Epic: Capture

...

ownership of newly created resources

This epic covers all the stories needed to capture resource ownership on each resource stored in the Ed-Fi ODS by the API. It can be implemented independently from the use of this information to perform ownership-based authorization of API requests.

...

• Phase 1 - Capture Ownership on Newly Created Entities
  • Add support for ownership-based claims information
    • Create EF migration in EdFi_Admin to support ownership-based security model:
      • Create OwnershipToken entity/table with OwnershipTokenId (short) as the primary key, and a Description (string with maxlength of 50).
      • Add optional OwnershipTokenId foreign key reference to the ApiClient entity/table.
      • Create the ApiClientOwnershipToken entity/table with ApiClientOwnershipTokenId (int IDENTITY), with foreign key references to OwnershipTokenId (short) and ApiClientId (int).
    • Create EF migration in EdFi_Admin to enhance the AccessTokenIsValid stored procedure to support ownership-based claims
      • Stored procedure must also return the OwnershipTokenId associated with the API client (for "stamping" newly created resources)
      • Stored procedure must also return the collection of the API client's current OwnershipTokens (for authorizing access to existing resources)
    • Enhance OAuthTokenValidator class to populate the ownership-based claims into the ApiClientDetails class
      • Add CreatorOwnershipTokenId to the ApiClientDetails class and populate.
      • Add OwnedOwnershipTokenIds collection to the ApiClientDetails class, and populate from stored procedure results.
    • Enhance the ApiKeyContext class to hold the ownership-based claims values for authorization decisions:
      • Add CreatorOwnershipTokenId to the ApiClientDetails class and populate.
      • Add OwnedOwnershipTokenIds collection to the ApiClientDetails class, and populate from stored procedure results.
    • Enhance the OAuthAuthenticationProvider's Authenticate method to copy the CreatorOwnershipTokenId and OwnedOwnershipTokenIds from the ApiClientDetails to the ApiKeyContext
  • Add ODS support for capturing resource ownership
    • Create a script for adding boilerplate ownership column to each aggregate root table
      • Suggestion is to use a SELECT statement using INFORMATION_SCHEMA tables to generate a resultset that contains ALTER TABLE edfi.Staff ADD CreatedByOwnershipTokenId smallint NULL  statements.
    • Ed-Fi TODO: Implement MetaEd generator to add CreatedByOwnershipTokenId via feature toggle (a la "Change Queries")
  • Add core API support for capturing ownership on new resources
    • Add CreatedByOwnershipTokenId property to the AggregateRootWIthCompositeKey class
    • Create an ICreateEntity decorator (OwnershipInitializationCreateEntityDecorator) to assign the CreatedByOwnershipTokenId upon entity creation.
      • Inject the IApiKeyContextProvider into the decorator
      • Assign the CreatedByOwnershipTokenId from the API key context (OwnershipTokenId) before calling decorated Create method.
  • Implement API Feature for Resource Ownership
    • NOTE: Create as a new project, a la EdFi.Ods.ChangeQueries. 
    • Implement ResourceOwnershipNHibernateConfigurationActivity (INHibernateBeforeBindMappingActivity) to add ORM mapping of the CreatedByOwnershipTokenId property in all aggregate roots (a la ChangeQueryMappingNHibernateConfigurationActivity)
    • Register all necessary components with the container (ResourceOwnershipInstaller)
      • ResourceOwnershipNHibernateConfigurationActivity
    • Implement ResourceOwnershipFeature (a la ChangeQueriesFeature)
• Phase 2 - Define and Make Metadata Available for Applying Multiple Authorization Strategies
  
  • Add database support for defining necessary authorization metadata for applying multiple authorization strategies
    • Create an EF migration (from entity changes) that renames existing columns and tables as follows:
      • Rename the ResourceClaimAuthorizationMetadatas table to ResourceClaimActionAuthorizations.
      • Rename the primary key column of the ResourceClaimActionAuthorizations table from ResourceClaimAuthorizationStrategyId to ResourceClaimActionAuthorizationId
      • Create unique constraint/index on the ResourceClaim_ResourceClaimId and Action_ActionId columns.
      • Ensure that all related artifacts (i.e. FK constraint names) are named correctly to prevent future EF migration failures.
      • Create and preserve a single commit inclusive of the changes to entities and the associated migrations (do not squash the commit).
    • Create an EF migration (from entity changes) that renames existing columns and tables as follows:
      • Rename the ClaimSetResourceClaims table to ClaimSetResourceClaimActionAuthorizations.
      • Rename the primary key of that table from ClaimSetResourceClaimId to ClaimSetResourceClaimActionAuthorizationId.
      • Create unique constraint/index on the ClaimSet_ClaimSetId, ResourceClaim_ResourceClaimId and Action_ActionId columns.
      • Ensure that all related artifacts (i.e. FK constraint names) are named correctly to prevent future EF migration failures.
      • Create and preserve a single commit inclusive of the changes to entities and the associated migrations (do not squash the commit).
    • Create an EF migration (from entity changes) that drops existing FKs and Indexes and moves the AuthorizationStrategyId FKs to new child tables (ResourceClaimActionAuthorizationStrategies and ClaimSetResourceClaimActionAuthorizationStrategyOverrides).
      • Create primary key columns as ResourceClaimActionAuthorizationStrategyId and ClaimSetResourceClaimActionAuthorizationStrategyOverrideId, respectively.
      • Create unique constraint/index on the FK columns of new child tables, as follows (respectively):
        • ResourceClaimActionAuthorization_ResourceClaimActionAuthorizationIdId, and AuthorizationStrategy_AuthorizationStrategyId columns.
        • ClaimSetResourceClaimActionAuthorization_ClaimSetResourceClaimActionAuthorizationIdId, and AuthorizationStrategy_AuthorizationStrategyId columns.
      • Up migration must also move existing inline authorization strategy assignments to the child tables.
      • Down migration must inline the data (using all defined authorization strategies, as they are not constrained) back to the parent table.
  • Modify API authorization components to surface multiple authorization strategies
    • Adjust any artifacts that currently reference authorization strategy names (or overrides) in the singular as type string  to IReadOnlyList<string> (except for EF security model components which should use List<string> ):
      • ~\Ed-Fi-ODS\Application\EdFi.Ods.Common\Security\Claims\EdFiResourceClaimValue.cs
      • ~\Ed-Fi-ODS\Application\EdFi.Ods.Common\Security\Claims\IResourceAuthorizationMetadataProvider.cs
      • ~\Ed-Fi-ODS\Application\EdFi.Ods.Security\Authorization\EdFiAuthorizationProvider.cs
      • ~\Ed-Fi-ODS\Application\EdFi.Ods.Security\AuthorizationStrategies\ResourceAuthorizationMetadataProvider.cs
      • ~\Ed-Fi-ODS\Application\EdFi.Ods.Security\Claims\ClaimsIdentityProvider.cs
• Phase 3 - Authorize Access Based on Resource Ownership
  • Implement a filter configurator for ownership based authorization
    • OwnershipBasedAuthorizationStrategyFilterConfigurator class should implement the INHibernateFilterConfigurator  interface using the NamespaceBasedAuthorizationStrategyFilterConfigurator as a reference.
    • When defining the criteriaApplicator  action, consider making use of the ApplyPropertyFilters  extension method (of ICriteria).
  • Implement an authorization strategy for ownership-based authorization
    • OwnershipBasedAuthorizationStrategy class should implement the IEdFiAuthorizationStrategy using the NamespaceBasedAuthorizationStrategy as a reference.
    • Named parameter value (CreatedByOwnershipTokenId) should be assigned from the client's claims (OwnershipTokenIds as an array of objects)

...