Versions Compared

Old Version 1

changes.mady.by.user Geoffrey McElhanon

Saved on

compared with

New Version 2

changes.mady.by.user Geoffrey McElhanon

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.
Comment: Stubbed out brief descriptions of all work activity
  • Phase 1 - Capture Ownership on Newly Created Entities
    • Add support for ownership-based claims information
      • Create EF migration in EdFi_Admin EF migrations to support ownership-based security model:
        • Create OwnershipToken entity/table with OwnershipTokenId (short) as the primary key, and a Description (string with maxlength of 50).
        • Add optional OwnershipTokenId foreign key reference to the ApiClient entity/table.
        • Create the ApiClientOwnershipToken entity/table with ApiClientOwnershipTokenId (int IDENTITY), with foreign key references to OwnershipTokenId (short) and ApiClientId (int).
      • Create EF migration in EdFi_Admin EF migrations to enhance the AccessTokenIsValid stored procedure to support ownership-based claims
        • Stored procedure must also return the OwnershipTokenId associated with the API client (for "stamping" newly created resources)
        • Stored procedure must also return the collection of the API client's current OwnershipTokens (for authorizing access to existing resources)
      • Enhance OAuthTokenValidator class to populate the ownership-based claims into the ApiClientDetails class
        • Add CreatorOwnershipTokenId to the ApiClientDetails class and populate.
        • Add OwnedOwnershipTokenIds collection to the ApiClientDetails class, and populate from stored procedure results.
      • Enhance the ApiKeyContext class to hold the ownership-based claims values for authorization decisions:
        • Add OwnershipTokenId CreatorOwnershipTokenId to the ApiClientDetails class and populate.
        • Add OwnershipTokens OwnedOwnershipTokenIds collection to the ApiClientDetails class, and populate from stored procedure results.
      • Enhance the OAuthAuthenticationProvider's Authenticate method to copy the CreatorOwnershipTokenId and OwnedOwnershipTokenIds from the ApiClientDetails to the ApiKeyContext
    • Add ODS support for capturing resource ownership
      • Create a script for adding boilerplate ownership column to each aggregate root table
        • Suggestion is to use a SELECT statement using INFORMATION_SCHEMA tables to generate a resultset that contains ALTER TABLE edfi.Staff ADD CreatedByOwnershipTokenId smallint NULL  statements.
      • Ed-Fi TODO: Implement MetaEd generator to add CreatedByOwnershipTokenId via feature toggle ala (a la "Change Queries"
      Initialize owner upon entity creation
      • Define an IHasOwner interface exposing a single property CreatedByOwnershipTokenId)
    • Add core API support for capturing ownership on new resources
      • Add CreatedByOwnershipTokenId property to the AggregateRootWIthCompositeKey class
      • Create an ICreateEntity decorator (OwnershipInitializationCreateEntityDecorator) to assign the CreatedByOwnershipTokenId upon entity creation.
          Cast the entity to IHasOwner and assign the ownership token value
          • Inject the IApiKeyContextProvider into the decorator
          • Assign the CreatedByOwnershipTokenId from the API key context (OwnershipTokenId) before
          creation.
      • Modify generated assets to conditionally support ownership
        • Modify generated entities - Check the feature toggle and add an implementation of the IHasOwner interface on to the aggregate root entities
        • Modify ORM mappings - Check the feature toggle and add a mapping for the CreatedByOwnershipTokenId property/column.
        • NOTE: No need to modify the entity mappers.
      Phase 2 - Authorize Access Based on Ownership
          • calling decorated Create method.
      • Implement API Feature for Resource Ownership
        • NOTE: Create as a new project, a la EdFi.Ods.ChangeQueries
        • Implement ResourceOwnershipNHibernateConfigurationActivity (INHibernateBeforeBindMappingActivity) to add ORM mapping of the CreatedByOwnershipTokenId property in all aggregate roots (a la ChangeQueryMappingNHibernateConfigurationActivity)
        • Register all necessary components with the container (ResourceOwnershipInstaller)
          • ResourceOwnershipNHibernateConfigurationActivity
        • Implement ResourceOwnershipFeature (a la ChangeQueriesFeature)
    • Phase 2 - Define and Make Metadata Available for Applying Multiple Authorization Strategies
      • Add database support for defining necessary authorization metadata for applying multiple authorization strategies
        • Create an EF migration (from entity changes) that renames existing columns and tables as follows:
          • Rename the ResourceClaimAuthorizationMetadatas table to ResourceClaimActionAuthorizations.
          • Rename the primary key column of the ResourceClaimActionAuthorizations table from ResourceClaimAuthorizationStrategyId to ResourceClaimActionAuthorizationId
          • Create unique constraint/index on the ResourceClaim_ResourceClaimId and Action_ActionId columns.
          • Ensure that all related artifacts (i.e. FK constraint names) are named correctly to prevent future EF migration failures.
          • Create and preserve a single commit inclusive of the changes to entities and the associated migrations (do not squash the commit).
        • Create an EF migration (from entity changes) that renames existing columns and tables as follows:
          • Rename the ClaimSetResourceClaims table to ClaimSetResourceClaimActionAuthorizations.
          • Rename the primary key of that table from ClaimSetResourceClaimId to ClaimSetResourceClaimActionAuthorizationId.
          • Create unique constraint/index on the ClaimSet_ClaimSetId, ResourceClaim_ResourceClaimId and Action_ActionId columns.
          • Ensure that all related artifacts (i.e. FK constraint names) are named correctly to prevent future EF migration failures.
          • Create and preserve a single commit inclusive of the changes to entities and the associated migrations (do not squash the commit).
        • Create an EF migration (from entity changes) that drops existing FKs and Indexes and moves the AuthorizationStrategyId FKs to new child tables (ResourceClaimActionAuthorizationStrategies and ClaimSetResourceClaimActionAuthorizationStrategyOverrides).
          • Create primary key columns as ResourceClaimActionAuthorizationStrategyId and ClaimSetResourceClaimActionAuthorizationStrategyOverrideId, respectively.
          • Create unique constraint/index on the FK columns of new child tables, as follows (respectively):
            • ResourceClaimActionAuthorization_ResourceClaimActionAuthorizationIdId, and AuthorizationStrategy_AuthorizationStrategyId columns.
            • ClaimSetResourceClaimActionAuthorization_ClaimSetResourceClaimActionAuthorizationIdId, and AuthorizationStrategy_AuthorizationStrategyId columns.
          • Up migration must also move existing inline authorization strategy assignments to the child tables.
          • Down migration must inline the data (using all defined authorization strategies, as they are not constrained) back to the parent table.
      • Modify API authorization components to surface multiple authorization strategies
        • Adjust any artifacts that currently reference authorization strategy names (or overrides) in the singular as type string  to IReadOnlyList<string> (except for EF security model components which should use List<string> ):
          • ~\Ed-Fi-ODS\Application\EdFi.Ods.Common\Security\Claims\EdFiResourceClaimValue.cs
          • ~\Ed-Fi-ODS\Application\EdFi.Ods.Common\Security\Claims\IResourceAuthorizationMetadataProvider.cs
          • ~\Ed-Fi-ODS\Application\EdFi.Ods.Security\Authorization\EdFiAuthorizationProvider.cs
          • ~\Ed-Fi-ODS\Application\EdFi.Ods.Security\AuthorizationStrategies\ResourceAuthorizationMetadataProvider.cs
          • ~\Ed-Fi-ODS\Application\EdFi.Ods.Security\Claims\ClaimsIdentityProvider.cs
    • Phase 3 - Authorize Access Based on Resource Ownership
      • Implement a filter configurator for ownership based authorization
        • OwnershipBasedAuthorizationStrategyFilterConfigurator class should implement the INHibernateFilterConfigurator  interface using the NamespaceBasedAuthorizationStrategyFilterConfigurator as a reference.
        • When defining the criteriaApplicator  action, consider making use of the ApplyPropertyFilters  extension method (of ICriteria).
      • Implement an authorization strategy for ownership-based authorization
        • OwnershipBasedAuthorizationStrategy class should implement the IEdFiAuthorizationStrategy using the NamespaceBasedAuthorizationStrategy as a reference.
        • Named parameter value (CreatedByOwnershipTokenId) should be assigned from the client's claims (OwnershipTokenIds as an array of objects)