chores/add authorization #117

andreasisnes · 2024-11-29T12:23:47Z

Verification

Your code builds clean without any errors or warnings
Manual testing done (required)
Relevant automated test added (if you find this hard, leave it and we'll help out)
All tests run green

Documentation

User documentation is updated with a separate linked PR in altinn-studio-docs. (if applicable)

src/apps/Altinn.Authorization/src/Altinn.Authorization/Controllers/DecisionController.cs

+        {
+            try
+            {
+                if (Request.ContentType.Contains("application/json"))


To fix the problem, we need to ensure that the decision to call AuthorizeJsonRequest or AuthorizeXmlRequest is not based solely on user-controlled data. Instead, we should validate the ContentType header securely before making the decision. One way to achieve this is to use a whitelist of allowed content types and ensure that the content type is valid before proceeding.

We will add a method to validate the content type and use this method in the Post action to decide which authorization method to call. This ensures that only valid content types are processed, reducing the risk of user-controlled bypass.

src/apps/Altinn.Authorization/src/Altinn.Authorization/Controllers/DecisionController.cs

+        private async Task<ActionResult> AuthorizeXmlRequest(XacmlRequestApiModel model, CancellationToken cancellationToken = default)
+        {
+            XacmlContextRequest request;
+            using (XmlReader reader = XmlReader.Create(new StringReader(model.BodyContent)))


To fix the problem, we need to ensure that the user-provided XML content is validated against a known schema before processing it. This can be achieved by using XmlReaderSettings with the appropriate validation settings.

Create an instance of XmlReaderSettings.

Set the ValidationType to Schema.

Add the known schema to the XmlSchemaSet of the XmlReaderSettings.

Use the configured XmlReaderSettings when creating the XmlReader.

src/apps/Altinn.Authorization/src/Altinn.Authorization/Controllers/PartiesController.cs

+        [Authorize]
+        public async Task<ActionResult> ValidateSelectedParty(int userId, int partyId, CancellationToken cancellationToken = default)
+        {
+            if (userId == 0 || partyId == 0)


To fix the problem, we need to ensure that the userId parameter is validated against the authenticated user's ID before performing any sensitive actions. This can be done by moving the validation of userId before the condition userId == 0 || partyId == 0. This way, we ensure that the userId is properly authenticated before proceeding with any further checks.

src/apps/Altinn.Authorization/src/Altinn.Authorization/Controllers/PartiesController.cs

+        [Authorize]
+        public async Task<ActionResult> ValidateSelectedParty(int userId, int partyId, CancellationToken cancellationToken = default)
+        {
+            if (userId == 0 || partyId == 0)


To fix the problem, we need to ensure that the validation logic is not bypassed based on user-controlled input. Instead of checking if userId is zero, we should validate the userId against the authenticated user's ID at the beginning of the method. This way, we can ensure that the user is authorized to perform the action without relying on user-controlled values.

Remove the check if (userId == 0 || partyId == 0) and replace it with a validation against the authenticated user's ID.

Ensure that the method proceeds with the validation logic only if the userId matches the authenticated user's ID.

src/apps/Altinn.Authorization/src/Altinn.Authorization/Controllers/PartiesController.cs

+        [Authorize]
+        public async Task<ActionResult> ValidateSelectedParty(int userId, int partyId, CancellationToken cancellationToken = default)
+        {
+            if (userId == 0 || partyId == 0)


To fix this issue, we need to ensure that the validation logic is not bypassed based on user-controlled data. Instead of returning NotFound when partyId is 0, we should handle this case more securely. One way to do this is to validate the partyId before proceeding with the rest of the logic and ensure that it is a valid, non-zero value.

We will:

Add a method to validate the partyId and ensure it is a valid, non-zero value.

Use this method to validate the partyId before proceeding with the rest of the logic in the ValidateSelectedParty method.

src/apps/Altinn.Authorization/src/Altinn.Authorization/Helpers/PolicyHelper.cs

+        {
+            stream.Position = 0;
+            XacmlPolicy policy;
+            using (XmlReader reader = XmlReader.Create(stream))


To fix the problem, we need to ensure that the XML data is validated against a known schema before processing it. This involves creating an XmlReaderSettings instance with the ValidationType set to Schema and specifying the schema to validate against. We also need to ensure that the ValidationFlags do not include ProcessInlineSchema or ProcessSchemaLocation to prevent users from providing their own schemas.

Steps to fix:

Create an XmlReaderSettings instance.

Set the ValidationType to Schema.

Add the known schema to the Schemas property of the XmlReaderSettings instance.

Ensure that ValidationFlags do not include ProcessInlineSchema or ProcessSchemaLocation.

Use this XmlReaderSettings instance when creating the XmlReader.

....Authorization/src/Altinn.Authorization/Services/Implementation/PolicyAdministrationPoint.cs

+            {
+                if (!DelegationHelper.PolicyContainsMatchingRule(appPolicy, rule))
+                {
+                    _logger.LogWarning("Matching rule not found in app policy. Action might not exist for Resource, or Resource itself might not exist. Delegation policy path: {policyPath}. Rule: {rule}", policyPath, rule);


To fix the problem, we need to sanitize the rule object before logging it. Since the log entries are plain text, we should remove any new line characters from the rule object to prevent log forging. This can be done using the String.Replace method or a similar approach.

The best way to fix the problem without changing existing functionality is to sanitize the rule object right before it is logged. We will replace new line characters in the rule object with an empty string to ensure that no new lines are introduced into the log.

...apps/Altinn.Authorization/test/Altinn.Authorization.Tests/MockServices/ContextHandlerMock.cs

+            XmlDocument requestDocument = new XmlDocument();
+            requestDocument.Load(Path.Combine(requestPath, requestDocumentTitle));
+            XacmlContextRequest contextRequest;
+            using (XmlReader reader = XmlReader.Create(new StringReader(requestDocument.OuterXml)))


To fix the problem, we need to ensure that the XML data is validated against a known schema before it is processed. This involves creating an instance of XmlReaderSettings with the appropriate validation settings and using it when creating the XmlReader.

Create an instance of XmlReaderSettings.

Set the ValidationType property to Schema.

Add the known schema to the Schemas property of the XmlReaderSettings instance.

Use the XmlReaderSettings instance when creating the XmlReader.

...ltinn.Authorization/test/Altinn.Authorization.Tests/MockServices/PolicyRetrievalPointMock.cs

+
+            policyDocument.Load(Path.Combine(policyPath, policyDocumentTitle));
+            XacmlPolicy policy;
+            using (XmlReader reader = XmlReader.Create(new StringReader(policyDocument.OuterXml)))


To fix the problem, we need to validate the XML data against a known schema using XmlReaderSettings. This involves:

Creating an instance of XmlReaderSettings.

Setting the ValidationType to Schema.

Adding the known schema to the Schemas property of XmlReaderSettings.

Using this XmlReaderSettings instance when creating the XmlReader.

We will modify the ParsePolicy method to include these changes.

src/apps/Altinn.Authorization/test/Altinn.Authorization.Tests/Util/JwtTokenMock.cs

+                return new X509SigningCredentials(certIssuer, SecurityAlgorithms.RsaSha256);
+            }
+
+            X509Certificate2 cert = new X509Certificate2("selfSignedTestCertificate.pfx", "qwer1234");


andreasisnes added 4 commits November 29, 2024 13:08

add authorization repository

bd99cad

update dockerfile for Authorization

b6d979a

add conf json to authorization

99c2891

add authorization

05238b4

github-advanced-security bot found potential problems Nov 29, 2024

View reviewed changes

remove issue template

d717842

andreasisnes merged commit 7667e30 into main Nov 29, 2024
10 of 11 checks passed

andreasisnes deleted the chores/add-authorization branch November 29, 2024 12:58

@@ -39,2 +39,7 @@
             {
+                private bool IsValidContentType(string contentType)
+                {
+                    var allowedContentTypes = new List<string> { "application/json", "application/xml" };
+                    return allowedContentTypes.Any(contentType.Contains);
+                }
                 /// <summary>
@@ -119,5 +124,12 @@
                         {
-                            if (Request.ContentType.Contains("application/json"))
+                            if (IsValidContentType(Request.ContentType))
                             {
-                                return await AuthorizeJsonRequest(model, cancellationToken);
+                                if (Request.ContentType.Contains("application/json"))
+                                {
+                                    return await AuthorizeJsonRequest(model, cancellationToken);
+                                }
+                                else
+                                {
+                                    return await AuthorizeXmlRequest(model, cancellationToken);
+                                }
                             }
@@ -125,3 +137,3 @@
                             {
-                                return await AuthorizeXmlRequest(model, cancellationToken);
+                                return BadRequest("Unsupported content type");
                             }

@@ -262,3 +262,6 @@
                         XacmlContextRequest request;
-                        using (XmlReader reader = XmlReader.Create(new StringReader(model.BodyContent)))
+                        XmlReaderSettings settings = new XmlReaderSettings();
+                        settings.ValidationType = ValidationType.Schema;
+                        settings.Schemas.Add("urn:my-schema", "path/to/your/schema.xsd");
+                        using (XmlReader reader = XmlReader.Create(new StringReader(model.BodyContent), settings))
                         {

@@ -86,2 +86,8 @@
                     {
+                        int? authnUserId = User.GetUserIdAsInt();
+                        if (userId != authnUserId)
+                        {
+                            return Forbid();
+                        }
                         if (userId == 0 || partyId == 0)
@@ -93,8 +99,2 @@
                         {
-                            int? authnUserId = User.GetUserIdAsInt();
-                            if (userId != authnUserId)
-                            {
-                                return Forbid();
-                            }
                             return Ok(await ValidateSelectedAuthorizedParty(partyId, cancellationToken));

@@ -86,5 +86,6 @@
                     {
-                        if (userId == 0 || partyId == 0)
+                        int? authnUserId = User.GetUserIdAsInt();
+                        if (userId != authnUserId || partyId == 0)
                         {
-                            return NotFound();
+                            return Forbid();
                         }
@@ -93,8 +94,2 @@
                         {
-                            int? authnUserId = User.GetUserIdAsInt();
-                            if (userId != authnUserId)
-                            {
-                                return Forbid();
-                            }
                             return Ok(await ValidateSelectedAuthorizedParty(partyId, cancellationToken));

@@ -86,3 +86,3 @@
                     {
-                        if (userId == 0 || partyId == 0)
+                        if (userId == 0 || !IsValidPartyId(partyId))
                         {
@@ -118,2 +118,8 @@
                     }
+                    private bool IsValidPartyId(int partyId)
+                    {
+                        // Add logic to validate the partyId, e.g., check if it is non-zero and exists in the database
+                        return partyId > 0;
+                    }
                 }

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

chores/add authorization #117

chores/add authorization #117

andreasisnes commented Nov 29, 2024

Provide additional feedback

Please help us improve GitHub Copilot by sharing more details about this comment.

Provide additional feedback

Please help us improve GitHub Copilot by sharing more details about this comment.

Provide additional feedback

Please help us improve GitHub Copilot by sharing more details about this comment.

Provide additional feedback

Please help us improve GitHub Copilot by sharing more details about this comment.

Provide additional feedback

Please help us improve GitHub Copilot by sharing more details about this comment.

Steps to fix:

Provide additional feedback

Please help us improve GitHub Copilot by sharing more details about this comment.

Provide additional feedback

Please help us improve GitHub Copilot by sharing more details about this comment.

Provide additional feedback

Please help us improve GitHub Copilot by sharing more details about this comment.

Provide additional feedback

Please help us improve GitHub Copilot by sharing more details about this comment.

@@ -262,3 +262,8 @@
                         XacmlPolicy policy;
-                        using (XmlReader reader = XmlReader.Create(stream))
+                        XmlReaderSettings settings = new XmlReaderSettings();
+                        settings.ValidationType = ValidationType.Schema;
+                        settings.Schemas.Add("urn:my-schema", "my.xsd"); // Replace with actual schema details
+                        settings.ValidationFlags &= ~XmlSchemaValidationFlags.ProcessInlineSchema;
+                        settings.ValidationFlags &= ~XmlSchemaValidationFlags.ProcessSchemaLocation;
+                        using (XmlReader reader = XmlReader.Create(stream, settings))
                         {

@@ -192,3 +192,4 @@
                             {
-                                _logger.LogWarning("Matching rule not found in app policy. Action might not exist for Resource, or Resource itself might not exist. Delegation policy path: {policyPath}. Rule: {rule}", policyPath, rule);
+                                string sanitizedRule = rule.ToString().Replace(Environment.NewLine, "").Replace("\n", "").Replace("\r", "");
+                                _logger.LogWarning("Matching rule not found in app policy. Action might not exist for Resource, or Resource itself might not exist. Delegation policy path: {policyPath}. Rule: {sanitizedRule}", policyPath, sanitizedRule);
                                 return false;

chores/add authorization #117

chores/add authorization #117

Conversation

andreasisnes commented Nov 29, 2024

Verification

Documentation

Steps to fix: