Alowed to revoke rights given to system user #167
@@ -235,18 +235,37 @@ public async Task<ValidationProblemDetails> RevokeRightsDelegation(int authentic | |
} | ||
|
||
var fromAttribute = await _resolver.Resolve(delegation.From, [AltinnXacmlConstants.MatchAttributeIdentifiers.PartyAttribute], cancellationToken); | ||
var toAttribute = await _resolver.Resolve(delegation.To, BaseUrn.Altinn2InternalIds, cancellationToken); | ||
var toAttribute = await _resolver.Resolve(delegation.To, BaseUrn.RevokeInternalIds, cancellationToken); | ||
|
||
var to = toAttribute.Any(p => p.Id == AltinnXacmlConstants.MatchAttributeIdentifiers.UserAttribute) | ||
? new AttributeMatch(AltinnXacmlConstants.MatchAttributeIdentifiers.UserAttribute, toAttribute.First(p => p.Id == AltinnXacmlConstants.MatchAttributeIdentifiers.UserAttribute).Value) | ||
: new AttributeMatch(AltinnXacmlConstants.MatchAttributeIdentifiers.PartyAttribute, toAttribute.First(p => p.Id == AltinnXacmlConstants.MatchAttributeIdentifiers.PartyAttribute).Value); | ||
var to = GetAttributeMatchFromAttributeMatchList(toAttribute); | ||
|
||
var policiesToDelete = DelegationHelper.GetRequestToDeleteResource(authenticatedUserId, delegation.Rights[0].Resource, fromAttribute.GetRequiredInt(AltinnXacmlConstants.MatchAttributeIdentifiers.PartyAttribute), to); | ||
|
||
await _pap.TryDeleteDelegationPolicies(policiesToDelete, cancellationToken); | ||
return assertion; | ||
} | ||
|
||
/// <summary> | ||
/// Fetch the actual internal id from the attribute match list | ||
/// </summary> | ||
/// <param name="attributeMatches">the list to fetch from</param> | ||
/// <returns>The identified internal id</returns> | ||
private AttributeMatch GetAttributeMatchFromAttributeMatchList(IEnumerable<AttributeMatch> attributeMatches) | ||
{ | ||
if (attributeMatches.Any(p => p.Id == AltinnXacmlConstants.MatchAttributeIdentifiers.UserAttribute)) | ||
{ | ||
return new AttributeMatch(AltinnXacmlConstants.MatchAttributeIdentifiers.UserAttribute, attributeMatches.First(p => p.Id == AltinnXacmlConstants.MatchAttributeIdentifiers.UserAttribute).Value); | ||
} | ||
else if (attributeMatches.Any(p => p.Id == AltinnXacmlConstants.MatchAttributeIdentifiers.SystemUserUuid)) | ||
{ | ||
return new AttributeMatch(AltinnXacmlConstants.MatchAttributeIdentifiers.SystemUserUuid, attributeMatches.First(p => p.Id == AltinnXacmlConstants.MatchAttributeIdentifiers.SystemUserUuid).Value); | ||
} | ||
else | ||
{ | ||
return new AttributeMatch(AltinnXacmlConstants.MatchAttributeIdentifiers.PartyAttribute, attributeMatches.First(p => p.Id == AltinnXacmlConstants.MatchAttributeIdentifiers.PartyAttribute).Value); | ||
} | ||
} | ||
|
||
/// <summary> | ||
/// Ensures that given input for revoking a delegations contains a combination of attributes that | ||
/// the service layer can process. If the method return null then input should be processable. | ||
|
@@ -256,10 +275,10 @@ private ValidationProblemDetails AssertRevokeDelegationInput(DelegationLookup de | |
_asserter.Join( | ||
_asserter.Evaluate( | ||
delegation.From, | ||
_asserter.Altinn2InternalIds), | ||
_asserter.RevokeInternalIds), | ||
Å støtte SystemUser uuid i From gir ikke egentlig mening men.. |
||
_asserter.Evaluate( | ||
delegation.To, | ||
_asserter.Altinn2InternalIds), | ||
_asserter.RevokeInternalIds), | ||
_asserter.Evaluate( | ||
delegation.Rights?.FirstOrDefault()?.Resource ?? [], | ||
_asserter.DefaultResource)); | ||
|
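Review bot: The new `GetAttributeMatchFromAttributeMatchList` (L50–L64) still ends in an unguarded `.First(p => p.Id == PartyAttribute)`, so a resolved `To` list that carries none of user id, system-user uuid or party id fails with a LINQ InvalidOperationException instead of a validation error; whether the asserter's `RevokeInternalIds` rule guarantees at least one of the three is not visible in this hunk, so that should be confirmed before relying on it. The precedence (user id before system-user uuid before party) is only implied by the branch order, and it decides whose delegation policies `TryDeleteDelegationPolicies` removes when the resolver returns more than one identifier type, so the `<summary>` should state it explicitly, e.g. `/// Picks the subject to revoke for, preferring user id, then system-user uuid, then party id.` A table-driven version makes both points explicit and drops the repeated `Any`/`First` scans of the same enumerable; keep InvalidOperationException instead of ArgumentException if callers already catch the former. The enclosing `RevokeRightsDelegation` starts before this hunk.
```csharp
/// <summary>
/// Picks the subject identifier to revoke for, preferring user id, then system-user uuid, then party id.
/// </summary>
/// <param name="attributeMatches">Resolved attributes for the <c>To</c> side of the delegation.</param>
/// <returns>A single <see cref="AttributeMatch"/> for the highest-precedence identifier present.</returns>
/// <exception cref="ArgumentException">None of the three identifiers is present in the list.</exception>
private AttributeMatch GetAttributeMatchFromAttributeMatchList(IEnumerable<AttributeMatch> attributeMatches)
{
    var precedence = new[]
    {
        AltinnXacmlConstants.MatchAttributeIdentifiers.UserAttribute,
        AltinnXacmlConstants.MatchAttributeIdentifiers.SystemUserUuid,
        AltinnXacmlConstants.MatchAttributeIdentifiers.PartyAttribute,
    };

    // Materialize once: the input may be a lazy resolver result and is scanned once per candidate id.
    var matches = attributeMatches.ToList();
    foreach (var id in precedence)
    {
        var index = matches.FindIndex(p => p.Id == id);
        if (index >= 0)
        {
            return new AttributeMatch(id, matches[index].Value);
        }
    }

    throw new ArgumentException("Attribute list contains no user, system user or party identifier.", nameof(attributeMatches));
}
```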
{ | ||
public abstract string Name { get; } | ||
public abstract new Task ExecuteAsync(ProgressTask task, CancellationToken cancellationToken); | ||
} | ||
public abstract class StepTask<T> |
namespace Altinn.Authorization.DeployApi.Pipelines; | ||
public sealed class PipelineContext | ||
: IServiceProvider | ||
, ISupportRequiredService | ||
, IKeyedServiceProvider | ||
catch (OperationCanceledException e) when (e.CancellationToken == ct) | ||
{ | ||
} | ||
catch (Exception e) | ||
{ | ||
} | ||
} | ||
_services = services; | ||
} | ||
/// <inheritdoc/>
/// <remarks>
/// Thin pass-through to the wrapped <c>_services</c> provider; returns <c>null</c> for an unregistered type,
/// as the <see cref="IServiceProvider"/> contract allows.
/// </remarks>
object? IServiceProvider.GetService(Type serviceType)
{
    return _services.GetService(serviceType);
}
/// <inheritdoc/>
/// <remarks>Pass-through to the wrapped <c>_services</c> provider; the required variant throws instead of returning <c>null</c>.</remarks>
object ISupportRequiredService.GetRequiredService(Type serviceType)
{
    return _services.GetRequiredService(serviceType);
}
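/// <inheritdoc/>
/// <remarks>
/// Resolves a single keyed service. The previous body called <c>GetKeyedServices</c> (plural), which in
/// Microsoft.Extensions.DependencyInjection returns the enumerable of every registration for the key rather
/// than the one instance this interface member promises; generic callers such as <c>GetKeyedService&lt;T&gt;</c>
/// would then fail on the cast. Returns <c>null</c> when nothing is registered for the type/key pair.
/// </remarks>
object? IKeyedServiceProvider.GetKeyedService(Type serviceType, object? serviceKey)
    => _services.GetKeyedService(serviceType, serviceKey);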
/// <inheritdoc/>
/// <remarks>Pass-through to the wrapped <c>_services</c> provider; the required variant throws instead of returning <c>null</c>.</remarks>
object IKeyedServiceProvider.GetRequiredKeyedService(Type serviceType, object? serviceKey)
{
    return _services.GetRequiredKeyedService(serviceType, serviceKey);
}
public Task<T> RunTask<T>(StepTask<T> task, CancellationToken cancellationToken) | ||
public Task RunTask(string description, Func<ProgressTask, CancellationToken, Task> task, CancellationToken cancellationToken) | ||
{ | ||
return RunTask<object?>( | ||
description, | ||
async (ctx, ct) => | ||
{ |
if (context.WebSockets.IsWebSocketRequest) | ||
{ | ||
using var webSocket = await context.WebSockets.AcceptWebSocketAsync("altinn.task-pipeline"); | ||
TPipeline? pipeline; | ||
{ | ||
using var sequence = new Sequence<byte>(ArrayPool<byte>.Shared); | ||
} | ||
}); | ||
private static TPipeline? DeserializePipeline<TPipeline>(ReadOnlySequence<byte> sequence) | ||
where TPipeline : TaskPipeline | ||
{ | ||
var reader = new Utf8JsonReader(sequence); |
namespace Altinn.Common.PEP.Authorization | ||
{ | ||
public class AppAccessHandlerTest | ||
{ | ||
private readonly Mock<IHttpContextAccessor> _httpContextAccessorMock; | ||
private readonly Mock<IPDP> _pdpMock; | ||
private readonly IOptions<PepSettings> _generalSettings; | ||
private readonly AppAccessHandler _aah; | ||
public AppAccessHandlerTest() | ||
{ | ||
_httpContextAccessorMock = new Mock<IHttpContextAccessor>(); | ||
_pdpMock = new Mock<IPDP>(); | ||
if (!string.IsNullOrEmpty(xForwardedForHeader)) | ||
{ | ||
httpContext.Request.Headers.Add("x-forwarded-for", xForwardedForHeader); | ||
} | ||
return httpContext; |
namespace Altinn.Common.PEP.Authorization | ||
{ | ||
public class ResourceAccessHandlerTest | ||
{ | ||
private readonly Mock<IHttpContextAccessor> _httpContextAccessorMock; | ||
private readonly Mock<IPDP> _pdpMock; | ||
private readonly IOptions<PepSettings> _generalSettings; | ||
private readonly ResourceAccessHandler _rah; | ||
public ResourceAccessHandlerTest() | ||
{ | ||
_httpContextAccessorMock = new Mock<IHttpContextAccessor>(); | ||
_pdpMock = new Mock<IPDP>(); | ||
httpContext.Request.RouteValues.Add("party", party); | ||
if (!string.IsNullOrEmpty(orgHeader)) | ||
{ | ||
httpContext.Request.Headers.Add("Altinn-Party-OrganizationNumber", orgHeader); | ||
} | ||
if (!string.IsNullOrEmpty(ssnHeader)) | ||
{ | ||
httpContext.Request.Headers.Add("Altinn-Party-SocialSecurityNumber", ssnHeader); | ||
} | ||
if (!string.IsNullOrEmpty(xForwardedForHeader)) |
namespace UnitTests | ||
{ | ||
public class DecisionHelperTest | ||
{ | ||
private const string Org = "Altinn"; | ||
private const string App = "App"; |
namespace UnitTests | ||
{ | ||
public class ScopeAccessHandlerTest | ||
{ | ||
private readonly ScopeAccessHandler _sah; | ||
/// <summary>
/// Creates the handler under test. <see cref="ScopeAccessHandler"/> is constructed without any
/// dependencies, so no mocks are needed for this fixture.
/// </summary>
public ScopeAccessHandlerTest()
    => _sah = new ScopeAccessHandler();
/// <summary>
/// Deserialization constructor; hands the serialized payload straight to the base exception type.
/// </summary>
/// <param name="info">Serialized exception state.</param>
/// <param name="context">Source and destination of the serialization stream.</param>
/// <remarks>
/// NOTE(review): CI flags this line; in recent .NET the <see cref="SerializationInfo"/>-based exception
/// constructors are marked obsolete, so this overload is likely only kept for compatibility — confirm before
/// adding state that would need restoring here.
/// </remarks>
protected PlatformHttpException(SerializationInfo info, StreamingContext context)
    : base(info, context)
{
    // Intentionally empty: nothing beyond the base exception state is restored here.
}
} |
_connectionString = string.Format( | ||
postgresSettings.Value.ConnectionString, | ||
postgresSettings.Value.AuthorizationDbPwd); | ||
NpgsqlConnection.GlobalTypeMapper.MapEnum<DelegationChangeType>("delegation.delegationchangetype"); | ||
} | ||
/// <inheritdoc/> |
/// <returns>The first entry of the <c>x-forwarded-for</c> header, or <c>null</c> when the header (or the context) is absent.</returns>
/// <remarks>
/// Security note: <c>x-forwarded-for</c> is whatever arrived on the wire. The leftmost entry is the one a client
/// can set freely, so this value is only trustworthy when an upstream proxy is known to strip or overwrite the
/// header; treat it as informational (logging, diagnostics) rather than as an authorization input.
/// </remarks>
public static string GetClientIpAddress(HttpContext context)
{
    string[] forwardedFor = context?.Request?.Headers?.GetCommaSeparatedValues("x-forwarded-for");
    if (forwardedFor == null || forwardedFor.Length == 0)
    {
        return null;
    }

    return forwardedFor[0];
}
} | ||
} |
client.Timeout = new TimeSpan(0, 0, 30); | ||
Client.DefaultRequestHeaders.Accept.Add(new MediaTypeWithQualityHeaderValue("application/json")); | ||
} | ||
} | ||
return Task.FromResult(clientSecrets); | ||
} | ||
} | ||
} | ||
/// <inheritdoc/> | ||
public bool? OverwriteAuthorizationHeader { get; set; } | ||
} | ||
} | ||
return services; | ||
} | ||
} | ||
/// Gets or sets an optional action value to authorize | ||
/// </summary> | ||
public UrnJsonTypeValue<ActionUrn> Action { get; set; } | ||
} | ||
/// Gets or sets the result of the access list authorization | ||
/// </summary> | ||
public AccessListAuthorizationResult Result { get; set; } | ||
} | ||
_accessToken = _accessTokenGenerator.GenerateAccessToken( | ||
_oidcProviderSettings["altinn"].Issuer, | ||
"platform.authorization", | ||
new X509Certificate2(Convert.FromBase64String(certBase64), (string)null, X509KeyStorageFlags.MachineKeySet | X509KeyStorageFlags.PersistKeySet | X509KeyStorageFlags.Exportable)); | ||
_cacheTokenUntil = DateTime.UtcNow.AddSeconds(_accessTokenSettings.TokenLifetimeInSeconds - 2); // Add some slack to avoid tokens expiring in transit | ||
} |
{ | ||
if (activity?.Recorded ?? false) | ||
{ | ||
activity.RecordException(ex); | ||
activity.SetStatus(ActivityStatusCode.Error, statusDescription); | ||
} | ||
} |
{ | ||
var fs = new ManifestEmbeddedFileProvider(typeof(PersistenceDependencyInjectionExtensions).Assembly, "Migration"); | ||
builder.AddAltinnPostgresDataSource() | ||
.MapEnum<DelegationChangeType>("delegation.delegationchangetype") | ||
.MapEnum<UuidType>("delegation.uuidtype") | ||
.MapEnum<InstanceDelegationMode>("delegation.instancedelegationmode") |
{ | ||
certPath = $"{issuer}-org.pfx"; | ||
X509Certificate2 certIssuer = new X509Certificate2(certPath); | ||
return new X509SigningCredentials(certIssuer, SecurityAlgorithms.RsaSha256); | ||
} | ||
X509Certificate2 cert = new X509Certificate2(certPath, "qwer1234"); | ||
return new X509SigningCredentials(cert, SecurityAlgorithms.RsaSha256); | ||
} | ||
} |
{ | ||
List<SecurityKey> signingKeys = new List<SecurityKey>(); | ||
X509Certificate2 cert = new X509Certificate2($"{issuer}-org.pem"); | ||
SecurityKey key = new X509SecurityKey(cert); | ||
signingKeys.Add(key); |
{ | ||
List<SecurityKey> signingKeys = new List<SecurityKey>(); | ||
X509Certificate2 cert = new X509Certificate2("selfSignedTestCertificatePublic.cer"); | ||
SecurityKey key = new X509SecurityKey(cert); | ||
signingKeys.Add(key); |
namespace Altinn.AccessManagement.Tests.Controllers; | ||
public class AppsInstanceDelegationControllerTest : IClassFixture<CustomWebApplicationFactory<AppsInstanceDelegationController>> | ||
{ | ||
private readonly CustomWebApplicationFactory<AppsInstanceDelegationController> _factory; | ||
private readonly JsonSerializerOptions options = new JsonSerializerOptions { PropertyNameCaseInsensitive = true }; | ||
[Theory] | ||
[MemberData(nameof(TestDataAppsInstanceDelegation.RevokeAll), MemberType = typeof(TestDataAppsInstanceDelegation))] | ||
public async Task AppsInstanceDelegationController_ValidToken_RevokeAll_OK(string platformToken, string resourceId, string instanceId, Paginated<AppsInstanceRevokeResponseDto> expected) | ||
{ | ||
var client = GetTestClient(platformToken); | ||
[Theory] | ||
[MemberData(nameof(TestDataAppsInstanceDelegation.RevokeAllUnathorized), MemberType = typeof(TestDataAppsInstanceDelegation))] | ||
public async Task AppsInstanceDelegationController_NoToken_RevokeAll_Unauthorized(string resourceId, string instanceId) | ||
{ | ||
var client = GetTestClient(null); | ||
Det må da vel en endring til også mot databasen? Eksisterende logikk forsøker vel å matche To mot CoveredBy kolonnene og ikke den nye ToUuid?