Feature/updated delegationcheck consent (#2583)

* First iteration of updated delegation check

* seeding

* Updated for testing

* Removed moq and seeds data

* Removed var

* Added more unit tests for consents

* Merge

* Potential fix for pull request finding

Co-authored-by: Copilot Autofix powered by AI <175728472+Copilot@users.noreply.github.com>

* Potential fix for pull request finding

Co-authored-by: Copilot Autofix powered by AI <175728472+Copilot@users.noreply.github.com>

* Potential fix for pull request finding

Co-authored-by: Copilot Autofix powered by AI <175728472+Copilot@users.noreply.github.com>

* Potential fix for pull request finding

Co-authored-by: Copilot Autofix powered by AI <175728472+Copilot@users.noreply.github.com>

* Namespace fix

* Another try to rename

* Fixed unused namespace

* Namespace

* Namspaces

* Potential fix for pull request finding

Co-authored-by: Copilot Autofix powered by AI <175728472+Copilot@users.noreply.github.com>

* Potential fix for pull request finding

Co-authored-by: Copilot Autofix powered by AI <175728472+Copilot@users.noreply.github.com>

* Fixed so code rabit understand it is correct. It was correct already since ToString = id

* File fix

* Code smell

* Code smell

* cleaned up namespaces

---------

Co-authored-by: Rune T. Larsen <rune.tommeras-larsen@digdir.no>
Co-authored-by: Copilot Autofix powered by AI <175728472+Copilot@users.noreply.github.com>

Author: 3 people

src/apps/Altinn.AccessManagement/src/Altinn.AccessManagement.Api.Enduser/Controllers/ConnectionsController.cs

@@ -673,7 +673,7 @@ public async Task<IActionResult> CheckResource(
         Guid authenticatedUserUuid = AuthenticationHelper.GetPartyUuid(HttpContext);
         string languageCode = this.GetLanguageCode();
 
-        var result = await ConnectionService.ResourceDelegationCheck(authenticatedUserUuid, party, resource, ConfigureConnections, languageCode, cancellationToken);
+        var result = await ConnectionService.ResourceDelegationCheck(authenticatedUserUuid, party, resource, ConfigureConnections, languageCode, cancellationToken: cancellationToken);
         if (result.IsProblem)
         {
             if (result.Problem.Equals(Core.Errors.Problems.InvalidResource))

src/apps/Altinn.AccessManagement/src/Altinn.AccessManagement.Core/Constants/AltinnXacmlConstants.cs

@@ -200,6 +200,11 @@ public static class MatchAttributeIdentifiers
             /// Gets the value action id for request consent
             /// </summary>
             public const string RequestconsentAction = "requestconsent";
+
+            /// <summary>
+            /// Delegation attribute match identifier used for user controlled delegation
+            /// </summary>
+            public const string Delegation = "urn:altinn:resource:delegation";
         }
 
         /// <summary>

src/apps/Altinn.AccessManagement/src/Altinn.AccessManagement.Core/Models/ConsentDelegationCheckResult.cs

@@ -0,0 +1,25 @@
+using System;
+using System.Collections.Generic;
+using System.Linq;
+using System.Text;
+using System.Threading.Tasks;
+
+namespace Altinn.AccessManagement.Core.Models
+{
+    /// <summary>
+    /// Result of a consent delegation check, containing the actions the user is authorized to delegate.
+    /// </summary>
+    public class ConsentDelegationCheckResult
+    {
+        /// <summary>
+        /// Gets or sets a value indicating whether the delegation check was successful.
+        /// </summary>
+        public bool IsSuccess { get; set; }
+
+        /// <summary>
+        /// Gets or sets the list of action URNs (e.g. "urn:oasis:names:tc:xacml:1.0:action:action-id:read") 
+        /// that the authenticated user is authorized to delegate on behalf of the party.
+        /// </summary>
+        public IEnumerable<string> DelegatableActions { get; set; } = [];
+    }
+}

src/apps/Altinn.AccessManagement/src/Altinn.AccessManagement.Core/Services/ConsentService.cs

@@ -1,11 +1,9 @@
-using System;
-using System.Diagnostics;
+using System.Diagnostics;
 using System.Diagnostics.Metrics;
 using System.Text;
 using Altinn.AccessManagement.Core.Clients.Interfaces;
 using Altinn.AccessManagement.Core.Configuration;
 using Altinn.AccessManagement.Core.Constants;
-using Altinn.AccessManagement.Core.Enums;
 using Altinn.AccessManagement.Core.Errors;
 using Altinn.AccessManagement.Core.Models;
 using Altinn.AccessManagement.Core.Models.Consent;
@@ -16,11 +14,11 @@
 using Altinn.AccessManagement.Core.Services.Interfaces;
 using Altinn.Authorization.Api.Contracts.Register;
 using Altinn.Authorization.ProblemDetails;
-using Altinn.Platform.Profile.Models;
 using Altinn.Platform.Register.Models;
 using Microsoft.Extensions.Caching.Memory;
 using Microsoft.Extensions.Logging;
 using Microsoft.Extensions.Options;
+using static Altinn.Authorization.ABAC.Constants.XacmlConstants;
 
 namespace Altinn.AccessManagement.Core.Services
 {
@@ -30,11 +28,10 @@ namespace Altinn.AccessManagement.Core.Services
     /// <remarks>
     /// Service responsible for consent functionality
     /// </remarks>
-    public class ConsentService: IConsent
+    public class ConsentService : IConsent
     {
         private readonly IConsentRepository _consentRepository;
-        private readonly IPartiesClient _partiesClient ;
-        private readonly ISingleRightsService _singleRightsService;
+        private readonly IPartiesClient _partiesClient;
         private readonly IResourceRegistryClient _resourceRegistryClient;
         private readonly IAMPartyService _ampartyService;
         private readonly IMemoryCache _memoryCache;
@@ -43,6 +40,7 @@ public class ConsentService: IConsent
         private readonly GeneralSettings _generalSettings;
         private readonly IAltinn2ConsentClient _altinn2ConsentClient;
         private readonly ILogger<ConsentService> _logger;
+        private readonly IConsentDelegationCheckService _consentDelegationCheckService;
 
         // histograms for sub-step durations (seconds)
         private readonly Histogram<double>? _getA2Histogram;
@@ -55,30 +53,30 @@ public class ConsentService: IConsent
         private const string ResourceParam = "Resource";
 
         public ConsentService(
-            ILogger<ConsentService> logger, 
-            IConsentRepository consentRepository, 
-            IAltinn2ConsentClient altinn2ConsentClient, 
-            IPartiesClient partiesClient, 
-            ISingleRightsService singleRightsService,
-            IResourceRegistryClient resourceRegistryClient, 
-            IAMPartyService ampartyService, 
-            IMemoryCache memoryCache, 
-            IProfileClient profileClient, 
-            TimeProvider timeProvider, 
+            ILogger<ConsentService> logger,
+            IConsentRepository consentRepository,
+            IAltinn2ConsentClient altinn2ConsentClient,
+            IPartiesClient partiesClient,
+            IResourceRegistryClient resourceRegistryClient,
+            IAMPartyService ampartyService,
+            IMemoryCache memoryCache,
+            IProfileClient profileClient,
+            TimeProvider timeProvider,
             IOptions<GeneralSettings> generalSettings,
-            IMeterFactory meterFactory)
+            IMeterFactory meterFactory,
+            IConsentDelegationCheckService consentDelegationCheckService)
         {
             _logger = logger;
             _consentRepository = consentRepository;
             _altinn2ConsentClient = altinn2ConsentClient;
             _partiesClient = partiesClient;
-            _singleRightsService = singleRightsService;
             _resourceRegistryClient = resourceRegistryClient;
             _ampartyService = ampartyService;
             _memoryCache = memoryCache;
             _profileClient = profileClient;
             _timeProvider = timeProvider;
             _generalSettings = generalSettings.Value;
+            _consentDelegationCheckService = consentDelegationCheckService;
 
             var meter = meterFactory.Create("Altinn.AccessManagement.ConsentMigration");
             _getA2Histogram = meter.CreateHistogram<double>("consent_migration_get_a2_duration_seconds", unit: "s", description: "Seconds to get a single consent from Altinn2");
@@ -739,55 +737,41 @@ private async Task<bool> AuthorizeUserForConsentRequest(Guid userUuid, ConsentRe
 
         private async Task<bool> AuthorizeForConsentRight(Party party, NewUserProfile profile, ConsentRight consentRight)
         {
-            DelegationCheckResponse response = await GetDelegatableRightsForConsentResource(party, profile, consentRight);
-
-            if (response.RightDelegationCheckResults != null)
+            if (consentRight.Resource == null || consentRight.Resource.Count != 1)
             {
-                foreach (string action in consentRight.Action)
-                {
-                    bool actionMatch = false;
-                    foreach (RightDelegationCheckResult result in response.RightDelegationCheckResults)
-                    {
-                        if (result.Action.Value.Equals(action, StringComparison.InvariantCultureIgnoreCase) && result.Status.Equals(DelegableStatus.Delegable))
-                        {
-                            actionMatch = true;
-                            break;
-                        }
-                    }
-
-                    if (!actionMatch)
-                    {
-                        return false;
-                    }
-                }
+                return false;
             }
-            else
+
+            if (profile.UserUuid == null || party.PartyUuid == null || party.PartyUuid == default)
             {
                 return false;
             }
 
-            return true;
-        }
+            // A ConsentRight should only have one resource. Currently no support for subresources as part of a consent request.
+            ConsentResourceAttribute resource = consentRight.Resource[0];
 
-        private async Task<DelegationCheckResponse> GetDelegatableRightsForConsentResource(Party party, NewUserProfile profile, ConsentRight consentRight)
-        {
-            RightsDelegationCheckRequest rightsDelegationCheckRequest = new()
-            {
-                From = [new AttributeMatch { Id = AltinnXacmlConstants.MatchAttributeIdentifiers.PartyAttribute, Value = party.PartyId.ToString() }]
-            };
+            ConsentDelegationCheckResult checkResult = await _consentDelegationCheckService.CheckDelegatableRights(
+                authenticatedUserUuid: profile.UserUuid.Value,
+                partyUuid: party.PartyUuid.Value,
+                resourceIdentifier: resource.Value);
 
-            if (consentRight.Resource != null && consentRight.Resource.Count == 1)
+            if (!checkResult.IsSuccess)
             {
-                // A ConsentRight Should only have one resource.  Currently no support for subresources as part of a consent request.
-                ConsentResourceAttribute resource = consentRight.Resource[0];
-                rightsDelegationCheckRequest.Resource = [new AttributeMatch { Id = resource.Type, Value = resource.Value }];
+                return false;
             }
-            else
+
+            foreach (string action in consentRight.Action)
             {
-                return null;
+                bool actionMatch = checkResult.DelegatableActions.Any(a =>
+                    a.Replace(MatchAttributeIdentifiers.ActionId + ":", string.Empty).Equals(action, StringComparison.OrdinalIgnoreCase));
+
+                if (!actionMatch)
+                {
+                    return false;
+                }
             }
 
-            return await _singleRightsService.RightsDelegationCheck(profile.UserId, 3, rightsDelegationCheckRequest);
+            return true;
         }
 
         /// <summary>

src/apps/Altinn.AccessManagement/src/Altinn.AccessManagement.Core/Services/Interfaces/IConsentDelegationCheckService.cs

@@ -0,0 +1,21 @@
+using Altinn.AccessManagement.Core.Models;
+
+namespace Altinn.AccessManagement.Core.Services.Interfaces;
+
+/// <summary>
+/// Service for performing delegation checks for consent scenarios.
+/// Uses the new delegation check that supports access packages, roles, and direct resource rights.
+/// </summary>
+public interface IConsentDelegationCheckService
+{
+    /// <summary>
+    /// Checks which rights the authenticated user can delegate on behalf of the specified party for a given resource.
+    /// The resource's Delegable flag is ignored since consent only needs to verify user access, not re-delegation capability.
+    /// </summary>
+    /// <param name="authenticatedUserUuid">The UUID of the authenticated user performing the delegation.</param>
+    /// <param name="partyUuid">The UUID of the party on whose behalf the delegation check is performed.</param>
+    /// <param name="resourceIdentifier">The resource identifier (e.g. "skd_samtykketest").</param>
+    /// <param name="cancellationToken">Cancellation token.</param>
+    /// <returns>A <see cref="ConsentDelegationCheckResult"/> indicating which actions the user can delegate.</returns>
+    Task<ConsentDelegationCheckResult> CheckDelegatableRights(Guid authenticatedUserUuid, Guid partyUuid, string resourceIdentifier, CancellationToken cancellationToken = default);
+}

src/apps/Altinn.AccessManagement/src/Altinn.AccessMgmt.Core/Extensions/ServiceCollectionExtensions.cs

@@ -47,6 +47,7 @@ public static IServiceCollection AddAccessMgmtCore(this IServiceCollection servi
         services.AddScoped<IClientDelegationService, ClientDelegationService>();
         services.AddScoped<IRequestService, RequestService>();
         services.AddScoped<IAuthorizedPartiesService, AuthorizedPartiesServiceEf>();
+        services.AddScoped<IConsentDelegationCheckService, ConsentDelegationCheckService>();
 
         services.AddScoped<IAuthorizationScopeProvider, DefaultAuthorizationScopeProvider>();
         services.AddScoped<IAuthorizationHandler, ScopeConditionAuthorizationHandler>();

src/apps/Altinn.AccessManagement/src/Altinn.AccessMgmt.Core/Services/ConnectionService.cs

@@ -902,7 +902,7 @@ public async Task<Result<IEnumerable<RoleDtoCheck>>> RoleDelegationCheck(Guid pa
     }
 
     /// <inheritdoc />
-    public async Task<Result<ResourceCheckDto>> ResourceDelegationCheck(Guid authenticatedUserUuid, Guid party, string resource, Action<ConnectionOptions> configureConnection = null, string languageCode = "nb", CancellationToken cancellationToken = default)
+    public async Task<Result<ResourceCheckDto>> ResourceDelegationCheck(Guid authenticatedUserUuid, Guid party, string resource, Action<ConnectionOptions> configureConnection = null, string languageCode = "nb", bool ignoreDelegableFlag = false, CancellationToken cancellationToken = default)
     {
         // Get fromParty
         MinimalParty fromParty = await partyService.GetByUid(party, cancellationToken);
@@ -945,7 +945,7 @@ public async Task<Result<ResourceCheckDto>> ResourceDelegationCheck(Guid authent
         }        
 
         ResourceAccessListMode accessListMode = resourceMetadata.AccessListMode;
-        bool isResourceDelegable = resourceMetadata.Delegable;
+        bool isResourceDelegable = ignoreDelegableFlag || resourceMetadata.Delegable;
 
         // Decompose policy into resource/tasks
         List<Models.Right> rights = DelegationCheckHelper.DecomposePolicy(policy, resource);

src/apps/Altinn.AccessManagement/src/Altinn.AccessMgmt.Core/Services/ConsentDelegationCheckService.cs

@@ -0,0 +1,39 @@
+using Altinn.AccessManagement.Core.Models;
+using Altinn.AccessManagement.Core.Services.Interfaces;
+using Altinn.AccessMgmt.Core.Services.Contracts;
+
+namespace Altinn.AccessMgmt.Core.Services;
+
+/// <summary>
+/// Adapter that implements <see cref="IConsentDelegationCheckService"/> using the new 
+/// <see cref="IConnectionService.ResourceDelegationCheck"/> method which supports access packages.
+/// </summary>
+public class ConsentDelegationCheckService(IConnectionService connectionService) : IConsentDelegationCheckService
+{
+    /// <inheritdoc />
+    public async Task<ConsentDelegationCheckResult> CheckDelegatableRights(Guid authenticatedUserUuid, Guid partyUuid, string resourceIdentifier, CancellationToken cancellationToken = default)
+    {
+        var result = await connectionService.ResourceDelegationCheck(
+            authenticatedUserUuid: authenticatedUserUuid,
+            party: partyUuid,
+            resource: resourceIdentifier,
+            ignoreDelegableFlag: true,
+            cancellationToken: cancellationToken);
+
+        if (result.IsProblem)
+        {
+            return new ConsentDelegationCheckResult { IsSuccess = false };
+        }
+
+        var delegatableActions = result.Value.Rights
+            .Where(r => r.Result && r.Right.Action is not null)
+            .Select(r => r.Right.Action.Urn())
+            .ToList();
+
+        return new ConsentDelegationCheckResult
+        {
+            IsSuccess = true,
+            DelegatableActions = delegatableActions
+        };
+    }
+}

src/apps/Altinn.AccessManagement/src/Altinn.AccessMgmt.Core/Services/Contracts/IConnectionService.cs

@@ -186,13 +186,14 @@ public interface IConnectionService
     /// Method to check if a resource is delegable by an authenticated user on behalf of a party
     /// </summary>
     /// <param name="authenticatedUserUuid">The authenticated user</param>
-    /// <param name="party">The party performing the checl on behalf of</param>
+    /// <param name="party">The party performing the check on behalf of</param>
     /// <param name="resource">The resource id to check</param>
     /// <param name="configureConnection">ConnectionOptions</param>
     /// <param name="languageCode">the requested language code fallback "nb"</param>
+    /// <param name="ignoreDelegableFlag">When true, the resource's Delegable flag is ignored and only the user's access is checked. Used for consent scenarios where re-delegation should not be allowed but access verification is still needed.</param>
     /// <param name="cancellationToken">The <see cref="CancellationToken"/></param>
-    /// <returns>The result on all the resource/action that is delegable on the resource and a reason behinf if the user can or can not delegate a given action</returns>
-    Task<Result<ResourceCheckDto>> ResourceDelegationCheck(Guid authenticatedUserUuid, Guid party, string resource, Action<ConnectionOptions> configureConnection = null, string languageCode = "nb", CancellationToken cancellationToken = default);
+    /// <returns>The result on all the resource/action that is delegable on the resource and a reason behind if the user can or can not delegate a given action</returns>
+    Task<Result<ResourceCheckDto>> ResourceDelegationCheck(Guid authenticatedUserUuid, Guid party, string resource, Action<ConnectionOptions> configureConnection = null, string languageCode = "nb", bool ignoreDelegableFlag = false, CancellationToken cancellationToken = default);
 
     /// <summary>
     /// Method to check if a resource instance is delegable by an authenticated user on behalf of a party

src/apps/Altinn.AccessManagement/test/AccessMgmt.Tests/Controllers/Altinn2RightsControllerTest.cs

@@ -1,4 +1,4 @@
-using System.Net;
+using System.Net;
 using System.Net.Http.Headers;
 using System.Net.Mime;
 using System.Text;