/// <summary> /// Initializes a new instance of the <see cref="EvaluationEngine"/> class. /// </summary> /// <param name="policySet">The XACML policy set.</param> public EvaluationEngine(XacmlPolicySet policySet) { Contract.Requires<ArgumentNullException>(policySet != null); this.types = DataTypeProcessor.Instance; this.functions = FunctionsProcessor.Instance; this.algorithms = AlgorithmsProcessor.Instance; this.policySet = policySet; this.namespaces = policySet.Namespaces; this.xpathVersion = policySet.XPathVersion; }
/// <summary> /// public void WritePolicySet /// </summary> /// <param name="writer">XmlWriter writer</param> /// <param name="data">XacmlPolicySet data</param> public virtual void WritePolicySet(XmlWriter writer, XacmlPolicySet data) { Contract.Requires<ArgumentNullException>(writer != null); Contract.Requires<ArgumentNullException>(data != null); writer.WriteStartElement(XacmlConstants.Prefixes.Policy, XacmlConstants.ElementNames.PolicySet, this.version.NamespacePolicy); writer.WriteAttributeString(XacmlConstants.AttributeNames.PolicySetId, data.PolicySetId.OriginalString); writer.WriteAttributeString(XacmlConstants.AttributeNames.PolicyCombiningAlgId, data.PolicyCombiningAlgId.OriginalString); if (data.Description != null) { writer.WriteElementString(XacmlConstants.Prefixes.Policy, XacmlConstants.ElementNames.Description, this.version.NamespacePolicy, data.Description); } // PolicySetDefaults if (data.XPathVersion != null) { writer.WriteStartElement(XacmlConstants.Prefixes.Policy, XacmlConstants.ElementNames.PolicySetDefaults, this.version.NamespacePolicy); writer.WriteElementString(XacmlConstants.Prefixes.Policy, XacmlConstants.ElementNames.XPathVersion, this.version.NamespacePolicy, data.XPathVersion.ToString()); writer.WriteEndElement(); } // Target this.WriteTarget(writer, data.Target); // PolicySet foreach (var policySet in data.PolicySets) { this.WritePolicySet(writer, policySet); } // Policy foreach (var policy in data.Policies) { this.WritePolicy(writer, policy); } // PolicySetIdReference foreach (var policySetIdReference in data.PolicySetIdReferences) { writer.WriteElementString(XacmlConstants.Prefixes.Policy, XacmlConstants.ElementNames.PolicySetIdReference, this.version.NamespacePolicy, policySetIdReference.ToString()); } // PolicyIdReference foreach (var policyIdReference in data.PolicyIdReferences) { writer.WriteElementString(XacmlConstants.Prefixes.Policy, XacmlConstants.ElementNames.PolicyIdReference, this.version.NamespacePolicy, policyIdReference.ToString()); } // Obligations if (data.Obligations.Count > 0) { writer.WriteStartElement(XacmlConstants.Prefixes.Policy, XacmlConstants.ElementNames.Obligations, this.version.NamespacePolicy); foreach (var obligation in data.Obligations) { this.WriteObligation(writer, obligation); } writer.WriteEndElement(); } writer.WriteEndElement(); }
public void WritePolicy_11() { var subject = new XacmlSubject( new XacmlSubjectMatch[] { new XacmlSubjectMatch( new Uri("http://www.MatchId.www"), new XacmlAttributeValue(new Uri("http://www.DataType.www")), new XacmlSubjectAttributeDesignator(new Uri("http://www.AttributeId.www"), new Uri("http://www.DataType.www")) { Issuer = "String", MustBePresent = false, Category = new Uri("http://www.subjectCategory.www") }) }); var target = new XacmlTarget(subject, null, null); XacmlPolicySet xacmlPolicySet = new XacmlPolicySet(new Uri("http://www.PolicySetId.www"), new Uri("http://www.PolicyCombiningAlgId.www"), target); xacmlPolicySet.Description = "description string"; xacmlPolicySet.XPathVersion = Xacml10Constants.XPathVersions.Xpath10; XacmlPolicy xacmlPolicy = new XacmlPolicy(new Uri("http://www.PolicyId.www"), new Uri("http://www.RuleCombiningAlgId.www"), new XacmlTarget()) { Description = "description string", XPathVersion = Xacml10Constants.XPathVersions.Xpath10, }; XacmlRule xacmlRule = new XacmlRule("http://www.RuleId.www", XacmlEffectType.Permit) { Description = "xacmlRule description" }; xacmlPolicy.Rules.Add(xacmlRule); XacmlAttributeAssignment xacmlAttributeAssignment = new XacmlAttributeAssignment(new Uri("http://www.AttributeId.www"), new Uri("http://www.DataType.www")); XacmlObligation xacmlObligation = new XacmlObligation(new Uri("http://www.ObligationId.www"), XacmlEffectType.Permit, new XacmlAttributeAssignment[] { xacmlAttributeAssignment }); xacmlPolicy.Obligations.Add(xacmlObligation); xacmlPolicySet.Policies.Add(xacmlPolicy); StringBuilder builder = new StringBuilder(); using (XmlWriter writer = XmlWriter.Create(builder)) { var serializer = new Xacml10ProtocolSerializer(); serializer.WritePolicySet(writer, xacmlPolicySet); } string xml = builder.ToString(); ValidateMessage(xml, @"..\..\_Data\cs-xacml-schema-policy-01.xsd"); }
public void WritePolicy_20() { var subject = new XacmlSubject( new XacmlSubjectMatch[] { new XacmlSubjectMatch( new Uri("http://www.MatchId.www"), new XacmlAttributeValue(new Uri("http://www.DataType.www")), new XacmlSubjectAttributeDesignator(new Uri("http://www.AttributeId.www"), new Uri("http://www.DataType.www")) { Issuer = "String", MustBePresent = false, Category = new Uri("http://www.subjectCategory.www")} ) }); var resource = new XacmlResource( new XacmlResourceMatch[] { new XacmlResourceMatch( new Uri("http://www.MatchId.www"), new XacmlAttributeValue(new Uri("http://www.DataType.www") /*, "xxxx" */), new XacmlResourceAttributeDesignator(new Uri("http://www.AttributeId.www"), new Uri("http://www.DataType.www")) { Issuer = "String", MustBePresent = false} ) }); var action = new XacmlAction( new XacmlActionMatch[] { new XacmlActionMatch( new Uri("http://www.MatchId.www"), new XacmlAttributeValue(new Uri("http://www.DataType.www")), new XacmlActionAttributeDesignator(new Uri("http://www.AttributeId.www"), new Uri("http://www.DataType.www")){ Issuer = "String", MustBePresent = false} ) }); var target = new XacmlTarget(subject, resource, action, null); // new Uri("http://www.PolicySetId.www") XacmlPolicySet xacmlPolicySet = new XacmlPolicySet(new Uri("http://www.PolicyCombiningAlgId.www"), target) { Description = "description string", XPathVersion = Xacml10Constants.XPathVersions.Xpath10, }; ////#region Policy XacmlEnvironment env = new XacmlEnvironment( new XacmlEnvironmentMatch[] { new XacmlEnvironmentMatch( new Uri("http://www.EnvironmentMatchIdId.www"), new XacmlAttributeValue(new Uri("http://www.AttributValue.www")), new XacmlEnvironmentAttributeDesignator(new Uri("http://www.AttributeId.www"), new Uri("http://www.DataType.www")){ Issuer = "String", MustBePresent = false} ) }); XacmlTarget targetWithEnvironment = new XacmlTarget(null, null, null, new XacmlEnvironment[] { env }); XacmlPolicy xacmlPolicy = new XacmlPolicy(new Uri("http://www.PolicyId.www"), new Uri("http://www.RuleCombiningAlgId.www"), targetWithEnvironment) { Description = "description string", XPathVersion = Xacml10Constants.XPathVersions.Xpath10, }; XacmlRule xacmlRule = new XacmlRule("http://www.RuleId.www", XacmlEffectType.Permit) { Description = "xacmlRule description" }; xacmlPolicy.Rules.Add(xacmlRule); XacmlAttributeAssignment xacmlAttributeAssignment = new XacmlAttributeAssignment(new Uri("http://www.AttributeId.www"), new Uri("http://www.DataType.www")); XacmlObligation xacmlObligation = new XacmlObligation(new Uri("http://www.ObligationId.www"), XacmlEffectType.Permit, new XacmlAttributeAssignment[] { xacmlAttributeAssignment }); xacmlPolicy.Obligations.Add(xacmlObligation); xacmlPolicySet.Policies.Add(xacmlPolicy); StringBuilder builder = new StringBuilder(); using (XmlWriter writer = XmlWriter.Create(builder)) { var serializer = new Xacml20ProtocolSerializer(); serializer.WritePolicySet(writer, xacmlPolicySet); } string xml = builder.ToString(); ValidateMessage(xml, @"..\..\_Data\access_control-xacml-2.0-policy-schema-os.xsd"); }
/// <summary> /// Writes the policy set. /// </summary> /// <param name="writer">The writer.</param> /// <param name="data">The data.</param> public override void WritePolicySet(XmlWriter writer, XacmlPolicySet data) { writer.WriteStartElement(XacmlConstants.Prefixes.Policy, XacmlConstants.ElementNames.PolicySet, this.version.NamespacePolicy); writer.WriteAttributeString(XacmlConstants.AttributeNames.PolicySetId, data.PolicySetId.OriginalString); writer.WriteAttributeString(XacmlConstants.AttributeNames.PolicyCombiningAlgId, data.PolicyCombiningAlgId.OriginalString); if (!string.IsNullOrEmpty(data.Version)) { writer.WriteAttributeString(XacmlConstants.AttributeNames.Version, data.Version); } if (data.MaxDelegationDepth.HasValue) { writer.WriteAttributeString(XacmlConstants.AttributeNames.MaxDelegationDepth, data.MaxDelegationDepth.Value.ToString()); } if (data.Description != null) { writer.WriteElementString(XacmlConstants.Prefixes.Policy, XacmlConstants.ElementNames.Description, this.version.NamespacePolicy, data.Description); } if (data.PolicyIssuer != null) { this.WritePolicyIssuer(writer, data.PolicyIssuer); } // PolicySetDefaults if (data.XPathVersion != null) { writer.WriteStartElement(XacmlConstants.Prefixes.Policy, XacmlConstants.ElementNames.PolicySetDefaults, this.version.NamespacePolicy); writer.WriteElementString(XacmlConstants.Prefixes.Policy, XacmlConstants.ElementNames.XPathVersion, this.version.NamespacePolicy, data.XPathVersion.ToString()); writer.WriteEndElement(); } // Target this.WriteTarget(writer, data.Target); // PolicySet foreach (var policySet in data.PolicySets) { this.WritePolicySet(writer, policySet); } // Policy foreach (var policy in data.Policies) { this.WritePolicy(writer, policy); } // PolicySetIdReference foreach (var policySetIdReference in data.PolicySetIdReferences_3_0) { this.WritePolicySetIdReference(writer, policySetIdReference); } // PolicyIdReference foreach (var policyIdReference in data.PolicyIdReferences_3_0) { this.WritePolicyIdReference(writer, policyIdReference); } if (data.CombinerParameters.Count > 0) { writer.WriteStartElement(XacmlConstants.Prefixes.Policy, XacmlConstants.ElementNames.CombinerParameters, this.version.NamespacePolicy); foreach (var combinerParameter in data.CombinerParameters) { this.WriteCombinerParameter(writer, combinerParameter); } writer.WriteEndElement(); } foreach (var policyCombinedParameters in data.PolicyCombinerParameters) { writer.WriteStartElement(XacmlConstants.Prefixes.Policy, XacmlConstants.ElementNames.PolicyCombinerParameters, this.version.NamespacePolicy); writer.WriteAttributeString(XacmlConstants.AttributeNames.PolicyIdRef, policyCombinedParameters.PolicyIdRef.OriginalString); foreach (var combinedParameter in policyCombinedParameters.CombinerParameters) { this.WriteCombinerParameter(writer, combinedParameter); } writer.WriteEndElement(); } foreach (var policySetCombinedParameters in data.PolicySetCombinerParameters) { writer.WriteStartElement(XacmlConstants.Prefixes.Policy, XacmlConstants.ElementNames.PolicySetCombinerParameters, this.version.NamespacePolicy); writer.WriteAttributeString(XacmlConstants.AttributeNames.PolicySetIdRef, policySetCombinedParameters.PolicySetIdRef.OriginalString); foreach (var combinedParameter in policySetCombinedParameters.CombinerParameters) { this.WriteCombinerParameter(writer, combinedParameter); } writer.WriteEndElement(); } if (data.Obligations_3_0.Count > 0) { writer.WriteStartElement(XacmlConstants.Prefixes.Policy, XacmlConstants.ElementNames.ObligationExpressions, this.version.NamespacePolicy); foreach (XacmlObligationExpression ex in data.Obligations_3_0) { this.WriteObligationExpression(writer, ex); } writer.WriteEndElement(); } if (data.Advices.Count > 0) { writer.WriteStartElement(XacmlConstants.Prefixes.Policy, XacmlConstants.ElementNames.AdviceExpressions, this.version.NamespacePolicy); foreach (XacmlAdviceExpression ex in data.Advices) { this.WriteAdviceExpression(writer, ex); } writer.WriteEndElement(); } writer.WriteEndElement(); }
/// <summary> /// Reads the policy set. /// </summary> /// <param name="reader">The reader.</param> /// <returns></returns> /// <exception cref="System.InvalidOperationException"></exception> public override XacmlPolicySet ReadPolicySet(XmlReader reader) { Contract.Requires<ArgumentNullException>(reader != null, "reader"); IDictionary<string, string> nsMgr = new Dictionary<string, string>(); for (int i = 0; i < reader.AttributeCount; i++) { reader.MoveToAttribute(i); if (reader.Prefix == "xmlns") { nsMgr.Add(reader.LocalName, reader.Value); } } if (!this.CanRead(reader, XacmlConstants.ElementNames.PolicySet)) { throw Diagnostic.DiagnosticTools.ExceptionUtil.ThrowHelperError(new InvalidOperationException()); } Uri gaPolicySetId = this.ReadAttribute<Uri>(reader, XacmlConstants.AttributeNames.PolicySetId); Uri gaPolicyCombiningAlgId = this.ReadAttribute<Uri>(reader, XacmlConstants.AttributeNames.PolicyCombiningAlgId); string version = this.ReadAttribute<string>(reader, XacmlConstants.AttributeNames.Version, isRequered: false); int? maxDelegationDepth = this.ReadAttribute<int?>(reader, XacmlConstants.AttributeNames.MaxDelegationDepth, this.version.NamespacePolicy, isRequered: false); reader.ReadStartElement(XacmlConstants.ElementNames.PolicySet, this.version.NamespacePolicy); string description = null; if (reader.IsStartElement(XacmlConstants.ElementNames.Description, this.version.NamespacePolicy)) { description = reader.ReadElementContentAsString(XacmlConstants.ElementNames.Description, this.version.NamespacePolicy); } XacmlPolicyIssuer issuer = this.ReadOptional<XacmlPolicyIssuer>(XacmlConstants.ElementNames.PolicyIssuer, this.version.NamespacePolicy, this.ReadPolicyIssuer, reader); // PolicySetDefault string xpathVersion = null; if (reader.IsStartElement(XacmlConstants.ElementNames.PolicySetDefaults, this.version.NamespacePolicy)) { reader.ReadStartElement(XacmlConstants.ElementNames.PolicySetDefaults, this.version.NamespacePolicy); if (!reader.IsStartElement(XacmlConstants.ElementNames.XPathVersion, this.version.NamespacePolicy)) { throw Diagnostic.DiagnosticTools.ExceptionUtil.ThrowHelperError(new XmlException("XPathVerison NotStartElement")); } xpathVersion = reader.ReadElementContentAsString(XacmlConstants.ElementNames.XPathVersion, this.version.NamespacePolicy); reader.ReadEndElement(); } XacmlTarget target = null; if (reader.IsStartElement(XacmlConstants.ElementNames.Target, this.version.NamespacePolicy)) { target = ReadTarget(reader); } XacmlPolicySet policySet = new XacmlPolicySet(gaPolicySetId, gaPolicyCombiningAlgId, target) { Description = description, XPathVersion = xpathVersion != null ? new Uri(xpathVersion) : null, MaxDelegationDepth = maxDelegationDepth, PolicyIssuer = issuer, Namespaces = nsMgr, Version = version }; IDictionary<Tuple<string, string>, Action> dicts = new Dictionary<Tuple<string, string>, Action>() { { new Tuple<string, string>(XacmlConstants.ElementNames.PolicySet, this.version.NamespacePolicy), () => policySet.PolicySets.Add(this.ReadPolicySet(reader)) }, { new Tuple<string, string>(XacmlConstants.ElementNames.Policy, this.version.NamespacePolicy), () => policySet.Policies.Add(this.ReadPolicy(reader)) }, { new Tuple<string, string>(XacmlConstants.ElementNames.PolicySetIdReference, this.version.NamespacePolicy), () => policySet.PolicySetIdReferences_3_0.Add(this.ReadPolicySetIdReference_3_0(reader)) }, { new Tuple<string, string>(XacmlConstants.ElementNames.PolicyIdReference, this.version.NamespacePolicy), () => policySet.PolicyIdReferences_3_0.Add(this.ReadPolicyIdReference_3_0(reader)) }, { new Tuple<string, string>(XacmlConstants.ElementNames.CombinerParameters, this.version.NamespacePolicy), () => { reader.ReadStartElement(XacmlConstants.ElementNames.CombinerParameters, this.version.NamespacePolicy); this.ReadList(policySet.CombinerParameters, XacmlConstants.ElementNames.CombinerParameter, this.version.NamespacePolicy, this.ReadCombinerParameter, reader, isRequired: false); reader.ReadEndElement(); }}, { new Tuple<string, string>(XacmlConstants.ElementNames.PolicyCombinerParameters, this.version.NamespacePolicy), () => policySet.PolicyCombinerParameters.Add(this.ReadPolicyCombinerParameters(reader))}, { new Tuple<string, string>(XacmlConstants.ElementNames.PolicySetCombinerParameters, this.version.NamespacePolicy), () => policySet.PolicySetCombinerParameters.Add(this.ReadPolicySetCombinerParameters(reader))}, }; this.ReadChoiceMultiply(reader, dicts); if (reader.IsStartElement(XacmlConstants.ElementNames.ObligationExpressions, this.version.NamespacePolicy)) { reader.ReadStartElement(XacmlConstants.ElementNames.ObligationExpressions, this.version.NamespacePolicy); this.ReadList(policySet.Obligations_3_0, XacmlConstants.ElementNames.ObligationExpression, this.version.NamespacePolicy, this.ReadObligationExpression, reader, isRequired: true); reader.ReadEndElement(); } if (reader.IsStartElement(XacmlConstants.ElementNames.AdviceExpressions, this.version.NamespacePolicy)) { reader.ReadStartElement(XacmlConstants.ElementNames.AdviceExpressions, this.version.NamespacePolicy); this.ReadList(policySet.Advices, XacmlConstants.ElementNames.AdviceExpression, this.version.NamespacePolicy, this.ReadAdviceExpression, reader, isRequired: true); reader.ReadEndElement(); } return policySet; }
/// <summary> /// Apstrāda PolicySet objektu /// </summary> /// <param name="policySet">Izveidotājs PolicySet objekts</param> /// <returns></returns> public virtual XacmlDecisionResult PolicySetEvaluate(XacmlPolicySet policySet) { Contract.Requires<ArgumentNullException>(policySet != null); ///// <Target> <Policy> <Policy Set> ///// "Match" At least one rule value is its Decision Specified by the policy combining algorithm ///// "Match" All rule values are “NotApplicable” “NotApplicable” ///// “Match” At least one rule value is “Indeterminate” Specified by the policy combining algorithm ///// “No-match” Don’t care “NotApplicable” ///// “Indeterminate” Don’t care “Indeterminate” // Target XacmlMatchResult targetResult; targetResult = this.TargetEvaluate(policySet.Target); if (targetResult == XacmlMatchResult.Indeterminate) { return XacmlDecisionResult.Indeterminate; } if (targetResult == XacmlMatchResult.NoMatch) { return XacmlDecisionResult.NotApplicable; } // Policy List<Tuple<IEnumerable<XacmlCombinerParameter>, IDictionary<string, Func<object>>>> policyResultsFunctions = new List<Tuple<IEnumerable<XacmlCombinerParameter>, IDictionary<string, Func<object>>>>(); bool atLeastOnePolicy = policySet.Policies.Any() || policySet.PolicySets.Any() || policySet.PolicyIdReferences.Any() || policySet.PolicySetIdReferences.Any(); // Policies foreach (XacmlPolicy pol in policySet.Policies) { policyResultsFunctions.Add(new Tuple<IEnumerable<XacmlCombinerParameter>, IDictionary<string, Func<object>>>( policySet.PolicyCombinerParameters.Where(o => string.Equals(o.PolicyIdRef.OriginalString, pol.PolicyId.OriginalString)).SelectMany(o => o.CombinerParameters), new Dictionary<string, Func<object>>() { { "evaluate", () => new Tuple<XacmlDecisionResult, string>(this.PolicyEvaluate(pol), string.Empty) }, { "isApplicable", () => { XacmlMatchResult policyTargetResult = this.TargetEvaluate(pol.Target); if(policyTargetResult == XacmlMatchResult.Indeterminate) { return null; } if (policyTargetResult == XacmlMatchResult.Match) { return true; } return false; } } })); } // PolicySets foreach (XacmlPolicySet pol in policySet.PolicySets) { policyResultsFunctions.Add(new Tuple<IEnumerable<XacmlCombinerParameter>, IDictionary<string, Func<object>>>( policySet.PolicySetCombinerParameters.Where(o => string.Equals(o.PolicySetIdRef.OriginalString, pol.PolicySetId.OriginalString)).SelectMany(o => o.CombinerParameters), new Dictionary<string, Func<object>>() { { "evaluate", () => new Tuple<XacmlDecisionResult, string>(this.PolicySetEvaluate(pol), string.Empty) }, { "isApplicable", () => { XacmlMatchResult policyTargetResult = this.TargetEvaluate(pol.Target); if(policyTargetResult == XacmlMatchResult.Indeterminate) { return null; } if (policyTargetResult == XacmlMatchResult.Match) { return true; } return false; } } })); } // Policy References foreach (Uri polRef in policySet.PolicyIdReferences) { XacmlPolicy pol = this.ch.RequestPolicy(polRef); if (pol == null) { throw Diagnostic.DiagnosticTools.ExceptionUtil.ThrowHelperError(new XacmlIndeterminateException("Unknown Policy reference: " + polRef.ToString())); } policyResultsFunctions.Add(new Tuple<IEnumerable<XacmlCombinerParameter>, IDictionary<string, Func<object>>>( policySet.PolicyCombinerParameters.Where(o => string.Equals(o.PolicyIdRef.OriginalString, pol.PolicyId.OriginalString)).SelectMany(o => o.CombinerParameters), new Dictionary<string, Func<object>>() { { "evaluate", () => new Tuple<XacmlDecisionResult, string>(this.PolicyEvaluate(pol), string.Empty) }, { "isApplicable", () => { XacmlMatchResult policyTargetResult = this.TargetEvaluate(pol.Target); if(policyTargetResult == XacmlMatchResult.Indeterminate) { return null; } if (policyTargetResult == XacmlMatchResult.Match) { return true; } return false; } } })); } // PolicySet References foreach (Uri polRef in policySet.PolicySetIdReferences) { XacmlPolicySet pol = this.ch.RequestPolicySet(polRef); if (pol == null) { throw Diagnostic.DiagnosticTools.ExceptionUtil.ThrowHelperError(new XacmlIndeterminateException("Unknown PolicySet reference: " + polRef.ToString())); } policyResultsFunctions.Add(new Tuple<IEnumerable<XacmlCombinerParameter>, IDictionary<string, Func<object>>>( policySet.PolicySetCombinerParameters.Where(o => string.Equals(o.PolicySetIdRef.OriginalString, pol.PolicySetId.OriginalString)).SelectMany(o => o.CombinerParameters), new Dictionary<string, Func<object>>() { { "evaluate", () => new Tuple<XacmlDecisionResult, string>(this.PolicySetEvaluate(pol), string.Empty) }, { "isApplicable", () => { XacmlMatchResult policyTargetResult = this.TargetEvaluate(pol.Target); if(policyTargetResult == XacmlMatchResult.Indeterminate) { return null; } if (policyTargetResult == XacmlMatchResult.Match) { return true; } return false; } } })); } if (!atLeastOnePolicy) { return XacmlDecisionResult.NotApplicable; } XacmlDecisionResult algResult = this.algorithms[policySet.PolicyCombiningAlgId.ToString()].Invoke(policyResultsFunctions, policySet.CombinerParameters); if (algResult == XacmlDecisionResult.Permit) { this.obligations[XacmlEffectType.Permit].AddRange(policySet.Obligations.Where(o => o.FulfillOn == XacmlEffectType.Permit)); } if (algResult == XacmlDecisionResult.Deny) { this.obligations[XacmlEffectType.Deny].AddRange(policySet.Obligations.Where(o => o.FulfillOn == XacmlEffectType.Deny)); } return algResult; }
public void IID030_30() { XmlDocument request = new XmlDocument(); XmlDocument response = new XmlDocument(); XmlDocument policy1 = new XmlDocument(); XmlDocument policy2 = new XmlDocument(); request.Load(Path.Combine(Xacml30TestsCases.TestCasePath, "IID030Request.xml")); response.Load(Path.Combine(Xacml30TestsCases.TestCasePath, "IID030Response.xml")); policy1.Load(Path.Combine(Xacml30TestsCases.TestCasePath, "IID030Policy1.xml")); policy2.Load(Path.Combine(Xacml30TestsCases.TestCasePath, "IID030Policy2.xml")); var serialize = new Xacml30ProtocolSerializer(); XacmlContextRequest requestData; XacmlContextResponse responseData; XacmlPolicy policy1Data; XacmlPolicy policy2Data; using (XmlReader reader = XmlReader.Create(new StringReader(request.OuterXml))) { requestData = serialize.ReadContextRequest(reader); } using (XmlReader reader = XmlReader.Create(new StringReader(response.OuterXml))) { responseData = serialize.ReadContextResponse(reader); } using (XmlReader reader = XmlReader.Create(new StringReader(policy1.OuterXml))) { policy1Data = serialize.ReadPolicy(reader); } using (XmlReader reader = XmlReader.Create(new StringReader(policy2.OuterXml))) { policy2Data = serialize.ReadPolicy(reader); } var policySet = new XacmlPolicySet(Xacml10Constants.PolicyCombiningAlgorithms.OnlyOneApplicable, new XacmlTarget()); // TODO: PolicyCombiningAlgorithms policySet.Policies.Add(policy1Data); policySet.Policies.Add(policy2Data); EvaluationEngine engine = new EvaluationEngine(policySet); XacmlContextResponse evaluatedResponse = engine.Evaluate(requestData, request); XacmlResponseAssert(responseData, evaluatedResponse); }
/// <summary> /// Reads the policy set. /// </summary> /// <param name="reader">The reader.</param> /// <returns></returns> /// <exception cref="System.InvalidOperationException"></exception> public virtual XacmlPolicySet ReadPolicySet(XmlReader reader) { Contract.Requires<ArgumentNullException>(reader != null, "reader"); if (!this.CanRead(reader, XacmlConstants.ElementNames.PolicySet)) { throw Diagnostic.DiagnosticTools.ExceptionUtil.ThrowHelperError(new InvalidOperationException()); } // Collect namespaces IDictionary<string, string> nsMgr = new Dictionary<string, string>(); for (int i = 0; i < reader.AttributeCount; i++) { reader.MoveToAttribute(i); if (reader.Prefix == "xmlns") { nsMgr.Add(reader.LocalName, reader.Value); } } Uri gaPolicySetId = this.ReadAttribute<Uri>(reader, XacmlConstants.AttributeNames.PolicySetId); Uri gaPolicyCombiningAlgId = this.ReadAttribute<Uri>(reader, XacmlConstants.AttributeNames.PolicyCombiningAlgId); reader.ReadStartElement(XacmlConstants.ElementNames.PolicySet, this.version.NamespacePolicy); string description = null; if (reader.IsStartElement(XacmlConstants.ElementNames.Description, this.version.NamespacePolicy)) { description = reader.ReadElementContentAsString(XacmlConstants.ElementNames.Description, this.version.NamespacePolicy); } // PolicySetDefault string xpathVersion = null; if (reader.IsStartElement(XacmlConstants.ElementNames.PolicySetDefaults, this.version.NamespacePolicy)) { reader.ReadStartElement(XacmlConstants.ElementNames.PolicySetDefaults, this.version.NamespacePolicy); if (!reader.IsStartElement(XacmlConstants.ElementNames.XPathVersion, this.version.NamespacePolicy)) { throw Diagnostic.DiagnosticTools.ExceptionUtil.ThrowHelperError(new XmlException("XPathVerison NotStartElement")); } xpathVersion = reader.ReadElementContentAsString(XacmlConstants.ElementNames.XPathVersion, this.version.NamespacePolicy); reader.ReadEndElement(); } XacmlTarget target = null; if (reader.IsStartElement(XacmlConstants.ElementNames.Target, this.version.NamespacePolicy)) { target = ReadTarget(reader); } XacmlPolicySet policySet = new XacmlPolicySet(gaPolicySetId, gaPolicyCombiningAlgId, target) { Description = description, XPathVersion = xpathVersion != null ? new Uri(xpathVersion) : null }; policySet.Namespaces = nsMgr; IDictionary<Tuple<string, string>, Action> dicts = new Dictionary<Tuple<string, string>, Action>() { { new Tuple<string, string>(XacmlConstants.ElementNames.PolicySet, this.version.NamespacePolicy), () => policySet.PolicySets.Add(this.ReadPolicySet(reader)) }, { new Tuple<string, string>(XacmlConstants.ElementNames.Policy, this.version.NamespacePolicy), () => policySet.Policies.Add(this.ReadPolicy(reader)) }, { new Tuple<string, string>(XacmlConstants.ElementNames.PolicySetIdReference, this.version.NamespacePolicy), () => policySet.PolicySetIdReferences.Add(this.ReadPolicySetIdReference(reader)) }, { new Tuple<string, string>(XacmlConstants.ElementNames.PolicyIdReference, this.version.NamespacePolicy), () => policySet.PolicyIdReferences.Add(this.ReadPolicyIdReference(reader)) }, }; this.ReadChoiceMultiply(reader, dicts); if (reader.IsStartElement(XacmlConstants.ElementNames.Obligations, this.version.NamespacePolicy)) { reader.ReadStartElement(XacmlConstants.ElementNames.Obligations, this.version.NamespacePolicy); this.ReadList(policySet.Obligations, XacmlConstants.ElementNames.Obligation, this.version.NamespacePolicy, ReadObligation, reader); // end obligations reader.ReadEndElement(); } return policySet; }
public EvaluationEngine30(XacmlPolicySet policySet) : base(policySet) { }
public override XacmlDecisionResult PolicySetEvaluate(XacmlPolicySet policySet) { ///// <Target> <Policy> <Policy Set> ///// "Match" Don’t care Specified by the rulecombining algorithm ///// “No-match” Don’t care “NotApplicable” ///// “Indeterminate” See Table 7 See Table 7 XacmlDecisionResult algResult = XacmlDecisionResult.Indeterminate; // Wrap for Obligations and Advice, read more on AttributeAssignmentsWrapper class description using (AttributeAssignmentsWrapper<XacmlObligation> obligationWrapper = new AttributeAssignmentsWrapper<XacmlObligation>(() => this.obligations, o => this.obligations = o, () => algResult)) { using (AttributeAssignmentsWrapper<XacmlAdvice> adviceWrapper = new AttributeAssignmentsWrapper<XacmlAdvice>(() => this.advices, o => this.advices = o, () => algResult)) { using (AttributeAssignmentsWrapper<XacmlContextPolicyIdReference> policyRefWrapper = new AttributeAssignmentsWrapper<XacmlContextPolicyIdReference>(() => this.applicablePolicies, o => this.applicablePolicies = o, () => algResult)) { using (AttributeAssignmentsWrapper<XacmlContextPolicySetIdReference> policySetRefWrapper = new AttributeAssignmentsWrapper<XacmlContextPolicySetIdReference>(() => this.applicablePolicySets, o => this.applicablePolicySets = o, () => algResult)) { // Target XacmlMatchResult targetResult; targetResult = this.TargetEvaluate(policySet.Target); if (targetResult == XacmlMatchResult.NoMatch) { return XacmlDecisionResult.NotApplicable; } // Policy List<Tuple<IEnumerable<XacmlCombinerParameter>, IDictionary<string, Func<object>>>> policyResultsFunctions = new List<Tuple<IEnumerable<XacmlCombinerParameter>, IDictionary<string, Func<object>>>>(); bool atLeastOnePolicy = policySet.Policies.Any() || policySet.PolicySets.Any() || policySet.PolicyIdReferences_3_0.Any() || policySet.PolicySetIdReferences_3_0.Any(); // Policies foreach (XacmlPolicy pol in policySet.Policies) { policyResultsFunctions.Add(new Tuple<IEnumerable<XacmlCombinerParameter>, IDictionary<string, Func<object>>>( policySet.PolicyCombinerParameters.Where(o => string.Equals(o.PolicyIdRef.OriginalString, pol.PolicyId.OriginalString)).SelectMany(o => o.CombinerParameters), new Dictionary<string, Func<object>>() { { "evaluate", () => new Tuple<XacmlDecisionResult, string>(this.PolicyEvaluate(pol), string.Empty) }, { "isApplicable", () => { XacmlMatchResult policyTargetResult = this.TargetEvaluate(pol.Target); if(policyTargetResult == XacmlMatchResult.Indeterminate) { return null; } if (policyTargetResult == XacmlMatchResult.Match) { return true; } return false; } } })); } // PolicySets foreach (XacmlPolicySet pol in policySet.PolicySets) { policyResultsFunctions.Add(new Tuple<IEnumerable<XacmlCombinerParameter>, IDictionary<string, Func<object>>>( policySet.PolicySetCombinerParameters.Where(o => string.Equals(o.PolicySetIdRef.OriginalString, pol.PolicySetId.OriginalString)).SelectMany(o => o.CombinerParameters), new Dictionary<string, Func<object>>() { { "evaluate", () => new Tuple<XacmlDecisionResult, string>(this.PolicySetEvaluate(pol), string.Empty) }, { "isApplicable", () => { XacmlMatchResult policyTargetResult = this.TargetEvaluate(pol.Target); if(policyTargetResult == XacmlMatchResult.Indeterminate) { return null; } if (policyTargetResult == XacmlMatchResult.Match) { return true; } return false; } } })); } // Policy References foreach (XacmlContextPolicyIdReference polRef in policySet.PolicyIdReferences_3_0) { Uri uri; if (Uri.TryCreate(polRef.Value, UriKind.RelativeOrAbsolute, out uri)) { XacmlPolicy pol = this.ch.RequestPolicy(uri); if (pol == null) { throw new XacmlIndeterminateException("Unknown Policy reference: " + polRef.ToString()); } policyResultsFunctions.Add(new Tuple<IEnumerable<XacmlCombinerParameter>, IDictionary<string, Func<object>>>( policySet.PolicyCombinerParameters.Where(o => string.Equals(o.PolicyIdRef.OriginalString, pol.PolicyId.OriginalString)).SelectMany(o => o.CombinerParameters), new Dictionary<string, Func<object>>() { { "evaluate", () => new Tuple<XacmlDecisionResult, string>(this.PolicyEvaluate(pol), string.Empty) }, { "isApplicable", () => { XacmlMatchResult policyTargetResult = this.TargetEvaluate(pol.Target); if(policyTargetResult == XacmlMatchResult.Indeterminate) { return null; } if (policyTargetResult == XacmlMatchResult.Match) { return true; } return false; } } })); } else { throw Diagnostic.DiagnosticTools.ExceptionUtil.ThrowHelperFatal("Policy reference not URI - Not implemented", new NotImplementedException("Policy reference not URI - Not implemented")); } } // PolicySet References foreach (XacmlContextPolicySetIdReference polRef in policySet.PolicySetIdReferences_3_0) { Uri uri; if (Uri.TryCreate(polRef.Value, UriKind.RelativeOrAbsolute, out uri)) { XacmlPolicySet pol = this.ch.RequestPolicySet(uri); if (pol == null) { throw Diagnostic.DiagnosticTools.ExceptionUtil.ThrowHelperError(new XacmlIndeterminateException("Unknown PolicySet reference: " + polRef.ToString())); } policyResultsFunctions.Add(new Tuple<IEnumerable<XacmlCombinerParameter>, IDictionary<string, Func<object>>>( policySet.PolicySetCombinerParameters.Where(o => string.Equals(o.PolicySetIdRef.OriginalString, pol.PolicySetId.OriginalString)).SelectMany(o => o.CombinerParameters), new Dictionary<string, Func<object>>() { { "evaluate", () => new Tuple<XacmlDecisionResult, string>(this.PolicySetEvaluate(pol), string.Empty) }, { "isApplicable", () => { XacmlMatchResult policyTargetResult = this.TargetEvaluate(pol.Target); if(policyTargetResult == XacmlMatchResult.Indeterminate) { return null; } if (policyTargetResult == XacmlMatchResult.Match) { return true; } return false; } } })); } else { throw Diagnostic.DiagnosticTools.ExceptionUtil.ThrowHelperFatal("PolicySet reference not URI - Not implemented", new NotImplementedException("PolicySet reference not URI - Not implemented")); } } algResult = this.algorithms[policySet.PolicyCombiningAlgId.ToString()].Invoke(policyResultsFunctions, policySet.CombinerParameters); if (targetResult == XacmlMatchResult.Indeterminate) { algResult = this.SpecifyCombiningAlgorithmResult(algResult); } // Permit if (algResult == XacmlDecisionResult.Permit) { if (policySet.Obligations_3_0.Count > 0) { IEnumerable<XacmlObligationExpression> obligationsWithPermit = policySet.Obligations_3_0.Where(o => o.FulfillOn == XacmlEffectType.Permit); foreach (XacmlObligationExpression expression in obligationsWithPermit) { List<XacmlAttributeAssignment> attributeAssigments = new List<XacmlAttributeAssignment>(); foreach (XacmlAttributeAssignmentExpression ex in expression.AttributeAssignmentExpressions) { IEnumerable<XacmlAttributeAssignment> assignment = this.AttributeAssignmentExpressionEvaluate(ex); // ja Indeterminate, tad rezultāts arī if (assignment == null) { return XacmlDecisionResult.Indeterminate; } attributeAssigments.AddRange(assignment); } XacmlObligation obligation = new XacmlObligation(expression.ObligationId, attributeAssigments); this.obligations[expression.FulfillOn].Add(obligation); } } if (policySet.Advices.Count > 0) { IEnumerable<XacmlAdviceExpression> advicesWithPermit = policySet.Advices.Where(o => o.AppliesTo == XacmlEffectType.Permit); foreach (XacmlAdviceExpression expression in advicesWithPermit) { List<XacmlAttributeAssignment> attributeAssigments = new List<XacmlAttributeAssignment>(); foreach (XacmlAttributeAssignmentExpression ex in expression.AttributeAssignmentExpressions) { IEnumerable<XacmlAttributeAssignment> assignment = this.AttributeAssignmentExpressionEvaluate(ex); // ja Indeterminate, tad rezultāts arī if (assignment == null) { return XacmlDecisionResult.Indeterminate; } attributeAssigments.AddRange(assignment); } XacmlAdvice advice = new XacmlAdvice(expression.AdviceId, attributeAssigments); this.advices[expression.AppliesTo].Add(advice); } } this.applicablePolicySets[XacmlEffectType.Permit].Add(new XacmlContextPolicySetIdReference() { Value = policySet.PolicySetId.OriginalString, Version = new XacmlVersionMatchType(policySet.Version) }); } // Deny if (algResult == XacmlDecisionResult.Deny) { if (policySet.Obligations_3_0.Count > 0) { IEnumerable<XacmlObligationExpression> obligationsWithPermit = policySet.Obligations_3_0.Where(o => o.FulfillOn == XacmlEffectType.Deny); foreach (XacmlObligationExpression expression in obligationsWithPermit) { List<XacmlAttributeAssignment> attributeAssigments = new List<XacmlAttributeAssignment>(); foreach (XacmlAttributeAssignmentExpression ex in expression.AttributeAssignmentExpressions) { IEnumerable<XacmlAttributeAssignment> assignment = this.AttributeAssignmentExpressionEvaluate(ex); // ja Indeterminate, tad rezultāts arī if (assignment == null) { return XacmlDecisionResult.Indeterminate; } attributeAssigments.AddRange(assignment); } XacmlObligation obligation = new XacmlObligation(expression.ObligationId, attributeAssigments); this.obligations[expression.FulfillOn].Add(obligation); } } if (policySet.Advices.Count > 0) { IEnumerable<XacmlAdviceExpression> advicesWithPermit = policySet.Advices.Where(o => o.AppliesTo == XacmlEffectType.Deny); foreach (XacmlAdviceExpression expression in advicesWithPermit) { List<XacmlAttributeAssignment> attributeAssigments = new List<XacmlAttributeAssignment>(); foreach (XacmlAttributeAssignmentExpression ex in expression.AttributeAssignmentExpressions) { IEnumerable<XacmlAttributeAssignment> assignment = this.AttributeAssignmentExpressionEvaluate(ex); // ja Indeterminate, tad rezultāts arī if (assignment == null) { return XacmlDecisionResult.Indeterminate; } attributeAssigments.AddRange(assignment); } XacmlAdvice advice = new XacmlAdvice(expression.AdviceId, attributeAssigments); this.advices[expression.AppliesTo].Add(advice); } } this.applicablePolicySets[XacmlEffectType.Deny].Add(new XacmlContextPolicySetIdReference() { Value = policySet.PolicySetId.OriginalString, Version = new XacmlVersionMatchType(policySet.Version) }); } } } } } return algResult; }