Versions Compared

Old Version 6

changes.mady.by.user Geoffrey McElhanon

Saved on

compared with

New Version Current

changes.mady.by.user Geoffrey McElhanon

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

Table of Contents
maxLevel2

...

  • Add a new CreatedByOwnershipTokenId property (short) to the AggregateRootWithCompositeKey class.
  • Add a new IHasCreator interface (containing just the CreatedByOwnershipTokenId property) in the EdFi.Ods.Common project (alongside IHasIdentifier)
  • Add a generic constraint (of IHasCreator) on the TEntity generic types defined on the ICreateEntity, CreateEntity and CreateEntityAuthorizationDecorator interfaces and implementations.
  • Provide an INHibernateBeforeBindMappingActivity implementation (OwnershipBasedAuthorizationNHibernateConfigurationActivity)  that adds the necessary run-time ORM mapping of the CreatedByOwnershipTokenId property in all aggregate roots. Use the ChangeQueryMappingNHibernateConfigurationActivity as a reference implementation.
  • Create an ICreateEntity decorator (OwnershipInitializationCreateEntityDecorator, with a generic constraint of IHasCreator on the generic type argument TEntity) to assign the CreatedByOwnershipTokenId upon entity creation.
    • Inject the IApiKeyContextProvider into the decorator (along with the decorated ICreateEntity instance). (NOTE: Following this pattern and registering the decorator first will result in Castle Windsor automatically injecting the decorated instance into the decorator.)
    • Assign the CreatedByOwnershipTokenId property from the current API key context (CreatorOwnershipTokenId property) before calling decorated instance's Create method.
  • Implement API Feature for Ownership-Based Authorizations
    • Create a OwnershipBasedAuthorizationInstaller class (using ChangeQueriesInstaller as a referenced) to register all new components with the Castle Windsor container.
    • Create a OwnershipBasedAuthorizationFeature class (using ChangeQueriesFeature as a reference implementation) to allow for configuration-based activation of the feature and invoke the installer.

Original Notes (to be deleted):

  • Phase 1 - Capture Ownership on Newly Created Entities
    • Add support for ownership-based claims information
      • Create EF migration in EdFi_Admin to support ownership-based security model:
        • Create OwnershipToken entity/table with OwnershipTokenId (short) as the primary key, and a Description (string with maxlength of 50).
        • Add optional OwnershipTokenId foreign key reference to the ApiClient entity/table.
        • Create the ApiClientOwnershipToken entity/table with ApiClientOwnershipTokenId (int IDENTITY), with foreign key references to OwnershipTokenId (short) and ApiClientId (int).
      • Create EF migration in EdFi_Admin to enhance the AccessTokenIsValid stored procedure to support ownership-based claims
        • Stored procedure must also return the OwnershipTokenId associated with the API client (for "stamping" newly created resources)
        • Stored procedure must also return the collection of the API client's current OwnershipTokens (for authorizing access to existing resources)
      • Enhance OAuthTokenValidator class to populate the ownership-based claims into the ApiClientDetails class
        • Add CreatorOwnershipTokenId to the ApiClientDetails class and populate.
        • Add OwnedOwnershipTokenIds collection to the ApiClientDetails class, and populate from stored procedure results.
      • Enhance the ApiKeyContext class to hold the ownership-based claims values for authorization decisions:
        • Add CreatorOwnershipTokenId to the ApiClientDetails class and populate.
        • Add OwnedOwnershipTokenIds collection to the ApiClientDetails class, and populate from stored procedure results.
      • Enhance the OAuthAuthenticationProvider's Authenticate method to copy the CreatorOwnershipTokenId and OwnedOwnershipTokenIds from the ApiClientDetails to the ApiKeyContext
    • Add ODS support for capturing resource ownership
      • Create a script for adding boilerplate ownership column to each aggregate root table
        • Suggestion is to use a SELECT statement using INFORMATION_SCHEMA tables to generate a resultset that contains ALTER TABLE edfi.Staff ADD CreatedByOwnershipTokenId smallint NULL  statements.
      • Ed-Fi TODO: Implement MetaEd generator to add CreatedByOwnershipTokenId via feature toggle (a la "Change Queries")
    • Add core API support for capturing ownership on new resources
      • Add CreatedByOwnershipTokenId property to the AggregateRootWIthCompositeKey class
      • Create an ICreateEntity decorator (OwnershipInitializationCreateEntityDecorator) to assign the CreatedByOwnershipTokenId upon entity creation.
        • Inject the IApiKeyContextProvider into the decorator
        • Assign the CreatedByOwnershipTokenId from the API key context (OwnershipTokenId) before calling decorated Create method.
    • Implement API Feature for Resource Ownership
      • NOTE: Create as a new project, a la EdFi.Ods.ChangeQueries
      • Implement ResourceOwnershipNHibernateConfigurationActivity (INHibernateBeforeBindMappingActivity) to add ORM mapping of the CreatedByOwnershipTokenId property in all aggregate roots (a la ChangeQueryMappingNHibernateConfigurationActivity)
      • Register all necessary components with the container (ResourceOwnershipInstaller)
        • ResourceOwnershipNHibernateConfigurationActivity
      • Implement ResourceOwnershipFeature (a la ChangeQueriesFeature)
  • Phase 2 - Define and Make Metadata Available for Applying Multiple Authorization Strategies
    • Add database support for defining necessary authorization metadata for applying multiple authorization strategies
      • Create an EF migration (from entity changes) that renames existing columns and tables as follows:
        • Rename the ResourceClaimAuthorizationMetadatas table to ResourceClaimActionAuthorizations.
        • Rename the primary key column of the ResourceClaimActionAuthorizations table from ResourceClaimAuthorizationStrategyId to ResourceClaimActionAuthorizationId
        • Create unique constraint/index on the ResourceClaim_ResourceClaimId and Action_ActionId columns.
        • Ensure that all related artifacts (i.e. FK constraint names) are named correctly to prevent future EF migration failures.
        • Create and preserve a single commit inclusive of the changes to entities and the associated migrations (do not squash the commit).
      • Create an EF migration (from entity changes) that renames existing columns and tables as follows:
        • Rename the ClaimSetResourceClaims table to ClaimSetResourceClaimActionAuthorizations.
        • Rename the primary key of that table from ClaimSetResourceClaimId to ClaimSetResourceClaimActionAuthorizationId.
        • Create unique constraint/index on the ClaimSet_ClaimSetId, ResourceClaim_ResourceClaimId and Action_ActionId columns.
        • Ensure that all related artifacts (i.e. FK constraint names) are named correctly to prevent future EF migration failures.
        • Create and preserve a single commit inclusive of the changes to entities and the associated migrations (do not squash the commit).
      • Create an EF migration (from entity changes) that drops existing FKs and Indexes and moves the AuthorizationStrategyId FKs to new child tables (ResourceClaimActionAuthorizationStrategies and ClaimSetResourceClaimActionAuthorizationStrategyOverrides).
        • Create primary key columns as ResourceClaimActionAuthorizationStrategyId and ClaimSetResourceClaimActionAuthorizationStrategyOverrideId, respectively.
        • Create unique constraint/index on the FK columns of new child tables, as follows (respectively):
          • ResourceClaimActionAuthorization_ResourceClaimActionAuthorizationIdId, and AuthorizationStrategy_AuthorizationStrategyId columns.
          • ClaimSetResourceClaimActionAuthorization_ClaimSetResourceClaimActionAuthorizationIdId, and AuthorizationStrategy_AuthorizationStrategyId columns.
        • Up migration must also move existing inline authorization strategy assignments to the child tables.
        • Down migration must inline the data (using all defined authorization strategies, as they are not constrained) back to the parent table.
    • Modify API authorization components to surface multiple authorization strategies
      • Adjust any artifacts that currently reference authorization strategy names (or overrides) in the singular as type string  to IReadOnlyList<string> (except for EF security model components which should use List<string> ):
        • ~\Ed-Fi-ODS\Application\EdFi.Ods.Common\Security\Claims\EdFiResourceClaimValue.cs
        • ~\Ed-Fi-ODS\Application\EdFi.Ods.Common\Security\Claims\IResourceAuthorizationMetadataProvider.cs
        • ~\Ed-Fi-ODS\Application\EdFi.Ods.Security\Authorization\EdFiAuthorizationProvider.cs
        • ~\Ed-Fi-ODS\Application\EdFi.Ods.Security\AuthorizationStrategies\ResourceAuthorizationMetadataProvider.cs
        • ~\Ed-Fi-ODS\Application\EdFi.Ods.Security\Claims\ClaimsIdentityProvider.cs
  • Phase 3 - Authorize Access Based on Resource Ownership
    • Implement a filter configurator for ownership based authorization
      • OwnershipBasedAuthorizationStrategyFilterConfigurator class should implement the INHibernateFilterConfigurator  interface using the NamespaceBasedAuthorizationStrategyFilterConfigurator as a reference.
      • When defining the criteriaApplicator  action, consider making use of the ApplyPropertyFilters  extension method (of ICriteria).
    • Implement an authorization strategy for ownership-based authorization
    • OwnershipBasedAuthorizationStrategy class should implement the IEdFiAuthorizationStrategy using the NamespaceBasedAuthorizationStrategy as a reference.
      • Named parameter value (CreatedByOwnershipTokenId) should be assigned from the client's claims (OwnershipTokenIds as an array of objects)Add an instance of the OwnershipBasedAuthorizationFeature instance to the feature list built in the constructor of the FeatureProvider class (in EdFi.Ods.Api.Startup).