Feature/xacmlvalidation

src/Altinn.ResourceRegistry.Core/Helpers/PolicyHelper.cs

@@ -30,12 +30,12 @@
             {
                 List<AttributeMatch> xacmlResources = GetResourceFromXacmlRule(policyRule);
 
                 if (xacmlResources.Any(r => r.Id.Equals(MatchAttributeIdentifiers.ResourceRegistryAttribute) && !r.Value.Equals(serviceResources.Identifier)))
                 {
                     throw new ArgumentException("Policy not accepted: Contains rules for a different registry resource");
                 }
 
                 if (!xacmlResources.Any(r => r.Id.Equals(MatchAttributeIdentifiers.ResourceRegistryAttribute) && r.Value.Equals(serviceResources.Identifier)))
                 {
                     throw new ArgumentException("Policy not accepted: Contains rule without reference to registry resource id");
                 }
@@ -47,7 +47,7 @@
         /// </summary>
         /// <param name="policy">The policy</param>
         /// <returns>List of role codes</returns>
         public static List<string> GetRolesWithAccess(XacmlPolicy policy)
         {
             HashSet<string> roleCodes = new HashSet<string>();
 
@@ -59,7 +59,7 @@
                     {
                         foreach (XacmlAllOf allOf in anyOf.AllOf)
                         {
                             foreach (XacmlMatch xacmlMatch in allOf.Matches)
                             {
                                 if (xacmlMatch.AttributeDesignator.AttributeId.Equals(AltinnXacmlConstants.MatchAttributeIdentifiers.RoleAttribute))
                                 {
@@ -215,7 +215,7 @@
         /// Subject have multiple matches in a AllOf element, but it is not used in the current implementation in Altinn. (requiring a user to have multiple roles to access a resource)
         /// A resource can have multiple matched in a AllOf element to be able to match on multiple attributes. (app, task1 , task2 etc)
         /// </summary>
         private static void FlattenXacmlRule(XacmlRule xacmlRule, List<PolicyRule> policyRules)
         {
             XacmlAnyOf anyOfSubjects = null;
             XacmlAnyOf anyOfActions = null;
@@ -227,7 +227,7 @@
 
                 foreach (XacmlAllOf allOf in anyOf.AllOf)
                 {
                     foreach (XacmlMatch match in allOf.Matches)
                     {
                         if (category == null)
                         {
@@ -240,7 +240,7 @@
                     }
                 }
 
                 if (category.Equals(XacmlConstants.MatchAttributeCategory.Action))
                 {
                     anyOfActions = anyOf;
                 }
@@ -254,9 +254,9 @@
                 }
             }
 
             foreach (XacmlAllOf allOfSubject in anyOfSubjects.AllOf)
             {
                 foreach (XacmlAllOf allOfAction in anyOfActions.AllOf)
                 {
                     foreach (XacmlAllOf allOfResource in anyOfResourcs.AllOf)
                     {
@@ -308,7 +308,7 @@
             return KeyValueUrn.Create($"{matchId}:{match.AttributeValue.Value}", matchId.Length + 1);
         }
 
         private static AttributeMatch GetActionValueFromRule(XacmlRule rule)
         {
             foreach (XacmlAnyOf anyOf in rule.Target.AnyOf)
             {
@@ -346,7 +346,6 @@
             }
 
             return result;
-        }
-
+        }    
     }
 }

src/Altinn.ResourceRegistry/Controllers/ResourceController.cs

@@ -14,6 +14,7 @@
 using Microsoft.AspNetCore.Mvc;
 using Microsoft.AspNetCore.Mvc.ApplicationModels;
 using Microsoft.AspNetCore.Mvc.ModelBinding.Validation;
+using System.Xml;
 
 namespace Altinn.ResourceRegistry.Controllers
 {
@@ -395,6 +396,11 @@
                 _logger.LogError(ex.Message);
                 return BadRequest(ex.Message);
             }
+            catch (XmlException ex)
+            {
+                _logger.LogError(ex.Message);
+                return BadRequest(ex.Message);
+            }
             catch (Exception ex)
             {
                 _logger.LogError(ex.ToString());

test/Altinn.ResourceRegistry.Tests/Altinn.ResourceRegistry.Tests.csproj

@@ -22,6 +22,9 @@
     <None Update="appsettings.test.json">
       <CopyToOutputDirectory>Always</CopyToOutputDirectory>
     </None>
+    <None Update="Data\ResourcePolicies\altinn_access_management_missinganyof.xml">
+      <CopyToOutputDirectory>Always</CopyToOutputDirectory>
+    </None>
     <None Update="Data\ResourcePolicies\altinn_access_management\resourcepolicy.xml">
       <CopyToOutputDirectory>Always</CopyToOutputDirectory>
     </None>

test/Altinn.ResourceRegistry.Tests/Data/ResourcePolicies/altinn_access_management_missinganyof.xml

@@ -0,0 +1,44 @@
+<?xml version="1.0" encoding="utf-8"?>
+<xacml:Policy xmlns:xsl="http://www.w3.org/2001/XMLSchema-instance" xmlns:xacml="urn:oasis:names:tc:xacml:3.0:core:schema:wd-17" PolicyId="urn:altinn:example:policyid:1" Version="1.0" RuleCombiningAlgId="urn:oasis:names:tc:xacml:3.0:rule-combining-algorithm:deny-overrides">
+  <xacml:Target/>
+  <xacml:Rule RuleId="urn:altinn:example:ruleid:1" Effect="Permit">
+    <xacml:Description>Policy for altinn_access_management</xacml:Description>
+    <xacml:Target>
+      <xacml:AnyOf>
+        <xacml:AllOf>
+          <xacml:Match MatchId="urn:oasis:names:tc:xacml:3.0:function:string-equal-ignore-case">
+            <xacml:AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">ADMAI</xacml:AttributeValue>
+            <xacml:AttributeDesignator AttributeId="urn:altinn:rolecode" Category="urn:oasis:names:tc:xacml:1.0:subject-category:access-subject" DataType="http://www.w3.org/2001/XMLSchema#string" MustBePresent="false"/>
+          </xacml:Match>
+        </xacml:AllOf>
+      </xacml:AnyOf>
+      <xacml:AnyOf>
+        <xacml:AllOf>
+          <xacml:Match MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
+            <xacml:AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">altinn_access_management</xacml:AttributeValue>
+            <xacml:AttributeDesignator AttributeId="urn:altinn:resource" Category="urn:oasis:names:tc:xacml:3.0:attribute-category:resource" DataType="http://www.w3.org/2001/XMLSchema#string" MustBePresent="false"/>
+          </xacml:Match>
+        </xacml:AllOf>
+      </xacml:AnyOf>
+        <xacml:AllOf>
+            <xacml:Match MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
+            <xacml:AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">read</xacml:AttributeValue>
+            <xacml:AttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id" Category="urn:oasis:names:tc:xacml:3.0:attribute-category:action" DataType="http://www.w3.org/2001/XMLSchema#string" MustBePresent="false"/>
+            </xacml:Match>
+        </xacml:AllOf>
+        <xacml:AllOf>
+            <xacml:Match MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
+            <xacml:AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">write</xacml:AttributeValue>
+            <xacml:AttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id" Category="urn:oasis:names:tc:xacml:3.0:attribute-category:action" DataType="http://www.w3.org/2001/XMLSchema#string" MustBePresent="false"/>
+            </xacml:Match>
+        </xacml:AllOf>
+    </xacml:Target>
+  </xacml:Rule>
+  <xacml:ObligationExpressions>
+    <xacml:ObligationExpression FulfillOn="Permit" ObligationId="urn:altinn:obligation:authenticationLevel1">
+      <xacml:AttributeAssignmentExpression AttributeId="urn:altinn:obligation1-assignment1" Category="urn:altinn:minimum-authenticationlevel">
+        <xacml:AttributeValue DataType="http://www.w3.org/2001/XMLSchema#integer">2</xacml:AttributeValue>
+      </xacml:AttributeAssignmentExpression>
+    </xacml:ObligationExpression>
+  </xacml:ObligationExpressions>
+</xacml:Policy>

test/Altinn.ResourceRegistry.Tests/ResourceControllerWithDbTests.cs

@@ -160,6 +160,52 @@ public async Task SetResourcePolicy_OK()
 
     }
 
+    [Fact]
+    public async Task SetResourcePolicy_MissingAnyOf_()
+    {
+        // Add one that should be marked as deleted when updating with policy
+        await Repository.SetResourceSubjects(CreateResourceSubjects("urn:altinn:resource:altinn_access_management", ["urn:altinn:rolecode:tobedeleted"], "skd"));
+
+        ServiceResource resource = new ServiceResource()
+        {
+            Identifier = "altinn_access_management",
+            HasCompetentAuthority = new CompetentAuthority()
+            {
+                Organization = "974761076",
+                Orgcode = "skd"
+            }
+        };
+        await Repository.CreateResource(resource);
+
+        using var client = CreateClient();
+        string token = PrincipalUtil.GetOrgToken("skd", "974761076", "altinn:resourceregistry/resource.write");
+        client.DefaultRequestHeaders.Authorization = new AuthenticationHeaderValue("Bearer", token);
+
+
+        string fileName = $"{resource.Identifier}_missinganyof.xml";
+        string filePath = $"Data/ResourcePolicies/{fileName}";
+
+        Uri requestUri = new Uri($"resourceregistry/api/v1/Resource/{resource.Identifier}/policy", UriKind.Relative);
+
+        ByteArrayContent fileContent = new ByteArrayContent(File.ReadAllBytes(filePath));
+        fileContent.Headers.ContentType = MediaTypeHeaderValue.Parse("text/xml");
+
+        MultipartFormDataContent content = new();
+        content.Add(fileContent, "policyFile", fileName);
+
+        HttpRequestMessage httpRequestMessage = new() { Method = HttpMethod.Post, RequestUri = requestUri, Content = content };
+        httpRequestMessage.Headers.Add("ContentType", "multipart/form-data");
+
+        HttpResponseMessage response = await client.SendAsync(httpRequestMessage);
+
+        Assert.Equal(HttpStatusCode.BadRequest, response.StatusCode);
+
+        string responseContent = await response.Content.ReadAsStringAsync();
+
+        Assert.Contains("invalid XmlNodeType", responseContent);
+
+    }
+
     [Fact]
     public async Task GetUpdatedResourceSubjects_Paginates()
     {