From 8a95fe3a6c1dab628e9c4f0bcd7adfa5dfc80e41 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Rune=20T=C3=B8mmer=C3=A5s=20Larsen?=
Date: Tue, 21 Feb 2023 16:14:12 +0100
Subject: [PATCH] Matching authorization (#25)

* Matching authorization
* Updated git ignore
---
 .gitignore | 3 +-
 .../Authorization/XacmlRequestAttribute.cs | 15 ++++
 .../Authorization/XacmlResourceAttributes.cs | 15 ++++
 .../Implementation/ContextHandler.cs | 78 ++++++++++++++-----
 4 files changed, 92 insertions(+), 19 deletions(-)

diff --git a/.gitignore b/.gitignore
index 3b5d2b84..8a9a6352 100644
--- a/.gitignore
+++ b/.gitignore
@@ -10,4 +10,5 @@ bld/
 [Bb]in/
 [Oo]bj/
 msbuild.log
-AltinnPlatformLocal/
\ No newline at end of file
+AltinnPlatformLocal/
+/.vs/LocalTest
diff --git a/src/Constants/Authorization/XacmlRequestAttribute.cs b/src/Constants/Authorization/XacmlRequestAttribute.cs
index 9ba767a8..f2da038f 100644
--- a/src/Constants/Authorization/XacmlRequestAttribute.cs
+++ b/src/Constants/Authorization/XacmlRequestAttribute.cs
@@ -20,16 +20,31 @@ public static class XacmlRequestAttribute
 ///
 public const string InstanceAttribute = "urn:altinn:instance-id";
 
+ ///
+ /// xacm string that represents appresource
+ ///
+ public const string AppResourceAttribute = "urn:altinn:appresource";
+
 ///
 /// xacml string that represents task
 ///
 public const string TaskAttribute = "urn:altinn:task";
 
+ ///
+ /// xacml string that represents end event
+ ///
+ public const string EndEventAttribute = "urn:altinn:end-event";
+
 ///
 /// xacml string that represents party
 ///
 public const string PartyAttribute = "urn:altinn:partyid";
 
+ ///
+ /// xacml string that represents organization number
+ ///
+ public const string OrganizationNumberAttribute = "urn:altinn:organizationnumber";
+
 ///
 /// xacml string that represents user
 ///
diff --git a/src/Models/Authorization/XacmlResourceAttributes.cs b/src/Models/Authorization/XacmlResourceAttributes.cs
index e0a21981..7cbb7d4f 100644
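Review bot: The summary on the new AppResourceAttribute reads `xacm string that represents appresource` while the neighbouring entries say `xacml string that represents …`; suggest `/// xacml string that represents app resource` so the typo does not propagate into generated docs. The ResourceRegistryAttribute constant referenced by the ContextHandler change in this patch is not added here, so it is presumably already present in this file; worth a glance to confirm before merging.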
--- a/src/Models/Authorization/XacmlResourceAttributes.cs
+++ b/src/Models/Authorization/XacmlResourceAttributes.cs
@@ -29,5 +29,20 @@ public class XacmlResourceAttributes
 /// Gets or sets the value for task attribute
 ///
 public string TaskValue { get; set; }
+
+ ///
+ /// Gets or sets the value for app resource.
+ ///
+ public string AppResourceValue { get; set; }
+
+ ///
+ /// Gets or sets the resource registry Id
+ ///
+ public string ResourceRegistryId { get; set; }
+
+ ///
+ /// Gets or sets the OrganizationNumber for the org owning the resource
+ ///
+ public string OrganizationNumber { get; set; }
 }
 }
diff --git a/src/Services/Authorization/Implementation/ContextHandler.cs b/src/Services/Authorization/Implementation/ContextHandler.cs
index 74a7ee13..d2d267bf 100644
--- a/src/Services/Authorization/Implementation/ContextHandler.cs
+++ b/src/Services/Authorization/Implementation/ContextHandler.cs
@@ -56,8 +56,37 @@ private async Task EnrichResourceAttributes(XacmlContextRequest request)
 XacmlContextAttributes resourceContextAttributes = request.GetResourceAttributes();
 XacmlResourceAttributes resourceAttributes = GetResourceAttributeValues(resourceContextAttributes);
- bool resourceAttributeComplete = false;
+ bool resourceAttributeComplete = IsResourceComplete(resourceAttributes);
+
+ if (!resourceAttributeComplete && !string.IsNullOrEmpty(resourceAttributes.InstanceValue))
+ {
+ Instance instanceData = await _policyInformationRepository.GetInstance(resourceAttributes.InstanceValue);
+ if (instanceData != null)
+ {
+ AddIfValueDoesNotExist(resourceContextAttributes, XacmlRequestAttribute.OrgAttribute, resourceAttributes.OrgValue, instanceData.Org);
+ string app = instanceData.AppId.Split("/")[1];
+ AddIfValueDoesNotExist(resourceContextAttributes, XacmlRequestAttribute.AppAttribute, resourceAttributes.AppValue, app);
+ if (instanceData.Process?.CurrentTask != null)
+ {
+ AddIfValueDoesNotExist(resourceContextAttributes, XacmlRequestAttribute.TaskAttribute, resourceAttributes.TaskValue, instanceData.Process.CurrentTask.ElementId);
+ }
+ else if (instanceData.Process?.EndEvent != null)
+ {
+ AddIfValueDoesNotExist(resourceContextAttributes, XacmlRequestAttribute.EndEventAttribute, null, instanceData.Process.EndEvent);
+ }
+
+ AddIfValueDoesNotExist(resourceContextAttributes, XacmlRequestAttribute.PartyAttribute, resourceAttributes.ResourcePartyValue, instanceData.InstanceOwner.PartyId);
+ resourceAttributes.ResourcePartyValue = instanceData.InstanceOwner.PartyId;
+ }
+ }
+ await EnrichSubjectAttributes(request, resourceAttributes.ResourcePartyValue);
+ }
+
+
+ private static bool IsResourceComplete(XacmlResourceAttributes resourceAttributes)
+ {
+ bool resourceAttributeComplete = false;
 if (!string.IsNullOrEmpty(resourceAttributes.OrgValue) &&
 !string.IsNullOrEmpty(resourceAttributes.AppValue) &&
 !string.IsNullOrEmpty(resourceAttributes.InstanceValue) &&
@@ -76,26 +105,24 @@ private async Task EnrichResourceAttributes(XacmlContextRequest request)
 // The resource attributes are complete
 resourceAttributeComplete = true;
 }
-
- if (!resourceAttributeComplete && !string.IsNullOrEmpty(resourceAttributes.InstanceValue))
+ else if (!string.IsNullOrEmpty(resourceAttributes.OrgValue) &&
+ !string.IsNullOrEmpty(resourceAttributes.AppValue) &&
+ !string.IsNullOrEmpty(resourceAttributes.InstanceValue) &&
+ !string.IsNullOrEmpty(resourceAttributes.ResourcePartyValue) &&
+ !string.IsNullOrEmpty(resourceAttributes.AppResourceValue) &&
+ resourceAttributes.AppResourceValue.Equals("events"))
 {
- Instance instanceData = await _policyInformationRepository.GetInstance(resourceAttributes.InstanceValue);
- if (instanceData != null)
- {
- AddIfValueDoesNotExist(resourceContextAttributes, XacmlRequestAttribute.OrgAttribute, resourceAttributes.OrgValue, instanceData.Org);
- string app = instanceData.AppId.Split("/")[1];
- AddIfValueDoesNotExist(resourceContextAttributes, XacmlRequestAttribute.AppAttribute, resourceAttributes.AppValue, app);
- if (instanceData.Process?.CurrentTask != null)
- {
- AddIfValueDoesNotExist(resourceContextAttributes, XacmlRequestAttribute.TaskAttribute, resourceAttributes.TaskValue, instanceData.Process.CurrentTask.ElementId);
- }
-
- AddIfValueDoesNotExist(resourceContextAttributes, XacmlRequestAttribute.PartyAttribute, resourceAttributes.ResourcePartyValue, instanceData.InstanceOwner.PartyId);
- resourceAttributes.ResourcePartyValue = instanceData.InstanceOwner.PartyId;
- }
+ // The resource attributes are complete
+ resourceAttributeComplete = true;
+ }
+ else if (!string.IsNullOrEmpty(resourceAttributes.ResourceRegistryId) &&
+ !string.IsNullOrEmpty(resourceAttributes.ResourcePartyValue))
+ {
+ // The resource attributes are complete
+ resourceAttributeComplete = true;
 }
 
- await EnrichSubjectAttributes(request, resourceAttributes.ResourcePartyValue);
+ return resourceAttributeComplete;
 }
 
 private static XacmlResourceAttributes GetResourceAttributeValues(XacmlContextAttributes resourceContextAttributes)
@@ -128,6 +155,21 @@ private static XacmlResourceAttributes GetResourceAttributeValues(XacmlContextAt
 {
 resourceAttributes.TaskValue = attribute.AttributeValues.First().Value;
 }
+
+ if (attribute.AttributeId.OriginalString.Equals(XacmlRequestAttribute.AppResourceAttribute))
+ {
+ resourceAttributes.AppResourceValue = attribute.AttributeValues.First().Value;
+ }
+
+ if (attribute.AttributeId.OriginalString.Equals(XacmlRequestAttribute.ResourceRegistryAttribute))
+ {
+ resourceAttributes.ResourceRegistryId = attribute.AttributeValues.First().Value;
+ }
+
+ if (attribute.AttributeId.OriginalString.Equals(XacmlRequestAttribute.OrganizationNumberAttribute))
+ {
+ resourceAttributes.OrganizationNumber = attribute.AttributeValues.First().Value;
+ }
 }
 
 return resourceAttributes;
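Review bot: In IsResourceComplete the new `else if` branch for `events` repeats the first branch's four IsNullOrEmpty checks on OrgValue, AppValue, InstanceValue and ResourcePartyValue verbatim, and every branch does nothing but set `resourceAttributeComplete = true`, so the method could compute `bool hasInstanceIdentity = !string.IsNullOrEmpty(resourceAttributes.OrgValue) && !string.IsNullOrEmpty(resourceAttributes.AppValue) && !string.IsNullOrEmpty(resourceAttributes.InstanceValue) && !string.IsNullOrEmpty(resourceAttributes.ResourcePartyValue);` once and return the disjunction of the three cases directly. The first branch's condition starts in the previous hunk, so what it requires beyond those four values cannot be confirmed here. Behaviourally, a resource that any branch reports as complete skips the instance lookup in EnrichResourceAttributes, so for the new `events` and resource-registry cases the party id is taken from the request as-is and handed to EnrichSubjectAttributes, whereas the incomplete path replaces it with `instanceData.InstanceOwner.PartyId`; that is fine if only trusted platform components build these requests, and a one-line comment stating that assumption on the new branches would help the next reader. `Equals("events")` is an ordinal, case-sensitive comparison; if that is intended, `string.Equals(resourceAttributes.AppResourceValue, "events", StringComparison.Ordinal)` makes it explicit.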
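Review bot: The three new lookups call `attribute.AttributeValues.First().Value`, so a resource attribute element that carries no value makes GetResourceAttributeValues throw InvalidOperationException instead of leaving the field unset, which is the case IsResourceComplete's IsNullOrEmpty checks are prepared for; `attribute.AttributeValues.FirstOrDefault()?.Value` would keep a malformed request on the "attribute missing" path, assuming the element type is a class (the existing task branch just above uses the same `First()` pattern, so any change should be made consistently). The loop body now holds a long run of `if (attribute.AttributeId.OriginalString.Equals(...))` blocks; a `switch` on `attribute.AttributeId.OriginalString` with the XacmlRequestAttribute constants as case labels would read more directly. The enclosing foreach and method start outside the hunk.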