Assume LastName in person lookup is base64 encoded. (#8171)

* Add required authentication level
* Assume LastName is base64 encoded.
* Copy latest person lookup to LocalTest

src/Controllers/Register/PersonsController.cs

@@ -17,7 +17,7 @@ namespace Altinn.Platform.Register.Controllers
     /// <summary>
     /// The <see cref="PersonsController"/> provides the API endpoints related to persons.
     /// </summary>
-    [Authorize]
+    [Authorize(Policy = "AuthorizationLevel2")]
     [Route("register/api/v1/persons")]
     public class PersonsController : ControllerBase
     {
@@ -36,10 +36,10 @@ public PersonsController(IPersonLookup personLookup)
         /// Gets the <see cref="Person"/> with the given national identity number.
         /// </summary>
         /// <remarks>
-        /// This method can be used to retrieve the party and person object for an identified person with
-        /// a national identity number. The service will track the number of invalid input combinations and
-        /// block further requests if the number of failed lookups have exceeded a configurable number. The
-        /// user will be prevented from performing new searches for a configurable number of seconds.
+        /// This endpoint can be used to retrieve the person object for an identified person. The service
+        /// will track the number of failed lookup attempts and block further requests if the number of failed
+        /// lookups have exceeded a configurable number. The user will be prevented from performing new searches
+        /// for a configurable number of seconds.
         /// </remarks>
         /// <returns>The party of the identified person.</returns>
         [HttpGet]

src/Models/PersonLookupIdentifiers.cs

@@ -1,4 +1,6 @@
-using System.ComponentModel.DataAnnotations;
+using System;
+using System.ComponentModel.DataAnnotations;
+using System.Text;
 
 using Microsoft.AspNetCore.Mvc;
 
@@ -9,6 +11,8 @@ namespace Altinn.Platform.Register.Models
     /// </summary>
     public class PersonLookupIdentifiers
     {
+        private string _lastName;
+
         /// <summary>
         /// The unique national identity number of the person.
         /// </summary>
@@ -17,10 +21,29 @@ public class PersonLookupIdentifiers
         public string NationalIdentityNumber { get; set; }
 
         /// <summary>
-        /// The last name of the person. This must match.
+        /// The last name of the person. This must match the last name of the identified person.
+        /// The value is assumed to be base64 encoded from an UTF-8 string.
         /// </summary>
         [FromHeader(Name = "X-Ai-LastName")]
         [Required]
-        public string LastName { get; set; }
+        public string LastName
+        {
+            get
+            {
+                if (_lastName is null)
+                {
+                    return null;
+                }
+
+                Span<byte> buffer = stackalloc byte[_lastName.Length];
+                bool success = Convert.TryFromBase64String(_lastName, buffer, out int bytesParsed);
+                return success ? Encoding.UTF8.GetString(buffer[..bytesParsed]) : _lastName;
+            }
+
+            set
+            {
+                _lastName = value;
+            }
+        }
     }
 }

src/Startup.cs

@@ -125,15 +125,29 @@ public void ConfigureServices(IServiceCollection services)
 
             services.AddAuthorization(options =>
             {
-                options.AddPolicy(AuthzConstants.POLICY_INSTANCE_READ, policy => policy.Requirements.Add(new AppAccessRequirement("read")));
-                options.AddPolicy(AuthzConstants.POLICY_INSTANCE_WRITE, policy => policy.Requirements.Add(new AppAccessRequirement("write")));
-                options.AddPolicy(AuthzConstants.POLICY_INSTANCE_DELETE, policy => policy.Requirements.Add(new AppAccessRequirement("delete")));
-                options.AddPolicy(AuthzConstants.POLICY_INSTANCE_COMPLETE, policy => policy.Requirements.Add(new AppAccessRequirement("complete")));
-                options.AddPolicy(AuthzConstants.POLICY_SCOPE_APPDEPLOY, policy => policy.Requirements.Add(new ScopeAccessRequirement("altinn:appdeploy")));
-                options.AddPolicy(AuthzConstants.POLICY_SCOPE_INSTANCE_READ, policy => policy.Requirements.Add(new ScopeAccessRequirement("altinn:instances.read")));
+                options.AddPolicy(
+                    AuthzConstants.POLICY_INSTANCE_READ,
+                    policy => policy.Requirements.Add(new AppAccessRequirement("read")));
+                options.AddPolicy(
+                    AuthzConstants.POLICY_INSTANCE_WRITE,
+                    policy => policy.Requirements.Add(new AppAccessRequirement("write")));
+                options.AddPolicy(
+                    AuthzConstants.POLICY_INSTANCE_DELETE,
+                    policy => policy.Requirements.Add(new AppAccessRequirement("delete")));
+                options.AddPolicy(
+                    AuthzConstants.POLICY_INSTANCE_COMPLETE,
+                    policy => policy.Requirements.Add(new AppAccessRequirement("complete")));
+                options.AddPolicy(
+                    AuthzConstants.POLICY_SCOPE_APPDEPLOY,
+                    policy => policy.Requirements.Add(new ScopeAccessRequirement("altinn:appdeploy")));
+                options.AddPolicy(
+                    AuthzConstants.POLICY_SCOPE_INSTANCE_READ,
+                    policy => policy.Requirements.Add(new ScopeAccessRequirement("altinn:instances.read")));
+                options.AddPolicy(
+                    "AuthorizationLevel2",
+                    policy => policy.RequireClaim(AltinnCoreClaimTypes.AuthenticationLevel, "2", "3", "4"));
             });
 
-
             services.AddMvc(options =>
             {
                 // Adding custom model binders