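/// <summary>
/// Evaluates the policy set: matches its target, combines the child policies when the
/// target matches, and then processes the obligations.
/// </summary>
/// <param name="context">The evaluation context instance.</param>
/// <returns>The decision result for this policy set.</returns>
/// <exception cref="ArgumentNullException"><paramref name="context"/> is null.</exception>
public Decision Evaluate(EvaluationContext context)
{
    if (context == null)
    {
        throw new ArgumentNullException("context");
    }

    context.Trace("Evaluating policySet: {0}", _policySet.Description);
    context.CurrentPolicySet = this;
    try
    {
        context.Trace("Evaluating Target...");
        context.AddIndent();

        TargetEvaluationValue targetEvaluationValue;
        try
        {
            // Evaluate the policy set target.
            targetEvaluationValue = Match(context);
        }
        finally
        {
            // Restore the trace indentation even when target evaluation throws, so the
            // remainder of the decision trace is not shifted by one level.
            context.RemoveIndent();
        }

        context.Trace("Target: {0}", targetEvaluationValue);

        ProcessTargetEvaluationValue(context, targetEvaluationValue);
        context.Trace("PolicySet: {0}", _evaluationValue);

        // Per the original comment: if the policy set evaluated to Deny or Permit, the
        // obligations are added depending on their fulfill value.
        ProcessObligations(context);

        // NOTE(review): the decision is read from the instance field _evaluationValue;
        // confirm a single evaluator instance is never shared by concurrent requests.
        return _evaluationValue;
    }
    finally
    {
        // NOTE(review): this clears CurrentPolicySet instead of restoring the previous
        // value; verify that nested policy sets do not need the parent put back.
        context.CurrentPolicySet = null;
    }
}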
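/// <summary>
/// Matches the target of this policy against the evaluation context.
/// </summary>
/// <param name="context">The evaluation context instance.</param>
/// <returns>The result of evaluating the policy target; Match when the policy has no target.</returns>
/// <exception cref="ArgumentNullException"><paramref name="context"/> is null.</exception>
public TargetEvaluationValue Match(EvaluationContext context)
{
    if (context == null)
    {
        throw new ArgumentNullException("context");
    }

    // Stays Indeterminate until the target has actually been evaluated. The trace in
    // the finally block therefore no longer reports "Match" when _target.Evaluate throws.
    TargetEvaluationValue targetEvaluationValue = TargetEvaluationValue.Indeterminate;

    context.Trace("Evaluating Target...");
    context.AddIndent();
    try
    {
        // A null target is treated as Match.
        targetEvaluationValue = (_target != null)
            ? _target.Evaluate(context)
            : TargetEvaluationValue.Match;

        return targetEvaluationValue;
    }
    finally
    {
        // Runs on both the normal and the exceptional path so the trace stays balanced.
        context.TraceContextValues();
        context.RemoveIndent();
        context.Trace("Target: {0}", targetEvaluationValue);
    }
}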
/// <summary>
/// Evaluates the rule: matches its target, evaluates its condition (if any) and derives
/// the rule decision from both results.
/// </summary>
/// <param name="context">The evaluation context instance.</param>
/// <returns>The decision for this evaluation.</returns>
/// <exception cref="ArgumentNullException"><paramref name="context"/> is null.</exception>
public Decision Evaluate(EvaluationContext context)
{
    if (context == null)
    {
        throw new ArgumentNullException("context");
    }

    context.Trace("Evaluating rule: {0}", _rule.Description);
    context.AddIndent();
    context.CurrentRule = this;
    try
    {
        // Validate the Target element.
        TargetEvaluationValue targetResult = Match(context);

        // NOTE(review): the condition is evaluated whatever the target result is, so a
        // NoMatch target combined with an Indeterminate condition yields Indeterminate
        // below rather than NotApplicable. Confirm this is the intended rule semantics.
        EvaluationValue conditionResult;
        if (_rule.HasCondition)
        {
            conditionResult = _condition.Evaluate(context);
        }
        else
        {
            // A rule without a condition behaves as if the condition were true.
            conditionResult = EvaluationValue.True;
            context.Trace("Rule does not have a condition");
        }

        // Decide the final rule evaluation value. When no branch applies the field
        // keeps whatever value it held before this call.
        if (targetResult == TargetEvaluationValue.Indeterminate || conditionResult.IsIndeterminate)
        {
            _evaluationValue = Decision.Indeterminate;
        }
        else if (targetResult == TargetEvaluationValue.Match)
        {
            if (conditionResult.BoolValue)
            {
                // Target and condition both hold: the rule's effect is the decision.
                _evaluationValue = (_rule.Effect == pol.Effect.Permit) ? Decision.Permit : Decision.Deny;
            }
            else
            {
                _evaluationValue = Decision.NotApplicable;
            }
        }
        else if (targetResult == TargetEvaluationValue.NoMatch)
        {
            _evaluationValue = Decision.NotApplicable;
        }

        context.Trace("Rule: {0}", _evaluationValue);
        return _evaluationValue;
    }
    finally
    {
        context.RemoveIndent();
        context.CurrentRule = null;
    }
}
/// <summary>
/// Matches the target of this policy set against the evaluation context.
/// </summary>
/// <param name="context">The evaluation context instance.</param>
/// <returns>The result of evaluating the policy set target; Match when there is no target.</returns>
/// <exception cref="ArgumentNullException"><paramref name="context"/> is null.</exception>
public TargetEvaluationValue Match(EvaluationContext context)
{
    if (context == null)
    {
        throw new ArgumentNullException("context");
    }

    // A null target is treated as Match; nothing is traced in that case.
    if (_target == null)
    {
        return TargetEvaluationValue.Match;
    }

    TargetEvaluationValue targetResult = _target.Evaluate(context);
    context.TraceContextValues();
    return targetResult;
}
/// <summary>
/// Turns the target match result into the policy set decision and stores it in
/// <c>_evaluationValue</c>. The child policies are only combined when the target matched.
/// </summary>
/// <param name="context">The evaluation context instance.</param>
/// <param name="targetEvaluationValue">The match evaluation result.</param>
private void ProcessTargetEvaluationValue(EvaluationContext context, TargetEvaluationValue targetEvaluationValue)
{
    if (targetEvaluationValue == TargetEvaluationValue.NoMatch)
    {
        _evaluationValue = Decision.NotApplicable;
        return;
    }

    if (targetEvaluationValue == TargetEvaluationValue.Indeterminate)
    {
        _evaluationValue = Decision.Indeterminate;
        return;
    }

    if (targetEvaluationValue != TargetEvaluationValue.Match)
    {
        // Any other value leaves the stored decision untouched.
        return;
    }

    try
    {
        context.Trace("Evaluating policies...");
        context.AddIndent();
        context.Trace("Policy combination algorithm: {0}", _policySet.PolicyCombiningAlgorithm);

        // Evaluate all policies and apply the policy combining algorithm.
        IPolicyCombiningAlgorithm combiner = EvaluationEngine.CreatePolicyCombiningAlgorithm(_policySet.PolicyCombiningAlgorithm);
        if (combiner == null)
        {
            // NOTE(review): confirm callers turn this exception into an Indeterminate
            // decision rather than letting the request go unanswered.
            throw new EvaluationException("the policy combining algorithm does not exists."); //TODO: resources
        }

        _evaluationValue = combiner.Evaluate(context, _policies);

        context.TraceContextValues();

        // Logs the combined decision (the label text is the one the original uses).
        context.Trace("Policy combination algorithm: {0}", _evaluationValue.ToString());
    }
    finally
    {
        context.RemoveIndent();
    }
}
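/// <summary>
/// Matches this target against the context document. Resources and the action are
/// evaluated first; subjects are evaluated only when both of them matched.
/// </summary>
/// <param name="context">The evaluation context instance.</param>
/// <returns>The result of the evaluation of this target.</returns>
/// <exception cref="ArgumentNullException"><paramref name="context"/> is null.</exception>
public TargetEvaluationValue Evaluate(EvaluationContext context)
{
    if (context == null)
    {
        throw new ArgumentNullException("context");
    }

    // Set the default value.
    _evaluationValue = TargetEvaluationValue.NoMatch;

    // Resource
    context.Trace("Evaluating Resource...");
    context.AddIndent();
    TargetEvaluationValue resourceEval = _resources.Evaluate(context, context.CurrentResource);
    context.TraceContextValues();
    context.Trace("Target item result: {0}", resourceEval);
    context.RemoveIndent();

    // Action
    context.Trace("Evaluating Action...");
    context.AddIndent();
    TargetEvaluationValue actionEval = _actions.Evaluate(context, context.ContextDocument.Request.Action);
    context.TraceContextValues();
    context.Trace("Target item result: {0}", actionEval);
    context.RemoveIndent();

    context.Trace("Evaluating Subjects...");
    context.AddIndent();

    bool resourceAndActionMatch = actionEval == TargetEvaluationValue.Match
        && resourceEval == TargetEvaluationValue.Match;
    if (!resourceAndActionMatch)
    {
        context.Trace("Actions or Resources does not Match so Subjects will not be evaluated");

        bool anyIndeterminate = resourceEval == TargetEvaluationValue.Indeterminate
            || actionEval == TargetEvaluationValue.Indeterminate;

        // Keep the field in step with the value handed back. Previously the field stayed
        // at NoMatch while Indeterminate was returned, so any reader of the field would
        // have seen an evaluation error downgraded to NoMatch.
        // NOTE(review): confirm nothing relies on the field remaining NoMatch here.
        _evaluationValue = anyIndeterminate
            ? TargetEvaluationValue.Indeterminate
            : TargetEvaluationValue.NoMatch;

        context.RemoveIndent();
        return _evaluationValue;
    }

    // Subjects: the first matching subject decides; an Indeterminate subject is
    // remembered unless a later subject matches.
    foreach (ctx.SubjectElement ctxSubject in context.ContextDocument.Request.Subjects)
    {
        context.Trace("Evaluating Subject: {0}", ctxSubject.SubjectCategory);

        TargetEvaluationValue subjectEval = _subjects.Evaluate(context, ctxSubject);
        context.TraceContextValues();

        if (subjectEval == TargetEvaluationValue.Indeterminate)
        {
            _evaluationValue = TargetEvaluationValue.Indeterminate;
        }
        else if (subjectEval == TargetEvaluationValue.Match)
        {
            _evaluationValue = TargetEvaluationValue.Match;
            context.RemoveIndent();
            context.Trace("Target item result: {0}", _evaluationValue);
            return _evaluationValue;
        }
    }

    context.RemoveIndent();
    context.Trace("Target item result: {0}", _evaluationValue);
    return _evaluationValue;
}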
/// <summary>
/// Evaluates the policy: prepares the variable definitions (XACML 2.0 policies only),
/// matches the target, combines the rules when the target matches, and collects the
/// obligations whose FulfillOn effect equals the decision.
/// </summary>
/// <param name="context">The evaluation context instance.</param>
/// <returns>The decision result for this policy.</returns>
/// <exception cref="ArgumentNullException"><paramref name="context"/> is null.</exception>
public Decision Evaluate(EvaluationContext context)
{
    if (context == null)
    {
        throw new ArgumentNullException("context");
    }

    context.Trace("Evaluating policy: {0}", _policy.Description);
    context.AddIndent();
    context.CurrentPolicy = this;
    try
    {
        // The variable table is built once, on the first evaluation of a 2.0 policy.
        // NOTE(review): the table is published in the field before it is filled and
        // without synchronization; confirm this instance is not evaluated concurrently.
        if (this._policy.SchemaVersion == XacmlVersion.Version20 && _variables == null)
        {
            context.Trace("Evaluating variables...");
            _variables = new Hashtable();
            foreach (pol.VariableDefinitionElement definitionElement in _policy.VariableDefinitions.Values)
            {
                VariableDefinition definition = new VariableDefinition(definitionElement);
                _variables.Add(definitionElement.Id, definition);
            }
        }

        // Matches the target.
        TargetEvaluationValue targetResult = Match(context);

        if (targetResult == TargetEvaluationValue.Match)
        {
            context.Trace("Rule combination algorithm: {0}", _policy.RuleCombiningAlgorithm);

            // Evaluate all rules and apply the rule combining algorithm.
            // NOTE(review): the result of CreateRuleCombiningAlgorithm is used without a
            // null check, unlike the policy set code path that checks its algorithm.
            inf.IRuleCombiningAlgorithm combiner = EvaluationEngine.CreateRuleCombiningAlgorithm(_policy.RuleCombiningAlgorithm);
            _evaluationValue = combiner.Evaluate(context, _rules);
        }
        else if (targetResult == TargetEvaluationValue.NoMatch)
        {
            _evaluationValue = Decision.NotApplicable;
        }
        else if (targetResult == TargetEvaluationValue.Indeterminate)
        {
            _evaluationValue = Decision.Indeterminate;
        }

        context.Trace("Policy: {0}", _evaluationValue);

        // Start from an empty collection on every evaluation, then copy the obligations
        // that apply to the decision just reached.
        _obligations = new pol.ObligationCollection();

        bool hasDecision = _evaluationValue != Decision.Indeterminate
            && _evaluationValue != Decision.NotApplicable;
        if (hasDecision && _policy.Obligations != null && _policy.Obligations.Count != 0)
        {
            foreach (pol.ObligationElement obligation in _policy.Obligations)
            {
                bool fulfilledOnDeny = obligation.FulfillOn == pol.Effect.Deny
                    && _evaluationValue == Decision.Deny;
                if (fulfilledOnDeny
                    || (obligation.FulfillOn == pol.Effect.Permit && _evaluationValue == Decision.Permit))
                {
                    context.Trace("Adding obligation: {0} ", obligation.ObligationId);
                    _obligations.Add(obligation);
                }
            }
        }

        return _evaluationValue;
    }
    finally
    {
        context.RemoveIndent();
        context.CurrentPolicy = null;
    }
}
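/// <summary>
/// Matches this target instance using the context document. Resources and the action
/// are checked first; subjects are only evaluated when both of them matched.
/// </summary>
/// <param name="context">The evaluation context instance.</param>
/// <returns>The results of the evaluation of this target.</returns>
/// <exception cref="ArgumentNullException"><paramref name="context"/> is null.</exception>
public TargetEvaluationValue Evaluate( EvaluationContext context )
{
    if (context == null) throw new ArgumentNullException("context");

    // Set the default value.
    _evaluationValue = TargetEvaluationValue.NoMatch;

    // Resource
    context.Trace( "Evaluating Resource..." );
    context.AddIndent();
    TargetEvaluationValue resourceEval = _resources.Evaluate( context, context.CurrentResource );
    context.TraceContextValues();
    context.Trace( "Target item result: {0}", resourceEval );
    context.RemoveIndent();

    // Action
    context.Trace( "Evaluating Action..." );
    context.AddIndent();
    TargetEvaluationValue actionEval = _actions.Evaluate( context, context.ContextDocument.Request.Action );
    context.TraceContextValues();
    context.Trace( "Target item result: {0}", actionEval );
    context.RemoveIndent();

    context.Trace( "Evaluating Subjects..." );
    context.AddIndent();
    if( actionEval == TargetEvaluationValue.Match && resourceEval == TargetEvaluationValue.Match )
    {
        // Subjects: return on the first Match; remember an Indeterminate subject unless
        // a later subject matches.
        foreach( ctx.SubjectElement ctxSubject in context.ContextDocument.Request.Subjects )
        {
            context.Trace( "Evaluating Subject: {0}", ctxSubject.SubjectCategory );

            TargetEvaluationValue subjectEval = _subjects.Evaluate( context, ctxSubject );
            context.TraceContextValues();
            if( subjectEval == TargetEvaluationValue.Indeterminate )
            {
                _evaluationValue = TargetEvaluationValue.Indeterminate;
            }
            else if( subjectEval == TargetEvaluationValue.Match )
            {
                _evaluationValue = TargetEvaluationValue.Match;
                context.RemoveIndent();
                context.Trace( "Target item result: {0}", _evaluationValue );
                return _evaluationValue;
            }
        }
        context.RemoveIndent();
        context.Trace( "Target item result: {0}", _evaluationValue );
        return _evaluationValue;
    }
    else
    {
        context.Trace( "Actions or Resources does not Match so Subjects will not be evaluated" );

        // Store the outcome in the field too. Before this change the field stayed at
        // NoMatch while Indeterminate was returned, so the stored state could present an
        // evaluation error as a plain NoMatch.
        // NOTE(review): confirm nothing relies on the field remaining NoMatch here.
        if( resourceEval == TargetEvaluationValue.Indeterminate || actionEval == TargetEvaluationValue.Indeterminate )
        {
            _evaluationValue = TargetEvaluationValue.Indeterminate;
        }
        else
        {
            _evaluationValue = TargetEvaluationValue.NoMatch;
        }
        context.RemoveIndent();
        return _evaluationValue;
    }
}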
/// <summary>
/// Evaluates the target items and returns whether the target applies to the context or not.
/// Every match element of one item must match; the first item that matches completely
/// ends the evaluation.
/// </summary>
/// <param name="context">The evaluation context instance.</param>
/// <param name="targetItem">The target item in the context document.</param>
/// <returns>
/// Match when the items are "any" or one item matches completely; Indeterminate when a
/// match function is missing, is not Boolean, or fails; otherwise the value left by the
/// last evaluated match element.
/// </returns>
/// <exception cref="ArgumentNullException"><paramref name="context"/> is null.</exception>
public TargetEvaluationValue Evaluate( EvaluationContext context, ctx.TargetItemBase targetItem )
{
    if (context == null) throw new ArgumentNullException(nameof(context));

    if (_targetItems.IsAny)
    {
        context.Trace("IsAny");
        return TargetEvaluationValue.Match;
    }

    _evaluationValue = TargetEvaluationValue.NoMatch;

    // NOTE(review): the field is reset for every match element, so an Indeterminate
    // produced by an earlier item is overwritten when a later item yields NoMatch.
    // Confirm that losing the earlier error is intended.
    foreach( pol.TargetItemBase policyItem in _targetItems.ItemsList )
    {
        foreach( pol.TargetMatchBase matchElement in policyItem.Match )
        {
            _evaluationValue = TargetEvaluationValue.NoMatch;

            context.Trace( "Using function: {0}", matchElement.MatchId );

            // The match function must exist and must declare a Boolean return type;
            // anything else is a processing error and ends the evaluation.
            inf.IFunction function = EvaluationEngine.GetFunction( matchElement.MatchId );
            if( function == null )
            {
                context.Trace( "ERR: function not found {0}", matchElement.MatchId );
                context.ProcessingError = true;
                return TargetEvaluationValue.Indeterminate;
            }
            else if( function.Returns == null )
            {
                context.Trace( "ERR: The function '{0}' does not defines it's return value", matchElement.MatchId );
                context.ProcessingError = true;
                return TargetEvaluationValue.Indeterminate;
            }
            else if( function.Returns != DataTypeDescriptor.Boolean )
            {
                context.Trace( "ERR: Function does not return Boolean a value" );
                context.ProcessingError = true;
                return TargetEvaluationValue.Indeterminate;
            }

            // NOTE(review): context.ProcessingError is not consulted after Resolve in
            // this method; verify a resolution error cannot end up as NoMatch.
            ctx.AttributeElement attribute = EvaluationEngine.Resolve( context, matchElement, targetItem );
            if( attribute != null )
            {
                context.Trace( "Attribute found, evaluating match function" );
                try
                {
                    EvaluationValue outcome = EvaluationEngine.EvaluateFunction( context, function, matchElement.AttributeValue, attribute );
                    if( outcome.BoolValue )
                    {
                        _evaluationValue = TargetEvaluationValue.Match;
                    }
                    else
                    {
                        _evaluationValue = TargetEvaluationValue.NoMatch;
                    }
                }
                catch( EvaluationException ex )
                {
                    // A failing match function makes the result Indeterminate.
                    context.Trace( Resource.TRACE_ERROR, ex.Message );
                    _evaluationValue = TargetEvaluationValue.Indeterminate;
                }
            }

            // Validate MustBePresent: a required attribute that is missing is an error.
            if( matchElement.AttributeReference.MustBePresent && context.IsMissingAttribute )
            {
                context.Trace( "Attribute not found and must be present" );
                _evaluationValue = TargetEvaluationValue.Indeterminate;
            }

            // One failed match element rules out this item; move on to the next item.
            if( _evaluationValue != TargetEvaluationValue.Match )
            {
                break;
            }
        }

        // An item whose match elements all matched decides the result.
        if( _evaluationValue == TargetEvaluationValue.Match )
        {
            return _evaluationValue;
        }
    }

    return _evaluationValue;
}
/// <summary>
/// Evaluates the target items and returns whether the target applies to the context or not.
/// Every match element of one item must match; the first item that matches completely
/// ends the evaluation.
/// </summary>
/// <param name="context">The evaluation context instance.</param>
/// <param name="targetItem">The target item in the context document.</param>
/// <returns>
/// Match when the items are "any" or one item matches completely; Indeterminate when a
/// match function is missing, is not Boolean, or fails; otherwise the value left by the
/// last evaluated match element.
/// </returns>
/// <exception cref="ArgumentNullException"><paramref name="context"/> is null.</exception>
public virtual TargetEvaluationValue Evaluate(EvaluationContext context, ctx.TargetItemBase targetItem)
{
    if (context == null)
    {
        throw new ArgumentNullException("context");
    }

    if (_targetItems.IsAny)
    {
        context.Trace("IsAny");
        return TargetEvaluationValue.Match;
    }

    _evaluationValue = TargetEvaluationValue.NoMatch;

    // NOTE(review): the field is reset for every match element, so an Indeterminate
    // produced by an earlier item is overwritten when a later item yields NoMatch.
    // Confirm that losing the earlier error is intended.
    foreach (TargetItemBase policyItem in _targetItems.ItemsList)
    {
        foreach (TargetMatchBase matchElement in policyItem.Match)
        {
            _evaluationValue = TargetEvaluationValue.NoMatch;

            context.Trace("Using function: {0}", matchElement.MatchId);

            // The match function must exist and must declare a Boolean return type;
            // anything else is a processing error and ends the evaluation.
            IFunction function = EvaluationEngine.GetFunction(matchElement.MatchId);
            if (function == null)
            {
                context.Trace("ERR: function not found {0}", matchElement.MatchId);
                context.ProcessingError = true;
                return TargetEvaluationValue.Indeterminate;
            }

            if (function.Returns == null)
            {
                context.Trace("ERR: The function '{0}' does not defines it's return value", matchElement.MatchId);
                context.ProcessingError = true;
                return TargetEvaluationValue.Indeterminate;
            }

            if (function.Returns != DataTypeDescriptor.Boolean)
            {
                context.Trace("ERR: Function does not return Boolean a value");
                context.ProcessingError = true;
                return TargetEvaluationValue.Indeterminate;
            }

            Context.AttributeElement attribute = EvaluationEngine.Resolve(context, matchElement, targetItem);
            if (attribute != null)
            {
                context.Trace("Attribute found, evaluating match function");
                try
                {
                    EvaluationValue outcome = EvaluationEngine.EvaluateFunction(context, function, matchElement.AttributeValue, attribute);
                    if (outcome.BoolValue)
                    {
                        _evaluationValue = TargetEvaluationValue.Match;
                    }
                    else
                    {
                        _evaluationValue = TargetEvaluationValue.NoMatch;
                    }
                }
                catch (EvaluationException ex)
                {
                    // A failing match function makes the result Indeterminate.
                    context.Trace("ERR: {0}", ex.Message);
                    _evaluationValue = TargetEvaluationValue.Indeterminate;
                }
            }

            // Validate MustBePresent: a required attribute that is missing is an error.
            if (matchElement.AttributeReference.MustBePresent && context.IsMissingAttribute)
            {
                context.Trace("Attribute not found and must be present");
                _evaluationValue = TargetEvaluationValue.Indeterminate;
            }

            // Any processing error recorded on the context overrides the match result.
            // NOTE(review): the flag is only ever set to true in this method; confirm
            // where it is reset, since a stale flag turns every match into Indeterminate.
            if (context.ProcessingError)
            {
                _evaluationValue = TargetEvaluationValue.Indeterminate;
            }

            // One failed match element rules out this item; move on to the next item.
            if (_evaluationValue != TargetEvaluationValue.Match)
            {
                break;
            }
        }

        // An item whose match elements all matched decides the result.
        if (_evaluationValue == TargetEvaluationValue.Match)
        {
            return _evaluationValue;
        }
    }

    return _evaluationValue;
}
/// <summary>
/// Converts the target match result into the policy set decision held in
/// <c>_evaluationValue</c>; the child policies are combined only when the target matched.
/// </summary>
/// <param name="context">The evaluation context instance.</param>
/// <param name="targetEvaluationValue">The match evaluation result.</param>
private void ProcessTargetEvaluationValue(EvaluationContext context, TargetEvaluationValue targetEvaluationValue)
{
    if (targetEvaluationValue != TargetEvaluationValue.Match)
    {
        // No policy is evaluated: map the target result straight onto a decision.
        // Any value other than NoMatch or Indeterminate leaves the field unchanged.
        if (targetEvaluationValue == TargetEvaluationValue.NoMatch)
        {
            _evaluationValue = Decision.NotApplicable;
        }
        else if (targetEvaluationValue == TargetEvaluationValue.Indeterminate)
        {
            _evaluationValue = Decision.Indeterminate;
        }

        return;
    }

    try
    {
        context.Trace("Evaluating policies...");
        context.AddIndent();
        context.Trace("Policy combination algorithm: {0}", _policySet.PolicyCombiningAlgorithm);

        // Evaluate all policies and apply the policy combining algorithm.
        inf.IPolicyCombiningAlgorithm algorithm = EvaluationEngine.CreatePolicyCombiningAlgorithm(_policySet.PolicyCombiningAlgorithm);
        if (algorithm == null)
        {
            // NOTE(review): confirm callers turn this exception into an Indeterminate
            // decision rather than letting the request go unanswered.
            throw new EvaluationException("the policy combining algorithm does not exists."); //TODO: resources
        }

        _evaluationValue = algorithm.Evaluate(context, _policies);

        context.TraceContextValues();

        // Logs the combined decision (the label text is the one the original uses).
        context.Trace("Policy combination algorithm: {0}", _evaluationValue.ToString());
    }
    finally
    {
        // Undo the indentation added above on both the normal and the exceptional path.
        context.RemoveIndent();
    }
}