fix(webapi): Require base service provider scope on search endpoint

[oskogstad]

Description

Related Issue(s)

• SO search with search scope results in 403 Forbidden #1475

Verification

• Your code builds clean without any errors or warnings
• Manual testing done (required)
• Relevant automated test added (if you find this hard, leave it and we'll help out)

Documentation

• Documentation is updated (either in docs-directory, Altinnpedia or a separate linked PR in altinn-studio-docs., if applicable)

Summary by CodeRabbit

• New Features
  • Enhanced authorization logic for the ServiceProviderSearch policy, improving specificity and security.
• Bug Fixes
  • Refined error handling during initialization to ensure valid settings are used.

[coderabbitai]

📝 Walkthrough

Walkthrough

The changes in this pull request primarily involve the AuthorizationOptionsSetup class in two files, focusing on the Configure method. The definition of the AuthorizationPolicy.ServiceProviderSearch has been modified to combine it with the ServiceProvider policy retrieved via options.GetPolicy(AuthorizationPolicy.ServiceProvider)! instead of the default policy. This adjustment refines the construction of the ServiceProviderSearch policy while maintaining the overall structure and error handling of the method.

Changes

File Path	Change Summary
src/Digdir.Domain.Dialogporten.GraphQL/Common/Authorization/AuthorizationOptionsSetup.cs	Modified Configure method to change how ServiceProviderSearch policy is defined.
src/Digdir.Domain.Dialogporten.WebApi/Common/Authorization/AuthorizationOptionsSetup.cs	Updated Configure method to combine ServiceProviderSearch policy with ServiceProvider policy.

Possibly related PRs

• fix: (webAPI): Add revision to search dto (ServiceOwner) #1216: Modifies the AuthorizationOptionsSetup class, specifically the Configure method, relating to the ServiceProviderSearch policy.
• feat(webapi): Add ExternalReference to dialog search result #1384: Introduces a new property externalReference in dialog search result schemas, potentially interacting with the authorization logic.
• feat(performance): Performance/create serviceowner search #1413: Enhancements for service owner searches that may be influenced by the authorization policies defined in this PR.

Suggested reviewers

• arealmaas: Suggested reviewer for the changes made in the AuthorizationOptionsSetup class.

---

Thank you for using CodeRabbit. We offer it for free to the OSS community and would appreciate your support in helping us grow. If you find it useful, would you consider giving us a shout-out on your favorite social media?

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

🪧 Tips

Chat

There are 3 ways to chat with CodeRabbit:

• Review comments: Directly reply to a review comment made by CodeRabbit. Example:
  • I pushed a fix in commit <commit_id>, please review it.
  • Generate unit testing code for this file.
  • Open a follow-up GitHub issue for this discussion.
• Files and specific lines of code (under the "Files changed" tab): Tag @coderabbitai in a new review comment at the desired location with your query. Examples:
  • @coderabbitai generate unit testing code for this file.
  • @coderabbitai modularize this function.
• PR comments: Tag @coderabbitai in a new PR comment to ask questions about the PR branch. For the best results, please provide a very specific query, as very limited context is provided in this mode. Examples:
  • @coderabbitai gather interesting stats about this repository and render them as a table. Additionally, render a pie chart showing the language distribution in the codebase.
  • @coderabbitai read src/utils.ts and generate unit testing code.
  • @coderabbitai read the files in the src/scheduler package and generate a class diagram using mermaid and a README in the markdown format.
  • @coderabbitai help me debug CodeRabbit configuration file.

Note: Be mindful of the bot's finite context window. It's strongly recommended to break down tasks such as reading entire modules into smaller chunks. For a focused discussion, use review comments to chat about specific files and their changes, instead of using the PR comments.

CodeRabbit Commands (Invoked using PR comments)

• @coderabbitai pause to pause the reviews on a PR.
• @coderabbitai resume to resume the paused reviews.
• @coderabbitai review to trigger an incremental review. This is useful when automatic reviews are disabled for the repository.
• @coderabbitai full review to do a full review from scratch and review all the files again.
• @coderabbitai summary to regenerate the summary of the PR.
• @coderabbitai resolve resolve all the CodeRabbit review comments.
• @coderabbitai configuration to show the current CodeRabbit configuration for the repository.
• @coderabbitai help to get help.

Other keywords and placeholders

• Add @coderabbitai ignore anywhere in the PR description to prevent this PR from being reviewed.
• Add @coderabbitai summary to generate the high-level summary at a specific location in the PR description.
• Add @coderabbitai anywhere in the PR title to generate the title automatically.

Documentation and Community

• Visit our Documentation for detailed information on how to use CodeRabbit.
• Join our Discord Community to get help, request features, and share feedback.
• Follow us on X/Twitter for updates and announcements.

[coderabbitai]

Actionable comments posted: 0

🧹 Outside diff range and nitpick comments (1)

src/Digdir.Domain.Dialogporten.Application/Common/Extensions/ClaimsPrincipalExtensions.cs (1)

32-36: LGTM! Consider extracting scope constants to a shared configuration.

The changes look good:

• Making ServiceProviderScope private improves encapsulation
• The new ServiceProviderSearchScope follows consistent naming
• TODO comment accurately reflects multiple scopes

As mentioned in issue #647, consider extracting these scope constants to a shared auth library or configuration to avoid duplication and maintain consistency across the codebase.

📜 Review details

Configuration used: .coderabbit.yaml
Review profile: CHILL

📥 Commits

Reviewing files that changed from the base of the PR and between cec11e8 and a9d120f.

📒 Files selected for processing (1)

• src/Digdir.Domain.Dialogporten.Application/Common/Extensions/ClaimsPrincipalExtensions.cs (2 hunks)

🔇 Additional comments (1)

src/Digdir.Domain.Dialogporten.Application/Common/Extensions/ClaimsPrincipalExtensions.cs (1)

Line range hint 248-252: LGTM! Verify scope usage in authentication middleware.

The changes correctly address the 403 error by allowing either ServiceProviderScope or ServiceProviderSearchScope to grant ServiceOwner access.

Let's verify that these are the only places where the scopes are used:

✅ Verification successful

Let me gather more information about the scope usage in authorization checks.

---

LGTM! The scope usage is consistent across the codebase.

The verification confirms that both scopes (ServiceProviderScope and ServiceProviderSearchScope) are properly handled:

• Both scopes are defined as constants in WebApi and GraphQL authorization policies
• Authorization middleware correctly configures distinct policies for each scope
• The GetUserType method's changes align with the authorization setup, granting ServiceOwner access for either scope
• No inconsistencies found in scope usage across the codebase

🏁 Scripts executed

The following scripts were executed for the analysis:

Script:

#!/bin/bash
# Description: Check for other usages of the service provider scopes
# to ensure consistent handling across the codebase

# Search for any references to the scopes
rg -i "dialogporten\.serviceprovider"

# Search for scope-based authorization checks
ast-grep --pattern 'HasScope($scope)'

Length of output: 5788

---

Script:

#!/bin/bash
# Search for HasScope method usage with context
rg -A 3 "HasScope\(" 

# Search for authorization policy configurations
rg -A 5 "AddAuthorization|RequireScope"

Length of output: 12351

[elsand]

Ref prat på Slack

Ref. Slack, keeping scopes separate for .search

[sonarcloud]

Quality Gate passed

Issues
0 New issues
0 Accepted issues

Measures
0 Security Hotspots
0.0% Coverage on New Code
100.0% Duplication on New Code

See analysis details on SonarQube Cloud

[coderabbitai]

Actionable comments posted: 0

🧹 Outside diff range and nitpick comments (2)

src/Digdir.Domain.Dialogporten.WebApi/Common/Authorization/AuthorizationOptionsSetup.cs (1)

38-39: LGTM! Consider adding documentation about policy inheritance.

The change correctly implements the authorization hierarchy by requiring both ServiceProvider and ServiceProviderSearch scopes. This makes sense from a security perspective as search capabilities should be restricted to authenticated service providers.

Consider adding a comment to document the policy inheritance chain for clarity:

 options.AddPolicy(AuthorizationPolicy.ServiceProviderSearch, builder => builder
+    // Inherits: DefaultPolicy -> ServiceProvider -> ServiceProviderSearch
     .Combine(options.GetPolicy(AuthorizationPolicy.ServiceProvider)!)
     .RequireScope(AuthorizationScope.ServiceProviderSearch));

src/Digdir.Domain.Dialogporten.GraphQL/Common/Authorization/AuthorizationOptionsSetup.cs (1)

42-43: Consider adding a code comment explaining the policy inheritance.

While the code is correct, adding a comment would help future maintainers understand why ServiceProviderSearch specifically inherits from ServiceProvider rather than using the default policy.

+            // ServiceProviderSearch must inherit ServiceProvider policy to ensure proper authorization context
             .Combine(options.GetPolicy(AuthorizationPolicy.ServiceProvider)!)

📜 Review details

Configuration used: .coderabbit.yaml
Review profile: CHILL

📥 Commits

Reviewing files that changed from the base of the PR and between a9d120f and 87dac11.

📒 Files selected for processing (2)

• src/Digdir.Domain.Dialogporten.GraphQL/Common/Authorization/AuthorizationOptionsSetup.cs (1 hunks)
• src/Digdir.Domain.Dialogporten.WebApi/Common/Authorization/AuthorizationOptionsSetup.cs (1 hunks)

🔇 Additional comments (1)

src/Digdir.Domain.Dialogporten.GraphQL/Common/Authorization/AuthorizationOptionsSetup.cs (1)

42-43: LGTM! The authorization policy change correctly addresses the 403 issue.

The modification to combine ServiceProviderSearch with ServiceProvider policy instead of the default policy is the right approach, as it ensures that search operations inherit all necessary permissions from the service provider context.

Let's verify the authorization scopes are properly defined:

✅ Verification successful

Authorization scopes and policies are correctly defined and consistently used across both WebAPI and GraphQL

The verification confirms:

• ServiceProviderSearch scope is properly defined as "digdir:dialogporten.serviceprovider.search"
• Both WebAPI and GraphQL implementations consistently:
  • Combine ServiceProviderSearch policy with ServiceProvider policy
  • Require the correct scope for authorization
• The policy inheritance structure matches between both implementations, ensuring consistent behavior

🏁 Scripts executed

The following scripts were executed for the analysis:

Script:

#!/bin/bash
# Description: Verify the AuthorizationScope definitions and usage
# Expected: Find definitions of ServiceProvider and ServiceProviderSearch scopes
# and their usage in authorization policies

# Search for scope definitions
echo "=== Searching for scope definitions ==="
rg -A 1 "AuthorizationScope\." --type cs

# Search for policy usage
echo "=== Searching for policy usage ==="
rg -A 2 "ServiceProviderSearch|ServiceProvider.*scope" --type cs

Length of output: 13808