/// <summary> /// Creates a Result using an XmlReader instance provided. /// </summary> /// <param name="reader">The XmlReader positioned at the Result node.</param> /// <param name="schemaVersion">The version of the schema that was used to validate.</param> public ResultElement(XmlReader reader, XacmlVersion schemaVersion) : base(XacmlSchema.Context, schemaVersion) { if (reader == null) { throw new ArgumentNullException("reader"); } if (reader.LocalName == ContextSchema.ResultElement.Result) { while (reader.Read()) { switch (reader.LocalName) { case ContextSchema.ResultElement.Decision: // The parsing should be safe because the document was validated using a Xsd Shcema _decision = (rtm.Decision)Enum.Parse(typeof(rtm.Decision), reader.ReadElementString(), false); break; case ContextSchema.StatusElement.Status: _status = new StatusElement(reader, schemaVersion); break; case ObligationsElement.Obligations: while (reader.Read()) { switch (reader.LocalName) { case ObligationElement.Obligation: _obligations.Add(new pol.ObligationElement(reader, schemaVersion)); break; } // Trick to support multiple nodes of the same name. if (reader.LocalName == ObligationsElement.Obligations && reader.NodeType == XmlNodeType.EndElement) { reader.Read(); break; } } break; } if (reader.LocalName == ContextSchema.ResultElement.Result && reader.NodeType == XmlNodeType.EndElement) { break; } } } else { throw new Exception(Resource.ResourceManager[Resource.MessageKey.exc_invalid_node_name, reader.LocalName]); } }
/// <summary> /// Process the obligations for the policy. /// </summary> /// <param name="context">The evaluation context instance.</param> private void ProcessObligations(EvaluationContext context) { _obligations = new pol.ObligationCollection(); if (_evaluationValue != Decision.Indeterminate && _evaluationValue != Decision.NotApplicable && _policySet.Obligations != null && _policySet.Obligations.Count != 0) { foreach (pol.ObligationElement obl in _policySet.Obligations) { if ((obl.FulfillOn == pol.Effect.Deny && _evaluationValue == Decision.Deny) || (obl.FulfillOn == pol.Effect.Permit && _evaluationValue == Decision.Permit)) { context.Trace("Adding obligation: {0} ", obl.ObligationId); _obligations.Add(obl); } } // Get all obligations from child policies foreach (IMatchEvaluable child in _policies) { IObligationsContainer oblig = child as IObligationsContainer; if (oblig != null && oblig.Obligations != null) { foreach (pol.ObligationElement childObligation in oblig.Obligations) { if ((childObligation.FulfillOn == pol.Effect.Deny && _evaluationValue == Decision.Deny) || (childObligation.FulfillOn == pol.Effect.Permit && _evaluationValue == Decision.Permit)) { _obligations.Add(childObligation); } } } } } }
/// <summary> /// Evaluates the policy. /// </summary> /// <param name="context">The evaluation context instance.</param> /// <returns>The decission result for this policy.</returns> public Decision Evaluate( EvaluationContext context ) { if (context == null) throw new ArgumentNullException("context"); context.Trace( "Evaluating policy: {0}", _policy.Description ); context.AddIndent(); context.CurrentPolicy = this; try { // Evaluate the variables if( this._policy.SchemaVersion == XacmlVersion.Version20 ) { if( _variables == null ) { context.Trace( "Evaluating variables..." ); _variables = new Hashtable(); foreach( pol.VariableDefinitionElement variableDef in _policy.VariableDefinitions.Values ) { VariableDefinition variable = new VariableDefinition( variableDef ); _variables.Add( variableDef.Id, variable ); } } } // Matches the target. TargetEvaluationValue targetEvaluationValue = Match( context ); // If the target matches. if( targetEvaluationValue == TargetEvaluationValue.Match ) { context.Trace( "Rule combination algorithm: {0}", _policy.RuleCombiningAlgorithm ); // Evaluate all rules and apply rule combination inf.IRuleCombiningAlgorithm rca = EvaluationEngine.CreateRuleCombiningAlgorithm( _policy.RuleCombiningAlgorithm ); _evaluationValue = rca.Evaluate( context, _rules ); } else if( targetEvaluationValue == TargetEvaluationValue.NoMatch ) { _evaluationValue = Decision.NotApplicable; } else if( targetEvaluationValue == TargetEvaluationValue.Indeterminate ) { _evaluationValue = Decision.Indeterminate; } context.Trace( "Policy: {0}", _evaluationValue ); // Copy all the obligations. _obligations = new pol.ObligationCollection(); if( _evaluationValue != Decision.Indeterminate && _evaluationValue != Decision.NotApplicable && _policy.Obligations != null && _policy.Obligations.Count != 0 ) { foreach( pol.ObligationElement obl in _policy.Obligations ) { if( ( obl.FulfillOn == pol.Effect.Deny && _evaluationValue == Decision.Deny ) || ( obl.FulfillOn == pol.Effect.Permit && _evaluationValue == Decision.Permit ) ) { context.Trace( "Adding obligation: {0} ", obl.ObligationId ); _obligations.Add( obl ); } } } return _evaluationValue; } finally { context.RemoveIndent(); context.CurrentPolicy = null; } }
/// <summary> /// Evaluates the policy. /// </summary> /// <param name="context">The evaluation context instance.</param> /// <returns>The decission result for this policy.</returns> public Decision Evaluate(EvaluationContext context) { if (context == null) { throw new ArgumentNullException("context"); } context.Trace("Evaluating policy: {0}", _policy.Description); context.AddIndent(); context.CurrentPolicy = this; try { // Evaluate the variables if (this._policy.SchemaVersion == XacmlVersion.Version20) { if (_variables == null) { context.Trace("Evaluating variables..."); _variables = new Hashtable(); foreach (pol.VariableDefinitionElement variableDef in _policy.VariableDefinitions.Values) { VariableDefinition variable = new VariableDefinition(variableDef); _variables.Add(variableDef.Id, variable); } } } // Matches the target. TargetEvaluationValue targetEvaluationValue = Match(context); // If the target matches. if (targetEvaluationValue == TargetEvaluationValue.Match) { context.Trace("Rule combination algorithm: {0}", _policy.RuleCombiningAlgorithm); // Evaluate all rules and apply rule combination inf.IRuleCombiningAlgorithm rca = EvaluationEngine.CreateRuleCombiningAlgorithm(_policy.RuleCombiningAlgorithm); _evaluationValue = rca.Evaluate(context, _rules); } else if (targetEvaluationValue == TargetEvaluationValue.NoMatch) { _evaluationValue = Decision.NotApplicable; } else if (targetEvaluationValue == TargetEvaluationValue.Indeterminate) { _evaluationValue = Decision.Indeterminate; } context.Trace("Policy: {0}", _evaluationValue); // Copy all the obligations. _obligations = new pol.ObligationCollection(); if (_evaluationValue != Decision.Indeterminate && _evaluationValue != Decision.NotApplicable && _policy.Obligations != null && _policy.Obligations.Count != 0) { foreach (pol.ObligationElement obl in _policy.Obligations) { if ((obl.FulfillOn == pol.Effect.Deny && _evaluationValue == Decision.Deny) || (obl.FulfillOn == pol.Effect.Permit && _evaluationValue == Decision.Permit)) { context.Trace("Adding obligation: {0} ", obl.ObligationId); _obligations.Add(obl); } } } return(_evaluationValue); } finally { context.RemoveIndent(); context.CurrentPolicy = null; } }