Feature/remilovoll/26/03/bug fixing instance delegation from app (#2624)

* UnitTest for Conection Instance Delegation

* Fix sequence Bruno test
Fix Prefix validering av PartyUrn
Fix instance to only look at the last part for comparison

* Guardrail preventing same instanceid to belonging to more than one reportee.

* Fix responce to not include urn prefix for instanceid

* Changed the counting of fromParties to be done before fetching and parsing policy files as this is unnesesery when failing and is expencive to perform.

* Update src/apps/Altinn.AccessManagement/test/Bruno/AccessMgmt/test/EnduserAPI/Connections/Instances/Post_Enduser_Conn_Instances_Dagl.bru

Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>

* Missed new ProblemDetailCode

---------

Co-authored-by: Løvoll, Remi <acn-rlovo@ai-dev.no>
Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>

Author: 3 people

src/apps/Altinn.AccessManagement/src/Altinn.AccessManagement.Core/Services/AppsInstanceDelegationService.cs

@@ -231,7 +231,7 @@ public async Task<Result<ResourceDelegationCheckResponse>> DelegationCheck(AppsI
 
     private async Task<MinimalParty> GetMinimalParty(PartyUrn urn, CancellationToken cancellationToken)
     {
-        switch (urn.KeySpan.ToString())
+        switch (urn.PrefixSpan.ToString())
         {
             case AltinnXacmlConstants.MatchAttributeIdentifiers.PartyUuidAttribute:
                 return await _partyService.GetByUid(new Guid(urn.ValueSpan.ToString()), cancellationToken);
@@ -264,7 +264,7 @@ public async Task<Result<AppsInstanceDelegationResponse>> Delegate(AppsInstanceD
             }
 
             string instanceUrn = $"{AltinnXacmlConstants.MatchAttributeIdentifiers.InstanceAttribute}:{party.PartyId}/{instanceId}";
-            request.InstanceId = instanceUrn;            
+            request.InstanceId = instanceUrn;
         }
 
         (ValidationErrorBuilder Errors, InstanceRight RulesToHandle, List<RightInternal> RightsAppCantHandle) input = await SetUpDelegationOrRevokeRequest(request, cancellationToken);
@@ -330,7 +330,21 @@ public async Task<Result<List<AppsInstanceRevokeResponse>>> RevokeAll(AppsInstan
         }
 
         // Fetch all existing delegations
-        List<AppsInstanceDelegationResponse> delegations = await _pip.GetInstanceDelegations(request, cancellationToken);
+        List<AppsInstanceDelegationResponse> delegations;
+        try
+        { 
+            delegations = await _pip.GetInstanceDelegations(request, cancellationToken);
+        }
+        catch (ValidationException)
+        {
+            errors.Add(ValidationErrors.InvalidInstanceId, "request.InstanceId");
+            if (errors.TryBuild(out var invalidInstanceId))
+            {
+                return invalidInstanceId;
+            }
+
+            delegations = [];
+        }
 
         // If nothing to delete just return with empty result set and no errors
         if (delegations.Count == 0)
@@ -365,7 +379,7 @@ public async Task<Result<List<AppsInstanceRevokeResponse>>> RevokeAll(AppsInstan
         List<InstanceRight> revokedResult = await _pap.TryWriteInstanceRevokeAllPolicyRules(rightsToRevoke, cancellationToken);
         List<AppsInstanceRevokeResponse> result = TransformInstanceRightListToAppsInstanceDelegationResponseList(revokedResult);
         result = RemoveInstanceIdFromResourceForRevokeResponseList(result);
-        
+        result = RemoveUrnPrefixFromInstanceIdForRevokeResponceList(result, request.InstanceId);
         return result;
     }
 
@@ -683,11 +697,37 @@ public async Task<Result<List<AppsInstanceDelegationResponse>>> Get(AppsInstance
             return errorResult;
         }
 
-        List<AppsInstanceDelegationResponse> result = await _pip.GetInstanceDelegations(request, cancellationToken);
+        List<AppsInstanceDelegationResponse> result;
+        try 
+        {
+            result = await _pip.GetInstanceDelegations(request, cancellationToken);
+        } 
+        catch (ValidationException)
+        {
+            errors.Add(ValidationErrors.InvalidInstanceId, "request.InstanceId");
+            if (errors.TryBuild(out var invalidInstanceId))
+            {
+                return invalidInstanceId;
+            }
+
+            result = [];
+        }
+
         result = RemoveInstanceIdFromResourceForDelegationResponseList(result);
+        result = RemoveUrnPrefixFromInstanceId(result, request.InstanceId);
         return result;
     }
 
+    private static List<AppsInstanceDelegationResponse> RemoveUrnPrefixFromInstanceId(List<AppsInstanceDelegationResponse> input, string instanceId)
+    {
+        foreach (AppsInstanceDelegationResponse item in input)
+        {
+            item.InstanceId = instanceId;
+        }
+
+        return input;
+    }
+
     private static AppsInstanceRevokeResponse RemoveInstanceIdFromResourceForRevokeResponse(AppsInstanceRevokeResponse input)
     {
         foreach (var right in input.Rights)
@@ -708,6 +748,16 @@ private static List<AppsInstanceRevokeResponse> RemoveInstanceIdFromResourceForR
         return input;
     }
 
+    private static List<AppsInstanceRevokeResponse> RemoveUrnPrefixFromInstanceIdForRevokeResponceList(List<AppsInstanceRevokeResponse> input, string instanceId)
+    {
+        foreach (AppsInstanceRevokeResponse item in input)
+        {
+            item.InstanceId = instanceId;
+        }
+
+        return input;
+    }    
+
     private static List<AppsInstanceDelegationResponse> RemoveInstanceIdFromResourceForDelegationResponseList(List<AppsInstanceDelegationResponse> input)
     {
         foreach (AppsInstanceDelegationResponse item in input)

src/apps/Altinn.AccessManagement/src/Altinn.AccessManagement.Core/Services/PolicyInformationPoint.cs

@@ -308,6 +308,12 @@ public async Task<List<AppsInstanceDelegationResponse>> GetInstanceDelegations(A
 
             List<InstanceDelegationChange> delegations = await _delegationRepository.GetAllLatestInstanceDelegationChanges(request.InstanceDelegationSource, request.ResourceId, request.InstanceId, cancellationToken);
 
+            List<Guid> fromParties = delegations.Select(d => d.FromUuid).Distinct().ToList();
+            if (fromParties.Count > 1)
+            {
+                throw new ValidationException($"Multiple from parties found for instance delegations: {string.Join(", ", fromParties)}");
+            }
+            
             foreach (InstanceDelegationChange delegation in delegations)
             {
                 AppsInstanceDelegationResponse appsInstanceDelegationResponse = new AppsInstanceDelegationResponse

src/apps/Altinn.AccessManagement/src/Altinn.AccessManagement.Persistence/DelegationMetadataEF.cs

@@ -686,7 +686,7 @@ public async Task<List<InstanceDelegationChange>> GetAllLatestInstanceDelegation
            .Include(t => t.Resource).ThenInclude(t => t.Type)
 
            .Where(t => t.Resource.RefId == resourceID)
-           .Where(t => t.InstanceId == instanceID)
+           .Where(t => t.InstanceId.EndsWith(instanceID))
            .ToListAsync(cancellationToken);
 
         return result.Select(Convert).ToList();

src/apps/Altinn.AccessManagement/test/Bruno/AccessMgmt/test/EnduserAPI/Connections/Instances/Post_Enduser_Conn_Instances_Dagl.bru

@@ -0,0 +1,71 @@
+meta {
+  name: Post_Enduser_Conn_Instances_Dagl
+  type: http
+  seq: 1
+}
+
+post {
+  url: {{baseUrl}}/accessmanagement/api/v1/enduser/connections/resources/rights?party={{party}}&from={{from}}&to={{to}}&resource={{resource}}&instance={{instance}}
+  body: json
+  auth: inherit
+}
+
+params:query {
+  party: {{party}}
+  from: {{from}}
+  to: {{to}}
+  resource: {{resource}}
+  instance: {{instance}}
+}
+
+headers {
+  Accept: application/json
+}
+
+body:json {
+  {
+    "DirectRightKeys": [
+      "0144e74457db71df2ba504e6fc5b081d2e72b7396f501de222767cbf838c0a56f3",
+      "0166c5e067d84985ad6974588ad0b76d7e12c1502c65cbb551e16521696088c742",
+      "01f223492db1318fea6edad70bed2c2462e9b431e42596a1a6382f5630dfd9486b",
+      "0159c58c191e76b3e6bbf8e74c81f0b1c1ec2ed6158e51843afb3f7bd9c37fb210"
+    ]
+  }
+}
+
+script:pre-request {
+  const sharedtestdata = require(`./testdata/sharedtestdata.js`);
+  const testdata = require(`./testdata/resource-delegationcheck/${bru.getEnvVar("tokenEnv")}.js`);
+  
+  bru.setVar("requestName", "Post_Enduser_Conn_Instances_Dagl");
+  
+  bru.setVar("party", testdata.VOKSENDE_FRYKTLØS_TIGER.partyUuid);
+  bru.setVar("from", testdata.VOKSENDE_FRYKTLØS_TIGER.partyUuid);
+  bru.setVar("to", testdata.KOMPLEKS_LOJAL_TIGER.dagligleder.partyUuid);
+  bru.setVar("resource", testdata.resources.instanceResourceId);
+  bru.setVar("instance", testdata.instances.testInstance1);
+  
+  var getTokenParameters = {
+    auth_userId: testdata.VOKSENDE_FRYKTLØS_TIGER.dagligleder.userId,
+    auth_partyId: testdata.VOKSENDE_FRYKTLØS_TIGER.dagligleder.partyId,
+    auth_partyUuid: testdata.VOKSENDE_FRYKTLØS_TIGER.dagligleder.partyUuid,
+    auth_ssn: testdata.VOKSENDE_FRYKTLØS_TIGER.dagligleder.pid,
+    auth_tokenType: sharedtestdata.authTokenType.personal,
+    auth_scopes: sharedtestdata.auth_scopes.enduserSystemToOthersWrite
+  }
+  
+  
+  const testTokenGenerator = require(`./TestToolsTokenGenerator.js`);
+  const token = await testTokenGenerator.getToken(getTokenParameters);
+  bru.setVar("bearerToken", token);
+}
+
+tests {
+  
+  test(bru.getVar("requestName"), function() {
+    const body = res.getBody();
+    const actions = body.actions;
+    
+    expect(res.status).to.equal(201);  
+  });
+}

src/apps/Altinn.AccessManagement/test/Bruno/AccessMgmt/test/EnduserAPI/Connections/Instances/folder.bru

@@ -0,0 +1,8 @@
+meta {
+  name: Instances
+  seq: 10
+}
+
+auth {
+  mode: inherit
+}

src/apps/Altinn.AccessManagement/test/Bruno/AccessMgmt/test/EnduserAPI/Connections/Resources/AddActions/Post_Enduser_Conn_Resources_Dagl.bru

@@ -33,7 +33,7 @@ script:pre-request {
   const sharedtestdata = require(`./testdata/sharedtestdata.js`);
   const testdata = require(`./testdata/resource-delegationcheck/${bru.getEnvVar("tokenEnv")}.js`);
 
-  bru.setVar("requestName", "GET_Enduser_Conn_Resources_DelgCheck_Dagl");
+  bru.setVar("requestName", "Post_Enduser_Conn_Resources_Dagl");
 
   bru.setVar("party", testdata.VOKSENDE_FRYKTLØS_TIGER.partyUuid);
   bru.setVar("from", testdata.VOKSENDE_FRYKTLØS_TIGER.partyUuid);

src/apps/Altinn.AccessManagement/test/Bruno/AccessMgmt/testdata/resource-delegationcheck/at22.js

@@ -3,7 +3,11 @@
   "env": "at22",
   "resources": {
     "packageResourceId": "tilgangspakke_delegering_ressurs",
-    "roleResourceId": "jks-test-resource"
+    "roleResourceId": "jks-test-resource",
+    "instanceResourceId": "app_ttd_instance-gui-test"
+  },
+  "instances": {
+    "testInstance1": "urn:altinn:instance-id:51385701/e39ce2dd-7892-44ad-91fd-1b9a03829fac"
   },
   "VOKSENDE_FRYKTLØS_TIGER": {
     "name": "VOKSENDE FRYKTLØS TIGER AS",

src/apps/Altinn.AccessManagement/test/Bruno/AccessMgmt/testdata/resource-delegationcheck/tt02.js

@@ -3,7 +3,11 @@
   "env": "tt02",
   "resources": {
     "packageResourceId": "tilgangspakke_delegering_ressurs",
-    "roleResourceId": "jks-test-resource"
+    "roleResourceId": "jks-test-resource",
+    "instanceResourceId": "app_ttd_instance-gui-test"
+  },
+  "instances": {
+    "testInstance1": "urn:altinn:instance-id:51599233/7567dd1c-1257-4317-85a7-f907810402b4"
   },
   "VOKSENDE_FRYKTLØS_TIGER": {
     "name": "VOKSENDE FRYKTLØS TIGER AS",

src/libs/Altinn.Authorization.Api.Contracts/src/Altinn.Authorization.Api.Contracts/Errors/ValidationErrors.cs

@@ -235,4 +235,10 @@ private static readonly ValidationErrorDescriptorFactory _factory
     /// </summary>
     public static ValidationErrorDescriptor ResourceAndPackageIsSpecified { get; }
         = _factory.Create(46, "Either Resource or Package must be included in the request, but not both.");
+
+    /// <summary>
+    /// More than one fromParty is connected to the same instance uuid this should not be posible
+    /// </summary>
+    public static ValidationErrorDescriptor InvalidInstanceId { get; }
+        = _factory.Create(47, $"The instance ID is invalid as more than one owner was found.");
 }