/// <summary>
/// Test double for rule lookup: returns canned rules for the fixed fixture
/// (app "SKD/TaxReport" offered by party 50001337), one set per matching
/// current delegation change returned by the repository.
/// </summary>
/// <param name="appIds">App identifiers ("org/app") to filter delegation changes by.</param>
/// <param name="offeredByPartyIds">Party ids that offered the delegations.</param>
/// <param name="coveredByPartyIds">Party ids that received the delegations.</param>
/// <param name="coveredByUserIds">User ids that received the delegations.</param>
/// <returns>The canned rules for every matching delegation change; empty when nothing matches.</returns>
public async Task<List<Rule>> GetRulesAsync(List<string> appIds, List<int> offeredByPartyIds, List<int> coveredByPartyIds, List<int> coveredByUserIds)
{
    const string fixtureApp = "SKD/TaxReport";
    const int fixtureOfferedBy = 50001337;

    var result = new List<Rule>();
    List<DelegationChange> changes = await _delegationRepository.GetAllCurrentDelegationChanges(offeredByPartyIds, appIds, coveredByPartyIds, coveredByUserIds);

    foreach (DelegationChange dc in changes)
    {
        // Every canned rule shares the same app and offering party; anything else yields no rules.
        if (dc.AltinnAppId != fixtureApp || dc.OfferedByPartyId != fixtureOfferedBy)
        {
            continue;
        }

        // Local helper so the repeated constructor arguments are spelled out once.
        Rule Canned(string subjectId, string subjectAttribute, string action)
            => TestDataHelper.GetRuleModel(dc.PerformedByUserId, dc.OfferedByPartyId, subjectId, subjectAttribute, action, "SKD", "TaxReport");

        // User 20001336 holds read and write.
        if (dc.CoveredByUserId == 20001336)
        {
            result.Add(Canned(dc.CoveredByUserId.ToString(), AltinnXacmlConstants.MatchAttributeIdentifiers.UserAttribute, "read"));
            result.Add(Canned(dc.CoveredByUserId.ToString(), AltinnXacmlConstants.MatchAttributeIdentifiers.UserAttribute, "write"));
        }

        // Parties 50001336 and 50001337 each hold sign. This is checked independently of the
        // user branch above (not else-if), matching the original three separate conditions.
        if (dc.CoveredByPartyId == 50001336 || dc.CoveredByPartyId == 50001337)
        {
            result.Add(Canned(dc.CoveredByPartyId.ToString(), AltinnXacmlConstants.MatchAttributeIdentifiers.PartyAttribute, "sign"));
        }
    }

    return result;
}
/// <inheritdoc/>
public async Task<List<Rule>> GetRulesAsync(List<string> appIds, List<int> offeredByPartyIds, List<int> coveredByPartyIds, List<int> coveredByUserIds)
{
    // Resolve the current delegation changes for the given filters, then expand each change that is
    // still in force into the rules of the policy version it references.
    var result = new List<Rule>();
    List<DelegationChange> changes = await _delegationRepository.GetAllCurrentDelegationChanges(offeredByPartyIds, appIds, coveredByPartyIds, coveredByUserIds);

    foreach (DelegationChange change in changes)
    {
        // A change whose current state is RevokeLast contributes no rules.
        if (change.DelegationChangeType == DelegationChangeType.RevokeLast)
        {
            continue;
        }

        // The policy is fetched at the version id stored with the change, not the current blob.
        XacmlPolicy policy = await _prp.GetPolicyVersionAsync(change.BlobStoragePolicyPath, change.BlobStorageVersionId);

        // NOTE(review): policy is dereferenced without a null check — confirm GetPolicyVersionAsync
        // never returns null for a stored path/version pair, or a missing blob surfaces as a NullReferenceException here.
        result.AddRange(GetRulesFromPolicyAndDelegationChange(policy.Rules, change));
    }

    return result;
}
/// <summary>
/// Evaluates the decision request against delegated rights, consulting three sources in order:
/// delegations to the user from the reportee, delegations to the user from the reportee's main units,
/// and delegations from those offering parties to units the user holds a key role in.
/// The first source producing a Permit ends the evaluation.
/// </summary>
/// <param name="decisionRequest">The XACML request. It is enriched in place with key-role party ids before the third step runs.</param>
/// <param name="appPolicy">The app policy the delegated rules are evaluated against.</param>
/// <returns>
/// Indeterminate when the request lacks org, app, a non-zero user id or a parseable reportee party id;
/// otherwise the response of the last delegation source evaluated, or NotApplicable when no delegations were found.
/// </returns>
private async Task<XacmlContextResponse> AuthorizeBasedOnDelegations(XacmlContextRequest decisionRequest, XacmlPolicy appPolicy)
{
    XacmlContextResponse ResponseWithDecision(XacmlContextDecision decision)
        => new XacmlContextResponse(new XacmlContextResult(decision) { Status = new XacmlContextStatus(XacmlContextStatusCode.Success) });

    bool HasPermit(XacmlContextResponse candidate)
        => candidate.Results.Any(result => result.Decision == XacmlContextDecision.Permit);

    XacmlContextResponse response = ResponseWithDecision(XacmlContextDecision.NotApplicable);

    XacmlResourceAttributes attributes = _delegationContextHandler.GetResourceAttributes(decisionRequest);
    int userId = _delegationContextHandler.GetSubjectUserId(decisionRequest);

    // A user id of 0 is treated as "no subject user"; a reportee party that does not parse as an int is treated as missing.
    if (attributes == null
        || string.IsNullOrEmpty(attributes.OrgValue)
        || string.IsNullOrEmpty(attributes.AppValue)
        || userId == 0
        || !int.TryParse(attributes.ResourcePartyValue, out int reporteeId))
    {
        // Incomplete request: answered with Indeterminate rather than NotApplicable.
        // NOTE(review): the whole decision request is serialised into the warning log — confirm it
        // carries nothing that must not end up in log storage.
        string serialized = JsonConvert.SerializeObject(decisionRequest);
        _logger.LogWarning("// DecisionController // Authorize // Delegations // Incomplete request: {request}", serialized);
        return ResponseWithDecision(XacmlContextDecision.Indeterminate);
    }

    var appIds = new List<string> { $"{attributes.OrgValue}/{attributes.AppValue}" };
    var offeredByPartyIds = new List<int> { reporteeId };
    var coveredByUserIds = new List<int> { userId };

    // 1. Rights delegated directly to the user by the reportee.
    List<DelegationChange> delegations = await _delegationRepository.GetAllCurrentDelegationChanges(offeredByPartyIds, appIds, coveredByUserIds: coveredByUserIds);
    if (delegations.Any())
    {
        response = await AuthorizeBasedOnDelegations(decisionRequest, delegations, appPolicy);
        if (HasPermit(response))
        {
            return response;
        }
    }

    // 2. Rights delegated directly to the user by the reportee's main units.
    List<MainUnit> mainUnits = await _delegationContextHandler.GetMainUnits(reporteeId);
    var mainUnitPartyIds = mainUnits.Where(unit => unit.PartyId.HasValue).Select(unit => unit.PartyId.Value).ToList();
    if (mainUnitPartyIds.Any())
    {
        // The main units are kept as offering parties so that step 3 also covers delegations they made.
        offeredByPartyIds.AddRange(mainUnitPartyIds);
        delegations = await _delegationRepository.GetAllCurrentDelegationChanges(mainUnitPartyIds, appIds, coveredByUserIds: coveredByUserIds);
        if (delegations.Any())
        {
            response = await AuthorizeBasedOnDelegations(decisionRequest, delegations, appPolicy);
            if (HasPermit(response))
            {
                return response;
            }
        }
    }

    // 3. Rights delegated to parties the user holds a key role in, offered by the reportee or its main units.
    List<int> keyRolePartyIds = await _delegationContextHandler.GetKeyRolePartyIds(userId);
    if (keyRolePartyIds.Any())
    {
        delegations = await _delegationRepository.GetAllCurrentDelegationChanges(offeredByPartyIds, appIds, coveredByPartyIds: keyRolePartyIds);
        if (delegations.Any())
        {
            // Mutates decisionRequest before evaluation — presumably so party-level rules can match the
            // user's key-role parties; confirm against Enrich. No Permit short-circuit here: this is the last source.
            _delegationContextHandler.Enrich(decisionRequest, keyRolePartyIds);
            response = await AuthorizeBasedOnDelegations(decisionRequest, delegations, appPolicy);
        }
    }

    // The response of the last source that was evaluated (possibly a non-Permit from step 1 or 2) is the answer.
    return response;
}