feat: Add support for external resource references in authorizationAttributes (#801)

## Description

This adds support for supplying fully qualified resource references as
`authorizationAttribute` values in dialog elements and actions. Before
only simple strings were allowed, which was assumed to be a
`urn:altinn:subresource` referring a rule in the same policy. Now it is
possible to refer to other resources, ie. have one dialog element refer
to `urn:altinn:resource:totally-other-resource`. This allows for greater
flexibility, and makes it possible to eg. have notification jobs, which
may refer other resource registry entry, to match the authorization
rules for a dialog element.

Implementation chances:
- Added logic in `CreateResourceCategory` to let
`authorizationAttribute` values referring to `urn:altinn:resource`
namespaced override default resource/resourceinstance attributes
- Moved (most) "elementread" vs "read" logic from application to
infrastructure where it belongs
- Handle other namespaced values by utilizing `SplitNsAndValue` and
adding parameter for fallback namespace (if supplying simple string)
- Changed from `HashSet<AltinnAction>` to List<AltinnAction>` as we are
relying on ordering to match XACML responses to the request (needed
fixing unrelated to functional change)
- Added null cache option to disable caching locally. Timeouts still
apply though, which is annoying during debugging/stepping
- Added checks so that service owners can only refer to external
resources they own (as with `serviceResource`)
- Rewrote `CreateDialogDetailsResponse` for clarity

Also added more unit tests, and made the existing tests more robust.
Also added e2e tests for end users testing external resource references,
as well as service owner checks

## Related Issue(s)

N/A

## Verification

- [x] **Your** code builds clean without any errors or warnings
- [x] Manual testing done (required)
- [x] Relevant automated test added (if you find this hard, leave it and
we'll help out)


---------

Co-authored-by: Ole Jørgen Skogstad <skogstad@softis.net>

Author: elsand

src/Digdir.Domain.Dialogporten.Application/Common/Extensions/ServiceCollectionExtensions.cs

@@ -24,7 +24,7 @@ public static IServiceCollection ReplaceSingleton<TService, TImplementation>(
         bool predicate = true)
         where TService : class
         where TImplementation : class, TService =>
-        services.Replace<TService, TImplementation>(ServiceLifetime.Scoped, predicate);
+        services.Replace<TService, TImplementation>(ServiceLifetime.Singleton, predicate);
 
     private static IServiceCollection Replace<TService, TImplementation>(
         this IServiceCollection services,

src/Digdir.Domain.Dialogporten.Application/Externals/AltinnAuthorization/DialogDetailsAuthorizationResult.cs

@@ -1,21 +1,33 @@
 using Digdir.Domain.Dialogporten.Application.Common.Authorization;
+using Digdir.Domain.Dialogporten.Application.Features.V1.EndUser.DialogElements.Queries.Get;
+using Digdir.Domain.Dialogporten.Application.Features.V1.EndUser.Dialogs.Queries.Get;
 using Digdir.Domain.Dialogporten.Domain.Dialogs.Entities.Elements;
 
 namespace Digdir.Domain.Dialogporten.Application.Externals.AltinnAuthorization;
 
 public sealed class DialogDetailsAuthorizationResult
 {
-    // Each action applies to a resource. This is the main resource, or another resource indicated by a authorization attribute
-    // eg. "urn:altinn:subresource:some-sub-resource" or "urn:altinn:task:task_1"
-    public HashSet<AltinnAction> AuthorizedAltinnActions { get; init; } = [];
+    // Each action applies to a resource. This is the main resource, another subresource indicated by a authorization attribute
+    // eg. "urn:altinn:subresource:some-sub-resource" or "urn:altinn:task:task_1", or another resource (ie. policy)
+    // eg. urn:altinn:resource:some-other-resource
+    public List<AltinnAction> AuthorizedAltinnActions { get; init; } = [];
 
     public bool HasReadAccessToMainResource() =>
         AuthorizedAltinnActions.Contains(new(Constants.ReadAction, Constants.MainResource));
 
-    public bool HasReadAccessToDialogElement(DialogElement dialogElement)
+    public bool HasReadAccessToDialogElement(DialogElement dialogElement) =>
+        HasReadAccessToDialogElement(dialogElement.AuthorizationAttribute);
+
+    public bool HasReadAccessToDialogElement(GetDialogDialogElementDto dialogElement) =>
+        HasReadAccessToDialogElement(dialogElement.AuthorizationAttribute);
+
+    private bool HasReadAccessToDialogElement(string? authorizationAttribute)
     {
-        return dialogElement.AuthorizationAttribute is not null
-            ? AuthorizedAltinnActions.Contains(new(Constants.ElementReadAction, dialogElement.AuthorizationAttribute))
-            : HasReadAccessToMainResource();
+        return authorizationAttribute is not null
+            ? ( // Dialog elements are authorized by either the elementread or read action, depending on the authorization attribute type
+                // The infrastructure will ensure that the correct action is used, so here we just check for either
+                AuthorizedAltinnActions.Contains(new(Constants.ElementReadAction, authorizationAttribute))
+                || AuthorizedAltinnActions.Contains(new(Constants.ReadAction, authorizationAttribute))
+            ) : HasReadAccessToMainResource();
     }
 }

src/Digdir.Domain.Dialogporten.Application/Features/V1/EndUser/DialogElements/Queries/Get/GetDialogElementQuery.cs

@@ -1,5 +1,6 @@
 using System.Linq.Expressions;
 using AutoMapper;
+using Digdir.Domain.Dialogporten.Application.Common.Authorization;
 using Digdir.Domain.Dialogporten.Application.Common.ReturnTypes;
 using Digdir.Domain.Dialogporten.Application.Externals;
 using Digdir.Domain.Dialogporten.Application.Externals.AltinnAuthorization;
@@ -80,6 +81,13 @@ public async Task<GetDialogElementResult> Handle(GetDialogElementQuery request,
         var dto = _mapper.Map<GetDialogElementDto>(element);
         dto.IsAuthorized = authorizationResult.HasReadAccessToDialogElement(element);
 
+        if (dto.IsAuthorized) return dto;
+
+        foreach (var url in dto.Urls)
+        {
+            url.Url = Constants.UnauthorizedUri;
+        }
+
         return dto;
     }
 }

src/Digdir.Domain.Dialogporten.Application/Features/V1/EndUser/Dialogs/Queries/Get/GetDialogQuery.cs

@@ -157,15 +157,12 @@ private static void DecorateWithAuthorization(GetDialogDto dto,
                 }
             }
 
-            // Simple "read" on the main resource will give access to a dialog element, unless an authorization attribute is set,
-            // in which case an "elementread" action is required
-            var elements = dto.Elements.Where(dialogElement =>
-                (dialogElement.AuthorizationAttribute is null && action == Constants.ReadAction) ||
-                (dialogElement.AuthorizationAttribute is not null && action == Constants.ElementReadAction));
-
-            foreach (var dialogElement in elements)
+            foreach (var element in dto.Elements)
             {
-                dialogElement.IsAuthorized = true;
+                if (authorizationResult.HasReadAccessToDialogElement(element))
+                {
+                    element.IsAuthorized = true;
+                }
             }
         }
     }

src/Digdir.Domain.Dialogporten.Application/Features/V1/ServiceOwner/Dialogs/Commands/Create/CreateDialogCommand.cs

@@ -50,9 +50,12 @@ public CreateDialogCommandHandler(
 
     public async Task<CreateDialogResult> Handle(CreateDialogCommand request, CancellationToken cancellationToken)
     {
-        if (!await _userResourceRegistry.CurrentUserIsOwner(request.ServiceResource, cancellationToken))
+        foreach (var serviceResourceReference in GetServiceResourceReferences(request))
         {
-            return new Forbidden($"Not owner of {request.ServiceResource}.");
+            if (!await _userResourceRegistry.CurrentUserIsOwner(serviceResourceReference, cancellationToken))
+            {
+                return new Forbidden($"Not allowed to reference {serviceResourceReference}.");
+            }
         }
 
         var serviceResourceType = await _userResourceRegistry.GetResourceType(request.ServiceResource, cancellationToken);
@@ -105,4 +108,26 @@ public async Task<CreateDialogResult> Handle(CreateDialogCommand request, Cancel
             domainError => domainError,
             concurrencyError => throw new UnreachableException("Should never get a concurrency error when creating a new dialog"));
     }
+
+    private static List<string> GetServiceResourceReferences(CreateDialogDto request)
+    {
+        var serviceResourceReferences = new List<string> { request.ServiceResource };
+
+        static bool IsExternalResource(string? resource)
+        {
+            return resource is not null && resource.StartsWith(Constants.ServiceResourcePrefix, StringComparison.OrdinalIgnoreCase);
+        }
+
+        serviceResourceReferences.AddRange(request.ApiActions
+            .Where(action => IsExternalResource(action.AuthorizationAttribute))
+            .Select(action => action.AuthorizationAttribute!));
+        serviceResourceReferences.AddRange(request.GuiActions
+            .Where(action => IsExternalResource(action.AuthorizationAttribute))
+            .Select(action => action.AuthorizationAttribute!));
+        serviceResourceReferences.AddRange(request.Elements
+            .Where(element => IsExternalResource(element.AuthorizationAttribute))
+            .Select(element => element.AuthorizationAttribute!));
+
+        return serviceResourceReferences.Distinct().ToList();
+    }
 }

src/Digdir.Domain.Dialogporten.Application/Features/V1/ServiceOwner/Dialogs/Commands/Update/UpdateDialogCommand.cs

@@ -76,6 +76,14 @@ public async Task<UpdateDialogResult> Handle(UpdateDialogCommand request, Cancel
             return new EntityNotFound<DialogEntity>(request.Id);
         }
 
+        foreach (var serviceResourceReference in GetServiceResourceReferences(request.Dto))
+        {
+            if (!await _userResourceRegistry.CurrentUserIsOwner(serviceResourceReference, cancellationToken))
+            {
+                return new Forbidden($"Not allowed to reference {serviceResourceReference}.");
+            }
+        }
+
         if (!_userResourceRegistry.UserCanModifyResourceType(dialog.ServiceResourceType))
         {
             return new Forbidden($"User cannot modify resource type {dialog.ServiceResourceType}.");
@@ -150,6 +158,28 @@ await dialog.Elements
             concurrencyError => concurrencyError);
     }
 
+    private static List<string> GetServiceResourceReferences(UpdateDialogDto request)
+    {
+        var serviceResourceReferences = new List<string>();
+
+        static bool IsExternalResource(string? resource)
+        {
+            return resource is not null && resource.StartsWith(Domain.Common.Constants.ServiceResourcePrefix, StringComparison.OrdinalIgnoreCase);
+        }
+
+        serviceResourceReferences.AddRange(request.ApiActions
+            .Where(action => IsExternalResource(action.AuthorizationAttribute))
+            .Select(action => action.AuthorizationAttribute!));
+        serviceResourceReferences.AddRange(request.GuiActions
+            .Where(action => IsExternalResource(action.AuthorizationAttribute))
+            .Select(action => action.AuthorizationAttribute!));
+        serviceResourceReferences.AddRange(request.Elements
+            .Where(element => IsExternalResource(element.AuthorizationAttribute))
+            .Select(element => element.AuthorizationAttribute!));
+
+        return serviceResourceReferences.Distinct().ToList();
+    }
+
     private void ValidateTimeFields(DialogEntity dialog)
     {
         const string errorMessage = "Must be in future or current value.";

src/Digdir.Domain.Dialogporten.Application/LocalDevelopmentSettings.cs

@@ -10,6 +10,7 @@ public sealed class LocalDevelopmentSettings
     public bool UseLocalDevelopmentAltinnAuthorization { get; init; } = true;
     public bool UseLocalDevelopmentCloudEventBus { get; init; } = true;
     public bool DisableShortCircuitOutboxDispatcher { get; init; } = true;
+    public bool DisableCache { get; init; } = true;
     public bool DisableAuth { get; init; } = true;
     public bool UseLocalDevelopmentNameRegister { get; set; } = true;
     public bool UseLocalDevelopmentOrganizationRegister { get; set; } = true;

src/Digdir.Domain.Dialogporten.GraphQL/appsettings.Development.json

@@ -67,6 +67,7 @@
     "UseLocalDevelopmentAltinnAuthorization": true,
     "UseLocalDevelopmentCloudEventBus": true,
     "DisableShortCircuitOutboxDispatcher": true,
+    "DisableCache": false,
     "DisableAuth": true
   }
 }

src/Digdir.Domain.Dialogporten.Infrastructure/Altinn/Authorization/DecisionRequestHelper.cs

@@ -30,11 +30,13 @@ internal static class DecisionRequestHelper
 
     public static XacmlJsonRequestRoot CreateDialogDetailsRequest(DialogDetailsAuthorizationRequest request)
     {
+        var sortedActions = request.AltinnActions.SortForXacml();
+
         var accessSubject = CreateAccessSubjectCategory(request.Claims);
-        var actions = CreateActionCategories(request.AltinnActions, out var actionIdByName);
-        var resources = CreateResourceCategories(request.ServiceResource, request.DialogId, request.Party, request.AltinnActions, out var resourceIdByName);
+        var actions = CreateActionCategories(sortedActions, out var actionIdByName);
+        var resources = CreateResourceCategories(request.ServiceResource, request.DialogId, request.Party, sortedActions, out var resourceIdByName);
 
-        var multiRequests = CreateMultiRequests(request.AltinnActions, actionIdByName, resourceIdByName);
+        var multiRequests = CreateMultiRequests(sortedActions, actionIdByName, resourceIdByName);
 
         var xacmlJsonRequest = new XacmlJsonRequest
         {
@@ -47,15 +49,29 @@ public static XacmlJsonRequestRoot CreateDialogDetailsRequest(DialogDetailsAutho
         return new XacmlJsonRequestRoot { Request = xacmlJsonRequest };
     }
 
-    public static DialogDetailsAuthorizationResult CreateDialogDetailsResponse(HashSet<AltinnAction> altinnActions, XacmlJsonResponse? xamlJsonResponse) =>
-        new()
+    public static DialogDetailsAuthorizationResult CreateDialogDetailsResponse(List<AltinnAction> altinnActions, XacmlJsonResponse? xamlJsonResponse)
+    {
+        var authorizedAltinnActions = new List<AltinnAction>();
+
+        var sortedAltinnActions = altinnActions.SortForXacml();
+        var xacmlJsonResults = xamlJsonResponse?.Response ?? new List<XacmlJsonResult>();
+
+        int count = Math.Min(sortedAltinnActions.Count, xacmlJsonResults.Count);
+        for (int i = 0; i < count; i++)
         {
-            AuthorizedAltinnActions = altinnActions
-                .Zip(xamlJsonResponse?.Response ?? Enumerable.Empty<XacmlJsonResult>(), (action, response) => (action, response))
-                .Where(x => x.response.Decision == PermitResponse)
-                .Select(x => x.action)
-                .ToHashSet()
+            var action = sortedAltinnActions[i];
+            var response = xacmlJsonResults[i];
+            if (response.Decision == PermitResponse)
+            {
+                authorizedAltinnActions.Add(action);
+            }
+        }
+
+        return new DialogDetailsAuthorizationResult
+        {
+            AuthorizedAltinnActions = authorizedAltinnActions
         };
+    }
 
     private static List<XacmlJsonCategory> CreateAccessSubjectCategory(IEnumerable<Claim> claims)
     {
@@ -92,7 +108,7 @@ private static string GetSystemUserId(Claim claim)
     }
 
     private static List<XacmlJsonCategory> CreateActionCategories(
-        HashSet<AltinnAction> altinnActions, out Dictionary<string, string> actionIdByName)
+        List<AltinnAction> altinnActions, out Dictionary<string, string> actionIdByName)
     {
         actionIdByName = altinnActions
             .Select(x => x.Name)
@@ -115,7 +131,7 @@ private static List<XacmlJsonCategory> CreateResourceCategories(
         string serviceResource,
         Guid dialogId,
         string party,
-        HashSet<AltinnAction> altinnActions, out Dictionary<string, string> resourceIdByName)
+        List<AltinnAction> altinnActions, out Dictionary<string, string> resourceIdByName)
     {
         resourceIdByName = altinnActions
             .Select(x => x.AuthorizationAttribute)
@@ -133,9 +149,9 @@ private static List<XacmlJsonCategory> CreateResourceCategories(
             .ToList();
     }
 
-    private static XacmlJsonCategory CreateResourceCategory(string id, string serviceResource, Guid? dialogId, XacmlJsonAttribute? partyAttribute, string? subResource = null)
+    private static XacmlJsonCategory CreateResourceCategory(string id, string serviceResource, Guid? dialogId, XacmlJsonAttribute? partyAttribute, string? authorizationAttribute = null)
     {
-        var (ns, value, org) = SplitNsAndValue(serviceResource);
+        var (ns, value, org) = SplitNamespaceAndValue(serviceResource);
         var attributes = new List<XacmlJsonAttribute>
         {
             new() { AttributeId = ns, Value = value }
@@ -178,9 +194,19 @@ private static XacmlJsonCategory CreateResourceCategory(string id, string servic
             }
         }
 
-        if (subResource is not null)
+        if (authorizationAttribute is not null)
         {
-            attributes.Add(new XacmlJsonAttribute { AttributeId = AttributeIdSubResource, Value = subResource });
+            var resourceAttributesFromAuthorizationAttribute = GetResourceAttributesForAuthorizationAttribute(authorizationAttribute);
+
+            // If we get either urn:altinn:app/urn:altinn:org or urn:altinn:resource attributes, this should
+            // be considered overrides that should be used instead of the default resource attributes.
+            if (resourceAttributesFromAuthorizationAttribute.Any(x => x.AttributeId is AttributeIdApp or AttributeIdOrg or AttributeIdResource))
+            {
+                attributes.RemoveAll(x =>
+                    x.AttributeId is AttributeIdResource or AttributeIdResourceInstance or AttributeIdApp or AttributeIdOrg or AttributeIdAppInstance);
+            }
+
+            attributes.AddRange(resourceAttributesFromAuthorizationAttribute);
         }
 
         return new XacmlJsonCategory
@@ -190,14 +216,27 @@ private static XacmlJsonCategory CreateResourceCategory(string id, string servic
         };
     }
 
-    private static (string, string, string?) SplitNsAndValue(string serviceResource)
+    private static List<XacmlJsonAttribute> GetResourceAttributesForAuthorizationAttribute(string subResource)
+    {
+        var result = new List<XacmlJsonAttribute>();
+        var (ns, value, org) = SplitNamespaceAndValue(subResource, AttributeIdSubResource);
+        result.Add(new XacmlJsonAttribute { AttributeId = ns, Value = value });
+        if (org is not null)
+        {
+            result.Add(new XacmlJsonAttribute { AttributeId = AttributeIdOrg, Value = org });
+        }
+
+        return result;
+    }
+
+    private static (string, string, string?) SplitNamespaceAndValue(string serviceResource, string defaultNamespace = AttributeIdResource)
     {
         var lastColonIndex = serviceResource.LastIndexOf(':');
         if (lastColonIndex == -1 || lastColonIndex == serviceResource.Length - 1)
         {
             // If we don't recognize the format, we just return the whole string as the value and assume
             // that the caller wants to refer a resource in the Resource Registry namespace.
-            return (AttributeIdResource, serviceResource, null);
+            return (defaultNamespace, serviceResource, null);
         }
 
         var ns = serviceResource[..lastColonIndex];
@@ -232,7 +271,7 @@ private static (string, string, string?) SplitNsAndValue(string serviceResource)
     }
 
     private static XacmlJsonMultiRequests CreateMultiRequests(
-        HashSet<AltinnAction> altinnActions,
+        List<AltinnAction> altinnActions,
         Dictionary<string, string> actionIdByName,
         Dictionary<string, string> resourceIdByName)
     {
@@ -256,6 +295,9 @@ private static XacmlJsonMultiRequests CreateMultiRequests(
         return multiRequests;
     }
 
+    private static List<AltinnAction> SortForXacml(this List<AltinnAction> altinnActions) =>
+        altinnActions.OrderBy(x => x.Name).ThenBy(x => x.AuthorizationAttribute).ToList();
+
     public static class NonScalable
     {
         // This contains the helpers for the preliminary implementation which doesn't scale, and should only be used in very low volume situations
@@ -265,7 +307,7 @@ public static class NonScalable
 
         public static XacmlJsonRequestRoot CreateDialogSearchRequest(DialogSearchAuthorizationRequest request)
         {
-            var requestActions = new HashSet<AltinnAction>
+            var requestActions = new List<AltinnAction>
             {
                 new (Constants.ReadAction, Constants.MainResource)
             };

src/Digdir.Domain.Dialogporten.Infrastructure/Altinn/Authorization/DialogDetailsAuthorizationRequest.cs

@@ -15,7 +15,7 @@ public sealed class DialogDetailsAuthorizationRequest
 
     // Each action applies to a resource. This is the main resource, or another resource indicated by a authorization attribute
     // eg. "urn:altinn:subresource:some-sub-resource" or "urn:altinn:task:task_1"
-    public required HashSet<AltinnAction> AltinnActions { get; init; }
+    public required List<AltinnAction> AltinnActions { get; init; }
 }
 
 public static class DialogDetailsAuthorizationRequestExtensions