Feature/instansdelegering api put and delete #2522

Open
howieandersen wants to merge 11 commits into main from feature/instansdelegering_api_put_and_delete

@howieandersen
Contributor

Description

Adding functionality for instance delegation to Enduser API ConnectionsController with the following new endpoints:

Related Issue(s)

To be merged in this PR:

  • PUT /connections/resources/instances/rights - Update instance right delegation
  • DELETE /connections/resources/instances - Remove instance delegation

Verification

  • Your code builds clean without any errors or warnings
  • Manual testing done (required)
  • Relevant automated test added (if you find this hard, leave it and we'll help out)
  • All tests run green

Documentation

  • User documentation is updated with a separate linked PR in altinn-studio-docs. (if applicable)

howieandersen and others added 10 commits March 10, 2026 16:51
instance-level delegations with filtering by party, resource, and instance.

Key changes:
- Add InstanceIds and IncludeInstances properties to ConnectionQueryFilter
- Create ConnectionQueryInstance model for instance query results
- Add Instances collection to ConnectionQueryExtendedRecord
- Implement LoadInstancesByKeyAsync joining with AssignmentInstance table
- Add ResourceId filtering to scope instances to specific resources
- Implement GetResourceInstances service method in ConnectionService
- Add MapConnectionsToInstancePermissions helper for DTO mapping
- Implement GetInstances controller endpoint with validation

Uses existing AssignmentInstance table as the data source for instance
delegations, following the pattern of Connection view for querying.
…ailed

permission breakdown for direct and indirect access paths.

Key changes:
- Add GetInstanceRightsToOthers/FromOthers methods to IConnectionService
- Implement GetInstanceRights query method in ConnectionService
- Create AssignmentInstanceQueryResult model for instance delegation queries
- Query AssignmentInstance table with Direct, KeyRole, and Hierarchy patterns
- Add GetInstanceRights controller endpoint with all required parameters
- Return ExtInstanceRightDto with DirectRights and IndirectRights arrays
- Follow established patterns from GET /resources/rights endpoint

Queries support filtering by party relationships and handle access through
key roles and entity hierarchy as per acceptance criteria.
…elegations

Implements endpoint for delegating rights to specific instances using InstanceRight
and InstanceRule models with URN types for isolated instance authorization.

Implements delegation check for instance-specific rights. Returns which rights the authenticated user can delegate to others for a given instance.

- Added InstanceCheckDto response model with Resource, Instance, and Rights
- Added InstanceDelegationCheck method to IConnectionService/ConnectionService
- Activated CheckInstance controller endpoint with required party, resource, and instance parameters
- Reuses existing delegation check logic for packages, roles, resources, and access lists

Implements update (replace) operation for instance-specific rights delegation.
Unlike POST which adds rules, PUT replaces all existing rules with new ones.

- Added UpdateInstance method to IConnectionService/ConnectionService
- Calls InstanceDelegationCheck for instance-specific validation
- Uses TryWriteInstanceDelegationPolicyRules with ignoreExistingPolicy: true
- Activated UpdateInstanceRights controller endpoint with required parameters

Implements deletion of instance-specific rights delegations. Removes only
direct delegations between parties for a specific instance, leaving
inherited delegations via key roles intact.

- Added RemoveInstance method to IConnectionService/ConnectionService
- Clears policy rules before removing AssignmentInstances record
- Fixed route to DELETE /resources/instances (was incorrectly /resources)
- All parameters (party, from, to, resource, instance) are required

Copilot AI review requested due to automatic review settings March 17, 2026 12:53
Contributor

Copilot AI left a comment

Pull request overview

Adds instance-level delegation management to the Enduser Connections API by implementing the previously stubbed PUT/DELETE endpoints.

Changes:

  • Implements PUT /connections/resources/instances/rights via IConnectionService.UpdateInstance(...) and ConnectionService.UpdateInstance(...).
  • Implements DELETE /connections/resources/instances via IConnectionService.RemoveInstance(...) and ConnectionService.RemoveInstance(...).
  • Updates SingleRightsService instance-rule generation to accept more context (from/to/performedBy).

Reviewed changes

Copilot reviewed 4 out of 4 changed files in this pull request and generated 6 comments.

| File | Description |
| --- | --- |
| src/apps/Altinn.AccessManagement/src/Altinn.AccessMgmt.Core/Services/Contracts/IConnectionService.cs | Adds service contract methods for updating/removing instance delegations. |
| src/apps/Altinn.AccessManagement/src/Altinn.AccessMgmt.Core/Services/ConnectionService.cs | Implements update/remove instance delegation logic and wires authorization checks. |
| src/apps/Altinn.AccessManagement/src/Altinn.AccessManagement.Core/Services/SingleRightsService.cs | Extends instance rule generation API to take additional delegation context. |
| src/apps/Altinn.AccessManagement/src/Altinn.AccessManagement.Api.Enduser/Controllers/ConnectionsController.cs | Enables the new instance endpoints by removing the previous NotFound() stubs. |

Comment on lines +1245 to +1249
public async Task<Result<bool>> UpdateInstance(Entity from, Entity to, Resource resourceObj, string instanceId, IEnumerable<string> rightKeys, Entity by, Action<ConnectionOptions> configureConnection = null, CancellationToken cancellationToken = default)
{
var canDelegate = await InstanceDelegationCheck(by.Id, from.Id, resourceObj?.RefId, instanceId, ConfigureConnections, cancellationToken: cancellationToken);
if (canDelegate.IsProblem)
{
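Review bot: UpdateInstance accepts a configureConnection parameter, but the InstanceDelegationCheck call on the first line of the body passes ConfigureConnections instead, so in the lines shown the caller's argument is never used. Either forward configureConnection or drop the parameter from the signature. The same call uses resourceObj?.RefId, which implies resourceObj may be null; if that is possible, return a problem before the check instead of sending a null resource id into the authorization path.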
Comment on lines +1253 to +1261
foreach (var rightKey in rightKeys)
{
if (!canDelegate.Value.Rights.Any(a => a.Right.Key == rightKey && a.Result))
{
return Problems.NotAuthorizedForDelegationRequest;
}
}

List<InstanceRule> result = await singleRightsService.TryWriteInstanceDelegationPolicyRules(from, to, resourceObj, instanceId, rightKeys.ToList(), by, ignoreExistingPolicy: true, cancellationToken: cancellationToken);
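Review bot: the per-key authorization loop does nothing when rightKeys is empty, so an empty list reaches TryWriteInstanceDelegationPolicyRules with ignoreExistingPolicy: true without any individual right having been checked. Reject a null or empty rightKeys before the loop, or document that an empty PUT is the intended way to clear the rules. rightKeys is also an IEnumerable<string> that is enumerated once by the foreach and again by rightKeys.ToList(); materialize it to a list once and use that list for both the check and the write, so the keys that were authorized are exactly the keys that are written.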
Task<Result<bool>> AddInstance(Entity from, Entity to, Resource resourceObj, string instanceId, RightKeyListDto rightKeys, Entity by, Action<ConnectionOptions> configureConnection = null, CancellationToken cancellationToken = default);

/// <summary>
/// Updates (replaces) a delegation to a resource instance between two entities with the specified action keys. If not all actions is posible nothing is performed and a Problem is returned
/// Token to monitor for cancellation requests.
/// </param>
/// <returns>
/// A <see cref="ValidationProblemInstance"/> indicating success or describing any validation errors.
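Review bot: the summary for the update method has a grammar error and a typo in "If not all actions is posible"; it should read "If not all actions are possible". The returns text shown names ValidationProblemInstance, while the signatures visible in this PR return Task<Result<bool>>; if this doc comment belongs to one of those methods, align the returns description with the actual return type.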
Comment on lines +1273 to +1277
var resourceObj = await dbContext.Resources.AsNoTracking().FirstOrDefaultAsync(t => t.RefId == resource, cancellationToken);
if (resourceObj == null)
{
return null;
}
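Review bot: return null in the resourceObj == null branch gives the caller no way to tell why the operation did not run, and any caller that reads the result without a null check will throw. Return an explicit problem result for the unknown resource, following the pattern the update path uses when it returns Problems.NotAuthorizedForDelegationRequest.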
Member

@jonkjetiloye jonkjetiloye left a comment

Could possibly look over the Copilot feedback

Co-authored-by: Copilot Autofix powered by AI <175728472+Copilot@users.noreply.github.com>
@sonarqubecloud

Quality Gate failed for 'Authorization Altinn.AccessManagement'

Failed conditions
0.0% Coverage on New Code (required ≥ 65%)
25.2% Duplication on New Code (required ≤ 10%)

See analysis details on SonarQube Cloud
