Closed SandGrainOne closed 1 week ago
Environment: AT22
Resource (Event source): generic-events-dagl-subscribe
Person: 20813349761 FORNØYD KLANG
DAGL: Organisasjonsnummer: 312718871, Organisasjonsnavn: OVERMODIG ALFABETISK KATT TORN, PartyId: 51582036
NOTE: Can't use normal JWT generated by Authentication after login. It doesn't have subscription scope.
Token generator parameters for identified person above: &userId=20012377&partyId=50139037&pid=20813349761
{
  "endpoint": "https://not.dot.no/webhook",
  "resourceFilter": "urn:altinn:resource:generic-events-dagl-subscribe",
  "subjectFilter": "urn:altinn:organization:identifier-no:312718971"
}
subjectFilter
and with a different unrelated organisation number. Both of those gave 401 Unauthorized.
{
  "id": "{{$guid}}",
  "time": "{{$isoTimestamp}}",
  "type": "something.happened.right.now",
  "source": "https://platform.at22.altinn.cloud/foo/api/v1",
  "resource": "urn:altinn:resource:generic-events-dagl-subscribe",
  "subject": "urn:altinn:organization:identifier-no:312718871",
  "specversion": "1.0"
}
Example requests:
https://platform.at22.altinn.cloud/events/api/v1/events?resource=urn:altinn:resource:generic-events-dagl-subscribe&after=6d3741fd-b473-41e9-b6f5-d2b53c69743c
https://platform.at22.altinn.cloud/events/api/v1/events?resource=urn:altinn:resource:generic-events-dagl-subscribe&after=6d3741fd-b473-41e9-b6f5-d2b53c69743c&subject=urn:altinn:organization:identifier-no:312718871
The last changes are working as expected.
I can create a subscription where the subject filter is in the format /party/51582036. The subscription is getting events using the same subject format. The user can also GET a list of events when providing a subject in the format /party/51582036. Events in other formats are excluded.
We should consider normalizing the values. Convert any event subject and subject filter in a subscription to the same format. Let's look into that in a separate issue.
Description
Authorization logic for generic events must be updated to include subject in the authorization request.
Authorization when creating a subscription needs to use the subjectFilter and authorization of an event should use the subject.
Additional Information
Tasks
Test cases
We want to test various types of subjects for cloud events in generic events. Generate a resource in the resource registry with a policy that can be tweaked to grant and deny access to events related to different subjects.
Subject types:
/user/
/party/
/org/
/organisation/
urn:altinn:userid
urn:altinn:org
urn:altinn:partyid
urn:altinn:organization:identifier-no
urn:altinn:person:identifier-no
urn:altinn:skobutikk
The final one is a random URN that Events knows nothing about, but that is defined in the policy file. Test with policies giving and denying the consumer access to the provided subjects: register a subscription, then send events both with the provided subject and with subject values not provided in the policy, and check that the response is as expected.
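As an added example (not the project's own code), the subject normalization proposed in the comment above and the subject-aware authorization the description asks for, covering the subject types listed in the test cases. The canonical attribute ids chosen for the path formats, the authorization request shape and the policy shape are assumptions for illustration, not the platform's own mapping or XACML profile.

```python
from typing import NamedTuple

class Subject(NamedTuple):
    attribute_id: str
    value: str

# Legacy path prefixes mapped to an assumed canonical URN attribute id.
_PATH_PREFIXES = {
    "/user/": "urn:altinn:userid",
    "/party/": "urn:altinn:partyid",
    "/org/": "urn:altinn:org",
    "/organisation/": "urn:altinn:organization:identifier-no",
}

def normalize_subject(subject: str) -> Subject:
    """Split any of the listed subject formats into (attribute id, value).
    Unknown URNs such as urn:altinn:skobutikk:42 are kept as-is so the
    policy, not the events component, decides whether they grant access."""
    for prefix, attr in _PATH_PREFIXES.items():
        if subject.startswith(prefix):
            value = subject[len(prefix):]
            if not value or "/" in value:
                raise ValueError(f"malformed subject: {subject!r}")
            return Subject(attr, value)
    attr, sep, value = subject.rpartition(":")
    # Require at least urn:<namespace>:<type>:<value>.
    if subject.startswith("urn:") and sep and value and attr.count(":") >= 2:
        return Subject(attr, value)
    raise ValueError(f"unsupported subject format: {subject!r}")

def subject_matches(subject_filter: str, event_subject: str) -> bool:
    """A subscription matches an event only when both normalize to the same subject."""
    return normalize_subject(subject_filter) == normalize_subject(event_subject)

def build_authorization_request(consumer: str, resource: str, subject: str, action: str) -> dict:
    """Authorization request carrying the subject next to the resource (assumed shape).
    Pass the subjectFilter when creating a subscription, the event subject for an event."""
    return {"consumer": consumer, "action": action, "resource": resource,
            "subject": normalize_subject(subject)}

def is_authorized(policy: dict, request: dict) -> bool:
    """Toy policy decision: policy maps consumer -> set of allowed
    (resource, subject attribute id, subject value, action) tuples."""
    subj = request["subject"]
    rule = (request["resource"], subj.attribute_id, subj.value, request["action"])
    return rule in policy.get(request["consumer"], set())
```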
Acceptance Criteria