControlEffect collectionEffect = CollectionAccessControlProcess(subject, resource, action, environment); if (collectionEffect == AccessControlEffect.Deny) { return(new AccessControlResponseContext(AccessControlEffect.Deny, null)); } else if (collectionEffect == AccessControlEffect.Permit) { return(new AccessControlResponseContext(AccessControlEffect.Permit, resource.Data)); } var accessControlRecordPolicies = _accessControlPolicyRepository.Get(resource.Name, action, true); if (accessControlRecordPolicies.Count == 0) { return(new AccessControlResponseContext(AccessControlEffect.Deny, null)); } string policyCombining = _policyCombiningRepository.GetRuleCombining(accessControlRecordPolicies); ICollection <JObject> _resource = new List <JObject>(); if (resource.Data.Length > 1000) { Parallel.ForEach(resource.Data, record => { if (RowAccessControlProcess(subject, record, environment, policyCombining, accessControlRecordPolicies) != null) { lock (_resource) _resource.Add(record); } }); } else { foreach (var record in resource.Data) { if (RowAccessControlProcess(subject, record, environment, policyCombining, accessControlRecordPolicies) != null) { _resource.Add(record); } } } if (_resource.Count == 0) { return(new AccessControlResponseContext(AccessControlEffect.Deny, null)); } return(new AccessControlResponseContext(AccessControlEffect.Permit, _resource)); }
public AccessControlResponseContext(AccessControlEffect effect, ICollection <JObject> data) { Effect = effect; Data = data; }
public ResponseContext(AccessControlEffect effect, ICollection <JObject> data) { Effect = effect; JsonObjects = data; }
public ResponseContext(AccessControlEffect effect, JArray data, string message = null) { Effect = effect; Data = data; Message = message; }
private AccessControlEffect AccessControlProcess( Subject subject, Resource resource, string action, EnvironmentObject environment, ref List <AccessControlPolicy> permitPolicies, ref List <AccessControlPolicy> denyPolicies) { AccessControlEffect result = AccessControlEffect.NotApplicable; ICollection <AccessControlPolicy> collectionPolicies = _accessControlPolicyRepository.Get(resource.Name, action, null); string policyCombining = _policyCombiningRepository.GetRuleCombining(collectionPolicies); var resourceData = resource.Data[0]; var targetPolicies = new List <AccessControlPolicy>(); foreach (var policy in collectionPolicies) { bool isTarget = _expressionService.Evaluate(policy.Target, subject.Data, resourceData, environment.Data); if (isTarget) { targetPolicies.Add(policy); } } foreach (var policy in targetPolicies) { var policyEffect = AccessControlEffect.NotApplicable; foreach (var rule in policy.Rules) { bool isApplied = _expressionService.Evaluate(rule.Condition, subject.Data, resourceData, environment.Data); if (isApplied && rule.Effect.Equals(RuleEffect.PERMIT) && policy.RuleCombining.Equals(AlgorithmCombining.PERMIT_OVERRIDES)) { policyEffect = AccessControlEffect.Permit; break; } if (isApplied && rule.Effect.Equals(RuleEffect.DENY) && policy.RuleCombining.Equals(AlgorithmCombining.DENY_OVERRIDES)) { policyEffect = AccessControlEffect.Deny; break; } } if (policyEffect == AccessControlEffect.Permit) { permitPolicies.Add(policy); if (policyCombining.Equals(AlgorithmCombining.PERMIT_OVERRIDES)) { result = AccessControlEffect.Permit; break; } } else if (policyEffect == AccessControlEffect.Deny) { denyPolicies.Add(policy); if (policyCombining.Equals(AlgorithmCombining.DENY_OVERRIDES)) { result = AccessControlEffect.Deny; break; } } } return(result); }