using System;
using System.Collections.Generic;
using System.Linq;
using System.Security.Claims;
using System.Text.RegularExpressions;
using Altinn.Authorization.ABAC.Xacml;
using Altinn.Authorization.ABAC.Xacml.JsonProfile;
using Altinn.Common.PEP.Authorization;
using Altinn.Common.PEP.Constants;
using Altinn.Common.PEP.Models;
using Altinn.Common.PEP.Utils;
using Microsoft.AspNetCore.Authorization;
using Microsoft.AspNetCore.Http;
using Microsoft.AspNetCore.Routing;
using static Altinn.Authorization.ABAC.Constants.XacmlConstants;
namespace Altinn.Common.PEP.Helpers
{
/// <summary>
/// Represents a collection of helper methods for creating a decision request
/// </summary>
public static class DecisionHelper
{
// Keys used to look up values in RouteData.Values when a request is built from route data.
private const string ParamInstanceOwnerPartyId = "instanceOwnerPartyId";
private const string ParamInstanceGuid = "instanceGuid";
private const string ParamApp = "app";
private const string ParamOrg = "org";
private const string ParamAppId = "appId";
private const string ParamParty = "party";
// Issuer and data type passed to CreateXacmlJsonAttribute for attributes this helper builds itself
// (action and resource attributes); subject attributes carry the claim's own issuer instead.
private const string DefaultIssuer = "Altinn";
private const string DefaultType = "string";
// Values of the "party" route value that make the party be read from a request header
// rather than from the route itself.
private const string PersonHeaderTrigger = "person";
private const string OrganizationHeaderTrigger = "organization";
// Names of the request headers that carry the party identifier in that case.
private const string PersonHeader = "Altinn-Party-SocialSecurityNumber";
private const string OrganizationNumberHeader = "Altinn-Party-OrganizationNumber";
// Attribute-assignment categories looked up among the obligations of a PDP result.
private const string PolicyObligationMinAuthnLevel = "urn:altinn:minimum-authenticationlevel";
private const string PolicyObligationMinAuthnLevelOrg = "urn:altinn:minimum-authenticationlevel-org";
/// <summary>
/// Create a decision request for the policy decision point.
/// </summary>
/// <param name="org">Unique identifier of the organisation responsible for the app.</param>
/// <param name="app">Application identifier which is unique within an organisation.</param>
/// <param name="user">Claims principal user.</param>
/// <param name="actionType">Policy action type i.e. read, write, delete, instantiate.</param>
/// <param name="instanceOwnerPartyId">Unique id of the party that is the owner of the instance.</param>
/// <param name="instanceGuid">Unique id to identify the instance.</param>
/// <param name="taskid">The taskid. Will override contexthandler if present</param>
/// <returns>The decision request.</returns>
public static XacmlJsonRequestRoot CreateDecisionRequest(string org, string app, ClaimsPrincipal user, string actionType, int instanceOwnerPartyId, Guid? instanceGuid, string taskid = null)
{
    // Build the three XACML categories first: who is asking, what they want to do, and on what.
    XacmlJsonCategory subjectCategory = CreateSubjectCategory(user.Claims);
    XacmlJsonCategory actionCategory = CreateActionCategory(actionType);

    // Guid?.ToString() yields an empty string when no instance id is supplied;
    // CreateResourceCategory skips blank values, so no instance attribute is emitted then.
    XacmlJsonCategory resourceCategory = CreateResourceCategory(
        org,
        app,
        instanceOwnerPartyId.ToString(),
        instanceGuid.ToString(),
        taskid);

    XacmlJsonRequest decisionRequest = new XacmlJsonRequest
    {
        AccessSubject = new List<XacmlJsonCategory> { subjectCategory },
        Action = new List<XacmlJsonCategory> { actionCategory },
        Resource = new List<XacmlJsonCategory> { resourceCategory },
    };

    return new XacmlJsonRequestRoot { Request = decisionRequest };
}
/// <summary>
/// Create a new <see cref="XacmlJsonRequestRoot"/> to represent a decision request.
/// </summary>
/// <param name="context">The current <see cref="AuthorizationHandlerContext"/></param>
/// <param name="requirement">The access requirements</param>
/// <param name="routeData">The route data from a request.</param>
/// <returns>A decision request</returns>
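public static XacmlJsonRequestRoot CreateDecisionRequest(AuthorizationHandlerContext context, AppAccessRequirement requirement, RouteData routeData)
{
    XacmlJsonRequest request = new XacmlJsonRequest();
    request.AccessSubject = new List<XacmlJsonCategory>();
    request.Action = new List<XacmlJsonCategory>();
    request.Resource = new List<XacmlJsonCategory>();

    // Route values normally originate from the request URL, so every value read here is
    // caller-supplied input. They only describe the resource being asked about; the
    // decision itself is made by the PDP.
    string instanceGuid = routeData.Values[ParamInstanceGuid] as string;
    string app = routeData.Values[ParamApp] as string;
    string org = routeData.Values[ParamOrg] as string;
    string instanceOwnerPartyId = routeData.Values[ParamInstanceOwnerPartyId] as string;

    // Fall back to a combined "{org}/{app}" route value when neither part is given separately.
    if (string.IsNullOrWhiteSpace(app) && string.IsNullOrWhiteSpace(org))
    {
        string appId = routeData.Values[ParamAppId] as string;
        if (appId != null)
        {
            // Split once and check the shape. Previously an appId without a '/' raised an
            // IndexOutOfRangeException; it is now rejected with an explicit argument error.
            string[] appIdParts = appId.Split('/');
            if (appIdParts.Length < 2)
            {
                throw new ArgumentException("invalid appId, expected the form {org}/{app}");
            }

            org = appIdParts[0];
            app = appIdParts[1];
        }
    }

    request.AccessSubject.Add(CreateSubjectCategory(context.User.Claims));
    request.Action.Add(CreateActionCategory(requirement.ActionType));
    request.Resource.Add(CreateResourceCategory(org, app, instanceOwnerPartyId, instanceGuid, null));

    XacmlJsonRequestRoot jsonRequest = new XacmlJsonRequestRoot() { Request = request };
    return jsonRequest;
}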
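/// <summary>
/// Creates a decision request for a resource. The party is taken from the <c>party</c> route value when it is
/// numeric, otherwise from the organization number or social security number request header.
/// </summary>
/// <param name="context">The current <see cref="AuthorizationHandlerContext"/>.</param>
/// <param name="requirement">The resource access requirement, supplying the action type and resource id.</param>
/// <param name="routeData">The route data from the request.</param>
/// <param name="headers">The request headers.</param>
/// <returns>The decision request.</returns>
/// <exception cref="ArgumentException">Thrown when no valid party can be determined.</exception>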
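public static XacmlJsonRequestRoot CreateDecisionRequest(AuthorizationHandlerContext context, ResourceAccessRequirement requirement, RouteData routeData, IHeaderDictionary headers)
{
    XacmlJsonRequest request = new XacmlJsonRequest();
    request.AccessSubject = new List<XacmlJsonCategory>();
    request.Action = new List<XacmlJsonCategory>();
    request.Resource = new List<XacmlJsonCategory>();

    // The party route value and both party headers are caller-supplied. A header is only
    // used after the matching IDFormatDeterminator check has accepted its value.
    string party = routeData.Values[ParamParty] as string;

    request.AccessSubject.Add(CreateSubjectCategory(context.User.Claims));
    request.Action.Add(CreateActionCategory(requirement.ActionType));

    // string.Equals(a, b, ...) is null-safe, so a route without a "party" value now ends in
    // the ArgumentException below instead of a NullReferenceException on party.Equals.
    bool partyIsOrganizationTrigger = string.Equals(party, OrganizationHeaderTrigger, StringComparison.Ordinal);
    bool partyIsPersonTrigger = string.Equals(party, PersonHeaderTrigger, StringComparison.Ordinal);

    int? partyIid = TryParsePartyId(party);
    if (partyIid.HasValue)
    {
        // A numeric route value is used directly as the party id.
        request.Resource.Add(CreateResourceCategoryForResource(requirement.ResourceId, partyIid, null, null));
    }
    else if (partyIsOrganizationTrigger && headers.ContainsKey(OrganizationNumberHeader) && IDFormatDeterminator.IsValidOrganizationNumber(headers[OrganizationNumberHeader]))
    {
        request.Resource.Add(CreateResourceCategoryForResource(requirement.ResourceId, null, headers[OrganizationNumberHeader], null));
    }
    else if (partyIsPersonTrigger && headers.ContainsKey(PersonHeader) && IDFormatDeterminator.IsValidSSN(headers[PersonHeader]))
    {
        request.Resource.Add(CreateResourceCategoryForResource(requirement.ResourceId, null, null, headers[PersonHeader]));
    }
    else
    {
        // No request is built when the party cannot be identified. The message echoes the
        // route value, so anything that logs or returns it should treat it as untrusted text.
        throw new ArgumentException("invalid party " + party);
    }

    XacmlJsonRequestRoot jsonRequest = new XacmlJsonRequestRoot() { Request = request };
    return jsonRequest;
}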
/// <summary>
/// Create a new <see cref="XacmlJsonCategory"/> with a list of subject attributes based on the given claims.
/// </summary>
/// <param name="claims">The list of claims</param>
/// <returns>A populated subject category</returns>
public static XacmlJsonCategory CreateSubjectCategory(IEnumerable<Claim> claims)
{
    // The subject category is just a container for the attributes derived from the claims.
    return new XacmlJsonCategory
    {
        Attribute = CreateSubjectAttributes(claims),
    };
}
/// <summary>
/// Create a new <see cref="XacmlJsonCategory"/> attribute of type Action with the given action type
/// </summary>
/// <param name="actionType">The action type</param>
/// <param name="includeResult">A value indicating whether the value should be included in the result.</param>
/// <returns>The created category</returns>
public static XacmlJsonCategory CreateActionCategory(string actionType, bool includeResult = false)
{
    // An action category holds exactly one attribute: the action id, issued by the default issuer.
    XacmlJsonAttribute actionIdAttribute = CreateXacmlJsonAttribute(
        MatchAttributeIdentifiers.ActionId,
        actionType,
        DefaultType,
        DefaultIssuer,
        includeResult);

    return new XacmlJsonCategory
    {
        Attribute = new List<XacmlJsonAttribute> { actionIdAttribute },
    };
}
/// <summary>
/// Maps the user's claims to XACML subject attributes.
/// </summary>
/// <param name="claims">The claims to map.</param>
/// <returns>
/// One attribute per mapped claim, carrying the claim's value and the claim's own issuer.
/// Claims that match none of the rules below are left out.
/// </returns>
private static List<XacmlJsonAttribute> CreateSubjectAttributes(IEnumerable<Claim> claims)
{
    List<XacmlJsonAttribute> subjectAttributes = new List<XacmlJsonAttribute>();

    foreach (Claim claim in claims)
    {
        // Work out the attribute id first. The order of the checks matters: the named
        // claim types are translated before the generic URN pass-through is considered.
        string attributeId;
        if (IsCamelCaseOrgnumberClaim(claim.Type))
        {
            attributeId = AltinnXacmlUrns.OrganizationNumber;
        }
        else if (IsScopeClaim(claim.Type))
        {
            attributeId = AltinnXacmlUrns.Scope;
        }
        else if (IsJtiClaim(claim.Type))
        {
            attributeId = AltinnXacmlUrns.SessionId;
        }
        else if (IsValidUrn(claim.Type))
        {
            // URN-typed claims are forwarded under their own type.
            attributeId = claim.Type;
        }
        else
        {
            // Anything else is not sent to the PDP.
            continue;
        }

        subjectAttributes.Add(CreateXacmlJsonAttribute(attributeId, claim.Value, DefaultType, claim.Issuer));
    }

    return subjectAttributes;
}
/// <summary>
/// Builds the resource category for an app or instance request. Blank inputs produce no attribute.
/// </summary>
/// <param name="org">The organisation identifier.</param>
/// <param name="app">The application identifier.</param>
/// <param name="instanceOwnerPartyId">The party id of the instance owner.</param>
/// <param name="instanceGuid">The instance guid; only used together with a party id.</param>
/// <param name="task">The task id.</param>
/// <param name="includeResult">Applied to the party id and instance id attributes only.</param>
/// <returns>The populated resource category.</returns>
private static XacmlJsonCategory CreateResourceCategory(string org, string app, string instanceOwnerPartyId, string instanceGuid, string task, bool includeResult = false)
{
    List<XacmlJsonAttribute> resourceAttributes = new List<XacmlJsonAttribute>();

    bool hasPartyId = !string.IsNullOrWhiteSpace(instanceOwnerPartyId);
    bool hasInstanceGuid = !string.IsNullOrWhiteSpace(instanceGuid);

    if (hasPartyId)
    {
        resourceAttributes.Add(CreateXacmlJsonAttribute(AltinnXacmlUrns.PartyId, instanceOwnerPartyId, DefaultType, DefaultIssuer, includeResult));
    }

    // The instance id is "{partyId}/{instanceGuid}", so it needs both parts.
    if (hasInstanceGuid && hasPartyId)
    {
        string instanceId = instanceOwnerPartyId + "/" + instanceGuid;
        resourceAttributes.Add(CreateXacmlJsonAttribute(AltinnXacmlUrns.InstanceId, instanceId, DefaultType, DefaultIssuer, includeResult));
    }

    if (!string.IsNullOrWhiteSpace(org))
    {
        resourceAttributes.Add(CreateXacmlJsonAttribute(AltinnXacmlUrns.OrgId, org, DefaultType, DefaultIssuer));
    }

    if (!string.IsNullOrWhiteSpace(app))
    {
        resourceAttributes.Add(CreateXacmlJsonAttribute(AltinnXacmlUrns.AppId, app, DefaultType, DefaultIssuer));
    }

    if (!string.IsNullOrWhiteSpace(task))
    {
        resourceAttributes.Add(CreateXacmlJsonAttribute(AltinnXacmlUrns.TaskId, task, DefaultType, DefaultIssuer));
    }

    return new XacmlJsonCategory { Attribute = resourceAttributes };
}
/// <summary>
/// Builds the resource category for a resource request, with at most one party identifier.
/// </summary>
/// <param name="resourceid">The resource id; omitted from the category when blank.</param>
/// <param name="partyId">The party id; takes precedence over the other identifiers.</param>
/// <param name="organizationnumber">The organization number; used when no party id is given.</param>
/// <param name="ssn">The social security number; used when neither of the above is given.</param>
/// <param name="includeResult">Applied to the party identifier attribute only.</param>
/// <returns>The populated resource category.</returns>
private static XacmlJsonCategory CreateResourceCategoryForResource(string resourceid, int? partyId, string organizationnumber, string ssn, bool includeResult = false)
{
    List<XacmlJsonAttribute> resourceAttributes = new List<XacmlJsonAttribute>();

    // Pick the first identifier that is present: party id, then organization number, then SSN.
    string partyAttributeId = null;
    string partyAttributeValue = null;
    if (partyId.HasValue)
    {
        partyAttributeId = AltinnXacmlUrns.PartyId;
        partyAttributeValue = partyId.Value.ToString();
    }
    else if (!string.IsNullOrEmpty(organizationnumber))
    {
        partyAttributeId = AltinnXacmlUrns.OrganizationNumber;
        partyAttributeValue = organizationnumber;
    }
    else if (!string.IsNullOrEmpty(ssn))
    {
        partyAttributeId = AltinnXacmlUrns.Ssn;
        partyAttributeValue = ssn;
    }

    // partyAttributeValue is only set in a branch that found an identifier.
    if (partyAttributeValue != null)
    {
        resourceAttributes.Add(CreateXacmlJsonAttribute(partyAttributeId, partyAttributeValue, DefaultType, DefaultIssuer, includeResult));
    }

    if (!string.IsNullOrWhiteSpace(resourceid))
    {
        resourceAttributes.Add(CreateXacmlJsonAttribute(AltinnXacmlUrns.ResourceId, resourceid, DefaultType, DefaultIssuer));
    }

    return new XacmlJsonCategory { Attribute = resourceAttributes };
}
/// <summary>
/// Create a new <see cref="XacmlJsonAttribute"/> with the given values.
/// </summary>
/// <param name="attributeId">The attribute id</param>
/// <param name="value">The attribute value</param>
/// <param name="dataType">The datatype for the attribute value</param>
/// <param name="issuer">The issuer</param>
/// <param name="includeResult">A value indicating whether the value should be included in the result.</param>
/// <returns>A new created attribute</returns>
public static XacmlJsonAttribute CreateXacmlJsonAttribute(string attributeId, string value, string dataType, string issuer, bool includeResult = false)
{
    // Plain field-by-field copy; no value is validated or transformed here.
    return new XacmlJsonAttribute
    {
        AttributeId = attributeId,
        Value = value,
        DataType = dataType,
        Issuer = issuer,
        IncludeInResult = includeResult,
    };
}
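/// <summary>
/// Tells whether a claim type looks like a URN, i.e. starts with the <c>urn:</c> scheme prefix.
/// </summary>
/// <param name="value">The claim type to test.</param>
/// <returns>true when the value starts with <c>urn:</c>; false otherwise, including for null.</returns>
private static bool IsValidUrn(string value)
{
    // The previous pattern "^urn*" applied '*' to the letter 'n' only, so it accepted every
    // string starting with "ur" ("url", "urgent", ...). Any such claim type would have been
    // forwarded as a subject attribute. Require the literal scheme prefix instead.
    return value != null && value.StartsWith("urn:", StringComparison.Ordinal);
}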
/// <summary>
/// Tells whether the claim type is exactly <c>urn:altinn:orgNumber</c> (case-sensitive).
/// </summary>
/// <param name="value">The claim type to test.</param>
/// <returns>true on an exact match; otherwise false.</returns>
private static bool IsCamelCaseOrgnumberClaim(string value)
    => value.Equals("urn:altinn:orgNumber", StringComparison.Ordinal);
/// <summary>
/// Tells whether the claim type is exactly <c>scope</c> (case-sensitive).
/// </summary>
/// <param name="value">The claim type to test.</param>
/// <returns>true on an exact match; otherwise false.</returns>
private static bool IsScopeClaim(string value)
    => value.Equals("scope", StringComparison.Ordinal);
/// <summary>
/// Tells whether the claim type is exactly <c>jti</c> (case-sensitive).
/// </summary>
/// <param name="value">The claim type to test.</param>
/// <returns>true on an exact match; otherwise false.</returns>
private static bool IsJtiClaim(string value)
    => value.Equals("jti", StringComparison.Ordinal);
/// <summary>
/// Validate the response from PDP
/// </summary>
/// <param name="results">The response to validate</param>
/// <param name="user">The <see cref="ClaimsPrincipal"/></param>
/// <returns>true or false, valid or not</returns>
public static bool ValidatePdpDecision(List<XacmlJsonResult> results, ClaimsPrincipal user)
{
    if (results == null)
    {
        throw new ArgumentNullException(nameof(results));
    }

    if (user == null)
    {
        throw new ArgumentNullException(nameof(user));
    }

    // One request was sent, so exactly one result is expected. Zero or several results
    // are treated as a denial rather than picking one of them.
    bool hasSingleResult = results.Count == 1;
    return hasSingleResult && ValidateDecisionResult(results[0], user);
}
/// <summary>
/// Validate the response from PDP
/// </summary>
/// <param name="results">The response to validate</param>
/// <param name="user">The <see cref="ClaimsPrincipal"/></param>
/// <returns>The result of the validation</returns>
public static EnforcementResult ValidatePdpDecisionDetailed(List<XacmlJsonResult> results, ClaimsPrincipal user)
{
    if (results == null)
    {
        throw new ArgumentNullException(nameof(results));
    }

    if (user == null)
    {
        throw new ArgumentNullException(nameof(user));
    }

    // One request was sent, so exactly one result is expected. Zero or several results
    // are treated as a denial rather than picking one of them.
    if (results.Count == 1)
    {
        return ValidateDecisionResultDetailed(results[0], user);
    }

    return new EnforcementResult() { Authorized = false };
}
/// <summary>
/// Validate the response from PDP
/// </summary>
/// <param name="result">The response to validate</param>
/// <param name="user">The <see cref="ClaimsPrincipal"/></param>
/// <returns>true or false, valid or not</returns>
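public static bool ValidateDecisionResult(XacmlJsonResult result, ClaimsPrincipal user)
{
    // Authentication levels are machine-readable integers, so they are parsed culture-independently.
    bool TryParseLevel(string text, out int level) =>
        int.TryParse(text, System.Globalization.NumberStyles.Integer, System.Globalization.CultureInfo.InvariantCulture, out level);

    // Fail closed: only an explicit "Permit" can authorize. The static string.Equals is
    // null-safe, so a result without a decision string is a denial rather than a
    // NullReferenceException.
    if (!string.Equals(result.Decision, XacmlContextDecision.Permit.ToString(), StringComparison.Ordinal))
    {
        return false;
    }

    // A permit without obligations needs no further checks.
    if (result.Obligations == null)
    {
        return true;
    }

    List<XacmlJsonObligationOrAdvice> obligationList = result.Obligations;
    XacmlJsonAttributeAssignment attributeMinLvAuth = GetObligation(PolicyObligationMinAuthnLevel, obligationList);

    // Only the minimum-authentication-level obligation is enforced here.
    if (attributeMinLvAuth == null)
    {
        return true;
    }

    // A user without a readable authentication level cannot satisfy the obligation.
    // Previously a missing claim caused a NullReferenceException and a non-numeric
    // value a FormatException; both are now an explicit denial.
    Claim authLevelClaim = user.Claims.FirstOrDefault(c => c.Type.Equals("urn:altinn:authlevel"));
    int usersAuthenticationLevel = 0;
    if (authLevelClaim == null || !TryParseLevel(authLevelClaim.Value, out usersAuthenticationLevel))
    {
        return false;
    }

    // An obligation whose level cannot be read cannot be fulfilled, so it does not authorize.
    // (Convert.ToInt32 used to turn a null value into level 0, which every user met.)
    int minAuthenticationLevel;
    if (TryParseLevel(attributeMinLvAuth.Value, out minAuthenticationLevel) && usersAuthenticationLevel >= minAuthenticationLevel)
    {
        return true;
    }

    // Users carrying an org claim may instead meet the separate minimum level for organisations.
    if (user.Claims.FirstOrDefault(c => c.Type.Equals("urn:altinn:org")) != null)
    {
        XacmlJsonAttributeAssignment attributeMinLvAuthOrg = GetObligation(PolicyObligationMinAuthnLevelOrg, obligationList);
        int minAuthenticationLevelOrg;
        if (attributeMinLvAuthOrg != null
            && TryParseLevel(attributeMinLvAuthOrg.Value, out minAuthenticationLevelOrg)
            && usersAuthenticationLevel >= minAuthenticationLevelOrg)
        {
            return true;
        }
    }

    return false;
}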
/// <summary>
/// Validate the response from PDP
/// </summary>
/// <param name="result">The response to validate</param>
/// <param name="user">The <see cref="ClaimsPrincipal"/></param>
/// <returns>The result of the validation</returns>
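public static EnforcementResult ValidateDecisionResultDetailed(XacmlJsonResult result, ClaimsPrincipal user)
{
    // Authentication levels are machine-readable integers, so they are parsed culture-independently.
    bool TryParseLevel(string text, out int level) =>
        int.TryParse(text, System.Globalization.NumberStyles.Integer, System.Globalization.CultureInfo.InvariantCulture, out level);

    // Fail closed: only an explicit "Permit" can authorize. The static string.Equals is
    // null-safe, so a result without a decision string is a denial rather than a
    // NullReferenceException.
    if (!string.Equals(result.Decision, XacmlContextDecision.Permit.ToString(), StringComparison.Ordinal))
    {
        return new EnforcementResult() { Authorized = false };
    }

    // A permit without obligations needs no further checks.
    if (result.Obligations == null)
    {
        return new EnforcementResult() { Authorized = true };
    }

    List<XacmlJsonObligationOrAdvice> obligationList = result.Obligations;
    XacmlJsonAttributeAssignment attributeMinLvAuth = GetObligation(PolicyObligationMinAuthnLevel, obligationList);

    // Only the minimum-authentication-level obligation is enforced here.
    if (attributeMinLvAuth == null)
    {
        return new EnforcementResult() { Authorized = true };
    }

    // The level reported back to the caller when the obligation is not met.
    string minAuthenticationLevel = attributeMinLvAuth.Value;

    // A user without a readable authentication level cannot satisfy any level obligation.
    // Previously a missing claim caused a NullReferenceException and a non-numeric value
    // a FormatException; both now end in the denial at the bottom.
    Claim authLevelClaim = user.Claims.FirstOrDefault(c => c.Type.Equals("urn:altinn:authlevel"));
    int usersAuthenticationLevel = 0;
    bool usersLevelKnown = authLevelClaim != null && TryParseLevel(authLevelClaim.Value, out usersAuthenticationLevel);

    // An obligation whose level cannot be read cannot be fulfilled, so it does not authorize.
    // (Convert.ToInt32 used to turn a null value into level 0, which every user met.)
    int requiredLevel;
    if (usersLevelKnown && TryParseLevel(minAuthenticationLevel, out requiredLevel) && usersAuthenticationLevel >= requiredLevel)
    {
        return new EnforcementResult() { Authorized = true };
    }

    // Users carrying an org claim may instead meet the separate minimum level for organisations.
    if (user.Claims.FirstOrDefault(c => c.Type.Equals("urn:altinn:org")) != null)
    {
        XacmlJsonAttributeAssignment attributeMinLvAuthOrg = GetObligation(PolicyObligationMinAuthnLevelOrg, obligationList);
        if (attributeMinLvAuthOrg != null)
        {
            int requiredLevelOrg;
            if (usersLevelKnown && TryParseLevel(attributeMinLvAuthOrg.Value, out requiredLevelOrg) && usersAuthenticationLevel >= requiredLevelOrg)
            {
                return new EnforcementResult() { Authorized = true };
            }

            // For org users the organisation level is the one reported as required.
            minAuthenticationLevel = attributeMinLvAuthOrg.Value;
        }
    }

    return new EnforcementResult()
    {
        Authorized = false,
        FailedObligations = new Dictionary<string, string>()
        {
            { AltinnObligations.RequiredAuthenticationLevel, minAuthenticationLevel }
        }
    };
}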
/// <summary>
/// Finds the first attribute assignment with the given category among the obligations.
/// </summary>
/// <param name="category">The attribute-assignment category to look for.</param>
/// <param name="obligations">The obligations to search, in order.</param>
/// <returns>The first matching assignment, or null when no obligation has one.</returns>
private static XacmlJsonAttributeAssignment GetObligation(string category, List<XacmlJsonObligationOrAdvice> obligations)
{
    // NOTE(review): an obligation without assignments, or an assignment without a category,
    // would raise a NullReferenceException here - confirm the PDP response always sets both.
    for (int index = 0; index < obligations.Count; index++)
    {
        XacmlJsonAttributeAssignment match = obligations[index].AttributeAssignment.FirstOrDefault(a => a.Category.Equals(category));
        if (match != null)
        {
            return match;
        }
    }

    return null;
}
/// <summary>
/// Parses a party id from text.
/// </summary>
/// <param name="party">The text to parse; may be null.</param>
/// <returns>The parsed integer, or null when the text is not an integer.</returns>
private static int? TryParsePartyId(string party)
{
    int parsedPartyId;
    bool isNumeric = int.TryParse(party, out parsedPartyId);
    return isNumeric ? parsedPartyId : (int?)null;
}
}
}