From a25a5ee1ca49a5cb5adf71e05facfe288cfe7697 Mon Sep 17 00:00:00 2001 From: Axel Marquez Date: Thu, 12 Sep 2024 19:34:34 -0600 Subject: [PATCH 1/3] Reference the newly generated Security repository --- .../EdFi.Ods.Api.IntegrationTestHarness.csproj | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/Application/EdFi.Ods.Api.IntegrationTestHarness/EdFi.Ods.Api.IntegrationTestHarness.csproj b/Application/EdFi.Ods.Api.IntegrationTestHarness/EdFi.Ods.Api.IntegrationTestHarness.csproj index 317b3b387..c45ebe0ea 100644 --- a/Application/EdFi.Ods.Api.IntegrationTestHarness/EdFi.Ods.Api.IntegrationTestHarness.csproj +++ b/Application/EdFi.Ods.Api.IntegrationTestHarness/EdFi.Ods.Api.IntegrationTestHarness.csproj @@ -37,7 +37,7 @@ - + From eb2369094ed441c84b3881edb720c8415bdfcdd8 Mon Sep 17 00:00:00 2001 From: Axel Marquez Date: Thu, 12 Sep 2024 19:51:32 -0600 Subject: [PATCH 2/3] Add tests --- ...0060-Token-Introspection-Auth-Metadata.sql | 344 ++++++++++++++++++ ...0060-Token-Introspection-Auth-Metadata.xml | 37 ++ ...0060-Token-Introspection-Auth-Metadata.sql | 326 +++++++++++++++++ ...0060-Token-Introspection-Auth-Metadata.xml | 37 ++ .../postmanTestHarnessConfiguration.json | 17 + 5 files changed, 761 insertions(+) create mode 100644 Application/EdFi.Ods.Api.IntegrationTestHarness/Artifacts/MsSql/Data/Security/0060-Token-Introspection-Auth-Metadata.sql create mode 100644 Application/EdFi.Ods.Api.IntegrationTestHarness/Artifacts/MsSql/Data/Security/0060-Token-Introspection-Auth-Metadata.xml create mode 100644 Application/EdFi.Ods.Api.IntegrationTestHarness/Artifacts/PgSql/Data/Security/0060-Token-Introspection-Auth-Metadata.sql create mode 100644 Application/EdFi.Ods.Api.IntegrationTestHarness/Artifacts/PgSql/Data/Security/0060-Token-Introspection-Auth-Metadata.xml 
diff --git a/Application/EdFi.Ods.Api.IntegrationTestHarness/Artifacts/MsSql/Data/Security/0060-Token-Introspection-Auth-Metadata.sql b/Application/EdFi.Ods.Api.IntegrationTestHarness/Artifacts/MsSql/Data/Security/0060-Token-Introspection-Auth-Metadata.sql
new file mode 100644
index 000000000..2e405992a
--- /dev/null
+++ b/Application/EdFi.Ods.Api.IntegrationTestHarness/Artifacts/MsSql/Data/Security/0060-Token-Introspection-Auth-Metadata.sql
@@ -0,0 +1,344 @@ + +-- SPDX-License-Identifier: Apache-2.0 +-- Licensed to the Ed-Fi Alliance under one or more agreements. +-- The Ed-Fi Alliance licenses this file to you under the Apache License, Version 2.0. +-- See the LICENSE and NOTICES files in the project root for more information. + +BEGIN + DECLARE + @claimId AS INT, + @claimName AS nvarchar(max), + @parentResourceClaimId AS INT, + @existingParentResourceClaimId AS INT, + @claimSetId AS INT, + @claimSetName AS nvarchar(max), + @authorizationStrategyId AS INT, + @msg AS nvarchar(max), + @createActionId AS INT, + @readActionId AS INT, + @updateActionId AS INT, + @deleteActionId AS INT, + @readChangesActionId AS INT, + @resourceClaimActionId AS INT, + @claimSetResourceClaimActionId AS INT + + DECLARE @claimIdStack AS TABLE (Id INT IDENTITY, ResourceClaimId INT) + + SELECT @createActionId = ActionId + FROM [dbo].[Actions] WHERE ActionName = 'Create'; + + SELECT @readActionId = ActionId + FROM [dbo].[Actions] WHERE ActionName = 'Read'; + + SELECT @updateActionId = ActionId + FROM [dbo].[Actions] WHERE ActionName = 'Update'; + + SELECT @deleteActionId = ActionId + FROM [dbo].[Actions] WHERE ActionName = 'Delete'; + + SELECT @readChangesActionId = ActionId + FROM [dbo].[Actions] WHERE ActionName = 'ReadChanges'; + + BEGIN TRANSACTION + + -- Push claimId to the stack + INSERT INTO @claimIdStack (ResourceClaimId) VALUES (@claimId) + + -- Processing children of root + ---------------------------------------------------------------------------------------------------------------------------- + -- Resource Claim: 'http://ed-fi.org/ods/identity/claims/domains/educationStandards' + ---------------------------------------------------------------------------------------------------------------------------- + SET @claimName = 'http://ed-fi.org/ods/identity/claims/domains/educationStandards' + SET @claimId = NULL + + SELECT @claimId = ResourceClaimId, @existingParentResourceClaimId = ParentResourceClaimId + FROM 
dbo.ResourceClaims + WHERE ClaimName = @claimName + + SELECT @parentResourceClaimId = ResourceClaimId + FROM @claimIdStack + WHERE Id = (SELECT Max(Id) FROM @claimIdStack) + + IF @claimId IS NULL + BEGIN + PRINT 'Creating new claim: ' + @claimName + + INSERT INTO dbo.ResourceClaims(ResourceName, ClaimName, ParentResourceClaimId) + VALUES ('educationStandards', 'http://ed-fi.org/ods/identity/claims/domains/educationStandards', @parentResourceClaimId) + + SET @claimId = SCOPE_IDENTITY() + END + ELSE + BEGIN + IF @parentResourceClaimId != @existingParentResourceClaimId OR (@parentResourceClaimId IS NULL AND @existingParentResourceClaimId IS NOT NULL) OR (@parentResourceClaimId IS NOT NULL AND @existingParentResourceClaimId IS NULL) + BEGIN + PRINT 'Repointing claim ''' + @claimName + ''' (ResourceClaimId=' + CONVERT(nvarchar, @claimId) + ') to new parent (ResourceClaimId=' + CONVERT(nvarchar, @parentResourceClaimId) + ')' + + UPDATE dbo.ResourceClaims + SET ParentResourceClaimId = @parentResourceClaimId + WHERE ResourceClaimId = @claimId + END + END + + -- Processing claim sets for http://ed-fi.org/ods/identity/claims/domains/educationStandards + ---------------------------------------------------------------------------------------------------------------------------- + -- Claim set: 'Token Introspection Test' + ---------------------------------------------------------------------------------------------------------------------------- + SET @claimSetName = 'Token Introspection Test' + SET @claimSetId = NULL + + SELECT @claimSetId = ClaimSetId + FROM dbo.ClaimSets + WHERE ClaimSetName = @claimSetName + + IF @claimSetId IS NULL + BEGIN + PRINT 'Creating new claim set: ' + @claimSetName + + INSERT INTO dbo.ClaimSets(ClaimSetName) + VALUES (@claimSetName) + + SET @claimSetId = SCOPE_IDENTITY() + END + + PRINT 'Deleting existing actions for claim set ''' + @claimSetName + ''' (claimSetId=' + CONVERT(nvarchar, @claimSetId) + ') on resource claim ''' + @claimName + '''.' 
+ + DELETE FROM dbo.ClaimSetResourceClaimActionAuthorizationStrategyOverrides + WHERE ClaimSetResourceClaimActionId IN (SELECT ClaimSetResourceClaimActionId FROM dbo.ClaimSetResourceClaimActions WHERE ClaimSetId = @claimSetId AND ResourceClaimId = @claimId) + + DELETE FROM dbo.ClaimSetResourceClaimActions + WHERE ClaimSetId = @claimSetId AND ResourceClaimId = @claimId + + + -- Claim set-specific Create authorization + PRINT 'Creating ''Create'' action for claim set ''' + @claimSetName + ''' (claimSetId=' + CONVERT(nvarchar, @claimSetId) + ', actionId = ' + CONVERT(nvarchar, @CreateActionId) + ').' + + INSERT INTO dbo.ClaimSetResourceClaimActions(ResourceClaimId, ClaimSetId, ActionId) + VALUES (@claimId, @claimSetId, @CreateActionId) -- Create + + SET @claimSetResourceClaimActionId = SCOPE_IDENTITY() + + + + + -- Claim set-specific Read authorization + PRINT 'Creating ''Read'' action for claim set ''' + @claimSetName + ''' (claimSetId=' + CONVERT(nvarchar, @claimSetId) + ', actionId = ' + CONVERT(nvarchar, @ReadActionId) + ').' 
+ + INSERT INTO dbo.ClaimSetResourceClaimActions(ResourceClaimId, ClaimSetId, ActionId) + VALUES (@claimId, @claimSetId, @ReadActionId) -- Read + + SET @claimSetResourceClaimActionId = SCOPE_IDENTITY() + + + + ---------------------------------------------------------------------------------------------------------------------------- + -- Resource Claim: 'http://ed-fi.org/ods/identity/claims/domains/systemDescriptors' + ---------------------------------------------------------------------------------------------------------------------------- + SET @claimName = 'http://ed-fi.org/ods/identity/claims/domains/systemDescriptors' + SET @claimId = NULL + + SELECT @claimId = ResourceClaimId, @existingParentResourceClaimId = ParentResourceClaimId + FROM dbo.ResourceClaims + WHERE ClaimName = @claimName + + SELECT @parentResourceClaimId = ResourceClaimId + FROM @claimIdStack + WHERE Id = (SELECT Max(Id) FROM @claimIdStack) + + IF @claimId IS NULL + BEGIN + PRINT 'Creating new claim: ' + @claimName + + INSERT INTO dbo.ResourceClaims(ResourceName, ClaimName, ParentResourceClaimId) + VALUES ('systemDescriptors', 'http://ed-fi.org/ods/identity/claims/domains/systemDescriptors', @parentResourceClaimId) + + SET @claimId = SCOPE_IDENTITY() + END + ELSE + BEGIN + IF @parentResourceClaimId != @existingParentResourceClaimId OR (@parentResourceClaimId IS NULL AND @existingParentResourceClaimId IS NOT NULL) OR (@parentResourceClaimId IS NOT NULL AND @existingParentResourceClaimId IS NULL) + BEGIN + PRINT 'Repointing claim ''' + @claimName + ''' (ResourceClaimId=' + CONVERT(nvarchar, @claimId) + ') to new parent (ResourceClaimId=' + CONVERT(nvarchar, @parentResourceClaimId) + ')' + + UPDATE dbo.ResourceClaims + SET ParentResourceClaimId = @parentResourceClaimId + WHERE ResourceClaimId = @claimId + END + END + + -- Push claimId to the stack + INSERT INTO @claimIdStack (ResourceClaimId) VALUES (@claimId) + + -- Processing children of 
http://ed-fi.org/ods/identity/claims/domains/systemDescriptors + ---------------------------------------------------------------------------------------------------------------------------- + -- Resource Claim: 'http://ed-fi.org/ods/identity/claims/ed-fi/stateAbbreviationDescriptor' + ---------------------------------------------------------------------------------------------------------------------------- + SET @claimName = 'http://ed-fi.org/ods/identity/claims/ed-fi/stateAbbreviationDescriptor' + SET @claimId = NULL + + SELECT @claimId = ResourceClaimId, @existingParentResourceClaimId = ParentResourceClaimId + FROM dbo.ResourceClaims + WHERE ClaimName = @claimName + + SELECT @parentResourceClaimId = ResourceClaimId + FROM @claimIdStack + WHERE Id = (SELECT Max(Id) FROM @claimIdStack) + + IF @claimId IS NULL + BEGIN + PRINT 'Creating new claim: ' + @claimName + + INSERT INTO dbo.ResourceClaims(ResourceName, ClaimName, ParentResourceClaimId) + VALUES ('stateAbbreviationDescriptor', 'http://ed-fi.org/ods/identity/claims/ed-fi/stateAbbreviationDescriptor', @parentResourceClaimId) + + SET @claimId = SCOPE_IDENTITY() + END + ELSE + BEGIN + IF @parentResourceClaimId != @existingParentResourceClaimId OR (@parentResourceClaimId IS NULL AND @existingParentResourceClaimId IS NOT NULL) OR (@parentResourceClaimId IS NOT NULL AND @existingParentResourceClaimId IS NULL) + BEGIN + PRINT 'Repointing claim ''' + @claimName + ''' (ResourceClaimId=' + CONVERT(nvarchar, @claimId) + ') to new parent (ResourceClaimId=' + CONVERT(nvarchar, @parentResourceClaimId) + ')' + + UPDATE dbo.ResourceClaims + SET ParentResourceClaimId = @parentResourceClaimId + WHERE ResourceClaimId = @claimId + END + END + + -- Processing claim sets for http://ed-fi.org/ods/identity/claims/ed-fi/stateAbbreviationDescriptor + ---------------------------------------------------------------------------------------------------------------------------- + -- Claim set: 'Token Introspection Test' + 
---------------------------------------------------------------------------------------------------------------------------- + SET @claimSetName = 'Token Introspection Test' + SET @claimSetId = NULL + + SELECT @claimSetId = ClaimSetId + FROM dbo.ClaimSets + WHERE ClaimSetName = @claimSetName + + IF @claimSetId IS NULL + BEGIN + PRINT 'Creating new claim set: ' + @claimSetName + + INSERT INTO dbo.ClaimSets(ClaimSetName) + VALUES (@claimSetName) + + SET @claimSetId = SCOPE_IDENTITY() + END + + PRINT 'Deleting existing actions for claim set ''' + @claimSetName + ''' (claimSetId=' + CONVERT(nvarchar, @claimSetId) + ') on resource claim ''' + @claimName + '''.' + + DELETE FROM dbo.ClaimSetResourceClaimActionAuthorizationStrategyOverrides + WHERE ClaimSetResourceClaimActionId IN (SELECT ClaimSetResourceClaimActionId FROM dbo.ClaimSetResourceClaimActions WHERE ClaimSetId = @claimSetId AND ResourceClaimId = @claimId) + + DELETE FROM dbo.ClaimSetResourceClaimActions + WHERE ClaimSetId = @claimSetId AND ResourceClaimId = @claimId + + + -- Claim set-specific Update authorization + PRINT 'Creating ''Update'' action for claim set ''' + @claimSetName + ''' (claimSetId=' + CONVERT(nvarchar, @claimSetId) + ', actionId = ' + CONVERT(nvarchar, @UpdateActionId) + ').' + + INSERT INTO dbo.ClaimSetResourceClaimActions(ResourceClaimId, ClaimSetId, ActionId) + VALUES (@claimId, @claimSetId, @UpdateActionId) -- Update + + SET @claimSetResourceClaimActionId = SCOPE_IDENTITY() + + + + + -- Claim set-specific Delete authorization + PRINT 'Creating ''Delete'' action for claim set ''' + @claimSetName + ''' (claimSetId=' + CONVERT(nvarchar, @claimSetId) + ', actionId = ' + CONVERT(nvarchar, @DeleteActionId) + ').' 
+ + INSERT INTO dbo.ClaimSetResourceClaimActions(ResourceClaimId, ClaimSetId, ActionId) + VALUES (@claimId, @claimSetId, @DeleteActionId) -- Delete + + SET @claimSetResourceClaimActionId = SCOPE_IDENTITY() + + + + + -- Pop the stack + DELETE FROM @claimIdStack WHERE Id = (SELECT Max(Id) FROM @claimIdStack) + + ---------------------------------------------------------------------------------------------------------------------------- + -- Resource Claim: 'http://ed-fi.org/ods/identity/claims/services/identity' + ---------------------------------------------------------------------------------------------------------------------------- + SET @claimName = 'http://ed-fi.org/ods/identity/claims/services/identity' + SET @claimId = NULL + + SELECT @claimId = ResourceClaimId, @existingParentResourceClaimId = ParentResourceClaimId + FROM dbo.ResourceClaims + WHERE ClaimName = @claimName + + SELECT @parentResourceClaimId = ResourceClaimId + FROM @claimIdStack + WHERE Id = (SELECT Max(Id) FROM @claimIdStack) + + IF @claimId IS NULL + BEGIN + PRINT 'Creating new claim: ' + @claimName + + INSERT INTO dbo.ResourceClaims(ResourceName, ClaimName, ParentResourceClaimId) + VALUES ('identity', 'http://ed-fi.org/ods/identity/claims/services/identity', @parentResourceClaimId) + + SET @claimId = SCOPE_IDENTITY() + END + ELSE + BEGIN + IF @parentResourceClaimId != @existingParentResourceClaimId OR (@parentResourceClaimId IS NULL AND @existingParentResourceClaimId IS NOT NULL) OR (@parentResourceClaimId IS NOT NULL AND @existingParentResourceClaimId IS NULL) + BEGIN + PRINT 'Repointing claim ''' + @claimName + ''' (ResourceClaimId=' + CONVERT(nvarchar, @claimId) + ') to new parent (ResourceClaimId=' + CONVERT(nvarchar, @parentResourceClaimId) + ')' + + UPDATE dbo.ResourceClaims + SET ParentResourceClaimId = @parentResourceClaimId + WHERE ResourceClaimId = @claimId + END + END + + -- Processing claim sets for http://ed-fi.org/ods/identity/claims/services/identity + 
---------------------------------------------------------------------------------------------------------------------------- + -- Claim set: 'Token Introspection Test' + ---------------------------------------------------------------------------------------------------------------------------- + SET @claimSetName = 'Token Introspection Test' + SET @claimSetId = NULL + + SELECT @claimSetId = ClaimSetId + FROM dbo.ClaimSets + WHERE ClaimSetName = @claimSetName + + IF @claimSetId IS NULL + BEGIN + PRINT 'Creating new claim set: ' + @claimSetName + + INSERT INTO dbo.ClaimSets(ClaimSetName) + VALUES (@claimSetName) + + SET @claimSetId = SCOPE_IDENTITY() + END + + PRINT 'Deleting existing actions for claim set ''' + @claimSetName + ''' (claimSetId=' + CONVERT(nvarchar, @claimSetId) + ') on resource claim ''' + @claimName + '''.' + + DELETE FROM dbo.ClaimSetResourceClaimActionAuthorizationStrategyOverrides + WHERE ClaimSetResourceClaimActionId IN (SELECT ClaimSetResourceClaimActionId FROM dbo.ClaimSetResourceClaimActions WHERE ClaimSetId = @claimSetId AND ResourceClaimId = @claimId) + + DELETE FROM dbo.ClaimSetResourceClaimActions + WHERE ClaimSetId = @claimSetId AND ResourceClaimId = @claimId + + + -- Claim set-specific ReadChanges authorization + PRINT 'Creating ''ReadChanges'' action for claim set ''' + @claimSetName + ''' (claimSetId=' + CONVERT(nvarchar, @claimSetId) + ', actionId = ' + CONVERT(nvarchar, @ReadChangesActionId) + ').' + + INSERT INTO dbo.ClaimSetResourceClaimActions(ResourceClaimId, ClaimSetId, ActionId) + VALUES (@claimId, @claimSetId, @ReadChangesActionId) -- ReadChanges + + SET @claimSetResourceClaimActionId = SCOPE_IDENTITY() + + + + + -- Pop the stack + DELETE FROM @claimIdStack WHERE Id = (SELECT Max(Id) FROM @claimIdStack) + + + COMMIT TRANSACTION +END 
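Review bot: The `BEGIN TRANSACTION` ... `COMMIT TRANSACTION` pair in this file runs without `SET XACT_ABORT ON` or a TRY/CATCH, so for most runtime errors (a constraint violation on one of the `dbo.ClaimSetResourceClaimActions` inserts, say, if an action lookup at the top came back NULL) only the failing statement is aborted, the batch keeps going and the COMMIT still lands, leaving the 'Token Introspection Test' claim set partially populated instead of rolled back. Adding `SET XACT_ABORT ON;` before `BEGIN TRANSACTION`, or wrapping the body in `BEGIN TRY ... END TRY BEGIN CATCH IF @@TRANCOUNT > 0 ROLLBACK TRANSACTION; THROW; END CATCH`, makes the whole metadata change atomic. The five `SELECT @...ActionId = ActionId FROM [dbo].[Actions]` lookups are also unchecked here and in the PgSql counterpart (`SELECT actionid INTO ... FROM dbo.actions`); a guard such as `IF @createActionId IS NULL THROW 50000, 'Action ''Create'' not found in dbo.Actions', 1;` before the transaction would fail fast with a readable message rather than a downstream insert error. `@msg`, `@authorizationStrategyId` and `@resourceClaimActionId` are declared but never used, and `@claimSetResourceClaimActionId` is assigned from `SCOPE_IDENTITY()` after every action insert but never read, which looks like generator-template residue that could be trimmed.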
diff --git a/Application/EdFi.Ods.Api.IntegrationTestHarness/Artifacts/MsSql/Data/Security/0060-Token-Introspection-Auth-Metadata.xml b/Application/EdFi.Ods.Api.IntegrationTestHarness/Artifacts/MsSql/Data/Security/0060-Token-Introspection-Auth-Metadata.xml new file mode 100644 index 000000000..1112e87ed --- /dev/null +++ b/Application/EdFi.Ods.Api.IntegrationTestHarness/Artifacts/MsSql/Data/Security/0060-Token-Introspection-Auth-Metadata.xml @@ -0,0 +1,37 @@ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + \ No newline at end of file diff --git a/Application/EdFi.Ods.Api.IntegrationTestHarness/Artifacts/PgSql/Data/Security/0060-Token-Introspection-Auth-Metadata.sql b/Application/EdFi.Ods.Api.IntegrationTestHarness/Artifacts/PgSql/Data/Security/0060-Token-Introspection-Auth-Metadata.sql new file mode 100644 index 000000000..38e98b24e --- /dev/null +++ b/Application/EdFi.Ods.Api.IntegrationTestHarness/Artifacts/PgSql/Data/Security/0060-Token-Introspection-Auth-Metadata.sql 
@@ -0,0 +1,326 @@ + +-- SPDX-License-Identifier: Apache-2.0 +-- Licensed to the Ed-Fi Alliance under one or more agreements. +-- The Ed-Fi Alliance licenses this file to you under the Apache License, Version 2.0. +-- See the LICENSE and NOTICES files in the project root for more information. + +DO $$ +DECLARE + claim_id INTEGER; + claim_name VARCHAR(2048); + parent_resource_claim_id INTEGER; + existing_parent_resource_claim_id INTEGER; + claim_set_id INTEGER; + claim_set_name VARCHAR(255); + authorization_strategy_id INTEGER; + create_action_id INTEGER; + read_action_id INTEGER; + update_action_id INTEGER; + delete_action_id INTEGER; + readchanges_action_id INTEGER; + resource_claim_action_id INTEGER; + claim_set_resource_claim_action_id INTEGER; + claim_id_stack INTEGER ARRAY; +BEGIN + SELECT actionid INTO create_action_id + FROM dbo.actions WHERE ActionName = 'Create'; + + SELECT actionid INTO read_action_id + FROM dbo.actions WHERE ActionName = 'Read'; + + SELECT actionid INTO update_action_id + FROM dbo.actions WHERE ActionName = 'Update'; + + SELECT actionid INTO delete_action_id + FROM dbo.actions WHERE ActionName = 'Delete'; + + SELECT actionid INTO readchanges_action_id + FROM dbo.actions WHERE ActionName = 'ReadChanges'; + + + -- Push claimId to the stack + claim_id_stack := array_append(claim_id_stack, claim_id); + + -- Processing children of root + ---------------------------------------------------------------------------------------------------------------------------- + -- Resource Claim: 'http://ed-fi.org/ods/identity/claims/domains/educationStandards' + ---------------------------------------------------------------------------------------------------------------------------- + claim_name := 'http://ed-fi.org/ods/identity/claims/domains/educationStandards'; + claim_id := NULL; + + SELECT ResourceClaimId, ParentResourceClaimId INTO claim_id, existing_parent_resource_claim_id + FROM dbo.ResourceClaims + WHERE ClaimName = claim_name; + + 
parent_resource_claim_id := claim_id_stack[array_upper(claim_id_stack, 1)]; + + IF claim_id IS NULL THEN + RAISE NOTICE 'Creating new claim: %', claim_name; + + INSERT INTO dbo.ResourceClaims(ResourceName, ClaimName, ParentResourceClaimId) + VALUES ('educationStandards', 'http://ed-fi.org/ods/identity/claims/domains/educationStandards', parent_resource_claim_id) + RETURNING ResourceClaimId + INTO claim_id; + ELSE + IF parent_resource_claim_id != existing_parent_resource_claim_id OR (parent_resource_claim_id IS NULL AND existing_parent_resource_claim_id IS NOT NULL) OR (parent_resource_claim_id IS NOT NULL AND existing_parent_resource_claim_id IS NULL) THEN + RAISE NOTICE USING MESSAGE = 'Repointing claim ''' || claim_name || ''' (ResourceClaimId=' || claim_id || ') to new parent (from ResourceClaimId=' || COALESCE(existing_parent_resource_claim_id, 0) || ' to ResourceClaimId=' || COALESCE(parent_resource_claim_id, 0) || ')'; + + UPDATE dbo.ResourceClaims + SET ParentResourceClaimId = parent_resource_claim_id + WHERE ResourceClaimId = claim_id; + END IF; + END IF; + + -- Processing claimsets for http://ed-fi.org/ods/identity/claims/domains/educationStandards + ---------------------------------------------------------------------------------------------------------------------------- + -- Claim set: 'Token Introspection Test' + ---------------------------------------------------------------------------------------------------------------------------- + claim_set_name := 'Token Introspection Test'; + claim_set_id := NULL; + + SELECT ClaimSetId INTO claim_set_id + FROM dbo.ClaimSets + WHERE ClaimSetName = claim_set_name; + + IF claim_set_id IS NULL THEN + RAISE NOTICE 'Creating new claim set: %', claim_set_name; + + INSERT INTO dbo.ClaimSets(ClaimSetName) + VALUES (claim_set_name) + RETURNING ClaimSetId + INTO claim_set_id; + END IF; + + + RAISE NOTICE USING MESSAGE = 'Deleting existing actions for claim set ''' || claim_set_name || ''' (claimSetId=' || claim_set_id || 
') on resource claim ''' || claim_name || '''.'; + + DELETE FROM dbo.ClaimSetResourceClaimActionAuthorizationStrategyOverrides + WHERE ClaimSetResourceClaimActionId IN ( + SELECT ClaimSetResourceClaimActionId FROM dbo.ClaimSetResourceClaimActions WHERE ClaimSetId = claim_set_id AND ResourceClaimId = claim_id); + + DELETE FROM dbo.ClaimSetResourceClaimActions + WHERE ClaimSetId = claim_set_id AND ResourceClaimId = claim_id; + + + + -- Claim set-specific Create authorization + RAISE NOTICE USING MESSAGE = 'Creating ''Create'' action for claim set ''' || claim_set_name || ''' (claimSetId=' || claim_set_id || ', actionId = ' || Create_action_id || ').'; + + INSERT INTO dbo.ClaimSetResourceClaimActions(ResourceClaimId, ClaimSetId, ActionId) + VALUES (claim_id, claim_set_id, Create_action_id) -- Create + RETURNING ClaimSetResourceClaimActionId + INTO claim_set_resource_claim_action_id; + + + + + -- Claim set-specific Read authorization + RAISE NOTICE USING MESSAGE = 'Creating ''Read'' action for claim set ''' || claim_set_name || ''' (claimSetId=' || claim_set_id || ', actionId = ' || Read_action_id || ').'; + + INSERT INTO dbo.ClaimSetResourceClaimActions(ResourceClaimId, ClaimSetId, ActionId) + VALUES (claim_id, claim_set_id, Read_action_id) -- Read + RETURNING ClaimSetResourceClaimActionId + INTO claim_set_resource_claim_action_id; + + + + ---------------------------------------------------------------------------------------------------------------------------- + -- Resource Claim: 'http://ed-fi.org/ods/identity/claims/domains/systemDescriptors' + ---------------------------------------------------------------------------------------------------------------------------- + claim_name := 'http://ed-fi.org/ods/identity/claims/domains/systemDescriptors'; + claim_id := NULL; + + SELECT ResourceClaimId, ParentResourceClaimId INTO claim_id, existing_parent_resource_claim_id + FROM dbo.ResourceClaims + WHERE ClaimName = claim_name; + + parent_resource_claim_id := 
claim_id_stack[array_upper(claim_id_stack, 1)]; + + IF claim_id IS NULL THEN + RAISE NOTICE 'Creating new claim: %', claim_name; + + INSERT INTO dbo.ResourceClaims(ResourceName, ClaimName, ParentResourceClaimId) + VALUES ('systemDescriptors', 'http://ed-fi.org/ods/identity/claims/domains/systemDescriptors', parent_resource_claim_id) + RETURNING ResourceClaimId + INTO claim_id; + ELSE + IF parent_resource_claim_id != existing_parent_resource_claim_id OR (parent_resource_claim_id IS NULL AND existing_parent_resource_claim_id IS NOT NULL) OR (parent_resource_claim_id IS NOT NULL AND existing_parent_resource_claim_id IS NULL) THEN + RAISE NOTICE USING MESSAGE = 'Repointing claim ''' || claim_name || ''' (ResourceClaimId=' || claim_id || ') to new parent (from ResourceClaimId=' || COALESCE(existing_parent_resource_claim_id, 0) || ' to ResourceClaimId=' || COALESCE(parent_resource_claim_id, 0) || ')'; + + UPDATE dbo.ResourceClaims + SET ParentResourceClaimId = parent_resource_claim_id + WHERE ResourceClaimId = claim_id; + END IF; + END IF; + + -- Push claimId to the stack + claim_id_stack := array_append(claim_id_stack, claim_id); + + -- Processing children of http://ed-fi.org/ods/identity/claims/domains/systemDescriptors + ---------------------------------------------------------------------------------------------------------------------------- + -- Resource Claim: 'http://ed-fi.org/ods/identity/claims/ed-fi/stateAbbreviationDescriptor' + ---------------------------------------------------------------------------------------------------------------------------- + claim_name := 'http://ed-fi.org/ods/identity/claims/ed-fi/stateAbbreviationDescriptor'; + claim_id := NULL; + + SELECT ResourceClaimId, ParentResourceClaimId INTO claim_id, existing_parent_resource_claim_id + FROM dbo.ResourceClaims + WHERE ClaimName = claim_name; + + parent_resource_claim_id := claim_id_stack[array_upper(claim_id_stack, 1)]; + + IF claim_id IS NULL THEN + RAISE NOTICE 'Creating new claim: %', 
claim_name; + + INSERT INTO dbo.ResourceClaims(ResourceName, ClaimName, ParentResourceClaimId) + VALUES ('stateAbbreviationDescriptor', 'http://ed-fi.org/ods/identity/claims/ed-fi/stateAbbreviationDescriptor', parent_resource_claim_id) + RETURNING ResourceClaimId + INTO claim_id; + ELSE + IF parent_resource_claim_id != existing_parent_resource_claim_id OR (parent_resource_claim_id IS NULL AND existing_parent_resource_claim_id IS NOT NULL) OR (parent_resource_claim_id IS NOT NULL AND existing_parent_resource_claim_id IS NULL) THEN + RAISE NOTICE USING MESSAGE = 'Repointing claim ''' || claim_name || ''' (ResourceClaimId=' || claim_id || ') to new parent (from ResourceClaimId=' || COALESCE(existing_parent_resource_claim_id, 0) || ' to ResourceClaimId=' || COALESCE(parent_resource_claim_id, 0) || ')'; + + UPDATE dbo.ResourceClaims + SET ParentResourceClaimId = parent_resource_claim_id + WHERE ResourceClaimId = claim_id; + END IF; + END IF; + + -- Processing claimsets for http://ed-fi.org/ods/identity/claims/ed-fi/stateAbbreviationDescriptor + ---------------------------------------------------------------------------------------------------------------------------- + -- Claim set: 'Token Introspection Test' + ---------------------------------------------------------------------------------------------------------------------------- + claim_set_name := 'Token Introspection Test'; + claim_set_id := NULL; + + SELECT ClaimSetId INTO claim_set_id + FROM dbo.ClaimSets + WHERE ClaimSetName = claim_set_name; + + IF claim_set_id IS NULL THEN + RAISE NOTICE 'Creating new claim set: %', claim_set_name; + + INSERT INTO dbo.ClaimSets(ClaimSetName) + VALUES (claim_set_name) + RETURNING ClaimSetId + INTO claim_set_id; + END IF; + + + RAISE NOTICE USING MESSAGE = 'Deleting existing actions for claim set ''' || claim_set_name || ''' (claimSetId=' || claim_set_id || ') on resource claim ''' || claim_name || '''.'; + + DELETE FROM 
dbo.ClaimSetResourceClaimActionAuthorizationStrategyOverrides + WHERE ClaimSetResourceClaimActionId IN ( + SELECT ClaimSetResourceClaimActionId FROM dbo.ClaimSetResourceClaimActions WHERE ClaimSetId = claim_set_id AND ResourceClaimId = claim_id); + + DELETE FROM dbo.ClaimSetResourceClaimActions + WHERE ClaimSetId = claim_set_id AND ResourceClaimId = claim_id; + + + + -- Claim set-specific Update authorization + RAISE NOTICE USING MESSAGE = 'Creating ''Update'' action for claim set ''' || claim_set_name || ''' (claimSetId=' || claim_set_id || ', actionId = ' || Update_action_id || ').'; + + INSERT INTO dbo.ClaimSetResourceClaimActions(ResourceClaimId, ClaimSetId, ActionId) + VALUES (claim_id, claim_set_id, Update_action_id) -- Update + RETURNING ClaimSetResourceClaimActionId + INTO claim_set_resource_claim_action_id; + + + + + -- Claim set-specific Delete authorization + RAISE NOTICE USING MESSAGE = 'Creating ''Delete'' action for claim set ''' || claim_set_name || ''' (claimSetId=' || claim_set_id || ', actionId = ' || Delete_action_id || ').'; + + INSERT INTO dbo.ClaimSetResourceClaimActions(ResourceClaimId, ClaimSetId, ActionId) + VALUES (claim_id, claim_set_id, Delete_action_id) -- Delete + RETURNING ClaimSetResourceClaimActionId + INTO claim_set_resource_claim_action_id; + + + + + -- Pop the stack + claim_id_stack := (select claim_id_stack[1:array_upper(claim_id_stack, 1) - 1]); + + ---------------------------------------------------------------------------------------------------------------------------- + -- Resource Claim: 'http://ed-fi.org/ods/identity/claims/services/identity' + ---------------------------------------------------------------------------------------------------------------------------- + claim_name := 'http://ed-fi.org/ods/identity/claims/services/identity'; + claim_id := NULL; + + SELECT ResourceClaimId, ParentResourceClaimId INTO claim_id, existing_parent_resource_claim_id + FROM dbo.ResourceClaims + WHERE ClaimName = claim_name; + + 
parent_resource_claim_id := claim_id_stack[array_upper(claim_id_stack, 1)]; + + IF claim_id IS NULL THEN + RAISE NOTICE 'Creating new claim: %', claim_name; + + INSERT INTO dbo.ResourceClaims(ResourceName, ClaimName, ParentResourceClaimId) + VALUES ('identity', 'http://ed-fi.org/ods/identity/claims/services/identity', parent_resource_claim_id) + RETURNING ResourceClaimId + INTO claim_id; + ELSE + IF parent_resource_claim_id != existing_parent_resource_claim_id OR (parent_resource_claim_id IS NULL AND existing_parent_resource_claim_id IS NOT NULL) OR (parent_resource_claim_id IS NOT NULL AND existing_parent_resource_claim_id IS NULL) THEN + RAISE NOTICE USING MESSAGE = 'Repointing claim ''' || claim_name || ''' (ResourceClaimId=' || claim_id || ') to new parent (from ResourceClaimId=' || COALESCE(existing_parent_resource_claim_id, 0) || ' to ResourceClaimId=' || COALESCE(parent_resource_claim_id, 0) || ')'; + + UPDATE dbo.ResourceClaims + SET ParentResourceClaimId = parent_resource_claim_id + WHERE ResourceClaimId = claim_id; + END IF; + END IF; + + -- Processing claimsets for http://ed-fi.org/ods/identity/claims/services/identity + ---------------------------------------------------------------------------------------------------------------------------- + -- Claim set: 'Token Introspection Test' + ---------------------------------------------------------------------------------------------------------------------------- + claim_set_name := 'Token Introspection Test'; + claim_set_id := NULL; + + SELECT ClaimSetId INTO claim_set_id + FROM dbo.ClaimSets + WHERE ClaimSetName = claim_set_name; + + IF claim_set_id IS NULL THEN + RAISE NOTICE 'Creating new claim set: %', claim_set_name; + + INSERT INTO dbo.ClaimSets(ClaimSetName) + VALUES (claim_set_name) + RETURNING ClaimSetId + INTO claim_set_id; + END IF; + + + RAISE NOTICE USING MESSAGE = 'Deleting existing actions for claim set ''' || claim_set_name || ''' (claimSetId=' || claim_set_id || ') on resource claim ''' || 
claim_name || '''.'; + + DELETE FROM dbo.ClaimSetResourceClaimActionAuthorizationStrategyOverrides + WHERE ClaimSetResourceClaimActionId IN ( + SELECT ClaimSetResourceClaimActionId FROM dbo.ClaimSetResourceClaimActions WHERE ClaimSetId = claim_set_id AND ResourceClaimId = claim_id); + + DELETE FROM dbo.ClaimSetResourceClaimActions + WHERE ClaimSetId = claim_set_id AND ResourceClaimId = claim_id; + + + + -- Claim set-specific ReadChanges authorization + RAISE NOTICE USING MESSAGE = 'Creating ''ReadChanges'' action for claim set ''' || claim_set_name || ''' (claimSetId=' || claim_set_id || ', actionId = ' || ReadChanges_action_id || ').'; + + INSERT INTO dbo.ClaimSetResourceClaimActions(ResourceClaimId, ClaimSetId, ActionId) + VALUES (claim_id, claim_set_id, ReadChanges_action_id) -- ReadChanges + RETURNING ClaimSetResourceClaimActionId + INTO claim_set_resource_claim_action_id; + + + + + -- Pop the stack + claim_id_stack := (select claim_id_stack[1:array_upper(claim_id_stack, 1) - 1]); + + COMMIT; + + -- TODO: Remove - For interactive development only + -- SELECT dbo.GetAuthorizationMetadataDocument(); + -- ROLLBACK; +END $$; diff --git a/Application/EdFi.Ods.Api.IntegrationTestHarness/Artifacts/PgSql/Data/Security/0060-Token-Introspection-Auth-Metadata.xml b/Application/EdFi.Ods.Api.IntegrationTestHarness/Artifacts/PgSql/Data/Security/0060-Token-Introspection-Auth-Metadata.xml new file mode 100644 index 000000000..1112e87ed --- /dev/null +++ b/Application/EdFi.Ods.Api.IntegrationTestHarness/Artifacts/PgSql/Data/Security/0060-Token-Introspection-Auth-Metadata.xml @@ -0,0 +1,37 @@ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + \ No newline at end of file diff --git a/logistics/scripts/modules/postmanTestHarnessConfiguration.json b/logistics/scripts/modules/postmanTestHarnessConfiguration.json index ed9752d4a..f330829ba 100644 --- a/logistics/scripts/modules/postmanTestHarnessConfiguration.json 
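Review bot: The `COMMIT;` just before `END $$;` is transaction control inside a `DO` block, which PostgreSQL accepts only on 11+ and only when the block is not itself running inside an outer transaction; if the harness applies this artifact inside a transaction (or via psql `-1`) the script fails with `invalid transaction termination`, and when it does not, the DO block already executes atomically as a single statement, so the COMMIT adds nothing that the MsSql counterpart's explicit BEGIN/COMMIT TRANSACTION needed. I would drop `COMMIT;` unless the runner is known to require it, and in either case remove the `-- TODO: Remove - For interactive development only` lines together with the commented-out `SELECT dbo.GetAuthorizationMetadataDocument();` and `ROLLBACK;`, which should not ship in a seed script. `authorization_strategy_id` and `resource_claim_action_id` are declared but never used, and `claim_set_resource_claim_action_id` is filled by every `RETURNING ClaimSetResourceClaimActionId INTO` but never read.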
+++ b/logistics/scripts/modules/postmanTestHarnessConfiguration.json @@ -783,6 +783,23 @@ } ], "NamespacePrefixes": ["uri://ed-fi.org"] + }, + { + "Email": "test-token-introspection@other.org", + "VendorName": "Token Introspection Test", + "Applications": [ + { + "ApplicationName": "ODS/API", + "ClaimSetName": "Token Introspection Test", + "ApiClients": [ + { + "ApiClientName": "TokenIntrospection_255901", + "LocalEducationOrganizations": [255901] + } + ] + } + ], + "NamespacePrefixes": ["uri://ed-fi.org"] } ] } From 73c0da4a846e61704cfd22ff75982b0bbe212865 Mon Sep 17 00:00:00 2001 From: Axel Marquez Date: Fri, 13 Sep 2024 15:20:18 -0600 Subject: [PATCH 3/3] Add LF to the end of files --- .../Data/Security/0060-Token-Introspection-Auth-Metadata.xml | 2 +- .../Data/Security/0060-Token-Introspection-Auth-Metadata.xml | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/Application/EdFi.Ods.Api.IntegrationTestHarness/Artifacts/MsSql/Data/Security/0060-Token-Introspection-Auth-Metadata.xml b/Application/EdFi.Ods.Api.IntegrationTestHarness/Artifacts/MsSql/Data/Security/0060-Token-Introspection-Auth-Metadata.xml index 1112e87ed..fed73887a 100644 --- a/Application/EdFi.Ods.Api.IntegrationTestHarness/Artifacts/MsSql/Data/Security/0060-Token-Introspection-Auth-Metadata.xml +++ b/Application/EdFi.Ods.Api.IntegrationTestHarness/Artifacts/MsSql/Data/Security/0060-Token-Introspection-Auth-Metadata.xml @@ -34,4 +34,4 @@ - \ No newline at end of file + diff --git a/Application/EdFi.Ods.Api.IntegrationTestHarness/Artifacts/PgSql/Data/Security/0060-Token-Introspection-Auth-Metadata.xml b/Application/EdFi.Ods.Api.IntegrationTestHarness/Artifacts/PgSql/Data/Security/0060-Token-Introspection-Auth-Metadata.xml index 1112e87ed..fed73887a 100644 --- a/Application/EdFi.Ods.Api.IntegrationTestHarness/Artifacts/PgSql/Data/Security/0060-Token-Introspection-Auth-Metadata.xml 
+++ b/Application/EdFi.Ods.Api.IntegrationTestHarness/Artifacts/PgSql/Data/Security/0060-Token-Introspection-Auth-Metadata.xml @@ -34,4 +34,4 @@ - \ No newline at end of file +