Use service resource org, allow admin-scope to fetch/update dialogs

digdir · Nov 25, 2024 · 298b682 · 298b682
1 parent 9266d1d
commit 298b682
Show file tree

Hide file tree

Showing 13 changed files with 50 additions and 23 deletions.
diff --git a/src/Digdir.Domain.Dialogporten.Application/Externals/IResourceRegistry.cs b/src/Digdir.Domain.Dialogporten.Application/Externals/IResourceRegistry.cs
@@ -14,13 +14,15 @@ public sealed record ServiceResourceInformation
 {
     public string ResourceType { get; }
     public string OwnerOrgNumber { get; }
+    public string OwnOrgShortName { get; }
     public string ResourceId { get; }
 
-    public ServiceResourceInformation(string resourceId, string resourceType, string ownerOrgNumber)
+    public ServiceResourceInformation(string resourceId, string resourceType, string ownerOrgNumber, string ownOrgShortName)
     {
         ResourceId = resourceId.ToLowerInvariant();
         ResourceType = resourceType.ToLowerInvariant();
         OwnerOrgNumber = ownerOrgNumber.ToLowerInvariant();
+        OwnOrgShortName = ownOrgShortName.ToLowerInvariant();
     }
 }
 

diff --git a/...ten.Application/Features/V1/ServiceOwner/DialogActivities/Queries/Get/GetActivityQuery.cs b/...ten.Application/Features/V1/ServiceOwner/DialogActivities/Queries/Get/GetActivityQuery.cs
@@ -1,5 +1,6 @@
 using AutoMapper;
 using Digdir.Domain.Dialogporten.Application.Common;
+using Digdir.Domain.Dialogporten.Application.Common.Extensions;
 using Digdir.Domain.Dialogporten.Application.Common.ReturnTypes;
 using Digdir.Domain.Dialogporten.Application.Externals;
 using Digdir.Domain.Dialogporten.Domain.Dialogs.Entities;
@@ -43,7 +44,7 @@ public async Task<GetActivityResult> Handle(GetActivityQuery request,
             .Include(x => x.Activities.Where(x => x.Id == request.ActivityId))
                 .ThenInclude(x => x.Description!.Localizations)
             .IgnoreQueryFilters()
-            .Where(x => resourceIds.Contains(x.ServiceResource))
+            .WhereIf(!_userResourceRegistry.IsCurrentUserServiceOwnerAdmin(), x => resourceIds.Contains(x.ServiceResource))
             .FirstOrDefaultAsync(x => x.Id == request.DialogId,
                 cancellationToken: cancellationToken);
 

diff --git a/...plication/Features/V1/ServiceOwner/DialogActivities/Queries/Search/SearchActivityQuery.cs b/...plication/Features/V1/ServiceOwner/DialogActivities/Queries/Search/SearchActivityQuery.cs
@@ -1,5 +1,6 @@
 using AutoMapper;
 using Digdir.Domain.Dialogporten.Application.Common;
+using Digdir.Domain.Dialogporten.Application.Common.Extensions;
 using Digdir.Domain.Dialogporten.Application.Common.ReturnTypes;
 using Digdir.Domain.Dialogporten.Application.Externals;
 using Digdir.Domain.Dialogporten.Domain.Dialogs.Entities;
@@ -37,7 +38,7 @@ public async Task<SearchActivityResult> Handle(SearchActivityQuery request, Canc
         var dialog = await _db.Dialogs
             .Include(x => x.Activities)
             .IgnoreQueryFilters()
-            .Where(x => resourceIds.Contains(x.ServiceResource))
+            .WhereIf(!_userResourceRegistry.IsCurrentUserServiceOwnerAdmin(), x => resourceIds.Contains(x.ServiceResource))
             .FirstOrDefaultAsync(x => x.Id == request.DialogId,
                 cancellationToken: cancellationToken);
 

diff --git a/...lication/Features/V1/ServiceOwner/DialogTransmissions/Queries/Get/GetTransmissionQuery.cs b/...lication/Features/V1/ServiceOwner/DialogTransmissions/Queries/Get/GetTransmissionQuery.cs
@@ -1,5 +1,6 @@
 using AutoMapper;
 using Digdir.Domain.Dialogporten.Application.Common;
+using Digdir.Domain.Dialogporten.Application.Common.Extensions;
 using Digdir.Domain.Dialogporten.Application.Common.ReturnTypes;
 using Digdir.Domain.Dialogporten.Application.Externals;
 using Digdir.Domain.Dialogporten.Domain.Dialogs.Entities;
@@ -50,7 +51,7 @@ public async Task<GetTransmissionResult> Handle(GetTransmissionQuery request,
             .Include(x => x.Transmissions)
                 .ThenInclude(x => x.Sender)
             .IgnoreQueryFilters()
-            .Where(x => resourceIds.Contains(x.ServiceResource))
+            .WhereIf(!_userResourceRegistry.IsCurrentUserServiceOwnerAdmin(), x => resourceIds.Contains(x.ServiceResource))
             .FirstOrDefaultAsync(x => x.Id == request.DialogId,
                 cancellationToken: cancellationToken);
 

diff --git a/...on/Features/V1/ServiceOwner/DialogTransmissions/Queries/Search/SearchTransmissionQuery.cs b/...on/Features/V1/ServiceOwner/DialogTransmissions/Queries/Search/SearchTransmissionQuery.cs
@@ -1,5 +1,6 @@
 using AutoMapper;
 using Digdir.Domain.Dialogporten.Application.Common;
+using Digdir.Domain.Dialogporten.Application.Common.Extensions;
 using Digdir.Domain.Dialogporten.Application.Common.ReturnTypes;
 using Digdir.Domain.Dialogporten.Application.Externals;
 using Digdir.Domain.Dialogporten.Domain.Dialogs.Entities;
@@ -47,7 +48,7 @@ public async Task<SearchTransmissionResult> Handle(SearchTransmissionQuery reque
             .Include(x => x.Transmissions)
                 .ThenInclude(x => x.Sender)
             .IgnoreQueryFilters()
-            .Where(x => resourceIds.Contains(x.ServiceResource))
+            .WhereIf(!_userResourceRegistry.IsCurrentUserServiceOwnerAdmin(), x => resourceIds.Contains(x.ServiceResource))
             .FirstOrDefaultAsync(x => x.Id == request.DialogId,
                 cancellationToken: cancellationToken);
 

diff --git a/...orten.Application/Features/V1/ServiceOwner/Dialogs/Commands/Create/CreateDialogCommand.cs b/...orten.Application/Features/V1/ServiceOwner/Dialogs/Commands/Create/CreateDialogCommand.cs
@@ -30,7 +30,7 @@ internal sealed class CreateDialogCommandHandler : IRequestHandler<CreateDialogC
     private readonly IMapper _mapper;
     private readonly IUnitOfWork _unitOfWork;
     private readonly IDomainContext _domainContext;
-    private readonly IUserOrganizationRegistry _userOrganizationRegistry;
+    private readonly IResourceRegistry _resourceRegistry;
     private readonly IServiceResourceAuthorizer _serviceResourceAuthorizer;
     private readonly IUser _user;
 
@@ -40,16 +40,16 @@ public CreateDialogCommandHandler(
         IMapper mapper,
         IUnitOfWork unitOfWork,
         IDomainContext domainContext,
-        IUserOrganizationRegistry userOrganizationRegistry,
+        IResourceRegistry resourceRegistry,
         IServiceResourceAuthorizer serviceResourceAuthorizer)
     {
         _user = user ?? throw new ArgumentNullException(nameof(user));
         _db = db ?? throw new ArgumentNullException(nameof(db));
         _mapper = mapper ?? throw new ArgumentNullException(nameof(mapper));
         _unitOfWork = unitOfWork ?? throw new ArgumentNullException(nameof(unitOfWork));
         _domainContext = domainContext ?? throw new ArgumentNullException(nameof(domainContext));
-        _userOrganizationRegistry = userOrganizationRegistry ?? throw new ArgumentNullException(nameof(userOrganizationRegistry));
-        _serviceResourceAuthorizer = serviceResourceAuthorizer;
+        _resourceRegistry = resourceRegistry ?? throw new ArgumentNullException(nameof(resourceRegistry));
+        _serviceResourceAuthorizer = serviceResourceAuthorizer ?? throw new ArgumentNullException(nameof(serviceResourceAuthorizer));
     }
 
     public async Task<CreateDialogResult> Handle(CreateDialogCommand request, CancellationToken cancellationToken)
@@ -63,12 +63,17 @@ public async Task<CreateDialogResult> Handle(CreateDialogCommand request, Cancel
             return forbiddenResult;
         }
 
-        dialog.Org = await _userOrganizationRegistry.GetCurrentUserOrgShortName(cancellationToken) ?? string.Empty;
-        if (string.IsNullOrWhiteSpace(dialog.Org))
+        var serviceResourceInformation = await _resourceRegistry.GetResourceInformation(dialog.ServiceResource, cancellationToken);
+        if (serviceResourceInformation is null)
         {
             _domainContext.AddError(new DomainFailure(nameof(DialogEntity.Org),
-                "Cannot find service owner organization shortname for current user. Please ensure that you are logged in as a service owner."));
+                "Cannot find service owner organization shortname for referenced service resource."));
         }
+        else
+        {
+            dialog.Org = serviceResourceInformation.OwnOrgShortName;
+        }
+
         CreateDialogEndUserContext(request, dialog);
         await EnsureNoExistingUserDefinedIds(dialog, cancellationToken);
 

diff --git a/...orten.Application/Features/V1/ServiceOwner/Dialogs/Commands/Update/UpdateDialogCommand.cs b/...orten.Application/Features/V1/ServiceOwner/Dialogs/Commands/Update/UpdateDialogCommand.cs
@@ -83,7 +83,7 @@ public async Task<UpdateDialogResult> Handle(UpdateDialogCommand request, Cancel
             .Include(x => x.Transmissions)
             .Include(x => x.DialogEndUserContext)
             .IgnoreQueryFilters()
-            .Where(x => resourceIds.Contains(x.ServiceResource))
+            .WhereIf(!_userResourceRegistry.IsCurrentUserServiceOwnerAdmin(), x => resourceIds.Contains(x.ServiceResource))
             .FirstOrDefaultAsync(x => x.Id == request.Id, cancellationToken);
 
         if (dialog is null)

diff --git a/...n.Dialogporten.Application/Features/V1/ServiceOwner/Dialogs/Queries/Get/GetDialogQuery.cs b/...n.Dialogporten.Application/Features/V1/ServiceOwner/Dialogs/Queries/Get/GetDialogQuery.cs
@@ -2,6 +2,7 @@
 using AutoMapper;
 using Digdir.Domain.Dialogporten.Application.Common;
 using Digdir.Domain.Dialogporten.Application.Common.Authorization;
+using Digdir.Domain.Dialogporten.Application.Common.Extensions;
 using Digdir.Domain.Dialogporten.Application.Common.ReturnTypes;
 using Digdir.Domain.Dialogporten.Application.Externals;
 using Digdir.Domain.Dialogporten.Application.Externals.AltinnAuthorization;
@@ -85,7 +86,7 @@ public async Task<GetDialogResult> Handle(GetDialogQuery request, CancellationTo
                 .ThenInclude(x => x.SeenBy)
             .Include(x => x.DialogEndUserContext)
             .IgnoreQueryFilters()
-            .Where(x => resourceIds.Contains(x.ServiceResource))
+            .WhereIf(!_userResourceRegistry.IsCurrentUserServiceOwnerAdmin(), x => resourceIds.Contains(x.ServiceResource))
             .FirstOrDefaultAsync(x => x.Id == request.DialogId, cancellationToken);
 
         if (dialog is null)

diff --git a/...n.Dialogporten.Infrastructure/Altinn/ResourceRegistry/LocalDevelopmentResourceRegistry.cs b/...n.Dialogporten.Infrastructure/Altinn/ResourceRegistry/LocalDevelopmentResourceRegistry.cs
@@ -9,6 +9,7 @@ internal sealed class LocalDevelopmentResourceRegistry : IResourceRegistry
 {
     private const string LocalResourceType = "LocalResourceType";
     private const string LocalOrgId = "742859274";
+    private const string LocalOrgShortName = "ttd";
     private static readonly HashSet<ServiceResourceInformation> CachedResourceIds = new(new ServiceResourceInformationEqualityComparer());
     private readonly IDialogDbContext _db;
 
@@ -26,7 +27,7 @@ public async Task<IReadOnlyCollection<ServiceResourceInformation>> GetResourceIn
 
         foreach (var id in newIds)
         {
-            CachedResourceIds.Add(new ServiceResourceInformation(id, LocalResourceType, orgNumber));
+            CachedResourceIds.Add(new ServiceResourceInformation(id, LocalResourceType, orgNumber, LocalOrgShortName));
         }
 
         return CachedResourceIds;
@@ -35,7 +36,7 @@ public async Task<IReadOnlyCollection<ServiceResourceInformation>> GetResourceIn
     public Task<ServiceResourceInformation?> GetResourceInformation(string serviceResourceId, CancellationToken cancellationToken)
     {
         return Task.FromResult<ServiceResourceInformation?>(
-            new ServiceResourceInformation(serviceResourceId, LocalResourceType, LocalOrgId));
+            new ServiceResourceInformation(serviceResourceId, LocalResourceType, LocalOrgId, LocalOrgShortName));
     }
 
     [SuppressMessage("Performance", "CA1822:Mark members as static")]

diff --git a/...gdir.Domain.Dialogporten.Infrastructure/Altinn/ResourceRegistry/ResourceRegistryClient.cs b/...gdir.Domain.Dialogporten.Infrastructure/Altinn/ResourceRegistry/ResourceRegistryClient.cs
@@ -192,7 +192,8 @@ ResourceTypeAltinnApp or
                     .Select(x => new ServiceResourceInformation(
                         $"{Constants.ServiceResourcePrefix}{x.Identifier}",
                         x.ResourceType,
-                        x.HasCompetentAuthority.Organization!))
+                        x.HasCompetentAuthority.Organization!,
+                        x.HasCompetentAuthority.OrgCode))
                     .ToArray();
             },
             token: cancellationToken);

diff --git a/...ten.Application.Unit.Tests/Features/V1/ServiceOwner/Dialogs/Commands/CreateDialogTests.cs b/...ten.Application.Unit.Tests/Features/V1/ServiceOwner/Dialogs/Commands/CreateDialogTests.cs
@@ -27,7 +27,7 @@ public async Task CreateDialogCommand_Should_Return_Forbidden_When_Scope_Is_Miss
         var unitOfWorkSub = Substitute.For<IUnitOfWork>();
         var domainContextSub = Substitute.For<IDomainContext>();
         var userResourceRegistrySub = Substitute.For<IUserResourceRegistry>();
-        var userOrganizationRegistrySub = Substitute.For<IUserOrganizationRegistry>();
+        var resourceRegistrySub = Substitute.For<IResourceRegistry>();
         var serviceAuthorizationSub = Substitute.For<IServiceResourceAuthorizer>();
         var userSub = Substitute.For<IUser>();
 
@@ -41,9 +41,13 @@ public async Task CreateDialogCommand_Should_Return_Forbidden_When_Scope_Is_Miss
             .CurrentUserIsOwner(createCommand.ServiceResource, Arg.Any<CancellationToken>())
             .Returns(true);
 
+        resourceRegistrySub
+            .GetResourceInformation(createCommand.ServiceResource, Arg.Any<CancellationToken>())
+            .Returns(new ServiceResourceInformation(createCommand.ServiceResource, "foo", "912345678", "ttd"));
+
         var commandHandler = new CreateDialogCommandHandler(userSub, dialogDbContextSub,
             mapper, unitOfWorkSub, domainContextSub,
-            userOrganizationRegistrySub, serviceAuthorizationSub);
+            resourceRegistrySub, serviceAuthorizationSub);
 
         // Act
         var result = await commandHandler.Handle(createCommand, CancellationToken.None);
@@ -66,7 +70,7 @@ public async Task CreateDialogCommand_Should_Return_Forbidden_When_User_Is_Not_O
         var unitOfWorkSub = Substitute.For<IUnitOfWork>();
         var domainContextSub = Substitute.For<IDomainContext>();
         var userResourceRegistrySub = Substitute.For<IUserResourceRegistry>();
-        var userOrganizationRegistrySub = Substitute.For<IUserOrganizationRegistry>();
+        var resourceRegistrySub = Substitute.For<IResourceRegistry>();
         var serviceAuthorizationSub = Substitute.For<IServiceResourceAuthorizer>();
         var userSub = Substitute.For<IUser>();
         var createCommand = DialogGenerator.GenerateSimpleFakeDialog();
@@ -79,9 +83,13 @@ public async Task CreateDialogCommand_Should_Return_Forbidden_When_User_Is_Not_O
             .CurrentUserIsOwner(createCommand.ServiceResource, Arg.Any<CancellationToken>())
             .Returns(false);
 
+        resourceRegistrySub
+            .GetResourceInformation(createCommand.ServiceResource, Arg.Any<CancellationToken>())
+            .Returns(new ServiceResourceInformation(createCommand.ServiceResource, "foo", "912345678", "ttd"));
+
         var commandHandler = new CreateDialogCommandHandler(userSub, dialogDbContextSub,
             mapper, unitOfWorkSub, domainContextSub,
-            userOrganizationRegistrySub, serviceAuthorizationSub);
+            resourceRegistrySub, serviceAuthorizationSub);
 
         // Act
         var result = await commandHandler.Handle(createCommand, CancellationToken.None);

diff --git a/tests/k6/common/sentinel.js b/tests/k6/common/sentinel.js
@@ -12,7 +12,7 @@ export default function () {
         let continuationToken = "";
         let dialogIdsToPurge = [];
         do {
-            let r = getSO('dialogs/?Search=' + sentinelValue + continuationToken, null, tokenOptions);
+            let r = getSO('dialogs/?Limit=1000&Search=' + sentinelValue + continuationToken, null, tokenOptions);
             expectStatusFor(r).to.equal(200);
             expect(r, 'response').to.have.validJsonBody();
             let response = r.json();

diff --git a/tests/k6/tests/serviceowner/authorization.js b/tests/k6/tests/serviceowner/authorization.js
@@ -5,6 +5,7 @@ export default function () {
 
     let validSo = null;
     let invalidSo = { orgName: "other", orgNo: "310778737" };
+    let validSoAdmin = { orgName: "other", orgNo: "310778737", scopes: "digdir:dialogporten.serviceprovider digdir:dialogporten.serviceprovider.admin" };
 
     let dialog = dialogToInsert();
     let transmissionId = null; // known after successful insert
@@ -18,12 +19,16 @@ export default function () {
 
     let permutations = [
         [ true, validSo ],
-        [ false, invalidSo ]
+        [ false, invalidSo ],
+        [ true, validSoAdmin ]
     ];
 
     permutations.forEach(([shouldSucceed, tokenOptions]) => {
         let logPrefix = shouldSucceed ? "Allow" : "Deny";
         let logSuffix = shouldSucceed ? "valid serviceowner" : "invalid serviceowner"
+        if (tokenOptions && tokenOptions["scopes"] && tokenOptions["scopes"].indexOf("admin") > -1) {
+            logSuffix += " (admin)";
+        }
 
         describe(`${logPrefix} dialog create as ${logSuffix}`, () => {
             let r = postSO('dialogs', dialog, null, tokenOptions);