ABAC XacmlPolicy attribute dictionary helper method
#474

As part of the integration with OED/DD (Digitalt dødsbo) as a new external role provider, an easy way to analyse and extract all attributeIds and values from a XacmlPolicy is needed.
This will be used to evaluate whether or not the policy contains a subject attribute for an OED/DD role code, and since it's populated to the XacmlPolicy object it will be cached alongside the policy itself.

The logic can later be reused by the resource-registry, which will need the same logic for analysing the policy for building the rolecode register and the required validation logic when publishing a resource.
Jon Kjetil Øye committed Sep 25, 2023
1 parent 008e3a3 commit a916361
Showing 1 changed file with 49 additions and 0 deletions.
49 changes: 49 additions & 0 deletions src/Altinn.Authorization.ABAC/Xacml/XacmlPolicy.cs
@@ -1,6 +1,8 @@
using System;
using System.Collections.Generic;
using System.Collections.ObjectModel;
using System.Linq;
using Altinn.Authorization.ABAC.Constants;
using Altinn.Authorization.ABAC.Utils;

namespace Altinn.Authorization.ABAC.Xacml
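Review bot: in the using block, nothing in the lines this commit adds calls a LINQ operator (the new method is nested foreach loops with ContainsKey/Add), so if `using System.Linq;` is one of the two added directives it is unused. Either drop it or rewrite the inner loop with LINQ, as the analyzer annotation on the innermost loop suggests.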
@@ -96,6 +98,8 @@ public class XacmlPolicy

private readonly ICollection<XacmlVariableDefinition> variableDefinitions = new Collection<XacmlVariableDefinition>();

private readonly IDictionary<string, IDictionary<string, Collection<string>>> categoryAttributes = new Dictionary<string, IDictionary<string, Collection<string>>>();

private XacmlTarget target;
private Uri policyId;
private Uri ruleCombiningAlgId;
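Review bot: the new `categoryAttributes` field is a plain `Dictionary` that is written lazily, and the commit message says the policy object is cached, so one instance can be hit by concurrent authorization requests while the dictionary is being mutated. `Dictionary` does not support concurrent writers; use a `ConcurrentDictionary` with `GetOrAdd`, a `Lazy<T>` per category, or build the lookup once when the policy is constructed. The field also needs a doc comment saying it is a derived cache of `Rules` and what happens if rules are added after the first lookup.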
@@ -308,6 +312,51 @@ public ICollection<XacmlAdviceExpression> AdviceExpressions
}
}

/// <summary>
/// Returns a dictionary of all unique attribute ids and a collection of all their values, which exists across all rules in the policy, for a given match attribute category.
/// </summary>
/// <param name="matchAttributeCategory">The Xacml match attribute category to collect attributes values of</param>
/// <returns>Dictionary of attribute ids and list of values</returns>
public IDictionary<string, Collection<string>> GetAttributeDictionaryByCategory(string matchAttributeCategory)

Check warning on line 320 in src/Altinn.Authorization.ABAC/Xacml/XacmlPolicy.cs

GitHub Actions / Analyze

Refactor this method to reduce its Cognitive Complexity from 30 to the 15 allowed. (https://rules.sonarsource.com/csharp/RSPEC-3776)
{
if (categoryAttributes.ContainsKey(matchAttributeCategory))
{
return categoryAttributes[matchAttributeCategory];
}

IDictionary<string, Collection<string>> categoryAttributeDict = new Dictionary<string, Collection<string>>();
categoryAttributes.Add(matchAttributeCategory, categoryAttributeDict);

foreach (XacmlRule rule in Rules)

Check warning on line 330 in src/Altinn.Authorization.ABAC/Xacml/XacmlPolicy.cs

GitHub Actions / Analyze

Rename 'rule' which hides the field with the same name. (https://rules.sonarsource.com/csharp/RSPEC-1117)
{
// should we care about permit?
if (rule.Effect.Equals(XacmlEffectType.Permit) && rule.Target != null)
{
foreach (XacmlAnyOf anyOf in rule.Target.AnyOf)
{
foreach (XacmlAllOf allOf in anyOf.AllOf)
{
foreach (XacmlMatch xacmlMatch in allOf.Matches)

Check warning on line 339 in src/Altinn.Authorization.ABAC/Xacml/XacmlPolicy.cs

GitHub Actions / Analyze

Loops should be simplified with "LINQ" expressions (https://rules.sonarsource.com/csharp/RSPEC-3267)
{
if (xacmlMatch.AttributeDesignator.Category.Equals(matchAttributeCategory))
{
string attributeId = xacmlMatch.AttributeDesignator.AttributeId.AbsoluteUri;
if (!categoryAttributeDict.ContainsKey(attributeId))
{
categoryAttributeDict.Add(attributeId, new Collection<string>());
}

categoryAttributeDict[attributeId].Add(xacmlMatch.AttributeValue.Value);
}
}
}
}
}
}

return categoryAttributes[matchAttributeCategory];
}

/// <summary>
/// The namespaces used in Policy
/// </summary>
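Review bot: `categoryAttributes.Add(matchAttributeCategory, categoryAttributeDict);` registers the dictionary before the loops fill it, so a second caller that passes the `ContainsKey` check during population, or any caller after an exception mid-loop, gets an empty or partial result that stays cached. Since the result is meant to decide whether a policy carries an OED/DD role-code subject attribute, a partial answer is a wrong authorization input; fill a local dictionary first and add it to the cache only once it is complete. Also worth addressing in the same method: `xacmlMatch.AttributeDesignator` is dereferenced without a null check, the returned `Collection<string>` instances are the cached ones and can be modified by callers (return a read-only view), the same value is appended again each time it recurs across rules although the summary promises unique attribute ids only, and the open question in `// should we care about permit?` should be resolved and documented, because rules with any other effect are silently skipped.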