public async Task <ActionResult> Get(
[FromRoute] string org,
[FromRoute] string app,
[FromRoute] int instanceOwnerPartyId,
[FromRoute] Guid instanceGuid)
{
EnforcementResult enforcementResult = await AuthorizeAction(org, app, instanceOwnerPartyId, instanceGuid, "read");
if (!enforcementResult.Authorized)
{
return(Forbidden(enforcementResult));
}
try
{
Instance instance = await _instanceService.GetInstance(app, org, instanceOwnerPartyId, instanceGuid);
SelfLinkHelper.SetInstanceAppSelfLinks(instance, Request);
string userOrgClaim = User.GetOrg();
if (userOrgClaim == null || !org.Equals(userOrgClaim, StringComparison.InvariantCultureIgnoreCase))
{
await _instanceService.UpdateReadStatus(instanceOwnerPartyId, instanceGuid, "read");
}
return(Ok(instance));
}
catch (Exception exception)
{
return(ExceptionResponse(exception, $"Get instance {instanceOwnerPartyId}/{instanceGuid} failed"));
}
}
public async Task <ActionResult> Get(
[FromRoute] string org,
[FromRoute] string app,
[FromRoute] int instanceOwnerPartyId,
[FromRoute] Guid instanceGuid)
{
EnforcementResult enforcementResult = await AuthorizeAction(org, app, instanceOwnerPartyId, "read");
if (!enforcementResult.Authorized)
{
if (enforcementResult.FailedObligations != null && enforcementResult.FailedObligations.Count > 0)
{
return(StatusCode((int)HttpStatusCode.Forbidden, enforcementResult.FailedObligations));
}
return(StatusCode((int)HttpStatusCode.Forbidden));
}
try
{
Instance instance = await _instanceService.GetInstance(app, org, instanceOwnerPartyId, instanceGuid);
SelfLinkHelper.SetInstanceAppSelfLinks(instance, Request);
return(Ok(instance));
}
catch (Exception exception)
{
return(ExceptionResponse(exception, $"Get instance {instanceOwnerPartyId}/{instanceGuid} failed"));
}
}
public void ValidatePdpDecision_TC08()
{
// Arrange
XacmlJsonResponse response = new XacmlJsonResponse();
response.Response = new List <XacmlJsonResult>();
XacmlJsonResult xacmlJsonResult = new XacmlJsonResult();
xacmlJsonResult.Decision = XacmlContextDecision.Permit.ToString();
response.Response.Add(xacmlJsonResult);
// Add obligation to result with a minimum authentication level attribute
XacmlJsonObligationOrAdvice obligation = new XacmlJsonObligationOrAdvice();
obligation.AttributeAssignment = new List <XacmlJsonAttributeAssignment>();
string minAuthLevel = "3";
XacmlJsonAttributeAssignment authenticationAttribute = new XacmlJsonAttributeAssignment()
{
Category = "urn:altinn:minimum-authenticationlevel",
Value = minAuthLevel
};
obligation.AttributeAssignment.Add(authenticationAttribute);
xacmlJsonResult.Obligations = new List <XacmlJsonObligationOrAdvice>();
xacmlJsonResult.Obligations.Add(obligation);
// Act
EnforcementResult result = DecisionHelper.ValidatePdpDecisionDetailed(response.Response, CreateUserClaims(false));
// Assert
Assert.False(result.Authorized);
Assert.Contains(AltinnObligations.RequiredAuthenticationLevel, result.FailedObligations.Keys);
Assert.Equal(minAuthLevel, result.FailedObligations[AltinnObligations.RequiredAuthenticationLevel]);
}
public EnforcementResult IsRequirementSatisfied(Installer installer)
{
switch (installer.Architecture)
{
case ArchitectureTypes.x86:
{
return(EnforcementResult.Pass());
}
case ArchitectureTypes.x64:
{
if (_envInfo.Is64BitOperatingSystem)
{
return(EnforcementResult.Pass());
}
return(EnforcementResult.Fail("x64 OS required for installation"));
}
default:
{
return(EnforcementResult.Fail("Unsupported architecture: " + installer.Architecture));
}
}
}
private ActionResult Forbidden(EnforcementResult enforcementResult)
{
if (enforcementResult.FailedObligations != null && enforcementResult.FailedObligations.Count > 0)
{
return(StatusCode((int)HttpStatusCode.Forbidden, enforcementResult.FailedObligations));
}
return(StatusCode((int)HttpStatusCode.Forbidden));
}
public async Task <ActionResult> Post(
[FromRoute] string org,
[FromRoute] string app,
[FromQuery] string dataType)
{
if (string.IsNullOrEmpty(dataType))
{
return(BadRequest($"Invalid dataType {dataType} provided. Please provide a valid dataType as query parameter."));
}
string classRef = _appResourcesService.GetClassRefForLogicDataType(dataType);
if (string.IsNullOrEmpty(classRef))
{
return(BadRequest($"Invalid dataType {dataType} provided. Please provide a valid dataType as query parameter."));
}
if (GetPartyHeader(HttpContext).Count > 1)
{
return(BadRequest($"Invalid party. Only one allowed"));
}
InstanceOwner owner = await GetInstanceOwner(HttpContext);
if (string.IsNullOrEmpty(owner.PartyId))
{
return(StatusCode((int)HttpStatusCode.Forbidden));
}
EnforcementResult enforcementResult = await AuthorizeAction(org, app, Convert.ToInt32(owner.PartyId), "read");
if (!enforcementResult.Authorized)
{
return(Forbidden(enforcementResult));
}
ModelDeserializer deserializer = new ModelDeserializer(_logger, _altinnApp.GetAppModelType(classRef));
object appModel = await deserializer.DeserializeAsync(Request.Body, Request.ContentType);
if (!string.IsNullOrEmpty(deserializer.Error))
{
return(BadRequest(deserializer.Error));
}
// runs prefill from repo configuration if config exists
await _prefillService.PrefillDataModel(owner.PartyId, dataType, appModel);
Instance virutalInstance = new Instance()
{
InstanceOwner = owner
};
await _altinnApp.RunProcessDataRead(virutalInstance, null, appModel);
return(Ok(appModel));
}
public EnforcementResult IsRequirementSatisfied(Installer installer)
{
if (installer.MinWindowsVersion == null)
{
return(EnforcementResult.Pass());
}
if (_environmentProxy.WindowsVersion >= installer.MinWindowsVersion)
{
return(EnforcementResult.Pass());
}
return(EnforcementResult.Fail($"Min supported OS version: {installer.MinWindowsVersion}. Current version: {_environmentProxy.WindowsVersion}"));
}
private async Task <EnforcementResult> AuthorizeAction(string org, string app, int partyId, string action)
{
EnforcementResult enforcementResult = new EnforcementResult();
XacmlJsonRequestRoot request = DecisionHelper.CreateDecisionRequest(org, app, HttpContext.User, action, partyId, null);
XacmlJsonResponse response = await _pdp.GetDecisionForRequest(request);
if (response?.Response == null)
{
_logger.LogInformation($"// Instances Controller // Authorization of action {action} failed with request: {JsonConvert.SerializeObject(request)}.");
return(enforcementResult);
}
enforcementResult = DecisionHelper.ValidatePdpDecisionDetailed(response.Response, HttpContext.User);
return(enforcementResult);
}
public void ValidatePdpDecision_TC10()
{
// Arrange
XacmlJsonResponse response = new XacmlJsonResponse();
response.Response = new List <XacmlJsonResult>();
XacmlJsonResult xacmlJsonResult = new XacmlJsonResult();
xacmlJsonResult.Decision = XacmlContextDecision.Permit.ToString();
response.Response.Add(xacmlJsonResult);
// Add obligation to result with a minimum authentication level attribute
XacmlJsonObligationOrAdvice obligation = new XacmlJsonObligationOrAdvice();
obligation.AttributeAssignment = new List <XacmlJsonAttributeAssignment>();
string minAuthLevel = "4";
XacmlJsonAttributeAssignment authenticationAttribute = new XacmlJsonAttributeAssignment()
{
Category = "urn:altinn:minimum-authenticationlevel",
Value = minAuthLevel
};
obligation.AttributeAssignment.Add(authenticationAttribute);
XacmlJsonObligationOrAdvice obligationOrg = new XacmlJsonObligationOrAdvice();
obligationOrg.AttributeAssignment = new List <XacmlJsonAttributeAssignment>();
string minAuthLevelOrg = "2";
XacmlJsonAttributeAssignment authenticationAttributeOrg = new XacmlJsonAttributeAssignment()
{
Category = "urn:altinn:minimum-authenticationlevel-org",
Value = minAuthLevelOrg
};
obligationOrg.AttributeAssignment.Add(authenticationAttributeOrg);
xacmlJsonResult.Obligations = new List <XacmlJsonObligationOrAdvice>();
xacmlJsonResult.Obligations.Add(obligationOrg);
xacmlJsonResult.Obligations.Add(obligation);
// Act
EnforcementResult result = DecisionHelper.ValidatePdpDecisionDetailed(response.Response, CreateUserClaims(false, "ttd"));
// Assert
Assert.True(result.Authorized);
Assert.Null(result.FailedObligations);
}
public void Setup()
{
_approved = new Mock <IEnforceRequirements>();
_rejected = new Mock <IEnforceRequirements>();
_approved.Setup(s => s.IsRequirementSatisfied(It.IsAny <Installer>()))
.Returns(EnforcementResult.Pass);
_rejected.Setup(s => s.IsRequirementSatisfied(It.IsAny <Installer>()))
.Returns(EnforcementResult.Fail("Test failure"));
_x86Installer = new Installer {
Architecture = ArchitectureTypes.x86
};
_x64Installer = new Installer {
Architecture = ArchitectureTypes.x64
};
}
public async Task <ActionResult <Instance> > Post(
[FromRoute] string org,
[FromRoute] string app,
[FromQuery] int?instanceOwnerPartyId)
{
if (string.IsNullOrEmpty(org))
{
return(BadRequest("The path parameter 'org' cannot be empty"));
}
if (string.IsNullOrEmpty(app))
{
return(BadRequest("The path parameter 'app' cannot be empty"));
}
Application application = _appResourcesService.GetApplication();
if (application == null)
{
return(NotFound($"AppId {org}/{app} was not found"));
}
MultipartRequestReader parsedRequest = new MultipartRequestReader(Request);
await parsedRequest.Read();
if (parsedRequest.Errors.Any())
{
return(BadRequest($"Error when reading content: {JsonConvert.SerializeObject(parsedRequest.Errors)}"));
}
Instance instanceTemplate = await ExtractInstanceTemplate(parsedRequest);
if (!instanceOwnerPartyId.HasValue && instanceTemplate == null)
{
return(BadRequest("Cannot create an instance without an instanceOwner.partyId. Either provide instanceOwner party Id as a query parameter or an instanceTemplate object in the body."));
}
if (instanceOwnerPartyId.HasValue && instanceTemplate?.InstanceOwner?.PartyId != null)
{
return(BadRequest("You cannot provide an instanceOwnerPartyId as a query param as well as an instance template in the body. Choose one or the other."));
}
RequestPartValidator requestValidator = new RequestPartValidator(application);
string multipartError = requestValidator.ValidateParts(parsedRequest.Parts);
if (!string.IsNullOrEmpty(multipartError))
{
return(BadRequest($"Error when comparing content to application metadata: {multipartError}"));
}
if (instanceTemplate != null)
{
InstanceOwner lookup = instanceTemplate.InstanceOwner;
if (lookup == null || lookup.PersonNumber == null && lookup.OrganisationNumber == null && lookup.PartyId == null)
{
return(BadRequest("Error: instanceOwnerPartyId query parameter is empty and InstanceOwner is missing from instance template. You must populate instanceOwnerPartyId or InstanceOwner"));
}
}
else
{
// create minimum instance template
instanceTemplate = new Instance
{
InstanceOwner = new InstanceOwner {
PartyId = instanceOwnerPartyId.Value.ToString()
}
};
}
Party party;
try
{
party = await LookupParty(instanceTemplate);
}
catch (Exception partyLookupException)
{
return(NotFound($"Cannot lookup party: {partyLookupException.Message}"));
}
EnforcementResult enforcementResult = await AuthorizeAction(org, app, party.PartyId, "instantiate");
if (!enforcementResult.Authorized)
{
if (enforcementResult.FailedObligations != null && enforcementResult.FailedObligations.Count > 0)
{
return(StatusCode((int)HttpStatusCode.Forbidden, enforcementResult.FailedObligations));
}
return(StatusCode((int)HttpStatusCode.Forbidden));
}
if (!InstantiationHelper.IsPartyAllowedToInstantiate(party, application.PartyTypesAllowed))
{
return(StatusCode((int)HttpStatusCode.Forbidden, $"Party {party.PartyId} is not allowed to instantiate this application {org}/{app}"));
}
// Run custom app logic to validate instantiation
InstantiationValidationResult validationResult = await _altinnApp.RunInstantiationValidation(instanceTemplate);
if (validationResult != null && !validationResult.Valid)
{
return(StatusCode((int)HttpStatusCode.Forbidden, validationResult));
}
Instance instance;
ProcessStateChange processResult;
try
{
// start process and goto next task
instanceTemplate.Process = null;
string startEvent = await _altinnApp.OnInstantiateGetStartEvent();
processResult = _processService.ProcessStartAndGotoNextTask(instanceTemplate, startEvent, User);
// create the instance
instance = await _instanceService.CreateInstance(org, app, instanceTemplate);
}
catch (Exception exception)
{
return(ExceptionResponse(exception, $"Instantiation of appId {org}/{app} failed for party {instanceTemplate.InstanceOwner?.PartyId}"));
}
try
{
await StorePrefillParts(instance, application, parsedRequest.Parts);
// get the updated instance
instance = await _instanceService.GetInstance(app, org, int.Parse(instance.InstanceOwner.PartyId), Guid.Parse(instance.Id.Split("/")[1]));
// notify app and store events
await ProcessController.NotifyAppAboutEvents(_altinnApp, instance, processResult.Events);
await _processService.DispatchProcessEventsToStorage(instance, processResult.Events);
}
catch (Exception exception)
{
return(ExceptionResponse(exception, $"Instantiation of data elements failed for instance {instance.Id} for party {instanceTemplate.InstanceOwner?.PartyId}"));
}
SelfLinkHelper.SetInstanceAppSelfLinks(instance, Request);
string url = instance.SelfLinks.Apps;
return(Created(url, instance));
}
