diff --git a/src/apps/Altinn.AccessManagement/src/Altinn.AccessManagement.Core/Services/PolicyInformationPoint.cs b/src/apps/Altinn.AccessManagement/src/Altinn.AccessManagement.Core/Services/PolicyInformationPoint.cs index 35dce29c8..f24db9364 100644 --- a/src/apps/Altinn.AccessManagement/src/Altinn.AccessManagement.Core/Services/PolicyInformationPoint.cs +++ b/src/apps/Altinn.AccessManagement/src/Altinn.AccessManagement.Core/Services/PolicyInformationPoint.cs @@ -129,11 +129,13 @@ public async Task> GetRights(RightsQuery rightsQuery, bool returnAll } int minimumAuthenticationLevel = PolicyHelper.GetMinimumAuthenticationLevelFromXacmlPolicy(policy); + var validPolicyResourceAttributes = GetValidResourceAttributes(rightsQuery.Resource); + if (userRoles.Any() || returnAllPolicyRights || getDelegableRights) { List userRoleAttributeMatches = RightsHelper.GetRoleAttributeMatches(userRoles); RightSourceType policyType = resourceMatchType == ResourceAttributeMatchType.ResourceRegistry ? RightSourceType.ResourceRegistryPolicy : RightSourceType.AppPolicy; - EnrichRightsDictionaryWithRightsFromPolicy(result, policy, policyType, userRoleAttributeMatches, minimumAuthenticationLevel: minimumAuthenticationLevel, returnAllPolicyRights: returnAllPolicyRights, getDelegableRights: getDelegableRights); + EnrichRightsDictionaryWithRightsFromPolicy(result, policy, validPolicyResourceAttributes, policyType, userRoleAttributeMatches, minimumAuthenticationLevel: minimumAuthenticationLevel, returnAllPolicyRights: returnAllPolicyRights, getDelegableRights: getDelegableRights); } // Delegation Policy Rights 
@@ -143,7 +145,7 @@ public async Task> GetRights(RightsQuery rightsQuery, bool returnAll { XacmlPolicy delegationPolicy = await _prp.GetPolicyVersionAsync(delegation.BlobStoragePolicyPath, delegation.BlobStorageVersionId, cancellationToken); List subjects = RightsHelper.GetDelegationSubjectAttributeMatches(delegation); - EnrichRightsDictionaryWithRightsFromPolicy(result, delegationPolicy, RightSourceType.DelegationPolicy, subjects, minimumAuthenticationLevel: minimumAuthenticationLevel, delegationOfferedByPartyId: delegation.OfferedByPartyId, getDelegableRights: getDelegableRights); + EnrichRightsDictionaryWithRightsFromPolicy(result, delegationPolicy, validPolicyResourceAttributes, RightSourceType.DelegationPolicy, subjects, minimumAuthenticationLevel: minimumAuthenticationLevel, delegationOfferedByPartyId: delegation.OfferedByPartyId, getDelegableRights: getDelegableRights); } if (returnAllPolicyRights) @@ -172,7 +174,9 @@ public async Task> GetDelegableRightsByApp(RightsQuery rightsQuery, int minimumAuthenticationLevel = PolicyHelper.GetMinimumAuthenticationLevelFromXacmlPolicy(policy); RightSourceType policyType = rightsQuery.Resource.ResourceType == ResourceType.AltinnApp ? RightSourceType.AppPolicy : RightSourceType.ResourceRegistryPolicy; - EnrichRightsDictionaryWithRightsFromPolicy(result, policy, policyType, rightsQuery.To, minimumAuthenticationLevel: minimumAuthenticationLevel, returnAllPolicyRights: false, getDelegableRights: true); + var validPolicyResourceAttributes = GetValidResourceAttributes(rightsQuery.Resource); + + EnrichRightsDictionaryWithRightsFromPolicy(result, policy, validPolicyResourceAttributes, policyType, rightsQuery.To, minimumAuthenticationLevel: minimumAuthenticationLevel, returnAllPolicyRights: false, getDelegableRights: true); return result.Values.Where(r => r.CanDelegate.HasValue && r.CanDelegate.Value).ToList(); } 
@@ -309,6 +313,21 @@ public async Task> GetInstanceDelegations(A return result; } + private static List> GetValidResourceAttributes(ServiceResource resource) + { + var validResourceAttributes = new List> + { + resource.AuthorizationReference + }; + + if (resource.ResourceType == ResourceType.AltinnApp) + { + validResourceAttributes.Add(new List { new AttributeMatch(AltinnXacmlConstants.MatchAttributeIdentifiers.ResourceRegistryAttribute, resource.Identifier) }); + } + + return validResourceAttributes; + } + private static List GetRightsFromPolicy(XacmlPolicy policy) { List result = new List(); @@ -550,7 +569,7 @@ private static void AddAttributeMatchToRule(XacmlMatch xacmlMatch, Rule rule) } } - private static void EnrichRightsDictionaryWithRightsFromPolicy(Dictionary rights, XacmlPolicy policy, RightSourceType policySourceType, List subjectMatches, int minimumAuthenticationLevel = 0, int delegationOfferedByPartyId = 0, bool returnAllPolicyRights = false, bool getDelegableRights = false) + private static void EnrichRightsDictionaryWithRightsFromPolicy(Dictionary rights, XacmlPolicy policy, List> validResourceAttr, RightSourceType policySourceType, List subjectMatches, int minimumAuthenticationLevel = 0, int delegationOfferedByPartyId = 0, bool returnAllPolicyRights = false, bool getDelegableRights = false) { PolicyDecisionPoint pdp = new PolicyDecisionPoint(); 
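Review bot: `GetValidResourceAttributes` adds `resource.AuthorizationReference` to the list without checking it, and the filter added in the `-563,6 +582,12` hunk runs `attrSet.All(...)` over each entry. An empty list makes `All` vacuously true, so every rule in the policy would pass the resource check, and a null entry would throw inside the rule loop. Add the reference only when it carries attributes, e.g. `if (resource.AuthorizationReference?.Count > 0) { validResourceAttributes.Add(resource.AuthorizationReference); }`, so that a query with no usable resource attributes matches no rule rather than all of them. An XML doc comment stating that each inner list is one acceptable set of resource attributes for the queried resource would also help; the element types are not visible in this view of the diff.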
@@ -563,6 +582,12 @@ private static void EnrichRightsDictionaryWithRightsFromPolicy(Dictionary ruleRights = PolicyHelper.GetRightsFromXacmlRules(rule.SingleToList()); foreach (Right ruleRight in ruleRights) { + // If rule from policy does not match the resource of the originating policy, skip it + if (!validResourceAttr.Any(attrSet => attrSet.All(attr => ruleRight.Resource.Any(r => attr.Id.Equals(r.Id, StringComparison.OrdinalIgnoreCase) && attr.Value.Equals(r.Value, StringComparison.OrdinalIgnoreCase))))) + { + continue; + } + ICollection contextAttributes = PolicyHelper.GetContextAttributes(subjectMatches, ruleRight.Resource, ruleRight.Action.SingleToList()); XacmlContextRequest authRequest = new XacmlContextRequest(false, false, contextAttributes); diff --git a/src/apps/Altinn.AccessManagement/src/Altinn.AccessManagement.Core/Services/SingleRightsService.cs b/src/apps/Altinn.AccessManagement/src/Altinn.AccessManagement.Core/Services/SingleRightsService.cs index 1def59d37..e95ddce73 100644 --- a/src/apps/Altinn.AccessManagement/src/Altinn.AccessManagement.Core/Services/SingleRightsService.cs +++ b/src/apps/Altinn.AccessManagement/src/Altinn.AccessManagement.Core/Services/SingleRightsService.cs @@ -554,7 +554,12 @@ private static bool ValidateAllRightsAreForTheSameResource(List rights) foreach (Right right in rights) { DelegationHelper.TryGetResourceFromAttributeMatch(right.Resource, out ResourceAttributeMatchType resourceMatchType, out string resourceRegistryId, out string org, out string app, out string serviceCode, out string serviceEditionCode); - string currentResourceKey = $"{resourceMatchType}{resourceRegistryId}{org}{app}{serviceCode}{serviceEditionCode}"; + if (resourceMatchType == ResourceAttributeMatchType.AltinnAppId) + { + resourceRegistryId = $"app_{org.ToLower()}_{app.ToLower()}"; + } + + string currentResourceKey = $"{resourceRegistryId}{serviceCode}{serviceEditionCode}"; if (firstResourceKey == string.Empty) { 
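Review bot: In the resource check added inside the `foreach (Right ruleRight in ruleRights)` loop, `attr.Id.Equals(...)` and `attr.Value.Equals(...)` are instance calls, so an `AttributeMatch` with a null id or value throws instead of simply not matching. The static form is null-safe: `string.Equals(attr.Id, r.Id, StringComparison.OrdinalIgnoreCase) && string.Equals(attr.Value, r.Value, StringComparison.OrdinalIgnoreCase)`. The predicate is also a subset test, since a rule passes when it contains every attribute of one valid set and may carry further resource attributes, so the comment should say that: `// Skip rules whose resource does not contain every attribute of at least one valid attribute set for the queried resource`. Because this single line decides which policy rules are evaluated at all, moving it into a named private helper would make it easier to review and to unit-test. The enclosing method continues outside the hunk.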
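Review bot: In `ValidateAllRightsAreForTheSameResource`, `org.ToLower()` and `app.ToLower()` use the current culture, so the generated key can differ between hosts with different culture settings; use the invariant form, `resourceRegistryId = $"app_{org.ToLowerInvariant()}_{app.ToLowerInvariant()}";`. The key is also built by concatenating three fields with no separator and no longer includes `resourceMatchType`, so two different attribute combinations could in principle produce the same string; a delimiter such as `$"{resourceRegistryId}|{serviceCode}|{serviceEditionCode}"` removes that ambiguity. The app identifier built in `RightsQueryExternal` in this same commit is not lower-cased, which may be worth aligning. The method body continues outside the hunk.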
diff --git a/src/apps/Altinn.AccessManagement/src/Altinn.AccessManagement/Models/Rights/RightsQueryExternal.cs b/src/apps/Altinn.AccessManagement/src/Altinn.AccessManagement/Models/Rights/RightsQueryExternal.cs index c2aa4aacf..e869247b5 100644 --- a/src/apps/Altinn.AccessManagement/src/Altinn.AccessManagement/Models/Rights/RightsQueryExternal.cs +++ b/src/apps/Altinn.AccessManagement/src/Altinn.AccessManagement/Models/Rights/RightsQueryExternal.cs @@ -44,18 +44,23 @@ public RightsQuery ToRightsQueryInternal(IMapper mapper) Type = RightsQueryType.User, From = mapper.Map>(From), To = mapper.Map>(To), - Resource = new ServiceResource - { - Identifier = GetResourceIdentifier(Resource), - AuthorizationReference = mapper.Map>(Resource) - } + Resource = GetResource(Resource, mapper) }; } - private static string GetResourceIdentifier(List resource) + private ServiceResource GetResource(List resource, IMapper mapper) { - return resource.Find(r => r.Id == AltinnXacmlConstants.MatchAttributeIdentifiers.ResourceRegistryAttribute)?.Value ?? + var id = resource.Find(r => r.Id == AltinnXacmlConstants.MatchAttributeIdentifiers.ResourceRegistryAttribute)?.Value ?? $"app_{resource.Find(r => r.Id == AltinnXacmlConstants.MatchAttributeIdentifiers.OrgAttribute)?.Value}_{resource.Find(r => r.Id == AltinnXacmlConstants.MatchAttributeIdentifiers.AppAttribute)?.Value}"; + + var serviceResource = new ServiceResource + { + Identifier = id, + ResourceType = id.StartsWith("app_") ? ResourceType.AltinnApp : ResourceType.Default, + AuthorizationReference = mapper.Map>(resource) + }; + + return serviceResource; } } } diff --git a/src/apps/Altinn.AccessManagement/test/AccessMgmt.Tests/Data/Json/DelegableRightsQuery/ttd_rf-0002/from_p50005545/to_u20000490/expected_rights_returnall_false.json b/src/apps/Altinn.AccessManagement/test/AccessMgmt.Tests/Data/Json/DelegableRightsQuery/ttd_rf-0002/from_p50005545/to_u20000490/expected_rights_returnall_false.json index 391753a61..3f6b3040b 100644 
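Review bot: `GetResource` derives `ResourceType` from `id.StartsWith("app_")`, and `id` comes straight from the resource attributes of the request. When the request has neither a resource-registry attribute nor org/app attributes, the fallback interpolation yields `app__`, which is then classified as `ResourceType.AltinnApp` rather than rejected. Consider verifying that org and app are both present before building the app identifier, and pass an explicit comparison: `id.StartsWith("app_", StringComparison.Ordinal)`. The method reads no instance state, so it can remain `private static` as `GetResourceIdentifier` was.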
--- a/src/apps/Altinn.AccessManagement/test/AccessMgmt.Tests/Data/Json/DelegableRightsQuery/ttd_rf-0002/from_p50005545/to_u20000490/expected_rights_returnall_false.json
+++ b/src/apps/Altinn.AccessManagement/test/AccessMgmt.Tests/Data/Json/DelegableRightsQuery/ttd_rf-0002/from_p50005545/to_u20000490/expected_rights_returnall_false.json
@@ -995,5 +995,132 @@ ] } ] + }, + { + "rightKey": "app_ttd_rf-0002:access", + "resource": [ + { + "id": "urn:altinn:resource", + "value": "app_ttd_rf-0002" + } + ], + "action": "access", + "canDelegate": true, + "rightSources": [ + { + "rightSourceType": "AppPolicy", + "policyId": "urn:altinn:example:policyid:1", + "policyVersion": "1.0", + "ruleId": "urn:altinn:example:ruleid:7", + "canDelegate": true, + "userSubjects": [ + { + "id": "urn:altinn:rolecode", + "value": "LOPER" + }, + { + "id": "urn:altinn:rolecode", + "value": "ADMAI" + }, + { + "id": "urn:altinn:rolecode", + "value": "REGNA" + }, + { + "id": "urn:altinn:rolecode", + "value": "SISKD" + }, + { + "id": "urn:altinn:rolecode", + "value": "UILUF" + }, + { + "id": "urn:altinn:rolecode", + "value": "UTINN" + }, + { + "id": "urn:altinn:rolecode", + "value": "UTOMR" + }, + { + "id": "urn:altinn:rolecode", + "value": "KLADM" + }, + { + "id": "urn:altinn:rolecode", + "value": "ATTST" + }, + { + "id": "urn:altinn:rolecode", + "value": "HVASK" + }, + { + "id": "urn:altinn:rolecode", + "value": "PAVAD" + }, + { + "id": "urn:altinn:rolecode", + "value": "SIGNE" + }, + { + "id": "urn:altinn:rolecode", + "value": "UIHTL" + }, + { + "id": "urn:altinn:rolecode", + "value": "KOMAB" + }, + { + "id": "urn:altinn:rolecode", + "value": "LEDE" + }, + { + "id": "urn:altinn:rolecode", + "value": "DAGL" + }, + { + "id": "urn:altinn:rolecode", + "value": "ECKEYROLE" + }, + { + "id": "urn:altinn:rolecode", + "value": "HADM" + }, + { + "id": "urn:altinn:rolecode", + "value": "PASIG" + }, + { + "id": "urn:altinn:rolecode", + "value": "A0278" + }, + { + "id": "urn:altinn:rolecode", + "value": "A0236" + }, + { + "id": "urn:altinn:rolecode", + "value": "A0212" + }, + { + "id": "urn:altinn:rolecode", + "value": "A0293" + }, + { + "id": "urn:altinn:rolecode", + "value": "A0294" + } + ], + "policySubjects": [ + [ + { + "matchFound": null, + "id": "urn:altinn:rolecode", + "value": "DAGL" + } + ] + ] + } + ] } ] 
diff --git a/src/apps/Altinn.AccessManagement/test/AccessMgmt.Tests/Data/Json/DelegableRightsQuery/ttd_rf-0002/from_p50005545/to_u20000490/expected_rights_returnall_true.json b/src/apps/Altinn.AccessManagement/test/AccessMgmt.Tests/Data/Json/DelegableRightsQuery/ttd_rf-0002/from_p50005545/to_u20000490/expected_rights_returnall_true.json
index 6a10f4904..e23121b01 100644
--- a/src/apps/Altinn.AccessManagement/test/AccessMgmt.Tests/Data/Json/DelegableRightsQuery/ttd_rf-0002/from_p50005545/to_u20000490/expected_rights_returnall_true.json
+++ b/src/apps/Altinn.AccessManagement/test/AccessMgmt.Tests/Data/Json/DelegableRightsQuery/ttd_rf-0002/from_p50005545/to_u20000490/expected_rights_returnall_true.json
@@ -1260,5 +1260,132 @@ ] } ] + }, + { + "rightKey": "app_ttd_rf-0002:access", + "resource": [ + { + "id": "urn:altinn:resource", + "value": "app_ttd_rf-0002" + } + ], + "action": "access", + "canDelegate": true, + "rightSources": [ + { + "rightSourceType": "AppPolicy", + "policyId": "urn:altinn:example:policyid:1", + "policyVersion": "1.0", + "ruleId": "urn:altinn:example:ruleid:7", + "canDelegate": true, + "userSubjects": [ + { + "id": "urn:altinn:rolecode", + "value": "LOPER" + }, + { + "id": "urn:altinn:rolecode", + "value": "ADMAI" + }, + { + "id": "urn:altinn:rolecode", + "value": "REGNA" + }, + { + "id": "urn:altinn:rolecode", + "value": "SISKD" + }, + { + "id": "urn:altinn:rolecode", + "value": "UILUF" + }, + { + "id": "urn:altinn:rolecode", + "value": "UTINN" + }, + { + "id": "urn:altinn:rolecode", + "value": "UTOMR" + }, + { + "id": "urn:altinn:rolecode", + "value": "KLADM" + }, + { + "id": "urn:altinn:rolecode", + "value": "ATTST" + }, + { + "id": "urn:altinn:rolecode", + "value": "HVASK" + }, + { + "id": "urn:altinn:rolecode", + "value": "PAVAD" + }, + { + "id": "urn:altinn:rolecode", + "value": "SIGNE" + }, + { + "id": "urn:altinn:rolecode", + "value": "UIHTL" + }, + { + "id": "urn:altinn:rolecode", + "value": "KOMAB" + }, + { + "id": "urn:altinn:rolecode", + "value": "LEDE" + }, + { + "id": "urn:altinn:rolecode", + "value": "DAGL" + }, + { + "id": "urn:altinn:rolecode", + "value": "ECKEYROLE" + }, + { + "id": "urn:altinn:rolecode", + "value": "HADM" + }, + { + "id": "urn:altinn:rolecode", + "value": "PASIG" + }, + { + "id": "urn:altinn:rolecode", + "value": "A0278" + }, + { + "id": "urn:altinn:rolecode", + "value": "A0236" + }, + { + "id": "urn:altinn:rolecode", + "value": "A0212" + }, + { + "id": "urn:altinn:rolecode", + "value": "A0293" + }, + { + "id": "urn:altinn:rolecode", + "value": "A0294" + } + ], + "policySubjects": [ + [ + { + "matchFound": null, + "id": "urn:altinn:rolecode", + "value": "DAGL" + } + ] + ] + } + ] } ] 
diff --git a/src/apps/Altinn.AccessManagement/test/AccessMgmt.Tests/Data/Json/RightsQuery/ttd_rf-0002/from_p50005545/to_u20000490/expected_rights_returnall_false.json b/src/apps/Altinn.AccessManagement/test/AccessMgmt.Tests/Data/Json/RightsQuery/ttd_rf-0002/from_p50005545/to_u20000490/expected_rights_returnall_false.json
index 4dd4d1d75..f6f53e5e6 100644
--- a/src/apps/Altinn.AccessManagement/test/AccessMgmt.Tests/Data/Json/RightsQuery/ttd_rf-0002/from_p50005545/to_u20000490/expected_rights_returnall_false.json
+++ b/src/apps/Altinn.AccessManagement/test/AccessMgmt.Tests/Data/Json/RightsQuery/ttd_rf-0002/from_p50005545/to_u20000490/expected_rights_returnall_false.json
@@ -1022,5 +1022,136 @@ ] } ] + }, + { + "rightKey": "app_ttd_rf-0002:access", + "resource": [ + { + "id": "urn:altinn:resource", + "value": "app_ttd_rf-0002" + } + ], + "action": "access", + "hasPermit": true, + "rightSources": [ + { + "rightSourceType": "AppPolicy", + "policyId": "urn:altinn:example:policyid:1", + "policyVersion": "1.0", + "ruleId": "urn:altinn:example:ruleid:7", + "hasPermit": true, + "userSubjects": [ + { + "id": "urn:altinn:rolecode", + "value": "LOPER" + }, + { + "id": "urn:altinn:rolecode", + "value": "ADMAI" + }, + { + "id": "urn:altinn:rolecode", + "value": "REGNA" + }, + { + "id": "urn:altinn:rolecode", + "value": "SISKD" + }, + { + "id": "urn:altinn:rolecode", + "value": "UILUF" + }, + { + "id": "urn:altinn:rolecode", + "value": "UTINN" + }, + { + "id": "urn:altinn:rolecode", + "value": "UTOMR" + }, + { + "id": "urn:altinn:rolecode", + "value": "KLADM" + }, + { + "id": "urn:altinn:rolecode", + "value": "ATTST" + }, + { + "id": "urn:altinn:rolecode", + "value": "HVASK" + }, + { + "id": "urn:altinn:rolecode", + "value": "PAVAD" + }, + { + "id": "urn:altinn:rolecode", + "value": "SIGNE" + }, + { + "id": "urn:altinn:rolecode", + "value": "UIHTL" + }, + { + "id": "urn:altinn:rolecode", + "value": "KOMAB" + }, + { + "id": "urn:altinn:rolecode", + "value": "LEDE" + }, + { + "id": "urn:altinn:rolecode", + "value": "DAGL" + }, + { + "id": "urn:altinn:rolecode", + "value": "ECKEYROLE" + }, + { + "id": "urn:altinn:rolecode", + "value": "HADM" + }, + { + "id": "urn:altinn:rolecode", + "value": "PASIG" + }, + { + "id": "urn:altinn:rolecode", + "value": "A0278" + }, + { + "id": "urn:altinn:rolecode", + "value": "A0236" + }, + { + "id": "urn:altinn:rolecode", + "value": "A0212" + }, + { + "id": "urn:altinn:rolecode", + "value": "A0293" + }, + { + "id": "urn:altinn:rolecode", + "value": "A0294" + }, + { + "id": "urn:altinn:rolecode", + "value": "APIADM" + } + ], + "policySubjects": [ + [ + { + "matchFound": null, + "id": "urn:altinn:rolecode", + 
"value": "DAGL" + } + ] + ] + } + ] } ] diff --git a/src/apps/Altinn.AccessManagement/test/AccessMgmt.Tests/Data/Json/RightsQuery/ttd_rf-0002/from_p50005545/to_u20000490/expected_rights_returnall_true.json b/src/apps/Altinn.AccessManagement/test/AccessMgmt.Tests/Data/Json/RightsQuery/ttd_rf-0002/from_p50005545/to_u20000490/expected_rights_returnall_true.json index 086880c30..a7713c0d4 100644 --- a/src/apps/Altinn.AccessManagement/test/AccessMgmt.Tests/Data/Json/RightsQuery/ttd_rf-0002/from_p50005545/to_u20000490/expected_rights_returnall_true.json +++ b/src/apps/Altinn.AccessManagement/test/AccessMgmt.Tests/Data/Json/RightsQuery/ttd_rf-0002/from_p50005545/to_u20000490/expected_rights_returnall_true.json 
@@ -1296,5 +1296,136 @@ ] } ] + }, + { + "rightKey": "app_ttd_rf-0002:access", + "resource": [ + { + "id": "urn:altinn:resource", + "value": "app_ttd_rf-0002" + } + ], + "action": "access", + "hasPermit": true, + "rightSources": [ + { + "rightSourceType": "AppPolicy", + "policyId": "urn:altinn:example:policyid:1", + "policyVersion": "1.0", + "ruleId": "urn:altinn:example:ruleid:7", + "hasPermit": true, + "userSubjects": [ + { + "id": "urn:altinn:rolecode", + "value": "LOPER" + }, + { + "id": "urn:altinn:rolecode", + "value": "ADMAI" + }, + { + "id": "urn:altinn:rolecode", + "value": "REGNA" + }, + { + "id": "urn:altinn:rolecode", + "value": "SISKD" + }, + { + "id": "urn:altinn:rolecode", + "value": "UILUF" + }, + { + "id": "urn:altinn:rolecode", + "value": "UTINN" + }, + { + "id": "urn:altinn:rolecode", + "value": "UTOMR" + }, + { + "id": "urn:altinn:rolecode", + "value": "KLADM" + }, + { + "id": "urn:altinn:rolecode", + "value": "ATTST" + }, + { + "id": "urn:altinn:rolecode", + "value": "HVASK" + }, + { + "id": "urn:altinn:rolecode", + "value": "PAVAD" + }, + { + "id": "urn:altinn:rolecode", + "value": "SIGNE" + }, + { + "id": "urn:altinn:rolecode", + "value": "UIHTL" + }, + { + "id": "urn:altinn:rolecode", + "value": "KOMAB" + }, + { + "id": "urn:altinn:rolecode", + "value": "LEDE" + }, + { + "id": "urn:altinn:rolecode", + "value": "DAGL" + }, + { + "id": "urn:altinn:rolecode", + "value": "ECKEYROLE" + }, + { + "id": "urn:altinn:rolecode", + "value": "HADM" + }, + { + "id": "urn:altinn:rolecode", + "value": "PASIG" + }, + { + "id": "urn:altinn:rolecode", + "value": "A0278" + }, + { + "id": "urn:altinn:rolecode", + "value": "A0236" + }, + { + "id": "urn:altinn:rolecode", + "value": "A0212" + }, + { + "id": "urn:altinn:rolecode", + "value": "A0293" + }, + { + "id": "urn:altinn:rolecode", + "value": "A0294" + }, + { + "id": "urn:altinn:rolecode", + "value": "APIADM" + } + ], + "policySubjects": [ + [ + { + "matchFound": null, + "id": "urn:altinn:rolecode", + 
"value": "DAGL" + } + ] + ] + } + ] } ] diff --git a/src/apps/Altinn.AccessManagement/test/AccessMgmt.Tests/Data/Xacml/3.0/AltinnApps/ttd/rf-0002/policy.xml b/src/apps/Altinn.AccessManagement/test/AccessMgmt.Tests/Data/Xacml/3.0/AltinnApps/ttd/rf-0002/policy.xml index 31df7c2bd..8ebe798fb 100644 --- a/src/apps/Altinn.AccessManagement/test/AccessMgmt.Tests/Data/Xacml/3.0/AltinnApps/ttd/rf-0002/policy.xml +++ b/src/apps/Altinn.AccessManagement/test/AccessMgmt.Tests/Data/Xacml/3.0/AltinnApps/ttd/rf-0002/policy.xml @@ -220,6 +220,68 @@ + + Invalid rule that tries to define that DAGL can read a totally different app then ttd/rf-0002: ttd/rf-h4x0r + + + + + DAGL + + + + + + + + ttd + + + + rf-h4x0r + + + + + + + + read + + + + + + + + Valid rule using app resourceId to define that DAGL have Access action using the app resource identifier + + + + + DAGL + + + + + + + + app_ttd_rf-0002 + + + + + + + + access + + + + + + diff --git a/src/apps/Altinn.AccessManagement/test/AccessMgmt.Tests/Data/blobs/input/ttd/rf-0002/policy.xml b/src/apps/Altinn.AccessManagement/test/AccessMgmt.Tests/Data/blobs/input/ttd/rf-0002/policy.xml index 31df7c2bd..8ebe798fb 100644 --- a/src/apps/Altinn.AccessManagement/test/AccessMgmt.Tests/Data/blobs/input/ttd/rf-0002/policy.xml +++ b/src/apps/Altinn.AccessManagement/test/AccessMgmt.Tests/Data/blobs/input/ttd/rf-0002/policy.xml @@ -220,6 +220,68 @@ + + Invalid rule that tries to define that DAGL can read a totally different app then ttd/rf-0002: ttd/rf-h4x0r + + + + + DAGL + + + + + + + + ttd + + + + rf-h4x0r + + + + + + + + read + + + + + + + + Valid rule using app resourceId to define that DAGL have Access action using the app resource identifier + + + + + DAGL + + + + + + + + app_ttd_rf-0002 + + + + + + + + access + + + + + +