feat: create scope package

src/pkgs/Altinn.Authorization.PEP/src/Altinn.Authorization.PEP/Extensions/AuthorizationBuilderExtensions.cs

@@ -1,4 +1,4 @@
-using Altinn.Common.PEP.Authorization;
+using Altinn.Common.PEP.Authorization;
 using Microsoft.AspNetCore.Authorization;
 
 namespace Altinn.Authorization.PEP.Extensions;
@@ -41,20 +41,4 @@ public static AuthorizationBuilder AddAltinnPEPResourceAccessPolicy(this Authori
         ArgumentException.ThrowIfNullOrEmpty(actionType, nameof(actionType));
         return builder.AddPolicy(name, policy => policy.Requirements.Add(new ResourceAccessRequirement(resourceId, actionType)));
     }
-
-    /// <summary>
-    /// Adds a scope-based access policy to the authorization builder.
-    /// </summary>
-    /// <param name="builder">The <see cref="AuthorizationBuilder"/> to which the policy will be added.</param>
-    /// <param name="name">The name of the policy.</param>
-    /// <param name="scopes">An array of scopes required by the policy.</param>
-    /// <exception cref="ArgumentException">Thrown if <paramref name="name"/> is null or empty or if <paramref name="scopes"/> contains null or empty values.</exception>
-    /// <exception cref="ArgumentNullException">Thrown if <paramref name="scopes"/> is null.</exception>
-    /// <returns>The updated <see cref="AuthorizationBuilder"/>.</returns>
-    public static AuthorizationBuilder AddAltinnPEPScopePolicy(this AuthorizationBuilder builder, string name, params string[] scopes)
-    {
-        ArgumentException.ThrowIfNullOrEmpty(name, nameof(name));
-        ArgumentNullException.ThrowIfNull(scopes, nameof(scopes));
-        return builder.AddPolicy(name, policy => policy.Requirements.Add(new ScopeAccessRequirement(scopes)));
-    }
 }

src/pkgs/Altinn.Authorization.PEP/src/Altinn.Authorization.PEP/Extensions/ServiceCollectionExtensions.cs

@@ -1,4 +1,4 @@
-using Altinn.Common.PEP.Authorization;
+using Altinn.Common.PEP.Authorization;
 using Microsoft.AspNetCore.Authorization;
 using Microsoft.Extensions.DependencyInjection;
 using Microsoft.Extensions.DependencyInjection.Extensions;
@@ -20,7 +20,6 @@ public static IServiceCollection AddAltinnPEP(this IServiceCollection services)
     {
         services.TryAddScoped<IAuthorizationHandler, ClaimAccessHandler>();
         services.TryAddScoped<IAuthorizationHandler, ResourceAccessHandler>();
-        services.TryAddScoped<IAuthorizationHandler, ScopeAccessHandler>();
         return services;
     }
 }

src/pkgs/Altinn.Authorization.PEP/src/Altinn.Authorization.Scopes/Altinn.Authorization.Scopes.csproj

@@ -0,0 +1,16 @@
+<Project Sdk="Microsoft.NET.Sdk">
+
+	<PropertyGroup>
+		<Nullable>enable</Nullable>
+		<LangVersion>13.0</LangVersion>
+	</PropertyGroup>
+
+	<ItemGroup>
+		<FrameworkReference Include="Microsoft.AspNetCore.App" />
+	</ItemGroup>
+
+	<ItemGroup>
+		<InternalsVisibleTo Include="Altinn.Authorization.PEP.Tests" />
+	</ItemGroup>
+
+</Project>

src/pkgs/Altinn.Authorization.PEP/src/Altinn.Authorization.Scopes/AnyOfScopeAuthorizationHandler.cs

@@ -0,0 +1,37 @@
+using Microsoft.AspNetCore.Authorization;
+
+namespace Altinn.Authorization.Scopes;
+
+/// <summary>
+/// Represents an authorization handler that can perform authorization based on scope
+/// </summary>
+internal sealed class AnyOfScopeAuthorizationHandler
+    : AuthorizationHandler<IAnyOfScopeAuthorizationRequirement>
+{
+    /// <inheritdoc/>
+    protected override Task HandleRequirementAsync(AuthorizationHandlerContext context, IAnyOfScopeAuthorizationRequirement requirement)
+    {
+        foreach (var identity in context.User.Identities.Where(static i => string.Equals(i.AuthenticationType, "AuthenticationTypes.Federation")))
+        {
+            foreach (var claim in identity.Claims.Where(static c => string.Equals(c.Type, "urn:altinn:scope")))
+            {
+                if (requirement.AnyOfScopes.Check(claim.Value))
+                {
+                    context.Succeed(requirement);
+                    return Task.CompletedTask;
+                }
+            }
+        }
+
+        foreach (var claim in context.User.Claims.Where(static c => string.Equals(c.Type, "scope")))
+        {
+            if (requirement.AnyOfScopes.Check(claim.Value))
+            {
+                context.Succeed(requirement);
+                return Task.CompletedTask;
+            }
+        }
+
+        return Task.CompletedTask;
+    }
+}