Make delegations PIP cachekey great again (#1097)
* Make delegations PIP cachekey great again
#1096

* Added integration tests and Bruno automated tests
- Multi-request test for two Altinn Apps based on delegations
- Multi-request test for two Resourceregistry Resources based on delegations

---------

Co-authored-by: Jon Kjetil Øye <acn-joye@ai-dev.no>
jonkjetiloye and Jon Kjetil Øye authored Sep 30, 2024
1 parent b196999 commit 711e6f1
Showing 14 changed files with 1,191 additions and 7 deletions.
4 changes: 2 additions & 2 deletions src/Authorization/Controllers/DecisionController.cs
Expand Up @@ -469,8 +469,8 @@ private async Task<IEnumerable<DelegationChangeExternal>> GetAllCachedDelegation
var cacheKey = CreateCacheKey(
$"s:{delegation.Subject.Id}:{delegation.Subject.Value}",
$"p:{delegation.Party.Value}",
$"a:{delegation.Resource.FirstOrDefault(r => r.Id == AltinnXacmlConstants.MatchAttributeIdentifiers.OrgAttribute)}/{delegation.Resource.FirstOrDefault(r => r.Id == AltinnXacmlConstants.MatchAttributeIdentifiers.AppAttribute)}",
$"r:{delegation.Resource.FirstOrDefault(r => r.Id == AltinnXacmlConstants.MatchAttributeIdentifiers.ResourceRegistry)}");
$"a:{delegation.Resource.FirstOrDefault(r => r.Id == AltinnXacmlConstants.MatchAttributeIdentifiers.OrgAttribute)?.Value}/{delegation.Resource.FirstOrDefault(r => r.Id == AltinnXacmlConstants.MatchAttributeIdentifiers.AppAttribute)?.Value}",
$"r:{delegation.Resource.FirstOrDefault(r => r.Id == AltinnXacmlConstants.MatchAttributeIdentifiers.ResourceRegistry)?.Value}");

if (!_memoryCache.TryGetValue(cacheKey, out IEnumerable<DelegationChangeExternal> result))
{
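Review bot: The `?.Value` on the new `a:` and `r:` segments makes a missing attribute degrade silently into an empty segment (`a:/`, `r:`) instead of a visible error, and nothing in the commit pins the key shape at unit level — the Bruno multi-request tests only observe the end-to-end decision. Whether the lookup that fills the cache distinguishes such delegations is not visible from here, so I would resolve the three attribute values into locals first and fail loudly (or bypass the cache) when the app pair and the resource value are all null, and add a unit test asserting that two delegations differing only in app, or only in resource, yield distinct keys, since that is precisely the collision #1096 describes. GetAllCachedDelegation…'s body starts and ends outside the hunk.
```csharp
var org = delegation.Resource.FirstOrDefault(r => r.Id == AltinnXacmlConstants.MatchAttributeIdentifiers.OrgAttribute)?.Value;
var app = delegation.Resource.FirstOrDefault(r => r.Id == AltinnXacmlConstants.MatchAttributeIdentifiers.AppAttribute)?.Value;
var resource = delegation.Resource.FirstOrDefault(r => r.Id == AltinnXacmlConstants.MatchAttributeIdentifiers.ResourceRegistry)?.Value;
if (org is null && app is null && resource is null)
{
    // Refuse to cache under a key that cannot tell delegations apart.
    throw new InvalidOperationException("Delegation carries neither app nor resource identifier; cannot build an unambiguous cache key.");
}

var cacheKey = CreateCacheKey(
    $"s:{delegation.Subject.Id}:{delegation.Subject.Value}",
    $"p:{delegation.Party.Value}",
    $"a:{org}/{app}",
    $"r:{resource}");
// … unchanged: _memoryCache.TryGetValue lookup …
```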
@@ -0,0 +1,157 @@
meta {
name: MultiReqAppDelegations
type: http
seq: 12
}

post {
url: {{baseUrl}}/authorization/api/v1/authorize
body: json
auth: inherit
}

headers {
Content-Type: application/json
Ocp-Apim-Subscription-Key: {{apimSubscriptionKey}}
}

body:json {
{
"Request": {
"ReturnPolicyIdList": false,
"AccessSubject": [
{
"Id": "s1",
"Attribute": [
{
"AttributeId": "urn:altinn:person:identifier-no",
"Value": "24925798149",
"IncludeInResult": true
}
]
}
],
"Action": [
{
"Id": "a1",
"Attribute": [
{
"AttributeId": "urn:oasis:names:tc:xacml:1.0:action:action-id",
"Value": "read",
"DataType": "http://www.w3.org/2001/XMLSchema#string",
"IncludeInResult": true
}
]
}
],
"Resource": [
{
"Id": "r1",
"Attribute": [
{
"AttributeId": "urn:altinn:org",
"Value": "ttd",
"DataType": "http://www.w3.org/2001/XMLSchema#string",
"IncludeInResult": true
},
{
"AttributeId": "urn:altinn:app",
"Value": "authz-bruno-testapp1",
"DataType": "http://www.w3.org/2001/XMLSchema#string",
"IncludeInResult": true
},
{
"AttributeId": "urn:altinn:organization:identifier-no",
"Value": "313332330",
"DataType": "http://www.w3.org/2001/XMLSchema#string",
"IncludeInResult": true
}
]
},
{
"Id": "r2",
"Attribute": [
{
"AttributeId": "urn:altinn:org",
"Value": "ttd",
"DataType": "http://www.w3.org/2001/XMLSchema#string",
"IncludeInResult": true
},
{
"AttributeId": "urn:altinn:app",
"Value": "authz-bruno-testapp2",
"DataType": "http://www.w3.org/2001/XMLSchema#string",
"IncludeInResult": true
},
{
"AttributeId": "urn:altinn:organization:identifier-no",
"Value": "313332330",
"DataType": "http://www.w3.org/2001/XMLSchema#string",
"IncludeInResult": true
}
]
}
],
"MultiRequests": {
"RequestReference": [
{
"ReferenceId": [
"s1",
"a1",
"r1"
]
},
{
"ReferenceId": [
"s1",
"a1",
"r2"
]
}
]
}
}
}
}

assert {
~res.status: eq 200
~res.body: contains created
}

script:pre-request {
const testdata = require(`./Testdata/Authorization/${bru.getEnvVar("tokenEnv")}testdata.json`);
const sharedtestdata = require(`./Testdata/Authorization/sharedtestdata.json`);

var getTokenParameters = {
auth_tokenType: sharedtestdata.authTokenType.enterprise,
auth_scopes: sharedtestdata.auth_scopes.authorize,
auth_org: "digdir",
auth_orgNo: "991825827"
}

const token = await testTokenGenerator.getToken(getTokenParameters);

bru.setVar("bearerToken", token);
}

tests {

test("MultiReqAppDelegations Decision result on read is permit", function() {
const testdata = require(`./Testdata/Authorization/${bru.getEnvVar("tokenEnv")}testdata.json`);
const data = res.getBody();
expect(res.status).to.equal(200);
expect(data.response[0]).to.have.property('decision', "Permit");
expect(data.response[1]).to.have.property('decision', "Permit");
});
}

docs {
Get a decision from PDP with appOwner details and validate response to have Permit.

AccessSubject: ['urn:altinn:org']

Action: ['read']

Resource: ['urn:altinn:app', 'urn:altinn:org']
}
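Review bot: Both requests in MultiReqAppDelegations expect `Permit`, so a regression of the #1096 cache-key collision — the second app being served the first app's cached delegations — would still pass this test; the same holds for MultiReqResourceDelegations below. Add a third resource for an app (or resource) the subject holds no delegation for, reference it in MultiRequests, and assert a non-Permit decision for it so that a stale cache hit is actually detected. The `docs` block is copied from another request and does not describe this one (the subject is `urn:altinn:person:identifier-no`, not `urn:altinn:org`, and the point is two delegated apps), the `testdata` require inside the `tests` block is unused, and `var getTokenParameters` should be `const`.
```javascript
// … unchanged: r1 and r2 Resource entries …
{
  "Id": "r3",
  "Attribute": [
    { "AttributeId": "urn:altinn:org", "Value": "ttd", "DataType": "http://www.w3.org/2001/XMLSchema#string", "IncludeInResult": true },
    { "AttributeId": "urn:altinn:app", "Value": "<APP_WITHOUT_DELEGATION>", "DataType": "http://www.w3.org/2001/XMLSchema#string", "IncludeInResult": true },
    { "AttributeId": "urn:altinn:organization:identifier-no", "Value": "313332330", "DataType": "http://www.w3.org/2001/XMLSchema#string", "IncludeInResult": true }
  ]
}
// … unchanged: MultiRequests, plus a third RequestReference ["s1", "a1", "r3"] …
// tests block:
expect(data.response[0]).to.have.property('decision', "Permit");
expect(data.response[1]).to.have.property('decision', "Permit");
expect(data.response[2]).to.have.property('decision', "NotApplicable");
```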
@@ -0,0 +1,140 @@
meta {
name: MultiReqResourceDelegations
type: http
seq: 11
}

post {
url: {{baseUrl}}/authorization/api/v1/authorize
body: json
auth: inherit
}

headers {
Content-Type: application/json
Ocp-Apim-Subscription-Key: {{apimSubscriptionKey}}
}

body:json {
{
"Request": {
"ReturnPolicyIdList": true,
"AccessSubject": [
{
"Id": "s1",
"Attribute": [
{
"AttributeId": "urn:altinn:person:identifier-no",
"Value": "01866696531"
}
]
}
],
"Action": [
{
"Id": "a1",
"Attribute": [
{
"AttributeId": "urn:oasis:names:tc:xacml:1.0:action:action-id",
"Value": "read",
"DataType": "http://www.w3.org/2001/XMLSchema#string",
"IncludeInResult": true
}
]
}
],
"Resource": [
{
"Id": "r1",
"Attribute": [
{
"AttributeId": "urn:altinn:resource",
"Value": "authz_bruno_gar_resource1",
"DataType": "http://www.w3.org/2001/XMLSchema#string"
},
{
"AttributeId": "urn:altinn:organization:identifier-no",
"Value": "311694936",
"DataType": "http://www.w3.org/2001/XMLSchema#string"
}
]
},
{
"Id": "r2",
"Attribute": [
{
"AttributeId": "urn:altinn:resource",
"Value": "authz_bruno_gar_resource2",
"DataType": "http://www.w3.org/2001/XMLSchema#string"
},
{
"AttributeId": "urn:altinn:organization:identifier-no",
"Value": "311694936",
"DataType": "http://www.w3.org/2001/XMLSchema#string"
}
]
}
],
"MultiRequests": {
"RequestReference": [
{
"ReferenceId": [
"s1",
"a1",
"r1"
]
},
{
"ReferenceId": [
"s1",
"a1",
"r2"
]
}
]
}
}
}
}

assert {
~res.status: eq 200
~res.body: contains created
}

script:pre-request {
const testdata = require(`./Testdata/Authorization/${bru.getEnvVar("tokenEnv")}testdata.json`);
const sharedtestdata = require(`./Testdata/Authorization/sharedtestdata.json`);

var getTokenParameters = {
auth_tokenType: sharedtestdata.authTokenType.enterprise,
auth_scopes: sharedtestdata.auth_scopes.authorize,
auth_org: "digdir",
auth_orgNo: "991825827"
}

const token = await testTokenGenerator.getToken(getTokenParameters);

bru.setVar("bearerToken", token);
}

tests {

test("MultiReqResourceDelegations Decision result on read is permit", function() {
const testdata = require(`./Testdata/Authorization/${bru.getEnvVar("tokenEnv")}testdata.json`);
const data = res.getBody();
expect(res.status).to.equal(200);
expect(data.response[0]).to.have.property('decision', "Permit");
expect(data.response[1]).to.have.property('decision', "Permit");
});
}

docs {
Get a decision from PDP with appOwner details and validate response to have Permit.

AccessSubject: ['urn:altinn:org']

Action: ['read']

Resource: ['urn:altinn:app', 'urn:altinn:org']
}
