ABAC XacmlPolicy attribute dictionary helper method

#474

As part of the integration with OED/DD (Digitalt dødsbo) as a new external role provider, an easy way to analyse and extract all attributeIds and values from a XacmlPolicy is needed.
This will be used to evaluate whether or not the policy contains a subject attribute for an OED/DD role code, and since it's populated to the XacmlPolicy object it will be cached along side policy itself.

The logic can later be reused by the resource-registry which will need same logic for analysing the policy for building rolecode register and required validation logic when publishing a resource.

Author: Jon Kjetil Øye

src/Altinn.Authorization.ABAC/Xacml/XacmlPolicy.cs

@@ -1,6 +1,8 @@
 using System;
 using System.Collections.Generic;
 using System.Collections.ObjectModel;
+using System.Linq;
+using Altinn.Authorization.ABAC.Constants;
 using Altinn.Authorization.ABAC.Utils;
 
 namespace Altinn.Authorization.ABAC.Xacml
@@ -96,6 +98,8 @@ public class XacmlPolicy
 
         private readonly ICollection<XacmlVariableDefinition> variableDefinitions = new Collection<XacmlVariableDefinition>();
 
+        private readonly IDictionary<string, IDictionary<string, Collection<string>>> categoryAttributes = new Dictionary<string, IDictionary<string, Collection<string>>>();
+
         private XacmlTarget target;
         private Uri policyId;
         private Uri ruleCombiningAlgId;
@@ -308,6 +312,51 @@ public ICollection<XacmlAdviceExpression> AdviceExpressions
             }
         }
 
+        /// <summary>
+        /// Returns a dictionary of all unique attribute ids and a collection of all their values, which exists across all rules in the policy, for a given match attribute category.
+        /// </summary>
+        /// <param name="matchAttributeCategory">The Xacml match attribute category to collect attributes values of</param>
+        /// <returns>Dictionary of attribute ids and list of values</returns>
+        public IDictionary<string, Collection<string>> GetAttributeDictionaryByCategory(string matchAttributeCategory)
+        {
+            if (categoryAttributes.ContainsKey(matchAttributeCategory))
+            {
+                return categoryAttributes[matchAttributeCategory];
+            }
+
+            IDictionary<string, Collection<string>> categoryAttributeDict = new Dictionary<string, Collection<string>>();
+            categoryAttributes.Add(matchAttributeCategory, categoryAttributeDict);
+
+            foreach (XacmlRule rule in Rules)
+            {
+                // should we care about permit?
+                if (rule.Effect.Equals(XacmlEffectType.Permit) && rule.Target != null)
+                {
+                    foreach (XacmlAnyOf anyOf in rule.Target.AnyOf)
+                    {
+                        foreach (XacmlAllOf allOf in anyOf.AllOf)
+                        {
+                            foreach (XacmlMatch xacmlMatch in allOf.Matches)
+                            {
+                                if (xacmlMatch.AttributeDesignator.Category.Equals(matchAttributeCategory))
+                                {
+                                    string attributeId = xacmlMatch.AttributeDesignator.AttributeId.AbsoluteUri;
+                                    if (!categoryAttributeDict.ContainsKey(attributeId))
+                                    {
+                                        categoryAttributeDict.Add(attributeId, new Collection<string>());
+                                    }
+
+                                    categoryAttributeDict[attributeId].Add(xacmlMatch.AttributeValue.Value);
+                                }
+                            }
+                        }
+                    }
+                }
+            }
+
+            return categoryAttributes[matchAttributeCategory];
+        }
+
         /// <summary>
         /// The namespaces used in Policy
         /// </summary>