/// <summary>
/// Authorizes a single-item request using the claims, resource, action and entity instance supplied in the <see cref="EdFiAuthorizationContext"/>.
/// </summary>
/// <param name="authorizationContext">The authorization context to be used in making the authorization decision.</param>
public Task AuthorizeSingleItemAsync(
EdFiAuthorizationContext authorizationContext,
CancellationToken cancellationToken)
{
throw new NotImplementedException();
}
private bool IsCreateUpdateOrDelete(EdFiAuthorizationContext authorizationContext)
{
return((_bitValuesByAction.Value[authorizationContext.Action.Single()
.Value] & 13) != 0);
}
/// <summary>
/// Performs authorization appropriate to the claims, resource, action and context data supplied in the <see cref="EdFiAuthorizationContextData"/>.
/// </summary>
/// <param name="authorizationContext">The authorization context to be used in making the authorization decision.</param>
private AuthorizationDetails GetAuthorizationDetails(EdFiAuthorizationContext authorizationContext)
{
var claimCheckResponse = PerformClaimCheck(authorizationContext);
if (!claimCheckResponse.Success)
{
throw new EdFiSecurityException(claimCheckResponse.SecurityExceptionMessage);
}
var relevantPrincipalClaims = claimCheckResponse.RelevantClaims;
// Only use the caller's first matching going up the hierarchy
var relevantPrincipalClaim = relevantPrincipalClaims.First();
// Look for an authorization strategy override on the caller's claims (flow the overrides down, even if they aren't the first claim encountered going up the hierarchy)
string authorizationStrategyOverrideName =
(from rpc in relevantPrincipalClaims
select rpc.ToEdFiResourceClaimValue()
.GetAuthorizationStrategyNameOverride(claimCheckResponse.RequestedAction))
.FirstOrDefault(x => !string.IsNullOrWhiteSpace(x));
string metadataAuthorizationStrategyName =
claimCheckResponse.AuthorizationMetadata
.SkipWhile(s => string.IsNullOrWhiteSpace(s.AuthorizationStrategy))
.Select(s => s.AuthorizationStrategy)
.FirstOrDefault();
// TODO: GKM - When claimset-specific override support is added, use this logic
//string claimSpecificOverrideAuthorizationStrategyName =
// resourceClaimAuthorizationStrategies
// // Find the resource claim that matches the relevant principal claim
// .SkipWhile(s => !s.ClaimName.EqualsIgnoreCase(relevantPrincipalClaim.Type))
// .Select(s => s.AuthorizationStrategyOverride)
// .FirstOrDefault();
// Use the claim's override, if present
//string authorizationStrategyName =
// claimSpecificAuthorizationStrategyName ?? metadataAuthorizationStrategyName;
string authorizationStrategyName =
authorizationStrategyOverrideName
?? metadataAuthorizationStrategyName;
// Make sure an authorization strategy is defined for this request
if (string.IsNullOrWhiteSpace(authorizationStrategyName))
{
throw new Exception(
string.Format(
"No authorization strategy was defined for the requested action '{0}' against resource URIs ['{1}'] matched by the caller's claim '{2}'.",
claimCheckResponse.RequestedAction,
string.Join("', '", claimCheckResponse.RequestedResourceUris),
relevantPrincipalClaim.Type));
}
_logger.DebugFormat(
"Authorization strategy '{0}' selected for request against resource '{1}'.",
authorizationStrategyName,
authorizationContext.Resource.First()
.Value);
// Look for an authorization validation rule set name override on the caller's claims (flow the overrides down, even if they aren't the first claim encountered going up the hierarchy)
string ruleSetNameOverride =
(from rpc in relevantPrincipalClaims
select rpc.ToEdFiResourceClaimValue()
.GetAuthorizationValidationRuleSetNameOverride(claimCheckResponse.RequestedAction))
.FirstOrDefault(x => !string.IsNullOrWhiteSpace(x));
var metadataRuleSetName =
(from rcas in claimCheckResponse.AuthorizationMetadata
select rcas.ValidationRuleSetName)
.FirstOrDefault(x => !string.IsNullOrWhiteSpace(x));
string ruleSetName =
ruleSetNameOverride
?? metadataRuleSetName;
// Set outbound authorization details
return(new AuthorizationDetails(
GetAuthorizationStrategy(authorizationStrategyName),
relevantPrincipalClaim,
ruleSetName));
}
/// <summary>
/// Authorizes a multiple-item read request using the claims, resource, and action supplied in the <see cref="EdFiAuthorizationContext"/>.
/// </summary>
/// <param name="authorizationContext">The authorization context to be used in making the authorization decision.</param>
/// <returns>The list of filters to be applied to the query for authorization.</returns>
public IReadOnlyList <AuthorizationFilterDetails> GetAuthorizationFilters(EdFiAuthorizationContext authorizationContext)
{
var details = GetAuthorizationDetails(authorizationContext);
return(details.AuthorizationStrategy.GetAuthorizationFilters(new[] { details.RelevantClaim }, authorizationContext));
}
