Authorization of generic events must include subject as a part of the resource designation

[SandGrainOne]

Description

Authorization logic for generic events must be updated to include subject in the authorization request.

Authorization when creating a subscription needs to use the subjectFilter and authorization of an event should use the subject.

Additional Information

• Do we need to make subject a required field or should it be possible to create events without?

Tasks

• [x] Add mapping of subject from an Event into an Decision Request as a partyid
• [x] Unit tests
• [x] Manual tests
• [x] Documentation

Test cases

We want to test various types of subjects for cloud events in generic events. Generate a resource in the resource registry with a policy that can be tweaked to grant and deny access to events related to different subjects,

Subjec types: /user/, /party/, /org/, /organisation/, urn:altinn:userid, urn:altinn:org, urn:altinn:partyid, urn:altinn:organization:identifier-no, urn:altinn:person:identifier-no, urn:altinn:skobutikk the final one being a random URN Events knows nothing about, but that is defined in the policy file.

Test with policies giving and denying the consumer access to the provided subjects and register a subscription, and then events with the provided subject and subject values not provided in the policy to see if response is as expected.

Acceptance Criterias

• [x] A policy using roles as access subject can give users with a role access to events.

[SandGrainOne]

Testing

Environment: AT22
Resource (Event source): generic-events-dagl-subscribe Person: 20813349761 FORNØYD KLANG DAGL: Organisasjonsnummer: 312718871, Organisasjonsnavn: OVERMODIG ALFABETISK KATT TORN, PartyId: 51582036

NOTE: Can't use normal JWT generated by Authentication after login. It doesn't have subscription scope.

Token generator parameters for identified person above: &userId=20012377&partyId=50139037&pid=20813349761

Subscription request

{
  "endpoint": "https://not.dot.no/webhook",
  "resourceFilter": "urn:altinn:resource:generic-events-dagl-subscribe",
  "subjectFilter": "urn:altinn:organization:identifier-no:312718971"
}

• This test is successful, a subscription were created.
• Tested also without subjectFilter and with a different unrelated organisation number. Both of those gave 401 Unauthorized.

Publish CloudEvent

{
  "id": "{{$guid}}",
  "time": "{{$isoTimestamp}}",
  "type": "something.happened.right.now",
  "source": "https://platform.at22.altinn.cloud/foo/api/v1",
  "resource": "urn:altinn:resource:generic-events-dagl-subscribe",
  "subject": "urn:altinn:organization:identifier-no:312718871",
  "specversion": "1.0"
}

• Test is successful
• The subscription endpoint is getting calls from Events with the expected events.
• Events with other subjects is not sent to the endpoint

Get Events

Example request:

https://platform.at22.altinn.cloud/events/api/v1/events?resource=urn:altinn:resource:generic-events-dagl-subscribe&after=6d3741fd-b473-41e9-b6f5-d2b53c69743c

• Test is successful
• The user gets a filtered list of Events. All included events have subject 312718871 (Other events have been made.)
• For generic events, subject is not a required filter parameter on the GET (list) endpoint

https://platform.at22.altinn.cloud/events/api/v1/events?resource=urn:altinn:resource:generic-events-dagl-subscribe&after=6d3741fd-b473-41e9-b6f5-d2b53c69743c&subject=urn:altinn:organization:identifier-no:312718871

• Test successful
• Returned list contains events with correct subject.
• Changing anything with the subject parameter results in an empty list.

[SandGrainOne]

The last changes are working as expected.

I can create a subscription where subject filter is on the format /party/51582036. The subscription is getting events using the same subject format. User can also GET a list of events when providing a subject on the format /party/51582036. Events on other formats are excluded.

We should consider normalizing the values. Convert any event subject and subject filter in a subscription to the same format. Let's look into that in a separate issue.