private XacmlContextResponse SetuUpPolicyDecisionPoint(string testCase, bool contextRequstIsEnriched) { XacmlContextRequest contextRequest = XacmlTestDataParser.ParseRequest(testCase + "Request.xml", GetConformancePath()); XacmlContextRequest contextRequestEnriched = contextRequest; if (contextRequstIsEnriched) { contextRequestEnriched = XacmlTestDataParser.ParseRequest(testCase + "Request_Enriched.xml", GetConformancePath()); } Moq.Mock <IContextHandler> moqContextHandler = new Mock <IContextHandler>(); moqContextHandler.Setup(c => c.Enrich(It.IsAny <XacmlContextRequest>())).ReturnsAsync(contextRequestEnriched); Moq.Mock <IPolicyRetrievalPoint> moqPRP = new Mock <IPolicyRetrievalPoint>(); XacmlPolicy policy = null; try { policy = XacmlTestDataParser.ParsePolicy(testCase + "Policy.xml", GetConformancePath()); moqPRP.Setup(p => p.GetPolicyAsync(It.IsAny <XacmlContextRequest>())).ReturnsAsync(policy); } catch (XmlException ex) { moqPRP.Setup(p => p.GetPolicyAsync(It.IsAny <XacmlContextRequest>())).Throws(ex); } PolicyDecisionPoint pdp = new PolicyDecisionPoint(); XacmlContextResponse xacmlResponse = pdp.Authorize(contextRequestEnriched, policy); return(xacmlResponse); }
protected override Task HandleRequirementAsync(AuthorizationHandlerContext context, PolicyRequirement requirement) { context.Succeed(requirement); var ctx = context.Resource as AuthorizationFilterContext; //Here we need to call the methods to work with our policies var authRequest = new AuthorizationRequest(); var claims = context.User.Claims; foreach (var claim in claims) { authRequest.SubjectAttributes.Add(claim.Type, claim.Value); } authRequest.ResourceAttributes.Add("resource", requirement.ResourceNamespace); authRequest.ActionAttributes.Add("action", requirement.ActionNamespace); PolicyDecisionPoint _pdp = new PolicyDecisionPoint(_policyRepository, _grouPermission); var authResponse = _pdp.Evaluate(authRequest); if (authResponse.Decision == AuthorizationDecision.Permit) { context.Succeed(requirement); } else { if (ctx.HttpContext.Request.ContentType == "application/json") { ctx.Result = new UnauthorizedResult(); } else { context.Fail(); } } return(Task.CompletedTask); }
protected override bool AuthorizeCore(HttpContextBase httpContext) { string user = httpContext.User.Identity.Name; string method = httpContext.Request.HttpMethod; string resource = httpContext.Request.Url.AbsoluteUri; return(PolicyDecisionPoint.IsAcesssible(user, method, resource)); }
/// <summary> /// Initializes a new instance of the <see cref="DecisionController"/> class. /// </summary> /// <param name="contextHandler">The Context handler</param> /// <param name="delegationContextHandler">The delegation context handler</param> /// <param name="policyRetrievalPoint">The policy Retrieval point</param> /// <param name="delegationRepository">The delegation repository</param> /// <param name="logger">the logger.</param> public DecisionController(IContextHandler contextHandler, IDelegationContextHandler delegationContextHandler, IPolicyRetrievalPoint policyRetrievalPoint, IDelegationMetadataRepository delegationRepository, ILogger <DecisionController> logger) { _pdp = new PolicyDecisionPoint(); _prp = policyRetrievalPoint; _contextHandler = contextHandler; _delegationContextHandler = delegationContextHandler; _delegationRepository = delegationRepository; _logger = logger; }
private async Task <XacmlContextResponse> Authorize(XacmlContextRequest decisionRequest) { decisionRequest = await Enrich(decisionRequest); XacmlPolicy policy = await GetPolicyAsync(decisionRequest); PolicyDecisionPoint pdp = new PolicyDecisionPoint(); XacmlContextResponse xacmlContextResponse = pdp.Authorize(decisionRequest, policy); return(xacmlContextResponse); }
private async Task <XacmlContextResponse> Authorize(XacmlContextRequest decisionRequest) { decisionRequest = await this._contextHandler.Enrich(decisionRequest); _logger.LogInformation($"// DecisionController // Authorize // Enriched request: {JsonConvert.SerializeObject(decisionRequest)}."); XacmlPolicy policy = await this._prp.GetPolicyAsync(decisionRequest); PolicyDecisionPoint pdp = new PolicyDecisionPoint(); XacmlContextResponse xacmlContextResponse = pdp.Authorize(decisionRequest, policy); _logger.LogInformation($"// DecisionController // Authorize // XACML ContextResponse: {JsonConvert.SerializeObject(xacmlContextResponse)}."); return(xacmlContextResponse); }
public void PolicyDecisionPointShouldAllowReadForAllMedicalRecords() { var policyManagementPoint = new PolicyManagementPoint(); policyManagementPoint.Policies.Add( new Policy( id: "urn:oasis:names:tc:xacml:3.0:example:policyid:1", target: new Target( new AnyOf( new AllOf( new StringEqualMatch( new AttributeDesignator( Constants.Category.Resource, Resource.TargetNamespace, DataType.AnyUri), new AttributeValue( DataType.AnyUri, ""))))), combiningAlgorithm: new DenyOverridesCombiningAlgorithm(), rules: new IRule[] { })); var policyDecisionPoint = new PolicyDecisionPoint(policyManagementPoint); var authorizationResponse = policyDecisionPoint.Authorize( new AuthorizationRequest( new AuthorizationContext( new AttributeCategory( Constants.Category.AccessSubject, new Attribute( Constants.Attribute.SubjectId, new AttributeValue( dataType: DataType.Rfc822Name, value: "*****@*****.**"))), new AttributeCategory( Constants.Category.Resource, new Attribute( Constants.Attribute.ResourceId, new AttributeValue( dataType: DataType.AnyUri, value: "urn:simple:medical:record:12345"))), new AttributeCategory( Constants.Category.Action, new Attribute( Constants.Attribute.ActionId, new AttributeValue( dataType: DataType.String, value: "read")))))); Assert.IsNotNull(authorizationResponse); Assert.AreEqual(1, authorizationResponse.Results.Count()); Assert.AreEqual(authorizationResponse.Results.First().Decision, Decision.Permit); }
public ActionResult Post([FromBody] XacmlRequestApiModel model) { XacmlContextRequest request = null; XacmlContextResponse xacmlContextResponse = null; try { request = ParseApiBody(model); } catch (Exception) { XacmlContextResult result = new XacmlContextResult(XacmlContextDecision.Indeterminate) { Status = new XacmlContextStatus(XacmlContextStatusCode.SyntaxError) }; xacmlContextResponse = new XacmlContextResponse(result); } if (request != null) { PolicyDecisionPoint pdp = new PolicyDecisionPoint(_contextHandler, _prp); xacmlContextResponse = pdp.Authorize(request); } string accept = HttpContext.Request.Headers["Accept"]; if (!string.IsNullOrEmpty(accept) && accept.Equals("application/json")) { XacmlJsonResponse jsonReponse = XacmlJsonXmlConverter.ConvertResponse(xacmlContextResponse); return(Ok(jsonReponse)); } StringBuilder builder = new StringBuilder(); using (XmlWriter writer = XmlWriter.Create(builder)) { XacmlSerializer.WriteContextResponse(writer, xacmlContextResponse); } string xml = builder.ToString(); return(Content(xml)); }
private XacmlContextResponse SetuUpPolicyDecisionPoint(string testCase, bool contextRequstIsEnriched) { XacmlContextRequest contextRequest = XacmlTestDataParser.ParseRequest(testCase + "Request.xml", GetAltinnAppsPath()); XacmlContextRequest contextRequestEnriched = contextRequest; if (contextRequstIsEnriched) { contextRequestEnriched = XacmlTestDataParser.ParseRequest(testCase + "Request_Enriched.xml", GetAltinnAppsPath()); } XacmlPolicy policy = XacmlTestDataParser.ParsePolicy(testCase + "Policy.xml", GetAltinnAppsPath()); Moq.Mock <IContextHandler> moqContextHandler = new Mock <IContextHandler>(); moqContextHandler.Setup(c => c.Enrich(It.IsAny <XacmlContextRequest>())).ReturnsAsync(contextRequestEnriched); PolicyDecisionPoint pdp = new PolicyDecisionPoint(); XacmlContextResponse xacmlResponse = pdp.Authorize(contextRequestEnriched, policy); return(xacmlResponse); }
public static bool IsValidUser(string username, string password) { return(PolicyDecisionPoint.GetUser(username, password) != null); }
public static bool IsAutorized(string user, string method, string resource) { return(PolicyDecisionPoint.IsAcesssible(user, method, resource)); }
public async Task <XacmlJsonResponse> GetDecisionForRequest(XacmlJsonRequestRoot xacmlJsonRequest) { string jsonResponse = string.Empty; if (xacmlJsonRequest.Request.MultiRequests != null) { try { Authorization.ABAC.PolicyDecisionPoint pdp = new Authorization.ABAC.PolicyDecisionPoint(); XacmlJsonResponse multiResponse = new XacmlJsonResponse(); foreach (XacmlJsonRequestReference xacmlJsonRequestReference in xacmlJsonRequest.Request.MultiRequests.RequestReference) { XacmlJsonRequest jsonMultiRequestPart = new XacmlJsonRequest(); foreach (string refer in xacmlJsonRequestReference.ReferenceId) { IEnumerable <XacmlJsonCategory> resourceCategoriesPart = xacmlJsonRequest.Request.Resource.Where(i => i.Id.Equals(refer)); if (resourceCategoriesPart != null && resourceCategoriesPart.Count() > 0) { if (jsonMultiRequestPart.Resource == null) { jsonMultiRequestPart.Resource = new List <XacmlJsonCategory>(); } jsonMultiRequestPart.Resource.AddRange(resourceCategoriesPart); } IEnumerable <XacmlJsonCategory> subjectCategoriesPart = xacmlJsonRequest.Request.AccessSubject.Where(i => i.Id.Equals(refer)); if (subjectCategoriesPart != null && subjectCategoriesPart.Count() > 0) { if (jsonMultiRequestPart.AccessSubject == null) { jsonMultiRequestPart.AccessSubject = new List <XacmlJsonCategory>(); } jsonMultiRequestPart.AccessSubject.AddRange(subjectCategoriesPart); } IEnumerable <XacmlJsonCategory> actionCategoriesPart = xacmlJsonRequest.Request.Action.Where(i => i.Id.Equals(refer)); if (actionCategoriesPart != null && actionCategoriesPart.Count() > 0) { if (jsonMultiRequestPart.Action == null) { jsonMultiRequestPart.Action = new List <XacmlJsonCategory>(); } jsonMultiRequestPart.Action.AddRange(actionCategoriesPart); } } XacmlContextResponse partResponse = await Authorize(XacmlJsonXmlConverter.ConvertRequest(jsonMultiRequestPart)); XacmlJsonResponse xacmlJsonResponsePart = XacmlJsonXmlConverter.ConvertResponse(partResponse); if (multiResponse.Response == null) { multiResponse.Response = new List <XacmlJsonResult>(); } multiResponse.Response.Add(xacmlJsonResponsePart.Response.First()); } return(multiResponse); } catch { } } else if (xacmlJsonRequest.Request.AccessSubject[0].Attribute.Exists(a => (a.AttributeId == "urn:altinn:userid" && int.Parse(a.Value) >= 3)) || xacmlJsonRequest.Request.AccessSubject[0].Attribute.Exists(a => a.AttributeId == "urn:altinn:org")) { XacmlContextRequest decisionRequest = XacmlJsonXmlConverter.ConvertRequest(xacmlJsonRequest.Request); decisionRequest = await Enrich(decisionRequest); PolicyDecisionPoint pdp = new PolicyDecisionPoint(); XacmlPolicy policy = await GetPolicyAsync(decisionRequest); XacmlContextResponse contextResponse = pdp.Authorize(decisionRequest, policy); return(XacmlJsonXmlConverter.ConvertResponse(contextResponse)); } else if (xacmlJsonRequest.Request.AccessSubject[0].Attribute.Exists(a => (a.AttributeId == "urn:altinn:userid" && a.Value == "1")) || xacmlJsonRequest.Request.AccessSubject[0].Attribute.Exists(a => a.AttributeId == "urn:altinn:org")) { jsonResponse = File.ReadAllText("data/response_permit.json"); } else if (xacmlJsonRequest.Request.AccessSubject[0].Attribute.Exists(a => (a.AttributeId == "urn:altinn:userid" && a.Value == "-1"))) { jsonResponse = File.ReadAllText("data/response_deny.json"); } else { jsonResponse = File.ReadAllText("data/response_deny.json"); } XacmlJsonResponse response = JsonConvert.DeserializeObject <XacmlJsonResponse>(jsonResponse); return(response); }