Feature/remilovoll/26/03/movepolicyfilemigrating (#2603)

* Changed path algoritm on instance delegation

* Added new policy path
1. when moving instance delegation
2. in app instance delegation in existinf api

* Copilot comments

---------

Co-authored-by: Løvoll, Remi <acn-rlovo@ai-dev.no>

Author: lovoll

src/apps/Altinn.AccessManagement/src/Altinn.AccessManagement.Core/Helpers/DelegationHelper.cs

@@ -500,16 +500,16 @@ public static bool TryGetDelegationPolicyPathFromInstanceRule(InstanceRight rule
             catch (Exception)
             {
                 return false;
-            }            
-            
+            }
+
             sb.Append(rule.ToType);
             sb.Append('-');
             sb.Append(rule.ToUuid);
             sb.Append('/');
 
             sb.Append(rule.InstanceDelegationSource);
             sb.Append('/');
-            
+
             sb.Append(rule.InstanceDelegationMode);
             sb.Append('/');
 
@@ -519,6 +519,48 @@ public static bool TryGetDelegationPolicyPathFromInstanceRule(InstanceRight rule
             return true;
         }
 
+        /// <summary>
+        /// Gets the delegation policy path for a single Rule given the storage is in dbo schema under EntityFramework
+        /// </summary>
+        /// <returns>A bool indicating whether necessary params to build the path where found</returns>
+        public static bool TryGetNewDelegationPolicyPathFromInstanceRule(InstanceRight rule, out string instanceDelegationPolicyPath)
+        {
+            instanceDelegationPolicyPath = null;
+            StringBuilder sb = new StringBuilder();
+
+            sb.Append("resourceregistry");
+            sb.Append('/');
+
+            sb.Append(rule.ResourceId);
+            sb.Append('/');
+
+            sb.Append("instances");
+            sb.Append('/');
+
+            sb.Append("from_");
+            sb.Append(rule.FromUuid);
+            sb.Append('/');
+
+            sb.Append("to_");
+            sb.Append(rule.ToUuid);
+            sb.Append('/');
+
+            try
+            {
+                sb.Append(rule.InstanceId.AsFileName(false));
+                sb.Append('/');
+            }
+            catch (Exception)
+            {
+                return false;
+            }
+
+            sb.Append("delegationpolicy.xml");
+            instanceDelegationPolicyPath = sb.ToString();
+
+            return true;
+        }
+
         /// <summary>
         /// Returns the count of unique Policies in a list of Rules
         /// </summary>

src/apps/Altinn.AccessManagement/src/Altinn.AccessManagement.Core/Services/AppsInstanceDelegationService.cs

@@ -1,5 +1,4 @@
-using System.ComponentModel.DataAnnotations;
-using System.Formats.Asn1;
+using System.ComponentModel.DataAnnotations;
 using Altinn.AccessManagement.Core.Clients.Interfaces;
 using Altinn.AccessManagement.Core.Configuration;
 using Altinn.AccessManagement.Core.Constants;
@@ -8,6 +7,7 @@
 using Altinn.AccessManagement.Core.Helpers;
 using Altinn.AccessManagement.Core.Helpers.Extensions;
 using Altinn.AccessManagement.Core.Models;
+using Altinn.AccessManagement.Core.Models.Party;
 using Altinn.AccessManagement.Core.Models.Register;
 using Altinn.AccessManagement.Core.Models.ResourceRegistry;
 using Altinn.AccessManagement.Core.Models.Rights;
@@ -17,6 +17,7 @@
 using Altinn.Platform.Register.Models;
 using Altinn.Urn;
 using Altinn.Urn.Json;
+using Azure.Core;
 using Microsoft.Extensions.Options;
 
 namespace Altinn.AccessManagement.Core.Services.Implementation;
@@ -27,22 +28,26 @@ namespace Altinn.AccessManagement.Core.Services.Implementation;
 public class AppsInstanceDelegationService : IAppsInstanceDelegationService
 {
     private readonly IPartiesClient _partiesClient;
+    private readonly IAMPartyService _partyService;
     private readonly IPolicyInformationPoint _pip;
     private readonly IPolicyAdministrationPoint _pap;
     private readonly IResourceRegistryClient _resourceRegistryClient;
     private readonly AppsInstanceDelegationSettings _appsInstanceDelegationSettings;
     private readonly string appInstanceResourcePath = "appInstanceDelegationRequest.Resource";
+    private readonly Microsoft.FeatureManagement.IFeatureManager _featureManager;
 
     /// <summary>
     /// Initializes a new instance of the <see cref="AppsInstanceDelegationService"/> class.
     /// </summary>
-    public AppsInstanceDelegationService(IPartiesClient partiesClient, IOptions<AppsInstanceDelegationSettings> appsInstanceDelegationSettings, IResourceRegistryClient resourceRegistryClient, IPolicyInformationPoint pip, IPolicyAdministrationPoint pap)
+    public AppsInstanceDelegationService(IPartiesClient partiesClient, IAMPartyService partyService, IOptions<AppsInstanceDelegationSettings> appsInstanceDelegationSettings, IResourceRegistryClient resourceRegistryClient, IPolicyInformationPoint pip, IPolicyAdministrationPoint pap, Microsoft.FeatureManagement.IFeatureManager featureManager)
     {
         _partiesClient = partiesClient;
+        _partyService = partyService;
         _pip = pip;
         _resourceRegistryClient = resourceRegistryClient;
         _pap = pap;
         _appsInstanceDelegationSettings = appsInstanceDelegationSettings.Value;
+        _featureManager = featureManager;
     }
 
     private async Task<(UuidType DelegationType, Guid? Uuid)> TranslatePartyUuidToPersonOrganizationUuid(PartyUrn partyId)
@@ -224,10 +229,46 @@ public async Task<Result<ResourceDelegationCheckResponse>> DelegationCheck(AppsI
         return await Task.FromResult(result);        
     }
 
+    private async Task<MinimalParty> GetMinimalParty(PartyUrn urn, CancellationToken cancellationToken)
+    {
+        switch (urn.KeySpan.ToString())
+        {
+            case AltinnXacmlConstants.MatchAttributeIdentifiers.PartyUuidAttribute:
+                return await _partyService.GetByUid(new Guid(urn.ValueSpan.ToString()), cancellationToken);
+            case AltinnXacmlConstants.MatchAttributeIdentifiers.OrganizationNumberAttribute:
+                return await _partyService.GetByOrgNo(Authorization.Api.Contracts.Register.OrganizationNumber.Parse(urn.ValueSpan), cancellationToken);
+            default:
+                return null;
+        }
+    }
+
     /// <inheritdoc/>
     public async Task<Result<AppsInstanceDelegationResponse>> Delegate(AppsInstanceDelegationRequest request, CancellationToken cancellationToken = default)
     {
+        bool useEF = await _featureManager.IsEnabledAsync("AccessManagement.InstanceDelegation.EF");
+        string instanceId = request.InstanceId;
+
+        if (useEF)
+        {
+            // Create instance urn and use it for the internal processing but reset it for response as we should not change the contract
+            MinimalParty party = await GetMinimalParty(request.From, cancellationToken);
+
+            if (party == null) 
+            {
+                ValidationErrorBuilder errors = default;
+                errors.Add(ValidationErrors.InvalidPartyUrn, "From");
+                if (errors.TryBuild(out var invalidParty))
+                {
+                    return invalidParty;
+                }
+            }
+
+            string instanceUrn = $"{AltinnXacmlConstants.MatchAttributeIdentifiers.InstanceAttribute}:{party.PartyId}/{instanceId}";
+            request.InstanceId = instanceUrn;            
+        }
+
         (ValidationErrorBuilder Errors, InstanceRight RulesToHandle, List<RightInternal> RightsAppCantHandle) input = await SetUpDelegationOrRevokeRequest(request, cancellationToken);
+        request.InstanceId = instanceId;
 
         if (input.Errors.TryBuild(out var errorResult))
         {
@@ -239,7 +280,7 @@ public async Task<Result<AppsInstanceDelegationResponse>> Delegate(AppsInstanceD
             From = request.From,
             To = request.To,
             ResourceId = request.ResourceId,
-            InstanceId = request.InstanceId,
+            InstanceId = instanceId,
             InstanceDelegationMode = request.InstanceDelegationMode
         };
 

src/apps/Altinn.AccessManagement/src/Altinn.AccessManagement.Core/Services/PolicyAdministrationPoint.cs

@@ -28,6 +28,7 @@ public class PolicyAdministrationPoint : IPolicyAdministrationPoint
         private readonly IPolicyFactory _policyFactory;
         private readonly IDelegationMetadataRepository _delegationRepository;
         private readonly IDelegationChangeEventQueue _eventQueue;
+        private readonly Microsoft.FeatureManagement.IFeatureManager _featureManager;
         private readonly int delegationChangeEventQueueErrorId = 911;
 
         /// <summary>
@@ -38,13 +39,14 @@ public class PolicyAdministrationPoint : IPolicyAdministrationPoint
         /// <param name="delegationRepository">The delegation change repository (postgresql).</param>
         /// <param name="eventQueue">The delegation change event queue service to post events for any delegation change.</param>
         /// <param name="logger">Logger instance.</param>
-        public PolicyAdministrationPoint(IPolicyRetrievalPoint policyRetrievalPoint, IPolicyFactory policyFactory, IDelegationMetadataRepository delegationRepository, IDelegationChangeEventQueue eventQueue, ILogger<IPolicyAdministrationPoint> logger)
+        public PolicyAdministrationPoint(IPolicyRetrievalPoint policyRetrievalPoint, IPolicyFactory policyFactory, IDelegationMetadataRepository delegationRepository, IDelegationChangeEventQueue eventQueue, ILogger<IPolicyAdministrationPoint> logger, Microsoft.FeatureManagement.IFeatureManager featureManager)
         {
             _prp = policyRetrievalPoint;
             _policyFactory = policyFactory;
             _delegationRepository = delegationRepository;
             _eventQueue = eventQueue;
             _logger = logger;
+            _featureManager = featureManager;
         }
 
         /// <inheritdoc/>
@@ -305,7 +307,18 @@ private static XacmlPolicy BuildInstanceRevokePolicy(XacmlPolicy delegationPolic
         /// <inheritdoc />
         public async Task<InstanceRight> TryWriteInstanceDelegationPolicyRules(InstanceRight rules, CancellationToken cancellationToken = default)
         {
-            bool validPath = DelegationHelper.TryGetDelegationPolicyPathFromInstanceRule(rules, out string path);
+            bool useEF = await _featureManager.IsEnabledAsync("AccessManagement.InstanceDelegation.EF");
+            bool validPath;
+            string path;
+
+            if (useEF)
+            {
+                validPath = DelegationHelper.TryGetNewDelegationPolicyPathFromInstanceRule(rules, out path);
+            }
+            else
+            {
+                validPath = DelegationHelper.TryGetDelegationPolicyPathFromInstanceRule(rules, out path);
+            }
 
             if (validPath)
             {
@@ -356,7 +369,27 @@ public async Task<InstanceRight> TryWriteInstanceRevokePolicyRules(InstanceRight
             }
             catch (Exception ex)
             {
-                bool validPath = DelegationHelper.TryGetDelegationPolicyPathFromInstanceRule(rules, out string path);
+                bool useEF = false;
+                bool validPath;
+                string path;
+
+                try
+                {
+                    useEF = await _featureManager.IsEnabledAsync("AccessManagement.InstanceDelegation.EF");
+                }
+                catch (Exception)
+                {
+                }
+                
+                if (useEF)
+                {
+                    validPath = DelegationHelper.TryGetNewDelegationPolicyPathFromInstanceRule(rules, out path);
+                }
+                else
+                {
+                    validPath = DelegationHelper.TryGetDelegationPolicyPathFromInstanceRule(rules, out path);
+                }
+
                 if (validPath)
                 {
                     _logger.LogError(ex, "An exception occured while processing authorization rules for delegation on delegation policy path: {path}", path);

src/apps/Altinn.AccessManagement/src/Altinn.AccessMgmt.Core/HostedServices/Services/SingleInstanceRightSyncService.cs

@@ -141,6 +141,7 @@ public async Task SyncSingleInstanceRights(ILease lease, CancellationToken cance
                                     CreateInstanceUrnFromInstanceIdAndPartyId(item.InstanceId, party.PartyId),
                                     item.InstanceDelegationChangeId,
                                     values,
+                                    party.PartyId,
                                     cancellationToken);
 
                                 if (adds == 0)
@@ -273,6 +274,7 @@ public async Task SyncFailedSingleInstanceRights(CancellationToken cancellationT
                             CreateInstanceUrnFromInstanceIdAndPartyId(element.InstanceId, party.PartyId),
                             element.InstanceDelegationChangeId,
                             values,
+                            party.PartyId,
                             cancellationToken);
 
                         if (adds == 0)