From 4f0344f6cb8f3a606d5bb3eaa9118ecd5bf66ebf Mon Sep 17 00:00:00 2001
From: Phil Schneider
Date: Mon, 31 Jul 2023 14:21:59 +0200
Subject: [PATCH] chore: add identity check to policy CompanyUser and ServiceAccount

Refs: CPLP-2863
---
 .../Controllers/CompanyDataController.cs | 6 ------
 .../Controllers/ConnectorsController.cs | 5 -----
 .../Controllers/InvitationController.cs | 1 -
 .../Framework.Web/StartupServiceExtensions.cs | 12 ++++++++++--
 .../Controllers/AppReleaseProcessController.cs | 5 -----
 .../Controllers/ServiceReleaseController.cs | 4 ----
 6 files changed, 10 insertions(+), 23 deletions(-)

diff --git a/src/administration/Administration.Service/Controllers/CompanyDataController.cs b/src/administration/Administration.Service/Controllers/CompanyDataController.cs
index 84f29f9fe6..8516987d03 100644
--- a/src/administration/Administration.Service/Controllers/CompanyDataController.cs
+++ b/src/administration/Administration.Service/Controllers/CompanyDataController.cs
@@ -146,7 +146,6 @@ public IAsyncEnumerable GetCompanyRoleAndConsentAgre
 /// All agreement need to get signed
 [HttpPost]
 [Authorize(Roles = "view_company_data")]
- [Authorize(Policy = PolicyTypes.ValidIdentity)]
 [Authorize(Policy = PolicyTypes.ValidCompany)]
 [Route("companyRolesAndConsents")]
 [ProducesResponseType(typeof(NoContentResult), StatusCodes.Status204NoContent)]
@@ -194,7 +193,6 @@ public Task> GetSsiCertificationData() =>
 /// Returns a collection of certificates.
 [HttpGet]
 [Authorize(Roles = "request_ssicredential")]
- [Authorize(Policy = PolicyTypes.ValidCompany)]
 [Route("certificateTypes")]
 [ProducesResponseType(typeof(IEnumerable), StatusCodes.Status200OK)]
 public IAsyncEnumerable GetCertificateTypes() =>
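Review bot: Dropping `[Authorize(Policy = PolicyTypes.ValidIdentity)]` from `companyRolesAndConsents` leaves that endpoint guarded by `ValidCompany` alone, and only the `CompanyUser` and `ServiceAccount` policies gained the IdentityId requirement in this commit, so the presence and GUID format of the IdentityId claim is no longer enforced here before the action runs. If the action or its business logic reads the identity id from the claims (not visible in this hunk), a token carrying a valid CompanyId but a missing or malformed IdentityId now passes authorization instead of being rejected. Either keep `[Authorize(Policy = PolicyTypes.ValidIdentity)]` on this endpoint or, where the caller type is known, replace `ValidCompany` with `[Authorize(Policy = PolicyTypes.CompanyUser)]` (or `ServiceAccount`), which now carries the check. The same applies to the `useCaseParticipation` and `certificates` hunks of this file, to the create, `managed`, `trigger-daps` and `connectorUrl` hunks in ConnectorsController, the `updateappdoc`, `createapp` and `{appId}` hunks in AppReleaseProcessController, and the `addservice` and `updateservicedoc` hunks in ServiceReleaseController; the endpoints that keep `CompanyUser` or `ServiceAccount` are unaffected.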
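Review bot: The line removed at `certificateTypes` is `[Authorize(Policy = PolicyTypes.ValidCompany)]`, not `ValidIdentity`, so this hunk changes which claim is required rather than deduplicating a check the new `CompanyUser`/`ServiceAccount` policies already cover. After the change the endpoint is reachable with only the `request_ssicredential` role and no CompanyId claim validation; if `GetCertificateTypes` does not use the company id that may be intended, but the commit message only mentions the identity check. Please either restore the attribute or state the reason for the loosened policy in the commit description, e.g. `certificateTypes is company-independent and no longer requires ValidCompany`.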
@@ -211,7 +209,6 @@ public IAsyncEnumerable GetCertificateTypes() =>
 [HttpPost]
 [Consumes("multipart/form-data")]
 [Authorize(Roles = "request_ssicredential")]
- [Authorize(Policy = PolicyTypes.ValidIdentity)]
 [Authorize(Policy = PolicyTypes.ValidCompany)]
 [Route("useCaseParticipation")]
 [ProducesResponseType(StatusCodes.Status204NoContent)]
@@ -232,7 +229,6 @@ public async Task CreateUseCaseParticipation([FromForm] UseCase
 [HttpPost]
 [Consumes("multipart/form-data")]
 [Authorize(Roles = "request_ssicredential")]
- [Authorize(Policy = PolicyTypes.ValidIdentity)]
 [Authorize(Policy = PolicyTypes.ValidCompany)]
 [Route("certificates")]
 [ProducesResponseType(StatusCodes.Status204NoContent)]
@@ -277,7 +273,6 @@ public async Task CreateSsiCertificate([FromForm] SsiCertificat
 /// Successfully approved the credentials.
 [HttpPut]
 [Authorize(Roles = "decision_ssicredential")]
- [Authorize(Policy = PolicyTypes.ValidIdentity)]
 [Authorize(Policy = PolicyTypes.CompanyUser)]
 [Route("credentials/{credentialId}/approval")]
 [ProducesResponseType(StatusCodes.Status204NoContent)]
@@ -296,7 +291,6 @@ public async Task ApproveCredential([FromRoute] Guid credential
 /// Successfully rejected the credentials.
 [HttpPut]
 [Authorize(Roles = "decision_ssicredential")]
- [Authorize(Policy = PolicyTypes.ValidIdentity)]
 [Authorize(Policy = PolicyTypes.CompanyUser)]
 [Route("credentials/{credentialId}/reject")]
 [ProducesResponseType(StatusCodes.Status204NoContent)]
diff --git a/src/administration/Administration.Service/Controllers/ConnectorsController.cs b/src/administration/Administration.Service/Controllers/ConnectorsController.cs
index 34fc0f186e..5a869b74e5 100644
--- a/src/administration/Administration.Service/Controllers/ConnectorsController.cs
+++ b/src/administration/Administration.Service/Controllers/ConnectorsController.cs
@@ -119,7 +119,6 @@ public Task GetCompanyConnectorByIdForCurrentUserAsync([FromRoute
 [Route("")]
 [Authorize(Roles = "add_connectors")]
 [Authorize(Policy = PolicyTypes.ValidCompany)]
- [Authorize(Policy = PolicyTypes.ValidIdentity)]
 [ProducesResponseType(typeof(Guid), StatusCodes.Status201Created)]
 [ProducesResponseType(typeof(ErrorResponse), StatusCodes.Status400BadRequest)]
 [ProducesResponseType(typeof(ErrorResponse), StatusCodes.Status503ServiceUnavailable)]
@@ -143,7 +142,6 @@ public async Task CreateConnectorAsync([FromForm] Connecto
 [Route("managed")]
 [Authorize(Roles = "add_connectors")]
 [Authorize(Policy = PolicyTypes.ValidCompany)]
- [Authorize(Policy = PolicyTypes.ValidIdentity)]
 [ProducesResponseType(typeof(Guid), StatusCodes.Status201Created)]
 [ProducesResponseType(typeof(ErrorResponse), StatusCodes.Status400BadRequest)]
 [ProducesResponseType(typeof(ErrorResponse), StatusCodes.Status503ServiceUnavailable)]
@@ -171,7 +169,6 @@ public async Task CreateManagedConnectorAsync([FromForm] M
 [Route("trigger-daps/{connectorId:guid}")]
 [Authorize(Roles = "notexistingrole")]
 [Authorize(Policy = PolicyTypes.ValidCompany)]
- [Authorize(Policy = PolicyTypes.ValidIdentity)]
 [ProducesResponseType(typeof(bool), StatusCodes.Status200OK)]
 [ProducesResponseType(typeof(ErrorResponse), StatusCodes.Status400BadRequest)]
 [ProducesResponseType(typeof(ErrorResponse), StatusCodes.Status404NotFound)]
@@ -227,7 +224,6 @@ public IAsyncEnumerable GetCompanyConnectorEndPointAsync(
 [HttpPost]
 [Authorize(Roles = "submit_connector_sd")]
 [Route("clearinghouse/selfDescription")]
- [Authorize(Policy = PolicyTypes.ValidIdentity)]
 [Authorize(Policy = PolicyTypes.ServiceAccount)]
 [ProducesResponseType(StatusCodes.Status204NoContent)]
 [ProducesResponseType(typeof(ErrorResponse), StatusCodes.Status409Conflict)]
@@ -254,7 +250,6 @@ public async Task ProcessClearinghouseSelfDescription([FromBody
 [HttpPut]
 [Route("{connectorId:guid}/connectorUrl")]
 [Authorize(Roles = "modify_connectors")]
- [Authorize(Policy = PolicyTypes.ValidIdentity)]
 [Authorize(Policy = PolicyTypes.ValidCompany)]
 [ProducesResponseType(StatusCodes.Status204NoContent)]
 [ProducesResponseType(typeof(ErrorResponse), StatusCodes.Status400BadRequest)]
diff --git a/src/administration/Administration.Service/Controllers/InvitationController.cs b/src/administration/Administration.Service/Controllers/InvitationController.cs
index a64b42d8f1..4242d11c61 100644
--- a/src/administration/Administration.Service/Controllers/InvitationController.cs
+++ b/src/administration/Administration.Service/Controllers/InvitationController.cs
@@ -63,7 +63,6 @@ public InvitationController(IInvitationBusinessLogic logic)
 /// user is not associated with company.
 [HttpPost]
 [Authorize(Roles = "invite_new_partner")]
- [Authorize(Policy = PolicyTypes.ValidIdentity)]
 [Authorize(Policy = PolicyTypes.CompanyUser)]
 [ProducesResponseType(StatusCodes.Status200OK)]
 [ProducesResponseType(typeof(ErrorResponse), StatusCodes.Status400BadRequest)]
diff --git a/src/framework/Framework.Web/StartupServiceExtensions.cs b/src/framework/Framework.Web/StartupServiceExtensions.cs
index d8b5c7a05f..f64bdd4809 100644
--- a/src/framework/Framework.Web/StartupServiceExtensions.cs
+++ b/src/framework/Framework.Web/StartupServiceExtensions.cs
@@ -77,8 +77,16 @@ public static IServiceCollection AddDefaultServices(this IServiceColle
 {
 options.AddPolicy(PolicyTypes.ValidIdentity, policy => policy.Requirements.Add(new MandatoryGuidClaimRequirement(PortalClaimTypes.IdentityId)));
 options.AddPolicy(PolicyTypes.ValidCompany, policy => policy.Requirements.Add(new MandatoryGuidClaimRequirement(PortalClaimTypes.CompanyId)));
- options.AddPolicy(PolicyTypes.CompanyUser, policy => policy.Requirements.Add(new MandatoryEnumTypeClaimRequirement(PortalClaimTypes.IdentityType, IdentityTypeId.COMPANY_USER)));
- options.AddPolicy(PolicyTypes.ServiceAccount, policy => policy.Requirements.Add(new MandatoryEnumTypeClaimRequirement(PortalClaimTypes.IdentityType, IdentityTypeId.COMPANY_SERVICE_ACCOUNT)));
+ options.AddPolicy(PolicyTypes.CompanyUser, policy =>
+ {
+ policy.Requirements.Add(new MandatoryEnumTypeClaimRequirement(PortalClaimTypes.IdentityType, IdentityTypeId.COMPANY_USER));
+ policy.Requirements.Add(new MandatoryGuidClaimRequirement(PortalClaimTypes.IdentityId));
+ });
+ options.AddPolicy(PolicyTypes.ServiceAccount, policy =>
+ {
+ policy.Requirements.Add(new MandatoryEnumTypeClaimRequirement(PortalClaimTypes.IdentityType, IdentityTypeId.COMPANY_SERVICE_ACCOUNT));
+ policy.Requirements.Add(new MandatoryGuidClaimRequirement(PortalClaimTypes.IdentityId));
+ });
 });

 JwtSecurityTokenHandler.DefaultInboundClaimTypeMap.Clear();
diff --git a/src/marketplace/Apps.Service/Controllers/AppReleaseProcessController.cs b/src/marketplace/Apps.Service/Controllers/AppReleaseProcessController.cs
index 25c416e367..2f37099152 100644
--- a/src/marketplace/Apps.Service/Controllers/AppReleaseProcessController.cs
+++ b/src/marketplace/Apps.Service/Controllers/AppReleaseProcessController.cs
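Review bot: The `MandatoryGuidClaimRequirement(PortalClaimTypes.IdentityId)` requirement is now spelled out three times (ValidIdentity, CompanyUser, ServiceAccount) with nothing recording that the last two are meant to subsume the first, which is what justifies removing `ValidIdentity` from the controllers elsewhere in this commit. A comment above the `CompanyUser` policy such as `// CompanyUser and ServiceAccount also enforce the ValidIdentity requirement; endpoints guarded only by ValidCompany must still apply ValidIdentity explicitly` would make that relationship visible to the next person touching the controllers. Hoisting the requirement into a local, e.g. `var validIdentity = new MandatoryGuidClaimRequirement(PortalClaimTypes.IdentityId);` added to all three policies, would also keep them from drifting apart; this assumes the requirement carries no per-policy state, which the hunk does not show. `AddDefaultServices` begins and ends outside the hunk.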
@@ -95,7 +95,6 @@ public async Task UpdateApp([FromRoute] Guid appId, [FromBody]
 [HttpPut]
 [Route("updateappdoc/{appId}/documentType/{documentTypeId}/documents")]
 [Authorize(Roles = "app_management")]
- [Authorize(Policy = PolicyTypes.ValidIdentity)]
 [Authorize(Policy = PolicyTypes.ValidCompany)]
 [Consumes("multipart/form-data")]
 [RequestFormLimits(ValueLengthLimit = 819200, MultipartBodyLengthLimit = 819200)]
@@ -250,7 +249,6 @@ public IAsyncEnumerable GetAppProviderSalesManagerAsync() =
 [HttpPost]
 [Route("createapp")]
 [Authorize(Roles = "add_apps")]
- [Authorize(Policy = PolicyTypes.ValidIdentity)]
 [Authorize(Policy = PolicyTypes.ValidCompany)]
 [ProducesResponseType(typeof(Guid), StatusCodes.Status201Created)]
 [ProducesResponseType(typeof(ErrorResponse), StatusCodes.Status400BadRequest)]
@@ -276,7 +274,6 @@ public async Task ExecuteAppCreation([FromBody] AppRequest
 [HttpPut]
 [Route("{appId}")]
 [Authorize(Roles = "edit_apps")]
- [Authorize(Policy = PolicyTypes.ValidIdentity)]
 [Authorize(Policy = PolicyTypes.ValidCompany)]
 [ProducesResponseType(StatusCodes.Status204NoContent)]
 [ProducesResponseType(typeof(ErrorResponse), StatusCodes.Status400BadRequest)]
@@ -342,7 +339,6 @@ public async Task SubmitAppReleaseRequest([FromRoute] Guid appI
 [HttpPut]
 [Route("{appId}/approveApp")]
 [Authorize(Roles = "approve_app_release")]
- [Authorize(Policy = PolicyTypes.ValidIdentity)]
 [Authorize(Policy = PolicyTypes.CompanyUser)]
 [ProducesResponseType(StatusCodes.Status204NoContent)]
 [ProducesResponseType(typeof(ErrorResponse), StatusCodes.Status404NotFound)]
@@ -382,7 +378,6 @@ public Task GetPrivacyPolicyDataAsync() =>
 [HttpPut]
 [Route("{appId:guid}/declineApp")]
 [Authorize(Roles = "decline_app_release")]
- [Authorize(Policy = PolicyTypes.ValidIdentity)]
 [Authorize(Policy = PolicyTypes.CompanyUser)]
 [ProducesResponseType(StatusCodes.Status204NoContent)]
 [ProducesResponseType(typeof(ErrorResponse), StatusCodes.Status400BadRequest)]
diff --git a/src/marketplace/Services.Service/Controllers/ServiceReleaseController.cs b/src/marketplace/Services.Service/Controllers/ServiceReleaseController.cs
index 836ab92803..556f32e12f 100644
--- a/src/marketplace/Services.Service/Controllers/ServiceReleaseController.cs
+++ b/src/marketplace/Services.Service/Controllers/ServiceReleaseController.cs
@@ -206,7 +206,6 @@ public async Task DeleteServiceDocumentsAsync([FromRoute] Guid
 [HttpPost]
 [Route("addservice")]
 [Authorize(Roles = "add_service_offering")]
- [Authorize(Policy = PolicyTypes.ValidIdentity)]
 [Authorize(Policy = PolicyTypes.ValidCompany)]
 [ProducesResponseType(typeof(OfferProviderResponse), StatusCodes.Status201Created)]
 [ProducesResponseType(typeof(ErrorResponse), StatusCodes.Status400BadRequest)]
@@ -276,7 +275,6 @@ public async Task SubmitService([FromRoute] Guid serviceId)
 [HttpPut]
 [Route("{serviceId}/approveService")]
 [Authorize(Roles = "approve_service_release")]
- [Authorize(Policy = PolicyTypes.ValidIdentity)]
 [Authorize(Policy = PolicyTypes.CompanyUser)]
 [ProducesResponseType(StatusCodes.Status204NoContent)]
 [ProducesResponseType(typeof(ErrorResponse), StatusCodes.Status404NotFound)]
@@ -303,7 +301,6 @@ public async Task ApproveServiceRequest([FromRoute] Guid servic
 [HttpPut]
 [Route("{serviceId:guid}/declineService")]
 [Authorize(Roles = "decline_service_release")]
- [Authorize(Policy = PolicyTypes.ValidIdentity)]
 [Authorize(Policy = PolicyTypes.CompanyUser)]
 [ProducesResponseType(StatusCodes.Status204NoContent)]
 [ProducesResponseType(typeof(ErrorResponse), StatusCodes.Status400BadRequest)]
@@ -334,7 +331,6 @@ public async Task DeclineServiceRequest([FromRoute] Guid servic
 [HttpPut]
 [Route("updateservicedoc/{serviceId}/documentType/{documentTypeId}/documents")]
 [Authorize(Roles = "add_service_offering")]
- [Authorize(Policy = PolicyTypes.ValidIdentity)]
 [Authorize(Policy = PolicyTypes.ValidCompany)]
 [Consumes("multipart/form-data")]
 [RequestFormLimits(ValueLengthLimit = 819200, MultipartBodyLengthLimit = 819200)]