Exemplo n.º 1
0
        public async Task <List <Rule> > GetRulesAsync(List <string> appIds, List <int> offeredByPartyIds, List <int> coveredByPartyIds, List <int> coveredByUserIds)
        {
            List <Rule>             rulesList         = new List <Rule>();
            List <DelegationChange> delegationChanges = await _delegationRepository.GetAllCurrentDelegationChanges(offeredByPartyIds, appIds, coveredByPartyIds, coveredByUserIds);

            foreach (DelegationChange change in delegationChanges)
            {
                if (change.AltinnAppId == "SKD/TaxReport" && change.OfferedByPartyId == 50001337 && change.CoveredByUserId == 20001336)
                {
                    rulesList.Add(TestDataHelper.GetRuleModel(change.PerformedByUserId, change.OfferedByPartyId, change.CoveredByUserId.ToString(), AltinnXacmlConstants.MatchAttributeIdentifiers.UserAttribute, "read", "SKD", "TaxReport"));
                    rulesList.Add(TestDataHelper.GetRuleModel(change.PerformedByUserId, change.OfferedByPartyId, change.CoveredByUserId.ToString(), AltinnXacmlConstants.MatchAttributeIdentifiers.UserAttribute, "write", "SKD", "TaxReport"));
                }

                if (change.AltinnAppId == "SKD/TaxReport" && change.OfferedByPartyId == 50001337 && change.CoveredByPartyId == 50001336)
                {
                    rulesList.Add(TestDataHelper.GetRuleModel(change.PerformedByUserId, change.OfferedByPartyId, change.CoveredByPartyId.ToString(), AltinnXacmlConstants.MatchAttributeIdentifiers.PartyAttribute, "sign", "SKD", "TaxReport"));
                }

                if (change.AltinnAppId == "SKD/TaxReport" && change.OfferedByPartyId == 50001337 && change.CoveredByPartyId == 50001337)
                {
                    rulesList.Add(TestDataHelper.GetRuleModel(change.PerformedByUserId, change.OfferedByPartyId, change.CoveredByPartyId.ToString(), AltinnXacmlConstants.MatchAttributeIdentifiers.PartyAttribute, "sign", "SKD", "TaxReport"));
                }
            }

            return(rulesList);
        }
Exemplo n.º 2
0
        /// <inheritdoc/>
        public async Task <List <Rule> > GetRulesAsync(List <string> appIds, List <int> offeredByPartyIds, List <int> coveredByPartyIds, List <int> coveredByUserIds)
        {
            List <Rule>             rules             = new List <Rule>();
            List <DelegationChange> delegationChanges = await _delegationRepository.GetAllCurrentDelegationChanges(offeredByPartyIds, appIds, coveredByPartyIds, coveredByUserIds);

            foreach (DelegationChange delegationChange in delegationChanges)
            {
                if (delegationChange.DelegationChangeType != DelegationChangeType.RevokeLast)
                {
                    XacmlPolicy policy = await _prp.GetPolicyVersionAsync(delegationChange.BlobStoragePolicyPath, delegationChange.BlobStorageVersionId);

                    rules.AddRange(GetRulesFromPolicyAndDelegationChange(policy.Rules, delegationChange));
                }
            }

            return(rules);
        }
Exemplo n.º 3
0
        private async Task <XacmlContextResponse> AuthorizeBasedOnDelegations(XacmlContextRequest decisionRequest, XacmlPolicy appPolicy)
        {
            XacmlContextResponse delegationContextResponse = new XacmlContextResponse(new XacmlContextResult(XacmlContextDecision.NotApplicable)
            {
                Status = new XacmlContextStatus(XacmlContextStatusCode.Success)
            });

            XacmlResourceAttributes resourceAttributes = _delegationContextHandler.GetResourceAttributes(decisionRequest);
            int subjectUserId = _delegationContextHandler.GetSubjectUserId(decisionRequest);

            if (resourceAttributes == null ||
                string.IsNullOrEmpty(resourceAttributes.OrgValue) ||
                string.IsNullOrEmpty(resourceAttributes.AppValue) ||
                subjectUserId == 0 ||
                !int.TryParse(resourceAttributes.ResourcePartyValue, out int reporteePartyId))
            {
                // Not able to continue authorization based on delegations because of incomplete decision request
                string request = JsonConvert.SerializeObject(decisionRequest);
                _logger.LogWarning("// DecisionController // Authorize // Delegations // Incomplete request: {request}", request);
                return(new XacmlContextResponse(new XacmlContextResult(XacmlContextDecision.Indeterminate)
                {
                    Status = new XacmlContextStatus(XacmlContextStatusCode.Success)
                }));
            }

            List <string> appIds = new List <string> {
                $"{resourceAttributes.OrgValue}/{resourceAttributes.AppValue}"
            };
            List <int> offeredByPartyIds = new List <int> {
                reporteePartyId
            };
            List <int> coveredByUserIds = new List <int> {
                subjectUserId
            };

            // 1. Direct user delegations
            List <DelegationChange> delegations = await _delegationRepository.GetAllCurrentDelegationChanges(offeredByPartyIds, appIds, coveredByUserIds : coveredByUserIds);

            if (delegations.Any())
            {
                delegationContextResponse = await AuthorizeBasedOnDelegations(decisionRequest, delegations, appPolicy);

                if (delegationContextResponse.Results.Any(r => r.Decision == XacmlContextDecision.Permit))
                {
                    return(delegationContextResponse);
                }
            }

            // 2. Direct user delegations from mainunit
            List <MainUnit> mainunits = await _delegationContextHandler.GetMainUnits(reporteePartyId);

            List <int> mainunitPartyIds = mainunits.Where(m => m.PartyId.HasValue).Select(m => m.PartyId.Value).ToList();

            if (mainunitPartyIds.Any())
            {
                offeredByPartyIds.AddRange(mainunitPartyIds);
                delegations = await _delegationRepository.GetAllCurrentDelegationChanges(mainunitPartyIds, appIds, coveredByUserIds : coveredByUserIds);

                if (delegations.Any())
                {
                    delegationContextResponse = await AuthorizeBasedOnDelegations(decisionRequest, delegations, appPolicy);

                    if (delegationContextResponse.Results.Any(r => r.Decision == XacmlContextDecision.Permit))
                    {
                        return(delegationContextResponse);
                    }
                }
            }

            // 3. Direct party delegations to keyrole units
            List <int> keyrolePartyIds = await _delegationContextHandler.GetKeyRolePartyIds(subjectUserId);

            if (keyrolePartyIds.Any())
            {
                delegations = await _delegationRepository.GetAllCurrentDelegationChanges(offeredByPartyIds, appIds, coveredByPartyIds : keyrolePartyIds);

                if (delegations.Any())
                {
                    _delegationContextHandler.Enrich(decisionRequest, keyrolePartyIds);
                    delegationContextResponse = await AuthorizeBasedOnDelegations(decisionRequest, delegations, appPolicy);
                }
            }

            return(delegationContextResponse);
        }