Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[WIP] feat: Add support for legacy enterprise users #634

Closed
wants to merge 3 commits into from
Closed

[WIP] feat: Add support for legacy enterprise users #634

wants to merge 3 commits into from

Conversation

elsand
Copy link
Member

@elsand elsand commented Apr 14, 2024
edited
Loading

This add support for Altinn 2 legacy enterprise users ("virksomhetsbrukere")

Description

This introduces the concept of "user types", and generalizes IUserNameRegistry in order to support legacy Altinn 2 enterprise users, and adds additional extension methods in ClaimsPrincipalExtensions. This should lay some of the ground work required to support the new system users.

This means we no longer require a pid claim to be present in EU-endpoints requiring authorization; a urn:altinn:userId + urn:altinn:username or valid org. number in consumer will be deemed sufficient, and will cause a authorization request to be made. Altinn Authorization already utilizes urn:altinn:userid when enriching the request with roles if a resource party is supplied, so this makes it possible to use enterprise users (which don't have a pid claim) to use Dialogporten.

Allowing just a consumer claim will open for XACML policies with rules identifying specific organization numbers. This is not used in Altinn-contexts today, but it makes little sense to actively not support it as it might be more relevant in services external to Altinn.

This also introduces middleware to validate whether a valid user type is present. IUserNameRegistry and handlers have been refactored to assume that this is handled.

Tasks/considerations

Related Issue(s)

Verification

  • Your code builds clean without any errors or warnings
  • Manual testing done (required)
  • Relevant automated test added (if you find this hard, leave it and we'll help out)

Documentation

  • Documentation is updated (either in docs-directory, Altinnpedia or a separate linked PR in altinn-studio-docs., if applicable)

@elsand elsand requested a review from a team as a code owner April 14, 2024 09:26
oskogstad
oskogstad previously approved these changes Apr 14, 2024
View reviewed changes
@sonarqubecloud SonarQubeCloud
Copy link

Quality Gate Passed Quality Gate passed

Issues
2 New issues
0 Accepted issues

Measures
0 Security Hotspots
No data about Coverage
0.0% Duplication on New Code

See analysis details on SonarCloud

@elsand
Copy link
Member Author

elsand commented Apr 15, 2024

Mht seen-log må vi få inn userType i databasen også. Men mht til #386 ønsker vi nok ikke å ha den med i hashen eller sjekk om om isCurrentUser ..?

@elsand
Copy link
Member Author

elsand commented Apr 16, 2024

Ser det bør gjøres en hel del refaktorering for å introdusere et slikt brukertype-konsept. Legger denne litt på is inntil videre; dette går også i beina på PR628

@elsand elsand changed the title feat: Add support for legacy enterprise users [WIP] feat: Add support for legacy enterprise users Apr 16, 2024
@elsand elsand closed this Apr 22, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@oskogstad oskogstad oskogstad left review comments

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@elsand @oskogstad