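/// <summary>
/// Returns a single instance after the PDP has confirmed that the caller may perform "read" on it.
/// </summary>
/// <param name="org">Application owner, from the route.</param>
/// <param name="app">Application name, from the route.</param>
/// <param name="instanceOwnerPartyId">Party id of the instance owner, from the route.</param>
/// <param name="instanceGuid">Unique id of the instance, from the route.</param>
/// <returns>
/// 200 with the instance when authorized; the result of <c>Forbidden</c> when the PDP denies the action;
/// otherwise whatever <c>ExceptionResponse</c> maps the failure to.
/// </returns>
public async Task<ActionResult> Get(
    [FromRoute] string org,
    [FromRoute] string app,
    [FromRoute] int instanceOwnerPartyId,
    [FromRoute] Guid instanceGuid)
{
    // Authorize before anything about the instance is loaded, so an unauthorized caller learns nothing about it.
    EnforcementResult enforcementResult = await AuthorizeAction(org, app, instanceOwnerPartyId, instanceGuid, "read");
    if (!enforcementResult.Authorized)
    {
        return Forbidden(enforcementResult);
    }

    try
    {
        Instance instance = await _instanceService.GetInstance(app, org, instanceOwnerPartyId, instanceGuid);
        SelfLinkHelper.SetInstanceAppSelfLinks(instance, Request);

        // The instance is marked as read unless the caller is the application-owning org itself.
        // The org value is an identifier, not natural-language text, so it is compared ordinally;
        // a culture-aware comparison can treat some characters as ignorable (CA1309).
        string userOrgClaim = User.GetOrg();
        if (userOrgClaim is null || !org.Equals(userOrgClaim, StringComparison.OrdinalIgnoreCase))
        {
            await _instanceService.UpdateReadStatus(instanceOwnerPartyId, instanceGuid, "read");
        }

        return Ok(instance);
    }
    catch (Exception exception)
    {
        return ExceptionResponse(exception, $"Get instance {instanceOwnerPartyId}/{instanceGuid} failed");
    }
}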
/// <summary>
/// Returns a single instance once the PDP has permitted the "read" action for the caller.
/// </summary>
/// <param name="org">Application owner, from the route.</param>
/// <param name="app">Application name, from the route.</param>
/// <param name="instanceOwnerPartyId">Party id of the instance owner, from the route.</param>
/// <param name="instanceGuid">Unique id of the instance, from the route.</param>
/// <returns>
/// 200 with the instance; 403 (with the failed obligations in the body when the PDP reported any) on denial;
/// otherwise the result of <c>ExceptionResponse</c>.
/// </returns>
public async Task<ActionResult> Get(
    [FromRoute] string org,
    [FromRoute] string app,
    [FromRoute] int instanceOwnerPartyId,
    [FromRoute] Guid instanceGuid)
{
    EnforcementResult decision = await AuthorizeAction(org, app, instanceOwnerPartyId, "read");
    if (!decision.Authorized)
    {
        // Report the unmet obligations (such as a required authentication level) when there are any.
        if (decision.FailedObligations?.Count > 0)
        {
            return StatusCode((int)HttpStatusCode.Forbidden, decision.FailedObligations);
        }

        return StatusCode((int)HttpStatusCode.Forbidden);
    }

    try
    {
        Instance found = await _instanceService.GetInstance(app, org, instanceOwnerPartyId, instanceGuid);
        SelfLinkHelper.SetInstanceAppSelfLinks(found, Request);
        return Ok(found);
    }
    catch (Exception exception)
    {
        return ExceptionResponse(exception, $"Get instance {instanceOwnerPartyId}/{instanceGuid} failed");
    }
}
/// <summary>
/// A Permit decision that carries a minimum-authentication-level obligation must not authorize a user
/// whose claims do not satisfy that level; the failed obligation is reported back by key.
/// </summary>
public void ValidatePdpDecision_TC08()
{
    // Arrange: one Permit result with a single obligation requiring authentication level 3.
    string minAuthLevel = "3";
    XacmlJsonObligationOrAdvice obligation = new XacmlJsonObligationOrAdvice
    {
        AttributeAssignment = new List<XacmlJsonAttributeAssignment>
        {
            new XacmlJsonAttributeAssignment
            {
                Category = "urn:altinn:minimum-authenticationlevel",
                Value = minAuthLevel,
            },
        },
    };

    XacmlJsonResult permit = new XacmlJsonResult
    {
        Decision = XacmlContextDecision.Permit.ToString(),
        Obligations = new List<XacmlJsonObligationOrAdvice> { obligation },
    };

    XacmlJsonResponse response = new XacmlJsonResponse
    {
        Response = new List<XacmlJsonResult> { permit },
    };

    // Act: CreateUserClaims(false) is expected to yield a principal that does not meet the obligation.
    EnforcementResult result = DecisionHelper.ValidatePdpDecisionDetailed(response.Response, CreateUserClaims(false));

    // Assert
    Assert.False(result.Authorized);
    Assert.Contains(AltinnObligations.RequiredAuthenticationLevel, result.FailedObligations.Keys);
    Assert.Equal(minAuthLevel, result.FailedObligations[AltinnObligations.RequiredAuthenticationLevel]);
}
/// <summary>
/// Checks the installer's target architecture against the host: x86 installers always pass,
/// x64 installers pass only on a 64-bit operating system, anything else is rejected.
/// </summary>
/// <param name="installer">The installer whose architecture requirement is evaluated.</param>
/// <returns>A passing result, or a failing result carrying the reason.</returns>
public EnforcementResult IsRequirementSatisfied(Installer installer)
{
    var architecture = installer.Architecture;

    if (architecture == ArchitectureTypes.x86)
    {
        return EnforcementResult.Pass();
    }

    if (architecture == ArchitectureTypes.x64)
    {
        // The host must be 64-bit for an x64 package.
        return _envInfo.Is64BitOperatingSystem
            ? EnforcementResult.Pass()
            : EnforcementResult.Fail("x64 OS required for installation");
    }

    return EnforcementResult.Fail("Unsupported architecture: " + architecture);
}
/// <summary>
/// Builds the 403 response for a denied PDP decision. When the decision reported unmet obligations,
/// they are returned in the body so the caller can see what was missing.
/// </summary>
/// <param name="enforcementResult">The (unauthorized) enforcement result.</param>
/// <returns>A 403 result, with the failed obligations as body when there are any.</returns>
private ActionResult Forbidden(EnforcementResult enforcementResult)
{
    // A null or empty obligation map yields a bare 403.
    bool hasFailedObligations = enforcementResult.FailedObligations?.Count > 0;
    if (!hasFailedObligations)
    {
        return StatusCode((int)HttpStatusCode.Forbidden);
    }

    return StatusCode((int)HttpStatusCode.Forbidden, enforcementResult.FailedObligations);
}
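/// <summary>
/// Deserializes a data model of the requested type from the request body, runs prefill and the app's
/// data-read hook on it, and returns the resulting model to the caller. This action itself does not store the model.
/// </summary>
/// <param name="org">Application owner, from the route.</param>
/// <param name="app">Application name, from the route.</param>
/// <param name="dataType">The data type (from the query string) that selects the model class to deserialize into.</param>
/// <returns>
/// 200 with the (prefilled) model; 400 for a missing/unknown data type, an ambiguous party header, an unparsable
/// party id or a deserialization error; 403 when no party can be resolved or the PDP denies the action.
/// </returns>
public async Task<ActionResult> Post(
    [FromRoute] string org,
    [FromRoute] string app,
    [FromQuery] string dataType)
{
    if (string.IsNullOrEmpty(dataType))
    {
        return BadRequest($"Invalid dataType {dataType} provided. Please provide a valid dataType as query parameter.");
    }

    // The data type must map to a model class in the app metadata; unknown types are rejected before the body is read.
    string classRef = _appResourcesService.GetClassRefForLogicDataType(dataType);
    if (string.IsNullOrEmpty(classRef))
    {
        return BadRequest($"Invalid dataType {dataType} provided. Please provide a valid dataType as query parameter.");
    }

    if (GetPartyHeader(HttpContext).Count > 1)
    {
        return BadRequest("Invalid party. Only one allowed");
    }

    InstanceOwner owner = await GetInstanceOwner(HttpContext);
    if (string.IsNullOrEmpty(owner.PartyId))
    {
        return StatusCode((int)HttpStatusCode.Forbidden);
    }

    // PartyId travels as a string. Convert.ToInt32 threw an unhandled FormatException on a non-numeric value;
    // reject it explicitly instead (the value is not echoed back to the caller).
    if (!int.TryParse(owner.PartyId, out int partyId))
    {
        return BadRequest("Invalid party id provided.");
    }

    // NOTE(review): the action authorized here is "read" although this is a POST, presumably because nothing is
    // persisted by this action — confirm that this is the intended policy action.
    EnforcementResult enforcementResult = await AuthorizeAction(org, app, partyId, "read");
    if (!enforcementResult.Authorized)
    {
        return Forbidden(enforcementResult);
    }

    ModelDeserializer deserializer = new ModelDeserializer(_logger, _altinnApp.GetAppModelType(classRef));
    object appModel = await deserializer.DeserializeAsync(Request.Body, Request.ContentType);
    if (!string.IsNullOrEmpty(deserializer.Error))
    {
        return BadRequest(deserializer.Error);
    }

    // Runs prefill from the repo configuration, if such configuration exists.
    await _prefillService.PrefillDataModel(owner.PartyId, dataType, appModel);

    // A throw-away instance gives the app's data-read hook an owner to work with; it is never stored here.
    Instance virtualInstance = new Instance { InstanceOwner = owner };
    await _altinnApp.RunProcessDataRead(virtualInstance, null, appModel);

    return Ok(appModel);
}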
/// <summary>
/// Checks the installer's minimum Windows version against the running OS. An installer without a minimum
/// version always passes; otherwise the OS version reported by the environment proxy must be at least the minimum.
/// </summary>
/// <param name="installer">The installer whose version requirement is evaluated.</param>
/// <returns>A passing result, or a failing result naming the required and current versions.</returns>
public EnforcementResult IsRequirementSatisfied(Installer installer)
{
    // Short-circuit: the comparison is only evaluated when a minimum version is set.
    bool satisfied = installer.MinWindowsVersion is null
        || _environmentProxy.WindowsVersion >= installer.MinWindowsVersion;

    if (satisfied)
    {
        return EnforcementResult.Pass();
    }

    return EnforcementResult.Fail(
        $"Min supported OS version: {installer.MinWindowsVersion}. Current version: {_environmentProxy.WindowsVersion}");
}
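/// <summary>
/// Asks the PDP whether the current user may perform <paramref name="action"/> on the given app
/// on behalf of the given party, and validates the decision (including its obligations) against the user.
/// </summary>
/// <param name="org">Application owner.</param>
/// <param name="app">Application name.</param>
/// <param name="partyId">Party the action is performed on behalf of.</param>
/// <param name="action">XACML action id, e.g. "read" or "instantiate".</param>
/// <returns>
/// The detailed enforcement result. When the PDP returns no usable response, an un-populated
/// <see cref="EnforcementResult"/> is returned so the check fails closed (this assumes the type does not
/// default <c>Authorized</c> to true).
/// </returns>
private async Task<EnforcementResult> AuthorizeAction(string org, string app, int partyId, string action)
{
    XacmlJsonRequestRoot request = DecisionHelper.CreateDecisionRequest(org, app, HttpContext.User, action, partyId, null);
    XacmlJsonResponse response = await _pdp.GetDecisionForRequest(request);

    if (response?.Response == null)
    {
        // Constant message template with structured arguments instead of an interpolated string (CA2254).
        // NOTE(review): the serialized request includes the subject attributes built from the user's claims;
        // confirm that writing it at Information level is acceptable for this deployment's log handling.
        _logger.LogInformation(
            "// Instances Controller // Authorization of action {Action} failed with request: {Request}.",
            action,
            JsonConvert.SerializeObject(request));

        // No decision means no access.
        return new EnforcementResult();
    }

    return DecisionHelper.ValidatePdpDecisionDetailed(response.Response, HttpContext.User);
}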
/// <summary>
/// A Permit decision carrying both a user-level and an org-level minimum-authentication-level obligation
/// authorizes an org user ("ttd") whose claims satisfy the org-level requirement; no failed obligations are reported.
/// </summary>
public void ValidatePdpDecision_TC10()
{
    // Arrange: obligation for ordinary users (level 4) and obligation for org users (level 2).
    string minAuthLevel = "4";
    XacmlJsonObligationOrAdvice userObligation = new XacmlJsonObligationOrAdvice
    {
        AttributeAssignment = new List<XacmlJsonAttributeAssignment>
        {
            new XacmlJsonAttributeAssignment
            {
                Category = "urn:altinn:minimum-authenticationlevel",
                Value = minAuthLevel,
            },
        },
    };

    string minAuthLevelOrg = "2";
    XacmlJsonObligationOrAdvice orgObligation = new XacmlJsonObligationOrAdvice
    {
        AttributeAssignment = new List<XacmlJsonAttributeAssignment>
        {
            new XacmlJsonAttributeAssignment
            {
                Category = "urn:altinn:minimum-authenticationlevel-org",
                Value = minAuthLevelOrg,
            },
        },
    };

    // The org obligation is listed before the user obligation, as in the original arrangement.
    XacmlJsonResult permit = new XacmlJsonResult
    {
        Decision = XacmlContextDecision.Permit.ToString(),
        Obligations = new List<XacmlJsonObligationOrAdvice> { orgObligation, userObligation },
    };

    XacmlJsonResponse response = new XacmlJsonResponse
    {
        Response = new List<XacmlJsonResult> { permit },
    };

    // Act
    EnforcementResult result = DecisionHelper.ValidatePdpDecisionDetailed(response.Response, CreateUserClaims(false, "ttd"));

    // Assert
    Assert.True(result.Authorized);
    Assert.Null(result.FailedObligations);
}
/// <summary>
/// Test fixture setup: two installers (x86 and x64) and two mocked requirements, one that always passes
/// and one that always fails with "Test failure", regardless of the installer passed in.
/// </summary>
public void Setup()
{
    _x86Installer = new Installer { Architecture = ArchitectureTypes.x86 };
    _x64Installer = new Installer { Architecture = ArchitectureTypes.x64 };

    _approved = new Mock<IEnforceRequirements>();
    _approved
        .Setup(requirement => requirement.IsRequirementSatisfied(It.IsAny<Installer>()))
        .Returns(() => EnforcementResult.Pass());

    _rejected = new Mock<IEnforceRequirements>();
    _rejected
        .Setup(requirement => requirement.IsRequirementSatisfied(It.IsAny<Installer>()))
        .Returns(EnforcementResult.Fail("Test failure"));
}
/// <summary>
/// Creates a new instance of the application for a party. The party comes either from the
/// <paramref name="instanceOwnerPartyId"/> query parameter or from an instance template in the multipart body,
/// but not both. Authorization ("instantiate") is checked against the PDP only after the party has been resolved.
/// </summary>
/// <param name="org">Application owner, from the route.</param>
/// <param name="app">Application name, from the route.</param>
/// <param name="instanceOwnerPartyId">Optional party id of the instance owner, from the query string.</param>
/// <returns>
/// 201 with the created instance and its self link; 400 for malformed or inconsistent input; 404 when the
/// application or the party cannot be found; 403 when the PDP, the party-type rules or the app's own
/// instantiation validation deny the request; otherwise the result of <c>ExceptionResponse</c>.
/// </returns>
public async Task<ActionResult<Instance>> Post(
    [FromRoute] string org,
    [FromRoute] string app,
    [FromQuery] int? instanceOwnerPartyId)
{
    if (string.IsNullOrEmpty(org))
    {
        return (BadRequest("The path parameter 'org' cannot be empty"));
    }

    if (string.IsNullOrEmpty(app))
    {
        return (BadRequest("The path parameter 'app' cannot be empty"));
    }

    Application application = _appResourcesService.GetApplication();
    if (application == null)
    {
        return (NotFound($"AppId {org}/{app} was not found"));
    }

    // The body is multipart; reader errors are serialized back to the caller.
    MultipartRequestReader parsedRequest = new MultipartRequestReader(Request);
    await parsedRequest.Read();
    if (parsedRequest.Errors.Any())
    {
        return (BadRequest($"Error when reading content: {JsonConvert.SerializeObject(parsedRequest.Errors)}"));
    }

    Instance instanceTemplate = await ExtractInstanceTemplate(parsedRequest);

    // Exactly one source for the instance owner: query parameter or template, never neither, never both.
    if (!instanceOwnerPartyId.HasValue && instanceTemplate == null)
    {
        return (BadRequest("Cannot create an instance without an instanceOwner.partyId. Either provide instanceOwner party Id as a query parameter or an instanceTemplate object in the body."));
    }

    if (instanceOwnerPartyId.HasValue && instanceTemplate?.InstanceOwner?.PartyId != null)
    {
        return (BadRequest("You cannot provide an instanceOwnerPartyId as a query param as well as an instance template in the body. Choose one or the other."));
    }

    // Each multipart part must match a data type declared in the application metadata.
    RequestPartValidator requestValidator = new RequestPartValidator(application);
    string multipartError = requestValidator.ValidateParts(parsedRequest.Parts);
    if (!string.IsNullOrEmpty(multipartError))
    {
        return (BadRequest($"Error when comparing content to application metadata: {multipartError}"));
    }

    if (instanceTemplate != null)
    {
        InstanceOwner lookup = instanceTemplate.InstanceOwner;

        // && binds tighter than ||: reject when there is no owner at all, or when the owner carries none of
        // the three identifiers (person number, organisation number, party id).
        if (lookup == null || lookup.PersonNumber == null && lookup.OrganisationNumber == null && lookup.PartyId == null)
        {
            return (BadRequest("Error: instanceOwnerPartyId query parameter is empty and InstanceOwner is missing from instance template. 
You must populate instanceOwnerPartyId or InstanceOwner"));
        }
    }
    else
    {
        // create minimum instance template
        instanceTemplate = new Instance
        {
            InstanceOwner = new InstanceOwner
            {
                PartyId = instanceOwnerPartyId.Value.ToString()
            }
        };
    }

    Party party;
    try
    {
        party = await LookupParty(instanceTemplate);
    }
    catch (Exception partyLookupException)
    {
        // NOTE(review): the raw exception message is returned to the caller here; confirm it never carries
        // internal detail (connection strings, stack fragments) that should not reach the client.
        return (NotFound($"Cannot lookup party: {partyLookupException.Message}"));
    }

    // PDP check for "instantiate" on behalf of the resolved party; denial returns 403 with any failed obligations.
    EnforcementResult enforcementResult = await AuthorizeAction(org, app, party.PartyId, "instantiate");
    if (!enforcementResult.Authorized)
    {
        if (enforcementResult.FailedObligations != null && enforcementResult.FailedObligations.Count > 0)
        {
            return (StatusCode((int)HttpStatusCode.Forbidden, enforcementResult.FailedObligations));
        }

        return (StatusCode((int)HttpStatusCode.Forbidden));
    }

    // Application metadata restricts which party types (person/org/...) may instantiate.
    if (!InstantiationHelper.IsPartyAllowedToInstantiate(party, application.PartyTypesAllowed))
    {
        return (StatusCode((int)HttpStatusCode.Forbidden, $"Party {party.PartyId} is not allowed to instantiate this application {org}/{app}"));
    }

    // Run custom app logic to validate instantiation
    InstantiationValidationResult validationResult = await _altinnApp.RunInstantiationValidation(instanceTemplate);
    if (validationResult != null && !validationResult.Valid)
    {
        return (StatusCode((int)HttpStatusCode.Forbidden, validationResult));
    }

    Instance instance;
    ProcessStateChange processResult;
    try
    {
        // start process and goto next task
        // Any process state supplied in the template is discarded; the process always starts from the app's start event.
        instanceTemplate.Process = null;
        string startEvent = await _altinnApp.OnInstantiateGetStartEvent();
        processResult = _processService.ProcessStartAndGotoNextTask(instanceTemplate, startEvent, User);

        // create the instance
        instance = await _instanceService.CreateInstance(org, app, instanceTemplate);
    }
    catch (Exception exception)
    {
        return (ExceptionResponse(exception, $"Instantiation of appId {org}/{app} failed for party {instanceTemplate.InstanceOwner?.PartyId}"));
    }

    try
    {
        await StorePrefillParts(instance, application, parsedRequest.Parts);

        // get the updated instance
        // instance.Id is "<partyId>/<instanceGuid>"; the guid is the second segment.
        instance = await _instanceService.GetInstance(app, org, int.Parse(instance.InstanceOwner.PartyId), Guid.Parse(instance.Id.Split("/")[1]));

        // notify app and store events
        await ProcessController.NotifyAppAboutEvents(_altinnApp, instance, processResult.Events);
        await _processService.DispatchProcessEventsToStorage(instance, processResult.Events);
    }
    catch (Exception exception)
    {
        // At this point the instance already exists in storage; only the data elements / events step failed.
        return (ExceptionResponse(exception, $"Instantiation of data elements failed for instance {instance.Id} for party {instanceTemplate.InstanceOwner?.PartyId}"));
    }

    SelfLinkHelper.SetInstanceAppSelfLinks(instance, Request);
    string url = instance.SelfLinks.Apps;
    return (Created(url, instance));
}