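        /// <summary>
        /// Builds a single XACML JSON decision request from the authenticated user, the requirement's action type
        /// and the org/app/instance identifiers found in the route. When neither org nor app is present as its own
        /// route value, both are taken from an "org/app" style app id route value instead.
        /// </summary>
        /// <param name="context">Authorization context; the user's claims become the subject attributes.</param>
        /// <param name="requirement">Carries the action type being requested.</param>
        /// <param name="routeData">Route values; identifiers that are absent are passed through as null.</param>
        /// <returns>The request root wrapping the assembled request.</returns>
        /// <exception cref="ArgumentNullException">Thrown when any argument is null.</exception>
        public static XacmlJsonRequestRoot CreateDecisionRequest(AuthorizationHandlerContext context, AppAccessRequirement requirement, RouteData routeData)
        {
            if (context == null)
            {
                throw new ArgumentNullException(nameof(context));
            }

            if (requirement == null)
            {
                throw new ArgumentNullException(nameof(requirement));
            }

            if (routeData == null)
            {
                throw new ArgumentNullException(nameof(routeData));
            }

            string instanceGuid         = routeData.Values[ParamInstanceGuid] as string;
            string app                  = routeData.Values[ParamApp] as string;
            string org                  = routeData.Values[ParamOrg] as string;
            string instanceOwnerPartyId = routeData.Values[ParamInstanceOwnerPartyId] as string;

            if (string.IsNullOrWhiteSpace(app) && string.IsNullOrWhiteSpace(org))
            {
                string appId = routeData.Values[ParamAppId] as string;

                // Route values are untrusted path input. An app id without a "/" used to throw
                // IndexOutOfRangeException here; it now leaves org/app unset, exactly as when the route values are
                // absent altogether. NOTE(review): this relies on the PDP treating a request with missing org/app
                // resource attributes as deny (NotApplicable/Indeterminate) - confirm against the policies.
                string[] appIdParts = appId?.Split("/");
                if (appIdParts != null && appIdParts.Length >= 2)
                {
                    org = appIdParts[0];
                    app = appIdParts[1];
                }
            }

            XacmlJsonRequest request = new XacmlJsonRequest
            {
                AccessSubject = new List <XacmlJsonCategory> { CreateSubjectCategory(context.User.Claims) },
                Action        = new List <XacmlJsonCategory> { CreateActionCategory(requirement.ActionType) },
                Resource      = new List <XacmlJsonCategory> { CreateResourceCategory(org, app, instanceOwnerPartyId, instanceGuid) },
            };

            return new XacmlJsonRequestRoot
            {
                Request = request
            };
        }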
        /// <summary>
        /// Builds a XACML multi-decision request: a single subject built from the user's claims, a single "read"
        /// action, a resource category set derived from the events, and the MultiRequests references tying them
        /// together.
        /// </summary>
        /// <param name="user">Authenticated principal whose claims become the subject attributes.</param>
        /// <param name="events">Cloud events the caller wants read-access decisions for.</param>
        /// <returns>The request root wrapping the assembled multi-request.</returns>
        /// <exception cref="ArgumentNullException">Thrown when <paramref name="user"/> is null.</exception>
        public static XacmlJsonRequestRoot CreateMultiDecisionRequest(ClaimsPrincipal user, List <CloudEvent> events)
        {
            if (user is null)
            {
                throw new ArgumentNullException(nameof(user));
            }

            // Only the read action is evaluated for event access.
            List <string> actionTypes = new List <string> { "read" };

            XacmlJsonRequest request = new XacmlJsonRequest
            {
                AccessSubject = new List <XacmlJsonCategory> { CreateMultipleSubjectCategory(user.Claims) }
            };
            request.Action   = CreateMultipleActionCategory(actionTypes);
            request.Resource = CreateMultipleResourceCategory(events);

            // References are built last because they point at the ids of the categories created above.
            request.MultiRequests = CreateMultiRequestsCategory(request.AccessSubject, request.Action, request.Resource);

            return new XacmlJsonRequestRoot
            {
                Request = request
            };
        }
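        /// <summary>
        /// Create a single "read" decision request for the instance referenced by a cloud event, on behalf of the
        /// given subject. The org, app, instance owner party id and instance guid are taken from segments of the
        /// event's Source path.
        /// </summary>
        /// <param name="cloudEvent">Event whose Source path carries the instance identifiers.</param>
        /// <param name="subject">Subject identifier placed in the access-subject category.</param>
        /// <returns>The request root wrapping the assembled request.</returns>
        /// <exception cref="ArgumentNullException">Thrown when <paramref name="cloudEvent"/> is null.</exception>
        /// <exception cref="ArgumentException">Thrown when the event has no Source to read the path from.</exception>
        public static XacmlJsonRequestRoot CreateDecisionRequest(CloudEvent cloudEvent, string subject)
        {
            if (cloudEvent == null)
            {
                throw new ArgumentNullException(nameof(cloudEvent));
            }

            if (cloudEvent.Source == null)
            {
                throw new ArgumentException("The cloud event has no Source; the instance path cannot be resolved.", nameof(cloudEvent));
            }

            string org = null;
            string app = null;
            string instanceOwnerPartyId = null;
            string instanceGuid         = null;

            // Leading "/" makes segment 0 empty. Segment 3 is skipped (presumably a literal path element such as
            // "instances" - confirm against the event producer). A shorter path leaves all four identifiers null and
            // the request is still issued. NOTE(review): confirm the PDP denies a request with no resource
            // identifiers rather than matching a broad policy.
            string[] pathParams = cloudEvent.Source.AbsolutePath.Split("/");

            if (pathParams.Length > 5)
            {
                org = pathParams[1];
                app = pathParams[2];
                instanceOwnerPartyId = pathParams[4];
                instanceGuid         = pathParams[5];
            }

            XacmlJsonRequest request = new XacmlJsonRequest
            {
                AccessSubject = new List <XacmlJsonCategory> { CreateSubjectCategory(subject) },
                Action        = new List <XacmlJsonCategory> { CreateActionCategory("read") },
                Resource      = new List <XacmlJsonCategory> { CreateEventsResourceCategory(org, app, instanceOwnerPartyId, instanceGuid) },
            };

            return new XacmlJsonRequestRoot
            {
                Request = request
            };
        }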
        /// <summary>
        /// Without an instance guid, the request must still carry two subject attributes, one action attribute and
        /// three resource attributes.
        /// </summary>
        public void CreateXacmlJsonRequest_TC02()
        {
            // Arrange & Act: the instance guid is deliberately left out.
            XacmlJsonRequestRoot root = DecisionHelper.CreateXacmlJsonRequest(org, app, CreateUserClaims(true), actionType, partyId, null);

            // Assert
            XacmlJsonRequest built = root.Request;
            Assert.Equal(2, built.AccessSubject[0].Attribute.Count);
            Assert.Single(built.Action[0].Attribute);
            Assert.Equal(3, built.Resource[0].Attribute.Count);
        }
        /// <summary>
        /// Converts a JSON-encoded XACML request into the XML context request model, carrying over the subject,
        /// action, resource and any additional categories.
        /// </summary>
        /// <param name="xacmlJsonRequest">The JSON request; must not be null.</param>
        /// <returns>The equivalent context request.</returns>
        public static XacmlContextRequest ConvertRequest(XacmlJsonRequest xacmlJsonRequest)
        {
            Guard.ArgumentNotNull(xacmlJsonRequest, nameof(xacmlJsonRequest));

            Collection <XacmlContextAttributes> attributes = new Collection <XacmlContextAttributes>();

            // The three standard categories get their fixed XACML category ids; the extra categories are passed
            // with a null category, presumably so each entry supplies its own id (confirm in ConvertCategoryAttributes).
            ConvertCategoryAttributes(xacmlJsonRequest.AccessSubject, XacmlConstants.MatchAttributeCategory.Subject, attributes);
            ConvertCategoryAttributes(xacmlJsonRequest.Action, XacmlConstants.MatchAttributeCategory.Action, attributes);
            ConvertCategoryAttributes(xacmlJsonRequest.Resource, XacmlConstants.MatchAttributeCategory.Resource, attributes);
            ConvertCategoryAttributes(xacmlJsonRequest.Category, null, attributes);

            // Both boolean request options are left off (presumably return-policy-id-list and combined-decision -
            // confirm against the XacmlContextRequest constructor).
            return new XacmlContextRequest(false, false, attributes);
        }
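        /// <summary>
        /// Create decision request based for policy decision point.
        /// </summary>
        /// <param name="org">Unique identifier of the organisation responsible for the app.</param>
        /// <param name="app">Application identifier which is unique within an organisation.</param>
        /// <param name="user">Claims principal user; its claims become the subject attributes.</param>
        /// <param name="actionType">Policy action type i.e. read, write, delete, instantiate.</param>
        /// <param name="instanceOwnerPartyId">Unique id of the party that is the owner of the instance.</param>
        /// <param name="instanceGuid">Unique id to identify the instance; may be null for requests not tied to an instance.</param>
        /// <returns>The decision request.</returns>
        /// <exception cref="ArgumentNullException">Thrown when <paramref name="user"/> is null.</exception>
        public static XacmlJsonRequestRoot CreateDecisionRequest(string org, string app, ClaimsPrincipal user, string actionType, int instanceOwnerPartyId, Guid?instanceGuid)
        {
            if (user == null)
            {
                throw new ArgumentNullException(nameof(user));
            }

            // Identifiers are machine-readable, so format the party id culture-invariantly. Nullable<Guid>.ToString()
            // yields an empty string (not null) when no value is set, so the resource gets "" for a missing instance.
            string partyIdValue = instanceOwnerPartyId.ToString(System.Globalization.CultureInfo.InvariantCulture);
            string instanceGuidValue = instanceGuid.ToString();

            XacmlJsonRequest request = new XacmlJsonRequest
            {
                AccessSubject = new List <XacmlJsonCategory> { CreateSubjectCategory(user.Claims) },
                Action        = new List <XacmlJsonCategory> { CreateActionCategory(actionType) },
                Resource      = new List <XacmlJsonCategory> { CreateResourceCategory(org, app, partyIdValue, instanceGuidValue) },
            };

            return new XacmlJsonRequestRoot
            {
                Request = request
            };
        }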
        /// <summary>
        /// Assembles a single XACML JSON decision request from the authenticated user, the requirement's action
        /// type and the org/app/instance identifiers found in the route.
        /// </summary>
        /// <param name="context">Authorization context; the user's claims become the subject attributes.</param>
        /// <param name="requirement">Carries the action type being requested.</param>
        /// <param name="routeData">Route values supplying org, app, instance owner party id and instance guid.</param>
        /// <returns>The request root wrapping the assembled request.</returns>
        public static XacmlJsonRequestRoot CreateXacmlJsonRequestRoot(AuthorizationHandlerContext context, AppAccessRequirement requirement, RouteData routeData)
        {
            // Route values are untrusted path input; any that are absent are passed through as null.
            string routeOrg     = routeData.Values[ParamOrg] as string;
            string routeApp     = routeData.Values[ParamApp] as string;
            string routePartyId = routeData.Values[ParamInstanceOwnerPartyId] as string;
            string routeGuid    = routeData.Values[ParamInstanceGuid] as string;

            XacmlJsonRequest request = new XacmlJsonRequest
            {
                AccessSubject = new List <XacmlJsonCategory> { CreateSubjectCategory(context.User.Claims) },
                Action        = new List <XacmlJsonCategory> { CreateActionCategory(requirement.ActionType) },
                Resource      = new List <XacmlJsonCategory> { CreateResourceCategory(routeOrg, routeApp, routePartyId, routeGuid) },
            };

            return new XacmlJsonRequestRoot
            {
                Request = request
            };
        }
        /// <summary>
        /// Evaluates a JSON decision request. A request with fewer than two MultiRequests references is converted
        /// and evaluated as-is; otherwise each reference is expanded into its own single request (categories matched
        /// by Id) and the first result of each part is collected into one combined response.
        /// </summary>
        /// <param name="decisionRequest">The request to evaluate.</param>
        /// <returns>The JSON response; one result per reference when a multi-request was split.</returns>
        private async Task <XacmlJsonResponse> Authorize(XacmlJsonRequest decisionRequest)
        {
            var references = decisionRequest.MultiRequests?.RequestReference;

            if (references == null || references.Count < 2)
            {
                XacmlContextRequest singleRequest = XacmlJsonXmlConverter.ConvertRequest(decisionRequest);
                XacmlContextResponse singleResponse = await Authorize(singleRequest);

                return XacmlJsonXmlConverter.ConvertResponse(singleResponse);
            }

            // Picks, in reference order, every category whose Id matches one of the ids; null when nothing matched
            // so the part request carries no category in that slot.
            List <XacmlJsonCategory> PickMatching(IEnumerable <XacmlJsonCategory> categories, IEnumerable <string> ids)
            {
                List <XacmlJsonCategory> picked = ids
                    .SelectMany(id => categories.Where(category => category.Id.Equals(id)))
                    .ToList();

                return picked.Count > 0 ? picked : null;
            }

            XacmlJsonResponse combined = new XacmlJsonResponse();

            foreach (XacmlJsonRequestReference reference in references)
            {
                XacmlJsonRequest part = new XacmlJsonRequest
                {
                    Resource      = PickMatching(decisionRequest.Resource, reference.ReferenceId),
                    AccessSubject = PickMatching(decisionRequest.AccessSubject, reference.ReferenceId),
                    Action        = PickMatching(decisionRequest.Action, reference.ReferenceId),
                };

                XacmlContextResponse partResponse = await Authorize(XacmlJsonXmlConverter.ConvertRequest(part));
                XacmlJsonResponse partJson = XacmlJsonXmlConverter.ConvertResponse(partResponse);

                if (combined.Response == null)
                {
                    combined.Response = new List <XacmlJsonResult>();
                }

                // Presumably each part yields a single result; only the first is kept (confirm against the PDP).
                combined.Response.Add(partJson.Response.First());
            }

            return combined;
        }
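        /// <summary>
        /// Test double for the policy decision point. Multi-requests are split per reference and evaluated through
        /// <see cref="Authorize"/>; single requests are answered from canned permit/deny JSON using a hard-coded
        /// subject rule. Any failure while evaluating a multi-request yields the canned deny response (fail closed)
        /// instead of the previous behaviour of swallowing the exception and returning a null response.
        /// </summary>
        /// <param name="xacmlJsonRequest">The decision request to evaluate.</param>
        /// <returns>The JSON decision response; one result per reference for a multi-request, else the canned result.</returns>
        public async Task <XacmlJsonResponse> GetDecisionForRequest(XacmlJsonRequestRoot xacmlJsonRequest)
        {
            // Reads one of the canned responses shipped with the test data.
            XacmlJsonResponse Canned(string file)
            {
                return JsonConvert.DeserializeObject <XacmlJsonResponse>(File.ReadAllText(file));
            }

            XacmlJsonRequest request = xacmlJsonRequest.Request;

            if (request.MultiRequests != null)
            {
                try
                {
                    XacmlJsonResponse multiResponse = new XacmlJsonResponse
                    {
                        Response = new List <XacmlJsonResult>()
                    };

                    foreach (XacmlJsonRequestReference reference in request.MultiRequests.RequestReference)
                    {
                        // Picks, in reference order, every category whose Id matches one of this reference's ids;
                        // null when nothing matched so the part request carries no category in that slot.
                        List <XacmlJsonCategory> PickMatching(IEnumerable <XacmlJsonCategory> categories)
                        {
                            List <XacmlJsonCategory> picked = reference.ReferenceId
                                .SelectMany(refer => categories.Where(category => category.Id.Equals(refer)))
                                .ToList();

                            return picked.Count > 0 ? picked : null;
                        }

                        XacmlJsonRequest part = new XacmlJsonRequest
                        {
                            Resource      = PickMatching(request.Resource),
                            AccessSubject = PickMatching(request.AccessSubject),
                            Action        = PickMatching(request.Action),
                        };

                        XacmlContextResponse partResponse = await Authorize(XacmlJsonXmlConverter.ConvertRequest(part));
                        XacmlJsonResponse partJson = XacmlJsonXmlConverter.ConvertResponse(partResponse);

                        // Presumably each part yields a single result; only the first is kept (confirm against the PDP).
                        multiResponse.Response.Add(partJson.Response.First());
                    }

                    return multiResponse;
                }
                catch (Exception)
                {
                    // The original empty catch fell through to deserializing an empty string, i.e. a null response
                    // that callers then dereferenced. An evaluation failure must read as deny, never as "no decision".
                    return Canned("data/response_deny.json");
                }
            }

            // Hard-coded permit rule for the single-request path - test stub only: user id 1, or ANY subject that
            // presents an urn:altinn:org attribute regardless of its value, is permitted. A request with no subject
            // category or no attributes is denied rather than throwing.
            XacmlJsonCategory subject = request.AccessSubject != null && request.AccessSubject.Count > 0
                ? request.AccessSubject[0]
                : null;

            bool permit = subject?.Attribute != null
                && (subject.Attribute.Exists(a => a.AttributeId == "urn:altinn:userid" && a.Value == "1")
                    || subject.Attribute.Exists(a => a.AttributeId == "urn:altinn:org"));

            return Canned(permit ? "data/response_permit.json" : "data/response_deny.json");
        }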