Altinn / altinn-authorization

Altinn platform microservice for handling authorization

Support Authorization and delegation of generic resources #21

Open TheTechArch opened 2 years ago

TheTechArch commented 2 years ago

Description

Currently, Altinn 3 PDP only supports XACML Policies created for Apps. The PRP (Policy Retrieval Point) expects that any PDP request to this component contains an org + app.

We need to add support for generic authorization resources.

Considerations

Resource Identification

We need to define a fixed id that should be used to identify the policy.

Example authzresource

    <xacml:Description>A rule giving user with role REGNA or DAGL and the app owner brg the right to instantiate an instance of a given app of brg/rrh-innrapportering</xacml:Description>
    <xacml:Target>
      <xacml:AnyOf>
        <xacml:AllOf>
          <xacml:Match MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
            <xacml:AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">brg</xacml:AttributeValue>
            <xacml:AttributeDesignator AttributeId="urn:altinn:org" Category="urn:oasis:names:tc:xacml:1.0:subject-category:access-subject" DataType="http://www.w3.org/2001/XMLSchema#string" MustBePresent="false"/>
          </xacml:Match>
        </xacml:AllOf>
      </xacml:AnyOf>
      <xacml:AnyOf>
        <xacml:AllOf>
          <xacml:Match MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
            <xacml:AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">freg.no</xacml:AttributeValue>
            <xacml:AttributeDesignator AttributeId="urn:authzresource" Category="urn:oasis:names:tc:xacml:3.0:attribute-category:resource" DataType="http://www.w3.org/2001/XMLSchema#string" MustBePresent="false"/>
          </xacml:Match>
          <xacml:Match MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
            <xacml:AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">sivilstatus</xacml:AttributeValue>
            <xacml:AttributeDesignator AttributeId="urn:freg:api" Category="urn:oasis:names:tc:xacml:3.0:attribute-category:resource" DataType="http://www.w3.org/2001/XMLSchema#string" MustBePresent="false"/>
          </xacml:Match>
        </xacml:AllOf>
      </xacml:AnyOf>
      <xacml:AnyOf>
        <xacml:AllOf>
          <xacml:Match MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
            <xacml:AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">write</xacml:AttributeValue>
            <xacml:AttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id" Category="urn:oasis:names:tc:xacml:3.0:attribute-category:action" DataType="http://www.w3.org/2001/XMLSchema#string" MustBePresent="false"/>
          </xacml:Match>
        </xacml:AllOf>
        <xacml:AllOf>
          <xacml:Match MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
            <xacml:AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">read</xacml:AttributeValue>
            <xacml:AttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id" Category="urn:oasis:names:tc:xacml:3.0:attribute-category:action" DataType="http://www.w3.org/2001/XMLSchema#string" MustBePresent="false"/>
          </xacml:Match>
        </xacml:AllOf>
      </xacml:AnyOf>
    </xacml:Target>
  </xacml:Rule>

Do we need the resource to belong to an org? That would be a limitation.

Resource Metadata

To delegate, we need to be able to add metadata about the resources.

Registering of Resources

We need a new API that allows the registration of resources. The main resource needs to be unique, and the organization registering it will own that resource forever.

Development task
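The point of a fixed resource id is that the PRP can pick a policy from the request alone, without the org + app pair the current code expects. The following is an added example, not code from the Altinn repository: a minimal PRP key resolver that accepts either an org + app pair or a single urn:authzresource, refuses requests that carry both (so a caller cannot steer the lookup towards whichever policy happens to permit), and then evaluates the Target of the policy fragment from the issue with XACML 3.0 AnyOf/AllOf semantics. The attribute ids urn:altinn:org, urn:altinn:app, urn:authzresource and urn:freg:api come from the issue; the dict-shaped request, the RuleId "example" and the placement of org/app in the resource category are assumptions made for this demo.

```python
"""Added example (not Altinn code): a minimal Policy Retrieval Point (PRP) key
resolver and XACML 3.0 Target evaluator, exercised against the policy fragment
from the issue above.  Attribute ids urn:altinn:org, urn:altinn:app,
urn:authzresource and urn:freg:api come from the issue; the request shape
(a dict of category -> attribute id -> values) and the placement of org/app
in the resource category are assumptions for this demo."""
import xml.etree.ElementTree as ET

XACML = "urn:oasis:names:tc:xacml:3.0:core:schema:wd-17"
NS = {"xacml": XACML}
STR = "http://www.w3.org/2001/XMLSchema#string"
EQ = "urn:oasis:names:tc:xacml:1.0:function:string-equal"
SUBJECT = "urn:oasis:names:tc:xacml:1.0:subject-category:access-subject"
RESOURCE = "urn:oasis:names:tc:xacml:3.0:attribute-category:resource"
ACTION = "urn:oasis:names:tc:xacml:3.0:attribute-category:action"
ACTION_ID = "urn:oasis:names:tc:xacml:1.0:action:action-id"
ORG, APP, AUTHZRESOURCE = "urn:altinn:org", "urn:altinn:app", "urn:authzresource"


class PolicyNotFound(Exception):
    """The PRP cannot tell which policy to load for this request."""


def policy_key(request):
    """Pick the policy to load: ('app', 'org/app') as today, or ('resource', id)
    for a generic resource identified by the fixed attribute urn:authzresource.
    A request carrying both is refused: the PRP must never let a caller choose
    between two policies and take whichever one happens to permit."""
    res = request.get(RESOURCE, {})
    org, app, generic = res.get(ORG, []), res.get(APP, []), res.get(AUTHZRESOURCE, [])
    if generic and (org or app):
        raise PolicyNotFound("ambiguous: both app and generic resource id present")
    if len(generic) == 1:
        return ("resource", generic[0])
    if len(org) == 1 and len(app) == 1:
        return ("app", f"{org[0]}/{app[0]}")
    raise PolicyNotFound("request identifies neither an app nor a generic resource")


def resolvable(request):
    """True when the PRP can pick exactly one policy for the request."""
    try:
        policy_key(request)
        return True
    except PolicyNotFound:
        return False


def _match(value, attr_id, category):
    """One xacml:Match element as text (string-equal, MustBePresent=false)."""
    return (f'<xacml:Match MatchId="{EQ}"><xacml:AttributeValue DataType="{STR}">{value}'
            f'</xacml:AttributeValue><xacml:AttributeDesignator AttributeId="{attr_id}" '
            f'Category="{category}" DataType="{STR}" MustBePresent="false"/></xacml:Match>')


# Constructed sample: the Target from the issue, wrapped in a Rule (RuleId assumed) so it parses.
RULE_XML = f"""<xacml:Rule xmlns:xacml="{XACML}" RuleId="example" Effect="Permit">
<xacml:Target>
<xacml:AnyOf><xacml:AllOf>{_match("brg", ORG, SUBJECT)}</xacml:AllOf></xacml:AnyOf>
<xacml:AnyOf><xacml:AllOf>{_match("freg.no", AUTHZRESOURCE, RESOURCE)}
{_match("sivilstatus", "urn:freg:api", RESOURCE)}</xacml:AllOf></xacml:AnyOf>
<xacml:AnyOf><xacml:AllOf>{_match("write", ACTION_ID, ACTION)}</xacml:AllOf>
<xacml:AllOf>{_match("read", ACTION_ID, ACTION)}</xacml:AllOf></xacml:AnyOf>
</xacml:Target></xacml:Rule>"""


def match(m, request):
    """Evaluate one Match: the literal must equal some request value of the
    designated attribute in the designated category.  No value -> no match
    (every designator here has MustBePresent="false", so never Indeterminate)."""
    if m.get("MatchId") != EQ:
        raise NotImplementedError(m.get("MatchId"))
    literal = m.find("xacml:AttributeValue", NS).text
    d = m.find("xacml:AttributeDesignator", NS)
    values = request.get(d.get("Category"), {}).get(d.get("AttributeId"), [])
    return literal in values


def target_matches(target, request):
    """XACML 3.0 Target semantics: AND over AnyOf, OR over AllOf, AND over Match."""
    return all(
        any(all(match(m, request) for m in all_of.findall("xacml:Match", NS))
            for all_of in any_of.findall("xacml:AllOf", NS))
        for any_of in target.findall("xacml:AnyOf", NS))


def evaluate(request, rule_xml=RULE_XML):
    """PRP step (which policy?) followed by the PDP step (does its Target apply?)."""
    key = policy_key(request)
    rule = ET.fromstring(rule_xml)
    applies = target_matches(rule.find("xacml:Target", NS), request)
    return key, (rule.get("Effect") if applies else "NotApplicable")


def sample_request(org="brg", resource="freg.no", api="sivilstatus", action="read"):
    """Constructed request (not a real Altinn PDP request): org as a subject
    attribute, the generic resource id plus its API sub-resource, and one action."""
    return {SUBJECT: {ORG: [org]},
            RESOURCE: {AUTHZRESOURCE: [resource], "urn:freg:api": [api]},
            ACTION: {ACTION_ID: [action]}}


if __name__ == "__main__":
    print(evaluate(sample_request()))                 # (('resource', 'freg.no'), 'Permit')
    print(evaluate(sample_request(action="delete")))  # (('resource', 'freg.no'), 'NotApplicable')
    print(policy_key({RESOURCE: {ORG: ["brg"], APP: ["rrh-innrapportering"]}}))
```

Note how the fixed id only selects the policy; the finer-grained urn:freg:api match lives inside the policy's Target, which is what lets one registered resource carry several APIs without the PRP knowing about them.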

sivaglen commented 1 year ago

@TheTechArch - is this user story still relevant, or can it be archived?

sivaglen commented 1 year ago

@TheTechArch - can we close this?

rtafj commented 8 months ago

@TheTechArch - is this still relevant? Possibly fixed in https://github.com/Altinn/altinn-authorization/issues/448?