using BuildingBlock.Identity.Contracts.Requests;
using BuildingBlock.Identity.Contracts.Responses;
using BuildingBlock.Identity.Contracts.Conventions;
using Thalos.Domain.Contracts;
namespace Thalos.Domain.Decisions;
/// <summary>
/// Default domain implementation for identity policy decision workflows.
/// </summary>
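public sealed class IdentityPolicyDecisionService : IIdentityPolicyDecisionService
{
    // Permission-code prefix that external providers (Azure AD, Google) are confined to;
    // an external provider can never satisfy a permission outside this namespace.
    private const string ExternalProviderPermissionPrefix = "identity.";

    /// <summary>
    /// Projects an evaluation request onto the context lookup request (subject, tenant,
    /// permission code, provider) that is used to fetch the policy context data.
    /// </summary>
    /// <param name="request">The incoming policy evaluation request.</param>
    /// <returns>A context request carrying the request's subject, tenant, permission code and provider.</returns>
    /// <exception cref="ArgumentNullException"><paramref name="request"/> is <see langword="null"/>.</exception>
    public IdentityPolicyContextRequest BuildPolicyContextRequest(EvaluateIdentityPolicyRequest request)
    {
        ArgumentNullException.ThrowIfNull(request);

        return new IdentityPolicyContextRequest(
            request.SubjectId,
            request.TenantId,
            request.PermissionCode,
            request.Provider);
    }

    /// <summary>
    /// Decides whether the requested permission is granted. The verdict is positive only when
    /// the requested permission code appears in the context's granted permissions
    /// (case-insensitive) AND the provider-specific context check passes.
    /// </summary>
    /// <param name="request">The incoming policy evaluation request.</param>
    /// <param name="policyContextData">Context data previously loaded for this request.</param>
    /// <returns>A response echoing the subject and permission code together with the combined verdict.</returns>
    /// <exception cref="ArgumentNullException">
    /// <paramref name="request"/> or <paramref name="policyContextData"/> is <see langword="null"/>.
    /// </exception>
    public EvaluateIdentityPolicyResponse Evaluate(
        EvaluateIdentityPolicyRequest request,
        IdentityPolicyContextData policyContextData)
    {
        ArgumentNullException.ThrowIfNull(request);
        ArgumentNullException.ThrowIfNull(policyContextData);

        // Ordinal, case-insensitive match: permission codes are identifiers, not user-facing text.
        bool permissionMatched = policyContextData.GrantedPermissions.Any(granted =>
            string.Equals(granted, request.PermissionCode, StringComparison.OrdinalIgnoreCase));
        bool providerSatisfied = IsProviderContextSatisfied(request.Provider, policyContextData);

        // NOTE(review): the grant check reads request.PermissionCode while the provider check
        // reads policyContextData.PermissionCode; this assumes the context data was loaded for
        // this same request (via BuildPolicyContextRequest) — confirm the caller guarantees that.
        return new EvaluateIdentityPolicyResponse(
            request.SubjectId,
            request.PermissionCode,
            providerSatisfied && permissionMatched);
    }

    /// <summary>
    /// Provider-specific part of the decision: denies outright when the context is not
    /// satisfied, accepts internal JWTs unconditionally, confines external providers to
    /// permission codes under <see cref="ExternalProviderPermissionPrefix"/>, and denies
    /// any other (including unknown) provider value.
    /// </summary>
    /// <param name="provider">Authentication provider the request was made under.</param>
    /// <param name="policyContextData">Context data loaded for the request.</param>
    /// <returns><see langword="true"/> when the provider context is acceptable.</returns>
    private static bool IsProviderContextSatisfied(
        IdentityAuthProvider provider,
        IdentityPolicyContextData policyContextData)
    {
        // An unsatisfied context is a deny regardless of provider.
        if (!policyContextData.ContextSatisfied)
        {
            return false;
        }

        // Unknown provider values fall through to the default arm and are denied (fail closed).
        // assumes policyContextData.PermissionCode is non-null — TODO confirm against its contract
        return provider switch
        {
            IdentityAuthProvider.InternalJwt => true,
            IdentityAuthProvider.AzureAd or IdentityAuthProvider.Google =>
                policyContextData.PermissionCode.StartsWith(
                    ExternalProviderPermissionPrefix,
                    StringComparison.OrdinalIgnoreCase),
            _ => false,
        };
    }
}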