Altinn / altinn-events

Altinn platform microservice for handling events
MIT License

Authorization in generic events needs to support a consumer of type organisation number #469

Closed SandGrainOne closed 7 months ago

SandGrainOne commented 8 months ago

Description

Authorization of an organization trying to subscribe to generic events is currently being done based on their party id. This works fine if the policy for the resource contains party id for the subjects with access, but making rules with party id is difficult for people outside Altinn. The party id is primarily internal to Altinn. It is exposed here and there, but we want to avoid forcing the people creating these policies to do that lookup.

We should be able to authorize access to generic events for resources with rules that list specific organisation numbers in their policy.

This change should not remove support for party id. That would be a breaking change. This issue focuses on the ability to handle orgNo as a Consumer value during push.

We're starting with the Authorization logic for push. Authorization for the GET endpoint already supports orgNo.

Rule from resource ttd-altinn-events-automated-tests in at23:

<xacml:Rule RuleId="urn:altinn:example:ruleid:3" Effect="Permit">
    <xacml:Description>A rule giving organisation 312508729 the right to subscribe to events registered by the ttd-altinn-events-automated-tests resource</xacml:Description>
    <xacml:Target>
        <xacml:AnyOf>
            <xacml:AllOf>
                <xacml:Match MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
                    <xacml:AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">312508729</xacml:AttributeValue>
                    <xacml:AttributeDesignator AttributeId="urn:altinn:organizationnumber" Category="urn:oasis:names:tc:xacml:1.0:subject-category:access-subject" DataType="http://www.w3.org/2001/XMLSchema#string" MustBePresent="false"/>
                </xacml:Match>
            </xacml:AllOf>
        </xacml:AnyOf>
        <xacml:AnyOf>
            <xacml:AllOf>
                <xacml:Match MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
                    <xacml:AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">ttd-altinn-events-automated-tests</xacml:AttributeValue>
                    <xacml:AttributeDesignator AttributeId="urn:altinn:resource" Category="urn:oasis:names:tc:xacml:3.0:attribute-category:resource" DataType="http://www.w3.org/2001/XMLSchema#string" MustBePresent="false"/>
                </xacml:Match>
            </xacml:AllOf>
        </xacml:AnyOf>
        <xacml:AnyOf>
            <xacml:AllOf>
                <xacml:Match MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
                    <xacml:AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">subscribe</xacml:AttributeValue>
                    <xacml:AttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id" Category="urn:oasis:names:tc:xacml:3.0:attribute-category:action" DataType="http://www.w3.org/2001/XMLSchema#string" MustBePresent="false"/>
                </xacml:Match>
            </xacml:AllOf>
        </xacml:AnyOf>
    </xacml:Target>
</xacml:Rule>

Tasks

Acceptance Criteria
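As an added illustration (not code from the altinn-events project or its authorization client), the following Python evaluates the rule above with a minimal XACML 3.0 target matcher. It shows the concrete reason the push path has to map the consumer to `urn:altinn:organizationnumber`: a request that only carries a party id never matches this rule, because the `Match` on the org number finds no such attribute in the access-subject category and, with `MustBePresent="false"`, simply evaluates to no match rather than to a permit. The consumer formats `/org/<orgno>` and `/party/<partyid>`, the attribute id `urn:altinn:partyid`, and the sample party id are assumptions of this example, not taken from the issue.

```python
"""Minimal XACML 3.0 target evaluator for the rule quoted in this issue.

Added example, not code from altinn-events. It shows why a request that
carries only a party id can never satisfy a rule keyed on
urn:altinn:organizationnumber, and what the request must contain instead.
"""
import xml.etree.ElementTree as ET

XACML_NS = "urn:oasis:names:tc:xacml:3.0:core:schema:wd-17"
NS = {"xacml": XACML_NS}

SUBJECT = "urn:oasis:names:tc:xacml:1.0:subject-category:access-subject"
RESOURCE = "urn:oasis:names:tc:xacml:3.0:attribute-category:resource"
ACTION = "urn:oasis:names:tc:xacml:3.0:attribute-category:action"
STRING_EQUAL = "urn:oasis:names:tc:xacml:1.0:function:string-equal"
XSD_STRING = "http://www.w3.org/2001/XMLSchema#string"

# The rule from the issue (Description element omitted), with the XACML
# namespace declared so it parses stand-alone.
RULE_XML = f"""<xacml:Rule xmlns:xacml="{XACML_NS}" RuleId="urn:altinn:example:ruleid:3" Effect="Permit">
  <xacml:Target>
    <xacml:AnyOf><xacml:AllOf>
      <xacml:Match MatchId="{STRING_EQUAL}">
        <xacml:AttributeValue DataType="{XSD_STRING}">312508729</xacml:AttributeValue>
        <xacml:AttributeDesignator AttributeId="urn:altinn:organizationnumber" Category="{SUBJECT}" DataType="{XSD_STRING}" MustBePresent="false"/>
      </xacml:Match>
    </xacml:AllOf></xacml:AnyOf>
    <xacml:AnyOf><xacml:AllOf>
      <xacml:Match MatchId="{STRING_EQUAL}">
        <xacml:AttributeValue DataType="{XSD_STRING}">ttd-altinn-events-automated-tests</xacml:AttributeValue>
        <xacml:AttributeDesignator AttributeId="urn:altinn:resource" Category="{RESOURCE}" DataType="{XSD_STRING}" MustBePresent="false"/>
      </xacml:Match>
    </xacml:AllOf></xacml:AnyOf>
    <xacml:AnyOf><xacml:AllOf>
      <xacml:Match MatchId="{STRING_EQUAL}">
        <xacml:AttributeValue DataType="{XSD_STRING}">subscribe</xacml:AttributeValue>
        <xacml:AttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id" Category="{ACTION}" DataType="{XSD_STRING}" MustBePresent="false"/>
      </xacml:Match>
    </xacml:AllOf></xacml:AnyOf>
  </xacml:Target>
</xacml:Rule>"""


def subject_attributes(consumer: str) -> dict:
    """Map a subscription consumer to XACML access-subject attributes.

    The '/org/<orgno>' and '/party/<partyid>' formats and the attribute id
    urn:altinn:partyid are assumptions of this example, not taken from the issue.
    """
    kind, _, value = consumer.strip("/").partition("/")
    if kind == "org" and len(value) == 9 and value.isdigit():
        return {"urn:altinn:organizationnumber": value}
    if kind == "party" and value.isdigit():
        return {"urn:altinn:partyid": value}
    raise ValueError(f"unsupported consumer: {consumer!r}")


def build_request(consumer: str, resource: str, action: str) -> dict:
    """Request context keyed by XACML attribute category."""
    return {
        SUBJECT: subject_attributes(consumer),
        RESOURCE: {"urn:altinn:resource": resource},
        ACTION: {"urn:oasis:names:tc:xacml:1.0:action:action-id": action},
    }


def evaluate_match(match: ET.Element, request: dict) -> bool:
    """One <Match>: compare the literal against the designated request attribute."""
    if match.get("MatchId") != STRING_EQUAL:
        raise NotImplementedError(match.get("MatchId"))
    expected = match.find("xacml:AttributeValue", NS).text
    designator = match.find("xacml:AttributeDesignator", NS)
    actual = request.get(designator.get("Category"), {}).get(designator.get("AttributeId"))
    if actual is None:
        # Absent attribute: Indeterminate if MustBePresent, otherwise just no match.
        if designator.get("MustBePresent", "false").lower() == "true":
            raise LookupError(f"missing attribute {designator.get('AttributeId')}")
        return False
    return actual == expected


def target_matches(rule: ET.Element, request: dict) -> bool:
    """XACML target semantics: every AnyOf needs one AllOf whose Matches all hold."""
    target = rule.find("xacml:Target", NS)
    for any_of in target.findall("xacml:AnyOf", NS):
        if not any(all(evaluate_match(m, request) for m in all_of.findall("xacml:Match", NS))
                   for all_of in any_of.findall("xacml:AllOf", NS)):
            return False
    return True


def decide(rule_xml: str, consumer: str, resource: str, action: str) -> str:
    """Return the rule's Effect when its target matches, else 'NotApplicable'."""
    rule = ET.fromstring(rule_xml)
    if target_matches(rule, build_request(consumer, resource, action)):
        return rule.get("Effect")
    return "NotApplicable"


if __name__ == "__main__":
    res = "ttd-altinn-events-automated-tests"
    print(decide(RULE_XML, "/org/312508729", res, "subscribe"))  # Permit
    print(decide(RULE_XML, "/party/50001234", res, "subscribe"))  # NotApplicable
```

The party-id case is the failure mode the issue describes: nothing is wrong with the policy, the request just never presents the attribute the rule is keyed on. Keeping party-id support alongside it means the request for a `/party/` consumer would carry the party id attribute instead, and policies written with either subject attribute keep working.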

acn-sbuad commented 7 months ago

- Push generic event to organization consumer ✅
- Push app event to organization consumer ❓
- Push generic event to party consumer: out of scope
- Push app event to party consumer: out of scope