private AccessControlEffect CollectionAccessControlProcess(
Subject subject,
Resource resource,
string action,
EnvironmentObject environment,
ref List <AccessControlPolicy> permitPolicies,
ref List <AccessControlPolicy> denyPolicies)
{
AccessControlEffect result = AccessControlEffect.Deny;
ICollection <AccessControlPolicy> collectionPolicies = _accessControlPolicyRepository.Get(resource.Name, action, false);
string policyCombining = _policyCombiningRepository.GetRuleCombining(collectionPolicies);
var targetPolicies = new List <AccessControlPolicy>();
foreach (var policy in collectionPolicies)
{
bool isTarget = _expressionService.Evaluate(policy.Target, subject.Data, null, environment.Data);
if (isTarget)
{
targetPolicies.Add(policy);
}
}
foreach (var policy in targetPolicies)
{
string policyEffect = String.Empty;
foreach (var rule in policy.Rules)
{
bool isApplied = _expressionService.Evaluate(rule.Condition, subject.Data, null, environment.Data);
if (isApplied && rule.Effect.Equals("Permit") && policy.RuleCombining.Equals(AlgorithmCombining.PERMIT_OVERRIDES))
{
policyEffect = "Permit";
break;
}
if (isApplied && rule.Effect.Equals("Deny") && policy.RuleCombining.Equals(AlgorithmCombining.DENY_OVERRIDES))
{
policyEffect = "Deny";
break;
}
}
if (policyEffect.Equals("Permit") && policyCombining.Equals(AlgorithmCombining.PERMIT_OVERRIDES))
{
result = AccessControlEffect.Permit;
break;
}
else if (policyEffect.Equals("Deny") && policyCombining.Equals(AlgorithmCombining.DENY_OVERRIDES))
{
result = AccessControlEffect.Deny;
break;
}
// add retaive policy here
}
return(result);
}
public AccessControlResponseContext ExecuteProcess(Subject subject, Resource resource, string action, EnvironmentObject environment)
{
environment.Data.AddAnnotation(action);
AccessControlEffect collectionEffect = CollectionAccessControlProcess(subject, resource, action, environment);
if (collectionEffect == AccessControlEffect.Deny)
{
return(new AccessControlResponseContext(AccessControlEffect.Deny, null));
}
else if (collectionEffect == AccessControlEffect.Permit)
{
return(new AccessControlResponseContext(AccessControlEffect.Permit, resource.Data));
}
var accessControlRecordPolicies = _accessControlPolicyRepository.Get(resource.Name, action, true);
if (accessControlRecordPolicies.Count == 0)
{
return(new AccessControlResponseContext(AccessControlEffect.Deny, null));
}
string policyCombining = _policyCombiningRepository.GetRuleCombining(accessControlRecordPolicies);
ICollection <JObject> _resource = new List <JObject>();
if (resource.Data.Length > 1000)
{
Parallel.ForEach(resource.Data, record =>
{
if (RowAccessControlProcess(subject, record, environment, policyCombining, accessControlRecordPolicies) != null)
{
lock (_resource)
_resource.Add(record);
}
});
}
else
{
foreach (var record in resource.Data)
{
if (RowAccessControlProcess(subject, record, environment, policyCombining, accessControlRecordPolicies) != null)
{
_resource.Add(record);
}
}
}
if (_resource.Count == 0)
{
return(new AccessControlResponseContext(AccessControlEffect.Deny, null));
}
return(new AccessControlResponseContext(AccessControlEffect.Permit, _resource));
}