First sample

.gitignore

@@ -5,9 +5,7 @@ riderModule.iml
 /_ReSharper.Caches/
 **/.DS_Store
 
-src/CSharp/.idea/.idea.Rsk.AuthZen/.idea/
-
+.idea
+*.DotSettings.user
 src/Typescript/dist/
 src/Typescript/node_modules
-
-src/CSharp/.idea/

Samples/CSharp/PolicyDrivenExpenses/AuthZenPolicyServer/AuthZenPolicyServer.csproj

@@ -0,0 +1,18 @@
+<Project Sdk="Microsoft.NET.Sdk.Web">
+    <PropertyGroup>
+        <TargetFramework>net10.0</TargetFramework>
+        <Nullable>enable</Nullable>
+        <ImplicitUsings>enable</ImplicitUsings>
+    </PropertyGroup>
+
+    <ItemGroup>
+        <PackageReference Include="Rsk.Enforcer.AuthZen" Version="6.1.1"/>
+    </ItemGroup>
+
+    <ItemGroup>
+      <None Remove="Policies\global.alfa" />
+      <EmbeddedResource Include="Policies\global.alfa" />
+      <None Remove="Policies\expenses.alfa" />
+      <EmbeddedResource Include="Policies\expenses.alfa" />
+    </ItemGroup>
+</Project>

Samples/CSharp/PolicyDrivenExpenses/AuthZenPolicyServer/Pages/Home.cshtml

@@ -0,0 +1,27 @@
+@page
+@model AuthZenPolicyServer.Pages.HomeModel
+@{
+    ViewData["Title"] = "Home";
+}
+
+<style>
+.alfa-keyword { color: #005cc5; font-weight: bold; }
+.alfa-literal { color: #032f62; }
+.alfa-number { color: #22863a; }
+.alfa-comment { color: #6a737d; font-style: italic; }
+.alfa-brace { color: #d73a49; font-weight: bold; }
+</style>
+
+<div class="container mt-5">
+    <h1 class="mb-4">Welcome to the AuthZen Policy Server</h1>
+    <p>This server is responsible for serving and managing the expense claim authorization decisions.</p>
+    @foreach (var policy in Model.PolicyFiles)
+    {
+        <h3 class="mt-5">Policy: <span class="text-primary">@policy.Name</span></h3>
+        <div class="card bg-light border-primary mt-3 mb-5">
+            <div class="card-body">
+                <pre class="mb-0 text-dark" style="white-space: pre-wrap; background: #f8f9fa; border-left: 5px solid #0d6efd; padding: 1em;"><code>@Html.Raw(Model.PolicyHtml(policy.Content))</code></pre>
+            </div>
+        </div>
+    }
+</div>

Samples/CSharp/PolicyDrivenExpenses/AuthZenPolicyServer/Pages/Home.cshtml.cs

@@ -0,0 +1,59 @@
+using Microsoft.AspNetCore.Html;
+using Microsoft.AspNetCore.Mvc.RazorPages;
+using System.Text.RegularExpressions;
+using System.Reflection;
+
+namespace AuthZenPolicyServer.Pages
+{
+    public class HomeModel : PageModel
+    {
+        public string PolicyText { get; set; } = string.Empty;
+        public List<(string Name, string Content)> PolicyFiles { get; set; } = new();
+
+        public void OnGet()
+        {
+            var assembly = Assembly.GetExecutingAssembly();
+            var resources = assembly.GetManifestResourceNames()
+                .Where(r => r.Contains(".Policies.") && r.EndsWith(".alfa"));
+            foreach (var resource in resources)
+            {
+                using var stream = assembly.GetManifestResourceStream(resource);
+                using var reader = new StreamReader(stream!);
+                var content = reader.ReadToEnd();
+                var name = resource.Substring(resource.LastIndexOf(".Policies.") + 10);
+                PolicyFiles.Add((name, content));
+            }
+        }
+
+        public static string ColorizePolicy(string policy)
+        {
+            // Colorize comments first
+            string result = Regex.Replace(policy, "//.*", "<span class='alfa-comment'>$0</span>", RegexOptions.None, TimeSpan.FromSeconds(1));
+            // Colorize strings
+            result = Regex.Replace(result, "\"([^\"]*)\"", "<span class='alfa-literal'>\"$1\"</span>", RegexOptions.None, TimeSpan.FromSeconds(1));
+            // Keywords
+            string[] keywords = new[] { "namespace", "import", "attribute", "policyset", "policy", "apply", "firstApplicable", "denyUnlessPermit", "permitUnlessDeny", "target", "clause", "rule", "condition", "permit", "deny", "on", "advice" , "money" , "int" , "double" , "time" , "obligation" , "string" , "date" , "let"};
+            foreach (var keyword in keywords)
+            {
+                result = Regex.Replace(result, $@"\b{keyword}\b", $"<span class='alfa-keyword'>{keyword}</span>", RegexOptions.None, TimeSpan.FromSeconds(1));
+            }
+            // Numbers
+            result = Regex.Replace(result, "(?<=\\s|^)([0-9]+(\\.[0-9]+)?)(?=\\s|$)", "<span class='alfa-number'>$1</span>", RegexOptions.None, TimeSpan.FromSeconds(1));
+            // Braces
+            result = result.Replace("{", "<span class='alfa-brace'>{</span>");
+            result = result.Replace("}", "<span class='alfa-brace'>}</span>");
+            // HTML encode everything except our tags
+            result = Regex.Replace(result, "(<[^>]+>|[^<]+)", match =>
+            {
+                if (match.Value.StartsWith("<"))
+                    return match.Value; // leave tags alone
+                return System.Net.WebUtility.HtmlEncode(match.Value);
+            });
+            // Fix double-encoding of quotes inside attributes
+            result = result.Replace("&#39;", "'").Replace("&quot;", "\"");
+            return result;
+        }
+
+        public HtmlString PolicyHtml(string policy) => new HtmlString(ColorizePolicy(policy));
+    }
+}

Samples/CSharp/PolicyDrivenExpenses/AuthZenPolicyServer/Pages/_ViewImports.cshtml

@@ -0,0 +1,2 @@
+@namespace AuthZenPolicyServer.Pages
+

Samples/CSharp/PolicyDrivenExpenses/AuthZenPolicyServer/Policies/expenses.alfa

@@ -0,0 +1,102 @@
+namespace acmeCorp
+{
+
+    import Oasis.Functions.*
+    import Oasis.Attributes.*
+    import Enforcer.AuthZen.*
+
+    attribute ExpenseTotal { id ="total" type=money category=resourceCat}
+    attribute ApproverId { id ="approver" type=string category=resourceCat}
+
+    //
+    // Policies for handling the creation, and approval of expense claims
+    //
+    policyset expenses
+    {
+       target clause ResourceType == "expenses"
+       apply denyUnlessPermit
+
+       policy CreateExpenseClaim
+       policy SubmitExpenseClaim
+       policy ViewClaimsToApprove
+       policy ApproveAndRejectClaims
+    }
+
+    policy CreateExpenseClaim {
+      target clause Action == "CreateClaim"
+      apply denyUnlessPermit
+
+      rule CanCreateExpenseClaim { 
+          condition Role == "employee"
+          permit 
+      }
+
+      on deny 
+      {
+          advice authZenContext
+          {
+              error = "Must be an employee to create a claim"
+          }
+      }
+    }
+
+    policy SubmitExpenseClaim 
+    {
+      apply permitUnlessDeny
+
+      target clause Action == "SubmitClaim"
+      rule {
+          condition ExpenseTotal > 1000:money and Role == "employee"
+          deny
+          on deny 
+          {
+              advice authZenContext
+              {
+                  error = "Claim must be less than 1000 GBP"
+              }
+          }
+      }
+      rule { 
+            condition Role != "employee" 
+            deny
+
+          on deny 
+          {
+              advice authZenContext
+              {
+                  error = "Must be an employee to submit a claim"
+              }
+          }
+      }
+    }
+
+    policy ViewClaimsToApprove
+     {
+         target clause Action == "ListClaimsToApprove"
+         apply denyUnlessPermit
+
+         rule CanListClaims { 
+             condition Role == "manager"
+             permit 
+         }
+
+         on deny 
+         {
+             advice authZenContext
+             {
+                 error = "Must be a manager to approve claims"
+             }
+         }
+    }
+
+    policy ApproveAndRejectClaims
+    {
+       target clause Action == "AcceptClaim" or Action == "RejectClaim"
+       apply permitUnlessDeny
+
+       rule {
+           condition Subject.Identifier != ApproverId and Role == "manager"
+           deny
+       }
+    }
+}

Samples/CSharp/PolicyDrivenExpenses/AuthZenPolicyServer/Policies/global.alfa

@@ -0,0 +1,9 @@
+namespace acmeCorp
+{
+     policyset global
+     {    
+         apply firstApplicable
+         policy expenses
+     }  
+}
+

Samples/CSharp/PolicyDrivenExpenses/AuthZenPolicyServer/Program.cs

@@ -0,0 +1,39 @@
+using AuthZenPolicyServer;
+using Rsk.Enforcer;
+using Rsk.Enforcer.AuthZen;
+using Rsk.Enforcer.PAP.Store;
+using Rsk.Enforcer.PEP;
+
+public class Program
+{
+    public static void Main(string[] args)
+    {
+        var builder = WebApplication.CreateBuilder(args);
+
+        builder.Services.AddRazorPages();
+        builder.Services
+            .AddEnforcer("acmeCorp.global",options =>
+            {
+                options.Licensee = "DEMO";
+                options.LicenseKey = "Get a free license from https://www.identityserver.com/products/enforcer";
+            })
+            .AddPolicyEnforcementPoint(o => o.Bias = PepBias.Deny)
+            .AddAuthZen()
+            .AddAuthZenAdvice()
+            .AddPolicyAttributeProvider<SubjectAttributeProvider>()
+            .AddEmbeddedPolicyStore(typeof(Program).Assembly, "AuthZenPolicyServer.Policies");
+
+        var app = builder.Build();
+
+        app.UseEnforcerAuthZen();
+        app.UseStaticFiles();
+        app.UseRouting();
+        app.MapRazorPages();
+        app.MapGet("/", context =>
+        {
+            context.Response.Redirect("/Home");
+            return Task.CompletedTask;
+        });
+        app.Run();
+    }
+}

Samples/CSharp/PolicyDrivenExpenses/AuthZenPolicyServer/Properties/launchSettings.json

@@ -0,0 +1,23 @@
+{
+  "$schema": "https://json.schemastore.org/launchsettings.json",
+  "profiles": {
+    "http": {
+      "commandName": "Project",
+      "dotnetRunMessages": true,
+      "launchBrowser": true,
+      "applicationUrl": "http://localhost:5208",
+      "environmentVariables": {
+        "ASPNETCORE_ENVIRONMENT": "Development"
+      }
+    },
+    "https": {
+      "commandName": "Project",
+      "dotnetRunMessages": true,
+      "launchBrowser": true,
+      "applicationUrl": "https://localhost:7064;http://localhost:5208",
+      "environmentVariables": {
+        "ASPNETCORE_ENVIRONMENT": "Development"
+      }
+    }
+  }
+}

Samples/CSharp/PolicyDrivenExpenses/AuthZenPolicyServer/SubjectAttributeProvider.cs

@@ -0,0 +1,37 @@
+using Rsk.Enforcer.Oasis.PolicyModel;
+using Rsk.Enforcer.PIP;
+using Rsk.Enforcer.PolicyModels;
+
+namespace AuthZenPolicyServer;
+
+public class AcmeCorpPerson()
+{
+    [PolicyAttributeValue(PolicyAttributeCategories.Subject, "role")]
+    public IEnumerable<string> Roles { get; init; } = [];
+}
+
+public class SubjectAttributeProvider : RecordAttributeValueProvider<AcmeCorpPerson>
+{
+    private static readonly Dictionary<string, AcmeCorpPerson> people = new()
+    {
+        ["bob"] = new AcmeCorpPerson() { Roles = ["employee"]},
+        ["alice"] = new AcmeCorpPerson() { Roles = ["employee","manager"]},
+    };
+
+    protected override async Task<AcmeCorpPerson> GetRecordValue(IAttributeResolver attributeResolver,
+        CancellationToken ct)
+    {
+        IReadOnlyCollection<string>? identifiers = await attributeResolver
+            .Resolve<string>(Rsk.Enforcer.Oasis.Attributes.Subject.Identifier, ct);
+
+        string? identifier = identifiers.SingleOrDefault();
+        if (identifier == null) return null!;
+
+        if (people.TryGetValue(identifier, out AcmeCorpPerson? person))
+        {
+            return person;
+        }
+
+        return null!;
+    }
+}

Samples/CSharp/PolicyDrivenExpenses/AuthZenPolicyServer/appsettings.Development.json

@@ -0,0 +1,8 @@
+{
+  "Logging": {
+    "LogLevel": {
+      "Default": "Information",
+      "Microsoft.AspNetCore": "Warning"
+    }
+  }
+}

Samples/CSharp/PolicyDrivenExpenses/AuthZenPolicyServer/appsettings.json

@@ -0,0 +1,9 @@
+{
+  "Logging": {
+    "LogLevel": {
+      "Default": "Information",
+      "Microsoft.AspNetCore": "Warning"
+    }
+  },
+  "AllowedHosts": "*"
+}

Samples/CSharp/PolicyDrivenExpenses/PolicyDrivenExpenses.sln

@@ -0,0 +1,22 @@
+
+Microsoft Visual Studio Solution File, Format Version 12.00
+Project("{FAE04EC0-301F-11D3-BF4B-00C04F79EFBC}") = "WebApp", "WebApp\WebApp.csproj", "{10B37E26-0292-47E2-AFF8-37C074922F77}"
+EndProject
+Project("{FAE04EC0-301F-11D3-BF4B-00C04F79EFBC}") = "AuthZenPolicyServer", "AuthZenPolicyServer\AuthZenPolicyServer.csproj", "{EF708F15-E567-4151-8BE4-A1FB5BD56EEA}"
+EndProject
+Global
+	GlobalSection(SolutionConfigurationPlatforms) = preSolution
+		Debug|Any CPU = Debug|Any CPU
+		Release|Any CPU = Release|Any CPU
+	EndGlobalSection
+	GlobalSection(ProjectConfigurationPlatforms) = postSolution
+		{10B37E26-0292-47E2-AFF8-37C074922F77}.Debug|Any CPU.ActiveCfg = Debug|Any CPU
+		{10B37E26-0292-47E2-AFF8-37C074922F77}.Debug|Any CPU.Build.0 = Debug|Any CPU
+		{10B37E26-0292-47E2-AFF8-37C074922F77}.Release|Any CPU.ActiveCfg = Release|Any CPU
+		{10B37E26-0292-47E2-AFF8-37C074922F77}.Release|Any CPU.Build.0 = Release|Any CPU
+		{EF708F15-E567-4151-8BE4-A1FB5BD56EEA}.Debug|Any CPU.ActiveCfg = Debug|Any CPU
+		{EF708F15-E567-4151-8BE4-A1FB5BD56EEA}.Debug|Any CPU.Build.0 = Debug|Any CPU
+		{EF708F15-E567-4151-8BE4-A1FB5BD56EEA}.Release|Any CPU.ActiveCfg = Release|Any CPU
+		{EF708F15-E567-4151-8BE4-A1FB5BD56EEA}.Release|Any CPU.Build.0 = Release|Any CPU
+	EndGlobalSection
+EndGlobal

Samples/CSharp/PolicyDrivenExpenses/WebApp/ApplicationDbContext.cs

@@ -0,0 +1,11 @@
+using Microsoft.AspNetCore.Identity;
+using Microsoft.AspNetCore.Identity.EntityFrameworkCore;
+using Microsoft.EntityFrameworkCore;
+
+namespace WebApp;
+
+public sealed class ApplicationDbContext(DbContextOptions<ApplicationDbContext> options)
+    : IdentityDbContext<IdentityUser>(options)
+{
+}
+