Skip to content

Feature/remilovoll/26/03/movepolicyfilemigrating #2603

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
lovoll merged 3 commits into from
Mar 19, 2026
Merged

Feature/remilovoll/26/03/movepolicyfilemigrating #2603

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
3 commits
Select commit Hold shift + click to select a range
70efafd
Changed path algoritm on instance delegation
Mar 18, 2026
4bf9224
Added new policy path
Mar 19, 2026
a8a98ce
Copilot comments
Mar 19, 2026
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
48 changes: 45 additions & 3 deletions ...apps/Altinn.AccessManagement/src/Altinn.AccessManagement.Core/Helpers/DelegationHelper.cs
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -500,16 +500,16 @@ public static bool TryGetDelegationPolicyPathFromInstanceRule(InstanceRight rule
catch (Exception)
{
return false;
}
}

sb.Append(rule.ToType);
sb.Append('-');
sb.Append(rule.ToUuid);
sb.Append('/');

sb.Append(rule.InstanceDelegationSource);
sb.Append('/');

sb.Append(rule.InstanceDelegationMode);
sb.Append('/');

Expand All @@ -519,6 +519,48 @@ public static bool TryGetDelegationPolicyPathFromInstanceRule(InstanceRight rule
return true;
}

/// <summary>
/// Gets the delegation policy path for a single Rule given the storage is in dbo schema under EntityFramework
/// </summary>
/// <returns>A bool indicating whether necessary params to build the path where found</returns>
public static bool TryGetNewDelegationPolicyPathFromInstanceRule(InstanceRight rule, out string instanceDelegationPolicyPath)
{
instanceDelegationPolicyPath = null;
StringBuilder sb = new StringBuilder();

sb.Append("resourceregistry");
sb.Append('/');

sb.Append(rule.ResourceId);
sb.Append('/');

sb.Append("instances");
sb.Append('/');

sb.Append("from_");
sb.Append(rule.FromUuid);
sb.Append('/');

sb.Append("to_");
sb.Append(rule.ToUuid);
sb.Append('/');

try
{
sb.Append(rule.InstanceId.AsFileName(false));
sb.Append('/');
}
catch (Exception)
{
return false;
}

sb.Append("delegationpolicy.xml");
instanceDelegationPolicyPath = sb.ToString();

return true;
}

/// <summary>
/// Returns the count of unique Policies in a list of Rules
/// </summary>
Expand Down
49 changes: 45 additions & 4 deletions ...cessManagement/src/Altinn.AccessManagement.Core/Services/AppsInstanceDelegationService.cs
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -1,5 +1,4 @@
using System.ComponentModel.DataAnnotations;
using System.Formats.Asn1;
using System.ComponentModel.DataAnnotations;
using Altinn.AccessManagement.Core.Clients.Interfaces;
using Altinn.AccessManagement.Core.Configuration;
using Altinn.AccessManagement.Core.Constants;
Expand All @@ -8,6 +7,7 @@
using Altinn.AccessManagement.Core.Helpers;
using Altinn.AccessManagement.Core.Helpers.Extensions;
using Altinn.AccessManagement.Core.Models;
using Altinn.AccessManagement.Core.Models.Party;
using Altinn.AccessManagement.Core.Models.Register;
using Altinn.AccessManagement.Core.Models.ResourceRegistry;
using Altinn.AccessManagement.Core.Models.Rights;
Expand All @@ -17,6 +17,7 @@
using Altinn.Platform.Register.Models;
using Altinn.Urn;
using Altinn.Urn.Json;
using Azure.Core;
using Microsoft.Extensions.Options;

namespace Altinn.AccessManagement.Core.Services.Implementation;
Expand All @@ -27,22 +28,26 @@
public class AppsInstanceDelegationService : IAppsInstanceDelegationService
{
private readonly IPartiesClient _partiesClient;
private readonly IAMPartyService _partyService;
private readonly IPolicyInformationPoint _pip;
private readonly IPolicyAdministrationPoint _pap;
private readonly IResourceRegistryClient _resourceRegistryClient;
private readonly AppsInstanceDelegationSettings _appsInstanceDelegationSettings;
private readonly string appInstanceResourcePath = "appInstanceDelegationRequest.Resource";
private readonly Microsoft.FeatureManagement.IFeatureManager _featureManager;

/// <summary>
/// Initializes a new instance of the <see cref="AppsInstanceDelegationService"/> class.
/// </summary>
public AppsInstanceDelegationService(IPartiesClient partiesClient, IOptions<AppsInstanceDelegationSettings> appsInstanceDelegationSettings, IResourceRegistryClient resourceRegistryClient, IPolicyInformationPoint pip, IPolicyAdministrationPoint pap)
public AppsInstanceDelegationService(IPartiesClient partiesClient, IAMPartyService partyService, IOptions<AppsInstanceDelegationSettings> appsInstanceDelegationSettings, IResourceRegistryClient resourceRegistryClient, IPolicyInformationPoint pip, IPolicyAdministrationPoint pap, Microsoft.FeatureManagement.IFeatureManager featureManager)
{
_partiesClient = partiesClient;
_partyService = partyService;
_pip = pip;
_resourceRegistryClient = resourceRegistryClient;
_pap = pap;
_appsInstanceDelegationSettings = appsInstanceDelegationSettings.Value;
_featureManager = featureManager;
}

private async Task<(UuidType DelegationType, Guid? Uuid)> TranslatePartyUuidToPersonOrganizationUuid(PartyUrn partyId)
Expand Down Expand Up @@ -224,10 +229,46 @@
return await Task.FromResult(result);
}

private async Task<MinimalParty> GetMinimalParty(PartyUrn urn, CancellationToken cancellationToken)
{
switch (urn.KeySpan.ToString())
{
case AltinnXacmlConstants.MatchAttributeIdentifiers.PartyUuidAttribute:
return await _partyService.GetByUid(new Guid(urn.ValueSpan.ToString()), cancellationToken);
case AltinnXacmlConstants.MatchAttributeIdentifiers.OrganizationNumberAttribute:
return await _partyService.GetByOrgNo(Authorization.Api.Contracts.Register.OrganizationNumber.Parse(urn.ValueSpan), cancellationToken);
default:
return null;
}
}

/// <inheritdoc/>
public async Task<Result<AppsInstanceDelegationResponse>> Delegate(AppsInstanceDelegationRequest request, CancellationToken cancellationToken = default)
{
bool useEF = await _featureManager.IsEnabledAsync("AccessManagement.InstanceDelegation.EF");
string instanceId = request.InstanceId;

if (useEF)
{
// Create instance urn and use it for the internal processing but reset it for response as we should not change the contract
MinimalParty party = await GetMinimalParty(request.From, cancellationToken);

if (party == null)
{
ValidationErrorBuilder errors = default;
errors.Add(ValidationErrors.InvalidPartyUrn, "From");
if (errors.TryBuild(out var invalidParty))
{
return invalidParty;
}
}

string instanceUrn = $"{AltinnXacmlConstants.MatchAttributeIdentifiers.InstanceAttribute}:{party.PartyId}/{instanceId}";

Check warning on line 266 in src/apps/Altinn.AccessManagement/src/Altinn.AccessManagement.Core/Services/AppsInstanceDelegationService.cs

View check run for this annotation

SonarQubeCloud / [Authorization Altinn.AccessManagement] SonarCloud Code Analysis

'party' is null on at least one execution path. 


See more on https://sonarcloud.io/project/issues?id=Authorization_AccessManagement&issues=AZ0GauAJEnrKnygjMyLS&open=AZ0GauAJEnrKnygjMyLS&pullRequest=2603
request.InstanceId = instanceUrn;
}

(ValidationErrorBuilder Errors, InstanceRight RulesToHandle, List<RightInternal> RightsAppCantHandle) input = await SetUpDelegationOrRevokeRequest(request, cancellationToken);
request.InstanceId = instanceId;

if (input.Errors.TryBuild(out var errorResult))
{
Expand All @@ -239,7 +280,7 @@
From = request.From,
To = request.To,
ResourceId = request.ResourceId,
InstanceId = request.InstanceId,
InstanceId = instanceId,
InstanceDelegationMode = request.InstanceDelegationMode
};

Expand Down
39 changes: 36 additions & 3 deletions ...n.AccessManagement/src/Altinn.AccessManagement.Core/Services/PolicyAdministrationPoint.cs
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -28,6 +28,7 @@
private readonly IPolicyFactory _policyFactory;
private readonly IDelegationMetadataRepository _delegationRepository;
private readonly IDelegationChangeEventQueue _eventQueue;
private readonly Microsoft.FeatureManagement.IFeatureManager _featureManager;
private readonly int delegationChangeEventQueueErrorId = 911;

/// <summary>
Expand All @@ -38,13 +39,14 @@
/// <param name="delegationRepository">The delegation change repository (postgresql).</param>
/// <param name="eventQueue">The delegation change event queue service to post events for any delegation change.</param>
/// <param name="logger">Logger instance.</param>
public PolicyAdministrationPoint(IPolicyRetrievalPoint policyRetrievalPoint, IPolicyFactory policyFactory, IDelegationMetadataRepository delegationRepository, IDelegationChangeEventQueue eventQueue, ILogger<IPolicyAdministrationPoint> logger)
public PolicyAdministrationPoint(IPolicyRetrievalPoint policyRetrievalPoint, IPolicyFactory policyFactory, IDelegationMetadataRepository delegationRepository, IDelegationChangeEventQueue eventQueue, ILogger<IPolicyAdministrationPoint> logger, Microsoft.FeatureManagement.IFeatureManager featureManager)

Check warning on line 42 in src/apps/Altinn.AccessManagement/src/Altinn.AccessManagement.Core/Services/PolicyAdministrationPoint.cs

View check run for this annotation

SonarQubeCloud / [Authorization Altinn.AccessManagement] SonarCloud Code Analysis

Update this logger to use its enclosing type. 


See more on https://sonarcloud.io/project/issues?id=Authorization_AccessManagement&issues=AZ0GEb-mkUufV0FpSKOP&open=AZ0GEb-mkUufV0FpSKOP&pullRequest=2603

Check warning on line 42 in src/apps/Altinn.AccessManagement/src/Altinn.AccessManagement.Core/Services/PolicyAdministrationPoint.cs

View check run for this annotation

SonarQubeCloud / [Authorization Altinn.AccessManagement] SonarCloud Code Analysis

Parameter 'featureManager' has no matching param tag in the XML comment for 'PolicyAdministrationPoint.PolicyAdministrationPoint(IPolicyRetrievalPoint, IPolicyFactory, IDelegationMetadataRepository, IDelegationChangeEventQueue, ILogger<IPolicyAdministrationPoint>, IFeatureManager)' (but other parameters do) 


See more on https://sonarcloud.io/project/issues?id=Authorization_AccessManagement&issues=AZ0GEb-mkUufV0FpSKOQ&open=AZ0GEb-mkUufV0FpSKOQ&pullRequest=2603
{
_prp = policyRetrievalPoint;
_policyFactory = policyFactory;
_delegationRepository = delegationRepository;
_eventQueue = eventQueue;
_logger = logger;
_featureManager = featureManager;
}

/// <inheritdoc/>
Expand Down Expand Up @@ -305,7 +307,18 @@
/// <inheritdoc />
public async Task<InstanceRight> TryWriteInstanceDelegationPolicyRules(InstanceRight rules, CancellationToken cancellationToken = default)
{
bool validPath = DelegationHelper.TryGetDelegationPolicyPathFromInstanceRule(rules, out string path);
bool useEF = await _featureManager.IsEnabledAsync("AccessManagement.InstanceDelegation.EF");
bool validPath;
string path;

if (useEF)
{
validPath = DelegationHelper.TryGetNewDelegationPolicyPathFromInstanceRule(rules, out path);
}
else
{
validPath = DelegationHelper.TryGetDelegationPolicyPathFromInstanceRule(rules, out path);
}

if (validPath)
{
Expand Down Expand Up @@ -356,7 +369,27 @@
}
catch (Exception ex)
{
bool validPath = DelegationHelper.TryGetDelegationPolicyPathFromInstanceRule(rules, out string path);
bool useEF = false;
bool validPath;
string path;

try
{
useEF = await _featureManager.IsEnabledAsync("AccessManagement.InstanceDelegation.EF");
}
catch (Exception)
{
}

Check warning on line 382 in src/apps/Altinn.AccessManagement/src/Altinn.AccessManagement.Core/Services/PolicyAdministrationPoint.cs

View check run for this annotation

SonarQubeCloud / [Authorization Altinn.AccessManagement] SonarCloud Code Analysis

Handle the exception or explain in a comment why it can be ignored. 


See more on https://sonarcloud.io/project/issues?id=Authorization_AccessManagement&issues=AZ0Gat_yEnrKnygjMyLQ&open=AZ0Gat_yEnrKnygjMyLQ&pullRequest=2603

Check warning on line 382 in src/apps/Altinn.AccessManagement/src/Altinn.AccessManagement.Core/Services/PolicyAdministrationPoint.cs

View check run for this annotation

SonarQubeCloud / [Authorization Altinn.AccessManagement] SonarCloud Code Analysis

Either remove or fill this block of code. 


See more on https://sonarcloud.io/project/issues?id=Authorization_AccessManagement&issues=AZ0Gat_yEnrKnygjMyLR&open=AZ0Gat_yEnrKnygjMyLR&pullRequest=2603

if (useEF)
{
validPath = DelegationHelper.TryGetNewDelegationPolicyPathFromInstanceRule(rules, out path);
}
else
{
validPath = DelegationHelper.TryGetDelegationPolicyPathFromInstanceRule(rules, out path);
}

if (validPath)
{
_logger.LogError(ex, "An exception occured while processing authorization rules for delegation on delegation policy path: {path}", path);
Expand Down
2 changes: 2 additions & 0 deletions ...ment/src/Altinn.AccessMgmt.Core/HostedServices/Services/SingleInstanceRightSyncService.cs
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -141,6 +141,7 @@ public async Task SyncSingleInstanceRights(ILease lease, CancellationToken cance
CreateInstanceUrnFromInstanceIdAndPartyId(item.InstanceId, party.PartyId),
item.InstanceDelegationChangeId,
values,
party.PartyId,
cancellationToken);

if (adds == 0)
Expand Down Expand Up @@ -273,6 +274,7 @@ public async Task SyncFailedSingleInstanceRights(CancellationToken cancellationT
CreateInstanceUrnFromInstanceIdAndPartyId(element.InstanceId, party.PartyId),
element.InstanceDelegationChangeId,
values,
party.PartyId,
cancellationToken);

if (adds == 0)
Expand Down
Loading
Loading