Instance delegation | API for Apps to fetch/check the access rights the app can delegate #840

Closed
4 tasks done
Tracked by #825
jonkjetiloye opened this issue Oct 8, 2024 · 0 comments
jonkjetiloye commented Oct 8, 2024

Description

We are going to build an integration for studio apps where they can fetch and check all access rights they can delegate on behalf of an instance. These are set up in the app's Xacml policy with a new, dedicated subject attribute: urn:altinn:resource:delegation, where the value is the resource id in the Resource Registry. For Altinn Apps that are not yet registered in the Resource Registry, these already have a fixed identifier format:
app_{orgCode}_{appName}. So e.g.: ttd/apps-test has the identifier: app_ttd_apps-test.

Definitions

See #825

Clarifications

Acceptance criteria

AC1 - App with Xacml delegation rule
GIVEN an Altinn App has received one or more rules in its own or another app's policy with the subject attribute urn:altinn:resource:delegation
WHEN the app is authenticated with a PlatformAccessToken signed with a certificate from its own app cluster
AND the authenticated app's resource id matches the subject specified in a rule in the policy
THEN the DelegationCheck API shall return all individual rights that can be decomposed based on the rules created in the policy

AC2 - App without Xacml delegation rule
GIVEN the app is authenticated with a PlatformAccessToken signed with a certificate from its own app cluster
WHEN the authenticated app's resource id does NOT match any subject specified in a rule in the policy on the urn:altinn:resource:delegation attribute
THEN the DelegationCheck API shall return an empty set of delegable rights

API design proposal

https://app.swaggerhub.com/apis/jon.kjetil.oye/AccessManagementInstanceDelegation/1.0

Architecture diagram

image

Tasks

Threat modeling

Backend

Documentation

Test
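
The check that AC1 and AC2 describe, as an added Python example that is not code from the project or the issue author. The policy is a constructed, abbreviated XACML 3.0 sample; the `urn:altinn:resource` resource attribute, the names `delegation_check` and `SAMPLE_POLICY`, and the reading of "decomposed" as one right per resource/action pair are assumptions.

```python
import xml.etree.ElementTree as ET
from itertools import product

NS = {"x": "urn:oasis:names:tc:xacml:3.0:core:schema:wd-17"}
DELEGATION_ATTR = "urn:altinn:resource:delegation"  # subject attribute from the issue
SUBJECT = "urn:oasis:names:tc:xacml:1.0:subject-category:access-subject"
RESOURCE = "urn:oasis:names:tc:xacml:3.0:attribute-category:resource"
ACTION = "urn:oasis:names:tc:xacml:3.0:attribute-category:action"
ACTION_ID = "urn:oasis:names:tc:xacml:1.0:action:action-id"

def _all_ofs(rule, category):
    """Every AllOf in the rule target for one category, as a tuple of (attribute id, value)."""
    found = []
    for all_of in rule.iterfind("x:Target/x:AnyOf/x:AllOf", NS):
        pairs = [(m.find("x:AttributeDesignator", NS).get("AttributeId"),
                  m.findtext("x:AttributeValue", "", NS).strip())
                 for m in all_of.iterfind("x:Match", NS)
                 if m.find("x:AttributeDesignator", NS).get("Category") == category]
        if pairs:
            found.append(tuple(sorted(pairs)))
    return found

def delegation_check(policy_xml, app_resource_id):
    """Rights (resource, action) the authenticated app may delegate; empty set if none (AC2)."""
    wanted = ((DELEGATION_ATTR, app_resource_id),)
    rights = set()
    for rule in ET.fromstring(policy_xml).iterfind("x:Rule", NS):
        # Exact, case-sensitive match; a subject AllOf that also demands other
        # attributes is deliberately not treated as a match (conservative choice).
        if rule.get("Effect") != "Permit" or wanted not in _all_ofs(rule, SUBJECT):
            continue
        for res, act in product(_all_ofs(rule, RESOURCE), _all_ofs(rule, ACTION)):
            rights.add((res, act[0][1]))  # one right per resource/action pair (AC1)
    return rights

# Constructed sample policy below; attribute values are illustrative only.
def _any_of(cat, attr, *values):
    body = "".join(f'<AllOf><Match><AttributeValue>{v}</AttributeValue>'
                   f'<AttributeDesignator Category="{cat}" AttributeId="{attr}"/>'
                   f'</Match></AllOf>' for v in values)
    return f"<AnyOf>{body}</AnyOf>"

def _rule(subject_app, *actions):
    return ('<Rule Effect="Permit"><Target>' + _any_of(SUBJECT, DELEGATION_ATTR, subject_app)
            + _any_of(RESOURCE, "urn:altinn:resource", "app_ttd_apps-test")  # assumed attribute
            + _any_of(ACTION, ACTION_ID, *actions) + "</Target></Rule>")

SAMPLE_POLICY = (f'<Policy xmlns="{NS["x"]}">' + _rule("app_ttd_apps-test", "read", "sign")
                 + _rule("app_ttd_other-app", "write") + "</Policy>")
```

The `app_resource_id` argument stands for the resource id taken from the already verified PlatformAccessToken; token validation itself is outside this example.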
@jonkjetiloye jonkjetiloye moved this from New to 👷In Progress in Team Tilgangsstyring & Kontroll Oct 8, 2024
@jonkjetiloye jonkjetiloye self-assigned this Oct 8, 2024
jonkjetiloye pushed a commit that referenced this issue Oct 11, 2024
#840
- New DelegationCheck API endpoint added to AppInstanceDelegationController
- New service implementation for DelegationCheck in AppInstanceDelegationService
- Rewrite of existing internal delegation check logic in delegation service
- Added simple integration test
- Added Bruno automated test requests
jonkjetiloye added a commit that referenced this issue Oct 16, 2024
* Instance Delegation API endpoints for Apps

* fix style cop issue

* changed route and added scope authorization

* Initial DBChange Deploy

* Added v1 and v2 controller endpoint examples and models

* Added logic for parsing partyuuid to person/organization
Fixed writing of changes to db

* Fixed some unstaged file missing from last commit

* Moved a singleton load from one project to another to be more correct to where it is defined

* Added some more tests
Fixed missing mapping of delegation mode on response
Changed the order of delegation mode so Normal is default value
Mocked some required data for response
Added a partial response when not all data has Delegated as status

* Removed my commented out hack of app when token is missing with local test
Followed SonarCloud suggestion of not fetching data directly from Request but use built in templates for this.

* Fixed some comments on review

* Fixed comments on code

* Fixed some of SonarCloud's nagging

* Some more SonarCloud

* More SonarCloud

* Sonar cloud tidying

* SonarCloud tidying Version n+1

* SonarCloud version n +2

* revert BaseUrn change

* - Fixed build error
- Fixed path and authorization policy in AppsInstanceDelegationController
- Added AppsInstanceDelegation Bruno request templates to Manual test collection

* Code smells SonarCloud Version n+3

* SonarCloud n+4

* Test for better code coverage

* Updated example bruno requests for Apps Instance delegation API

* Added Error handling test

* Test to see if any code lines are tested now

* New Test with OrgNumber

* New test to get SonarCloud to pickup test

* Moved test to see if it is picked up by SC

* Renamed a Model and removed two unused models

* - Added Action to compare function of delegable rights
- Added check for empty rulesToDelegate to avoid writing empty policy files

* Fixed bruno request templates for AppInstanceDelegation

* More Model Test and moved the tests as an experiment

* Fixed using directive

* Reduce the cognitive load by moving two if statements into a separate method
Removed unused using directives
Renamed method to reflect the model it used
Switched from the Count method on IEnumerable to the Count property on List

* UnitTest helpers to up test coverage

* Fixed code smells

* Code smell

* Added DelegationCheck support for AppInstanceDelegation
#840
- New DelegationCheck API endpoint added to AppInstanceDelegationController
- New service implementation for DelegationCheck in AppInstanceDelegationService
- Rewrite of existing internal delegation check logic in delegation service
- Added simple integration test
- Added Bruno automated test requests

* Fix Sonar Cloud issues

* removed now unused helper method

* Moved the automated bruno test requests as they are not ready yet.
Path change and APIM deploy needs to be completed first

---------

Co-authored-by: Jon Kjetil Øye <acn-joye@ai-dev.no>
Co-authored-by: Remi Løvoll <remi.lovoll@avanade.com>
@github-project-automation github-project-automation bot moved this from 🧪Test to ✅ Done in Team Tilgangsstyring & Kontroll Dec 5, 2024