From 2bc9b6486843a079be8c90e096947cfe5b793db5 Mon Sep 17 00:00:00 2001
From: Terje Holene
Date: Mon, 7 Mar 2022 12:11:53 +0100
Subject: [PATCH] Assume LastName in person lookup is base64 encoded. (#8171)

* Add required authentication level

* Assume LastName is base64 encoded.

* Copy latest person lookup to LocalTest
---
 src/Controllers/Register/PersonsController.cs | 10 +++---
 src/Models/PersonLookupIdentifiers.cs         | 29 +++++++++++++++++--
 src/Startup.cs                                | 28 +++++++++++++-----
 3 files changed, 52 insertions(+), 15 deletions(-)

diff --git a/src/Controllers/Register/PersonsController.cs b/src/Controllers/Register/PersonsController.cs
index 89faa734..2515da60 100644
--- a/src/Controllers/Register/PersonsController.cs
+++ b/src/Controllers/Register/PersonsController.cs
@@ -17,7 +17,7 @@ namespace Altinn.Platform.Register.Controllers
 ///
 /// The provides the API endpoints related to persons.
 ///
- [Authorize]
+ [Authorize(Policy = "AuthorizationLevel2")]
 [Route("register/api/v1/persons")]
 public class PersonsController : ControllerBase
 {
@@ -36,10 +36,10 @@ public PersonsController(IPersonLookup personLookup)
 /// Gets the with the given national identity number.
 ///
 ///
- /// This method can be used to retrieve the party and person object for an identified person with
- /// a national identity number. The service will track the number of invalid input combinations and
- /// block further requests if the number of failed lookups have exceeded a configurable number. The
- /// user will be prevented from performing new searches for a configurable number of seconds.
+ /// This endpoint can be used to retrieve the person object for an identified person. The service
+ /// will track the number of failed lookup attempts and block further requests if the number of failed
+ /// lookups have exceeded a configurable number. The user will be prevented from performing new searches
+ /// for a configurable number of seconds.
 ///
 /// The party of the identified person.
 [HttpGet]
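Review bot: The policy name in the new `[Authorize(Policy = "AuthorizationLevel2")]` attribute is a bare string literal, whereas every other policy in this codebase is referenced through `AuthzConstants.POLICY_*`; the same literal is repeated in the Startup.cs hunk that registers the policy, so a mismatch between the two only shows up at request time rather than at compile time. Declaring it once next to the other constants, e.g. `public const string POLICY_AUTHENTICATION_LEVEL_2 = "AuthorizationLevel2";`, and using `[Authorize(Policy = AuthzConstants.POLICY_AUTHENTICATION_LEVEL_2)]` here and in `AddPolicy` keeps the two sites in lockstep. The class body continues outside the hunk.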
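Review bot: The rewritten remarks in the second hunk now describe the endpoint as returning "the person object", but the returns line kept from the old text still reads `/// The party of the identified person.`, so the summary and the returns description contradict each other. Whichever one matches the actual return type (the method signature is outside the hunk) should be kept and the other adjusted, e.g. `/// The identified person.` if the person object is what is returned. Minor: "the number of failed lookups have exceeded" should be "has exceeded".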
diff --git a/src/Models/PersonLookupIdentifiers.cs b/src/Models/PersonLookupIdentifiers.cs
index 634ba674..b7d3033d 100644
--- a/src/Models/PersonLookupIdentifiers.cs
+++ b/src/Models/PersonLookupIdentifiers.cs
@@ -1,4 +1,6 @@
-using System.ComponentModel.DataAnnotations;
+using System;
+using System.ComponentModel.DataAnnotations;
+using System.Text;
 using Microsoft.AspNetCore.Mvc;
@@ -9,6 +11,8 @@ namespace Altinn.Platform.Register.Models
 ///
 public class PersonLookupIdentifiers
 {
+ private string _lastName;
+
 ///
 /// The unique national identity number of the person.
 ///
@@ -17,10 +21,29 @@ public class PersonLookupIdentifiers
 public string NationalIdentityNumber { get; set; }
 
 ///
- /// The last name of the person. This must match.
+ /// The last name of the person. This must match the last name of the identified person.
+ /// The value is assumed to be base64 encoded from an UTF-8 string.
 ///
 [FromHeader(Name = "X-Ai-LastName")]
 [Required]
- public string LastName { get; set; }
+ public string LastName
+ {
+ get
+ {
+ if (_lastName is null)
+ {
+ return null;
+ }
+
+ Span buffer = stackalloc byte[_lastName.Length];
+ bool success = Convert.TryFromBase64String(_lastName, buffer, out int bytesParsed);
+ return success ? Encoding.UTF8.GetString(buffer[..bytesParsed]) : _lastName;
+ }
+
+ set
+ {
+ _lastName = value;
+ }
+ }
 }
 }
diff --git a/src/Startup.cs b/src/Startup.cs
index 1d0f17f3..fa4e66a1 100644
--- a/src/Startup.cs
+++ b/src/Startup.cs
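Review bot: In the new `LastName` getter, `stackalloc byte[_lastName.Length]` sizes a stack buffer directly from the length of the `X-Ai-LastName` request header, i.e. from caller-controlled input; the server's request-header size limit presumably bounds this, but a stack overflow is a process-terminating fault, so the decoder should not depend on that limit and should fall back to a heap array above a small threshold. The fallback to the raw value when `TryFromBase64String` fails also makes the contract ambiguous: a plain-text surname whose length happens to be a multiple of four (constructed example: `Berg`) is accepted as base64 and decoded to unrelated bytes, while other plain-text values pass through unchanged; if the header is meant to be base64-only, failing model validation on undecodable input is more predictable than the silent fallback. Decoding also runs on every read of the property; decoding once in the setter and storing the result would avoid the repeated work. The rewritten getter below keeps the current fallback and only bounds the stack usage.
```csharp
get
{
    if (_lastName is null)
    {
        return null;
    }

    // The header value is caller-controlled; keep stack usage bounded rather
    // than sizing the stackalloc by the raw header length.
    Span<byte> buffer = _lastName.Length <= 256
        ? stackalloc byte[256]
        : new byte[_lastName.Length];
    bool success = Convert.TryFromBase64String(_lastName, buffer, out int bytesParsed);
    return success ? Encoding.UTF8.GetString(buffer[..bytesParsed]) : _lastName;
}
```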
@@ -125,15 +125,29 @@ public void ConfigureServices(IServiceCollection services)
 services.AddAuthorization(options =>
 {
- options.AddPolicy(AuthzConstants.POLICY_INSTANCE_READ, policy => policy.Requirements.Add(new AppAccessRequirement("read")));
- options.AddPolicy(AuthzConstants.POLICY_INSTANCE_WRITE, policy => policy.Requirements.Add(new AppAccessRequirement("write")));
- options.AddPolicy(AuthzConstants.POLICY_INSTANCE_DELETE, policy => policy.Requirements.Add(new AppAccessRequirement("delete")));
- options.AddPolicy(AuthzConstants.POLICY_INSTANCE_COMPLETE, policy => policy.Requirements.Add(new AppAccessRequirement("complete")));
- options.AddPolicy(AuthzConstants.POLICY_SCOPE_APPDEPLOY, policy => policy.Requirements.Add(new ScopeAccessRequirement("altinn:appdeploy")));
- options.AddPolicy(AuthzConstants.POLICY_SCOPE_INSTANCE_READ, policy => policy.Requirements.Add(new ScopeAccessRequirement("altinn:instances.read")));
+ options.AddPolicy(
+ AuthzConstants.POLICY_INSTANCE_READ,
+ policy => policy.Requirements.Add(new AppAccessRequirement("read")));
+ options.AddPolicy(
+ AuthzConstants.POLICY_INSTANCE_WRITE,
+ policy => policy.Requirements.Add(new AppAccessRequirement("write")));
+ options.AddPolicy(
+ AuthzConstants.POLICY_INSTANCE_DELETE,
+ policy => policy.Requirements.Add(new AppAccessRequirement("delete")));
+ options.AddPolicy(
+ AuthzConstants.POLICY_INSTANCE_COMPLETE,
+ policy => policy.Requirements.Add(new AppAccessRequirement("complete")));
+ options.AddPolicy(
+ AuthzConstants.POLICY_SCOPE_APPDEPLOY,
+ policy => policy.Requirements.Add(new ScopeAccessRequirement("altinn:appdeploy")));
+ options.AddPolicy(
+ AuthzConstants.POLICY_SCOPE_INSTANCE_READ,
+ policy => policy.Requirements.Add(new ScopeAccessRequirement("altinn:instances.read")));
+ options.AddPolicy(
+ "AuthorizationLevel2",
+ policy => policy.RequireClaim(AltinnCoreClaimTypes.AuthenticationLevel, "2", "3", "4"));
 });
-
 services.AddMvc(options =>
 {
 // Adding custom model binders
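Review bot: The new `AuthorizationLevel2` policy expresses "authentication level 2 or higher" as an allow-list of the string literals `"2"`, `"3"`, `"4"` passed to `RequireClaim`, which (presumably by exact string match) rejects any level value outside that list, so a future level `"5"` would be denied access here until this line is edited. A requirement that parses the claim numerically states the intent directly and does not need maintenance when levels are added, e.g. `policy => policy.RequireAssertion(ctx => int.TryParse(ctx.User.FindFirst(AltinnCoreClaimTypes.AuthenticationLevel)?.Value, out int level) && level >= 2)`. Either way, a one-line comment naming the threshold, `// Person lookup requires authentication level 2 or higher`, would make the policy's purpose clear at the registration site.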