Public/OAuth2/Get-Evaluate.ps1
|
<# .SYNOPSIS Evaluate policies based on the resource access requested. .DESCRIPTION Evaluates all types of policies that are applicable to the resource(s) requested with respect to the subject specified. Before evaluating the policies, the subject token will be validated to make sure the subject is authenticated. Once the validation is successful, the subject permissions will be evaluated against the resource policies to see what actions the subject can do on the resource. Any client with auth_iam_policy_evaluation scope will be able to do this operation. Condition based evaluation If evaluation need to be done based on certain circumstances under which the policy must be allowed, environment attribute can be used to achieve that. For example, verify if the subject has the requested permission under a specific organization or not. Supported environment condition key is - organizationId. Given an organization ID, evaluation will filter the policy decision check with respect to the specified organization. Requested permission based evaluation A resource can be evaluated with a specific request permission. This allows client to evaluate whether a specific permission is available for the subject to access the requested resource. For example, a resource attribute value of https://my-service.example.com/patient/Observation?requestedPermission=OBSERVATION.READ means that while evaluating this resource check whether the subject has OBSERVATION.READ permission. .OUTPUTS Returns an EvalResponse as a PSObject .PARAMETER Application The application otherwise known as the policySetId .PARAMETER Resources An array of resource urls to evaulate .PARAMETER Token An optional token to use to evaulate. If not supplied then the current configured user's bearer token will be used. .PARAMETER TokenType One of the following token types: "ACCESS_TOKEN","SSO_TOKEN". The default is access. .PARAMETER Environment An optional hashtable containing environment configuration. .PARAMETER V2 A switch to use version 2 of the /authorize/policy/$evaluate API. .EXAMPLE $eval = Get-Evaluate -application $policySetId -Resources @($resource) -Environment @{"organizationId" = $Org.Id} .LINK https://www.hsdp.io/documentation/identity-and-access-management-iam/api-documents/resource-reference-api/policy-api-v3#/Policy%20evaluation/post_authorize_policy__evaluate .NOTES POST: /authorize/policy/$evaluate v3 (optional v2 usage) #> function Get-Evaluate { [CmdletBinding()] [OutputType([PSObject])] param( [Parameter(Position = 0, Mandatory = $true)] [String]$Application, [Parameter(Position = 1, Mandatory = $true)] [Array]$Resources, [Parameter(Position = 2, Mandatory = $false)] [String]$Token = $null, [Parameter(Position = 3, Mandatory = $false)] [ValidateSet("ACCESS_TOKEN","SSO_TOKEN")] [String]$TokenType = "ACCESS_TOKEN", [Parameter(Position = 4, Mandatory = $false)] [Hashtable]$Environment, [Parameter(Position = 5, Mandatory = $false)] [Switch]$V2 ) begin { Write-Verbose "[$($MyInvocation.MyCommand.Name)] Function started" } process { Write-Debug "[$($MyInvocation.MyCommand.Name)] PSBoundParameters: $($PSBoundParameters | Out-String)" # Use the current user token if not specified if (-not $Token) { $Token = Get-Token } $body = @{ "application" = $Application; "resources" = $Resources; "subject" = @{ "type"= $TokenType; "value" = $Token; }; } if ($Environment) { $body.Add("environment", $Environment); } $config = Get-Config if ($V2) { Write-Output (Invoke-ApiRequest -Path "/authorize/policy/`$evaluate" -Version 2 -AddHsdpApiSignature -Method Post -Base $config.IamUrl -Body $body -ValidStatusCodes @(200)) } else { $OAuth2ClientId = $config.ClientCredentials.GetNetworkCredential().username $OAuth2ClientPassword = $config.ClientCredentials.GetNetworkCredential().password $auth = "Basic " + [convert]::ToBase64String([Text.Encoding]::ASCII.GetBytes("$($OAuth2ClientId):$($OAuth2ClientPassword)")) Write-Output (Invoke-ApiRequest -Path "/authorize/policy/`$evaluate" -Version 3 -Method Post -Base $config.IamUrl -Body $body -ValidStatusCodes @(200) -Authorization $auth) } } end { Write-Verbose "[$($MyInvocation.MyCommand.Name)] Complete" } } |