fix: Fix XACML attribute id for system users

[elsand]

Description

This fixes the XACML attribute id used when construction PDP requests

Related Issue(s)

• N/A

Verification

• Your code builds clean without any errors or warnings
• Manual testing done (required)
• Relevant automated test added (if you find this hard, leave it and we'll help out)

Summary by CodeRabbit

• New Features

  • Updated the system user identifier format for improved consistency in authorization requests.

• Bug Fixes

  • Adjusted test assertions to align with the new system user identifier format.

[coderabbitai]

📝 Walkthrough

Walkthrough

The pull request modifies the DecisionRequestHelper class by updating the constant AttributeIdSystemUser from "urn:altinn:systemuser" to "urn:altinn:systemuser:uuid". This change affects how system user identifiers are referenced in authorization contexts. Additionally, minor adjustments were made to the code structure, such as using array initializers instead of list initializers. The associated test class, DecisionRequestHelperTests, reflects this change by updating the expected value in a specific test method. Overall, the logic and structure of both the class and its tests remain consistent.

Changes

File	Change Summary
src/Digdir.Domain.Dialogporten.Infrastructure/Altinn/Authorization/DecisionRequestHelper.cs	Updated constant AttributeIdSystemUser from "urn:altinn:systemuser" to "urn:altinn:systemuser:uuid"; minor code structure adjustments.
tests/Digdir.Domain.Dialogporten.Infrastructure.Unit.Tests/DecisionRequestHelperTests.cs	Updated assertion in CreateDialogDetailsRequestShouldReturnCorrectRequestForSystemUser test to reflect new value for AccessSubject.

Possibly related PRs

• fix: Fallback to using list auth if details auth fails, remove double cache #1274: The changes in this PR involve authorization logic that may relate to how system user identifiers are handled, similar to the updates made in the DecisionRequestHelper class regarding the AttributeIdSystemUser.

Suggested reviewers

• oskogstad
• Ceredron

---

Thank you for using CodeRabbit. We offer it for free to the OSS community and would appreciate your support in helping us grow. If you find it useful, would you consider giving us a shout-out on your favorite social media?

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

🪧 Tips

Chat

There are 3 ways to chat with CodeRabbit:

• Review comments: Directly reply to a review comment made by CodeRabbit. Example:
  • I pushed a fix in commit <commit_id>, please review it.
  • Generate unit testing code for this file.
  • Open a follow-up GitHub issue for this discussion.
• Files and specific lines of code (under the "Files changed" tab): Tag @coderabbitai in a new review comment at the desired location with your query. Examples:
  • @coderabbitai generate unit testing code for this file.
  • @coderabbitai modularize this function.
• PR comments: Tag @coderabbitai in a new PR comment to ask questions about the PR branch. For the best results, please provide a very specific query, as very limited context is provided in this mode. Examples:
  • @coderabbitai gather interesting stats about this repository and render them as a table. Additionally, render a pie chart showing the language distribution in the codebase.
  • @coderabbitai read src/utils.ts and generate unit testing code.
  • @coderabbitai read the files in the src/scheduler package and generate a class diagram using mermaid and a README in the markdown format.
  • @coderabbitai help me debug CodeRabbit configuration file.

Note: Be mindful of the bot's finite context window. It's strongly recommended to break down tasks such as reading entire modules into smaller chunks. For a focused discussion, use review comments to chat about specific files and their changes, instead of using the PR comments.

CodeRabbit Commands (Invoked using PR comments)

• @coderabbitai pause to pause the reviews on a PR.
• @coderabbitai resume to resume the paused reviews.
• @coderabbitai review to trigger an incremental review. This is useful when automatic reviews are disabled for the repository.
• @coderabbitai full review to do a full review from scratch and review all the files again.
• @coderabbitai summary to regenerate the summary of the PR.
• @coderabbitai resolve resolve all the CodeRabbit review comments.
• @coderabbitai configuration to show the current CodeRabbit configuration for the repository.
• @coderabbitai help to get help.

Other keywords and placeholders

• Add @coderabbitai ignore anywhere in the PR description to prevent this PR from being reviewed.
• Add @coderabbitai summary to generate the high-level summary at a specific location in the PR description.
• Add @coderabbitai anywhere in the PR title to generate the title automatically.

Documentation and Community

• Visit our Documentation for detailed information on how to use CodeRabbit.
• Join our Discord Community to get help, request features, and share feedback.
• Follow us on X/Twitter for updates and announcements.

[coderabbitai]

Actionable comments posted: 1

🧹 Outside diff range and nitpick comments (2)

src/Digdir.Domain.Dialogporten.Infrastructure/Altinn/Authorization/DecisionRequestHelper.cs (1)

Line range hint 89-90: Add tests for system user authorization scenarios.

The system user ID extraction and attribute mapping looks correct. However, given this security-critical change, we should ensure comprehensive test coverage for system user authorization scenarios.

Would you like me to help generate additional test cases for:

1. System user authorization with valid UUID
2. System user authorization with invalid UUID
3. Missing system user claims

tests/Digdir.Domain.Dialogporten.Infrastructure.Unit.Tests/DecisionRequestHelperTests.cs (1)

Line range hint 136-157: Consider enhancing test coverage for system user scenarios.

While the test covers the happy path, consider adding test cases for:

1. Invalid/malformed authorization details JSON
2. Empty or missing system user ID

Would you like me to help generate these additional test cases?

📜 Review details

Configuration used: .coderabbit.yaml
Review profile: CHILL

📥 Commits

Files that changed from the base of the PR and between 480f5e3 and 5a25771.

📒 Files selected for processing (2)

• src/Digdir.Domain.Dialogporten.Infrastructure/Altinn/Authorization/DecisionRequestHelper.cs (1 hunks)
• tests/Digdir.Domain.Dialogporten.Infrastructure.Unit.Tests/DecisionRequestHelperTests.cs (1 hunks)

🧰 Additional context used

🔇 Additional comments (2)

src/Digdir.Domain.Dialogporten.Infrastructure/Altinn/Authorization/DecisionRequestHelper.cs (2)

22-22: LGTM! Verify URN format with Altinn documentation.

The change to include :uuid in the URN makes the expected identifier type explicit. This looks correct, but please verify that this URN format matches Altinn's documentation or specifications for system user identifiers.

Let's check if this URN format is documented:

---

22-22: Verify PDP configuration for the new URN format.

This change to the system user attribute ID requires coordination with the PDP configuration:

1. Ensure the PDP is configured to accept the new urn:altinn:systemuser:uuid format
2. Consider if this is a breaking change requiring coordinated deployment
3. Verify if any existing XACML policies need updates

Let's check for any policy files that might need updates:

Also applies to: 89-90

✅ Verification successful

Let me try a different approach to verify this change by searching for any XML files first and then checking their content.

---

Let me check the test file and related code to understand how this URN is being used and tested.

---

Based on the test implementation and related code, I can now provide a final response:

The URN format change is already properly integrated and tested

The change to urn:altinn:systemuser:uuid is consistent with the existing implementation:

1. The test file DecisionRequestHelperTests.cs explicitly verifies the new URN format in the CreateDialogDetailsRequestShouldReturnCorrectRequestForSystemUser test
2. The SystemUserIdentifier.cs class uses the same URN prefix pattern
3. The ClaimsPrincipalExtensions.cs handles system user authentication using the same attribute ID

This appears to be a coordinated change that is already properly tested and integrated with the PDP configuration. No additional verification is needed.

🏁 Scripts executed

The following scripts were executed for the analysis:

Script:

#!/bin/bash
# Search for XACML policy files that might reference the old URN
rg -l "urn:altinn:systemuser" --type xml

Length of output: 189

---

Script:

#!/bin/bash
# First, find all XML files in the repository
echo "=== Finding XML files ==="
fd -e xml

# Then search for any files containing authorization/policy related content
echo -e "\n=== Searching for authorization related content ==="
rg -l "(?i)(xacml|policy|authorization)" --type xml

# Also search for any references to the system user attribute in all files
echo -e "\n=== Searching for system user references ==="
rg -l "systemuser" -g "!*.{dll,exe,pdb}"

Length of output: 881

---

Script:

#!/bin/bash
# Check the test implementation
echo "=== Test Implementation ==="
cat "tests/Digdir.Domain.Dialogporten.Infrastructure.Unit.Tests/DecisionRequestHelperTests.cs"

# Check the system user identifier implementation
echo -e "\n=== SystemUserIdentifier Implementation ==="
cat "src/Digdir.Domain.Dialogporten.Domain/Parties/SystemUserIdentifier.cs"

# Check claims principal extensions
echo -e "\n=== ClaimsPrincipalExtensions Implementation ==="
cat "src/Digdir.Domain.Dialogporten.Application/Common/Extensions/ClaimsPrincipalExtensions.cs"

Length of output: 28449

[sonarqubecloud]

Quality Gate passed

Issues
0 New issues
0 Accepted issues

Measures
0 Security Hotspots
0.0% Coverage on New Code
0.0% Duplication on New Code

See analysis details on SonarCloud