Allow whitelisted resources to bypass malware scan (#1760)

* Allow whitelisted resources to bypass malware scan

* Add to infra

* Fix typo

* Generalized terminology

* Typo

* Remove unintended change

* Update current status to get correct response

* Fix error message on failed malware scan

* Align boolean inversion of virus scan concept

* Deleted irrelevant elements from test

---------

Co-authored-by: Ceredron <roar.mjelde@digdir.no>

Author: Ceredron

.azure/modules/containerApp/main.bicep

@@ -33,6 +33,7 @@ var predefinedKeyvaultSecretEnvVars = [
   { name: 'IdportenSettings__ClientId', secretName: 'idporten-client-id' }
   { name: 'IdportenSettings__ClientSecret', secretName: 'idporten-client-secret' }
   { name: 'StatisticsApiKey', secretName: 'statistics-api-key' }
+  { name: 'GeneralSettings__MalwareScanBypassWhiteList', secretName: 'malware-scan-bypass-white-list' }
 ]
 
 var setByPipelineSecretEnvVars = [

Test/Altinn.Correspondence.Tests/Common/TestConstants.cs

@@ -0,0 +1,7 @@
+namespace Altinn.Correspondence.Tests.Common
+{
+    public class TestConstants
+    {
+        public static readonly string ResourceWhitelistedForMalwareScanBypass = "correspondence-attachment-test-bypass-malware-scan";
+    }
+}

Test/Altinn.Correspondence.Tests/Factories/AttachmentBuilder.cs

@@ -57,5 +57,11 @@ public AttachmentBuilder WithExpirationInDays(int expirationInDays)
             _attachment.ExpirationInDays = expirationInDays;
             return this;
         }
+
+        public AttachmentBuilder WithResourceId(string resourceId)
+        {
+            _attachment.ResourceId = resourceId;
+            return this;
+        }
     }
 }

Test/Altinn.Correspondence.Tests/Helpers/AttachmentHelper.cs

@@ -1,10 +1,11 @@
+using Altinn.Correspondence.API.Models;
+using Altinn.Correspondence.API.Models.Enums;
+using Altinn.Correspondence.Tests.Common;
+using Altinn.Correspondence.Tests.Factories;
 using System.Net;
 using System.Net.Http.Json;
 using System.Text;
 using System.Text.Json;
-using Altinn.Correspondence.API.Models;
-using Altinn.Correspondence.API.Models.Enums;
-using Altinn.Correspondence.Tests.Factories;
 
 namespace Altinn.Correspondence.Tests.Helpers
 {
@@ -36,6 +37,24 @@ public static async Task<Guid> GetInitializedAttachment(HttpClient client, JsonS
             Assert.Equal(AttachmentStatusExt.Initialized, attachmentOverview?.Status);
             return attachmentId;
         }
+
+        public static async Task<Guid> GetInitializedAttachmentForResourceWhitelistedForBypassMalwareScan(HttpClient client, JsonSerializerOptions responseSerializerOptions, string? sender = null)
+        {
+            var tempData = new AttachmentBuilder().CreateAttachment();
+            if (sender != null)
+            {
+                tempData.WithSender(sender);
+            }
+            tempData.WithResourceId(TestConstants.ResourceWhitelistedForMalwareScanBypass);
+            var attachment = tempData.Build();
+            var initializeAttachmentResponse = await client.PostAsJsonAsync("correspondence/api/v1/attachment", attachment);
+            Assert.Equal(HttpStatusCode.OK, initializeAttachmentResponse.StatusCode);
+            var attachmentId = await initializeAttachmentResponse.Content.ReadFromJsonAsync<Guid>();
+            var attachmentOverview = await (await client.GetAsync($"correspondence/api/v1/attachment/{attachmentId}")).Content.ReadFromJsonAsync<AttachmentOverviewExt>(responseSerializerOptions);
+            Assert.Equal(AttachmentStatusExt.Initialized, attachmentOverview?.Status);
+            return attachmentId;
+        }
+
         public async static Task<Guid> GetPublishedAttachment(HttpClient client, JsonSerializerOptions responseSerializerOptions)
         {
             var attachment = new AttachmentBuilder().CreateAttachment().Build();

Test/Altinn.Correspondence.Tests/Helpers/CustomWebApplicationFactory.cs

@@ -23,6 +23,7 @@
 using System.Text.Json;
 using Altinn.Correspondence.Core.Models.Enums;
 using Altinn.Correspondence.Common.Helpers;
+using Altinn.Correspondence.Tests.Common;
 
 namespace Altinn.Correspondence.Tests.Helpers;
 
@@ -43,6 +44,10 @@ protected override void ConfigureWebHost(
         builder.UseConfiguration(new ConfigurationBuilder()
             .AddJsonFile("appsettings.json")
             .AddJsonFile("appsettings.Development.json")
+            .AddInMemoryCollection(new Dictionary<string, string?>
+            {
+                ["GeneralSettings:MalwareScanBypassWhiteList"] = TestConstants.ResourceWhitelistedForMalwareScanBypass
+            })
             .Build());
 
         // Overwrite registrations from Program.cs

Test/Altinn.Correspondence.Tests/TestingController/Attachment/AttachmentUploadTests.cs

@@ -240,15 +240,55 @@ public async Task UploadAttachmentData_InDevelopmentMode_GetsPublishedAfterSimul
             Assert.True(hostEnvironment.IsDevelopment(), "Test requires Development environment for automatic malware scan simulation");
             var attachmentId = await AttachmentHelper.GetInitializedAttachment(_senderClient, _responseSerializerOptions);
             var content = new ByteArrayContent(Encoding.UTF8.GetBytes("Test content"));
-            
+
             // Act
             var uploadResponse = await AttachmentHelper.UploadAttachment(attachmentId, _senderClient, content);
             Assert.True(uploadResponse.IsSuccessStatusCode, await uploadResponse.Content.ReadAsStringAsync());
             var attachmentOverview = await AttachmentHelper.WaitForAttachmentStatusUpdate(_senderClient, _responseSerializerOptions, attachmentId, AttachmentStatusExt.Published);
-            
+
             // Assert
             Assert.NotNull(attachmentOverview);
             Assert.Equal(AttachmentStatusExt.Published, attachmentOverview.Status);
         }
+
+        [Fact]
+        public async Task UploadAttachmentData_ToWhiteListedResource_InstantlyPublished()
+        {
+            // Arrange
+            var attachmentId = await AttachmentHelper.GetInitializedAttachmentForResourceWhitelistedForBypassMalwareScan(_senderClient, _responseSerializerOptions);
+            var contentBytes = Encoding.UTF8.GetBytes("Test content for checksum");
+            var content = new ByteArrayContent(contentBytes);
+            var expectedChecksum = AttachmentHelper.CalculateChecksum(contentBytes);
+
+            // Act
+            var uploadResponse = await AttachmentHelper.UploadAttachment(attachmentId, _senderClient, content);
+            Assert.True(uploadResponse.IsSuccessStatusCode, await uploadResponse.Content.ReadAsStringAsync());
+            var uploadedAttachmentOverview = await uploadResponse.Content.ReadFromJsonAsync<AttachmentOverviewExt>(_responseSerializerOptions);
+
+            // Assert
+            Assert.NotNull(uploadedAttachmentOverview);
+            Assert.Equal(AttachmentStatusExt.Published, uploadedAttachmentOverview.Status);
+            Assert.Equal(expectedChecksum, uploadedAttachmentOverview.Checksum);
+        }
+
+        [Fact]
+        public async Task UploadAttachmentData_ToNonWhiteListedResource_NotInstantlyPublished()
+        {
+            // Arrange
+            var attachmentId = await AttachmentHelper.GetInitializedAttachment(_senderClient, _responseSerializerOptions);
+            var contentBytes = Encoding.UTF8.GetBytes("Test content for checksum");
+            var content = new ByteArrayContent(contentBytes);
+            var expectedChecksum = AttachmentHelper.CalculateChecksum(contentBytes);
+            
+            // Act
+            var uploadResponse = await AttachmentHelper.UploadAttachment(attachmentId, _senderClient, content);
+            Assert.True(uploadResponse.IsSuccessStatusCode, await uploadResponse.Content.ReadAsStringAsync());
+            var uploadedAttachmentOverview = await uploadResponse.Content.ReadFromJsonAsync<AttachmentOverviewExt>(_responseSerializerOptions);
+            
+            // Assert
+            Assert.NotNull(uploadedAttachmentOverview);
+            Assert.NotEqual(AttachmentStatusExt.Published, uploadedAttachmentOverview.Status);
+            Assert.Equal(expectedChecksum, uploadedAttachmentOverview.Checksum);
+        }
     }
 }

src/Altinn.Correspondence.Application/Helpers/AttachmentHelper.cs

@@ -12,6 +12,8 @@
 using OneOf;
 using Hangfire;
 using System.Text.RegularExpressions;
+using Microsoft.Extensions.Options;
+using Altinn.Correspondence.Core.Options;
 
 namespace Altinn.Correspondence.Application.Helpers
 {
@@ -24,6 +26,7 @@ public class AttachmentHelper(
         IHostEnvironment hostEnvironment,
         IBackgroundJobClient backgroundJobClient,
         MalwareScanResultHandler malwareScanResultHandler,
+        IOptions<GeneralSettings> generalSettings,
         ILogger<AttachmentHelper> logger)
     {
 
@@ -37,7 +40,7 @@ public class AttachmentHelper(
         RegexOptions.IgnoreCase | RegexOptions.Compiled
         );
 
-        public async Task<OneOf<UploadAttachmentResponse, Error>> UploadAttachment(Stream file, Guid attachmentId, Guid partyUuid, bool forMigration, CancellationToken cancellationToken)
+        public async Task<OneOf<UploadAttachmentResponse, Error>> UploadAttachment(Stream file, Guid attachmentId, Guid partyUuid, CancellationToken cancellationToken)
         {
             logger.LogInformation("Start upload of attachment {attachmentId} for party {partyUuid}", attachmentId, partyUuid);
             var attachment = await attachmentRepository.GetAttachmentById(attachmentId, true, cancellationToken);
@@ -49,7 +52,8 @@ public async Task<OneOf<UploadAttachmentResponse, Error>> UploadAttachment(Strea
 
             var currentStatus = await SetAttachmentStatus(attachmentId, AttachmentStatus.UploadProcessing, partyUuid, cancellationToken);
             logger.LogInformation("Set attachment status of {attachmentId} to UploadProcessing", attachmentId);
-            var storageProvider = await GetStorageProvider(attachment, forMigration, cancellationToken);
+            var bypassMalwareScan = ShouldBypassMalwareScan(attachment);
+            var storageProvider = await GetStorageProvider(attachment, bypassMalwareScan, cancellationToken);
             var uploadResult = await UploadBlob(attachment, file, storageProvider, partyUuid, cancellationToken);
             if (uploadResult.TryPickT1(out var uploadError, out var successResult))
             {
@@ -69,11 +73,15 @@ public async Task<OneOf<UploadAttachmentResponse, Error>> UploadAttachment(Strea
 
                 if (!isValidUpdate)
                 {
-                    await SetAttachmentStatus(attachmentId, AttachmentStatus.Failed, partyUuid, cancellationToken, AttachmentStatusText.UploadFailed);
+                    currentStatus = await SetAttachmentStatus(attachmentId, AttachmentStatus.Failed, partyUuid, cancellationToken, AttachmentStatusText.UploadFailed);
                     await storageRepository.PurgeAttachment(attachment.Id, attachment.StorageProvider, cancellationToken);
                     return AttachmentErrors.UploadFailed;
                 }
-                if (hostEnvironment.IsDevelopment())
+                if (bypassMalwareScan)
+                {
+                    currentStatus = await SetAttachmentStatus(attachmentId, AttachmentStatus.Published, partyUuid, cancellationToken, "Bypassed malware scan");
+                }
+                else if (hostEnvironment.IsDevelopment())
                 {
                     logger.LogInformation("Development mode detected. Enqueing simulated malware scan result for attachment {attachmentId}", attachmentId);
                     backgroundJobClient.Enqueue<AttachmentHelper>(helper => helper.SimulateMalwareScanResult(attachmentId));
@@ -91,10 +99,20 @@ public async Task<OneOf<UploadAttachmentResponse, Error>> UploadAttachment(Strea
             }, logger, cancellationToken);
         }
 
-        public async Task<StorageProviderEntity> GetStorageProvider(AttachmentEntity attachment, bool forMigration, CancellationToken cancellationToken)
+        private bool ShouldBypassMalwareScan(AttachmentEntity attachment)
+        {
+            if (string.IsNullOrWhiteSpace(generalSettings.Value.MalwareScanBypassWhiteList))
+            {
+                return false;
+            }
+            var whiteList = generalSettings.Value.MalwareScanBypassWhiteList.Split(',').ToList();
+            return whiteList.Any(whiteListedResource => attachment.ResourceId == whiteListedResource);
+        }
+
+        public async Task<StorageProviderEntity> GetStorageProvider(AttachmentEntity attachment, bool bypassMalwareScan, CancellationToken cancellationToken)
         {
             ServiceOwnerEntity? serviceOwnerEntity = null;
-            if (forMigration)
+            if (bypassMalwareScan)
             {
                 var serviceOwnerShortHand = attachment.ResourceId.Split('-')[0];
                 serviceOwnerEntity = await serviceOwnerRepository.GetServiceOwnerByOrgCode(serviceOwnerShortHand.ToLower(), cancellationToken);
@@ -114,7 +132,7 @@ public async Task<StorageProviderEntity> GetStorageProvider(AttachmentEntity att
                 logger.LogError($"Could not find service owner entity for {attachment.ResourceId} in database");
                 //return AttachmentErrors.ServiceOwnerNotFound; // Future PR will add service owner registry as requirement when we have ensured that existing service owners have been provisioned
             }
-            return serviceOwnerEntity?.GetStorageProvider(forMigration ? false : true);
+            return serviceOwnerEntity?.GetStorageProvider(bypassMalwareScan: bypassMalwareScan);
         }
 
         private async Task<OneOf<(string? locationUrl, string? hash, long size),Error>> UploadBlob(AttachmentEntity attachment, Stream stream, StorageProviderEntity? storageProvider, Guid partyUuid, CancellationToken cancellationToken)

src/Altinn.Correspondence.Application/Helpers/InitializeCorrespondenceHelper.cs

@@ -447,7 +447,7 @@ public CorrespondenceStatus GetCurrentCorrespondenceStatus(CorrespondenceEntity
                 OneOf<UploadAttachmentResponse, Error> uploadResponse;
                 await using (var f = file.OpenReadStream())
                 {
-                    uploadResponse = await attachmentHelper.UploadAttachment(f, attachment.Id, partyUuid, forMigration: false, cancellationToken);
+                    uploadResponse = await attachmentHelper.UploadAttachment(f, attachment.Id, partyUuid, cancellationToken);
                 }
                 var error = uploadResponse.Match(
                     _ => { return null; },

src/Altinn.Correspondence.Application/MalwareScanResult/MalwareScanResultHandler.cs

@@ -10,6 +10,7 @@
 using OneOf;
 using System.Security.Claims;
 using Altinn.Correspondence.Application.ExpireAttachment;
+using System.Text.Json;
 
 namespace Altinn.Correspondence.Application;
 
@@ -87,7 +88,7 @@ await attachmentStatusRepository.AddAttachmentStatus(new AttachmentStatusEntity(
                     AttachmentId = attachmentId,
                     Status = AttachmentStatus.Failed,
                     StatusChanged = DateTimeOffset.UtcNow,
-                    StatusText = $"Malware scan failed: {data.ScanResultType}",
+                    StatusText = $"Malware scan failed: {data.ScanResultDetails?.ErrorMessage ?? data.ScanResultType}",
                     PartyUuid = partyUuid
                 }, cancellationToken);
                 backgroundJobClient.Enqueue<IEventBus>((eventBus) => eventBus.Publish(
@@ -101,7 +102,7 @@ await attachmentStatusRepository.AddAttachmentStatus(new AttachmentStatusEntity(
                     attachmentId, 
                     attachment.FileName,
                     data.ScanResultType,
-                    data.ScanResultDetails);
+                    JsonSerializer.Serialize(data.ScanResultDetails));
                 backgroundJobClient.Enqueue(() => FailAssociatedCorrespondences(attachmentId, partyUuid, CancellationToken.None));
                 return Task.CompletedTask;
             }, logger, cancellationToken);

src/Altinn.Correspondence.Application/MalwareScanResult/Models/ScanResultData.cs

@@ -1,4 +1,5 @@
-using System.Text.Json.Serialization;
+using Azure.Core.Serialization;
+using System.Text.Json.Serialization;
 
 namespace Altinn.Correspondence.Application.MalwareScanResult.Models;
 
@@ -9,6 +10,9 @@ public class ScanResultDetails
 
     [JsonPropertyName("sha256")]
     public string Sha256 { get; set; }
+
+    [JsonPropertyName("errorMessage")]
+    public string? ErrorMessage { get; set; }
 }
 
 public class ScanResultData