Add Bruno test and fix max limit in revoke all (#157)

* Bruno test revoke all instance delegation single instance Fix and negative test for revoke 11 delegations * Fix test name * Revrote all test to have a descriptive name for each test step and use assert instead of axpect Revrote all test testing multiple iterations of delegations to use for loop Revrote al test to expect to to be in alist to not be vulnerable to difrent sorting from server and not using sorting on client as this would only fix it for one environment but could be difrent in other environment based on the uuid of that user. * Fixed expected path according to code change as it is instanceId that will make the number of policies handled not ResourceId * Fix expected after change in code
Altinn · Dec 11, 2024 · b28dc08 · b28dc08
1 parent 0ef5e6a
commit b28dc08
Show file tree

Hide file tree

Showing 54 changed files with 2,965 additions and 45 deletions.
diff --git a/...nagement/src/Altinn.AccessManagement.Core/Configuration/AppsInstanceDelegationSettings.cs b/...nagement/src/Altinn.AccessManagement.Core/Configuration/AppsInstanceDelegationSettings.cs
@@ -0,0 +1,13 @@
+namespace Altinn.AccessManagement.Core.Configuration
+{
+    /// <summary>
+    /// AppsInstanceDelegationSettings
+    /// </summary>
+    public class AppsInstanceDelegationSettings
+    {
+        /// <summary>
+        /// Sets the maximum policy files to handle under revoke all calls
+        /// </summary>
+        public int MaxPolicyFilesToRevoke { get; set; } 
+    }
+}
diff --git a/src/apps/Altinn.AccessManagement/src/Altinn.AccessManagement.Core/Errors/ValidationErrors.cs b/src/apps/Altinn.AccessManagement/src/Altinn.AccessManagement.Core/Errors/ValidationErrors.cs
@@ -40,5 +40,5 @@ private static readonly ValidationErrorDescriptorFactory _factory
     /// Gets a validation error descriptor for when a Resource not has any delegable rights for the app
     /// </summary>
     public static ValidationErrorDescriptor ToManyDelegationsToRevoke { get; }
-        = _factory.Create(5, $"There must be 10 or less policy files to update.");
+        = _factory.Create(5, $"There is to many policy files to update. Must delete individual delegations.");
 }
diff --git a/...cessManagement/src/Altinn.AccessManagement.Core/Services/AppsInstanceDelegationService.cs b/...cessManagement/src/Altinn.AccessManagement.Core/Services/AppsInstanceDelegationService.cs
@@ -1,6 +1,7 @@
 using System.ComponentModel.DataAnnotations;
 using System.Formats.Asn1;
 using Altinn.AccessManagement.Core.Clients.Interfaces;
+using Altinn.AccessManagement.Core.Configuration;
 using Altinn.AccessManagement.Core.Constants;
 using Altinn.AccessManagement.Core.Enums;
 using Altinn.AccessManagement.Core.Errors;
@@ -16,7 +17,7 @@
 using Altinn.Platform.Register.Models;
 using Altinn.Urn;
 using Altinn.Urn.Json;
-using static System.Runtime.InteropServices.JavaScript.JSType;
+using Microsoft.Extensions.Options;
 
 namespace Altinn.AccessManagement.Core.Services.Implementation;
 
@@ -29,17 +30,19 @@ public class AppsInstanceDelegationService : IAppsInstanceDelegationService
     private readonly IPolicyInformationPoint _pip;
     private readonly IPolicyAdministrationPoint _pap;
     private readonly IResourceRegistryClient _resourceRegistryClient;
+    private readonly AppsInstanceDelegationSettings _appsInstanceDelegationSettings;
     private readonly string appInstanceResourcePath = "appInstanceDelegationRequest.Resource";
 
     /// <summary>
     /// Initializes a new instance of the <see cref="AppsInstanceDelegationService"/> class.
     /// </summary>
-    public AppsInstanceDelegationService(IPartiesClient partiesClient, IResourceRegistryClient resourceRegistryClient, IPolicyInformationPoint pip, IPolicyAdministrationPoint pap)
+    public AppsInstanceDelegationService(IPartiesClient partiesClient, IOptions<AppsInstanceDelegationSettings> appsInstanceDelegationSettings, IResourceRegistryClient resourceRegistryClient, IPolicyInformationPoint pip, IPolicyAdministrationPoint pap)
     {
         _partiesClient = partiesClient;
         _pip = pip;
         _resourceRegistryClient = resourceRegistryClient;
         _pap = pap;
+        _appsInstanceDelegationSettings = appsInstanceDelegationSettings.Value;
     }
 
     private async Task<(UuidType DelegationType, Guid? Uuid)> TranslatePartyUuidToPersonOrganizationUuid(PartyUrn partyId)
@@ -306,6 +309,17 @@ public async Task<Result<List<AppsInstanceRevokeResponse>>> RevokeAll(AppsInstan
             }
         }
 
+        int limit = _appsInstanceDelegationSettings.MaxPolicyFilesToRevoke;
+        if (rightsToRevoke.Count > limit)
+        {
+            errors.Add(ValidationErrors.ToManyDelegationsToRevoke, "InstanceId");
+
+            if (errors.TryBuild(out errorResult))
+            {
+                return errorResult;
+            }
+        }
+
         // Perform Revoke
         List<InstanceRight> revokedResult = await _pap.TryWriteInstanceRevokeAllPolicyRules(rightsToRevoke, cancellationToken);
         List<AppsInstanceRevokeResponse> result = TransformInstanceRightListToAppsInstanceDelegationResponseList(revokedResult);

diff --git a/src/apps/Altinn.AccessManagement/src/Altinn.AccessManagement/AccessManagementHost.cs b/src/apps/Altinn.AccessManagement/src/Altinn.AccessManagement/AccessManagementHost.cs
@@ -124,6 +124,7 @@ private static void ConfigureAppsettings(this WebApplicationBuilder builder)
         builder.Services.Configure<KeyVaultSettings>(config.GetSection("kvSetting"));
         builder.Services.Configure<OidcProviderSettings>(config.GetSection("OidcProviders"));
         builder.Services.Configure<UserProfileLookupSettings>(config.GetSection("UserProfileLookupSettings"));
+        builder.Services.Configure<AppsInstanceDelegationSettings>(config.GetSection("AppsInstanceDelegationSettings"));
     }
 
     private static void ConfigureAuthorization(this WebApplicationBuilder builder)

diff --git a/src/apps/Altinn.AccessManagement/src/Altinn.AccessManagement/appsettings.json b/src/apps/Altinn.AccessManagement/src/Altinn.AccessManagement/appsettings.json
@@ -65,5 +65,8 @@
     "RightsDelegationApi": false,
     "OpenTelementry": false,
     "UseNewQueryRepo": true
+  },
+  "AppsInstanceDelegationSettings": {
+    "MaxPolicyFilesToRevoke": 10
   }
 }
diff --git a/...cessManagement.Tests/Controllers/ResourceOwnerAPI/AppsInstanceDelegationControllerTest.cs b/...cessManagement.Tests/Controllers/ResourceOwnerAPI/AppsInstanceDelegationControllerTest.cs
@@ -125,6 +125,22 @@ public async Task AppsInstanceDelegationController_ValidToken_RevokeAll_OK(strin
         AssertionUtil.AssertPagination(expected, actual, AssertionUtil.AssertAppsInstanceRevokeResponseDto);        
     }
 
+    [Theory]
+    [MemberData(nameof(TestDataAppsInstanceDelegation.RevokeAllToManyPolicyFiles), MemberType = typeof(TestDataAppsInstanceDelegation))]
+    public async Task AppsInstanceDelegationController_ValidToken_RevokeAll_ToManyPolicyFilesToUpdate(string platformToken, string resourceId, string instanceId, AltinnProblemDetails expected)
+    {
+        var client = GetTestClient(platformToken);
+
+        // Act
+        HttpResponseMessage response = await client.DeleteAsync($"accessmanagement/api/v1/app/delegationrevoke/resource/{resourceId}/instance/{instanceId}");
+
+        // Assert
+        Assert.Equal(HttpStatusCode.BadRequest, response.StatusCode);
+
+        AltinnProblemDetails actual = JsonSerializer.Deserialize<AltinnProblemDetails>(await response.Content.ReadAsStringAsync(), options);
+        TestDataAppsInstanceDelegation.AssertAltinnProblemDetailsEqual(expected, actual);
+    }
+
     [Theory]
     [MemberData(nameof(TestDataAppsInstanceDelegation.RevokeAllUnathorized), MemberType = typeof(TestDataAppsInstanceDelegation))]
     public async Task AppsInstanceDelegationController_NoToken_RevokeAll_Unauthorized(string resourceId, string instanceId)

diff --git a/...st/Altinn.AccessManagement.Tests/Data/AuthorizedParties/TestDataAppsInstanceDelegation.cs b/...st/Altinn.AccessManagement.Tests/Data/AuthorizedParties/TestDataAppsInstanceDelegation.cs
@@ -33,6 +33,8 @@ public static class TestDataAppsInstanceDelegation
 
     private static readonly string RevokeAllInstance = "00000000-0000-0000-0000-000000000010";
 
+    private static readonly string RevokeAllInstanceToManyPolicyFiles = "00000000-0000-0000-0000-000000000011";
+
     /// <summary>
     /// Test case:  GET v1/apps/instancedelegation/{resourceId}/{instanceId}/delegationcheck
     ///             with: 
@@ -129,6 +131,16 @@ public static class TestDataAppsInstanceDelegation
         }
     };
 
+    public static TheoryData<string, string, string, AltinnProblemDetails> RevokeAllToManyPolicyFiles() => new()
+    {
+        {
+            PrincipalUtil.GetAccessToken("ttd", "am-devtest-instancedelegation"),
+            AppId,
+            RevokeAllInstanceToManyPolicyFiles,
+            GetExpectedResponse<AltinnProblemDetails>("Revoke", AppId, RevokeAllInstanceToManyPolicyFiles)
+        }
+    };
+
     public static TheoryData<string, string> RevokeAllUnathorized() => new()
     {
         {

diff --git a/.../app_ttd_am-devtest-instancedelegation/00000000-0000-0000-0000-000000000011/response.json b/.../app_ttd_am-devtest-instancedelegation/00000000-0000-0000-0000-000000000011/response.json
@@ -0,0 +1,16 @@
+{
+	"type": "https://tools.ietf.org/html/rfc9110#section-15.5.1",
+	"title": "Bad Request",
+	"status": 400,
+	"detail": "One or more validation errors occurred.",
+	"code": "STD-00000",
+	"validationErrors": [
+		{
+			"code": "AM.VLD-00005",
+			"detail": "There is to many policy files to update. Must delete individual delegations.",
+			"paths": [
+				"InstanceId"
+			]
+		}
+	]
+}
diff --git a/...ce/app_ttd_am-devtest-instancedelegation/000000000011/N/000000000010/delegationpolicy.xml b/...ce/app_ttd_am-devtest-instancedelegation/000000000011/N/000000000010/delegationpolicy.xml
@@ -0,0 +1,42 @@
+<?xml version="1.0" encoding="utf-8"?>
+<xacml:Policy PolicyId="urn:altinn:policyid:1" Version="1.0" RuleCombiningAlgId="urn:oasis:names:tc:xacml:3.0:policy-combining-algorithm:deny-overrides" xmlns:xacml="urn:oasis:names:tc:xacml:3.0:core:schema:wd-17">
+	<xacml:Description>Delegation policy containing all delegated rights/actions from urn:altinn:organization:uuid:0268b99a-5817-4bbf-9b62-d90b16d527ea to urn:altinn:person:uuid:ce4ba72b-d111-404f-95b5-313fb3847fa1, for the resource; app_ttd_am-devtest-instancedelegation</xacml:Description>
+	<xacml:Target />
+	<xacml:Rule RuleId="96b20b71-06fb-4d59-9538-38bfa72774fb" Effect="Permit">
+		<xacml:Description>Delegation of a right/action from urn:altinn:organization:uuid:0268b99a-5817-4bbf-9b62-d90b16d527ea to urn:altinn:person:uuid:ce4ba72b-d111-404f-95b5-313fb3847fa1, for the resource: app_ttd_am-devtest-instancedelegation, by: urn:altinn:resource:app_ttd_am-devtest-instancedelegation</xacml:Description>
+		<xacml:Target>
+			<xacml:AnyOf>
+				<xacml:AllOf>
+					<xacml:Match MatchId="urn:oasis:names:tc:xacml:3.0:function:string-equal-ignore-case">
+						<xacml:AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">CE4BA72B-D111-404F-95B5-313FB3847FA1</xacml:AttributeValue>
+						<xacml:AttributeDesignator AttributeId="urn:altinn:person:uuid" Category="urn:oasis:names:tc:xacml:1.0:subject-category:access-subject" DataType="http://www.w3.org/2001/XMLSchema#string" MustBePresent="false" />
+					</xacml:Match>
+				</xacml:AllOf>
+			</xacml:AnyOf>
+			<xacml:AnyOf>
+				<xacml:AllOf>
+					<xacml:Match MatchId="urn:oasis:names:tc:xacml:3.0:function:string-equal-ignore-case">
+						<xacml:AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">app_ttd_am-devtest-instancedelegation</xacml:AttributeValue>
+						<xacml:AttributeDesignator AttributeId="urn:altinn:resource" Category="urn:oasis:names:tc:xacml:3.0:attribute-category:resource" DataType="http://www.w3.org/2001/XMLSchema#string" MustBePresent="false" />
+					</xacml:Match>
+					<xacml:Match MatchId="urn:oasis:names:tc:xacml:3.0:function:string-equal-ignore-case">
+						<xacml:AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">task_1</xacml:AttributeValue>
+						<xacml:AttributeDesignator AttributeId="urn:altinn:task" Category="urn:oasis:names:tc:xacml:3.0:attribute-category:resource" DataType="http://www.w3.org/2001/XMLSchema#string" MustBePresent="false" />
+					</xacml:Match>
+					<xacml:Match MatchId="urn:oasis:names:tc:xacml:3.0:function:string-equal-ignore-case">
+						<xacml:AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">00000000-0000-0000-0000-000000000011</xacml:AttributeValue>
+						<xacml:AttributeDesignator AttributeId="urn:altinn:resource:instance-id" Category="urn:oasis:names:tc:xacml:3.0:attribute-category:resource" DataType="http://www.w3.org/2001/XMLSchema#string" MustBePresent="false" />
+					</xacml:Match>
+				</xacml:AllOf>
+			</xacml:AnyOf>
+			<xacml:AnyOf>
+				<xacml:AllOf>
+					<xacml:Match MatchId="urn:oasis:names:tc:xacml:3.0:function:string-equal-ignore-case">
+						<xacml:AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">read</xacml:AttributeValue>
+						<xacml:AttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id" Category="urn:oasis:names:tc:xacml:3.0:attribute-category:action" DataType="http://www.w3.org/2001/XMLSchema#string" MustBePresent="false" />
+					</xacml:Match>
+				</xacml:AllOf>
+			</xacml:AnyOf>
+		</xacml:Target>
+	</xacml:Rule>
+</xacml:Policy>
diff --git a/...ce/app_ttd_am-devtest-instancedelegation/000000000011/N/000000000012/delegationpolicy.xml b/...ce/app_ttd_am-devtest-instancedelegation/000000000011/N/000000000012/delegationpolicy.xml
@@ -0,0 +1,79 @@
+<?xml version="1.0" encoding="utf-8"?>
+<xacml:Policy PolicyId="urn:altinn:policyid:1" Version="1.0" RuleCombiningAlgId="urn:oasis:names:tc:xacml:3.0:policy-combining-algorithm:deny-overrides" xmlns:xacml="urn:oasis:names:tc:xacml:3.0:core:schema:wd-17">
+	<xacml:Description>Delegation policy containing all delegated rights/actions from urn:altinn:organization:uuid:0268b99a-5817-4bbf-9b62-d90b16d527ea to urn:altinn:person:uuid:ce4ba72b-d111-404f-95b5-313fb3847fa1, for the resource; app_ttd_am-devtest-instancedelegation</xacml:Description>
+	<xacml:Target />
+	<xacml:Rule RuleId="96b20b71-06fb-4d59-9538-38bfa72774fb" Effect="Permit">
+		<xacml:Description>Delegation of a right/action from urn:altinn:organization:uuid:0268b99a-5817-4bbf-9b62-d90b16d527ea to urn:altinn:person:uuid:ce4ba72b-d111-404f-95b5-313fb3847fa1, for the resource: app_ttd_am-devtest-instancedelegation, by: urn:altinn:resource:app_ttd_am-devtest-instancedelegation</xacml:Description>
+		<xacml:Target>
+			<xacml:AnyOf>
+				<xacml:AllOf>
+					<xacml:Match MatchId="urn:oasis:names:tc:xacml:3.0:function:string-equal-ignore-case">
+						<xacml:AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">0268B99A-5817-4BBF-9B62-D90B16D527EA</xacml:AttributeValue>
+						<xacml:AttributeDesignator AttributeId="urn:altinn:person:uuid" Category="urn:oasis:names:tc:xacml:1.0:subject-category:access-subject" DataType="http://www.w3.org/2001/XMLSchema#string" MustBePresent="false" />
+					</xacml:Match>
+				</xacml:AllOf>
+			</xacml:AnyOf>
+			<xacml:AnyOf>
+				<xacml:AllOf>
+					<xacml:Match MatchId="urn:oasis:names:tc:xacml:3.0:function:string-equal-ignore-case">
+						<xacml:AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">app_ttd_am-devtest-instancedelegation</xacml:AttributeValue>
+						<xacml:AttributeDesignator AttributeId="urn:altinn:resource" Category="urn:oasis:names:tc:xacml:3.0:attribute-category:resource" DataType="http://www.w3.org/2001/XMLSchema#string" MustBePresent="false" />
+					</xacml:Match>
+					<xacml:Match MatchId="urn:oasis:names:tc:xacml:3.0:function:string-equal-ignore-case">
+						<xacml:AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">task_1</xacml:AttributeValue>
+						<xacml:AttributeDesignator AttributeId="urn:altinn:task" Category="urn:oasis:names:tc:xacml:3.0:attribute-category:resource" DataType="http://www.w3.org/2001/XMLSchema#string" MustBePresent="false" />
+					</xacml:Match>
+					<xacml:Match MatchId="urn:oasis:names:tc:xacml:3.0:function:string-equal-ignore-case">
+						<xacml:AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">00000000-0000-0000-0000-000000000011</xacml:AttributeValue>
+						<xacml:AttributeDesignator AttributeId="urn:altinn:resource:instance-id" Category="urn:oasis:names:tc:xacml:3.0:attribute-category:resource" DataType="http://www.w3.org/2001/XMLSchema#string" MustBePresent="false" />
+					</xacml:Match>
+				</xacml:AllOf>
+			</xacml:AnyOf>
+			<xacml:AnyOf>
+				<xacml:AllOf>
+					<xacml:Match MatchId="urn:oasis:names:tc:xacml:3.0:function:string-equal-ignore-case">
+						<xacml:AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">read</xacml:AttributeValue>
+						<xacml:AttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id" Category="urn:oasis:names:tc:xacml:3.0:attribute-category:action" DataType="http://www.w3.org/2001/XMLSchema#string" MustBePresent="false" />
+					</xacml:Match>
+				</xacml:AllOf>
+			</xacml:AnyOf>
+		</xacml:Target>
+	</xacml:Rule>
+	<xacml:Rule RuleId="96b20b71-06fb-4d59-9538-38bfa72774fb" Effect="Permit">
+		<xacml:Description>Delegation of a right/action from urn:altinn:organization:uuid:0268b99a-5817-4bbf-9b62-d90b16d527ea to urn:altinn:person:uuid:ce4ba72b-d111-404f-95b5-313fb3847fa1, for the resource: app_ttd_am-devtest-instancedelegation, by: urn:altinn:resource:app_ttd_am-devtest-instancedelegation</xacml:Description>
+		<xacml:Target>
+			<xacml:AnyOf>
+				<xacml:AllOf>
+					<xacml:Match MatchId="urn:oasis:names:tc:xacml:3.0:function:string-equal-ignore-case">
+						<xacml:AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">0268B99A-5817-4BBF-9B62-D90B16D527EA</xacml:AttributeValue>
+						<xacml:AttributeDesignator AttributeId="urn:altinn:person:uuid" Category="urn:oasis:names:tc:xacml:1.0:subject-category:access-subject" DataType="http://www.w3.org/2001/XMLSchema#string" MustBePresent="false" />
+					</xacml:Match>
+				</xacml:AllOf>
+			</xacml:AnyOf>
+			<xacml:AnyOf>
+				<xacml:AllOf>
+					<xacml:Match MatchId="urn:oasis:names:tc:xacml:3.0:function:string-equal-ignore-case">
+						<xacml:AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">app_ttd_am-devtest-instancedelegation</xacml:AttributeValue>
+						<xacml:AttributeDesignator AttributeId="urn:altinn:resource" Category="urn:oasis:names:tc:xacml:3.0:attribute-category:resource" DataType="http://www.w3.org/2001/XMLSchema#string" MustBePresent="false" />
+					</xacml:Match>
+					<xacml:Match MatchId="urn:oasis:names:tc:xacml:3.0:function:string-equal-ignore-case">
+						<xacml:AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">task_1</xacml:AttributeValue>
+						<xacml:AttributeDesignator AttributeId="urn:altinn:task" Category="urn:oasis:names:tc:xacml:3.0:attribute-category:resource" DataType="http://www.w3.org/2001/XMLSchema#string" MustBePresent="false" />
+					</xacml:Match>
+					<xacml:Match MatchId="urn:oasis:names:tc:xacml:3.0:function:string-equal-ignore-case">
+						<xacml:AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">00000000-0000-0000-0000-000000000011</xacml:AttributeValue>
+						<xacml:AttributeDesignator AttributeId="urn:altinn:resource:instance-id" Category="urn:oasis:names:tc:xacml:3.0:attribute-category:resource" DataType="http://www.w3.org/2001/XMLSchema#string" MustBePresent="false" />
+					</xacml:Match>
+				</xacml:AllOf>
+			</xacml:AnyOf>
+			<xacml:AnyOf>
+				<xacml:AllOf>
+					<xacml:Match MatchId="urn:oasis:names:tc:xacml:3.0:function:string-equal-ignore-case">
+						<xacml:AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">sign</xacml:AttributeValue>
+						<xacml:AttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id" Category="urn:oasis:names:tc:xacml:3.0:attribute-category:action" DataType="http://www.w3.org/2001/XMLSchema#string" MustBePresent="false" />
+					</xacml:Match>
+				</xacml:AllOf>
+			</xacml:AnyOf>
+		</xacml:Target>
+	</xacml:Rule>
+</xacml:Policy>