[ODS-6464] Testing support for extended authorization filtering based on custom database views #1112

Merged
28 commits merged, Sep 10, 2024
8e52a51
Added migration scripts for existing initialization logic.
gmcelhanon Aug 30, 2024
fde4c8d
Add support for applying database migrations at Integration Test Harn…
gmcelhanon Aug 30, 2024
2adf3fe
Remove obsolete code around security metadata initialization.
gmcelhanon Aug 30, 2024
cc3393a
Added configuration for a Custom View-based authorization client.
gmcelhanon Aug 30, 2024
cb316f8
Updated EdFi.Common package to 7.3.157.
gmcelhanon Aug 30, 2024
6a7fb31
Updated EdFi.Admin.DataAccess and EdFi.Security.DataAccess package ve…
gmcelhanon Aug 30, 2024
178699c
Updating EdFi.Suite3.Common package version.
gmcelhanon Aug 31, 2024
16395df
Updating EdFi.Suite3 Security and Admin package versions.
gmcelhanon Aug 31, 2024
b342d20
Fixed issue with Postgres migration journal table.
gmcelhanon Aug 31, 2024
1365b0b
Fixed issue with Postgres migration journal table schema.
gmcelhanon Aug 31, 2024
26ebdb0
Updated security metadata.
gmcelhanon Aug 31, 2024
f31a8c8
Empty-commit
gmcelhanon Aug 31, 2024
6b3777b
Updated migrations to support Standard version-specific scripts to de…
gmcelhanon Aug 31, 2024
5cba8d5
Modified migrating ODS connection string decorator to introspect the …
gmcelhanon Aug 31, 2024
ffc9d33
Opened the connection before trying to use it to inspect for Standard…
gmcelhanon Aug 31, 2024
2ebbb51
Fixed bug with applying standard version as regex pattern against emb…
gmcelhanon Sep 1, 2024
840174e
Fixed errors in security metadata files and scripts.
gmcelhanon Sep 1, 2024
426f325
Updated XSLT-generated scripts to avoid movement of resource claims t…
gmcelhanon Sep 1, 2024
5712fed
Introduced migration scripts to delete legacy format claim names that…
gmcelhanon Sep 1, 2024
bab8312
Modified the Admin metadata task to generate keys/secrets that match …
gmcelhanon Sep 1, 2024
6656f21
Updated the XSLT template to only perform resource claim relocation i…
gmcelhanon Sep 1, 2024
8d0c01d
Fixed issue with Postgres migration deleting resource claims in legacy…
gmcelhanon Sep 2, 2024
89f0dbb
Fixed security metadata for Multiple Authorization Strategy Postman t…
gmcelhanon Sep 4, 2024
73d4a36
Minor code cleanup from self-code review.
gmcelhanon Sep 4, 2024
7292be5
Added security metadata to support testing for new behavior detecting…
gmcelhanon Sep 10, 2024
e83b319
Added support for mapping the CreatedByOwnershipTokenId for use with …
gmcelhanon Sep 10, 2024
43f7461
Empty-commit
gmcelhanon Sep 10, 2024
7157efb
Revert "Updated the XSLT template to only perform resource claim relo…
gmcelhanon Sep 10, 2024
@@ -0,0 +1,6 @@
INSERT INTO dbo.AuthorizationStrategies(DisplayName, AuthorizationStrategyName)
VALUES
('Students Enrolled in CTE courses', 'StudentWithCTECourseEnrollments'),
('ACT assessments', 'AssessmentWithAnACTIdentifier'),
('Transportation With a Bus', 'TransportationTypeDescriptorWithABus'),
('EdOrgs With An S-Word in the Category', 'EducationOrganizationWithACategoryContainingAnSWord');
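Review bot: the INSERT into dbo.AuthorizationStrategies has no existence guard, so re-applying this script, or applying it to a database that already holds one of these four strategy names, either duplicates rows or fails on a unique constraint, depending on what the table enforces. If the migration journal table mentioned in the commit list guarantees single execution that is acceptable, but an `INSERT ... SELECT ... WHERE NOT EXISTS (SELECT 1 FROM dbo.AuthorizationStrategies WHERE AuthorizationStrategyName = ...)` per row, or a MERGE on AuthorizationStrategyName, would make the script safe to re-run. A header comment stating that these strategies exist only to exercise the custom-view authorization in the Postman tests would also keep display names such as 'EdOrgs With An S-Word in the Category' from being mistaken for production strategies.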
@@ -0,0 +1,20 @@
-----------------------------------------------------------------
-- Delete legacy claims that have been replaced with new format
-----------------------------------------------------------------
DELETE FROM dbo.ResourceClaims
This cleanup and migration to the schema-based URI resource claim names is only applied to the security metadata used for the Postman integration testing. It essentially ensures that there are no resource claims using the legacy (schema-less) name format with additional security metadata attached (such as claim set-specific overrides). In such a case, the migration script will fail and draw attention to the ambiguity.

WHERE
LEFT(ClaimName, 37) = 'http://ed-fi.org/ods/identity/claims/'
AND CHARINDEX('/', SUBSTRING(ClaimName, 38, LEN(ClaimName) - 37)) <= 0
AND EXISTS (
SELECT 1
FROM dbo.ResourceClaims rc
WHERE ClaimName = 'http://ed-fi.org/ods/identity/claims/ed-fi/' + SUBSTRING(ResourceClaims.ClaimName, 38, LEN(ResourceClaims.ClaimName) - 37)
)
GO

-------------------------------------------------------------
-- Migrate existing Ed-Fi legacy claims to new format
-------------------------------------------------------------
UPDATE dbo.ResourceClaims SET ClaimName = 'http://ed-fi.org/ods/identity/claims/ed-fi/' + SUBSTRING(ClaimName, 38, LEN(ClaimName) - 37)
WHERE LEFT(ClaimName, 37) = 'http://ed-fi.org/ods/identity/claims/' AND CHARINDEX('/', SUBSTRING(ClaimName, 38, LEN(ClaimName) - 37)) <= 0
GO
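Review bot: the offsets 37 and 38 hard-coded in both the DELETE and the UPDATE encode LEN('http://ed-fi.org/ods/identity/claims/') and are easy to drift apart if one statement is edited without the other; declaring the prefix once (`DECLARE @prefix nvarchar(100) = 'http://ed-fi.org/ods/identity/claims/';`) and writing `LEFT(ClaimName, LEN(@prefix)) = @prefix` with `SUBSTRING(ClaimName, LEN(@prefix) + 1, LEN(ClaimName) - LEN(@prefix))` keeps the two predicates in sync. Two further points on the hunk: the "fail and draw attention to the ambiguity" behaviour described in the comment relies on foreign keys from the claim-set override tables blocking the DELETE, which the script does not say anywhere, so a comment above the DELETE stating that a constraint violation here is the intended signal would help whoever sees the migration error first; and because `GO` ends the batch, the DELETE is committed before the UPDATE runs unless the migration runner wraps the file in a transaction, so a failure in the second batch leaves the table half-migrated. The CHARINDEX/LEN/GO syntax is also SQL Server only, so the Postgres migration referenced in the commit list needs its own copy of this logic kept in step with this one.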

@@ -0,0 +1,263 @@
<SecurityMetadata>
Support for C#-based security metadata manipulation is being replaced with the declarative XML-based management (in combination with XSLT-based SQL script generation).

<Claims>
<Claim name="http://ed-fi.org/ods/identity/claims/domains/relationshipBasedData">
<Claims>
<Claim name="http://ed-fi.org/ods/identity/claims/ed-fi/studentProgramAssociation">
<ClaimSets>
<ClaimSet name="Custom View Test">
<Actions>
<Action name="Create">
<AuthorizationStrategyOverrides>
<AuthorizationStrategy name="StudentWithCTECourseEnrollments" />
</AuthorizationStrategyOverrides>
</Action>
<Action name="Read">
<AuthorizationStrategyOverrides>
<AuthorizationStrategy name="StudentWithCTECourseEnrollments" />
</AuthorizationStrategyOverrides>
</Action>
<Action name="Update">
<AuthorizationStrategyOverrides>
<AuthorizationStrategy name="StudentWithCTECourseEnrollments" />
</AuthorizationStrategyOverrides>
</Action>
<Action name="Delete">
<AuthorizationStrategyOverrides>
<AuthorizationStrategy name="StudentWithCTECourseEnrollments" />
</AuthorizationStrategyOverrides>
</Action>
<Action name="ReadChanges">
<AuthorizationStrategyOverrides>
<AuthorizationStrategy name="StudentWithCTECourseEnrollments" />
</AuthorizationStrategyOverrides>
</Action>
</Actions>
</ClaimSet>
</ClaimSets>
</Claim>
<Claim name="http://ed-fi.org/ods/identity/claims/ed-fi/studentSpecialEducationProgramEligibilityAssociation">
<ClaimSets>
<ClaimSet name="Custom View Test">
<Actions>
<Action name="Create">
<AuthorizationStrategyOverrides>
<AuthorizationStrategy name="RelationshipsWithEdOrgsAndPeople" />
<AuthorizationStrategy name="RelationshipsWithStudentsOnlyThroughResponsibility" />
<AuthorizationStrategy name="StudentWithCTECourseEnrollments" />
</AuthorizationStrategyOverrides>
</Action>
<Action name="Read">
<AuthorizationStrategyOverrides>
<AuthorizationStrategy name="RelationshipsWithEdOrgsAndPeople" />
<AuthorizationStrategy name="RelationshipsWithStudentsOnlyThroughResponsibility" />
<AuthorizationStrategy name="StudentWithCTECourseEnrollments" />
</AuthorizationStrategyOverrides>
</Action>
<Action name="Update">
<AuthorizationStrategyOverrides>
<AuthorizationStrategy name="RelationshipsWithEdOrgsAndPeople" />
<AuthorizationStrategy name="RelationshipsWithStudentsOnlyThroughResponsibility" />
<AuthorizationStrategy name="StudentWithCTECourseEnrollments" />
</AuthorizationStrategyOverrides>
</Action>
<Action name="Delete">
<AuthorizationStrategyOverrides>
<AuthorizationStrategy name="RelationshipsWithEdOrgsAndPeople" />
<AuthorizationStrategy name="RelationshipsWithStudentsOnlyThroughResponsibility" />
<AuthorizationStrategy name="StudentWithCTECourseEnrollments" />
</AuthorizationStrategyOverrides>
</Action>
<Action name="ReadChanges">
<AuthorizationStrategyOverrides>
<AuthorizationStrategy name="RelationshipsWithEdOrgsAndPeopleIncludingDeletes" />
<AuthorizationStrategy
name="RelationshipsWithStudentsOnlyThroughResponsibilityIncludingDeletes" />
<AuthorizationStrategy name="StudentWithCTECourseEnrollments" />
</AuthorizationStrategyOverrides>
</Action>
</Actions>
</ClaimSet>
</ClaimSets>
</Claim>
<Claim name="http://ed-fi.org/ods/identity/claims/ed-fi/studentTransportation">
<ClaimSets>
<ClaimSet name="Custom View Test">
<Actions>
<Action name="Create">
<AuthorizationStrategyOverrides>
<AuthorizationStrategy name="RelationshipsWithEdOrgsAndPeople" />
<AuthorizationStrategy name="TransportationTypeDescriptorWithABus" />
</AuthorizationStrategyOverrides>
</Action>
<Action name="Read">
<AuthorizationStrategyOverrides>
<AuthorizationStrategy name="RelationshipsWithEdOrgsAndPeople" />
<AuthorizationStrategy name="TransportationTypeDescriptorWithABus" />
</AuthorizationStrategyOverrides>
</Action>
<Action name="Update">
<AuthorizationStrategyOverrides>
<AuthorizationStrategy name="RelationshipsWithEdOrgsAndPeople" />
<AuthorizationStrategy name="TransportationTypeDescriptorWithABus" />
</AuthorizationStrategyOverrides>
</Action>
<Action name="Delete">
<AuthorizationStrategyOverrides>
<AuthorizationStrategy name="RelationshipsWithEdOrgsAndPeople" />
<AuthorizationStrategy name="TransportationTypeDescriptorWithABus" />
</AuthorizationStrategyOverrides>
</Action>
<Action name="ReadChanges">
<AuthorizationStrategyOverrides>
<AuthorizationStrategy name="RelationshipsWithEdOrgsAndPeopleIncludingDeletes" />
<AuthorizationStrategy name="TransportationTypeDescriptorWithABus" />
</AuthorizationStrategyOverrides>
</Action>
</Actions>
</ClaimSet>
</ClaimSets>
</Claim>
<Claim name="http://ed-fi.org/ods/identity/claims/ed-fi/accountabilityRating">
<ClaimSets>
<ClaimSet name="Custom View Test">
<Actions>
<Action name="Create">
<AuthorizationStrategyOverrides>
<AuthorizationStrategy name="EducationOrganizationWithACategoryContainingAnSWord" />
</AuthorizationStrategyOverrides>
</Action>
<Action name="Read">
<AuthorizationStrategyOverrides>
<AuthorizationStrategy name="EducationOrganizationWithACategoryContainingAnSWord" />
</AuthorizationStrategyOverrides>
</Action>
<Action name="Update">
<AuthorizationStrategyOverrides>
<AuthorizationStrategy name="EducationOrganizationWithACategoryContainingAnSWord" />
</AuthorizationStrategyOverrides>
</Action>
<Action name="Delete">
<AuthorizationStrategyOverrides>
<AuthorizationStrategy name="EducationOrganizationWithACategoryContainingAnSWord" />
</AuthorizationStrategyOverrides>
</Action>
<Action name="ReadChanges">
<AuthorizationStrategyOverrides>
<AuthorizationStrategy name="EducationOrganizationWithACategoryContainingAnSWord" />
</AuthorizationStrategyOverrides>
</Action>
</Actions>
</ClaimSet>
</ClaimSets>
</Claim>
<Claim name="http://ed-fi.org/ods/identity/claims/ed-fi/chartOfAccount">
<ClaimSets>
<ClaimSet name="Custom View Test">
<Actions>
<Action name="Create">
<AuthorizationStrategyOverrides>
<AuthorizationStrategy name="StudentWithCTECourseEnrollments" />
</AuthorizationStrategyOverrides>
</Action>
<Action name="Read">
<AuthorizationStrategyOverrides>
<AuthorizationStrategy name="StudentWithCTECourseEnrollments" />
</AuthorizationStrategyOverrides>
</Action>
<Action name="Update">
<AuthorizationStrategyOverrides>
<AuthorizationStrategy name="StudentWithCTECourseEnrollments" />
</AuthorizationStrategyOverrides>
</Action>
<Action name="Delete">
<AuthorizationStrategyOverrides>
<AuthorizationStrategy name="StudentWithCTECourseEnrollments" />
</AuthorizationStrategyOverrides>
</Action>
<Action name="ReadChanges">
<AuthorizationStrategyOverrides>
<AuthorizationStrategy name="StudentWithCTECourseEnrollments" />
</AuthorizationStrategyOverrides>
</Action>
</Actions>
</ClaimSet>
</ClaimSets>
</Claim>
</Claims>
</Claim>
<Claim name="http://ed-fi.org/ods/identity/claims/domains/assessmentMetadata">
<Claims>
<Claim name="http://ed-fi.org/ods/identity/claims/ed-fi/studentAssessment">
<ClaimSets>
<ClaimSet name="Custom View Test">
<Actions>
<Action name="Create">
<AuthorizationStrategyOverrides>
<AuthorizationStrategy name="AssessmentWithAnACTIdentifier" />
<AuthorizationStrategy name="RelationshipsWithEdOrgsOnly" />
</AuthorizationStrategyOverrides>
</Action>
<Action name="Read">
<AuthorizationStrategyOverrides>
<AuthorizationStrategy name="AssessmentWithAnACTIdentifier" />
<AuthorizationStrategy name="RelationshipsWithEdOrgsOnly" />
</AuthorizationStrategyOverrides>
</Action>
<Action name="Update">
<AuthorizationStrategyOverrides>
<AuthorizationStrategy name="AssessmentWithAnACTIdentifier" />
<AuthorizationStrategy name="RelationshipsWithEdOrgsOnly" />
</AuthorizationStrategyOverrides>
</Action>
<Action name="Delete">
<AuthorizationStrategyOverrides>
<AuthorizationStrategy name="AssessmentWithAnACTIdentifier" />
<AuthorizationStrategy name="RelationshipsWithEdOrgsOnly" />
</AuthorizationStrategyOverrides>
</Action>
<Action name="ReadChanges">
<AuthorizationStrategyOverrides>
<AuthorizationStrategy name="AssessmentWithAnACTIdentifier" />
<!--
This authorization strategy does not work with with reading Changes because
it uses ReportedSchoolId for authorization context, but the tracked_changes_edfi
table only include the entity's primary key columns, so the query fails.
-->
<!-- <AuthorizationStrategy name="RelationshipsWithEdOrgsOnly" /> -->
</AuthorizationStrategyOverrides>
</Action>
</Actions>
</ClaimSet>
</ClaimSets>
</Claim>
</Claims>
</Claim>
<!-- This provides read access to a root resource used in a Composites test -->
<Claim name="http://ed-fi.org/ods/identity/claims/domains/primaryRelationships">
<Claims>
<Claim name="http://ed-fi.org/ods/identity/claims/ed-fi/studentSchoolAssociation">
<ClaimSets>
<ClaimSet name="Custom View Test">
<Actions>
<Action name="Read" />
</Actions>
</ClaimSet>
</ClaimSets>
</Claim>
</Claims>
</Claim>
<Claim name="http://ed-fi.org/ods/identity/claims/domains/people">
<Claims>
<Claim name="http://ed-fi.org/ods/identity/claims/ed-fi/student">
<ClaimSets>
<ClaimSet name="Custom View Test">
<Actions>
<Action name="Read" />
</Actions>
</ClaimSet>
</ClaimSets>
</Claim>
</Claims>
</Claim>
</Claims>
</SecurityMetadata>
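Review bot: the ReadChanges action on http://ed-fi.org/ods/identity/claims/ed-fi/studentAssessment keeps only AssessmentWithAnACTIdentifier and comments out RelationshipsWithEdOrgsOnly, while Create, Read, Update and Delete on the same resource require both strategies. The consequence is that change queries for this resource are filtered by the custom view alone and not by the caller's education organization relationships, so ReadChanges is authorized more loosely than Read. For a test-only claim set that may be intended, but the XML comment currently explains only why the query fails, not that the override widens access; either state that explicitly in the comment or omit the ReadChanges action for this claim so the Postman tests do not encode the looser filter as expected behaviour. The same pattern does not appear on the other claims in the file, where ReadChanges keeps the ...IncludingDeletes relationship strategy alongside the custom-view strategy, so this one resource is the exception and deserves the note.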