
When using admin-scope, dialog.Org should be set to service resource owner #1409

Closed
elsand opened this issue Nov 6, 2024 · 5 comments
Closed
Assignees
Labels
bug Something isn't working

Comments


elsand commented Nov 6, 2024

Description

The admin-scope short circuits the AuthorizeServiceResources check, such that the calling system can create dialogs for any service resource. This is meant for other internal Altinn integrations that write dialogs, such as correspondence and the Altinn Storage.

The Org population is however always performed based on the authenticated user, which causes "Digitaliseringsdirektoratet" to be the sender for all correspondence.

Reproduction

  1. Authenticate as Digdir, using the scope digdir:dialogporten.serviceprovider.admin
  2. Create a dialog referring to a service resource owned by SKE
  3. Authenticate as an enduser with access to that dialog
  4. Fetch the dialog

Expected behavior

The dialog should have the "Org" field set to "ske"

Actual behavior

The dialog has the "Org" field set to "digdir"

Additional information

If there is additional context that is relevant to include.
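To make the reported behaviour concrete, the following is an added Python model of the two code paths (the actual behaviour and the expected one). It is not Dialogporten's own code (which is C#); the resource-ownership dict, the `Caller` type and the `create_dialog` return shape are assumptions of this example. The DMF resource URN and the 403 message are taken from the test comments in this thread; the SKE URN is constructed.

```python
# Added illustration of the bug in this issue; not Dialogporten's (C#) code.
# Assumptions: service resource ownership is a plain dict, and create_dialog
# returns a small dict standing in for the HTTP response.
from dataclasses import dataclass

BASE_SCOPE = "digdir:dialogporten.serviceprovider"
ADMIN_SCOPE = "digdir:dialogporten.serviceprovider.admin"

# Constructed registry: service resource URN -> owning org short name.
# The DMF URN appears in the thread; the SKE URN is made up for this example.
RESOURCE_OWNERS = {
    "urn:altinn:resource:ske-example-resource": "ske",
    "urn:altinn:resource:dmf-dialog-tjenester": "dmf",
}


class Forbidden(Exception):
    """Caller referenced a service resource it does not own (HTTP 403 in the API)."""


@dataclass(frozen=True)
class Caller:
    org: str                 # short name of the authenticated org, e.g. "digdir"
    scopes: frozenset[str]   # parsed "scope" claim of the Maskinporten token


def authorize_service_resource(caller: Caller, resource: str) -> None:
    """AuthorizeServiceResources as described in the issue: the admin scope
    short-circuits the ownership check, otherwise the caller must own the resource."""
    if ADMIN_SCOPE in caller.scopes:
        return
    if RESOURCE_OWNERS.get(resource) != caller.org:
        raise Forbidden(
            f"Not allowed to reference the following unowned resources: [{resource}]."
        )


def resolve_org_buggy(caller: Caller, resource: str) -> str:
    """Actual behaviour in the report: Org is always the authenticated org,
    so an admin-scope caller becomes the sender of every dialog it creates."""
    return caller.org


def resolve_org_fixed(caller: Caller, resource: str) -> str:
    """Expected behaviour: Org is the owner of the referenced service resource.
    For a non-admin caller this equals the caller, since authorization already
    required ownership; missing owner data fails loudly instead of falling back
    to the caller's org."""
    owner = RESOURCE_OWNERS.get(resource)
    if owner is None:
        raise ValueError(f"no owning organisation registered for {resource}")
    return owner


def create_dialog(caller: Caller, resource: str, fixed: bool = True) -> dict:
    """Stand-in for the create-dialog endpoint: authorize, then populate Org."""
    try:
        authorize_service_resource(caller, resource)
    except Forbidden as exc:
        return {"status": 403, "detail": str(exc)}
    resolve = resolve_org_fixed if fixed else resolve_org_buggy
    return {"status": 201, "org": resolve(caller, resource), "serviceResource": resource}


if __name__ == "__main__":
    # The reproduction from the issue: Digdir with admin scope creates a dialog
    # for an SKE-owned resource.
    digdir_admin = Caller("digdir", frozenset({BASE_SCOPE, ADMIN_SCOPE}))
    ske_resource = "urn:altinn:resource:ske-example-resource"
    print(create_dialog(digdir_admin, ske_resource, fixed=False))  # org "digdir": the bug
    print(create_dialog(digdir_admin, ske_resource))               # org "ske": expected
```

Running the module prints the buggy and the expected response side by side for the reproduction steps above; a non-admin caller referencing a resource it does not own still gets the 403 with the same message in both variants.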

@elsand elsand added the bug Something isn't working label Nov 6, 2024
@elsand elsand self-assigned this Nov 25, 2024
@elsand elsand linked a pull request Nov 25, 2024 that will close this issue
elsand added a commit that referenced this issue Nov 26, 2024

…ogs (#1529)

## Description

This implements a proper handling of serviceprovider.admin-scope, where
the "org"-value for the actual service resource is used instead of
always being "digdir".

This also maintains the possibility for the admin-scope-wielder to
access and update the dialog afterwards. The search-endpoint is however
not changed (will only display actually owned dialogs, and requiring
search-scope)

## Related Issue(s)

- #1409

## Verification

- [x] **Your** code builds clean without any errors or warnings
- [x] Manual testing done (required)
- [x] Relevant automated test added (if you find this hard, leave it and
we'll help out)

## Documentation

- [ ] Documentation is updated (either in `docs`-directory, Altinnpedia
or a separate linked PR in
[altinn-studio-docs.](https://github.com/Altinn/altinn-studio-docs), if
applicable)


## Summary by CodeRabbit

## Release Notes

- **New Features**
- Added a new property `OwnOrgShortName` to enhance resource
information.
- Introduced conditional filtering in various query handlers to improve
access control based on user roles.
- Expanded testing coverage for service owners with admin capabilities.

- **Bug Fixes**
- Improved error handling for missing organization information in dialog
creation.

- **Documentation**
- Updated test setup to reflect changes in dependencies for dialog
creation tests.

- **Chores**
- Modified API call in tests to retrieve a larger number of dialog
items.
oskogstad pushed a commit that referenced this issue Nov 26, 2024
## Description

This causes any deserialization exceptions happening when fetching
caches to trigger a factory run, instead of bubbling up and hitting the
global exception handler.

This error was introduced in #1409, which added a non-nullable field to
an entity that existed in the distributed cache.

## Related Issue(s)

- #1409 

## Verification

- [x] **Your** code builds clean without any errors or warnings
- [x] Manual testing done (required)
- [ ] Relevant automated test added (if you find this hard, leave it and
we'll help out)

## Documentation

- [ ] Documentation is updated (either in `docs`-directory, Altinnpedia
or a separate linked PR in
[altinn-studio-docs.](https://github.com/Altinn/altinn-studio-docs), if
applicable)
@LeifHelstad

Test:

I understand that part of the test involves "Scopes", which can be specified in "GET EnterpriseToken".
I set this to "digdir:dialogporten.serviceprovider.admin"
(A bit unsure whether saving is required there...?)
So I keep digdir:dialogporten.serviceprovider digdir:dialogporten.serviceprovider.search digdir:dialogporten digdir:dialogporten.developer.test

I pick the dialog for DMF,
which has "serviceResource": "urn:altinn:resource:dmf-dialog-tjenester"
and via {Party_Person} points to 08895699684.
I get 403 Forbidden
"Not allowed to reference the following unowned resources: [urn:altinn:resource:dmf-dialog-tjenester]."
I have a script that always sets orgNo for Authenticate, so it has to be commented out.
I get 403 Forbidden.
I choose to save Params Scopes (will set them back afterwards...)
Still 403 Forbidden.

I re-enable the script and set it so that orgNo belongs to DMF.
That gives a dialog "0193c04c-bd83-70cd-9cea-666feb489fe2"
But where do I see which Scope it was created with?
The result is
"org": "dmf",
"serviceResource": "urn:altinn:resource:dmf-dialog-tjenester",
That is the "correct" result.
But has my choice of Scope actually taken effect?
Probably, since it is the only one specified.
But have I tested what is actually the real change here?
After all, I specified ORG as DMF when I created the dialog.
DMF with admin Scope. But the way I read the issue, I suspected the call was supposed to be made by digdir (digdir org) with admin Scope.
At the same time, I then don't understand how Dialogporten would regard DMF as the service owner of the dialog. So it may be that I tested the right thing.

@LeifHelstad

@elsand it may be that I have tested this the right way and that it is good, because I get the expected result.
But I am a bit unsure whether I ran the test correctly.
Should I be orgNo for DMF with scope digdir:dialogporten.serviceprovider.admin?
Or is the special thing here that orgNo should be digdir's?

  • If the latter, I don't quite understand how the dialog would get the correct serviceOwner. (So I think I tested correctly with the former.)

LeifHelstad commented Dec 17, 2024

I had tested incorrectly because I had a script in between that updated the scope. But with "digdir:dialogporten.serviceprovider.admin" as the only scope, I get 403 Forbidden.

If I add the mentioned scope to the existing ones, it works and the error described in the repro steps does not occur.

The big question now is whether "digdir:dialogporten.serviceprovider.admin" is meant to be the only scope, or a scope together with other scopes?

{
"scope": "digdir:dialogporten.serviceprovider.admin",
"token_type": "Bearer",
"exp": 1734515789,
"iat": 1734429389,
"client_id": "9a7510b7-f6f7-492e-82f0-2bd7f5fb3ef5",
"jti": "hapyU9DW2MWp1bZE2Yn5GYfEBYD3ZOrjJxrbCmp9JPB",
"consumer": {
"authority": "iso6523-actorid-upis",
"ID": "0192:991825827"
},
"urn:altinn:orgNumber": "991825827",
"urn:altinn:authenticatemethod": "maskinporten",
"urn:altinn:authlevel": 3,
"iss": "https://platform.tt02.altinn.no/authentication/api/v1/openid/",
"actual_iss": "altinn-test-tools",
"nbf": 1734429389
}

@LeifHelstad

Q:
Can this stand alone, or must other suffix scopes be present at the same time?
"scope": "digdir:dialogporten.serviceprovider.admin"

A:
It cannot stand alone; all "subscopes", i.e. digdir:dialogporten.serviceprovider.*, must be used together with digdir:dialogporten.serviceprovider. So you need:
"scope": "digdir:dialogporten.serviceprovider digdir:dialogporten.serviceprovider.admin"
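The rule in the answer above (a serviceprovider subscope only counts when the base scope is also present) is what turned the admin-only token into a 403 earlier in this thread. As an added example that is not part of the project's code, the check below applies that rule to the scope claims of the two tokens posted here. The function names and the `(ok, reason)` return shape are assumptions of this example.

```python
# Added illustration of the scope rule stated in the thread; not Dialogporten's code.
# The function names and the (ok, reason) return shape are assumptions of this example.
BASE_SCOPE = "digdir:dialogporten.serviceprovider"
ADMIN_SCOPE = BASE_SCOPE + ".admin"


def parse_scope_claim(scope_claim: str) -> frozenset[str]:
    """The Maskinporten "scope" claim is a single space-separated string."""
    return frozenset(s for s in scope_claim.split() if s)


def check_serviceprovider_scopes(scope_claim: str) -> tuple[bool, str]:
    """Every digdir:dialogporten.serviceprovider.<suffix> subscope must be
    accompanied by the base scope digdir:dialogporten.serviceprovider.
    Claims without any serviceprovider subscope are unaffected by the rule."""
    scopes = parse_scope_claim(scope_claim)
    subscopes = sorted(s for s in scopes if s.startswith(BASE_SCOPE + "."))
    if subscopes and BASE_SCOPE not in scopes:
        return False, f"{', '.join(subscopes)} require(s) {BASE_SCOPE}"
    return True, ""


def has_admin_scope(scope_claim: str) -> bool:
    """The admin short-circuit only applies when the claim as a whole is valid;
    an admin subscope without the base scope is rejected (the 403 seen above)."""
    ok, _ = check_serviceprovider_scopes(scope_claim)
    return ok and ADMIN_SCOPE in parse_scope_claim(scope_claim)


# Scope claims copied from the two token payloads posted in this thread.
ADMIN_ALONE = "digdir:dialogporten.serviceprovider.admin"
ADMIN_WITH_BASE = (
    "digdir:dialogporten.serviceprovider "
    "digdir:dialogporten.serviceprovider.legacyhtml "
    "digdir:dialogporten.serviceprovider.admin"
)

if __name__ == "__main__":
    for claim in (ADMIN_ALONE, ADMIN_WITH_BASE):
        print(repr(claim))
        print("  valid:", check_serviceprovider_scopes(claim), " admin:", has_admin_scope(claim))
```

The first claim fails the check and therefore never reaches the admin short-circuit; the second passes, which matches the successful request reported further down.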

@LeifHelstad

Test:

This is from the request that worked (scoped down, but one more subscope had to be included because of the content):

{
"scope": "digdir:dialogporten.serviceprovider digdir:dialogporten.serviceprovider.legacyhtml digdir:dialogporten.serviceprovider.admin",
"token_type": "Bearer",
"exp": 1734593860,
"iat": 1734507460,
"client_id": "efd31198-3706-4dec-ab00-f206fcc39a44",
"jti": "R0g5NjhtGgCMdEvMeElbtqfR0UlBjd11F3Gf1seZzcO",
"consumer": {
"authority": "iso6523-actorid-upis",
"ID": "0192:974760282"
},
"urn:altinn:orgNumber": "974760282",
"urn:altinn:authenticatemethod": "maskinporten",
"urn:altinn:authlevel": 3,
"iss": "https://platform.tt02.altinn.no/authentication/api/v1/openid/",
"actual_iss": "altinn-test-tools",
"nbf": 1734507460
}

Dialog "0193d8b3-83fe-72b9-b6c7-a27f9864bf6c" was created.

It got the calling ServiceOwner's "org", and therefore Test Passed.

"id": "0193d8b3-83fe-72b9-b6c7-a27f9864bf6c",
"revision": "521ddc03-7f7a-4ebe-927b-ede6efa48497",
"org": "dmf",
"serviceResource": "urn:altinn:resource:dmf-dialog-tjenester",
"serviceResourceType": "genericaccessresource",
"party": "urn:altinn:person:identifier-no:08895699684",
