[ODS-6362] ODS/API Feature: Permissions API #1123

Merged
merged 3 commits into from
Sep 13, 2024
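--- /dev/null
+++ b/PATH_NOT_SHOWN_ON_PAGE
@@ -0,0 +1,344 @@
+
+-- SPDX-License-Identifier: Apache-2.0
+-- Licensed to the Ed-Fi Alliance under one or more agreements.
+-- The Ed-Fi Alliance licenses this file to you under the Apache License, Version 2.0.
+-- See the LICENSE and NOTICES files in the project root for more information.
+
+BEGIN
+DECLARE
+@claimId AS INT,
+@claimName AS nvarchar(max),
+@parentResourceClaimId AS INT,
+@existingParentResourceClaimId AS INT,
+@claimSetId AS INT,
+@claimSetName AS nvarchar(max),
+@authorizationStrategyId AS INT,
+@msg AS nvarchar(max),
+@createActionId AS INT,
+@readActionId AS INT,
+@updateActionId AS INT,
+@deleteActionId AS INT,
+@readChangesActionId AS INT,
+@resourceClaimActionId AS INT,
+@claimSetResourceClaimActionId AS INT
+
+DECLARE @claimIdStack AS TABLE (Id INT IDENTITY, ResourceClaimId INT)
+
+SELECT @createActionId = ActionId
+FROM [dbo].[Actions] WHERE ActionName = 'Create';
+
+SELECT @readActionId = ActionId
+FROM [dbo].[Actions] WHERE ActionName = 'Read';
+
+SELECT @updateActionId = ActionId
+FROM [dbo].[Actions] WHERE ActionName = 'Update';
+
+SELECT @deleteActionId = ActionId
+FROM [dbo].[Actions] WHERE ActionName = 'Delete';
+
+SELECT @readChangesActionId = ActionId
+FROM [dbo].[Actions] WHERE ActionName = 'ReadChanges';
+
+BEGIN TRANSACTION
+
+-- Push claimId to the stack
+INSERT INTO @claimIdStack (ResourceClaimId) VALUES (@claimId)
+
+-- Processing children of root
+----------------------------------------------------------------------------------------------------------------------------
+-- Resource Claim: 'http://ed-fi.org/ods/identity/claims/domains/educationStandards'
+----------------------------------------------------------------------------------------------------------------------------
+SET @claimName = 'http://ed-fi.org/ods/identity/claims/domains/educationStandards'
+SET @claimId = NULL
+
+SELECT @claimId = ResourceClaimId, @existingParentResourceClaimId = ParentResourceClaimId
+FROM dbo.ResourceClaims
+WHERE ClaimName = @claimName
+
+SELECT @parentResourceClaimId = ResourceClaimId
+FROM @claimIdStack
+WHERE Id = (SELECT Max(Id) FROM @claimIdStack)
+
+IF @claimId IS NULL
+BEGIN
+PRINT 'Creating new claim: ' + @claimName
+
+INSERT INTO dbo.ResourceClaims(ResourceName, ClaimName, ParentResourceClaimId)
+VALUES ('educationStandards', 'http://ed-fi.org/ods/identity/claims/domains/educationStandards', @parentResourceClaimId)
+
+SET @claimId = SCOPE_IDENTITY()
+END
+ELSE
+BEGIN
+IF @parentResourceClaimId != @existingParentResourceClaimId OR (@parentResourceClaimId IS NULL AND @existingParentResourceClaimId IS NOT NULL) OR (@parentResourceClaimId IS NOT NULL AND @existingParentResourceClaimId IS NULL)
+BEGIN
+PRINT 'Repointing claim ''' + @claimName + ''' (ResourceClaimId=' + CONVERT(nvarchar, @claimId) + ') to new parent (ResourceClaimId=' + CONVERT(nvarchar, @parentResourceClaimId) + ')'
+
+UPDATE dbo.ResourceClaims
+SET ParentResourceClaimId = @parentResourceClaimId
+WHERE ResourceClaimId = @claimId
+END
+END
+
+-- Processing claim sets for http://ed-fi.org/ods/identity/claims/domains/educationStandards
+----------------------------------------------------------------------------------------------------------------------------
+-- Claim set: 'Token Introspection Test'
+----------------------------------------------------------------------------------------------------------------------------
+SET @claimSetName = 'Token Introspection Test'
+SET @claimSetId = NULL
+
+SELECT @claimSetId = ClaimSetId
+FROM dbo.ClaimSets
+WHERE ClaimSetName = @claimSetName
+
+IF @claimSetId IS NULL
+BEGIN
+PRINT 'Creating new claim set: ' + @claimSetName
+
+INSERT INTO dbo.ClaimSets(ClaimSetName)
+VALUES (@claimSetName)
+
+SET @claimSetId = SCOPE_IDENTITY()
+END
+
+PRINT 'Deleting existing actions for claim set ''' + @claimSetName + ''' (claimSetId=' + CONVERT(nvarchar, @claimSetId) + ') on resource claim ''' + @claimName + '''.'
+
+DELETE FROM dbo.ClaimSetResourceClaimActionAuthorizationStrategyOverrides
+WHERE ClaimSetResourceClaimActionId IN (SELECT ClaimSetResourceClaimActionId FROM dbo.ClaimSetResourceClaimActions WHERE ClaimSetId = @claimSetId AND ResourceClaimId = @claimId)
+
+DELETE FROM dbo.ClaimSetResourceClaimActions
+WHERE ClaimSetId = @claimSetId AND ResourceClaimId = @claimId
+
+
+-- Claim set-specific Create authorization
+PRINT 'Creating ''Create'' action for claim set ''' + @claimSetName + ''' (claimSetId=' + CONVERT(nvarchar, @claimSetId) + ', actionId = ' + CONVERT(nvarchar, @CreateActionId) + ').'
+
+INSERT INTO dbo.ClaimSetResourceClaimActions(ResourceClaimId, ClaimSetId, ActionId)
+VALUES (@claimId, @claimSetId, @CreateActionId) -- Create
+
+SET @claimSetResourceClaimActionId = SCOPE_IDENTITY()
+
+
+
+
+-- Claim set-specific Read authorization
+PRINT 'Creating ''Read'' action for claim set ''' + @claimSetName + ''' (claimSetId=' + CONVERT(nvarchar, @claimSetId) + ', actionId = ' + CONVERT(nvarchar, @ReadActionId) + ').'
+
+INSERT INTO dbo.ClaimSetResourceClaimActions(ResourceClaimId, ClaimSetId, ActionId)
+VALUES (@claimId, @claimSetId, @ReadActionId) -- Read
+
+SET @claimSetResourceClaimActionId = SCOPE_IDENTITY()
+
+
+
+----------------------------------------------------------------------------------------------------------------------------
+-- Resource Claim: 'http://ed-fi.org/ods/identity/claims/domains/systemDescriptors'
+----------------------------------------------------------------------------------------------------------------------------
+SET @claimName = 'http://ed-fi.org/ods/identity/claims/domains/systemDescriptors'
+SET @claimId = NULL
+
+SELECT @claimId = ResourceClaimId, @existingParentResourceClaimId = ParentResourceClaimId
+FROM dbo.ResourceClaims
+WHERE ClaimName = @claimName
+
+SELECT @parentResourceClaimId = ResourceClaimId
+FROM @claimIdStack
+WHERE Id = (SELECT Max(Id) FROM @claimIdStack)
+
+IF @claimId IS NULL
+BEGIN
+PRINT 'Creating new claim: ' + @claimName
+
+INSERT INTO dbo.ResourceClaims(ResourceName, ClaimName, ParentResourceClaimId)
+VALUES ('systemDescriptors', 'http://ed-fi.org/ods/identity/claims/domains/systemDescriptors', @parentResourceClaimId)
+
+SET @claimId = SCOPE_IDENTITY()
+END
+ELSE
+BEGIN
+IF @parentResourceClaimId != @existingParentResourceClaimId OR (@parentResourceClaimId IS NULL AND @existingParentResourceClaimId IS NOT NULL) OR (@parentResourceClaimId IS NOT NULL AND @existingParentResourceClaimId IS NULL)
+BEGIN
+PRINT 'Repointing claim ''' + @claimName + ''' (ResourceClaimId=' + CONVERT(nvarchar, @claimId) + ') to new parent (ResourceClaimId=' + CONVERT(nvarchar, @parentResourceClaimId) + ')'
+
+UPDATE dbo.ResourceClaims
+SET ParentResourceClaimId = @parentResourceClaimId
+WHERE ResourceClaimId = @claimId
+END
+END
+
+-- Push claimId to the stack
+INSERT INTO @claimIdStack (ResourceClaimId) VALUES (@claimId)
+
+-- Processing children of http://ed-fi.org/ods/identity/claims/domains/systemDescriptors
+----------------------------------------------------------------------------------------------------------------------------
+-- Resource Claim: 'http://ed-fi.org/ods/identity/claims/ed-fi/stateAbbreviationDescriptor'
+----------------------------------------------------------------------------------------------------------------------------
+SET @claimName = 'http://ed-fi.org/ods/identity/claims/ed-fi/stateAbbreviationDescriptor'
+SET @claimId = NULL
+
+SELECT @claimId = ResourceClaimId, @existingParentResourceClaimId = ParentResourceClaimId
+FROM dbo.ResourceClaims
+WHERE ClaimName = @claimName
+
+SELECT @parentResourceClaimId = ResourceClaimId
+FROM @claimIdStack
+WHERE Id = (SELECT Max(Id) FROM @claimIdStack)
+
+IF @claimId IS NULL
+BEGIN
+PRINT 'Creating new claim: ' + @claimName
+
+INSERT INTO dbo.ResourceClaims(ResourceName, ClaimName, ParentResourceClaimId)
+VALUES ('stateAbbreviationDescriptor', 'http://ed-fi.org/ods/identity/claims/ed-fi/stateAbbreviationDescriptor', @parentResourceClaimId)
+
+SET @claimId = SCOPE_IDENTITY()
+END
+ELSE
+BEGIN
+IF @parentResourceClaimId != @existingParentResourceClaimId OR (@parentResourceClaimId IS NULL AND @existingParentResourceClaimId IS NOT NULL) OR (@parentResourceClaimId IS NOT NULL AND @existingParentResourceClaimId IS NULL)
+BEGIN
+PRINT 'Repointing claim ''' + @claimName + ''' (ResourceClaimId=' + CONVERT(nvarchar, @claimId) + ') to new parent (ResourceClaimId=' + CONVERT(nvarchar, @parentResourceClaimId) + ')'
+
+UPDATE dbo.ResourceClaims
+SET ParentResourceClaimId = @parentResourceClaimId
+WHERE ResourceClaimId = @claimId
+END
+END
+
+-- Processing claim sets for http://ed-fi.org/ods/identity/claims/ed-fi/stateAbbreviationDescriptor
+----------------------------------------------------------------------------------------------------------------------------
+-- Claim set: 'Token Introspection Test'
+----------------------------------------------------------------------------------------------------------------------------
+SET @claimSetName = 'Token Introspection Test'
+SET @claimSetId = NULL
+
+SELECT @claimSetId = ClaimSetId
+FROM dbo.ClaimSets
+WHERE ClaimSetName = @claimSetName
+
+IF @claimSetId IS NULL
+BEGIN
+PRINT 'Creating new claim set: ' + @claimSetName
+
+INSERT INTO dbo.ClaimSets(ClaimSetName)
+VALUES (@claimSetName)
+
+SET @claimSetId = SCOPE_IDENTITY()
+END
+
+PRINT 'Deleting existing actions for claim set ''' + @claimSetName + ''' (claimSetId=' + CONVERT(nvarchar, @claimSetId) + ') on resource claim ''' + @claimName + '''.'
+
+DELETE FROM dbo.ClaimSetResourceClaimActionAuthorizationStrategyOverrides
+WHERE ClaimSetResourceClaimActionId IN (SELECT ClaimSetResourceClaimActionId FROM dbo.ClaimSetResourceClaimActions WHERE ClaimSetId = @claimSetId AND ResourceClaimId = @claimId)
+
+DELETE FROM dbo.ClaimSetResourceClaimActions
+WHERE ClaimSetId = @claimSetId AND ResourceClaimId = @claimId
+
+
+-- Claim set-specific Update authorization
+PRINT 'Creating ''Update'' action for claim set ''' + @claimSetName + ''' (claimSetId=' + CONVERT(nvarchar, @claimSetId) + ', actionId = ' + CONVERT(nvarchar, @UpdateActionId) + ').'
+
+INSERT INTO dbo.ClaimSetResourceClaimActions(ResourceClaimId, ClaimSetId, ActionId)
+VALUES (@claimId, @claimSetId, @UpdateActionId) -- Update
+
+SET @claimSetResourceClaimActionId = SCOPE_IDENTITY()
+
+
+
+
+-- Claim set-specific Delete authorization
+PRINT 'Creating ''Delete'' action for claim set ''' + @claimSetName + ''' (claimSetId=' + CONVERT(nvarchar, @claimSetId) + ', actionId = ' + CONVERT(nvarchar, @DeleteActionId) + ').'
+
+INSERT INTO dbo.ClaimSetResourceClaimActions(ResourceClaimId, ClaimSetId, ActionId)
+VALUES (@claimId, @claimSetId, @DeleteActionId) -- Delete
+
+SET @claimSetResourceClaimActionId = SCOPE_IDENTITY()
+
+
+
+
+-- Pop the stack
+DELETE FROM @claimIdStack WHERE Id = (SELECT Max(Id) FROM @claimIdStack)
+
+----------------------------------------------------------------------------------------------------------------------------
+-- Resource Claim: 'http://ed-fi.org/ods/identity/claims/services/identity'
+----------------------------------------------------------------------------------------------------------------------------
+SET @claimName = 'http://ed-fi.org/ods/identity/claims/services/identity'
+SET @claimId = NULL
+
+SELECT @claimId = ResourceClaimId, @existingParentResourceClaimId = ParentResourceClaimId
+FROM dbo.ResourceClaims
+WHERE ClaimName = @claimName
+
+SELECT @parentResourceClaimId = ResourceClaimId
+FROM @claimIdStack
+WHERE Id = (SELECT Max(Id) FROM @claimIdStack)
+
+IF @claimId IS NULL
+BEGIN
+PRINT 'Creating new claim: ' + @claimName
+
+INSERT INTO dbo.ResourceClaims(ResourceName, ClaimName, ParentResourceClaimId)
+VALUES ('identity', 'http://ed-fi.org/ods/identity/claims/services/identity', @parentResourceClaimId)
+
+SET @claimId = SCOPE_IDENTITY()
+END
+ELSE
+BEGIN
+IF @parentResourceClaimId != @existingParentResourceClaimId OR (@parentResourceClaimId IS NULL AND @existingParentResourceClaimId IS NOT NULL) OR (@parentResourceClaimId IS NOT NULL AND @existingParentResourceClaimId IS NULL)
+BEGIN
+PRINT 'Repointing claim ''' + @claimName + ''' (ResourceClaimId=' + CONVERT(nvarchar, @claimId) + ') to new parent (ResourceClaimId=' + CONVERT(nvarchar, @parentResourceClaimId) + ')'
+
+UPDATE dbo.ResourceClaims
+SET ParentResourceClaimId = @parentResourceClaimId
+WHERE ResourceClaimId = @claimId
+END
+END
+
+-- Processing claim sets for http://ed-fi.org/ods/identity/claims/services/identity
+----------------------------------------------------------------------------------------------------------------------------
+-- Claim set: 'Token Introspection Test'
+----------------------------------------------------------------------------------------------------------------------------
+SET @claimSetName = 'Token Introspection Test'
+SET @claimSetId = NULL
+
+SELECT @claimSetId = ClaimSetId
+FROM dbo.ClaimSets
+WHERE ClaimSetName = @claimSetName
+
+IF @claimSetId IS NULL
+BEGIN
+PRINT 'Creating new claim set: ' + @claimSetName
+
+INSERT INTO dbo.ClaimSets(ClaimSetName)
+VALUES (@claimSetName)
+
+SET @claimSetId = SCOPE_IDENTITY()
+END
+
+PRINT 'Deleting existing actions for claim set ''' + @claimSetName + ''' (claimSetId=' + CONVERT(nvarchar, @claimSetId) + ') on resource claim ''' + @claimName + '''.'
+
+DELETE FROM dbo.ClaimSetResourceClaimActionAuthorizationStrategyOverrides
+WHERE ClaimSetResourceClaimActionId IN (SELECT ClaimSetResourceClaimActionId FROM dbo.ClaimSetResourceClaimActions WHERE ClaimSetId = @claimSetId AND ResourceClaimId = @claimId)
+
+DELETE FROM dbo.ClaimSetResourceClaimActions
+WHERE ClaimSetId = @claimSetId AND ResourceClaimId = @claimId
+
+
+-- Claim set-specific ReadChanges authorization
+PRINT 'Creating ''ReadChanges'' action for claim set ''' + @claimSetName + ''' (claimSetId=' + CONVERT(nvarchar, @claimSetId) + ', actionId = ' + CONVERT(nvarchar, @ReadChangesActionId) + ').'
+
+INSERT INTO dbo.ClaimSetResourceClaimActions(ResourceClaimId, ClaimSetId, ActionId)
+VALUES (@claimId, @claimSetId, @ReadChangesActionId) -- ReadChanges
+
+SET @claimSetResourceClaimActionId = SCOPE_IDENTITY()
+
+
+
+
+-- Pop the stack
+DELETE FROM @claimIdStack WHERE Id = (SELECT Max(Id) FROM @claimIdStack)
+
+
+COMMIT TRANSACTION
+END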
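Review bot: The transaction opened by `BEGIN TRANSACTION` and closed by `COMMIT TRANSACTION` runs with neither `SET XACT_ABORT ON` nor a TRY/CATCH, so a statement-level error inside it (for instance an INSERT into dbo.ClaimSetResourceClaimActions after one of the five lookups against dbo.Actions returned NULL, if ActionId is non-nullable) does not stop the batch and the COMMIT still lands a partially applied permission state. Adding `SET XACT_ABORT ON;` immediately before `BEGIN TRANSACTION` makes any such error roll back the whole script, and a guard after the lookups such as `IF @createActionId IS NULL OR @readActionId IS NULL OR @updateActionId IS NULL OR @deleteActionId IS NULL OR @readChangesActionId IS NULL THROW 50000, 'Missing row in dbo.Actions', 1;` states the precondition the inserts depend on. The first `INSERT INTO @claimIdStack (ResourceClaimId) VALUES (@claimId)` deliberately pushes a NULL @claimId so top-level claims get a NULL parent; a comment like `-- Root marker: top-level claims get ParentResourceClaimId = NULL` would keep that from reading as a bug. The repeated structure suggests the file is generated from the accompanying metadata, in which case the change presumably belongs in the generator template rather than in this output.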
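--- /dev/null
+++ b/PATH_NOT_SHOWN_ON_PAGE
@@ -0,0 +1,37 @@
+<SecurityMetadata>
+<Claims>
+<Claim name="http://ed-fi.org/ods/identity/claims/domains/educationStandards">
+<ClaimSets>
+<ClaimSet name="Token Introspection Test">
+<Actions>
+<Action name="Create"/>
+<Action name="Read"/>
+</Actions>
+</ClaimSet>
+</ClaimSets>
+</Claim>
+<Claim name="http://ed-fi.org/ods/identity/claims/domains/systemDescriptors">
+<Claims>
+<Claim name="http://ed-fi.org/ods/identity/claims/ed-fi/stateAbbreviationDescriptor">
+<ClaimSets>
+<ClaimSet name="Token Introspection Test">
+<Actions>
+<Action name="Update"/>
+<Action name="Delete"/>
+</Actions>
+</ClaimSet>
+</ClaimSets>
+</Claim>
+</Claims>
+</Claim>
+<Claim name="http://ed-fi.org/ods/identity/claims/services/identity">
+<ClaimSets>
+<ClaimSet name="Token Introspection Test">
+<Actions>
+<Action name="ReadChanges"/>
+</Actions>
+</ClaimSet>
+</ClaimSets>
+</Claim>
+</Claims>
+</SecurityMetadata>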
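Review bot: The file carries no comment saying what the 'Token Introspection Test' claim set is for or which databases this metadata is meant to be loaded into, even though the name reads as a test fixture and the companion script creates the claim set in every database it runs against. A header such as `<!-- Test fixture: claim set used by the token introspection tests; not intended for production security metadata -->` would make that intent visible to whoever maintains deployments. Whether a loader already keeps test metadata apart from shipped metadata is not visible on the page, so I would confirm that rather than assume it.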