UserProfile Cache improvement (#1227)

#1222

- UserProfile lookups are now cached on both UserId and PersonId (SSN)
- DelegationContextHandler now use the same cached implementation from ContextHandler base class

Co-authored-by: Jon Kjetil Øye <acn-joye@ai-dev.no>

Author: jonkjetiloye

src/Authorization/Services/Implementation/ContextHandler.cs

@@ -32,6 +32,9 @@ namespace Altinn.Platform.Authorization.Services.Implementation
     /// </summary>
     public class ContextHandler : IContextHandler
     {
+        private readonly string _uidUserProfileCacheKeyPrefix = "profile:uid:";
+        private readonly string _pidUserProfileCacheKeyPrefix = "profile:pid:";
+
 #pragma warning disable SA1401 // Fields should be private
 #pragma warning disable SA1600 // Elements should be documented
         protected readonly IInstanceMetadataRepository _policyInformationRepository;
@@ -403,8 +406,7 @@ protected async Task EnrichSubjectAttributes(XacmlContextRequest request, string
 
             if (!string.IsNullOrEmpty(subjectSsn))
             {
-                UserProfile subjectProfile = await _profileWrapper.GetUserProfileByPersonId(subjectSsn);
-
+                UserProfile subjectProfile = await GetUserProfileByPersonId(subjectSsn);
                 if (subjectProfile != null)
                 {
                     subjectUserId = subjectProfile.UserId;
@@ -439,7 +441,7 @@ protected async Task EnrichSubjectAttributes(XacmlContextRequest request, string
             {
                 if (string.IsNullOrEmpty(subjectSsn))
                 {
-                    subjectSsn = await GetSsnForUser(subjectUserId);
+                    subjectSsn = await GetPersonIdForUser(subjectUserId);
                 }
 
                 string resourceSsn = await GetSSnForParty(resourcePartyId);
@@ -667,31 +669,77 @@ protected async Task<List<OedRoleAssignment>> GetOedRoleAssignments(string from,
             return oedRoles;
         }
 
-        private string GetCacheKey(int userId, int partyId)
+        /// <summary>
+        /// Method that fetches the user profile for a given user id
+        /// </summary>
+        /// <param name="userId">The user id</param>
+        /// <param name="cancellationToken">The <see cref="CancellationToken"/></param>
+        /// <returns>The user profile</returns>
+        protected async Task<UserProfile> GetUserProfileByUserId(int userId, CancellationToken cancellationToken = default)
         {
-            return "rolelist_" + userId + "_" + partyId;
-        }
+            string uidCacheKey = $"{_uidUserProfileCacheKeyPrefix}{userId}";
 
-        private string GetOedRoleassignmentCacheKey(string from, string to)
-        {
-            return $"oed{from}_{to}";
+            if (!_memoryCache.TryGetValue(uidCacheKey, out UserProfile userProfile))
+            {
+                userProfile = await _profileWrapper.GetUserProfile(userId, cancellationToken);
+
+                var cacheEntryOptions = new MemoryCacheEntryOptions()
+               .SetPriority(CacheItemPriority.High)
+               .SetAbsoluteExpiration(new TimeSpan(0, _generalSettings.RoleCacheTimeout, 0));
+
+                _memoryCache.Set(uidCacheKey, userProfile, cacheEntryOptions);
+
+                if (!string.IsNullOrWhiteSpace(userProfile?.Party?.SSN))
+                {
+                    _memoryCache.Set($"{_pidUserProfileCacheKeyPrefix}{userProfile.Party.SSN}", userProfile, cacheEntryOptions);
+                }
+            }
+
+            return userProfile;
         }
 
-        private async Task<string> GetSsnForUser(int userId)
+        /// <summary>
+        /// Method that fetches the user profile for a given person id (aka national identity number or ssn)
+        /// </summary>
+        /// <param name="personId">The person id</param>
+        /// <param name="cancellationToken">The <see cref="CancellationToken"/></param>
+        /// <returns>The user profile</returns>
+        protected async Task<UserProfile> GetUserProfileByPersonId(string personId, CancellationToken cancellationToken = default)
         {
-            string cacheKey = $"uid:{userId}";
+            string pidCacheKey = $"{_pidUserProfileCacheKeyPrefix}{personId}";
 
-            if (!_memoryCache.TryGetValue(cacheKey, out UserProfile userProfile))
+            if (!_memoryCache.TryGetValue(pidCacheKey, out UserProfile userProfile))
             {
-                userProfile = await _profileWrapper.GetUserProfile(userId);
+                userProfile = await _profileWrapper.GetUserProfileByPersonId(personId, cancellationToken);
 
                 var cacheEntryOptions = new MemoryCacheEntryOptions()
                .SetPriority(CacheItemPriority.High)
                .SetAbsoluteExpiration(new TimeSpan(0, _generalSettings.RoleCacheTimeout, 0));
 
-                _memoryCache.Set(cacheKey, userProfile, cacheEntryOptions);
+                _memoryCache.Set(pidCacheKey, userProfile, cacheEntryOptions);
+
+                if (userProfile?.UserId > 0)
+                {
+                    _memoryCache.Set($"{_uidUserProfileCacheKeyPrefix}{userProfile.UserId}", userProfile, cacheEntryOptions);
+                }
             }
 
+            return userProfile;
+        }
+
+        private string GetCacheKey(int userId, int partyId)
+        {
+            return "rolelist_" + userId + "_" + partyId;
+        }
+
+        private string GetOedRoleassignmentCacheKey(string from, string to)
+        {
+            return $"oed{from}_{to}";
+        }
+
+        private async Task<string> GetPersonIdForUser(int userId, CancellationToken cancellationToken = default)
+        {
+            UserProfile userProfile = await GetUserProfileByUserId(userId, cancellationToken);
             return userProfile?.Party?.SSN;
         }
 

src/Authorization/Services/Implementation/DelegationContextHandler.cs

@@ -56,7 +56,7 @@ public async Task EnrichRequestSubjectAttributes(XacmlContextAttributes requestS
                 if (isInstanceAccessRequest)
                 {
                     // Instance delegation policies use uuid as subject, meaning the request needs to be enriched with the users uuid
-                    UserProfile userProfile = await _profileWrapper.GetUserProfile(subjectUserId, cancellationToken);
+                    UserProfile userProfile = await GetUserProfileByUserId(subjectUserId, cancellationToken);
                     if (userProfile != null && userProfile.Party != null &&
                         userProfile.Party.PartyTypeName == PartyType.Person && userProfile.Party.PartyUuid.HasValue)
                     {

test/IntegrationTests/Data/Xacml/3.0/ResourceRegistry/AltinnResourceRegistryMulti0012Request.json

@@ -10,6 +10,15 @@
             "Value": "01039012345"
           }
         ]
+      },
+      {
+        "Id": "s2",
+        "Attribute": [
+          {
+            "AttributeId": "urn:altinn:userid",
+            "Value": "1337"
+          }
+        ]
       }
     ],
     "Action": [
@@ -70,6 +79,26 @@
             "IncludeInResult": true
           }
         ]
+      },
+      {
+        "Id": "r4",
+        "Attribute": [
+          {
+            "AttributeId": "urn:altinn:resource",
+            "Value": "ttd-externalpdp-resource3",
+            "IncludeInResult": true
+          },
+          {
+            "AttributeId": "urn:altinn:resource:instance-id",
+            "Value": "4c1b880e-f425-4050-9a46-cd1b3e56bf94",
+            "IncludeInResult": true
+          },
+          {
+            "AttributeId": "urn:altinn:organization:identifier-no",
+            "Value": "910459880",
+            "IncludeInResult": true
+          }
+        ]
       }
     ],
     "MultiRequests": {
@@ -94,6 +123,13 @@
             "a1",
             "r3"
           ]
+        },
+        {
+          "ReferenceId": [
+            "s2",
+            "a1",
+            "r4"
+          ]
         }
       ]
     }

test/IntegrationTests/Data/Xacml/3.0/ResourceRegistry/AltinnResourceRegistryMulti0012Response.json

@@ -135,6 +135,46 @@
         }
 
       ]
+    },
+    {
+      "Decision": "NotApplicable",
+      "Status": {
+        "StatusCode": {
+          "Value": "urn:oasis:names:tc:xacml:1.0:status:ok"
+        }
+      },
+      "Category": [
+        {
+          "CategoryId": "urn:oasis:names:tc:xacml:3.0:attribute-category:action",
+          "Attribute": [
+            {
+              "AttributeId": "urn:oasis:names:tc:xacml:1.0:action:action-id",
+              "DataType": "http://www.w3.org/2001/XMLSchema#string",
+              "Value": "read"
+            }
+          ]
+        },
+        {
+          "CategoryId": "urn:oasis:names:tc:xacml:3.0:attribute-category:resource",
+          "Attribute": [
+            {
+              "AttributeId": "urn:altinn:resource",
+              "DataType": "http://www.w3.org/2001/XMLSchema#string",
+              "Value": "ttd-externalpdp-resource3"
+            },
+            {
+              "AttributeId": "urn:altinn:resource:instance-id",
+              "DataType": "http://www.w3.org/2001/XMLSchema#string",
+              "Value": "4c1b880e-f425-4050-9a46-cd1b3e56bf94"
+            },
+            {
+              "AttributeId": "urn:altinn:organization:identifier-no",
+              "DataType": "http://www.w3.org/2001/XMLSchema#string",
+              "Value": "910459880"
+            }
+          ]
+        }
+      ]
     }
   ]
 }

test/IntegrationTests/MockServices/AccessManagementWrapperMock.cs

@@ -70,6 +70,9 @@ public Task<IEnumerable<DelegationChangeExternal>> GetAllDelegationChanges(Deleg
                 DelegationChangesTestData.Default(DelegationChangesTestData.WithResourceID("app_org1_app1"), DelegationChangesTestData.WithResourceInstanceId("f8d3526c-596b-4322-a041-38a8925c2a82"), DelegationChangesTestData.WithFromUuid(UuidType.Organization, Guid.Parse("00000000-0000-0000-0005-000000005545")), DelegationChangesTestData.WithToUuid(UuidType.Organization, Guid.Parse("00000000-0000-0000-0005-000000004222"))),
                 WithDefaultCondition("org1/app1", new AttributeMatch { Id = XacmlRequestAttribute.PartyAttribute, Value = "50005545" }, new AttributeMatch { Id = XacmlRequestAttribute.PartyAttribute, Value = "50004222" }),
                 WithDefaultCondition("org1/app1", new AttributeMatch { Id = XacmlRequestAttribute.PartyAttribute, Value = "50005545" }, new AttributeMatch { Id = XacmlRequestAttribute.UserAttribute, Value = "20000095" })),
+            ConditionalAdd(
+                DelegationChangesTestData.Default(DelegationChangesTestData.WithResourceID("ttd-externalpdp-resource3"), DelegationChangesTestData.WithResourceInstanceId("4c1b880e-f425-4050-9a46-cd1b3e56bf94"), DelegationChangesTestData.WithOfferedByPartyID(50005545), DelegationChangesTestData.WithCoveredByUserID(1337)),
+                WithDefaultCondition("ttd-externalpdp-resource3", new AttributeMatch { Id = XacmlRequestAttribute.PartyAttribute, Value = "50005545" }, new AttributeMatch { Id = XacmlRequestAttribute.UserAttribute, Value = "1337" })),
         };
 
         var result = new List<DelegationChangeExternal>();

test/IntegrationTests/MockServices/ProfileMock.cs

@@ -16,9 +16,13 @@ public Task<UserProfile> GetUserProfile(int userId, CancellationToken cancellati
             {
                 userProfile = new UserProfile { Party = new Party { SSN = "13923949741" } };
             }
+            else if (userId == 13371337)
+            {
+                userProfile = new UserProfile { UserId = userId, Party = new Party { SSN = "13371337133" } };
+            }
             else if (userId == 1337)
             {
-                userProfile = new UserProfile { Party = new Party { SSN = "13371337133" } };
+                userProfile = new UserProfile { UserId = userId, Party = new Party { SSN = "01039012345", PartyId = 1337, PartyUuid = Guid.Parse("00000000-0000-0000-0005-000000001337"), PartyTypeName = Register.Enums.PartyType.Person } };
             }
             else if (userId == 20000517)
             {
@@ -41,7 +45,7 @@ public Task<UserProfile> GetUserProfileByPersonId(string personId, CancellationT
             }
             else if (personId == "13371337133")
             {
-                userProfile = new UserProfile { Party = new Party { SSN = personId } };
+                userProfile = new UserProfile { UserId = 13371337, Party = new Party { SSN = personId } };
             }
             else if (personId == "01039012345")
             {