Altinn · tomshag · Jan 8, 2024 · Jan 8, 2024 · Jan 8, 2024 · Jan 8, 2024
diff --git a/Test/Altinn.Broker.Tests/Data/WebHookSubscriptionValidationTest.json b/Test/Altinn.Broker.Tests/Data/WebHookSubscriptionValidationTest.json
@@ -0,0 +1,13 @@
+[{
+    "id": "2d1781af-3a4c-4d7c-bd0c-e34b19da4e66",
+    "topic": "/subscriptions/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx",
+    "subject": "",
+    "data": {
+      "validationCode": "512d38b6-c7b8-40c8-89fe-f46f9e9622b6",
+      "validationUrl": "https://www.contoso.com/"
+    },
+    "eventType": "Microsoft.EventGrid.SubscriptionValidationEvent",
+    "eventTime": "2018-01-25T22:12:19.4556811Z",
+    "metadataVersion": "1",
+    "dataVersion": "1"
+}]
diff --git a/Test/Altinn.Broker.Tests/MalwareScanResultControllerTests.cs b/Test/Altinn.Broker.Tests/MalwareScanResultControllerTests.cs
@@ -108,4 +108,15 @@ public async Task MalwareScanFoundMaliciousSignature_Success()
         Assert.NotNull(scannedFile);
         Assert.True(scannedFile.FileStatus == FileStatusExt.Failed);
     }
+
+    [Fact]
+    public async Task MalwareScanWebhookSubscription_OK()
+    {
+        // Webhook
+        string jsonBody = "[{\"id\":\"2d1781af-3a4c-4d7c-bd0c-e34b19da4e66\",\"topic\":\"/subscriptions/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx\",\"subject\":\"\",\"data\":{\"validationCode\":\"512d38b6-c7b8-40c8-89fe-f46f9e9622b6\",\"validationUrl\":\"https://www.contoso.com/\"},\"eventType\":\"Microsoft.EventGrid.SubscriptionValidationEvent\",\"eventTime\":\"2018-01-25T22:12:19.4556811Z\",\"metadataVersion\":\"1\",\"dataVersion\":\"1\"}]";
+        var result = await _webhookClient.PostAsync("broker/api/v1/webhooks/malwarescanresults", new StringContent(jsonBody, Encoding.UTF8, "application/json"));
+        string rs = result.Content.ReadAsStringAsync().Result;
+        Assert.Equal(System.Net.HttpStatusCode.OK, result.StatusCode);
+        Assert.Equal("{\"validationResponse\":\"512d38b6-c7b8-40c8-89fe-f46f9e9622b6\"}", rs);
+    }
 }
diff --git a/src/Altinn.Broker/Altinn.Broker.csproj b/src/Altinn.Broker/Altinn.Broker.csproj
@@ -1,4 +1,4 @@
-<Project Sdk="Microsoft.NET.Sdk.Web">
+<Project Sdk="Microsoft.NET.Sdk.Web">
 
   <PropertyGroup>
     <TargetFramework>net8.0</TargetFramework>
@@ -23,6 +23,7 @@
     <PackageReference Include="Serilog.Sinks.ApplicationInsights" Version="4.0.0" />
     <PackageReference Include="Swashbuckle.AspNetCore" Version="6.5.0" />
     <PackageReference Include="Newtonsoft.Json" Version="13.0.3" />
+    <PackageReference Include="Azure.Messaging.EventGrid" Version="4.21.0" />
   </ItemGroup>
 
   <ItemGroup>

diff --git a/src/Altinn.Broker/Controllers/MalwareScanResultsController.cs b/src/Altinn.Broker/Controllers/MalwareScanResultsController.cs
@@ -1,12 +1,18 @@
 using System.Net;
+using System.Text.Json.Serialization;
 
 using Altinn.Broker.Core.Repositories;
 using Altinn.Broker.Webhooks.Models;
 
+using Azure.Messaging.EventGrid;
+using Azure.Messaging.EventGrid.SystemEvents;
+
 using Microsoft.AspNetCore.Authentication.JwtBearer;
 using Microsoft.AspNetCore.Authorization;
 using Microsoft.AspNetCore.Mvc;
 
+using Newtonsoft.Json;
+
 namespace Altinn.Broker.Webhooks.Controllers
 {
     [ApiController]
@@ -22,35 +28,51 @@ public MalwareScanResultsController(IFileRepository fileRepository, IFileStatusR
             _fileStatusRepository = fileStatusRepository;
         }
 
-        /// <summary>
-        /// Used to receive Malware Scan Results from Azure Defender.
-        /// </summary>
-        /// <returns>Should always return 200 OK when file status has been updated by Scan Result</returns>
         [HttpPost]
-        public ActionResult ProcessMalwareScanResults(EventMessage eventMessage)
-        {
-            this.Response.StatusCode = (int)HttpStatusCode.OK;
-            string blobUri = eventMessage.Data.BlobUri;
-            string fileIdFromUri = blobUri.Split("/").Last();
-
-            string result = eventMessage.Data.ScanResultType;
-            Guid fileId = Guid.Parse(fileIdFromUri);
-
-            if (fileId == Guid.Empty)
+        public ActionResult ProcessMalwareScanResult()
+        {            
+            BinaryData events = BinaryData.FromStreamAsync(this.Request.Body).Result;
+            EventGridEvent[] eventGridEvents = EventGridEvent.ParseMany(events);
+            foreach(EventGridEvent eventGridEvent in eventGridEvents)
             {
-                return NotFound();
-            }
+                if(eventGridEvent.TryGetSystemEventData(out object eventData))
+                {
+                    if(eventData is SubscriptionValidationEventData subscriptionValidationEventData)
+                    {
+                        // TODO: validate that eventGridEvent WebHook subscription is actually from an Altinn Azure Defender EventGrid
+                        var responseData = new
+                        {
+                            ValidationResponse = subscriptionValidationEventData.ValidationCode
+                        };
+                        return new OkObjectResult(responseData);
+                    }
+                }
+                else if (eventGridEvent.EventType == "Microsoft.Security.MalwareScanningResult")
+                {
+                    string jsonString = eventGridEvent.Data.ToString();
+                    ScanResultData result = JsonConvert.DeserializeObject<ScanResultData>(jsonString);
+                    string fileIdFromUri = result.BlobUri.Split("/")
+                                                         .Last() ?? Guid.Empty.ToString();
+                    Guid fileId = Guid.Parse(fileIdFromUri);                    
+                    if (fileId == Guid.Empty)
+                    {
+                        return NotFound();
+                    }
 
-            if (result.Equals("malicious", StringComparison.InvariantCultureIgnoreCase))
-            {
-                _fileStatusRepository.InsertFileStatus(fileId, Core.Domain.Enums.FileStatus.Failed);
-                return Ok();
-            }
-            else
-            {
-                _fileStatusRepository.InsertFileStatus(fileId, Core.Domain.Enums.FileStatus.Published);
-                return Ok();
+                    if (result.ScanResultType.Equals("malicious", StringComparison.InvariantCultureIgnoreCase))
+                    {
+                        _fileStatusRepository.InsertFileStatus(fileId, Core.Domain.Enums.FileStatus.Failed);
+                        return Ok();
+                    }
+                    else
+                    {
+                        _fileStatusRepository.InsertFileStatus(fileId, Core.Domain.Enums.FileStatus.Published);
+                        return Ok();
+                    }
+                }
             }
+
+            return Ok();
         }
     }
 }