Add name property to API actions #2032

Open
1 of 5 tasks
elsand opened this issue Mar 11, 2025 · 2 comments
elsand commented Mar 11, 2025

Introduction

This adds a name property to API-actions, which can be used by EUS-es to navigate to the correct action without looking at the URL.

Description

Often there are distinct actions that require the same XACML action to be authorized, e.g. correspondence:

"apiActions": [
        {
            "id": "01956b2c-59db-720c-a7c7-89cb924f3a75",
            "action": "read",
            "isAuthorized": true,
            "endpoints": [
                {
                    "id": "01956b2c-59db-720c-a76e-20f369c8b64b",
                    "version": "v1",
                    "url": "https://platform.tt02.altinn.no/correspondence/api/v1/correspondence/01956b2c-55bd-77fb-89ce-8c4a80f85fdc",
                    "httpMethod": "GET",
                    "deprecated": false
                }
            ]
        },
        {
            "id": "01956b2c-59db-720c-a796-c2cfcfdd5d9f",
            "action": "write",
            "isAuthorized": true,
            "endpoints": [
                {
                    "id": "01956b2c-59db-720c-a7a2-74ba1b2eba4f",
                    "url": "https://platform.tt02.altinn.no/correspondence/api/v1/correspondence/01956b2c-55bd-77fb-89ce-8c4a80f85fdc/confirm",
                    "httpMethod": "POST",
                    "deprecated": false
                }
            ]
        },        
        {
            "id": "01956b2c-59db-720c-a7c2-26201abbf8f0",
            "action": "write",
            "isAuthorized": true,
            "endpoints": [
                {
                    "id": "01956b2c-59db-720c-a7cc-dee5473ba96f",
                    "url": "https://platform.tt02.altinn.no/correspondence/api/v1/correspondence/01956b2c-55bd-77fb-89ce-8c4a80f85fdc/purge",
                    "httpMethod": "DELETE",
                    "deprecated": false
                }
            ]
        },
        {
            "id": "01956b2c-59db-720c-a7d0-b43baadec8ad",
            "action": "write",
            "isAuthorized": true,
            "endpoints": [
                {
                    "id": "01956b2c-59db-720c-a7d7-3c94d09b19f3",
                    "url": "https://platform.tt02.altinn.no/correspondence/api/v1/correspondence/01956b2c-55bd-77fb-89ce-8c4a80f85fdc/markasread",
                    "httpMethod": "POST",
                    "deprecated": false
                }
            ]
        }        
    ]

Currently, the only way for a system to differentiate the various write-actions is to look at the URL, which we want to avoid. By adding an optional "name"-property, which can be the logical name for the apiAction, this can be remedied.

Tasks

  • Add nullable field to entity
  • DB migration
  • Add nullable name property to all DTOs
  • Add validation (standard max 255 chars, if supplied)

Threat Modelling

  • I have considered potential security risks (if risks were found, please list them below)

Acceptance criteria

GIVEN an API action with a name value
WHEN the API action is retrieved
THEN the name value should be returned in the response

GIVEN a request to create or update an API action with a name value
WHEN the name value is 255 characters or less
THEN the API action should be created or updated with the provided name

GIVEN a request to create or update an API action with a name value
WHEN the name value exceeds 255 characters
THEN the request should be rejected with an appropriate validation error

GIVEN a request to create or update an API action without a name value
WHEN the API action is processed
THEN the API action should be created or updated with a null name value

@elsand elsand moved this from New issues to Sprint Backlog in Dialogporten / Arbeidsflate Mar 11, 2025
@knuhau knuhau self-assigned this Mar 11, 2025
@knuhau knuhau moved this from Sprint Backlog to Doing in Dialogporten / Arbeidsflate Mar 11, 2025
knuhau added a commit that referenced this issue Mar 11, 2025
## Description

Added an optional name field to ApiActions, to allow for easier
identification of the purpose of the action.

## Related Issue(s)

- #2032 

## Verification

- [x] **Your** code builds clean without any errors or warnings
- [x] Manual testing done (required)
- [ ] Relevant automated test added (if you find this hard, leave it and
we'll help out)

## Documentation

- [ ] Documentation is updated (either in `docs`-directory, Altinnpedia
or a separate linked PR in
[altinn-studio-docs.](https://github.com/Altinn/altinn-studio-docs), if
applicable)
@knuhau knuhau moved this from Doing to Code Review og PR in Dialogporten / Arbeidsflate Mar 11, 2025
@knuhau knuhau moved this from Code Review og PR to Testing in Dialogporten / Arbeidsflate Mar 11, 2025
LeifHelstad commented Mar 19, 2025

Test

TC-100 + TC-200

🟢 basically looks good

Covers these:

GIVEN an API action with a name value
WHEN the API action is retrieved
THEN the name value should be returned in the response

GIVEN a request to create or update an API action with a name value
WHEN the name value is 255 characters or less
THEN the API action should be created or updated with the provided name

TC-300

🟢 the length restriction is in effect

Covers:

GIVEN a request to create or update an API action with a name value
WHEN the name value exceeds 255 characters
THEN the request should be rejected with an appropriate validation error

TC-400

🟢 with no "name" supplied, the response will not contain any name either

Covers:

GIVEN a request to create or update an API action without a name value
WHEN the API action is processed
THEN the API action should be created or updated with a null name value

@LeifHelstad
Note

🟡 If "name" is supplied as an empty string, it is accepted that name is an empty string, and it stays that way. But there is no requirement against this, so it passes the test.
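
The acceptance criteria and the empty-string observation above, as an added example that is not part of the issue thread or the project's code. It shows the length rule for the optional name and a consumer selecting an action by name without reading endpoint URLs. `validate_name`, `find_action`, the sample data and the treatment of duplicate or empty names as lookup errors are assumptions made here.

```python
MAX_NAME_LENGTH = 255  # task list: "standard max 255 chars, if supplied"


def validate_name(name):
    """Return validation errors for the optional apiAction name (empty list = valid)."""
    if name is None:
        return []  # omitted name is stored as null
    if not isinstance(name, str):
        return ["name must be a string or null"]
    if len(name) > MAX_NAME_LENGTH:
        return [f"name must be at most {MAX_NAME_LENGTH} characters"]
    return []  # "" is accepted here, matching the behaviour observed in testing


def find_action(api_actions, name):
    """Pick an apiAction by logical name; endpoint URLs are never inspected."""
    if not name:
        # An empty name can be stored, so refuse to use it as a lookup key.
        raise ValueError("a non-empty logical name is required for lookup")
    matches = [a for a in api_actions if a.get("name") == name]
    if len(matches) != 1:
        # Assumption: names are not guaranteed unique, so ambiguity is an error.
        raise LookupError(f"expected one action named {name!r}, found {len(matches)}")
    action = matches[0]
    if action.get("isAuthorized") is not True:  # boolean true only, not "true"
        raise PermissionError(f"action {name!r} is not authorized")
    return action


# Constructed sample: the shape follows the issue's apiActions JSON; ids, host
# and name values are made up for illustration.
SAMPLE_ACTIONS = [
    {"id": "a1", "action": "read", "isAuthorized": True,
     "endpoints": [{"url": "https://api.example.test/c/1", "httpMethod": "GET"}]},
    {"id": "a2", "action": "write", "name": "confirm", "isAuthorized": True,
     "endpoints": [{"url": "https://api.example.test/c/1/confirm", "httpMethod": "POST"}]},
    {"id": "a3", "action": "write", "name": "purge", "isAuthorized": False,
     "endpoints": [{"url": "https://api.example.test/c/1/purge", "httpMethod": "DELETE"}]},
    {"id": "a4", "action": "write", "name": "", "isAuthorized": True,
     "endpoints": [{"url": "https://api.example.test/c/1/markasread", "httpMethod": "POST"}]},
]

if __name__ == "__main__":
    chosen = find_action(SAMPLE_ACTIONS, "confirm")
    print(chosen["id"], chosen["endpoints"][0]["httpMethod"])
```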
