From 20cc9d596603ef2793d33e24553689b98a90420b Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Jon=20Kjetil=20=C3=98ye?= Date: Tue, 1 Jul 2025 11:24:12 +0200 Subject: [PATCH 1/3] AccMgmt | DelegationCheck ignore policy rules not matching resource identifiers of the originating resource #797 --- .../Services/PolicyInformationPoint.cs | 14 +++++--- .../3.0/AltinnApps/ttd/rf-0002/policy.xml | 33 +++++++++++++++++++ .../Data/blobs/input/ttd/rf-0002/policy.xml | 33 +++++++++++++++++++ 3 files changed, 76 insertions(+), 4 deletions(-) diff --git a/src/apps/Altinn.AccessManagement/src/Altinn.AccessManagement.Core/Services/PolicyInformationPoint.cs b/src/apps/Altinn.AccessManagement/src/Altinn.AccessManagement.Core/Services/PolicyInformationPoint.cs index 35dce29c8..bffc55e82 100644 --- a/src/apps/Altinn.AccessManagement/src/Altinn.AccessManagement.Core/Services/PolicyInformationPoint.cs +++ b/src/apps/Altinn.AccessManagement/src/Altinn.AccessManagement.Core/Services/PolicyInformationPoint.cs @@ -133,7 +133,7 @@ public async Task> GetRights(RightsQuery rightsQuery, bool returnAll { List userRoleAttributeMatches = RightsHelper.GetRoleAttributeMatches(userRoles); RightSourceType policyType = resourceMatchType == ResourceAttributeMatchType.ResourceRegistry ? RightSourceType.ResourceRegistryPolicy : RightSourceType.AppPolicy; - EnrichRightsDictionaryWithRightsFromPolicy(result, policy, policyType, userRoleAttributeMatches, minimumAuthenticationLevel: minimumAuthenticationLevel, returnAllPolicyRights: returnAllPolicyRights, getDelegableRights: getDelegableRights); + EnrichRightsDictionaryWithRightsFromPolicy(result, policy, rightsQuery.Resource.AuthorizationReference, policyType, userRoleAttributeMatches, minimumAuthenticationLevel: minimumAuthenticationLevel, returnAllPolicyRights: returnAllPolicyRights, getDelegableRights: getDelegableRights); } // Delegation Policy Rights 
@@ -143,7 +143,7 @@ public async Task> GetRights(RightsQuery rightsQuery, bool returnAll { XacmlPolicy delegationPolicy = await _prp.GetPolicyVersionAsync(delegation.BlobStoragePolicyPath, delegation.BlobStorageVersionId, cancellationToken); List subjects = RightsHelper.GetDelegationSubjectAttributeMatches(delegation); - EnrichRightsDictionaryWithRightsFromPolicy(result, delegationPolicy, RightSourceType.DelegationPolicy, subjects, minimumAuthenticationLevel: minimumAuthenticationLevel, delegationOfferedByPartyId: delegation.OfferedByPartyId, getDelegableRights: getDelegableRights); + EnrichRightsDictionaryWithRightsFromPolicy(result, delegationPolicy, rightsQuery.Resource.AuthorizationReference, RightSourceType.DelegationPolicy, subjects, minimumAuthenticationLevel: minimumAuthenticationLevel, delegationOfferedByPartyId: delegation.OfferedByPartyId, getDelegableRights: getDelegableRights); } if (returnAllPolicyRights) @@ -172,7 +172,7 @@ public async Task> GetDelegableRightsByApp(RightsQuery rightsQuery, int minimumAuthenticationLevel = PolicyHelper.GetMinimumAuthenticationLevelFromXacmlPolicy(policy); RightSourceType policyType = rightsQuery.Resource.ResourceType == ResourceType.AltinnApp ? RightSourceType.AppPolicy : RightSourceType.ResourceRegistryPolicy; - EnrichRightsDictionaryWithRightsFromPolicy(result, policy, policyType, rightsQuery.To, minimumAuthenticationLevel: minimumAuthenticationLevel, returnAllPolicyRights: false, getDelegableRights: true); + EnrichRightsDictionaryWithRightsFromPolicy(result, policy, rightsQuery.Resource.AuthorizationReference, policyType, rightsQuery.To, minimumAuthenticationLevel: minimumAuthenticationLevel, returnAllPolicyRights: false, getDelegableRights: true); return result.Values.Where(r => r.CanDelegate.HasValue && r.CanDelegate.Value).ToList(); } 
@@ -550,7 +550,7 @@ private static void AddAttributeMatchToRule(XacmlMatch xacmlMatch, Rule rule) } } - private static void EnrichRightsDictionaryWithRightsFromPolicy(Dictionary rights, XacmlPolicy policy, RightSourceType policySourceType, List subjectMatches, int minimumAuthenticationLevel = 0, int delegationOfferedByPartyId = 0, bool returnAllPolicyRights = false, bool getDelegableRights = false) + private static void EnrichRightsDictionaryWithRightsFromPolicy(Dictionary rights, XacmlPolicy policy, List policyResource, RightSourceType policySourceType, List subjectMatches, int minimumAuthenticationLevel = 0, int delegationOfferedByPartyId = 0, bool returnAllPolicyRights = false, bool getDelegableRights = false) { PolicyDecisionPoint pdp = new PolicyDecisionPoint(); @@ -563,6 +563,12 @@ private static void EnrichRightsDictionaryWithRightsFromPolicy(Dictionary ruleRights = PolicyHelper.GetRightsFromXacmlRules(rule.SingleToList()); foreach (Right ruleRight in ruleRights) { + // If rule from policy does not match the resource of the originating policy, skip it + if (!policyResource.All(pr => ruleRight.Resource.Any(r => pr.Id.Equals(r.Id, StringComparison.OrdinalIgnoreCase) && pr.Value.Equals(r.Value, StringComparison.OrdinalIgnoreCase)))) + { + continue; + } + ICollection contextAttributes = PolicyHelper.GetContextAttributes(subjectMatches, ruleRight.Resource, ruleRight.Action.SingleToList()); XacmlContextRequest authRequest = new XacmlContextRequest(false, false, contextAttributes); diff --git a/src/apps/Altinn.AccessManagement/test/AccessMgmt.Tests/Data/Xacml/3.0/AltinnApps/ttd/rf-0002/policy.xml b/src/apps/Altinn.AccessManagement/test/AccessMgmt.Tests/Data/Xacml/3.0/AltinnApps/ttd/rf-0002/policy.xml index 31df7c2bd..f752308d5 100644 --- a/src/apps/Altinn.AccessManagement/test/AccessMgmt.Tests/Data/Xacml/3.0/AltinnApps/ttd/rf-0002/policy.xml +++ b/src/apps/Altinn.AccessManagement/test/AccessMgmt.Tests/Data/Xacml/3.0/AltinnApps/ttd/rf-0002/policy.xml 
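Review bot: The new filter in the `@@ -563,6 +563,12 @@` hunk is a containment test, not an equality test, and the comment above it says the opposite: `policyResource.All(pr => ruleRight.Resource.Any(...))` accepts any rule whose resource carries every attribute of the queried resource, including rules that add further attributes, while the comment speaks of rules that "do not match the resource". If that superset behaviour is intended, say so in the comment, e.g. `// Skip rules whose resource lacks any attribute of the queried resource; rules carrying extra (more specific) attributes are kept`; if it is not, the check also needs `ruleRight.Resource` to contain nothing beyond `policyResource`. Note also that `All` over an empty `policyResource` is vacuously true, so an empty authorization reference disables the filter and a null one throws; the condition should fail closed, e.g. `if (policyResource is not { Count: > 0 } || !policyResource.All(...)) { continue; }`. The same applies to the nested form this line becomes in the second patch. The enclosing `EnrichRightsDictionaryWithRightsFromPolicy` body continues outside the hunk.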
@@ -220,6 +220,39 @@ + + Invalid rule that tries to define that DAGL can read a totally different app then ttd/rf-0002: ttd/rf-h4x0r + + + + + DAGL + + + + + + + + ttd + + + + rf-h4x0r + + + + + + + + read + + + + + + diff --git a/src/apps/Altinn.AccessManagement/test/AccessMgmt.Tests/Data/blobs/input/ttd/rf-0002/policy.xml b/src/apps/Altinn.AccessManagement/test/AccessMgmt.Tests/Data/blobs/input/ttd/rf-0002/policy.xml index 31df7c2bd..f752308d5 100644 --- a/src/apps/Altinn.AccessManagement/test/AccessMgmt.Tests/Data/blobs/input/ttd/rf-0002/policy.xml +++ b/src/apps/Altinn.AccessManagement/test/AccessMgmt.Tests/Data/blobs/input/ttd/rf-0002/policy.xml @@ -220,6 +220,39 @@ + + Invalid rule that tries to define that DAGL can read a totally different app then ttd/rf-0002: ttd/rf-h4x0r + + + + + DAGL + + + + + + + + ttd + + + + rf-h4x0r + + + + + + + + read + + + + + + From 9430411671265bfb6d442251b0574cff67b3c33c Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Jon=20Kjetil=20=C3=98ye?= Date: Tue, 1 Jul 2025 13:15:31 +0200 Subject: [PATCH 2/3] Added support for Apps to use both Org/App attributes or ResourceRegistry attribute --- .../Services/PolicyInformationPoint.cs | 29 +++++++++++++++---- 1 file changed, 24 insertions(+), 5 deletions(-) diff --git a/src/apps/Altinn.AccessManagement/src/Altinn.AccessManagement.Core/Services/PolicyInformationPoint.cs b/src/apps/Altinn.AccessManagement/src/Altinn.AccessManagement.Core/Services/PolicyInformationPoint.cs index bffc55e82..f24db9364 100644 --- a/src/apps/Altinn.AccessManagement/src/Altinn.AccessManagement.Core/Services/PolicyInformationPoint.cs +++ b/src/apps/Altinn.AccessManagement/src/Altinn.AccessManagement.Core/Services/PolicyInformationPoint.cs 
@@ -129,11 +129,13 @@ public async Task> GetRights(RightsQuery rightsQuery, bool returnAll } int minimumAuthenticationLevel = PolicyHelper.GetMinimumAuthenticationLevelFromXacmlPolicy(policy); + var validPolicyResourceAttributes = GetValidResourceAttributes(rightsQuery.Resource); + if (userRoles.Any() || returnAllPolicyRights || getDelegableRights) { List userRoleAttributeMatches = RightsHelper.GetRoleAttributeMatches(userRoles); RightSourceType policyType = resourceMatchType == ResourceAttributeMatchType.ResourceRegistry ? RightSourceType.ResourceRegistryPolicy : RightSourceType.AppPolicy; - EnrichRightsDictionaryWithRightsFromPolicy(result, policy, rightsQuery.Resource.AuthorizationReference, policyType, userRoleAttributeMatches, minimumAuthenticationLevel: minimumAuthenticationLevel, returnAllPolicyRights: returnAllPolicyRights, getDelegableRights: getDelegableRights); + EnrichRightsDictionaryWithRightsFromPolicy(result, policy, validPolicyResourceAttributes, policyType, userRoleAttributeMatches, minimumAuthenticationLevel: minimumAuthenticationLevel, returnAllPolicyRights: returnAllPolicyRights, getDelegableRights: getDelegableRights); } // Delegation Policy Rights 
@@ -143,7 +145,7 @@ public async Task> GetRights(RightsQuery rightsQuery, bool returnAll { XacmlPolicy delegationPolicy = await _prp.GetPolicyVersionAsync(delegation.BlobStoragePolicyPath, delegation.BlobStorageVersionId, cancellationToken); List subjects = RightsHelper.GetDelegationSubjectAttributeMatches(delegation); - EnrichRightsDictionaryWithRightsFromPolicy(result, delegationPolicy, rightsQuery.Resource.AuthorizationReference, RightSourceType.DelegationPolicy, subjects, minimumAuthenticationLevel: minimumAuthenticationLevel, delegationOfferedByPartyId: delegation.OfferedByPartyId, getDelegableRights: getDelegableRights); + EnrichRightsDictionaryWithRightsFromPolicy(result, delegationPolicy, validPolicyResourceAttributes, RightSourceType.DelegationPolicy, subjects, minimumAuthenticationLevel: minimumAuthenticationLevel, delegationOfferedByPartyId: delegation.OfferedByPartyId, getDelegableRights: getDelegableRights); } if (returnAllPolicyRights) @@ -172,7 +174,9 @@ public async Task> GetDelegableRightsByApp(RightsQuery rightsQuery, int minimumAuthenticationLevel = PolicyHelper.GetMinimumAuthenticationLevelFromXacmlPolicy(policy); RightSourceType policyType = rightsQuery.Resource.ResourceType == ResourceType.AltinnApp ? RightSourceType.AppPolicy : RightSourceType.ResourceRegistryPolicy; - EnrichRightsDictionaryWithRightsFromPolicy(result, policy, rightsQuery.Resource.AuthorizationReference, policyType, rightsQuery.To, minimumAuthenticationLevel: minimumAuthenticationLevel, returnAllPolicyRights: false, getDelegableRights: true); + var validPolicyResourceAttributes = GetValidResourceAttributes(rightsQuery.Resource); + + EnrichRightsDictionaryWithRightsFromPolicy(result, policy, validPolicyResourceAttributes, policyType, rightsQuery.To, minimumAuthenticationLevel: minimumAuthenticationLevel, returnAllPolicyRights: false, getDelegableRights: true); return result.Values.Where(r => r.CanDelegate.HasValue && r.CanDelegate.Value).ToList(); } 
@@ -309,6 +313,21 @@ public async Task> GetInstanceDelegations(A return result; } + private static List> GetValidResourceAttributes(ServiceResource resource) + { + var validResourceAttributes = new List> + { + resource.AuthorizationReference + }; + + if (resource.ResourceType == ResourceType.AltinnApp) + { + validResourceAttributes.Add(new List { new AttributeMatch(AltinnXacmlConstants.MatchAttributeIdentifiers.ResourceRegistryAttribute, resource.Identifier) }); + } + + return validResourceAttributes; + } + private static List GetRightsFromPolicy(XacmlPolicy policy) { List result = new List(); @@ -550,7 +569,7 @@ private static void AddAttributeMatchToRule(XacmlMatch xacmlMatch, Rule rule) } } - private static void EnrichRightsDictionaryWithRightsFromPolicy(Dictionary rights, XacmlPolicy policy, List policyResource, RightSourceType policySourceType, List subjectMatches, int minimumAuthenticationLevel = 0, int delegationOfferedByPartyId = 0, bool returnAllPolicyRights = false, bool getDelegableRights = false) + private static void EnrichRightsDictionaryWithRightsFromPolicy(Dictionary rights, XacmlPolicy policy, List> validResourceAttr, RightSourceType policySourceType, List subjectMatches, int minimumAuthenticationLevel = 0, int delegationOfferedByPartyId = 0, bool returnAllPolicyRights = false, bool getDelegableRights = false) { PolicyDecisionPoint pdp = new PolicyDecisionPoint(); @@ -564,7 +583,7 @@ private static void EnrichRightsDictionaryWithRightsFromPolicy(Dictionary ruleRight.Resource.Any(r => pr.Id.Equals(r.Id, StringComparison.OrdinalIgnoreCase) && pr.Value.Equals(r.Value, StringComparison.OrdinalIgnoreCase)))) + if (!validResourceAttr.Any(attrSet => attrSet.All(attr => ruleRight.Resource.Any(r => attr.Id.Equals(r.Id, StringComparison.OrdinalIgnoreCase) && attr.Value.Equals(r.Value, StringComparison.OrdinalIgnoreCase))))) { continue; } From d434309892e391820ab5718611d0f85f7548d63f Mon Sep 17 00:00:00 2001 
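Review bot: `GetValidResourceAttributes` only adds the org/app → `urn:altinn:resource` direction, so an app queried as `urn:altinn:resource = app_ttd_rf-0002` (which the third patch's `GetResource` classifies as `ResourceType.AltinnApp`) ends up with the same single-attribute set listed twice and rules written with `urn:altinn:org`/`urn:altinn:app` are still dropped by the filter. If both spellings are meant to be interchangeable for apps, as the commit title suggests, also derive the org/app pair when `AuthorizationReference` does not contain it (the identifier is `app_{org}_{app}`, so this is a split on the first two underscores provided app names cannot contain `_`), or document the asymmetry. The helper also needs an XML summary, e.g. `/// <summary>Returns the alternative attribute sets a policy rule may use to identify <paramref name="resource"/>; a rule matches if it carries every attribute of at least one set.</summary>`.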
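Review bot: In the `@@ -564,7 +583,7 @@` hunk, `attrSet.All(...)` is vacuously true for an empty attribute set, so if `resource.AuthorizationReference` is empty (the first element `GetValidResourceAttributes` always adds) every rule in the policy passes the filter, which is exactly the cross-resource grant #797 is closing. The check should fail closed on an empty or null set: `if (!validResourceAttr.Any(attrSet => attrSet is { Count: > 0 } && attrSet.All(attr => ruleRight.Resource.Any(r => attr.Id.Equals(r.Id, StringComparison.OrdinalIgnoreCase) && attr.Value.Equals(r.Value, StringComparison.OrdinalIgnoreCase)))))`. The comment above the condition (outside this hunk) should also state that a rule with additional, more specific resource attributes is still accepted, since the test is containment rather than equality. `EnrichRightsDictionaryWithRightsFromPolicy` starts and ends outside the hunk.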
From: =?UTF-8?q?Jon=20Kjetil=20=C3=98ye?= Date: Tue, 1 Jul 2025 20:45:37 +0200 Subject: [PATCH 3/3] Add support for mixing app resourceId and org/app attributes on delegation --- .../Services/SingleRightsService.cs | 7 +- .../Models/Rights/RightsQueryExternal.cs | 19 ++- .../expected_rights_returnall_false.json | 127 +++++++++++++++++ .../expected_rights_returnall_true.json | 127 +++++++++++++++++ .../expected_rights_returnall_false.json | 131 ++++++++++++++++++ .../expected_rights_returnall_true.json | 131 ++++++++++++++++++ .../3.0/AltinnApps/ttd/rf-0002/policy.xml | 29 ++++ .../Data/blobs/input/ttd/rf-0002/policy.xml | 29 ++++ 8 files changed, 592 insertions(+), 8 deletions(-) diff --git a/src/apps/Altinn.AccessManagement/src/Altinn.AccessManagement.Core/Services/SingleRightsService.cs b/src/apps/Altinn.AccessManagement/src/Altinn.AccessManagement.Core/Services/SingleRightsService.cs index 1def59d37..e95ddce73 100644 --- a/src/apps/Altinn.AccessManagement/src/Altinn.AccessManagement.Core/Services/SingleRightsService.cs +++ b/src/apps/Altinn.AccessManagement/src/Altinn.AccessManagement.Core/Services/SingleRightsService.cs @@ -554,7 +554,12 @@ private static bool ValidateAllRightsAreForTheSameResource(List rights) foreach (Right right in rights) { DelegationHelper.TryGetResourceFromAttributeMatch(right.Resource, out ResourceAttributeMatchType resourceMatchType, out string resourceRegistryId, out string org, out string app, out string serviceCode, out string serviceEditionCode); - string currentResourceKey = $"{resourceMatchType}{resourceRegistryId}{org}{app}{serviceCode}{serviceEditionCode}"; + if (resourceMatchType == ResourceAttributeMatchType.AltinnAppId) + { + resourceRegistryId = $"app_{org.ToLower()}_{app.ToLower()}"; + } + + string currentResourceKey = $"{resourceRegistryId}{serviceCode}{serviceEditionCode}"; if (firstResourceKey == string.Empty) { 
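Review bot: `org.ToLower()` and `app.ToLower()` are culture-sensitive (under a Turkish culture `I` does not lower-case to `i`), and the `ResourceRegistry` branch is not normalised at all, so a right expressed as `urn:altinn:resource = App_TTD_rf-0002` and one expressed as org/app produce different keys even though the policy filter compares them with `OrdinalIgnoreCase`; build the key with one invariant normalisation, e.g. `resourceRegistryId = $"app_{org}_{app}";` followed by `string currentResourceKey = $"{resourceRegistryId}|{serviceCode}|{serviceEditionCode}".ToLowerInvariant();`. The separators also remove the chance of two different resources collapsing to the same concatenated key. The return value of `TryGetResourceFromAttributeMatch` is still ignored, so if the `AltinnAppId` match type can be reported with a null `org` or `app` the new branch throws; confirm that helper guarantees both are set for that match type. `ValidateAllRightsAreForTheSameResource` starts and ends outside the hunk.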
diff --git a/src/apps/Altinn.AccessManagement/src/Altinn.AccessManagement/Models/Rights/RightsQueryExternal.cs b/src/apps/Altinn.AccessManagement/src/Altinn.AccessManagement/Models/Rights/RightsQueryExternal.cs index c2aa4aacf..e869247b5 100644 --- a/src/apps/Altinn.AccessManagement/src/Altinn.AccessManagement/Models/Rights/RightsQueryExternal.cs +++ b/src/apps/Altinn.AccessManagement/src/Altinn.AccessManagement/Models/Rights/RightsQueryExternal.cs @@ -44,18 +44,23 @@ public RightsQuery ToRightsQueryInternal(IMapper mapper) Type = RightsQueryType.User, From = mapper.Map>(From), To = mapper.Map>(To), - Resource = new ServiceResource - { - Identifier = GetResourceIdentifier(Resource), - AuthorizationReference = mapper.Map>(Resource) - } + Resource = GetResource(Resource, mapper) }; } - private static string GetResourceIdentifier(List resource) + private ServiceResource GetResource(List resource, IMapper mapper) { - return resource.Find(r => r.Id == AltinnXacmlConstants.MatchAttributeIdentifiers.ResourceRegistryAttribute)?.Value ?? + var id = resource.Find(r => r.Id == AltinnXacmlConstants.MatchAttributeIdentifiers.ResourceRegistryAttribute)?.Value ?? $"app_{resource.Find(r => r.Id == AltinnXacmlConstants.MatchAttributeIdentifiers.OrgAttribute)?.Value}_{resource.Find(r => r.Id == AltinnXacmlConstants.MatchAttributeIdentifiers.AppAttribute)?.Value}"; + + var serviceResource = new ServiceResource + { + Identifier = id, + ResourceType = id.StartsWith("app_") ? ResourceType.AltinnApp : ResourceType.Default, + AuthorizationReference = mapper.Map>(resource) + }; + + return serviceResource; } } } diff --git a/src/apps/Altinn.AccessManagement/test/AccessMgmt.Tests/Data/Json/DelegableRightsQuery/ttd_rf-0002/from_p50005545/to_u20000490/expected_rights_returnall_false.json b/src/apps/Altinn.AccessManagement/test/AccessMgmt.Tests/Data/Json/DelegableRightsQuery/ttd_rf-0002/from_p50005545/to_u20000490/expected_rights_returnall_false.json index 391753a61..3f6b3040b 100644 
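Review bot: `id.StartsWith("app_")` in `GetResource` uses the current culture; identifiers should be compared ordinally, and since the policy filter treats values case-insensitively this should be `id.StartsWith("app_", StringComparison.OrdinalIgnoreCase)`. When the request carries neither `urn:altinn:resource` nor both org and app attributes, the fallback still yields an identifier such as `app__` and now classifies it as `ResourceType.AltinnApp`; unless model validation upstream guarantees one of those attribute combinations, this should be rejected here rather than turned into a synthetic app identifier. `GetResource` reads no instance state and can stay `private static` like the method it replaces, and deserves a summary, e.g. `/// <summary>Builds the internal ServiceResource from the request's resource attributes; an identifier starting with "app_" is treated as an Altinn app.</summary>`.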
--- a/src/apps/Altinn.AccessManagement/test/AccessMgmt.Tests/Data/Json/DelegableRightsQuery/ttd_rf-0002/from_p50005545/to_u20000490/expected_rights_returnall_false.json +++ b/src/apps/Altinn.AccessManagement/test/AccessMgmt.Tests/Data/Json/DelegableRightsQuery/ttd_rf-0002/from_p50005545/to_u20000490/expected_rights_returnall_false.json 
@@ -995,5 +995,132 @@ ] } ] + }, + { + "rightKey": "app_ttd_rf-0002:access", + "resource": [ + { + "id": "urn:altinn:resource", + "value": "app_ttd_rf-0002" + } + ], + "action": "access", + "canDelegate": true, + "rightSources": [ + { + "rightSourceType": "AppPolicy", + "policyId": "urn:altinn:example:policyid:1", + "policyVersion": "1.0", + "ruleId": "urn:altinn:example:ruleid:7", + "canDelegate": true, + "userSubjects": [ + { + "id": "urn:altinn:rolecode", + "value": "LOPER" + }, + { + "id": "urn:altinn:rolecode", + "value": "ADMAI" + }, + { + "id": "urn:altinn:rolecode", + "value": "REGNA" + }, + { + "id": "urn:altinn:rolecode", + "value": "SISKD" + }, + { + "id": "urn:altinn:rolecode", + "value": "UILUF" + }, + { + "id": "urn:altinn:rolecode", + "value": "UTINN" + }, + { + "id": "urn:altinn:rolecode", + "value": "UTOMR" + }, + { + "id": "urn:altinn:rolecode", + "value": "KLADM" + }, + { + "id": "urn:altinn:rolecode", + "value": "ATTST" + }, + { + "id": "urn:altinn:rolecode", + "value": "HVASK" + }, + { + "id": "urn:altinn:rolecode", + "value": "PAVAD" + }, + { + "id": "urn:altinn:rolecode", + "value": "SIGNE" + }, + { + "id": "urn:altinn:rolecode", + "value": "UIHTL" + }, + { + "id": "urn:altinn:rolecode", + "value": "KOMAB" + }, + { + "id": "urn:altinn:rolecode", + "value": "LEDE" + }, + { + "id": "urn:altinn:rolecode", + "value": "DAGL" + }, + { + "id": "urn:altinn:rolecode", + "value": "ECKEYROLE" + }, + { + "id": "urn:altinn:rolecode", + "value": "HADM" + }, + { + "id": "urn:altinn:rolecode", + "value": "PASIG" + }, + { + "id": "urn:altinn:rolecode", + "value": "A0278" + }, + { + "id": "urn:altinn:rolecode", + "value": "A0236" + }, + { + "id": "urn:altinn:rolecode", + "value": "A0212" + }, + { + "id": "urn:altinn:rolecode", + "value": "A0293" + }, + { + "id": "urn:altinn:rolecode", + "value": "A0294" + } + ], + "policySubjects": [ + [ + { + "matchFound": null, + "id": "urn:altinn:rolecode", + "value": "DAGL" + } + ] + ] + } + ] } ] 
diff --git a/src/apps/Altinn.AccessManagement/test/AccessMgmt.Tests/Data/Json/DelegableRightsQuery/ttd_rf-0002/from_p50005545/to_u20000490/expected_rights_returnall_true.json b/src/apps/Altinn.AccessManagement/test/AccessMgmt.Tests/Data/Json/DelegableRightsQuery/ttd_rf-0002/from_p50005545/to_u20000490/expected_rights_returnall_true.json index 6a10f4904..e23121b01 100644 --- a/src/apps/Altinn.AccessManagement/test/AccessMgmt.Tests/Data/Json/DelegableRightsQuery/ttd_rf-0002/from_p50005545/to_u20000490/expected_rights_returnall_true.json +++ b/src/apps/Altinn.AccessManagement/test/AccessMgmt.Tests/Data/Json/DelegableRightsQuery/ttd_rf-0002/from_p50005545/to_u20000490/expected_rights_returnall_true.json 
@@ -1260,5 +1260,132 @@ ] } ] + }, + { + "rightKey": "app_ttd_rf-0002:access", + "resource": [ + { + "id": "urn:altinn:resource", + "value": "app_ttd_rf-0002" + } + ], + "action": "access", + "canDelegate": true, + "rightSources": [ + { + "rightSourceType": "AppPolicy", + "policyId": "urn:altinn:example:policyid:1", + "policyVersion": "1.0", + "ruleId": "urn:altinn:example:ruleid:7", + "canDelegate": true, + "userSubjects": [ + { + "id": "urn:altinn:rolecode", + "value": "LOPER" + }, + { + "id": "urn:altinn:rolecode", + "value": "ADMAI" + }, + { + "id": "urn:altinn:rolecode", + "value": "REGNA" + }, + { + "id": "urn:altinn:rolecode", + "value": "SISKD" + }, + { + "id": "urn:altinn:rolecode", + "value": "UILUF" + }, + { + "id": "urn:altinn:rolecode", + "value": "UTINN" + }, + { + "id": "urn:altinn:rolecode", + "value": "UTOMR" + }, + { + "id": "urn:altinn:rolecode", + "value": "KLADM" + }, + { + "id": "urn:altinn:rolecode", + "value": "ATTST" + }, + { + "id": "urn:altinn:rolecode", + "value": "HVASK" + }, + { + "id": "urn:altinn:rolecode", + "value": "PAVAD" + }, + { + "id": "urn:altinn:rolecode", + "value": "SIGNE" + }, + { + "id": "urn:altinn:rolecode", + "value": "UIHTL" + }, + { + "id": "urn:altinn:rolecode", + "value": "KOMAB" + }, + { + "id": "urn:altinn:rolecode", + "value": "LEDE" + }, + { + "id": "urn:altinn:rolecode", + "value": "DAGL" + }, + { + "id": "urn:altinn:rolecode", + "value": "ECKEYROLE" + }, + { + "id": "urn:altinn:rolecode", + "value": "HADM" + }, + { + "id": "urn:altinn:rolecode", + "value": "PASIG" + }, + { + "id": "urn:altinn:rolecode", + "value": "A0278" + }, + { + "id": "urn:altinn:rolecode", + "value": "A0236" + }, + { + "id": "urn:altinn:rolecode", + "value": "A0212" + }, + { + "id": "urn:altinn:rolecode", + "value": "A0293" + }, + { + "id": "urn:altinn:rolecode", + "value": "A0294" + } + ], + "policySubjects": [ + [ + { + "matchFound": null, + "id": "urn:altinn:rolecode", + "value": "DAGL" + } + ] + ] + } + ] } ] 
diff --git a/src/apps/Altinn.AccessManagement/test/AccessMgmt.Tests/Data/Json/RightsQuery/ttd_rf-0002/from_p50005545/to_u20000490/expected_rights_returnall_false.json b/src/apps/Altinn.AccessManagement/test/AccessMgmt.Tests/Data/Json/RightsQuery/ttd_rf-0002/from_p50005545/to_u20000490/expected_rights_returnall_false.json index 4dd4d1d75..f6f53e5e6 100644 --- a/src/apps/Altinn.AccessManagement/test/AccessMgmt.Tests/Data/Json/RightsQuery/ttd_rf-0002/from_p50005545/to_u20000490/expected_rights_returnall_false.json +++ b/src/apps/Altinn.AccessManagement/test/AccessMgmt.Tests/Data/Json/RightsQuery/ttd_rf-0002/from_p50005545/to_u20000490/expected_rights_returnall_false.json 
@@ -1022,5 +1022,136 @@ ] } ] + }, + { + "rightKey": "app_ttd_rf-0002:access", + "resource": [ + { + "id": "urn:altinn:resource", + "value": "app_ttd_rf-0002" + } + ], + "action": "access", + "hasPermit": true, + "rightSources": [ + { + "rightSourceType": "AppPolicy", + "policyId": "urn:altinn:example:policyid:1", + "policyVersion": "1.0", + "ruleId": "urn:altinn:example:ruleid:7", + "hasPermit": true, + "userSubjects": [ + { + "id": "urn:altinn:rolecode", + "value": "LOPER" + }, + { + "id": "urn:altinn:rolecode", + "value": "ADMAI" + }, + { + "id": "urn:altinn:rolecode", + "value": "REGNA" + }, + { + "id": "urn:altinn:rolecode", + "value": "SISKD" + }, + { + "id": "urn:altinn:rolecode", + "value": "UILUF" + }, + { + "id": "urn:altinn:rolecode", + "value": "UTINN" + }, + { + "id": "urn:altinn:rolecode", + "value": "UTOMR" + }, + { + "id": "urn:altinn:rolecode", + "value": "KLADM" + }, + { + "id": "urn:altinn:rolecode", + "value": "ATTST" + }, + { + "id": "urn:altinn:rolecode", + "value": "HVASK" + }, + { + "id": "urn:altinn:rolecode", + "value": "PAVAD" + }, + { + "id": "urn:altinn:rolecode", + "value": "SIGNE" + }, + { + "id": "urn:altinn:rolecode", + "value": "UIHTL" + }, + { + "id": "urn:altinn:rolecode", + "value": "KOMAB" + }, + { + "id": "urn:altinn:rolecode", + "value": "LEDE" + }, + { + "id": "urn:altinn:rolecode", + "value": "DAGL" + }, + { + "id": "urn:altinn:rolecode", + "value": "ECKEYROLE" + }, + { + "id": "urn:altinn:rolecode", + "value": "HADM" + }, + { + "id": "urn:altinn:rolecode", + "value": "PASIG" + }, + { + "id": "urn:altinn:rolecode", + "value": "A0278" + }, + { + "id": "urn:altinn:rolecode", + "value": "A0236" + }, + { + "id": "urn:altinn:rolecode", + "value": "A0212" + }, + { + "id": "urn:altinn:rolecode", + "value": "A0293" + }, + { + "id": "urn:altinn:rolecode", + "value": "A0294" + }, + { + "id": "urn:altinn:rolecode", + "value": "APIADM" + } + ], + "policySubjects": [ + [ + { + "matchFound": null, + "id": "urn:altinn:rolecode", + 
"value": "DAGL" + } + ] + ] + } + ] } ] diff --git a/src/apps/Altinn.AccessManagement/test/AccessMgmt.Tests/Data/Json/RightsQuery/ttd_rf-0002/from_p50005545/to_u20000490/expected_rights_returnall_true.json b/src/apps/Altinn.AccessManagement/test/AccessMgmt.Tests/Data/Json/RightsQuery/ttd_rf-0002/from_p50005545/to_u20000490/expected_rights_returnall_true.json index 086880c30..a7713c0d4 100644 --- a/src/apps/Altinn.AccessManagement/test/AccessMgmt.Tests/Data/Json/RightsQuery/ttd_rf-0002/from_p50005545/to_u20000490/expected_rights_returnall_true.json +++ b/src/apps/Altinn.AccessManagement/test/AccessMgmt.Tests/Data/Json/RightsQuery/ttd_rf-0002/from_p50005545/to_u20000490/expected_rights_returnall_true.json 
@@ -1296,5 +1296,136 @@ ] } ] + }, + { + "rightKey": "app_ttd_rf-0002:access", + "resource": [ + { + "id": "urn:altinn:resource", + "value": "app_ttd_rf-0002" + } + ], + "action": "access", + "hasPermit": true, + "rightSources": [ + { + "rightSourceType": "AppPolicy", + "policyId": "urn:altinn:example:policyid:1", + "policyVersion": "1.0", + "ruleId": "urn:altinn:example:ruleid:7", + "hasPermit": true, + "userSubjects": [ + { + "id": "urn:altinn:rolecode", + "value": "LOPER" + }, + { + "id": "urn:altinn:rolecode", + "value": "ADMAI" + }, + { + "id": "urn:altinn:rolecode", + "value": "REGNA" + }, + { + "id": "urn:altinn:rolecode", + "value": "SISKD" + }, + { + "id": "urn:altinn:rolecode", + "value": "UILUF" + }, + { + "id": "urn:altinn:rolecode", + "value": "UTINN" + }, + { + "id": "urn:altinn:rolecode", + "value": "UTOMR" + }, + { + "id": "urn:altinn:rolecode", + "value": "KLADM" + }, + { + "id": "urn:altinn:rolecode", + "value": "ATTST" + }, + { + "id": "urn:altinn:rolecode", + "value": "HVASK" + }, + { + "id": "urn:altinn:rolecode", + "value": "PAVAD" + }, + { + "id": "urn:altinn:rolecode", + "value": "SIGNE" + }, + { + "id": "urn:altinn:rolecode", + "value": "UIHTL" + }, + { + "id": "urn:altinn:rolecode", + "value": "KOMAB" + }, + { + "id": "urn:altinn:rolecode", + "value": "LEDE" + }, + { + "id": "urn:altinn:rolecode", + "value": "DAGL" + }, + { + "id": "urn:altinn:rolecode", + "value": "ECKEYROLE" + }, + { + "id": "urn:altinn:rolecode", + "value": "HADM" + }, + { + "id": "urn:altinn:rolecode", + "value": "PASIG" + }, + { + "id": "urn:altinn:rolecode", + "value": "A0278" + }, + { + "id": "urn:altinn:rolecode", + "value": "A0236" + }, + { + "id": "urn:altinn:rolecode", + "value": "A0212" + }, + { + "id": "urn:altinn:rolecode", + "value": "A0293" + }, + { + "id": "urn:altinn:rolecode", + "value": "A0294" + }, + { + "id": "urn:altinn:rolecode", + "value": "APIADM" + } + ], + "policySubjects": [ + [ + { + "matchFound": null, + "id": "urn:altinn:rolecode", + 
"value": "DAGL" + } + ] + ] + } + ] } ] diff --git a/src/apps/Altinn.AccessManagement/test/AccessMgmt.Tests/Data/Xacml/3.0/AltinnApps/ttd/rf-0002/policy.xml b/src/apps/Altinn.AccessManagement/test/AccessMgmt.Tests/Data/Xacml/3.0/AltinnApps/ttd/rf-0002/policy.xml index f752308d5..8ebe798fb 100644 --- a/src/apps/Altinn.AccessManagement/test/AccessMgmt.Tests/Data/Xacml/3.0/AltinnApps/ttd/rf-0002/policy.xml +++ b/src/apps/Altinn.AccessManagement/test/AccessMgmt.Tests/Data/Xacml/3.0/AltinnApps/ttd/rf-0002/policy.xml @@ -253,6 +253,35 @@ + + Valid rule using app resourceId to define that DAGL have Access action using the app resource identifier + + + + + DAGL + + + + + + + + app_ttd_rf-0002 + + + + + + + + access + + + + + + diff --git a/src/apps/Altinn.AccessManagement/test/AccessMgmt.Tests/Data/blobs/input/ttd/rf-0002/policy.xml b/src/apps/Altinn.AccessManagement/test/AccessMgmt.Tests/Data/blobs/input/ttd/rf-0002/policy.xml index f752308d5..8ebe798fb 100644 --- a/src/apps/Altinn.AccessManagement/test/AccessMgmt.Tests/Data/blobs/input/ttd/rf-0002/policy.xml +++ b/src/apps/Altinn.AccessManagement/test/AccessMgmt.Tests/Data/blobs/input/ttd/rf-0002/policy.xml @@ -253,6 +253,35 @@ + + Valid rule using app resourceId to define that DAGL have Access action using the app resource identifier + + + + + DAGL + + + + + + + + app_ttd_rf-0002 + + + + + + + + access + + + + + +