Unable to use organization number as resource party - fails PartyLookup #600

Closed
elsand opened this issue Dec 3, 2023 · 0 comments · Fixed by #639
Labels
kind/bug Used when something isn't working

elsand commented Dec 3, 2023

Description of the bug

EnrichResourceParty attempts to load the party id for the resource party if only an organization number is supplied. This however fails, due to PartyLookup attempting to generate an "access token" with _accessTokenGenerator.GenerateAccessToken("platform", "authorization"); using non-existent key material. (It attempts to call _signingKeysResolver.GetSigningCredentials(), where _signingKeysResolver is registered using the standard implementation in Altinn.Common.AccessTokenClient. This tries to load an X509 certificate from a file path that does not exist, causing an exception to be thrown.)

Supplying a bearer token in the call to /authorization/api/v1/decision doesn't appear to have any effect.

Steps To Reproduce

Perform a request to https://platform.tt02.altinn.no/authorization/api/v1/decision (using a valid subscription key) with the following body:

{
  "Request": {
    "ReturnPolicyIdList": true,
    "AccessSubject": [
      {
        "Attribute": [
          {
            "AttributeId": "urn:altinn:userid",
            "Value": "1260207"
          }
        ]
      }
    ],
    "Resource": [
      {
        "Attribute": [
          {
            "AttributeId": "urn:altinn:resource",
            "Value": "super-simple-service"
          },
          {
            "AttributeId": "urn:altinn:organizationnumber",
            "Value": "310029246"
          }
        ]
      }
    ],
    "Action": [
      {
        "Attribute": [
          {
            "AttributeId": "urn:oasis:names:tc:xacml:1.0:action:action-id",
            "Value": "read"
          }
        ]
      }
    ]    
  }
}

Expected result:

{
    "response": [
        {
            "decision": "Permit",
            "status": {
                "statusMessage": null,
                "statusDetails": null,
                "statusCode": {
                    "value": "urn:oasis:names:tc:xacml:1.0:status:ok",
                    "statusCode": null
                }
            },
            "obligations": null,
            "associateAdvice": null,
            "category": null,
            "policyIdentifierList": null
        }
    ]
}

Actual result:

{
    "response": [
        {
            "decision": "Indeterminate",
            "status": {
                "statusMessage": null,
                "statusDetails": null,
                "statusCode": {
                    "value": "urn:oasis:names:tc:xacml:1.0:status:syntax-error",
                    "statusCode": null
                }
            },
            "obligations": null,
            "associateAdvice": null,
            "category": null,
            "policyIdentifierList": null
        }
    ]
}

Additional Information

Adding the following partyid attribute avoids the PartyLookup, causing the request to succeed (i.e. give a permit response):

{
  "AttributeId": "urn:altinn:partyid",
  "Value": "51526960"
}
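
An added example, not part of the original issue or the Altinn code base: a caller-side check in Python that flags decision requests carrying an organization number without a party id, and treats any result other than Permit with status ok as a denial. The function names are hypothetical, and the sample request and responses are constructed from the JSON in the issue with unused fields dropped.

```python
# Added example: hypothetical helper names; sample data trimmed from the issue.
STATUS_OK = "urn:oasis:names:tc:xacml:1.0:status:ok"
PARTY_ID = "urn:altinn:partyid"
ORG_NO = "urn:altinn:organizationnumber"


def needs_party_lookup(request):
    """True if a Resource has an organization number but no party id,
    the case the issue says triggers PartyLookup in the PDP."""
    for resource in request["Request"].get("Resource", []):
        ids = {a["AttributeId"] for a in resource.get("Attribute", [])}
        if ORG_NO in ids and PARTY_ID not in ids:
            return True
    return False


def enforce(response):
    """Fail closed: allow only if every result is Permit with status ok."""
    results = response.get("response") or []
    if not results:
        return False, "empty response"
    for result in results:
        decision = result.get("decision")
        status = ((result.get("status") or {}).get("statusCode") or {}).get("value")
        if decision != "Permit" or status != STATUS_OK:
            return False, "%s (%s)" % (decision, status)
    return True, "Permit"


def _attr(attr_id, value):
    return {"AttributeId": attr_id, "Value": value}


def _result(decision, status):
    return {"response": [{"decision": decision,
                          "status": {"statusCode": {"value": status}}}]}


# Constructed from the request and responses in the issue (unused fields dropped).
SAMPLE_REQUEST = {"Request": {"Resource": [{"Attribute": [
    _attr("urn:altinn:resource", "super-simple-service"),
    _attr(ORG_NO, "310029246"),
]}]}}
EXPECTED = _result("Permit", STATUS_OK)
ACTUAL = _result("Indeterminate", "urn:oasis:names:tc:xacml:1.0:status:syntax-error")

if __name__ == "__main__":
    print("PartyLookup needed:", needs_party_lookup(SAMPLE_REQUEST))
    print("expected response ->", enforce(EXPECTED))
    print("actual response   ->", enforce(ACTUAL))
```

The returned reason string keeps the status code, so a log entry shows the syntax-error status that in this report masked a server-side key-loading failure.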