using BuildingBlock.Identity.Contracts.Requests;
using BuildingBlock.Identity.Contracts.Responses;
using BuildingBlock.Identity.Contracts.Conventions;
using Thalos.Domain.Contracts;
namespace Thalos.Domain.Decisions;
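/// <summary>
/// Default domain implementation for identity policy decision workflows.
/// </summary>
/// <remarks>
/// The decision is fail-closed: a request is authorised only when the resolved
/// policy context is satisfied, the provider-specific rule passes, and the
/// requested permission code appears among the granted permissions. Providers
/// not explicitly handled are always denied.
/// </remarks>
public sealed class IdentityPolicyDecisionService : IIdentityPolicyDecisionService
{
    // Permission namespace that external identity providers (Azure AD, Google)
    // are confined to; they cannot satisfy permissions outside this prefix.
    private const string ExternalProviderPermissionPrefix = "identity.";

    /// <inheritdoc />
    /// <remarks>
    /// Copies subject, tenant, permission code and provider verbatim from
    /// <paramref name="request"/>; no normalisation or validation happens here.
    /// </remarks>
    /// <exception cref="ArgumentNullException"><paramref name="request"/> is <see langword="null"/>.</exception>
    public IdentityPolicyContextRequest BuildPolicyContextRequest(EvaluateIdentityPolicyRequest request)
    {
        // Fail with a descriptive argument exception instead of a NullReferenceException.
        ArgumentNullException.ThrowIfNull(request);

        return new IdentityPolicyContextRequest(
            request.SubjectId,
            request.TenantId,
            request.PermissionCode,
            request.Provider);
    }

    /// <inheritdoc />
    /// <remarks>
    /// <para>Permission codes are compared ordinally and case-insensitively. This is a
    /// deliberate choice and must agree with whatever normalisation the grant store applies,
    /// otherwise a grant for <c>Foo.Bar</c> would not match a request for <c>foo.bar</c> or vice versa.</para>
    /// <para>NOTE(review): the provider rule inspects <c>policyContextData.PermissionCode</c>
    /// while the grant check inspects <c>request.PermissionCode</c>. If a caller can supply a
    /// context that was resolved for a different permission (or subject/tenant) than the
    /// request being evaluated, the two should be cross-checked and the decision denied on
    /// mismatch — confirm against the code that resolves the context.</para>
    /// </remarks>
    /// <exception cref="ArgumentNullException">Either argument is <see langword="null"/>.</exception>
    public EvaluateIdentityPolicyResponse Evaluate(
        EvaluateIdentityPolicyRequest request,
        IdentityPolicyContextData policyContextData)
    {
        ArgumentNullException.ThrowIfNull(request);
        ArgumentNullException.ThrowIfNull(policyContextData);

        var providerSatisfied = IsProviderContextSatisfied(request.Provider, policyContextData);

        // Equivalent to an Any(...) with string.Equals(..., OrdinalIgnoreCase).
        var permissionMatched = policyContextData.GrantedPermissions.Contains(
            request.PermissionCode,
            StringComparer.OrdinalIgnoreCase);

        return new EvaluateIdentityPolicyResponse(
            request.SubjectId,
            request.PermissionCode,
            providerSatisfied && permissionMatched);
    }

    /// <summary>
    /// Applies the per-provider rule on top of the generic context check.
    /// </summary>
    /// <param name="provider">Authentication provider the request arrived through.</param>
    /// <param name="policyContextData">Resolved policy context for the request.</param>
    /// <returns>
    /// <see langword="false"/> when the context itself is not satisfied or the provider is
    /// not explicitly handled; otherwise the provider-specific result.
    /// </returns>
    private static bool IsProviderContextSatisfied(
        IdentityAuthProvider provider,
        IdentityPolicyContextData policyContextData)
    {
        // A failed generic context short-circuits every provider.
        if (!policyContextData.ContextSatisfied)
        {
            return false;
        }

        return provider switch
        {
            // First-party tokens are trusted for any permission once the context holds.
            IdentityAuthProvider.InternalJwt => true,
            // External IdPs may only satisfy permissions inside the "identity." namespace.
            IdentityAuthProvider.AzureAd or IdentityAuthProvider.Google =>
                IsExternalProviderPermission(policyContextData.PermissionCode),
            // Fail closed for any provider not listed above.
            _ => false,
        };
    }

    /// <summary>
    /// True when <paramref name="permissionCode"/> lies in the namespace that external
    /// providers are allowed to satisfy (ordinal, case-insensitive prefix match).
    /// </summary>
    /// <param name="permissionCode">Permission code taken from the resolved policy context.</param>
    private static bool IsExternalProviderPermission(string permissionCode) =>
        permissionCode.StartsWith(ExternalProviderPermissionPrefix, StringComparison.OrdinalIgnoreCase);
}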