Alowed to revoke rights given to system user

Altinn · Dec 11, 2024 · f9bd4d8 · f9bd4d8
1 parent 0408c23
commit f9bd4d8
Show file tree

Hide file tree

Showing 4 changed files with 32 additions and 11 deletions.
diff --git a/...inn.AccessManagement/src/Altinn.AccessManagement.Core/Asserters/AttributeMatchAsserter.cs b/...inn.AccessManagement/src/Altinn.AccessManagement.Core/Asserters/AttributeMatchAsserter.cs
@@ -168,13 +168,13 @@ public static void DefaultFrom(this IAssert<AttributeMatch> assert, IDictionary<
     /// <param name="assert">list of assertions</param>
     /// <param name="errors">dictionary for writing assertion errors</param>
     /// <param name="values">list of attributes</param>
-    public static void Altinn2InternalIds(this IAssert<AttributeMatch> assert, IDictionary<string, string[]> errors, IEnumerable<AttributeMatch> values) =>
+    public static void RevokeInternalIds(this IAssert<AttributeMatch> assert, IDictionary<string, string[]> errors, IEnumerable<AttributeMatch> values) =>
         assert.All(
             assert.Single(
                 assert.HasAttributeTypes(AltinnXacmlConstants.MatchAttributeIdentifiers.PartyAttribute),
-                assert.HasAttributeTypes(AltinnXacmlConstants.MatchAttributeIdentifiers.UserAttribute)),
-            assert.AllAttributesHasValues,
-            assert.AttributesAreIntegers(BaseUrn.Altinn2InternalIds))(errors, values);
+                assert.HasAttributeTypes(AltinnXacmlConstants.MatchAttributeIdentifiers.UserAttribute),
+                assert.HasAttributeTypes(AltinnXacmlConstants.MatchAttributeIdentifiers.SystemUserUuid)),
+            assert.AllAttributesHasValues)(errors, values);
 
     /// <summary>
     /// A default list of assertions that contains the baseline for validating input for a resource.

diff --git a/src/apps/Altinn.AccessManagement/src/Altinn.AccessManagement.Core/Resolvers/BaseUrn.cs b/src/apps/Altinn.AccessManagement/src/Altinn.AccessManagement.Core/Resolvers/BaseUrn.cs
@@ -21,7 +21,7 @@ public static class BaseUrn
     /// <summary>
     /// InternalIds from Altinn 2
     /// </summary>
-    public static string[] Altinn2InternalIds => [AltinnXacmlConstants.MatchAttributeIdentifiers.UserAttribute, AltinnXacmlConstants.MatchAttributeIdentifiers.PartyAttribute];
+    public static string[] RevokeInternalIds => [AltinnXacmlConstants.MatchAttributeIdentifiers.UserAttribute, AltinnXacmlConstants.MatchAttributeIdentifiers.PartyAttribute, AltinnXacmlConstants.MatchAttributeIdentifiers.SystemUserUuid];
 
     /// <summary>
     /// Resources that belongs to Altinn 

diff --git a/...n.AccessManagement/src/Altinn.AccessManagement.Core/Services/PolicyAdministrationPoint.cs b/...n.AccessManagement/src/Altinn.AccessManagement.Core/Services/PolicyAdministrationPoint.cs
@@ -908,6 +908,8 @@ private async Task<List<Rule>> DeleteAllRulesInPolicy(RequestToDelete policyToDe
                     OfferedByPartyId = policyToDelete.PolicyMatch.OfferedByPartyId,
                     CoveredByPartyId = coveredByPartyId,
                     CoveredByUserId = coveredByUserId,
+                    ToUuid = coveredByUuid,
+                    ToUuidType = coveredByUuidType,
                     PerformedByUserId = policyToDelete.DeletedByUserId,
                     BlobStoragePolicyPath = policyPath,
                     BlobStorageVersionId = response.Value.VersionId

diff --git a/.../Altinn.AccessManagement/src/Altinn.AccessManagement.Core/Services/SingleRightsService.cs b/.../Altinn.AccessManagement/src/Altinn.AccessManagement.Core/Services/SingleRightsService.cs
@@ -235,18 +235,37 @@ public async Task<ValidationProblemDetails> RevokeRightsDelegation(int authentic
             }
 
             var fromAttribute = await _resolver.Resolve(delegation.From, [AltinnXacmlConstants.MatchAttributeIdentifiers.PartyAttribute], cancellationToken);
-            var toAttribute = await _resolver.Resolve(delegation.To, BaseUrn.Altinn2InternalIds, cancellationToken);
+            var toAttribute = await _resolver.Resolve(delegation.To, BaseUrn.RevokeInternalIds, cancellationToken);
 
-            var to = toAttribute.Any(p => p.Id == AltinnXacmlConstants.MatchAttributeIdentifiers.UserAttribute)
-                ? new AttributeMatch(AltinnXacmlConstants.MatchAttributeIdentifiers.UserAttribute, toAttribute.First(p => p.Id == AltinnXacmlConstants.MatchAttributeIdentifiers.UserAttribute).Value)
-                : new AttributeMatch(AltinnXacmlConstants.MatchAttributeIdentifiers.PartyAttribute, toAttribute.First(p => p.Id == AltinnXacmlConstants.MatchAttributeIdentifiers.PartyAttribute).Value);
+            var to = GetAttributeMatchFromAttributeMatchList(toAttribute);
 
             var policiesToDelete = DelegationHelper.GetRequestToDeleteResource(authenticatedUserId, delegation.Rights[0].Resource, fromAttribute.GetRequiredInt(AltinnXacmlConstants.MatchAttributeIdentifiers.PartyAttribute), to);
 
             await _pap.TryDeleteDelegationPolicies(policiesToDelete, cancellationToken);
             return assertion;
         }
 
+        /// <summary>
+        /// Fetch the actual internal id from the attribute match list
+        /// </summary>
+        /// <param name="attributeMatches">the list to fetch from</param>
+        /// <returns>The identified internal id</returns>
+        private AttributeMatch GetAttributeMatchFromAttributeMatchList(IEnumerable<AttributeMatch> attributeMatches)
+        {
+            if (attributeMatches.Any(p => p.Id == AltinnXacmlConstants.MatchAttributeIdentifiers.UserAttribute))
+            {
+                return new AttributeMatch(AltinnXacmlConstants.MatchAttributeIdentifiers.UserAttribute, attributeMatches.First(p => p.Id == AltinnXacmlConstants.MatchAttributeIdentifiers.UserAttribute).Value);
+            }
+            else if (attributeMatches.Any(p => p.Id == AltinnXacmlConstants.MatchAttributeIdentifiers.SystemUserUuid))
+            {
+                return new AttributeMatch(AltinnXacmlConstants.MatchAttributeIdentifiers.SystemUserUuid, attributeMatches.First(p => p.Id == AltinnXacmlConstants.MatchAttributeIdentifiers.SystemUserUuid).Value);
+            }
+            else
+            {
+                return new AttributeMatch(AltinnXacmlConstants.MatchAttributeIdentifiers.PartyAttribute, attributeMatches.First(p => p.Id == AltinnXacmlConstants.MatchAttributeIdentifiers.PartyAttribute).Value);
+            }
+        }
+
         /// <summary>
         /// Ensures that given input for revoking a delegations contains a combination of attributes that
         /// the service layer can process. If the method return null then input should be processable.
@@ -256,10 +275,10 @@ private ValidationProblemDetails AssertRevokeDelegationInput(DelegationLookup de
             _asserter.Join(
                 _asserter.Evaluate(
                     delegation.From,
-                    _asserter.Altinn2InternalIds),
+                    _asserter.RevokeInternalIds),
                 _asserter.Evaluate(
                     delegation.To,
-                    _asserter.Altinn2InternalIds),
+                    _asserter.RevokeInternalIds),
                 _asserter.Evaluate(
                     delegation.Rights?.FirstOrDefault()?.Resource ?? [],
                     _asserter.DefaultResource));