Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Support system user in Storage #501

Open
3 of 7 tasks
Tracked by #84
SandGrainOne opened this issue Sep 20, 2024 · 2 comments
Open
3 of 7 tasks
Tracked by #84

Support system user in Storage #501

SandGrainOne opened this issue Sep 20, 2024 · 2 comments
Assignees
@Ahmed-Ghanam
Labels
kind/user-story Used for issues that describes functionality for our users.

Comments

@SandGrainOne
Copy link
Member

SandGrainOne commented Sep 20, 2024
edited
Loading

Description

This is a list of tasks and changes that needs to be done before we can say that Storage support system users.

Additional Information

This issue is based on the analysis performed in #471.

Usecase: A system user (representing a user - i.e. sending a party-id) instantiates an instance and populates it with data. E.g. The MVA-report.

Tasks

Authorizaion

  • Update to a version of the Altinn.Common.PEP package with support for SystemUser authorization (version later than v4.0.0)
  • Update all custom Authorization logic to include system user as AccessSubject in Authorization requests.
    The assumption is that we're mostly using the PEP package and the containing DecisionHelper, but there might be exceptions.

Metadata updates:

  • Search for places where the Intance.CreatedBy property is set. Update the logic to use the organization number of the system owner when caller is a system.
  • Search for places where the Intance.LastChangedBy property is set. Update the logic to use the organization number of the system owner when caller is a system.
  • Search for places where the DataElement.CreatedBy property is set. Update the logic to use the organization number of the system owner when caller is a system.
  • Search for places where the DataElement.LastChangedBy property is set. Update the logic to use the organization number of the system owner when caller is a system.
  • Expand the PlatformUser class with properties for: SystemUserId (guid), SystemUserOwner (string) and SystemUserName.
  • Search for all usage (assignments) of the PlatformUser class and populate the new properties when data is available.
  • Update the logic setting the ProcessHistoryItem.PerformedBy property to support an InstanceEvent created with a system user.
  • Update IdentityTelemetryFilter to handle system users

Authentication

Not decided yet (optional future improvement):

Testing

Preparation

Testing this will require multiple steps.

  1. Find a person with the ability to represent an organization. Preferably the "CEO" (daglig leder). Make node of key data we might need. Like names and ids. There are a few Tenor users we've documented on confluence under Guides.
  2. We would then need to create a system user. I have not looked into how this could be done yet. The system user would need to be associated with the organization we've identified previously. It doesn't matter what type of system we use. Keep the data like system id and update the test data table on confluence.
  3. Find a working app and instantiate an instance or two with the organization as instance owner. (Or find existing instances).
  4. Log in with the organization CEO and delegate at a minimum read access to the system user. I have not looked into how this is done at the moment.
  5. Generate a token for the system user using the token generator. There is a new endpoint to do this part. An example:
    api/GetSystemUserToken?env={{Environment}}&scopes=altinn:instances.read&systemUserId=3d7ff126-890c-4e30-953b-4b736c6591ec&systemUserOrg=312508729
  6. Run GET requests directly against Storage endpoints using the token as a Bearer token in the Authorization header.

Things to check

  1. First of all the GET requests should succeed.
  2. Logging of system user id together with request telemetry. Check in Application Insights.

Testing of mutating operations like POST and PUT is even more work and I suggest we postpone that for when we have a working app to test through.

Blockers
Preview Give feedback
  1. Add support for system user in PDP endpoint altinn-authorization#578
    kind/user-story status/draft
    TheTechArch
  2. Feature/systemuserpdp altinn-authorization#1052

Tasks
Preview Give feedback
  2. Establish feature-flag so e.g. in AT one can activate the new logic and if a system-user is present in TT, it will be rejected #511
    status/pending-feedback
  3. Establish repeatable test-case/test client for system user #512
  4. Establish test-suite - get control over existing cases and decide if they give sufficient coverage for as-is functionallity #513
    SandGrainOne
  5. Clarify UX - how will this be presented to the use? Do we store the needed information? #510
    status/pending-feedback
    olebhansen

Acceptance criteria:

  • Component accepts and responds to calls from system users
    • If feature-flag "off", the component gracefully denies calls from system users
  • Component behaves as before for calls from other users
@SandGrainOne SandGrainOne added kind/user-story Used for issues that describes functionality for our users. status/draft Status: When you create an issue before you have enough info to properly describe the issue. labels Sep 20, 2024
@RonnyB71 RonnyB71 mentioned this issue Sep 23, 2024
Open
This was referenced Oct 2, 2024
Closed
Closed
Closed
@olebhansen olebhansen added the status/blocked Further work depending on the completion of some other task/PoC/issue label Oct 31, 2024
@olebhansen olebhansen added status/blocked Further work depending on the completion of some other task/PoC/issue and removed status/blocked Further work depending on the completion of some other task/PoC/issue labels Nov 8, 2024
@olebhansen olebhansen self-assigned this Nov 11, 2024
@olebhansen olebhansen removed status/draft Status: When you create an issue before you have enough info to properly describe the issue. status/blocked Further work depending on the completion of some other task/PoC/issue labels Nov 12, 2024
@olebhansen
Copy link

Candidate for pair programming

@olebhansen
Copy link

FYI the competency-session with Rune is scheduled. Ticking off the box and unassigning myself.

@olebhansen olebhansen removed their assignment Nov 21, 2024
@SandGrainOne SandGrainOne self-assigned this Nov 27, 2024
@SandGrainOne SandGrainOne mentioned this issue Dec 6, 2024
Merged
5 tasks
@SandGrainOne SandGrainOne mentioned this issue Jan 13, 2025
Merged
5 tasks
@SandGrainOne SandGrainOne removed their assignment Jan 14, 2025
@Ahmed-Ghanam Ahmed-Ghanam self-assigned this Jan 28, 2025
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@Ahmed-Ghanam Ahmed-Ghanam

Labels
kind/user-story Used for issues that describes functionality for our users.
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
3 participants
@olebhansen @SandGrainOne @Ahmed-Ghanam