From 711e6f119775e1ed5daf759222fba9cd90b3838e Mon Sep 17 00:00:00 2001 
From: jonkjetiloye <40996230+jonkjetiloye@users.noreply.github.com> Date: Mon, 30 Sep 2024 12:22:42 +0200 Subject: [PATCH] Make delegations PIP cachekey great again (#1097) MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit * Make delegations PIP cachekey great again #1096 * Added integration tests and Bruno automated tests - Multi-request test for two Altinn Apps based on delegations - Multi-request test for two Resourceregistry Resources based on delegations --------- Co-authored-by: Jon Kjetil Øye --- .../Controllers/DecisionController.cs | 4 +- .../Authorize/MultiReqAppDelegations.bru | 157 +++++++++++++++ .../Authorize/MultiReqResourceDelegations.bru | 140 +++++++++++++ .../Authorize (external)/MultiReqApps.bru | 157 +++++++++++++++ .../Authorize (external)/MultiReqResource.bru | 140 +++++++++++++ ...form.Authorization.IntegrationTests.csproj | 5 - .../AltinnApps_DecisionTests.cs | 20 ++ ...Org1App1AndApp2_UserDelegationRequest.json | 89 +++++++++ ...rg1App1AndApp2_UserDelegationResponse.json | 186 ++++++++++++++++++ ...elegations_MultiRequest_PermitRequest.json | 79 ++++++++ ...legations_MultiRequest_PermitResponse.json | 162 +++++++++++++++ .../delegationpolicy.xml | 33 ++++ test/IntegrationTests/ExternalDecisionTest.cs | 20 ++ .../AccessManagementWrapperMock.cs | 6 + 14 files changed, 1191 insertions(+), 7 deletions(-) create mode 100644 test/Bruno/Altinn.Authorization/Automatic Test Collection/Authorize/MultiReqAppDelegations.bru create mode 100644 test/Bruno/Altinn.Authorization/Automatic Test Collection/Authorize/MultiReqResourceDelegations.bru create mode 100644 test/Bruno/Altinn.Authorization/Manual Test Collection/Authorize (external)/MultiReqApps.bru create mode 100644 test/Bruno/Altinn.Authorization/Manual Test Collection/Authorize (external)/MultiReqResource.bru create mode 100644 test/IntegrationTests/Data/Xacml/3.0/AltinnApps/DelegationPolicyMultiRequest_AltinnAppsOrg1App1AndApp2_UserDelegationRequest.json 
create mode 100644 test/IntegrationTests/Data/Xacml/3.0/AltinnApps/DelegationPolicyMultiRequest_AltinnAppsOrg1App1AndApp2_UserDelegationResponse.json
create mode 100644 test/IntegrationTests/Data/Xacml/3.0/ResourceRegistry/ResourceRegistry_SystemUserWithDelegations_MultiRequest_PermitRequest.json
create mode 100644 test/IntegrationTests/Data/Xacml/3.0/ResourceRegistry/ResourceRegistry_SystemUserWithDelegations_MultiRequest_PermitResponse.json
create mode 100644 test/IntegrationTests/Data/blobs/input/ttd-externalpdp-resource2/50005545/SystemUser47caea5b-a80b-4343-b1d3-31eb523a4e28/delegationpolicy.xml
diff --git a/src/Authorization/Controllers/DecisionController.cs b/src/Authorization/Controllers/DecisionController.cs
index 88f3196c..e594d3ef 100644
--- a/src/Authorization/Controllers/DecisionController.cs
+++ b/src/Authorization/Controllers/DecisionController.cs
@@ -469,8 +469,8 @@ private async Task> GetAllCachedDelegation
 var cacheKey = CreateCacheKey(
 $"s:{delegation.Subject.Id}:{delegation.Subject.Value}",
 $"p:{delegation.Party.Value}",
- $"a:{delegation.Resource.FirstOrDefault(r => r.Id == AltinnXacmlConstants.MatchAttributeIdentifiers.OrgAttribute)}/{delegation.Resource.FirstOrDefault(r => r.Id == AltinnXacmlConstants.MatchAttributeIdentifiers.AppAttribute)}",
- $"r:{delegation.Resource.FirstOrDefault(r => r.Id == AltinnXacmlConstants.MatchAttributeIdentifiers.ResourceRegistry)}");
+ $"a:{delegation.Resource.FirstOrDefault(r => r.Id == AltinnXacmlConstants.MatchAttributeIdentifiers.OrgAttribute)?.Value}/{delegation.Resource.FirstOrDefault(r => r.Id == AltinnXacmlConstants.MatchAttributeIdentifiers.AppAttribute)?.Value}",
+ $"r:{delegation.Resource.FirstOrDefault(r => r.Id == AltinnXacmlConstants.MatchAttributeIdentifiers.ResourceRegistry)?.Value}");
 if (!_memoryCache.TryGetValue(cacheKey, out IEnumerable result))
 {
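Review bot: The added `?.Value` is the right fix, but nothing in the hunk records why it matters: string interpolation formats an `AttributeMatch` via its `ToString()`, not its value, so before this change every app and resource under the same subject and party presumably mapped to one cache key and the `_memoryCache.TryGetValue` on the next line could hand back delegation changes cached for a different resource. A why-comment above `CreateCacheKey` should say that the key must carry the matched attribute values, and the three `FirstOrDefault` lookups read better hoisted into named locals, as sketched below. A unit test that pins the key for two inputs differing only in the app attribute would keep this collision from silently returning. `GetAllCachedDelegationChanges` starts and ends outside the hunk.
```csharp
// The key must carry the matched attribute *values*: interpolating the AttributeMatch
// object formats its ToString(), which collapses every app/resource for the same
// subject and party into a single cache entry.
string org = delegation.Resource.FirstOrDefault(r => r.Id == AltinnXacmlConstants.MatchAttributeIdentifiers.OrgAttribute)?.Value;
string app = delegation.Resource.FirstOrDefault(r => r.Id == AltinnXacmlConstants.MatchAttributeIdentifiers.AppAttribute)?.Value;
string resource = delegation.Resource.FirstOrDefault(r => r.Id == AltinnXacmlConstants.MatchAttributeIdentifiers.ResourceRegistry)?.Value;
var cacheKey = CreateCacheKey(
    $"s:{delegation.Subject.Id}:{delegation.Subject.Value}",
    $"p:{delegation.Party.Value}",
    $"a:{org}/{app}",
    $"r:{resource}");
// … unchanged: cache lookup and fetch …
```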
diff --git a/test/Bruno/Altinn.Authorization/Automatic Test Collection/Authorize/MultiReqAppDelegations.bru b/test/Bruno/Altinn.Authorization/Automatic Test Collection/Authorize/MultiReqAppDelegations.bru new file mode 100644 index 00000000..0b59119b --- /dev/null +++ b/test/Bruno/Altinn.Authorization/Automatic Test Collection/Authorize/MultiReqAppDelegations.bru 
@@ -0,0 +1,157 @@ +meta { + name: MultiReqAppDelegations + type: http + seq: 12 +} + +post { + url: {{baseUrl}}/authorization/api/v1/authorize + body: json + auth: inherit +} + +headers { + Content-Type: application/json + Ocp-Apim-Subscription-Key: {{apimSubscriptionKey}} +} + +body:json { + { + "Request": { + "ReturnPolicyIdList": false, + "AccessSubject": [ + { + "Id": "s1", + "Attribute": [ + { + "AttributeId": "urn:altinn:person:identifier-no", + "Value": "24925798149", + "IncludeInResult": true + } + ] + } + ], + "Action": [ + { + "Id": "a1", + "Attribute": [ + { + "AttributeId": "urn:oasis:names:tc:xacml:1.0:action:action-id", + "Value": "read", + "DataType": "http://www.w3.org/2001/XMLSchema#string", + "IncludeInResult": true + } + ] + } + ], + "Resource": [ + { + "Id": "r1", + "Attribute": [ + { + "AttributeId": "urn:altinn:org", + "Value": "ttd", + "DataType": "http://www.w3.org/2001/XMLSchema#string", + "IncludeInResult": true + }, + { + "AttributeId": "urn:altinn:app", + "Value": "authz-bruno-testapp1", + "DataType": "http://www.w3.org/2001/XMLSchema#string", + "IncludeInResult": true + }, + { + "AttributeId": "urn:altinn:organization:identifier-no", + "Value": "313332330", + "DataType": "http://www.w3.org/2001/XMLSchema#string", + "IncludeInResult": true + } + ] + }, + { + "Id": "r2", + "Attribute": [ + { + "AttributeId": "urn:altinn:org", + "Value": "ttd", + "DataType": "http://www.w3.org/2001/XMLSchema#string", + "IncludeInResult": true + }, + { + "AttributeId": "urn:altinn:app", + "Value": "authz-bruno-testapp2", + "DataType": "http://www.w3.org/2001/XMLSchema#string", + "IncludeInResult": true + }, + { + "AttributeId": "urn:altinn:organization:identifier-no", + "Value": "313332330", + "DataType": "http://www.w3.org/2001/XMLSchema#string", + "IncludeInResult": true + } + ] + } + ], + "MultiRequests": { + "RequestReference": [ + { + "ReferenceId": [ + "s1", + "a1", + "r1" + ] + }, + { + "ReferenceId": [ + "s1", + "a1", + "r2" + ] + } + ] + } + } + } 
+} + +assert { + ~res.status: eq 200 + ~res.body: contains created +} + +script:pre-request { + const testdata = require(`./Testdata/Authorization/${bru.getEnvVar("tokenEnv")}testdata.json`); + const sharedtestdata = require(`./Testdata/Authorization/sharedtestdata.json`); + + var getTokenParameters = { + auth_tokenType: sharedtestdata.authTokenType.enterprise, + auth_scopes: sharedtestdata.auth_scopes.authorize, + auth_org: "digdir", + auth_orgNo: "991825827" + } + + const token = await testTokenGenerator.getToken(getTokenParameters); + + bru.setVar("bearerToken", token); +} + +tests { + + test("MultiReqAppDelegations Decision result on read is permit", function() { + const testdata = require(`./Testdata/Authorization/${bru.getEnvVar("tokenEnv")}testdata.json`); + const data = res.getBody(); + expect(res.status).to.equal(200); + expect(data.response[0]).to.have.property('decision', "Permit"); + expect(data.response[1]).to.have.property('decision', "Permit"); + }); +} + +docs { + Get a decision from PDP with appOwner details and validate response to have Permit. + + AccessSubject: ['urn:altinn:org'] + + Action: ['read'] + + Resource: ['urn:altinn:app', 'urn:altinn:org'] +} diff --git a/test/Bruno/Altinn.Authorization/Automatic Test Collection/Authorize/MultiReqResourceDelegations.bru b/test/Bruno/Altinn.Authorization/Automatic Test Collection/Authorize/MultiReqResourceDelegations.bru new file mode 100644 index 00000000..306e266a --- /dev/null +++ b/test/Bruno/Altinn.Authorization/Automatic Test Collection/Authorize/MultiReqResourceDelegations.bru 
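Review bot: The `docs` block does not describe this request: it says the subject is `urn:altinn:org` with appOwner details and the resource is `urn:altinn:app`/`urn:altinn:org`, while the body authorises a person (`urn:altinn:person:identifier-no`) against `urn:altinn:org`, `urn:altinn:app` and `urn:altinn:organization:identifier-no`. The same copied text appears in MultiReqResourceDelegations.bru, MultiReqApps.bru and MultiReqResource.bru, where the resource is actually `urn:altinn:resource` plus the organisation identifier; each file's docs should name the attributes its own body sends. `testdata` is also `require`d in both `script:pre-request` and `tests` but never read, while the person and organisation identifiers are hardcoded in the body; either drop the unused require or take those identifiers from the per-environment testdata file so they live in one place rather than inline in every request.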
@@ -0,0 +1,140 @@ +meta { + name: MultiReqResourceDelegations + type: http + seq: 11 +} + +post { + url: {{baseUrl}}/authorization/api/v1/authorize + body: json + auth: inherit +} + +headers { + Content-Type: application/json + Ocp-Apim-Subscription-Key: {{apimSubscriptionKey}} +} + +body:json { + { + "Request": { + "ReturnPolicyIdList": true, + "AccessSubject": [ + { + "Id": "s1", + "Attribute": [ + { + "AttributeId": "urn:altinn:person:identifier-no", + "Value": "01866696531" + } + ] + } + ], + "Action": [ + { + "Id": "a1", + "Attribute": [ + { + "AttributeId": "urn:oasis:names:tc:xacml:1.0:action:action-id", + "Value": "read", + "DataType": "http://www.w3.org/2001/XMLSchema#string", + "IncludeInResult": true + } + ] + } + ], + "Resource": [ + { + "Id": "r1", + "Attribute": [ + { + "AttributeId": "urn:altinn:resource", + "Value": "authz_bruno_gar_resource1", + "DataType": "http://www.w3.org/2001/XMLSchema#string" + }, + { + "AttributeId": "urn:altinn:organization:identifier-no", + "Value": "311694936", + "DataType": "http://www.w3.org/2001/XMLSchema#string" + } + ] + }, + { + "Id": "r2", + "Attribute": [ + { + "AttributeId": "urn:altinn:resource", + "Value": "authz_bruno_gar_resource2", + "DataType": "http://www.w3.org/2001/XMLSchema#string" + }, + { + "AttributeId": "urn:altinn:organization:identifier-no", + "Value": "311694936", + "DataType": "http://www.w3.org/2001/XMLSchema#string" + } + ] + } + ], + "MultiRequests": { + "RequestReference": [ + { + "ReferenceId": [ + "s1", + "a1", + "r1" + ] + }, + { + "ReferenceId": [ + "s1", + "a1", + "r2" + ] + } + ] + } + } + } +} + +assert { + ~res.status: eq 200 + ~res.body: contains created +} + +script:pre-request { + const testdata = require(`./Testdata/Authorization/${bru.getEnvVar("tokenEnv")}testdata.json`); + const sharedtestdata = require(`./Testdata/Authorization/sharedtestdata.json`); + + var getTokenParameters = { + auth_tokenType: sharedtestdata.authTokenType.enterprise, + auth_scopes: 
sharedtestdata.auth_scopes.authorize, + auth_org: "digdir", + auth_orgNo: "991825827" + } + + const token = await testTokenGenerator.getToken(getTokenParameters); + + bru.setVar("bearerToken", token); +} + +tests { + + test("MultiReqResourceDelegations Decision result on read is permit", function() { + const testdata = require(`./Testdata/Authorization/${bru.getEnvVar("tokenEnv")}testdata.json`); + const data = res.getBody(); + expect(res.status).to.equal(200); + expect(data.response[0]).to.have.property('decision', "Permit"); + expect(data.response[1]).to.have.property('decision', "Permit"); + }); +} + +docs { + Get a decision from PDP with appOwner details and validate response to have Permit. + + AccessSubject: ['urn:altinn:org'] + + Action: ['read'] + + Resource: ['urn:altinn:app', 'urn:altinn:org'] +} diff --git a/test/Bruno/Altinn.Authorization/Manual Test Collection/Authorize (external)/MultiReqApps.bru b/test/Bruno/Altinn.Authorization/Manual Test Collection/Authorize (external)/MultiReqApps.bru new file mode 100644 index 00000000..c52e3f17 --- /dev/null +++ b/test/Bruno/Altinn.Authorization/Manual Test Collection/Authorize (external)/MultiReqApps.bru 
@@ -0,0 +1,157 @@ +meta { + name: MultiReqApps + type: http + seq: 19 +} + +post { + url: {{baseUrl}}/authorization/api/v1/authorize + body: json + auth: inherit +} + +headers { + Content-Type: application/json + Ocp-Apim-Subscription-Key: {{apimSubscriptionKey}} +} + +body:json { + { + "Request": { + "ReturnPolicyIdList": false, + "AccessSubject": [ + { + "Id": "s1", + "Attribute": [ + { + "AttributeId": "urn:altinn:person:identifier-no", + "Value": "08069402071", + "IncludeInResult": true + } + ] + } + ], + "Action": [ + { + "Id": "a1", + "Attribute": [ + { + "AttributeId": "urn:oasis:names:tc:xacml:1.0:action:action-id", + "Value": "read", + "DataType": "http://www.w3.org/2001/XMLSchema#string", + "IncludeInResult": true + } + ] + } + ], + "Resource": [ + { + "Id": "r1", + "Attribute": [ + { + "AttributeId": "urn:altinn:org", + "Value": "ttd", + "DataType": "http://www.w3.org/2001/XMLSchema#string", + "IncludeInResult": true + }, + { + "AttributeId": "urn:altinn:app", + "Value": "security-level0-app", + "DataType": "http://www.w3.org/2001/XMLSchema#string", + "IncludeInResult": true + }, + { + "AttributeId": "urn:altinn:organization:identifier-no", + "Value": "910459880", + "DataType": "http://www.w3.org/2001/XMLSchema#string", + "IncludeInResult": true + } + ] + }, + { + "Id": "r2", + "Attribute": [ + { + "AttributeId": "urn:altinn:org", + "Value": "ttd", + "DataType": "http://www.w3.org/2001/XMLSchema#string", + "IncludeInResult": true + }, + { + "AttributeId": "urn:altinn:app", + "Value": "security-level1-app", + "DataType": "http://www.w3.org/2001/XMLSchema#string", + "IncludeInResult": true + }, + { + "AttributeId": "urn:altinn:organization:identifier-no", + "Value": "910459880", + "DataType": "http://www.w3.org/2001/XMLSchema#string", + "IncludeInResult": true + } + ] + } + ], + "MultiRequests": { + "RequestReference": [ + { + "ReferenceId": [ + "s1", + "a1", + "r1" + ] + }, + { + "ReferenceId": [ + "s1", + "a1", + "r2" + ] + } + ] + } + } + } +} + +assert 
{ + ~res.status: eq 200 + ~res.body: contains created +} + +script:pre-request { + const testdata = require(`./Testdata/Authorization/${bru.getEnvVar("tokenEnv")}testdata.json`); + const sharedtestdata = require(`./Testdata/Authorization/sharedtestdata.json`); + + var getTokenParameters = { + auth_tokenType: sharedtestdata.authTokenType.enterprise, + auth_scopes: sharedtestdata.auth_scopes.authorize, + auth_org: "digdir", + auth_orgNo: "991825827" + } + + const token = await testTokenGenerator.getToken(getTokenParameters); + + bru.setVar("bearerToken", token); +} + +tests { + + test("MultiReqApps Decision result on read is permit", function() { + const testdata = require(`./Testdata/Authorization/${bru.getEnvVar("tokenEnv")}testdata.json`); + const data = res.getBody(); + expect(res.status).to.equal(200); + expect(data.response[0]).to.have.property('decision', "Permit"); + expect(data.response[1]).to.have.property('decision', "Permit"); + }); +} + +docs { + Get a decision from PDP with appOwner details and validate response to have Permit. + + AccessSubject: ['urn:altinn:org'] + + Action: ['read'] + + Resource: ['urn:altinn:app', 'urn:altinn:org'] +} diff --git a/test/Bruno/Altinn.Authorization/Manual Test Collection/Authorize (external)/MultiReqResource.bru b/test/Bruno/Altinn.Authorization/Manual Test Collection/Authorize (external)/MultiReqResource.bru new file mode 100644 index 00000000..d3b2a93c --- /dev/null +++ b/test/Bruno/Altinn.Authorization/Manual Test Collection/Authorize (external)/MultiReqResource.bru 
@@ -0,0 +1,140 @@ +meta { + name: MultiReqResource + type: http + seq: 18 +} + +post { + url: {{baseUrl}}/authorization/api/v1/authorize + body: json + auth: inherit +} + +headers { + Content-Type: application/json + Ocp-Apim-Subscription-Key: {{apimSubscriptionKey}} +} + +body:json { + { + "Request": { + "ReturnPolicyIdList": true, + "AccessSubject": [ + { + "Id": "s1", + "Attribute": [ + { + "AttributeId": "urn:altinn:person:identifier-no", + "Value": "08069402071" + } + ] + } + ], + "Action": [ + { + "Id": "a1", + "Attribute": [ + { + "AttributeId": "urn:oasis:names:tc:xacml:1.0:action:action-id", + "Value": "read", + "DataType": "http://www.w3.org/2001/XMLSchema#string", + "IncludeInResult": true + } + ] + } + ], + "Resource": [ + { + "Id": "r1", + "Attribute": [ + { + "AttributeId": "urn:altinn:resource", + "Value": "security-level0-app", + "DataType": "http://www.w3.org/2001/XMLSchema#string" + }, + { + "AttributeId": "urn:altinn:organization:identifier-no", + "Value": "910459880", + "DataType": "http://www.w3.org/2001/XMLSchema#string" + } + ] + }, + { + "Id": "r2", + "Attribute": [ + { + "AttributeId": "urn:altinn:resource", + "Value": "security-level1-app", + "DataType": "http://www.w3.org/2001/XMLSchema#string" + }, + { + "AttributeId": "urn:altinn:organization:identifier-no", + "Value": "910459880", + "DataType": "http://www.w3.org/2001/XMLSchema#string" + } + ] + } + ], + "MultiRequests": { + "RequestReference": [ + { + "ReferenceId": [ + "s1", + "a1", + "r1" + ] + }, + { + "ReferenceId": [ + "s1", + "a1", + "r2" + ] + } + ] + } + } + } +} + +assert { + ~res.status: eq 200 + ~res.body: contains created +} + +script:pre-request { + const testdata = require(`./Testdata/Authorization/${bru.getEnvVar("tokenEnv")}testdata.json`); + const sharedtestdata = require(`./Testdata/Authorization/sharedtestdata.json`); + + var getTokenParameters = { + auth_tokenType: sharedtestdata.authTokenType.enterprise, + auth_scopes: sharedtestdata.auth_scopes.authorize, + 
auth_org: "digdir", + auth_orgNo: "991825827" + } + + const token = await testTokenGenerator.getToken(getTokenParameters); + + bru.setVar("bearerToken", token); +} + +tests { + + test("MultiReqResource Decision result on read is permit", function() { + const testdata = require(`./Testdata/Authorization/${bru.getEnvVar("tokenEnv")}testdata.json`); + const data = res.getBody(); + expect(res.status).to.equal(200); + expect(data.response[0]).to.have.property('decision', "Permit"); + expect(data.response[1]).to.have.property('decision', "Permit"); + }); +} + +docs { + Get a decision from PDP with appOwner details and validate response to have Permit. + + AccessSubject: ['urn:altinn:org'] + + Action: ['read'] + + Resource: ['urn:altinn:app', 'urn:altinn:org'] +} diff --git a/test/IntegrationTests/Altinn.Platform.Authorization.IntegrationTests.csproj b/test/IntegrationTests/Altinn.Platform.Authorization.IntegrationTests.csproj index 8f3e6d04..dfafb79a 100644 --- a/test/IntegrationTests/Altinn.Platform.Authorization.IntegrationTests.csproj +++ b/test/IntegrationTests/Altinn.Platform.Authorization.IntegrationTests.csproj @@ -67,9 +67,4 @@ PreserveNewest - - - - - diff --git a/test/IntegrationTests/AltinnApps_DecisionTests.cs b/test/IntegrationTests/AltinnApps_DecisionTests.cs index 221b94f9..50ad339e 100644 --- a/test/IntegrationTests/AltinnApps_DecisionTests.cs +++ b/test/IntegrationTests/AltinnApps_DecisionTests.cs 
@@ -435,6 +435,26 @@ public async Task PDP_Decision_AltinnApps_OedFormuesfullmakt_Json_Permit()
 AssertionUtil.AssertEqual(expected, contextResponse);
 }
+ ///
+ /// Tests a multirequest with two requests, one for Altinn App Org1/App1 and one for Org1/App2.
+ /// Both Apps are delegated from the party 50001337 to the user 20001336.
+ /// Expected: Both requests should be permitted.
+ ///
+ [Fact]
+ public async Task PDP_Decision_DelegationPolicyMultiRequest_AltinnAppsOrg1App1AndApp2_UserDelegation_Permit()
+ {
+ string testCase = "DelegationPolicyMultiRequest_AltinnAppsOrg1App1AndApp2_UserDelegation";
+ HttpClient client = GetTestClient();
+ HttpRequestMessage httpRequestMessage = TestSetupUtil.CreateJsonProfileXacmlRequest(testCase);
+ XacmlJsonResponse expected = TestSetupUtil.ReadExpectedJsonProfileResponse(testCase);
+
+ // Act
+ XacmlJsonResponse contextResponse = await TestSetupUtil.GetXacmlJsonProfileContextResponseAsync(client, httpRequestMessage);
+
+ // Assert
+ AssertionUtil.AssertEqual(expected, contextResponse);
+ }
+
 private HttpClient GetTestClient(IEventsQueueClient eventLog = null, IFeatureManager featureManager = null, TimeProvider timeProviderMock = null)
 {
 HttpClient client = _factory.WithWebHostBuilder(builder =>
diff --git a/test/IntegrationTests/Data/Xacml/3.0/AltinnApps/DelegationPolicyMultiRequest_AltinnAppsOrg1App1AndApp2_UserDelegationRequest.json b/test/IntegrationTests/Data/Xacml/3.0/AltinnApps/DelegationPolicyMultiRequest_AltinnAppsOrg1App1AndApp2_UserDelegationRequest.json
new file mode 100644
index 00000000..a67db94a
--- /dev/null
+++ b/test/IntegrationTests/Data/Xacml/3.0/AltinnApps/DelegationPolicyMultiRequest_AltinnAppsOrg1App1AndApp2_UserDelegationRequest.json
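Review bot: The summary says the apps are delegated to user 20001336, but the request fixture's `urn:altinn:userid` and the new `org1/app2` entry in AccessManagementWrapperMock both use 20001337; the doc line should read `/// Both Apps are delegated from the party 50001337 to the user 20001337.` so that a reader checking the mock does not look for a delegation that does not exist. The XML doc tags around the summary are not visible in this rendering, so only the text is checked here.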
@@ -0,0 +1,89 @@ +{ + "Request": { + "ReturnPolicyIdList": true, + "AccessSubject": [ + { + "Id": "s1", + "Attribute": [ + { + "AttributeId": "urn:altinn:userid", + "Value": "20001337", + "IncludeInResult": true + } + ] + } + ], + "Action": [ + { + "Id": "a1", + "Attribute": [ + { + "AttributeId": "urn:oasis:names:tc:xacml:1.0:action:action-id", + "Value": "read", + "IncludeInResult": true + } + ] + } + ], + "Resource": [ + { + "Id": "r1", + "Attribute": [ + { + "AttributeId": "urn:altinn:org", + "Value": "org1", + "IncludeInResult": true + }, + { + "AttributeId": "urn:altinn:app", + "Value": "app1", + "IncludeInResult": true + }, + { + "AttributeId": "urn:altinn:partyid", + "Value": "50001337", + "IncludeInResult": true + } + ] + }, + { + "Id": "r2", + "Attribute": [ + { + "AttributeId": "urn:altinn:org", + "Value": "org1", + "IncludeInResult": true + }, + { + "AttributeId": "urn:altinn:app", + "Value": "app2", + "IncludeInResult": true + }, + { + "AttributeId": "urn:altinn:partyid", + "Value": "50001337", + "IncludeInResult": true + } + ] + } + ], + "MultiRequests": { + "RequestReference": [ + { + "ReferenceId": [ + "s1", + "a1", + "r1" + ] + }, + { + "ReferenceId": [ + "s1", + "a1", + "r2" + ] + } + ] + } + } +} \ No newline at end of file diff --git a/test/IntegrationTests/Data/Xacml/3.0/AltinnApps/DelegationPolicyMultiRequest_AltinnAppsOrg1App1AndApp2_UserDelegationResponse.json b/test/IntegrationTests/Data/Xacml/3.0/AltinnApps/DelegationPolicyMultiRequest_AltinnAppsOrg1App1AndApp2_UserDelegationResponse.json new file mode 100644 index 00000000..69cf8ca4 --- /dev/null +++ b/test/IntegrationTests/Data/Xacml/3.0/AltinnApps/DelegationPolicyMultiRequest_AltinnAppsOrg1App1AndApp2_UserDelegationResponse.json 
@@ -0,0 +1,186 @@ +{ + "Response": [ + { + "decision": "Permit", + "status": { + "statusMessage": null, + "statusDetails": null, + "statusCode": { + "value": "urn:oasis:names:tc:xacml:1.0:status:ok", + "statusCode": null + } + }, + "obligations": [ + { + "id": "urn:altinn:obligation:1", + "attributeAssignment": [ + { + "attributeId": "urn:altinn:obligation-assignment:1", + "value": "4", + "category": "urn:altinn:minimum-authenticationlevel", + "dataType": "http://www.w3.org/2001/XMLSchema#integer", + "issuer": null + } + ] + }, + { + "id": "urn:altinn:obligation:2", + "attributeAssignment": [ + { + "attributeId": "urn:altinn:obligation-assignment:2", + "value": "3", + "category": "urn:altinn:minimum-authenticationlevel-org", + "dataType": "http://www.w3.org/2001/XMLSchema#integer", + "issuer": null + } + ] + } + ], + "associateAdvice": null, + "category": [ + { + "categoryId": "urn:oasis:names:tc:xacml:1.0:subject-category:access-subject", + "id": null, + "content": null, + "attribute": [ + { + "attributeId": "urn:altinn:userid", + "value": "20001337", + "issuer": null, + "dataType": "http://www.w3.org/2001/XMLSchema#string", + "includeInResult": false + } + ] + }, + { + "categoryId": "urn:oasis:names:tc:xacml:3.0:attribute-category:action", + "id": null, + "content": null, + "attribute": [ + { + "attributeId": "urn:oasis:names:tc:xacml:1.0:action:action-id", + "value": "read", + "issuer": null, + "dataType": "http://www.w3.org/2001/XMLSchema#string", + "includeInResult": false + } + ] + }, + { + "categoryId": "urn:oasis:names:tc:xacml:3.0:attribute-category:resource", + "id": null, + "content": null, + "attribute": [ + { + "attributeId": "urn:altinn:org", + "value": "org1", + "issuer": null, + "dataType": "http://www.w3.org/2001/XMLSchema#string", + "includeInResult": false + }, + { + "attributeId": "urn:altinn:app", + "value": "app1", + "issuer": null, + "dataType": "http://www.w3.org/2001/XMLSchema#string", + "includeInResult": false + }, + { + "attributeId": 
"urn:altinn:partyid", + "value": "50001337", + "issuer": null, + "dataType": "http://www.w3.org/2001/XMLSchema#string", + "includeInResult": false + } + ] + } + ], + "policyIdentifierList": null + }, + { + "decision": "Permit", + "status": { + "statusMessage": null, + "statusDetails": null, + "statusCode": { + "value": "urn:oasis:names:tc:xacml:1.0:status:ok", + "statusCode": null + } + }, + "obligations": [ + { + "id": "urn:altinn:obligation:1", + "attributeAssignment": [ + { + "attributeId": "urn:altinn:obligation1-assignment1", + "value": "2", + "category": "urn:altinn:minimum-authenticationlevel", + "dataType": "http://www.w3.org/2001/XMLSchema#integer", + "issuer": null + } + ] + } + ], + "associateAdvice": null, + "category": [ + { + "categoryId": "urn:oasis:names:tc:xacml:1.0:subject-category:access-subject", + "id": null, + "content": null, + "attribute": [ + { + "attributeId": "urn:altinn:userid", + "value": "20001337", + "issuer": null, + "dataType": "http://www.w3.org/2001/XMLSchema#string", + "includeInResult": false + } + ] + }, + { + "categoryId": "urn:oasis:names:tc:xacml:3.0:attribute-category:action", + "id": null, + "content": null, + "attribute": [ + { + "attributeId": "urn:oasis:names:tc:xacml:1.0:action:action-id", + "value": "read", + "issuer": null, + "dataType": "http://www.w3.org/2001/XMLSchema#string", + "includeInResult": false + } + ] + }, + { + "categoryId": "urn:oasis:names:tc:xacml:3.0:attribute-category:resource", + "id": null, + "content": null, + "attribute": [ + { + "attributeId": "urn:altinn:org", + "value": "org1", + "issuer": null, + "dataType": "http://www.w3.org/2001/XMLSchema#string", + "includeInResult": false + }, + { + "attributeId": "urn:altinn:app", + "value": "app2", + "issuer": null, + "dataType": "http://www.w3.org/2001/XMLSchema#string", + "includeInResult": false + }, + { + "attributeId": "urn:altinn:partyid", + "value": "50001337", + "issuer": null, + "dataType": "http://www.w3.org/2001/XMLSchema#string", + 
"includeInResult": false + } + ] + } + ], + "policyIdentifierList": null + } + ] +} diff --git a/test/IntegrationTests/Data/Xacml/3.0/ResourceRegistry/ResourceRegistry_SystemUserWithDelegations_MultiRequest_PermitRequest.json b/test/IntegrationTests/Data/Xacml/3.0/ResourceRegistry/ResourceRegistry_SystemUserWithDelegations_MultiRequest_PermitRequest.json new file mode 100644 index 00000000..61bbe0de --- /dev/null +++ b/test/IntegrationTests/Data/Xacml/3.0/ResourceRegistry/ResourceRegistry_SystemUserWithDelegations_MultiRequest_PermitRequest.json @@ -0,0 +1,79 @@ +{ + "Request": { + "ReturnPolicyIdList": true, + "AccessSubject": [ + { + "Id": "s1", + "Attribute": [ + { + "AttributeId": "urn:altinn:systemuser:uuid", + "Value": "47caea5b-a80b-4343-b1d3-31eb523a4e28", + "IncludeInResult": true + } + ] + } + ], + "Action": [ + { + "Id": "a1", + "Attribute": [ + { + "AttributeId": "urn:oasis:names:tc:xacml:1.0:action:action-id", + "Value": "read", + "IncludeInResult": true + } + ] + } + ], + "Resource": [ + { + "Id": "r1", + "Attribute": [ + { + "AttributeId": "urn:altinn:resource", + "Value": "ttd-externalpdp-resource1", + "IncludeInResult": true + }, + { + "AttributeId": "urn:altinn:organization:identifier-no", + "Value": "910459880", + "IncludeInResult": true + } + ] + }, + { + "Id": "r2", + "Attribute": [ + { + "AttributeId": "urn:altinn:resource", + "Value": "ttd-externalpdp-resource2", + "IncludeInResult": true + }, + { + "AttributeId": "urn:altinn:organization:identifier-no", + "Value": "910459880", + "IncludeInResult": true + } + ] + } + ], + "MultiRequests": { + "RequestReference": [ + { + "ReferenceId": [ + "s1", + "a1", + "r1" + ] + }, + { + "ReferenceId": [ + "s1", + "a1", + "r2" + ] + } + ] + } + } +} \ No newline at end of file 
diff --git a/test/IntegrationTests/Data/Xacml/3.0/ResourceRegistry/ResourceRegistry_SystemUserWithDelegations_MultiRequest_PermitResponse.json b/test/IntegrationTests/Data/Xacml/3.0/ResourceRegistry/ResourceRegistry_SystemUserWithDelegations_MultiRequest_PermitResponse.json new file mode 100644 index 00000000..fd21831e --- /dev/null +++ b/test/IntegrationTests/Data/Xacml/3.0/ResourceRegistry/ResourceRegistry_SystemUserWithDelegations_MultiRequest_PermitResponse.json 
@@ -0,0 +1,162 @@ +{ + "Response": [ + { + "decision": "Permit", + "status": { + "statusMessage": null, + "statusDetails": null, + "statusCode": { + "value": "urn:oasis:names:tc:xacml:1.0:status:ok", + "statusCode": null + } + }, + "obligations": [ + { + "id": "urn:altinn:obligation:authenticationLevel1", + "attributeAssignment": [ + + { + "attributeId": "urn:altinn:obligation-assignment:1", + "value": "2", + "category": "urn:altinn:minimum-authenticationlevel", + "dataType": "http://www.w3.org/2001/XMLSchema#integer", + "issuer": null + } + ] + } + ], + "associateAdvice": null, + "category": [ + { + "categoryId": "urn:oasis:names:tc:xacml:1.0:subject-category:access-subject", + "id": null, + "content": null, + "attribute": [ + { + "attributeId": "urn:altinn:systemuser:uuid", + "value": "47caea5b-a80b-4343-b1d3-31eb523a4e28", + "issuer": null, + "dataType": "http://www.w3.org/2001/XMLSchema#string", + "includeInResult": false + } + ] + }, + { + "categoryId": "urn:oasis:names:tc:xacml:3.0:attribute-category:action", + "id": null, + "content": null, + "attribute": [ + { + "attributeId": "urn:oasis:names:tc:xacml:1.0:action:action-id", + "value": "read", + "issuer": null, + "dataType": "http://www.w3.org/2001/XMLSchema#string", + "includeInResult": false + } + ] + }, + { + "categoryId": "urn:oasis:names:tc:xacml:3.0:attribute-category:resource", + "id": null, + "content": null, + "attribute": [ + { + "attributeId": "urn:altinn:resource", + "value": "ttd-externalpdp-resource1", + "issuer": null, + "dataType": "http://www.w3.org/2001/XMLSchema#string", + "includeInResult": false + }, + { + "attributeId": "urn:altinn:organization:identifier-no", + "value": "910459880", + "issuer": null, + "dataType": "http://www.w3.org/2001/XMLSchema#string", + "includeInResult": false + } + ] + } + ], + "policyIdentifierList": null + }, + { + "decision": "Permit", + "status": { + "statusMessage": null, + "statusDetails": null, + "statusCode": { + "value": 
"urn:oasis:names:tc:xacml:1.0:status:ok", + "statusCode": null + } + }, + "obligations": [ + { + "id": "urn:altinn:obligation:authenticationLevel1", + "attributeAssignment": [ + + { + "attributeId": "urn:altinn:obligation-assignment:1", + "value": "2", + "category": "urn:altinn:minimum-authenticationlevel", + "dataType": "http://www.w3.org/2001/XMLSchema#integer", + "issuer": null + } + ] + } + ], + "associateAdvice": null, + "category": [ + { + "categoryId": "urn:oasis:names:tc:xacml:1.0:subject-category:access-subject", + "id": null, + "content": null, + "attribute": [ + { + "attributeId": "urn:altinn:systemuser:uuid", + "value": "47caea5b-a80b-4343-b1d3-31eb523a4e28", + "issuer": null, + "dataType": "http://www.w3.org/2001/XMLSchema#string", + "includeInResult": false + } + ] + }, + { + "categoryId": "urn:oasis:names:tc:xacml:3.0:attribute-category:action", + "id": null, + "content": null, + "attribute": [ + { + "attributeId": "urn:oasis:names:tc:xacml:1.0:action:action-id", + "value": "read", + "issuer": null, + "dataType": "http://www.w3.org/2001/XMLSchema#string", + "includeInResult": false + } + ] + }, + { + "categoryId": "urn:oasis:names:tc:xacml:3.0:attribute-category:resource", + "id": null, + "content": null, + "attribute": [ + { + "attributeId": "urn:altinn:resource", + "value": "ttd-externalpdp-resource2", + "issuer": null, + "dataType": "http://www.w3.org/2001/XMLSchema#string", + "includeInResult": false + }, + { + "attributeId": "urn:altinn:organization:identifier-no", + "value": "910459880", + "issuer": null, + "dataType": "http://www.w3.org/2001/XMLSchema#string", + "includeInResult": false + } + ] + } + ], + "policyIdentifierList": null + } + ] +} 
diff --git a/test/IntegrationTests/Data/blobs/input/ttd-externalpdp-resource2/50005545/SystemUser47caea5b-a80b-4343-b1d3-31eb523a4e28/delegationpolicy.xml b/test/IntegrationTests/Data/blobs/input/ttd-externalpdp-resource2/50005545/SystemUser47caea5b-a80b-4343-b1d3-31eb523a4e28/delegationpolicy.xml new file mode 100644 index 00000000..d6c01cf9 --- /dev/null +++ b/test/IntegrationTests/Data/blobs/input/ttd-externalpdp-resource2/50005545/SystemUser47caea5b-a80b-4343-b1d3-31eb523a4e28/delegationpolicy.xml @@ -0,0 +1,33 @@ + + + Delegation policy containing all delegated rights/actions from 50001337 to systemuser 47caea5b-a80b-4343-b1d3-31eb523a4e28, on the resource; ttd-externalpdp-resource1 + + + + + + + 47caea5b-a80b-4343-b1d3-31eb523a4e28 + + + + + + + + ttd-externalpdp-resource2 + + + + + + + + read + + + + + + + diff --git a/test/IntegrationTests/ExternalDecisionTest.cs b/test/IntegrationTests/ExternalDecisionTest.cs index b85e5984..95547d52 100644 --- a/test/IntegrationTests/ExternalDecisionTest.cs +++ b/test/IntegrationTests/ExternalDecisionTest.cs 
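Review bot: The policy `Description` is stale: it says the rights are delegated from 50001337 on `ttd-externalpdp-resource1`, while the file sits under party 50005545 for `ttd-externalpdp-resource2` and the rule's resource value in the hunk is `ttd-externalpdp-resource2`. A misleading description in a delegation-policy fixture tends to be copied into the next fixture, so change it to name the actual parties and resource, presumably `Delegation policy containing all delegated rights/actions from 50005545 to systemuser 47caea5b-a80b-4343-b1d3-31eb523a4e28, on the resource; ttd-externalpdp-resource2` (the offering party is inferred from the path, since the element names were lost in this rendering).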
@@ -258,6 +258,26 @@ public async Task PDPExternal_Decision_SystemUserWithDelegation_TooManyRequestSu
 AssertionUtil.AssertEqual(expected, contextResponse);
 }
 
+ ///
+ /// Scenario where systemuser has received delegation from the resource party for two resources. Multirequest should give Permit result for both.
+ ///
+ [Fact]
+ public async Task PDPExternal_Decision_SystemUserWithDelegations_MultiRequest_Permit()
+ {
+ string token = PrincipalUtil.GetOrgToken("skd", "974761076", "altinn:authorization/authorize");
+ string testCase = "ResourceRegistry_SystemUserWithDelegations_MultiRequest_Permit";
+ HttpClient client = GetTestClient();
+ client.DefaultRequestHeaders.Authorization = new AuthenticationHeaderValue("bearer", token);
+ HttpRequestMessage httpRequestMessage = TestSetupUtil.CreateXacmlRequestExternal(testCase);
+ XacmlJsonResponse expected = TestSetupUtil.ReadExpectedJsonProfileResponse(testCase);
+
+ // Act
+ XacmlJsonResponse contextResponse = await TestSetupUtil.GetXacmlJsonProfileContextResponseAsync(client, httpRequestMessage);
+
+ // Assert
+ AssertionUtil.AssertEqual(expected, contextResponse);
+ }
+
 private HttpClient GetTestClient()
 {
 HttpClient client = _factory.WithWebHostBuilder(builder =>
diff --git a/test/IntegrationTests/MockServices/AccessManagementWrapperMock.cs b/test/IntegrationTests/MockServices/AccessManagementWrapperMock.cs
index 103aa060..337d2cf1 100644
--- a/test/IntegrationTests/MockServices/AccessManagementWrapperMock.cs
+++ b/test/IntegrationTests/MockServices/AccessManagementWrapperMock.cs
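Review bot: The new test only exercises a multi-request where both resources are delegated to the system user, so it detects the cache-key bug in one direction only (first resource's delegations reused for the second and failing to match); the other direction — a Permit bleeding onto a resource the system user was never delegated — has no coverage here. Since this PR is the cache-key fix, a sibling test with one delegated and one non-delegated resource in the same request, expecting Permit for the first and a non-Permit decision for the second, would pin the behaviour that actually matters for authorization. On style, the method marks `// Act` and `// Assert` but the six setup lines before them lack the matching `// Arrange` marker used by that convention. The summary lines render as bare `///` here, so I cannot tell whether the `<summary>` tags survived.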
@@ -22,6 +22,9 @@ public Task> GetAllDelegationChanges(Deleg
 DelegationChangesTestData.Default(DelegationChangesTestData.WithResourceID("org1/app1"), DelegationChangesTestData.WithOfferedByPartyID(50001337), DelegationChangesTestData.WithCoveredByUserID(20001337)),
 WithDefaultCondition("org1/app1", new AttributeMatch { Id = XacmlRequestAttribute.PartyAttribute, Value = "50001335" }, new AttributeMatch { Id = XacmlRequestAttribute.UserAttribute, Value = "20001337" }),
 WithDefaultCondition("org1/app1", new AttributeMatch { Id = XacmlRequestAttribute.PartyAttribute, Value = "50001337" }, new AttributeMatch { Id = XacmlRequestAttribute.UserAttribute, Value = "20001337" })), // UserDelegation MainUnit Permit
+ ConditionalAdd(
+ DelegationChangesTestData.Default(DelegationChangesTestData.WithResourceID("org1/app2"), DelegationChangesTestData.WithOfferedByPartyID(50001337), DelegationChangesTestData.WithCoveredByUserID(20001337)),
+ WithDefaultCondition("org1/app2", new AttributeMatch { Id = XacmlRequestAttribute.PartyAttribute, Value = "50001337" }, new AttributeMatch { Id = XacmlRequestAttribute.UserAttribute, Value = "20001337" })),
 ConditionalAdd(
 DelegationChangesTestData.Default(DelegationChangesTestData.WithResourceID("skd/taxreport"), DelegationChangesTestData.WithOfferedByPartyID(1000), DelegationChangesTestData.WithCoveredByUserID(20001337)),
 WithDefaultCondition("skd/taxreport", new AttributeMatch { Id = XacmlRequestAttribute.PartyAttribute, Value = "1000" }, new AttributeMatch { Id = XacmlRequestAttribute.UserAttribute, Value = "20001337" })),
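Review bot: The added `org1/app2` entry repeats the party and user id literals (`50001337` as both an int and a string, `20001337` likewise) that already appear several times in this initializer, and the next hunk repeats the system-user GUID `47caea5b-a80b-4343-b1d3-31eb523a4e28` three more times, once through `Guid.Parse` and twice as a string. A typo in any one copy makes that mock entry unreachable and the dependent integration test fails for a reason unrelated to the code under test. Consider hoisting these into named `private const` / `private static readonly` members on the mock (a string and a `Guid` for the system user, ints for the party ids) and referencing them from each `ConditionalAdd`. The enclosing `GetAllDelegationChanges` method starts outside this hunk.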
@@ -39,6 +42,9 @@ public Task> GetAllDelegationChanges(Deleg
 ConditionalAdd(
 DelegationChangesTestData.Default(DelegationChangesTestData.WithResourceID("ttd-externalpdp-resource1"), DelegationChangesTestData.WithOfferedByPartyID(50005545), DelegationChangesTestData.WithCoveredByUuid(UuidType.SystemUser, Guid.Parse("47caea5b-a80b-4343-b1d3-31eb523a4e28"))),
 WithDefaultCondition("ttd-externalpdp-resource1", new AttributeMatch { Id = XacmlRequestAttribute.PartyAttribute, Value = "50005545" }, new AttributeMatch { Id = XacmlRequestAttribute.SystemUserIdAttribute, Value = "47caea5b-a80b-4343-b1d3-31eb523a4e28" })),
+ ConditionalAdd(
+ DelegationChangesTestData.Default(DelegationChangesTestData.WithResourceID("ttd-externalpdp-resource2"), DelegationChangesTestData.WithOfferedByPartyID(50005545), DelegationChangesTestData.WithCoveredByUuid(UuidType.SystemUser, Guid.Parse("47caea5b-a80b-4343-b1d3-31eb523a4e28"))),
+ WithDefaultCondition("ttd-externalpdp-resource2", new AttributeMatch { Id = XacmlRequestAttribute.PartyAttribute, Value = "50005545" }, new AttributeMatch { Id = XacmlRequestAttribute.SystemUserIdAttribute, Value = "47caea5b-a80b-4343-b1d3-31eb523a4e28" })),
 };
 
 var result = new List();