Altinn · tomshag · Jan 8, 2024 · Jan 8, 2024 · Jan 8, 2024 · Jan 8, 2024
diff --git a/Test/Altinn.Broker.Tests/Altinn.Broker.Tests.csproj b/Test/Altinn.Broker.Tests/Altinn.Broker.Tests.csproj
@@ -23,4 +23,11 @@
   <ItemGroup>
 	  <ProjectReference Include="..\..\src\Altinn.Broker\Altinn.Broker.csproj" />
   </ItemGroup>
+
+  <ItemGroup>
+    <Content Include="..\..\Test\Altinn.Broker.Tests\Data\*.json">
+    <CopyToOutputDirectory>PreserveNewest</CopyToOutputDirectory>
+    </Content>
+  </ItemGroup>
+
 </Project>
diff --git a/Test/Altinn.Broker.Tests/Data/MalwareScanResult_Malicious.json b/Test/Altinn.Broker.Tests/Data/MalwareScanResult_Malicious.json
@@ -1,6 +1,6 @@
 {
   "data": {
-      "blobUri": "https://aitest0192991825827sa.blob.core.windows.net/brokerfiles/EICAR antivirus test file.txt",
+      "blobUri": "https://aitest0192991825827sa.blob.core.windows.net/brokerfiles/--FILEID--",
       "correlationId": "2ee9f258-c96a-4982-9e6e-16b8485d71da",
       "eTag": "0x8DBF7C56A86430D",
       "scanFinishedTimeUtc": "2023-12-08T08:12:31.9933275Z",
@@ -17,6 +17,6 @@
   "eventType": "Microsoft.Security.MalwareScanningResult",
   "id": "2ee9f258-c96a-4982-9e6e-16b8485d71da",
   "metadataVersion": "1",
-  "subject": "storageAccounts/aitest0192991825827sa/containers/brokerfiles/blobs/EICAR antivirus test file.txt",
+  "subject": "storageAccounts/aitest0192991825827sa/containers/brokerfiles/blobs/--FILEID--",
   "topic": "/subscriptions/81cc3a6b-dfdf-49c7-96f0-3efddb159356/resourceGroups/serviceowner-test-0192-991825827-rg/providers/Microsoft.EventGrid/topics/test-broker-defenderresults"
 }
diff --git a/Test/Altinn.Broker.Tests/Data/MalwareScanResult_NoThreatFound.json b/Test/Altinn.Broker.Tests/Data/MalwareScanResult_NoThreatFound.json
@@ -1,6 +1,6 @@
 {
     "data": {
-        "blobUri": "https://aitest0192991825827sa.blob.core.windows.net/brokerfiles/emptydoctest.txt",
+        "blobUri": "https://aitest0192991825827sa.blob.core.windows.net/brokerfiles/--FILEID--",
         "correlationId": "21c48159-e5ef-4376-ba96-4f8d6e0f1c7f",
         "eTag": "0x8DBF7C550ADB6E7",
         "scanFinishedTimeUtc": "2023-12-08T08:11:44.9457492Z",
@@ -12,6 +12,6 @@
     "eventType": "Microsoft.Security.MalwareScanningResult",
     "id": "21c48159-e5ef-4376-ba96-4f8d6e0f1c7f",
     "metadataVersion": "1",
-    "subject": "storageAccounts/aitest0192991825827sa/containers/brokerfiles/blobs/emptydoctest.txt",
+    "subject": "storageAccounts/aitest0192991825827sa/containers/brokerfiles/blobs/--FILEID--",
     "topic": "/subscriptions/81cc3a6b-dfdf-49c7-96f0-3efddb159356/resourceGroups/serviceowner-test-0192-991825827-rg/providers/Microsoft.EventGrid/topics/test-broker-defenderresults"
 }
diff --git a/Test/Altinn.Broker.Tests/Data/WebHookSubscriptionValidationTest.json b/Test/Altinn.Broker.Tests/Data/WebHookSubscriptionValidationTest.json
@@ -0,0 +1,13 @@
+[{
+    "id": "2d1781af-3a4c-4d7c-bd0c-e34b19da4e66",
+    "topic": "/subscriptions/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx",
+    "subject": "",
+    "data": {
+      "validationCode": "512d38b6-c7b8-40c8-89fe-f46f9e9622b6",
+      "validationUrl": "https://www.contoso.com/"
+    },
+    "eventType": "Microsoft.EventGrid.SubscriptionValidationEvent",
+    "eventTime": "2018-01-25T22:12:19.4556811Z",
+    "metadataVersion": "1",
+    "dataVersion": "1"
+}]
diff --git a/Test/Altinn.Broker.Tests/MalwareScanResultControllerTests.cs b/Test/Altinn.Broker.Tests/MalwareScanResultControllerTests.cs
@@ -59,11 +59,13 @@ public async Task MalwareScanFoundNoThreat_Success()
         {
             content.Headers.ContentType = new MediaTypeHeaderValue("application/octet-stream");
             var uploadResponse = await _senderClient.PostAsync($"broker/api/v1/file/{fileId}/upload", content);
-            Assert.True(uploadResponse.IsSuccessStatusCode);
+            string response = await uploadResponse.Content.ReadAsStringAsync();
+            Assert.True(uploadResponse.IsSuccessStatusCode, "Response: " + response);
         }
 
-        // Webhook
-        string jsonBody = "{\"data\":{\"blobUri\":\"https://aitest0192991825827sa.blob.core.windows.net/brokerfiles/" + fileId + "\",\"correlationId\":\"21c48159-e5ef-4376-ba96-4f8d6e0f1c7f\",\"eTag\":\"0x8DBF7C550ADB6E7\",\"scanFinishedTimeUtc\":\"2023-12-08T08:11:44.9457492Z\",\"scanResultDetails\":null,\"scanResultType\":\"No threats found\"},\"dataVersion\":\"1.0\",\"eventTime\":\"2023-12-08T08:11:44.9464641Z\",\"eventType\":\"Microsoft.Security.MalwareScanningResult\",\"id\":\"21c48159-e5ef-4376-ba96-4f8d6e0f1c7f\",\"metadataVersion\":\"1\",\"subject\":\"storageAccounts/aitest0192991825827sa/containers/brokerfiles/blobs/emptydoctest.txt\",\"topic\":\"/subscriptions/81cc3a6b-dfdf-49c7-96f0-3efddb159356/resourceGroups/serviceowner-test-0192-991825827-rg/providers/Microsoft.EventGrid/topics/test-broker-defenderresults\"}";
+        // Webhook        
+        string jsonBody = File.ReadAllText("Data/MalwareScanResult_NoThreatFound.json");
+        jsonBody = jsonBody.Replace("--FILEID--", fileId);
         var result = await _webhookClient.PostAsync("broker/api/v1/webhooks/malwarescanresults", new StringContent(jsonBody, Encoding.UTF8, "application/json"));
 
         Assert.Equal(System.Net.HttpStatusCode.OK, result.StatusCode);
@@ -97,7 +99,8 @@ public async Task MalwareScanFoundMaliciousSignature_Success()
         Assert.True(fileAfterUpload.FileStatus == FileStatusExt.Published); // When running integration test this happens instantly as of now.
 
         // Webhook
-        string jsonBody = "{\"data\":{\"blobUri\":\"https://aitest0192991825827sa.blob.core.windows.net/brokerfiles/" + fileId + "\",\"correlationId\":\"2ee9f258-c96a-4982-9e6e-16b8485d71da\",\"eTag\":\"0x8DBF7C56A86430D\",\"scanFinishedTimeUtc\":\"2023-12-08T08:12:31.9933275Z\",\"scanResultDetails\":{\"malwareNamesFound\":[\"Virus:DOS/EICAR_Test_File\"],\"sha256\":\"275A021BBFB6489E54D471899F7DB9D1663FC695EC2FE2A2C4538AABF651FD0F\"},\"scanResultType\":\"Malicious\"},\"dataVersion\":\"1.0\",\"eventTime\":\"2023-12-08T08:12:31.9939079Z\",\"eventType\":\"Microsoft.Security.MalwareScanningResult\",\"id\":\"2ee9f258-c96a-4982-9e6e-16b8485d71da\",\"metadataVersion\":\"1\",\"subject\":\"storageAccounts/aitest0192991825827sa/containers/brokerfiles/blobs/EICAR antivirus test file.txt\",\"topic\":\"/subscriptions/81cc3a6b-dfdf-49c7-96f0-3efddb159356/resourceGroups/serviceowner-test-0192-991825827-rg/providers/Microsoft.EventGrid/topics/test-broker-defenderresults\"}";
+        string jsonBody = File.ReadAllText("Data/MalwareScanResult_Malicious.json");
+        jsonBody = jsonBody.Replace("--FILEID--", fileId);
         var result = await _webhookClient.PostAsync("broker/api/v1/webhooks/malwarescanresults", new StringContent(jsonBody, Encoding.UTF8, "application/json"));
 
         Assert.Equal(System.Net.HttpStatusCode.OK, result.StatusCode);
@@ -108,4 +111,15 @@ public async Task MalwareScanFoundMaliciousSignature_Success()
         Assert.NotNull(scannedFile);
         Assert.True(scannedFile.FileStatus == FileStatusExt.Failed);
     }
+
+    [Fact]
+    public async Task MalwareScanWebhookSubscription_OK()
+    {
+        // Webhook
+        string jsonBody = File.ReadAllText("Data/WebHookSubscriptionValidationTest.json");
+        var result = await _webhookClient.PostAsync("broker/api/v1/webhooks/malwarescanresults", new StringContent(jsonBody, Encoding.UTF8, "application/json"));
+        string rs = await result.Content.ReadAsStringAsync();
+        Assert.Equal(System.Net.HttpStatusCode.OK, result.StatusCode);
+        Assert.Equal("{\"validationResponse\":\"512d38b6-c7b8-40c8-89fe-f46f9e9622b6\"}", rs);
+    }
 }
diff --git a/src/Altinn.Broker/Altinn.Broker.csproj b/src/Altinn.Broker/Altinn.Broker.csproj
@@ -1,4 +1,4 @@
-<Project Sdk="Microsoft.NET.Sdk.Web">
+<Project Sdk="Microsoft.NET.Sdk.Web">
 
   <PropertyGroup>
     <TargetFramework>net8.0</TargetFramework>
@@ -11,9 +11,9 @@
     <PackageReference Include="Hangfire.AspNetCore" Version="1.8.6" />
     <PackageReference Include="Hangfire.MemoryStorage" Version="1.8.0" />
     <PackageReference Include="Hangfire.PostgreSql" Version="1.20.4" />
+    <PackageReference Include="Microsoft.AspNet.WebApi.Core" Version="5.3.0" />     
     <PackageReference Include="Microsoft.ApplicationInsights" Version="2.22.0" />
     <PackageReference Include="Microsoft.ApplicationInsights.AspNetCore" Version="2.22.0" />
-    <PackageReference Include="Microsoft.AspNet.WebApi.Core" Version="5.3.0" />
     <PackageReference Include="Microsoft.AspNetCore.Authentication.JwtBearer" Version="8.0.0" />
     <PackageReference Include="Microsoft.AspNetCore.OpenApi" Version="8.0.0" />
     <PackageReference Include="Microsoft.Identity.Web" Version="2.16.0" />
@@ -23,6 +23,7 @@
     <PackageReference Include="Serilog.Sinks.ApplicationInsights" Version="4.0.0" />
     <PackageReference Include="Swashbuckle.AspNetCore" Version="6.5.0" />
     <PackageReference Include="Newtonsoft.Json" Version="13.0.3" />
+    <PackageReference Include="Azure.Messaging.EventGrid" Version="4.21.0" />
   </ItemGroup>
 
   <ItemGroup>

diff --git a/src/Altinn.Broker/Controllers/MalwareScanResultsController.cs b/src/Altinn.Broker/Controllers/MalwareScanResultsController.cs
@@ -1,12 +1,18 @@
 using System.Net;
+using System.Text.Json.Serialization;
 
 using Altinn.Broker.Core.Repositories;
 using Altinn.Broker.Webhooks.Models;
 
+using Azure.Messaging.EventGrid;
+using Azure.Messaging.EventGrid.SystemEvents;
+
 using Microsoft.AspNetCore.Authentication.JwtBearer;
 using Microsoft.AspNetCore.Authorization;
 using Microsoft.AspNetCore.Mvc;
 
+using Newtonsoft.Json;
+
 namespace Altinn.Broker.Webhooks.Controllers
 {
     [ApiController]
@@ -22,35 +28,51 @@ public MalwareScanResultsController(IFileRepository fileRepository, IFileStatusR
             _fileStatusRepository = fileStatusRepository;
         }
 
-        /// <summary>
-        /// Used to receive Malware Scan Results from Azure Defender.
-        /// </summary>
-        /// <returns>Should always return 200 OK when file status has been updated by Scan Result</returns>
         [HttpPost]
-        public ActionResult ProcessMalwareScanResults(EventMessage eventMessage)
+        public ActionResult ProcessMalwareScanResult()
         {
-            this.Response.StatusCode = (int)HttpStatusCode.OK;
-            string blobUri = eventMessage.Data.BlobUri;
-            string fileIdFromUri = blobUri.Split("/").Last();
-
-            string result = eventMessage.Data.ScanResultType;
-            Guid fileId = Guid.Parse(fileIdFromUri);
-
-            if (fileId == Guid.Empty)
+            BinaryData events = BinaryData.FromStreamAsync(this.Request.Body).Result;
+            EventGridEvent[] eventGridEvents = EventGridEvent.ParseMany(events);
+            foreach (EventGridEvent eventGridEvent in eventGridEvents)
             {
-                return NotFound();
-            }
+                if (eventGridEvent.TryGetSystemEventData(out object eventData))
+                {
+                    if (eventData is SubscriptionValidationEventData subscriptionValidationEventData)
+                    {
+                        // TODO: validate that eventGridEvent WebHook subscription is actually from an Altinn Azure Defender EventGrid
+                        var responseData = new
+                        {
+                            ValidationResponse = subscriptionValidationEventData.ValidationCode
+                        };
+                        return new OkObjectResult(responseData);
+                    }
+                }
+                else if (eventGridEvent.EventType == "Microsoft.Security.MalwareScanningResult")
+                {
+                    string jsonString = eventGridEvent.Data.ToString();
+                    ScanResultData result = JsonConvert.DeserializeObject<ScanResultData>(jsonString);
+                    string fileIdFromUri = result.BlobUri.Split("/")
+                                                         .Last() ?? Guid.Empty.ToString();
+                    Guid fileId = Guid.Parse(fileIdFromUri);
+                    if (fileId == Guid.Empty)
+                    {
+                        return NotFound();
+                    }
 
-            if (result.Equals("malicious", StringComparison.InvariantCultureIgnoreCase))
-            {
-                _fileStatusRepository.InsertFileStatus(fileId, Core.Domain.Enums.FileStatus.Failed);
-                return Ok();
-            }
-            else
-            {
-                _fileStatusRepository.InsertFileStatus(fileId, Core.Domain.Enums.FileStatus.Published);
-                return Ok();
+                    if (result.ScanResultType.Equals("malicious", StringComparison.InvariantCultureIgnoreCase))
+                    {
+                        _fileStatusRepository.InsertFileStatus(fileId, Core.Domain.Enums.FileStatus.Failed);
+                        return Ok();
+                    }
+                    else
+                    {
+                        _fileStatusRepository.InsertFileStatus(fileId, Core.Domain.Enums.FileStatus.Published);
+                        return Ok();
+                    }
+                }
             }
+
+            return Ok();
         }
     }
 }