Merge pull request #36 from Altinn/feature/am-827_AddTtdOrgIssuerSupportForPlatformAccessTokens

jonkjetiloye · web-flow · commit 4e4f0bdd1121 · 2024-09-26T07:57:16.000+02:00
Added TTD org issuer support for PlatformAccessTokens
diff --git a/TokenGenerator/GetPlatformAccessToken.cs b/TokenGenerator/GetPlatformAccessToken.cs
@@ -34,14 +34,15 @@ public async Task<ActionResult> Run([HttpTrigger(AuthorizationLevel.Anonymous, "
 
             requestValidator.ValidateQueryParam("env", true, tokenHelper.IsValidEnvironment, out string env);
             requestValidator.ValidateQueryParam("app", true, tokenHelper.IsValidDottedIdentifier, out string appClaim);
+            requestValidator.ValidateQueryParam("org", false, tokenHelper.IsValidIdentifier, out string issuerOrg);
             requestValidator.ValidateQueryParam<uint>("ttl", false, uint.TryParse, out uint ttl, 1800);
 
             if (requestValidator.GetErrors().Count > 0)
             {
                  return new BadRequestObjectResult(requestValidator.GetErrors());
             }
 
-            string token = await tokenHelper.GetPlatformAccessToken(env, appClaim, ttl);
+            string token = await tokenHelper.GetPlatformAccessToken(env, appClaim, ttl, issuerOrg ?? settings.PlatformAccessTokenIssuerName);
 
             if (!string.IsNullOrEmpty(req.Query["dump"]))
             {
diff --git a/TokenGenerator/Services/CertificateKeyVault.cs b/TokenGenerator/Services/CertificateKeyVault.cs
@@ -56,14 +56,31 @@ public async Task<X509Certificate2> GetConsentTokenSigningCertificate(string env
             return GetLatestCertificateWithRolloverDelay(certificates, 1);
         }
 
-        public async Task<X509Certificate2> GetPlatformAccessTokenSigningCertificate(string environment)
+        public async Task<X509Certificate2> GetPlatformAccessTokenSigningCertificate(string environment, string issuer)
         {
-            if (string.IsNullOrEmpty(environment) || settings.EnvironmentsApiTokenDict[environment] == null || settings.PlatformAccessTokenSigningCertNamesDict[environment] == null)
+            List<X509Certificate2> certificates = null;
+            if (issuer == settings.PlatformAccessTokenIssuerName)
             {
-                throw new ArgumentException("Invalid environment");
+                if (string.IsNullOrEmpty(environment) || settings.EnvironmentsApiTokenDict[environment] == null || settings.PlatformAccessTokenSigningCertNamesDict[environment] == null)
+                {
+                    throw new ArgumentException("Invalid environment");
+                }
+
+                certificates = await GetCertificates(settings.EnvironmentsApiTokenDict[environment], settings.PlatformAccessTokenSigningCertNamesDict[environment]);
             }
+            else if (issuer == settings.TtdAccessTokenIssuerName)
+            {
+                if (string.IsNullOrEmpty(issuer) || settings.EnvironmentsApiTokenDict[environment] == null || settings.TtdAccessTokenSigningCertNamesDict[environment] == null)
+                {
+                    throw new ArgumentException("Invalid environment or org issuer");
+                }
 
-            var certificates = await GetCertificates(settings.EnvironmentsApiTokenDict[environment], settings.PlatformAccessTokenSigningCertNamesDict[environment]);
+                certificates = await GetCertificates(settings.EnvironmentsApiTokenDict[environment], settings.TtdAccessTokenSigningCertNamesDict[environment]);
+            }
+            else
+            {
+                throw new ArgumentException("Invalid issuer");
+            }
 
             return GetLatestCertificateWithRolloverDelay(certificates, 1);
         }
diff --git a/TokenGenerator/Services/CertificatePfx.cs b/TokenGenerator/Services/CertificatePfx.cs
@@ -57,5 +57,10 @@ public Task<X509Certificate2> GetPlatformAccessTokenSigningCertificate(string en
         {
             throw new NotImplementedException();
         }
+
+        public Task<X509Certificate2> GetPlatformAccessTokenSigningCertificate(string environment, string issuer)
+        {
+            throw new NotImplementedException();
+        }
     }
 }
diff --git a/TokenGenerator/Services/Interfaces/ICertificateService.cs b/TokenGenerator/Services/Interfaces/ICertificateService.cs
@@ -7,6 +7,6 @@ public interface ICertificateService
     {
         Task<X509Certificate2> GetApiTokenSigningCertificate(string environment);
         Task<X509Certificate2> GetConsentTokenSigningCertificate(string environment);
-        Task<X509Certificate2> GetPlatformAccessTokenSigningCertificate(string environment);
+        Task<X509Certificate2> GetPlatformAccessTokenSigningCertificate(string environment, string issuer);
     }
 }
diff --git a/TokenGenerator/Services/Interfaces/IToken.cs b/TokenGenerator/Services/Interfaces/IToken.cs
@@ -12,7 +12,7 @@ public interface IToken
         Task<string> GetPersonalToken(string env, string[] scopes, uint userId, uint partyId, string pid, string authLvl, string consumerOrgNo, string userName, string clientAmr, uint ttl, string delegationSource);
         Task<string> GetConsentToken(string env, string[] serviceCodes, IQueryCollection queryParameters, Guid authorizationCode, string offeredBy, string coveredBy, string handledBy, uint ttl);
         Task<string> GetPlatformToken(string env, string appClaim, uint ttl);
-        Task<string> GetPlatformAccessToken(string env, string appClaim, uint ttl);
+        Task<string> GetPlatformAccessToken(string env, string appClaim, uint ttl, string iss = "platform");
 
         string Dump(string token);
         bool IsValidAuthLvl(string authLvl);
diff --git a/TokenGenerator/Services/SelfSignedCertificate.cs b/TokenGenerator/Services/SelfSignedCertificate.cs
@@ -25,7 +25,7 @@ public Task<X509Certificate2> GetConsentTokenSigningCertificate(string environme
         return Task.FromResult(lazyCertificate.Value);
     }
 
-    public Task<X509Certificate2> GetPlatformAccessTokenSigningCertificate(string environment)
+    public Task<X509Certificate2> GetPlatformAccessTokenSigningCertificate(string environment, string issuer)
     {
         return Task.FromResult(lazyCertificate.Value);
     }
diff --git a/TokenGenerator/Services/Token.cs b/TokenGenerator/Services/Token.cs
@@ -301,10 +301,23 @@ public async Task<string> GetPlatformToken(string env, string appClaim, uint ttl
         /// <param name="env">The environment id.</param>
         /// <param name="appClaim">The name of the platform application.</param>
         /// <param name="ttl">Time to live.</param>
-        public async Task<string> GetPlatformAccessToken(string env, string appClaim, uint ttl)
+        /// <param name="issuer">The issuer of the token. Default is <c>platform</c>.</param>
+        public async Task<string> GetPlatformAccessToken(string env, string appClaim, uint ttl, string issuer)
         {
-            var signingCertificate = await certificateHelper.GetPlatformAccessTokenSigningCertificate(env);
-            return CreateAccessToken(appClaim, ttl, "platform", signingCertificate);
+            if (issuer == settings.PlatformAccessTokenIssuerName)
+            {
+                var signingCertificate = await certificateHelper.GetPlatformAccessTokenSigningCertificate(env, settings.PlatformAccessTokenIssuerName);
+                return CreateAccessToken(appClaim, ttl, settings.PlatformAccessTokenIssuerName, signingCertificate);
+            }
+            else if (issuer == settings.TtdAccessTokenIssuerName)
+            {
+                var signingCertificate = await certificateHelper.GetPlatformAccessTokenSigningCertificate(env, settings.TtdAccessTokenIssuerName);
+                return CreateAccessToken(appClaim, ttl, settings.TtdAccessTokenIssuerName, signingCertificate);
+            }
+            else
+            {
+                throw new ArgumentException("Invalid issuer");
+            }
         }
 
         public bool TryParseScopes(string input, out string[] scopes)
diff --git a/TokenGenerator/Settings.cs b/TokenGenerator/Settings.cs
@@ -8,8 +8,12 @@ public class Settings
     {
         public string ApiTokenSigningCertNames { get; set; }
         public Dictionary<string, string> ApiTokenSigningCertNamesDict => GetKeyValuePairs(ApiTokenSigningCertNames);
+        public string PlatformAccessTokenIssuerName { get; set; }
         public string PlatformAccessTokenSigningCertNames { get; set; }
         public Dictionary<string, string> PlatformAccessTokenSigningCertNamesDict => GetKeyValuePairs(PlatformAccessTokenSigningCertNames);
+        public string TtdAccessTokenIssuerName { get; set; }
+        public string TtdAccessTokenSigningCertNames { get; set; }
+        public Dictionary<string, string> TtdAccessTokenSigningCertNamesDict => GetKeyValuePairs(TtdAccessTokenSigningCertNames);
         public string ConsentTokenSigningCertNames { get; set; }
         public Dictionary<string, string> ConsentTokenSigningCertNamesDict => GetKeyValuePairs(ConsentTokenSigningCertNames);
         public string BasicAuthorizationUsers { get; set; }
diff --git a/TokenGenerator/TokenGenerator.csproj b/TokenGenerator/TokenGenerator.csproj
@@ -5,15 +5,15 @@
     <_FunctionsSkipCleanOutput>true</_FunctionsSkipCleanOutput>
   </PropertyGroup>
   <ItemGroup>
-    <PackageReference Include="Azure.Identity" Version="1.11.3" />
+    <PackageReference Include="Azure.Identity" Version="1.12.0" />
     <PackageReference Include="Azure.Security.KeyVault.Certificates" Version="4.6.0" />
     <PackageReference Include="Azure.Security.KeyVault.Secrets" Version="4.6.0" />
     <PackageReference Include="Microsoft.AspNetCore.Mvc.Core" Version="2.2.5" />
     <PackageReference Include="Microsoft.Azure.Functions.Extensions" Version="1.1.0" />
-    <PackageReference Include="Microsoft.IdentityModel.Protocols.OpenIdConnect" Version="7.5.1" />
-    <PackageReference Include="Microsoft.IdentityModel.Tokens" Version="7.5.1" />
-    <PackageReference Include="Microsoft.NET.Sdk.Functions" Version="4.3.0" />
-    <PackageReference Include="System.IdentityModel.Tokens.Jwt" Version="7.5.1" />
+    <PackageReference Include="Microsoft.IdentityModel.Protocols.OpenIdConnect" Version="8.1.0" />
+    <PackageReference Include="Microsoft.IdentityModel.Tokens" Version="8.1.0" />
+    <PackageReference Include="Microsoft.NET.Sdk.Functions" Version="4.4.1" />
+    <PackageReference Include="System.IdentityModel.Tokens.Jwt" Version="8.1.0" />
   </ItemGroup>
   <ItemGroup>
     <None Update="Certificates\apitoken.pfx">
diff --git a/TokenGenerator/local.settings.json.COPYME b/TokenGenerator/local.settings.json.COPYME
@@ -6,7 +6,10 @@
   },
   "Settings": {
     "ApiTokenSigningCertNames": "dev:altinn-testtools-api-token-signing-cert",
+    "PlatformAccessTokenIssuerName": "platform",
     "PlatformAccessTokenSigningCertNames": "dev:altinn-testtools-api-token-signing-cert",
+    "TtdAccessTokenIssuerName": "ttd",
+    "TtdAccessTokenSigningCertNames": "dev:altinn-testtools-ttd-accesstoken-signing-cert",
     "AuthorizedScope": "altinn:testtools/tokengenerator",
     "AuthorizedScopeEnterprise": "altinn:testtools/tokengenerator/enterprise",
     "AuthorizedScopeEnterpriseUser": "altinn:testtools/tokengenerator/enterpriseuser",

Original file line number	Diff line number	Diff line change
`@@ -34,14 +34,15 @@ public async Task<ActionResult> Run([HttpTrigger(AuthorizationLevel.Anonymous, "`
`34`	`34`
`35`	`35`	`requestValidator.ValidateQueryParam("env", true, tokenHelper.IsValidEnvironment, out string env);`
`36`	`36`	`requestValidator.ValidateQueryParam("app", true, tokenHelper.IsValidDottedIdentifier, out string appClaim);`
	`37`	`+ requestValidator.ValidateQueryParam("org", false, tokenHelper.IsValidIdentifier, out string issuerOrg);`
`37`	`38`	`requestValidator.ValidateQueryParam<uint>("ttl", false, uint.TryParse, out uint ttl, 1800);`
`38`	`39`
`39`	`40`	`if (requestValidator.GetErrors().Count > 0)`
`40`	`41`	`{`
`41`	`42`	`return new BadRequestObjectResult(requestValidator.GetErrors());`
`42`	`43`	`}`
`43`	`44`
`44`		`- string token = await tokenHelper.GetPlatformAccessToken(env, appClaim, ttl);`
	`45`	`+ string token = await tokenHelper.GetPlatformAccessToken(env, appClaim, ttl, issuerOrg ?? settings.PlatformAccessTokenIssuerName);`
`45`	`46`
`46`	`47`	`if (!string.IsNullOrEmpty(req.Query["dump"]))`
`47`	`48`	`{`
Original file line number	Diff line number	Diff line change
`@@ -57,5 +57,10 @@ public Task<X509Certificate2> GetPlatformAccessTokenSigningCertificate(string en`
`57`	`57`	`{`
`58`	`58`	`throw new NotImplementedException();`
`59`	`59`	`}`
	`60`	`+`
	`61`	`+ public Task<X509Certificate2> GetPlatformAccessTokenSigningCertificate(string environment, string issuer)`
	`62`	`+ {`
	`63`	`+ throw new NotImplementedException();`
	`64`	`+ }`
`60`	`65`	`}`
`61`	`66`	`}`
Original file line number	Diff line number	Diff line change
`@@ -7,6 +7,6 @@ public interface ICertificateService`
`7`	`7`	`{`
`8`	`8`	`Task<X509Certificate2> GetApiTokenSigningCertificate(string environment);`
`9`	`9`	`Task<X509Certificate2> GetConsentTokenSigningCertificate(string environment);`
`10`		`- Task<X509Certificate2> GetPlatformAccessTokenSigningCertificate(string environment);`
	`10`	`+ Task<X509Certificate2> GetPlatformAccessTokenSigningCertificate(string environment, string issuer);`
`11`	`11`	`}`
`12`	`12`	`}`
Original file line number	Diff line number	Diff line change
`@@ -25,7 +25,7 @@ public Task<X509Certificate2> GetConsentTokenSigningCertificate(string environme`
`25`	`25`	`return Task.FromResult(lazyCertificate.Value);`
`26`	`26`	`}`
`27`	`27`
`28`		`- public Task<X509Certificate2> GetPlatformAccessTokenSigningCertificate(string environment)`
	`28`	`+ public Task<X509Certificate2> GetPlatformAccessTokenSigningCertificate(string environment, string issuer)`
`29`	`29`	`{`
`30`	`30`	`return Task.FromResult(lazyCertificate.Value);`
`31`	`31`	`}`