digdir · knuhau · Jan 22, 2024 · Jan 9, 2024 · Jan 10, 2024 · Jan 15, 2024
diff --git a/src/Digdir.Domain.Dialogporten.Application/Common/Numbers/PersonIdentifier.cs b/src/Digdir.Domain.Dialogporten.Application/Common/Numbers/PersonIdentifier.cs
@@ -0,0 +1,18 @@
+using System.Globalization;
+using System.Text.RegularExpressions;
+
+namespace Digdir.Domain.Dialogporten.Application.Common.Numbers;
+
+internal static partial class PersonIdentifier
+{
+    [GeneratedRegex(@"^urn:altinn:person:[\w-]+::\d+$", RegexOptions.None, matchTimeoutMilliseconds: 1000)]
+    private static partial Regex ValidateIdentifierRegex();
+
+    public static bool IsValid(ReadOnlySpan<char> personIdentifier)
+    {
+        return ValidateIdentifierRegex().IsMatch(personIdentifier.ToString());
+    }
+
+    public static string? ExtractEndUserIdNumber(string? endUserId) =>
+        endUserId?.Split("::").LastOrDefault();
+}
@@ -11,6 +11,6 @@ public Task<DialogDetailsAuthorizationResult> GetDialogDetailsAuthorization(
     public Task<DialogSearchAuthorizationResult> GetAuthorizedResourcesForSearch(
         List<string> constraintParties,
         List<string> constraintServiceResources,
-        string? authEndUserPid = null,
+        string? endUserId = null,
         CancellationToken cancellationToken = default);
 }
@@ -9,8 +9,8 @@ public sealed class SearchDialogDto
     public Guid Id { get; set; }
     public string Org { get; set; } = null!;
     public string ServiceResource { get; set; } = null!;
-    public string? AuthEndUserPid { get; set; } = null!;
     public string Party { get; set; } = null!;
+    public string? EndUserId { get; set; } = null!;
     public int? Progress { get; set; }
     public string? ExtendedStatus { get; set; }
     public DateTimeOffset CreatedAt { get; set; }

@@ -3,6 +3,7 @@
 using Digdir.Domain.Dialogporten.Application.Common;
 using Digdir.Domain.Dialogporten.Application.Common.Extensions;
 using Digdir.Domain.Dialogporten.Application.Common.Extensions.Enumerables;
+using Digdir.Domain.Dialogporten.Application.Common.Numbers;
 using Digdir.Domain.Dialogporten.Application.Common.Pagination;
 using Digdir.Domain.Dialogporten.Application.Common.Pagination.OrderOption;
 using Digdir.Domain.Dialogporten.Application.Common.ReturnTypes;
@@ -31,9 +32,9 @@ public sealed class SearchDialogQuery : SortablePaginationParameter<SearchDialog
     public List<string>? Party { get; init; }
 
     /// <summary>
-    /// Filter by national identity number
+    /// Filter by end user id
     /// </summary>
-    public string? AuthEndUserPid { get; init; }
+    public string? EndUserId { get; init; }
 
     /// <summary>
     /// Filter by one or more extended statuses
@@ -164,12 +165,12 @@ public async Task<SearchDialogResult> Handle(SearchDialogQuery request, Cancella
             )
             .Where(x => resourceIds.Contains(x.ServiceResource));
 
-        if (request.AuthEndUserPid is not null)
+        if (request.EndUserId is not null)
         {
             var authorizedResources = await _altinnAuthorization.GetAuthorizedResourcesForSearch(
                 request.Party ?? new List<string>(),
                 request.ServiceResource ?? new List<string>(),
-                request.AuthEndUserPid,
+                request.EndUserId,
                 cancellationToken);
             query = query.WhereUserIsAuthorizedFor(authorizedResources);
         }

@@ -20,11 +20,13 @@ public SearchDialogQueryValidator()
             .WithMessage("'{PropertyName}' must be a valid culture code.");
 
         RuleFor(x => x)
-            .Must(x => SocialSecurityNumber.IsValid(x.AuthEndUserPid))
-            .WithMessage($"'{nameof(SearchDialogQuery.AuthEndUserPid)}' must be a valid national identity number.")
+            .Must(x => PersonIdentifier.IsValid(x.EndUserId))
+            .WithMessage($"'{nameof(SearchDialogQuery.EndUserId)}' must be a valid person identifier. It should match the format 'urn:altinn:person:identifier-no::12345678901'.")
+            .Must(x => SocialSecurityNumber.IsValid(PersonIdentifier.ExtractEndUserIdNumber(x.EndUserId!)))
+            .WithMessage($"'{nameof(SearchDialogQuery.EndUserId)}' must include a valid national identity number.")
             .Must(x => !x.ServiceResource.IsNullOrEmpty() || !x.Party.IsNullOrEmpty())
-            .WithMessage($"Either {nameof(SearchDialogQuery.ServiceResource)} or {nameof(SearchDialogQuery.Party)} must be specified.")
-            .When(x => x.AuthEndUserPid is not null);
+            .WithMessage($"Either '{nameof(SearchDialogQuery.ServiceResource)}' or '{nameof(SearchDialogQuery.Party)}' must be specified if '{nameof(SearchDialogQuery.EndUserId)}' is provided.")
+            .When(x => x.EndUserId is not null);
 
         RuleFor(x => x.ServiceResource!.Count)
             .LessThanOrEqualTo(20)

@@ -15,7 +15,7 @@ namespace Digdir.Domain.Dialogporten.Infrastructure.Altinn.Authorization;
 
 internal sealed class AltinnAuthorizationClient : IAltinnAuthorization
 {
-    private const string AttributeIdSsn = "urn:altinn:ssn";
+    private const string AttributePidClaim = "urn:altinn:ssn";
 
     private readonly HttpClient _httpClient;
     private readonly IUser _user;
@@ -48,10 +48,10 @@ await PerformDialogDetailsAuthorization(new DialogDetailsAuthorizationRequest
     public async Task<DialogSearchAuthorizationResult> GetAuthorizedResourcesForSearch(
         List<string> constraintParties,
         List<string> serviceResources,
-        string? authEndUserPid,
+        string? endUserId,
         CancellationToken cancellationToken = default)
     {
-        var claims = GetOrCreateClaimsBasedOnEndUserPid(authEndUserPid);
+        var claims = GetOrCreateClaimsBasedOnEndUserId(endUserId);
         return await PerformNonScalableDialogSearchAuthorization(new DialogSearchAuthorizationRequest
         {
             Claims = claims,
@@ -104,12 +104,12 @@ private async Task<DialogDetailsAuthorizationResult> PerformDialogDetailsAuthori
         return DecisionRequestHelper.CreateDialogDetailsResponse(request.AltinnActions, xamlJsonResponse);
     }
 
-    private List<Claim> GetOrCreateClaimsBasedOnEndUserPid(string? endUserPid)
+    private List<Claim> GetOrCreateClaimsBasedOnEndUserId(string? endUserId)
     {
         List<Claim> claims = new();
-        if (endUserPid is not null)
+        if (endUserId is not null)
         {
-            claims.Add(new Claim(AttributeIdSsn, endUserPid));
+            claims.Add(new Claim(AttributePidClaim, ExtractEndUserIdNumber(endUserId)!));
         }
         else
         {
@@ -118,6 +118,9 @@ private List<Claim> GetOrCreateClaimsBasedOnEndUserPid(string? endUserPid)
         return claims;
     }
 
+    private static string ExtractEndUserIdNumber(string endUserId) =>
+        endUserId.Split("::").LastOrDefault() ?? string.Empty;
+
     private static readonly JsonSerializerOptions _serializerOptions = new()
     {
         PropertyNameCaseInsensitive = true,

@@ -21,7 +21,7 @@ public Task<DialogDetailsAuthorizationResult> GetDialogDetailsAuthorization(Dial
         // Just allow everything
         Task.FromResult(new DialogDetailsAuthorizationResult { AuthorizedAltinnActions = dialogEntity.GetAltinnActions() });
 
-    public async Task<DialogSearchAuthorizationResult> GetAuthorizedResourcesForSearch(List<string> constraintParties, List<string> serviceResources, string? authEndUserPid,
+    public async Task<DialogSearchAuthorizationResult> GetAuthorizedResourcesForSearch(List<string> constraintParties, List<string> serviceResources, string? endUserId,
         CancellationToken cancellationToken = default)
     {
         // Allow all resources for all parties