
Commit 06fbf65

authored
[ODS-6464] Testing support for extended authorization authorization filtering based on custom database views (#1112)
1 parent bdda6a4 commit 06fbf65


49 files changed

+11200
-592
lines changed


49 files changed

+11200
-592
lines changed
@@ -0,0 +1,6 @@
1+
INSERT INTO dbo.AuthorizationStrategies(DisplayName, AuthorizationStrategyName)
2+
VALUES
3+
('Students Enrolled in CTE courses', 'StudentWithCTECourseEnrollments'),
4+
('ACT assessments', 'AssessmentWithAnACTIdentifier'),
5+
('Transportation With a Bus', 'TransportationTypeDescriptorWithABus'),
6+
('EdOrgs With An S-Word in the Category', 'EducationOrganizationWithACategoryContainingAnSWord');
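Review bot: The four-row INSERT into dbo.AuthorizationStrategies is unconditional, so re-applying this script to a security database that already holds these rows would either add duplicate strategy names or fail on a uniqueness constraint, depending on how the table is keyed (the schema is not visible here). The security metadata elsewhere in this commit refers to these strategies by name, so a duplicated AuthorizationStrategyName could make name-based lookups ambiguous. If the harness can ever run this against an existing database, guard the rows with a NOT EXISTS check on AuthorizationStrategyName, as sketched below.

```sql
INSERT INTO dbo.AuthorizationStrategies (DisplayName, AuthorizationStrategyName)
SELECT v.DisplayName, v.AuthorizationStrategyName
FROM (VALUES
    -- … unchanged: the four (DisplayName, AuthorizationStrategyName) rows …
) AS v (DisplayName, AuthorizationStrategyName)
WHERE NOT EXISTS (
    SELECT 1
    FROM dbo.AuthorizationStrategies AS s
    WHERE s.AuthorizationStrategyName = v.AuthorizationStrategyName
);
```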
@@ -0,0 +1,20 @@
1+
-----------------------------------------------------------------
2+
-- Delete legacy claims that have been replaced with new format
3+
-----------------------------------------------------------------
4+
DELETE FROM dbo.ResourceClaims
5+
WHERE
6+
LEFT(ClaimName, 37) = 'http://ed-fi.org/ods/identity/claims/'
7+
AND CHARINDEX('/', SUBSTRING(ClaimName, 38, LEN(ClaimName) - 37)) <= 0
8+
AND EXISTS (
9+
SELECT 1
10+
FROM dbo.ResourceClaims rc
11+
WHERE ClaimName = 'http://ed-fi.org/ods/identity/claims/ed-fi/' + SUBSTRING(ResourceClaims.ClaimName, 38, LEN(ResourceClaims.ClaimName) - 37)
12+
)
13+
GO
14+
15+
-------------------------------------------------------------
16+
-- Migrate existing Ed-Fi legacy claims to new format
17+
-------------------------------------------------------------
18+
UPDATE dbo.ResourceClaims SET ClaimName = 'http://ed-fi.org/ods/identity/claims/ed-fi/' + SUBSTRING(ClaimName, 38, LEN(ClaimName) - 37)
19+
WHERE LEFT(ClaimName, 37) = 'http://ed-fi.org/ods/identity/claims/' AND CHARINDEX('/', SUBSTRING(ClaimName, 38, LEN(ClaimName) - 37)) <= 0
20+
GO
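Review bot: In the EXISTS subquery of the DELETE (new lines 8-12), the left-hand `ClaimName` is unqualified, and the correlation works only because the inner table is aliased `rc` while `ResourceClaims.ClaimName` still resolves to the DELETE target; dropping or renaming that alias would silently change which rows count as already migrated. Qualify the inner column, `WHERE rc.ClaimName = 'http://ed-fi.org/ods/identity/claims/ed-fi/' + SUBSTRING(ResourceClaims.ClaimName, 38, LEN(ResourceClaims.ClaimName) - 37)`, and add a comment that 37 is the length of the legacy prefix. Because these rows are authorization metadata, it is also worth confirming how rows in other tables that reference a deleted legacy claim are handled (presumably through foreign keys not shown here), so that grants attached to the legacy claim are neither lost nor left blocking the delete. `CHARINDEX(...) <= 0` in both statements can be written `= 0`, since CHARINDEX never returns a negative value.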

Application/EdFi.Ods.Api.IntegrationTestHarness/Artifacts/MsSql/Data/Security/0020-Custom-View-Based-Auth-Metadata.sql

+1,791
Large diffs are not rendered by default.
@@ -0,0 +1,263 @@
1+
<SecurityMetadata>
2+
<Claims>
3+
<Claim name="http://ed-fi.org/ods/identity/claims/domains/relationshipBasedData">
4+
<Claims>
5+
<Claim name="http://ed-fi.org/ods/identity/claims/ed-fi/studentProgramAssociation">
6+
<ClaimSets>
7+
<ClaimSet name="Custom View Test">
8+
<Actions>
9+
<Action name="Create">
10+
<AuthorizationStrategyOverrides>
11+
<AuthorizationStrategy name="StudentWithCTECourseEnrollments" />
12+
</AuthorizationStrategyOverrides>
13+
</Action>
14+
<Action name="Read">
15+
<AuthorizationStrategyOverrides>
16+
<AuthorizationStrategy name="StudentWithCTECourseEnrollments" />
17+
</AuthorizationStrategyOverrides>
18+
</Action>
19+
<Action name="Update">
20+
<AuthorizationStrategyOverrides>
21+
<AuthorizationStrategy name="StudentWithCTECourseEnrollments" />
22+
</AuthorizationStrategyOverrides>
23+
</Action>
24+
<Action name="Delete">
25+
<AuthorizationStrategyOverrides>
26+
<AuthorizationStrategy name="StudentWithCTECourseEnrollments" />
27+
</AuthorizationStrategyOverrides>
28+
</Action>
29+
<Action name="ReadChanges">
30+
<AuthorizationStrategyOverrides>
31+
<AuthorizationStrategy name="StudentWithCTECourseEnrollments" />
32+
</AuthorizationStrategyOverrides>
33+
</Action>
34+
</Actions>
35+
</ClaimSet>
36+
</ClaimSets>
37+
</Claim>
38+
<Claim name="http://ed-fi.org/ods/identity/claims/ed-fi/studentSpecialEducationProgramEligibilityAssociation">
39+
<ClaimSets>
40+
<ClaimSet name="Custom View Test">
41+
<Actions>
42+
<Action name="Create">
43+
<AuthorizationStrategyOverrides>
44+
<AuthorizationStrategy name="RelationshipsWithEdOrgsAndPeople" />
45+
<AuthorizationStrategy name="RelationshipsWithStudentsOnlyThroughResponsibility" />
46+
<AuthorizationStrategy name="StudentWithCTECourseEnrollments" />
47+
</AuthorizationStrategyOverrides>
48+
</Action>
49+
<Action name="Read">
50+
<AuthorizationStrategyOverrides>
51+
<AuthorizationStrategy name="RelationshipsWithEdOrgsAndPeople" />
52+
<AuthorizationStrategy name="RelationshipsWithStudentsOnlyThroughResponsibility" />
53+
<AuthorizationStrategy name="StudentWithCTECourseEnrollments" />
54+
</AuthorizationStrategyOverrides>
55+
</Action>
56+
<Action name="Update">
57+
<AuthorizationStrategyOverrides>
58+
<AuthorizationStrategy name="RelationshipsWithEdOrgsAndPeople" />
59+
<AuthorizationStrategy name="RelationshipsWithStudentsOnlyThroughResponsibility" />
60+
<AuthorizationStrategy name="StudentWithCTECourseEnrollments" />
61+
</AuthorizationStrategyOverrides>
62+
</Action>
63+
<Action name="Delete">
64+
<AuthorizationStrategyOverrides>
65+
<AuthorizationStrategy name="RelationshipsWithEdOrgsAndPeople" />
66+
<AuthorizationStrategy name="RelationshipsWithStudentsOnlyThroughResponsibility" />
67+
<AuthorizationStrategy name="StudentWithCTECourseEnrollments" />
68+
</AuthorizationStrategyOverrides>
69+
</Action>
70+
<Action name="ReadChanges">
71+
<AuthorizationStrategyOverrides>
72+
<AuthorizationStrategy name="RelationshipsWithEdOrgsAndPeopleIncludingDeletes" />
73+
<AuthorizationStrategy
74+
name="RelationshipsWithStudentsOnlyThroughResponsibilityIncludingDeletes" />
75+
<AuthorizationStrategy name="StudentWithCTECourseEnrollments" />
76+
</AuthorizationStrategyOverrides>
77+
</Action>
78+
</Actions>
79+
</ClaimSet>
80+
</ClaimSets>
81+
</Claim>
82+
<Claim name="http://ed-fi.org/ods/identity/claims/ed-fi/studentTransportation">
83+
<ClaimSets>
84+
<ClaimSet name="Custom View Test">
85+
<Actions>
86+
<Action name="Create">
87+
<AuthorizationStrategyOverrides>
88+
<AuthorizationStrategy name="RelationshipsWithEdOrgsAndPeople" />
89+
<AuthorizationStrategy name="TransportationTypeDescriptorWithABus" />
90+
</AuthorizationStrategyOverrides>
91+
</Action>
92+
<Action name="Read">
93+
<AuthorizationStrategyOverrides>
94+
<AuthorizationStrategy name="RelationshipsWithEdOrgsAndPeople" />
95+
<AuthorizationStrategy name="TransportationTypeDescriptorWithABus" />
96+
</AuthorizationStrategyOverrides>
97+
</Action>
98+
<Action name="Update">
99+
<AuthorizationStrategyOverrides>
100+
<AuthorizationStrategy name="RelationshipsWithEdOrgsAndPeople" />
101+
<AuthorizationStrategy name="TransportationTypeDescriptorWithABus" />
102+
</AuthorizationStrategyOverrides>
103+
</Action>
104+
<Action name="Delete">
105+
<AuthorizationStrategyOverrides>
106+
<AuthorizationStrategy name="RelationshipsWithEdOrgsAndPeople" />
107+
<AuthorizationStrategy name="TransportationTypeDescriptorWithABus" />
108+
</AuthorizationStrategyOverrides>
109+
</Action>
110+
<Action name="ReadChanges">
111+
<AuthorizationStrategyOverrides>
112+
<AuthorizationStrategy name="RelationshipsWithEdOrgsAndPeopleIncludingDeletes" />
113+
<AuthorizationStrategy name="TransportationTypeDescriptorWithABus" />
114+
</AuthorizationStrategyOverrides>
115+
</Action>
116+
</Actions>
117+
</ClaimSet>
118+
</ClaimSets>
119+
</Claim>
120+
<Claim name="http://ed-fi.org/ods/identity/claims/ed-fi/accountabilityRating">
121+
<ClaimSets>
122+
<ClaimSet name="Custom View Test">
123+
<Actions>
124+
<Action name="Create">
125+
<AuthorizationStrategyOverrides>
126+
<AuthorizationStrategy name="EducationOrganizationWithACategoryContainingAnSWord" />
127+
</AuthorizationStrategyOverrides>
128+
</Action>
129+
<Action name="Read">
130+
<AuthorizationStrategyOverrides>
131+
<AuthorizationStrategy name="EducationOrganizationWithACategoryContainingAnSWord" />
132+
</AuthorizationStrategyOverrides>
133+
</Action>
134+
<Action name="Update">
135+
<AuthorizationStrategyOverrides>
136+
<AuthorizationStrategy name="EducationOrganizationWithACategoryContainingAnSWord" />
137+
</AuthorizationStrategyOverrides>
138+
</Action>
139+
<Action name="Delete">
140+
<AuthorizationStrategyOverrides>
141+
<AuthorizationStrategy name="EducationOrganizationWithACategoryContainingAnSWord" />
142+
</AuthorizationStrategyOverrides>
143+
</Action>
144+
<Action name="ReadChanges">
145+
<AuthorizationStrategyOverrides>
146+
<AuthorizationStrategy name="EducationOrganizationWithACategoryContainingAnSWord" />
147+
</AuthorizationStrategyOverrides>
148+
</Action>
149+
</Actions>
150+
</ClaimSet>
151+
</ClaimSets>
152+
</Claim>
153+
<Claim name="http://ed-fi.org/ods/identity/claims/ed-fi/chartOfAccount">
154+
<ClaimSets>
155+
<ClaimSet name="Custom View Test">
156+
<Actions>
157+
<Action name="Create">
158+
<AuthorizationStrategyOverrides>
159+
<AuthorizationStrategy name="StudentWithCTECourseEnrollments" />
160+
</AuthorizationStrategyOverrides>
161+
</Action>
162+
<Action name="Read">
163+
<AuthorizationStrategyOverrides>
164+
<AuthorizationStrategy name="StudentWithCTECourseEnrollments" />
165+
</AuthorizationStrategyOverrides>
166+
</Action>
167+
<Action name="Update">
168+
<AuthorizationStrategyOverrides>
169+
<AuthorizationStrategy name="StudentWithCTECourseEnrollments" />
170+
</AuthorizationStrategyOverrides>
171+
</Action>
172+
<Action name="Delete">
173+
<AuthorizationStrategyOverrides>
174+
<AuthorizationStrategy name="StudentWithCTECourseEnrollments" />
175+
</AuthorizationStrategyOverrides>
176+
</Action>
177+
<Action name="ReadChanges">
178+
<AuthorizationStrategyOverrides>
179+
<AuthorizationStrategy name="StudentWithCTECourseEnrollments" />
180+
</AuthorizationStrategyOverrides>
181+
</Action>
182+
</Actions>
183+
</ClaimSet>
184+
</ClaimSets>
185+
</Claim>
186+
</Claims>
187+
</Claim>
188+
<Claim name="http://ed-fi.org/ods/identity/claims/domains/assessmentMetadata">
189+
<Claims>
190+
<Claim name="http://ed-fi.org/ods/identity/claims/ed-fi/studentAssessment">
191+
<ClaimSets>
192+
<ClaimSet name="Custom View Test">
193+
<Actions>
194+
<Action name="Create">
195+
<AuthorizationStrategyOverrides>
196+
<AuthorizationStrategy name="AssessmentWithAnACTIdentifier" />
197+
<AuthorizationStrategy name="RelationshipsWithEdOrgsOnly" />
198+
</AuthorizationStrategyOverrides>
199+
</Action>
200+
<Action name="Read">
201+
<AuthorizationStrategyOverrides>
202+
<AuthorizationStrategy name="AssessmentWithAnACTIdentifier" />
203+
<AuthorizationStrategy name="RelationshipsWithEdOrgsOnly" />
204+
</AuthorizationStrategyOverrides>
205+
</Action>
206+
<Action name="Update">
207+
<AuthorizationStrategyOverrides>
208+
<AuthorizationStrategy name="AssessmentWithAnACTIdentifier" />
209+
<AuthorizationStrategy name="RelationshipsWithEdOrgsOnly" />
210+
</AuthorizationStrategyOverrides>
211+
</Action>
212+
<Action name="Delete">
213+
<AuthorizationStrategyOverrides>
214+
<AuthorizationStrategy name="AssessmentWithAnACTIdentifier" />
215+
<AuthorizationStrategy name="RelationshipsWithEdOrgsOnly" />
216+
</AuthorizationStrategyOverrides>
217+
</Action>
218+
<Action name="ReadChanges">
219+
<AuthorizationStrategyOverrides>
220+
<AuthorizationStrategy name="AssessmentWithAnACTIdentifier" />
221+
<!--
222+
This authorization strategy does not work with with reading Changes because
223+
it uses ReportedSchoolId for authorization context, but the tracked_changes_edfi
224+
table only include the entity's primary key columns, so the query fails.
225+
-->
226+
<!-- <AuthorizationStrategy name="RelationshipsWithEdOrgsOnly" /> -->
227+
</AuthorizationStrategyOverrides>
228+
</Action>
229+
</Actions>
230+
</ClaimSet>
231+
</ClaimSets>
232+
</Claim>
233+
</Claims>
234+
</Claim>
235+
<!-- This provides read access to a root resource used in a Composites test -->
236+
<Claim name="http://ed-fi.org/ods/identity/claims/domains/primaryRelationships">
237+
<Claims>
238+
<Claim name="http://ed-fi.org/ods/identity/claims/ed-fi/studentSchoolAssociation">
239+
<ClaimSets>
240+
<ClaimSet name="Custom View Test">
241+
<Actions>
242+
<Action name="Read" />
243+
</Actions>
244+
</ClaimSet>
245+
</ClaimSets>
246+
</Claim>
247+
</Claims>
248+
</Claim>
249+
<Claim name="http://ed-fi.org/ods/identity/claims/domains/people">
250+
<Claims>
251+
<Claim name="http://ed-fi.org/ods/identity/claims/ed-fi/student">
252+
<ClaimSets>
253+
<ClaimSet name="Custom View Test">
254+
<Actions>
255+
<Action name="Read" />
256+
</Actions>
257+
</ClaimSet>
258+
</ClaimSets>
259+
</Claim>
260+
</Claims>
261+
</Claim>
262+
</Claims>
263+
</SecurityMetadata>
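Review bot: In the ReadChanges action for studentAssessment (new lines 218-227), commenting out RelationshipsWithEdOrgsOnly leaves AssessmentWithAnACTIdentifier as the only override, so change queries on this resource are presumably not scoped by education organization the way the other four actions are. That is reasonable for the "Custom View Test" claim set, but the existing comment explains only why the query fails, not that the result is a broader grant; I would add a line such as `<!-- Test-only: ReadChanges is not EdOrg-scoped here; do not copy this override into a production claim set. -->`. The same comment has two wording slips to fix while there: "with with reading Changes" and "table only include".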
