public PermissionValidationResponse Validate(PermissionValidationRequest request)
{
var allowedResources = new List <CRN>();
var deniedResources = new List <CRN>();
var requestedResources = this.resourceFinder.Find(request.Resource).ToList();
if (!Validator.TryValidate(() => ValidateResources(requestedResources, request), out var resourceValidationResult))
{
return(PermissionValidationResponse.InvalidFromResourceValidation(request, resourceValidationResult));
}
var issuedGrants = this.permissionGrantFinder.Find(request.Principal, request.Schema);
foreach (var g in issuedGrants)
{
// apply policy at ticket issue time
if (!this.policyApplicator.IsGrantValid(g))
{
continue;
}
var grantedResources = this.resourceFinder.Find(g.Resource);
var intersection = grantedResources.Intersect(requestedResources);
var preValidationDeniedResources = requestedResources.Where(r => !intersection.Contains(r)).Select(r => r.Identifier).ToList();
foreach (var validResource in intersection)
{
Validator.TryValidate(
() => this.resourceValidator.Validate(validResource.Identifier, request.Action),
out var result);
var resourceActionAllowed = g.Actions.Contains(request.Action);
if (!resourceActionAllowed || !result.IsValid)
{
deniedResources.Add(validResource.Identifier);
continue;
}
allowedResources.Add(validResource.Identifier);
}
if (preValidationDeniedResources.Any())
{
deniedResources.AddRange(preValidationDeniedResources);
}
}
allowedResources = allowedResources.Distinct().ToList();
deniedResources = deniedResources.Distinct().ToList();
return(PermissionValidationResponse.From(request, allowedResources, deniedResources));
}
public PermissionTicket Request(params PermissionTicketRequest[] request)
{
if (request == null || request.Length == 0)
{
return(PermissionTicket.Invalid());
}
var requestHash = string.Join(".", request.Select(r => r.GetHash()));
var ticket = this.storage.Find(requestHash);
var existingTicketExpired = ticket != null && ticket.IsExpired(DateTimeOffset.UtcNow);
if (!existingTicketExpired && ticket != null)
{
return(ticket);
}
this.storage.Remove(requestHash);
var responses = new PermissionValidationResponse[request.Length];
for (var i = 0; i < request.Length; i++)
{
responses[i] = this.validator.Validate(request[i]);
}
ticket = PermissionTicket.FromValidation(responses);
ticket.WithExpiry(DateTimeOffset.UtcNow.AddMinutes(DefaultTicketDurationMinutes));
if (ticket.IsValid)
{
this.storage.Add(requestHash, ticket);
}
return(ticket);
}
